Onboarding Accelerator: Securing Lateral Account Movement

Onboarding Services
Duration: 4-12 days
Expert deployment guidance
Onboarding Focus Area: Security and Compliance
Focus on knowledge transfer, deployment, auditing, and reporting

Do you have core lateral account movement threat protections in place for your endpoints?

Overview
Onboarding Accelerator – Securing Lateral Account Movement (OA-SLAM) is a collection of engagements focused on deploying mitigations against lateral account movement. OA-SLAM targets production environments in three tracks:
1. Unique Local Passwords,
2. Credential Partitioning and
3. Network Protection.
Each track addresses a potentially devastating commodity attack vector. OA-SLAM offers flexible scoping options that let customers choose which engagements they need, in the order that suits them. Each engagement hardens customer infrastructure against a well-known, proven attack method. Completing all three OA-SLAM engagements can offer a drastic reduction in attack surface.

Key takeaways
• Defense-in-depth mitigation for potentially devastating credential theft attacks
• Implementing the top credential theft mitigation, based on data-driven analyses of known attack playbooks
• Implementing LAPS, firewall rules, and secure administrative practices, making it much more difficult for commodity-style attacks to succeed in an environment

Objective
Drive credential theft mitigation with a rational, outcome-based process for slowing down and reducing the risks of lateral account movement.

Scope
• Knowledge transfer on lateral account movement mitigations
Select from:
➢ Implement unique local passwords, auditing, usage and reporting on up to 1000 machines
➢ Implement credential partitioning controls for local and domain administrative accounts, and reporting
➢ Implement network protections (audit, analyze, enable, validate, report) on up to 1000 machines
Methodology
Each OA-SLAM engagement is scoped to one of the tracks. Completing all tracks requires three OA-SLAM engagements. They can be delivered in any order and scheduled based on customer needs.

Delivery options
Hands On OA-SLAM (3 days onsite, 1 day remote): An expert will work with you to ensure you’re using the recommended threat mitigation configurations.
Flexible delivery: Choose from the Unique Local Passwords, Credential Partitioning and Network Protection phases, or all three, depending on the needs of your project.

Detailed delivery framework

Phase: Unique Local Passwords (Duration: 4 days)
Key activities:
• Educate: Knowledge transfer on automation, LAPS and LAPS auditing
• Deploy: AD schema and settings, endpoint DLL rollout, and creation of GPOs for password management
• Audit: Enable LAPS auditing and collect events using Windows Event Forwarding
• Workflow: Secure Help Desk techniques and challenges using LAPS
• Reporting: Documentation relevant to the deployment and operations guides

Phase: Credential Partitioning (Duration: 4 days)
Key activities:
• Domain accounts: Knowledge transfer and implementation of domain administrative account logon restrictions
• Local accounts: Knowledge transfer and implementation of local administrative account logon restrictions
• Additional protections: Knowledge transfer and implementation of additional protections for domain administrative accounts
• WDigest: Knowledge transfer and disabling of WDigest authentication
• Reporting: Documentation relevant to the customer deployment and operations guides

Phase: Network Protection (Duration: 4 days)
Key activities:
• Audit: Configure Windows Firewall audit policy and Windows Event Forwarding policy
• Analyze: Parse and analyze audit data for representative groups of workstations
• Enable: Create GPOs to enforce Windows Firewall rules on workstations
• Validate: Use Windows Firewall auditing to tune the ruleset
• Reporting: Set up documentation relevant to the deployment and operations guides

Detailed scope and requirements

Engagement Scope:
• Knowledge transfer, deployment, audit (where applicable) and reporting on up to 1,000 computers
• Track specific:
➢ Domain and local administrative account restrictions
➢ Protect domain administrative accounts using the Protected Users group, disabling Kerberos delegation and WDigest authentication
➢ Windows Firewall audit and data analysis with a toolkit provided by PFE
• Reports done remotely, post-onsite engagement

Not In Scope:
• Taking ownership of, or being responsible for, the overall project
• Hardware procurement, operating system (OS) updates, and networking
• Reactive support
• Any scorecards
• Technical or architectural design review and remediation, and vision/scope documents

Recommended Participants
• Active Directory (AD) and desktop engineering, as well as support staff and others who share responsibility for domain controller and endpoint security

Customer Requirements
• Conference room with projection display and whiteboard
• Administrative access to representative systems for LAPS implementation and for firewall auditing and implementation
• Member server for Windows Event collection and initial LAPS configuration
• Ability to create, link and manage GPOs; extend the AD schema; implement code on endpoints; create OUs; create security groups in AD and add/remove computer objects from these groups; and create, link and modify Authentication Policies and Silos
• Ability to implement changes to workstation administration techniques and policies

For more information
Contact your Microsoft Account Representative for pricing and scheduling details.

2020 © Microsoft Corporation. All rights reserved. This data sheet is for informational purposes only. MICROSOFT MAKES NO WARRANTIES, EXPRESS OR IMPLIED, IN THIS SUMMARY
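As an added example (not part of this data sheet, and not the PFE toolkit it mentions), the following read-only PowerShell check reports the endpoint-side state that each of the three tracks leaves behind: the LAPS policy and client-side extension, the WDigest setting, and the firewall profiles plus Filtering Platform Connection auditing that feeds Windows Event Forwarding. It assumes the legacy LAPS (AdmPwd) variant and English-language auditpol output; it changes nothing on the machine.

```powershell
# Added example: read-only audit of the per-endpoint settings behind the three OA-SLAM tracks.
# Run elevated on a representative workstation. Assumes legacy LAPS (AdmPwd) and English auditpol text.

function Test-UniqueLocalPasswords {
    # Track 1: the LAPS policy must be enabled and the CSE DLL present for the GPO to act.
    $pol = Get-ItemProperty 'HKLM:\SOFTWARE\Policies\Microsoft Services\AdmPwd' -ErrorAction SilentlyContinue
    $dll = Join-Path $env:ProgramFiles 'LAPS\CSE\AdmPwd.dll'
    [pscustomobject]@{
        Track     = 'Unique Local Passwords'
        Compliant = ($pol.AdmPwdEnabled -eq 1) -and (Test-Path $dll)
        Detail    = "AdmPwdEnabled=$($pol.AdmPwdEnabled); CSE present=$(Test-Path $dll)"
    }
}

function Test-CredentialPartitioning {
    # Track 2: WDigest must not cache plaintext credentials in LSASS.
    # An absent UseLogonCredential value is the secure default (0) on Windows 8.1 / Server 2012 R2
    # and later; on older builds the value has to be set to 0 explicitly.
    $key = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\WDigest'
    $val = (Get-ItemProperty $key -Name UseLogonCredential -ErrorAction SilentlyContinue).UseLogonCredential
    $modern = [Version](Get-CimInstance Win32_OperatingSystem).Version -ge [Version]'6.3'
    [pscustomobject]@{
        Track     = 'Credential Partitioning'
        Compliant = ($val -eq 0) -or (($null -eq $val) -and $modern)
        Detail    = "UseLogonCredential=$(if ($null -eq $val) { '<absent>' } else { $val })"
    }
}

function Test-NetworkProtection {
    # Track 3: all firewall profiles on, and Filtering Platform Connection auditing enabled so that
    # allowed/blocked flows land in the Security log, where WEF can collect them for rule tuning.
    $profiles = Get-NetFirewallProfile
    $allOn    = -not ($profiles | Where-Object { $_.Enabled -ne 'True' })
    $audit    = auditpol /get /subcategory:"Filtering Platform Connection" 2>$null
    $auditOn  = (($audit -join ' ') -match 'Success|Failure')
    [pscustomobject]@{
        Track     = 'Network Protection'
        Compliant = $allOn -and $auditOn
        Detail    = "Profiles on: $(($profiles | Where-Object Enabled -eq 'True').Name -join ','); FPC audit on=$auditOn"
    }
}

# One row per track; a False in Compliant is a follow-up item for that phase.
& { Test-UniqueLocalPasswords; Test-CredentialPartitioning; Test-NetworkProtection } |
    Format-Table Track, Compliant, Detail -AutoSize
```

Domain-side controls from the Credential Partitioning track (Protected Users membership, Kerberos delegation flags, logon restriction GPOs) are not visible from a single endpoint and need to be verified against AD separately.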