Sevecek-Kerberos - Ondrej Sevecek`s Blog

advertisement
Kerberos Underworld
Ondrej Sevecek | MCM: Directory | MVP: Security
[email protected] | www.sevecek.com
Kerberos Underworld
AN INTRODUCTION
The topics
• The hell of windows authentication mechanisms
• Basic, NTLM, Kerberos
• Certificates and smart cards or tokens
• How they work differently
• What is better or worse
• Weird and weirder things that you may not know
And the environment
• Windows 2000 and newer
• Active Directory domains
• Maybe some trusts or multidomain forests
• Connections to SMB, LDAP, Exchange, SQL, HTTP,
WMI, remote administration, RDP and other servers
Kerberos Underworld
NETWORK INTERACTIONS
Local Logon
Client
2000+
TGT: User
Kerberos
LDAP
SMB
TGS: LDAP, CIFS
GPO List
GPO Download
DC
2000+
CTRL-ALT-DEL Password
• Password is stored in memory only
• LSASS process
• In the form of MD4 hash
• never given out
Authentication Interactions in General
App
Traffic
Client
2000+
Server
2000+
In-band
TGS: Server
NTLM
Kerberos
TGT: User
SMB
D/COM
TGS: Server
Occasional PAC
Validation
NTLM
Pass-through
D/COM Dynamic
TCP
DC
2000+
DC
2000+
The three authentication methods
• Basic
• plain-text password
• results in Kerberos authentication
• NTLM
• hashed password (MD4) method from the past
• LM (DES), NTLM (DES), NTLMv2 (MD5)
• Kerberos
• hashed password (MD4) plus RC4/DES or AES
• mutual authentication and delegation
• can use certificates instead of passwords
Basic and RDP Network Logon
Client
2000+
App
Traffic
Server
2000+
In-band
clear text
Kerberos
DC
2000+
DC
2000+
TGT: User
NTLM Network Logon
Client
2000+
App
Traffic
Server
2000+
In-band
NTLM hash
SMB
D/COM
Pass-through
NTLM hash
D/COM Dynamic
TCP
DC
2000+
DC
2000+
Kerberos Network Logon (basic principle)
App
Traffic
Client
2000+
In-band
TGS: Server
Kerberos
TGT: User
TGS: Server
DC
2000+
Server
2000+
Kerberos Network Logon (complete)
App
Traffic
Client
2000+
Server
2000+
In-band
TGS: Server
Kerberos
TGT: User
SMB
D/COM
Occasional PAC
Validation
TGS: Server
D/COM Dynamic
TCP
DC
2000+
DC
2000+
Kerberos Underworld
PERFORMANCE COMPARISON
NTLM Network Logon
Client
2000+
Server
2000+
60 % CPU
55 % CPU
DC
2000+
DC
2000+
Kerberos Network Logon, no PAC Validation
Client
2000+
Server
2000+
60 % CPU
0 % CPU
DC
2000+
DC
2000+
Kerberos Network Logon with PAC Validation
Client
2000+
Server
2000+
60 % CPU
0 % CPU
DC
2000+
14 % CPU
DC
2000+
Basic Authentication
Client
2000+
Server
2000+
5 % CPU
0 % CPU
DC
2000+
DC
2000+
NTLM Performance Issues
Client
Client
Client
Client
Server
Client
Client
Client
7 concurrent
40 sec.
DC
NTLM Trusts
D\User
A\Server
DC A
DC D
DC C
DC B
Kerberos Trusts
D\User
A\Server
DC A
DC D
DC C
DC B
Kerberos Underworld
WE WANT KERBEROS, SO WHAT?
Basic Facts
• Do not use IP addresses
• Configure SPN (service principal name)
• Have time in sync
• Use trusted identities to run services on Windows
2008 and newer
• instead of AD user accounts
• no PAC validation
• Enable AES with Windows 2008 DFL
Trusted Identities – Network Service
Trusted Identities – Service Accounts
Trusted Identities – AppPoolIdentity
Trusted Identities – Managed Service Account
Kerberos Underworld
IDENTITY ISOLATION FOR SERVICES
Identity Isolation
• Services on a single machine
• Services that access other back-end services
Windows Identities
Identity
Password
PAC
Validation
Local
Isolation
Network
Isolation
Operating
System
SYSTEM
random
changed 30 days
no
Administrators
no isolation
no
2000
AD User Account
administrator
changed???
yes
Users
isolated
yes
2000
Network Service
random
changed 30 days
no
Users
no isolation
no
XP
Local Service
no network
credentials
no
Users
no isolation
no
XP
Service Account
random
changed 30 days
no
Users
isolated
no
Vista
2008
Managed Service
Account
random
changed 30 days
no
Users
isolated
yes
7
2008 R2
Kerberos Underworld
SMART CARD LOGON
Smart Card Logon
App
Traffic
Client
2000+
Kerberos
PKINIT
Server
2000+
TGT: User
TGS: Server
DC
2000+
DC
2000+
Smart Card Logon and NTLM
Client
2000+
NTLM Hash
Server
2000+
TGT: User
TGS: Server
DC
2000+
NTLM Hash
DC
2000+
Smart Card Logon and NTLM
Client
2000+
NTLM Hash
Server
2000+
TGT: User
TGS: Server
NTLM Hash
NTLM Hash
DC
2000+
DC
2000+
Kerberos Underworld
DELEGATION
Basic Delegation
Client
Password
Front-End
Server
TGT: User
TGS: Back-End
DC
Back-End
Server
Kerberos Delegation Options
Kerberos Delegation (Simplified)
Client
TGS: Front-End
Front-End
Server
TGT: User
TGS: Back-End
TGS: Front-End
DC
DC
Back-End
Server
Protocol Transition
Client
Nothing
Front-End
Server
Kamil
TGS: Back-End
DC
Back-End
Server
Kerberos Underworld
GROUP MEMBERSHIP
Group Membership Limits
• AD Group in forest with 2000 FFL
• 5000 direct members limit
• AD Group in forest with 2003+ FFL
• unlimited membership
• Kerberos Ticket
• network transport
• limited to 8 kB on 2000 and XP
• up to 12 kB on 2003+
• HTTP.SYS header limits
• 16 kB of Base-64 encoded tickets
• Access Token
• local representation of a logon
• up to 1025 groups including local and system
Kerberos Ticket (PAC)
Kamil
S-1-5-Prague-1158
Prague Marketing
Global
3082
8 Bytes
Prague Sales
Global
3083
8 Bytes
Paris Visitors
Domain Local
Paris
S-1-5-Paris-2115
40 Bytes
Roma IS
Domain Local
Roma
S-1-5-Roma-1717
40 Bytes
Prague Documents
Domain Local
IDTT
S-1-5-Prague-3084
40 Bytes
Business Owners
Universal
IDTT
3085
8 Bytes
Employees
Universal
Paris
S-1-5-Paris-2116
40 Bytes
Kerberos Underworld
TAKEAWAY
Takeaway
• Kerberos is most secure, flexible and performance efficient
• Don’t be afraid and play with them!
Ondrej Sevecek | MCM: Directory | MVP: Security
[email protected] | www.sevecek.com
Don’t forget to submit
your feedback and win a
great Nokia smartphone
and Kindle e-reader!
Download