Sevecek-Kerberos - Ondrej Sevecek's Blog

Kerberos Underworld
Ondrej Sevecek | MCM: Directory | MVP: Security
ondrej@sevecek.com | www.sevecek.com
Kerberos Underworld
AN INTRODUCTION
The topics
• The hell of Windows authentication mechanisms
  • Basic, NTLM, Kerberos
  • Certificates and smart cards or tokens
• How they work differently
• What is better or worse
• Weird and weirder things that you may not know
And the environment
• Windows 2000 and newer
• Active Directory domains
• Maybe some trusts or multidomain forests
• Connections to SMB, LDAP, Exchange, SQL, HTTP, WMI, remote administration, RDP and other servers
Kerberos Underworld
NETWORK INTERACTIONS
Local Logon
[Diagram: Client 2000+ and DC 2000+; labels: CTRL-ALT-DEL Password, Kerberos, TGT: User, TGS: LDAP, CIFS, LDAP, GPO List, SMB, GPO Download]
• Password is stored in memory only
  • LSASS process
  • In the form of MD4 hash
  • never given out
Authentication Interactions in General
[Diagram: Client 2000+, Server 2000+ and two DCs 2000+; labels: App Traffic, In-band, TGS: Server, NTLM, Kerberos, TGT: User, SMB, D/COM, TGS: Server, Occasional PAC Validation, NTLM Pass-through, D/COM Dynamic TCP]
The three authentication methods
• Basic
  • plain-text password
  • results in Kerberos authentication
• NTLM
  • hashed password (MD4) method from the past
  • LM (DES), NTLM (DES), NTLMv2 (MD5)
• Kerberos
  • hashed password (MD4) plus RC4/DES or AES
  • mutual authentication and delegation
  • can use certificates instead of passwords
Basic and RDP Network Logon
[Diagram: Client 2000+, Server 2000+ and two DCs 2000+; labels: App Traffic, In-band clear text, Kerberos, TGT: User]
NTLM Network Logon
[Diagram: Client 2000+, Server 2000+ and two DCs 2000+; labels: App Traffic, In-band NTLM hash, SMB, D/COM, Pass-through NTLM hash, D/COM Dynamic TCP]
Kerberos Network Logon (basic principle)
[Diagram: Client 2000+, Server 2000+ and DC 2000+; labels: App Traffic, In-band TGS: Server, Kerberos, TGT: User, TGS: Server]
Kerberos Network Logon (complete)
[Diagram: Client 2000+, Server 2000+ and two DCs 2000+; labels: App Traffic, In-band TGS: Server, Kerberos, TGT: User, SMB, D/COM, Occasional PAC Validation, TGS: Server, D/COM Dynamic TCP]
Kerberos Underworld
PERFORMANCE COMPARISON
NTLM Network Logon
[Diagram: Client 2000+, Server 2000+ and two DCs 2000+; CPU figures shown: 60 % CPU, 55 % CPU]
Kerberos Network Logon, no PAC Validation
[Diagram: Client 2000+, Server 2000+ and two DCs 2000+; CPU figures shown: 60 % CPU, 0 % CPU]
Kerberos Network Logon with PAC Validation
[Diagram: Client 2000+, Server 2000+ and two DCs 2000+; CPU figures shown: 60 % CPU, 0 % CPU, 14 % CPU (DC)]
Basic Authentication
[Diagram: Client 2000+, Server 2000+ and two DCs 2000+; CPU figures shown: 5 % CPU, 0 % CPU]
NTLM Performance Issues
[Diagram: seven Clients through one Server to a DC; labels: 7 concurrent, 40 sec.]
NTLM Trusts
[Diagram: D\User to A\Server across DC A, DC D, DC C, DC B]
Kerberos Trusts
[Diagram: D\User to A\Server across DC A, DC D, DC C, DC B]
Kerberos Underworld
WE WANT KERBEROS, SO WHAT?
Basic Facts
• Do not use IP addresses
• Configure SPN (service principal name)
• Have time in sync
• Use trusted identities to run services on Windows 2008 and newer
  • instead of AD user accounts
  • no PAC validation
• Enable AES with Windows 2008 DFL
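A way to verify the facts above for one service account (an added example, not code from the slides), assuming the RSAT ActiveDirectory module is installed and a hypothetical service account svc-web:

```powershell
# Added example, not from the slides: check a service account against the Basic Facts.
# Assumes the ActiveDirectory module (RSAT) and a hypothetical account 'svc-web'.
$account = 'svc-web'
$dc      = (Get-ADDomainController -Discover).HostName | Select-Object -First 1

$acct = Get-ADUser -Identity $account -Properties servicePrincipalName, 'msDS-SupportedEncryptionTypes'

# 1. SPN: without an SPN on the account the service runs as, clients cannot
#    request a service ticket and fall back to NTLM
if (-not $acct.servicePrincipalName) {
    Write-Warning "$account has no SPN registered; its services are reachable only with NTLM"
} else {
    $acct.servicePrincipalName | ForEach-Object { "SPN: $_" }
}

# 2. No IP addresses: a Windows client does not ask for a Kerberos ticket for an
#    IP-based target, so an SPN built from an IP address is never used
$acct.servicePrincipalName |
    Where-Object { $_ -match '/\d{1,3}(\.\d{1,3}){3}' } |
    ForEach-Object { Write-Warning "SPN contains an IP address and will not be used: $_" }

# 3. AES: msDS-SupportedEncryptionTypes is a bitmask, 0x8 = AES128, 0x10 = AES256;
#    0 or missing means the account is still limited to RC4 (and DES where enabled)
$etypes = [int]$acct.'msDS-SupportedEncryptionTypes'
if (($etypes -band 0x18) -eq 0) {
    Write-Warning "$account is not flagged for AES (msDS-SupportedEncryptionTypes = $etypes)"
}

# 4. Time in sync: Kerberos rejects requests outside the allowed clock skew
#    (5 minutes by default), so compare this host's clock with the DC
w32tm /stripchart /computer:$dc /samples:3 /dataonly
```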
Trusted Identities – Network Service
Trusted Identities – Service Accounts
Trusted Identities – AppPoolIdentity
Trusted Identities – Managed Service Account
Kerberos Underworld
IDENTITY ISOLATION FOR SERVICES
Identity Isolation
• Services on a single machine
• Services that access other back-end services
Windows Identities

Identity                | Password                  | PAC Validation | Local Isolation              | Network Isolation | Operating System
SYSTEM                  | random, changed 30 days   | no             | Administrators, no isolation | no                | 2000
AD User Account         | administrator, changed??? | yes            | Users, isolated              | yes               | 2000
Network Service         | random, changed 30 days   | no             | Users, no isolation          | no                | XP
Local Service           | no network credentials    | no             | Users, no isolation          | no                | XP
Service Account         | random, changed 30 days   | no             | Users, isolated              | no                | Vista, 2008
Managed Service Account | random, changed 30 days   | no             | Users, isolated              | yes               | 7, 2008 R2
Kerberos Underworld
SMART CARD LOGON
Smart Card Logon
[Diagram: Client 2000+, Server 2000+ and two DCs 2000+; labels: App Traffic, Kerberos PKINIT, TGT: User, TGS: Server]
Smart Card Logon and NTLM
[Diagram: Client 2000+, Server 2000+ and two DCs 2000+; labels: NTLM Hash, TGT: User, TGS: Server, NTLM Hash]
Smart Card Logon and NTLM
[Diagram: Client 2000+, Server 2000+ and two DCs 2000+; labels: NTLM Hash, TGT: User, TGS: Server, NTLM Hash, NTLM Hash]
Kerberos Underworld
DELEGATION
Basic Delegation
[Diagram: Client, Front-End Server, DC and Back-End Server; labels: Password, TGT: User, TGS: Back-End]
Kerberos Delegation Options
Kerberos Delegation (Simplified)
[Diagram: Client, Front-End Server, two DCs and Back-End Server; labels: TGS: Front-End, TGT: User, TGS: Back-End, TGS: Front-End]
Protocol Transition
[Diagram: Client, Front-End Server, DC and Back-End Server; labels: Nothing, Kamil, TGS: Back-End]
Kerberos Underworld
GROUP MEMBERSHIP
Group Membership Limits
• AD Group in forest with 2000 FFL
  • 5000 direct members limit
• AD Group in forest with 2003+ FFL
  • unlimited membership
• Kerberos Ticket
  • network transport
  • limited to 8 kB on 2000 and XP
  • up to 12 kB on 2003+
• HTTP.SYS header limits
  • 16 kB of Base-64 encoded tickets
• Access Token
  • local representation of a logon
  • up to 1025 groups including local and system
Kerberos Ticket (PAC)
User: Kamil, S-1-5-Prague-1158

Group            | Scope        | Domain | SID / RID         | Size
Prague Marketing | Global       |        | 3082              | 8 Bytes
Prague Sales     | Global       |        | 3083              | 8 Bytes
Paris Visitors   | Domain Local | Paris  | S-1-5-Paris-2115  | 40 Bytes
Roma IS          | Domain Local | Roma   | S-1-5-Roma-1717   | 40 Bytes
Prague Documents | Domain Local | IDTT   | S-1-5-Prague-3084 | 40 Bytes
Business Owners  | Universal    | IDTT   | 3085              | 8 Bytes
Employees        | Universal    | Paris  | S-1-5-Paris-2116  | 40 Bytes
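The byte accounting from the PAC slide, applied to the limits listed under Group Membership Limits (an added example, not from the slides; the group list is constructed from the Kamil example, with IDTT taken as the user's own domain):

```powershell
# Added example, not from the slides: estimate the group part of a PAC from the
# per-group costs shown in the slide and test it against the ticket limits above.
# Only the group data is estimated; the rest of the ticket adds further bytes.
$userDomain = 'IDTT'   # the user's own domain in the slide (SID prefix S-1-5-Prague)
$groups = @(           # constructed from the slide's Kamil example
    @{ Name = 'Prague Marketing'; Scope = 'Global';      Domain = 'IDTT'  }
    @{ Name = 'Prague Sales';     Scope = 'Global';      Domain = 'IDTT'  }
    @{ Name = 'Paris Visitors';   Scope = 'DomainLocal'; Domain = 'Paris' }
    @{ Name = 'Roma IS';          Scope = 'DomainLocal'; Domain = 'Roma'  }
    @{ Name = 'Prague Documents'; Scope = 'DomainLocal'; Domain = 'IDTT'  }
    @{ Name = 'Business Owners';  Scope = 'Universal';   Domain = 'IDTT'  }
    @{ Name = 'Employees';        Scope = 'Universal';   Domain = 'Paris' }
)

function Get-PacGroupBytes {
    param([hashtable]$Group, [string]$UserDomain)
    # Global and universal groups of the user's own domain travel as RID + attributes
    # (8 bytes); domain local groups and groups from other domains carry the full
    # SID + attributes (40 bytes), as in the slide
    if ($Group.Domain -eq $UserDomain -and $Group.Scope -in 'Global', 'Universal') { 8 } else { 40 }
}

$groupBytes  = ($groups | ForEach-Object { Get-PacGroupBytes -Group $_ -UserDomain $userDomain } |
                Measure-Object -Sum).Sum
$base64Bytes = [math]::Ceiling($groupBytes / 3) * 4   # size once the ticket sits in an HTTP header

"{0} groups: {1} bytes of group data ({2} bytes Base-64 encoded)" -f $groups.Count, $groupBytes, $base64Bytes
# Kamil's example: 7 groups, 4 x 40 + 3 x 8 = 184 bytes, 248 bytes Base-64 encoded

if ($groups.Count -gt 1025) { Write-Warning 'Access token limit of 1025 groups exceeded; logon fails' }
if ($groupBytes  -gt 8KB)   { Write-Warning 'Exceeds the 8 kB ticket limit of Windows 2000 and XP' }
if ($groupBytes  -gt 12KB)  { Write-Warning 'Exceeds the 12 kB ticket limit of Windows 2003+' }
if ($base64Bytes -gt 16KB)  { Write-Warning 'Exceeds the 16 kB HTTP.SYS header limit for Base-64 tickets' }
```

Feed it the real membership of an account (including nested groups, which the PAC expands) to see which of the limits a large user will hit first.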
Kerberos Underworld
TAKEAWAY
Takeaway
• Kerberos is the most secure, flexible and performance-efficient of the three
• Don’t be afraid and play with them!