Protection against network privilege escalation
The application of perimeter security controls in each layer of any infrastructure as well as hardening measures in systems enable limiting an intruder lateral movement in the network, even if this has been produced by exploiting a 0day vulnerability.
Network security complete control is a tedious task requiring a significant number of resources in addition to modifying the way network administrators and operators interact with systems. Security measures definition should be complemented with the ongoing analysis of security elements and detection capacities correct functioning.
Broadly speaking, this article identifies some protection strategies against penetrations and lateral movement prevention in Windows environments. It also should be taken into account that the complete eradication of privileges escalation in networks is impossible and therefore, it is necessary to focus on protective and monitoring measures.
Segregation of users and IT staff functions
This refers to those actions that should be carried out by systems administrators in order to protect the company’s computer systems and avoid privileges escalation between roles and systems:
- Roles separation 1: The user account for daily activities shall be different from the one used for administration tasks (i.e. DOMAIN\atarasco y DOMAIN\adm.atarasco). The administrator account shall not include mailbox, navigation permissions.
- Roles separation 2: Administration tasks shall be compartmentalized, in such a way that a single administrator should not hold access to the platform, storage and backups at the same time. Besides, isolation strategies based on geographical distribution can also be used.
- Environments separation: Administration accounts should not be logged in the same desktops where navigation and mailing is used. Therefore, isolated “hop machines” shall be used only dealing with administration tasks.
- Administration vlan isolation: Desktop computers should not have direct connectivity to servers and dmz. They shall only get to the “hop machines” located in the administration vlan. These will be the ones connecting to servers. It is necessary to create the required “hop machines” in order to compartmentalize administration in different segments.
- Minimum privilege principle for service accounts: Service accounts shall have the possibility of starting a session only in servers aimed at that particular service. Monitoring measures shall be established in order to alert when these ones are used from/towards other locations or when the session login type does not match with what is expected.
- Hostids monitoring tools use, endpoints security and network elements to detect privileges escalation patterns and exploitation towards other systems.
The use of virtual machines in order to carry out non-privileged tasks, such as navigation, is a good security practice.
Security blocks at network level
This section refers to actions carried out at network level in order to block malicious traffic.
- Segmentation: Segmenting the network in vlans and applying filtering rules at network level and in workstations and servers. For example, limiting RDP and SMB connections.
- IP reputation services: Blocking navigation traffic to TOR or to non-classified systems. It is possible to use free services such as https://check.torproject.org/cgi-bin/TorBulkExitList.pyor https://www.dan.me.uk/torlist/, as well as commercial feeds identifying VPNS or notorious IPs.
- Blocking traffic to internet: Internal systems (regarding servers and workstations) shall not hold direct access to internet. DNS traffic, HTTP and HTTPs shall be restricted to the navigation proxy, including restrictive ACLs.
- Compromise paths study: Fulfilling a periodic security audit or Red Team exercises in order to discover compromise paths and improve response procedures to incidents.
- Monitoring remote accesses: Monitoring and controlling inbound VPN, Citrix, RDP or VDI connections. It is recommendable to add a double authentication factor to every authorized group for establishing remote connections and informing the user about the connection.
Security measures at systems level:
This section refers to actions that could be carried out in order to achieve workstation protection.
- Operating system firewall: Traffic and communications to SMB services block at firewall level and also affecting workstations isolation in the same network segment.
- Security updates: Central control of workstations and servers security updates using update control solutions such as WSUS.
- Passwords: Passwords management is another aspect that can be explained in another article. Roughly speaking this point concerns to avoiding neither local administrator nor administrative user passwords sharing between servers and workstations groups. Besides, passwords directives should avoid predictable patterns (months, years, company name). This could be complemented using Kerberos tickets regular reset in order to avoid persistence attacks.
- Execution blocks: memory passwords dump tools block (such as LSA Protection against MimiKatz, which is activated with the RunAsPPL”=dword:00000001mimikatz value in HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa) using dominion policies (GPO) and software execution block (applocker).
- Hardening: Hardening guidelines creation and maintenance in order to guarantee communication cipher, then protection against main in the middle attacks is essential.
In the particular case of a file server, malicious actions carried out by ramsomware or by an attacker could be prevented and therefore, a prevention strategy in files servers with FSRM implementation could be defined. FSRM is a Microsoft file server ROLE providing the possibility of defining actions and executing scripts against certain types of files script. Please, find below some references:
Controlling privileges escalation final conclusions
It is necessary to apply hardening measures and analyze security elements correct functioning, together with those strategies which have obtained a very good result in the past, such as:
- Honeypots creation in workstations, as well as files monitoring to detect lateral movements and people sniffing around internal resources. This could be complemented by more advanced counterintelligence campaigns such as the ones designed by CounterCraft.
- Tools execution for detecting indicators of compromise (IOCs) and searching for anomalous activity in monitoring elements (SIEM,…)
A good way of increasing security is fulfilling Red Team exercises in order to help determining which weaknesses could be used in a real attack, achieving a better protection and clear indicators of the corporative security evolution.