
SLAM

SLAM. David Frye. A system for strong local account management. Lawrence Livermore National Laboratory, P. O. Box 808, Livermore, CA 94551. This work performed under the auspices of the U.S. Department of Energy by Lawrence Livermore National Laboratory under Contract DE-AC52-07NA27344.


Presentation Transcript


  1. SLAM David Frye A system for strong local account management. Lawrence Livermore National Laboratory, P. O. Box 808, Livermore, CA 94551 This work performed under the auspices of the U.S. Department of Energy by Lawrence Livermore National Laboratory under Contract DE-AC52-07NA27344.

  2. The Subject: Local Accounts
  • All computers have a local account database
  • Allows people or code to authenticate locally
  • Enables access to resources locally
  • At least 1 administrator (full permissions)
  • Maintained independently: no linkage to Active Directory, no centralized management
  UCRL: LLNL-PRES-413302

  3. The Problem: Common Passwords
  • Admin password typically set at build time
  • Typically the same on all machines (imaging)
  • Password is seldom if ever changed
  • Often neglected when the machine is joined to the domain

  4. The Problem: Illustrated
  • Typical AD environment
  • Machines built from images
  • Local Administrator enabled
  • Password is common to all of them

  5. The Problem: Illustrated
  • Machine hack = site hack: the shared local Administrator password works on every machine built from the same image
  • AD itself is immune (no domain account is compromised)
  • AD can't help either: local accounts are outside its control, so the hacker moves from machine to machine without touching the domain

  6. Disable Local Accounts? Cases where a local account is still needed:
  • Offline without cached credentials
  • Temporary administration
  • Scientists on travel who need to install software
  • Machine dropped from the domain
  • OS virtualization
  • Re-enabling via the Recovery Console requires physical access

  7. The Options:
  • Disable all local accounts: best option, but not feasible in most environments
  • Deny "Access This Computer From The Network": forces physical login, but kills remote management capability
  • Enabled accounts with common static passwords: most typical, and most dangerous
  • Other options: commercial solutions (expensive)

  8. Strong Local Admin Manager (SLAM)

  9. How it works (diagram):
  • HMAC key: crypto-random 256 bits, RSA 1024-bit encrypted
  • Input: computer's last password change date + GUID
  • SHA-256 HMAC of that input under the key → Local Administrator password

  10. How it works:
  • OU Administrator uses AD Users & Computers (ADUC)
  • Custom context menu option for SLAM Recovery
  • ADUC connects to the Web Service, which returns the password

  11. How it works:
  • Passwords are NOT random; passwords are calculated
  • Only the master hashing key and the computers' password change dates are stored
  • SLAM Recovery leverages existing authorization in AD
  • Permission required: Full Control of the computer object

  12. How it works (architecture diagram):
  • Web Service inputs: master key; computer password change date (from AD)
  • SLAM Client (SSL to Web Service): small .NET app; daily process; requests new local admin password; creates the local account if needed
  • Web Service: checks for a recently expired computer password; checks for a recently recovered admin password; validates authorization; calculates and returns the password
  • OU Administrator via ADUC (SSL to Web Service): copy to clipboard; historical passwords; print
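The following is an added illustration of the scheme in slides 9, 11 and 12, not LLNL's SLAM code: each computer's local administrator password is calculated as an HMAC-SHA-256 of its last password change date and GUID under a 256-bit master key, so the service stores only the key and the change dates, the daily client and the ADUC recovery both obtain the same value from the service, and recovery is gated on the AD permission. The message encoding, the 64-symbol alphabet and 24-character length, the in-memory stand-in for AD and the modelling of "Full Control of computer object" as a set of principal names are assumptions.

```python
"""SLAM-style calculated local administrator passwords.

Added example, not LLNL's SLAM source. Follows the scheme on the slides:
password = HMAC-SHA-256(master key, last password change date + GUID).
Assumptions not on the slides: the message encoding, the alphabet and
length, the in-memory stand-in for AD, and the ACL model.
"""
import datetime as dt
import hashlib
import hmac
import secrets
import string
import uuid

# 64 symbols: 256 % 64 == 0, so "byte mod 64" selects each symbol uniformly.
ALPHABET = string.ascii_letters + string.digits + "-_"
PASSWORD_LENGTH = 24


def derive_password(master_key: bytes, computer_guid: uuid.UUID,
                    pwd_last_set: dt.datetime,
                    length: int = PASSWORD_LENGTH) -> str:
    """Calculate (never store) the local admin password for one computer."""
    if len(master_key) != 32:
        raise ValueError("master key must be 256 bits")
    if not 1 <= length <= hashlib.sha256().digest_size:
        raise ValueError("length must fit in one HMAC output")
    # Message = the two AD attributes the service already holds (encoding assumed).
    message = pwd_last_set.strftime("%Y-%m-%dT%H:%M:%SZ").encode() + computer_guid.bytes
    digest = hmac.new(master_key, message, hashlib.sha256).digest()
    return "".join(ALPHABET[b % len(ALPHABET)] for b in digest[:length])


class SlamService:
    """Stand-in for the SLAM web service plus the AD data it consults."""

    def __init__(self, master_key: bytes,
                 recovery_window: dt.timedelta = dt.timedelta(days=1)):
        self._master_key = master_key   # in SLAM this sits RSA-encrypted at rest
        self._computers = {}            # name -> guid, list of pwdLastSet values, ACL
        self._recoveries = []           # (when, who, computer): audit trail (assumption)
        self._window = recovery_window

    def register_computer(self, name, guid, pwd_last_set, full_control):
        self._computers[name] = {"guid": guid, "dates": [pwd_last_set],
                                 "full_control": set(full_control)}

    def machine_password_changed(self, name, when):
        """AD rotated the computer account password: pwdLastSet moved, so the
        derived local admin password changes with it; the old date is kept
        only for the 'historical passwords' view."""
        self._computers[name]["dates"].append(when)

    def _current(self, name):
        c = self._computers[name]
        return derive_password(self._master_key, c["guid"], c["dates"][-1])

    def client_sync(self, name, now):
        """Daily SLAM client call. Returns (password, recently_recovered); the
        client sets the password locally. What it does with the flag is not
        on the slides (assumption: alert or force a rotation)."""
        recently_recovered = any(n == name and dt.timedelta(0) <= now - when <= self._window
                                 for when, _who, n in self._recoveries)
        return self._current(name), recently_recovered

    def recover(self, caller, name, now):
        """ADUC context-menu recovery; authorization is the AD ACL, nothing
        SLAM-specific."""
        c = self._computers[name]
        if caller not in c["full_control"]:
            raise PermissionError(f"{caller} lacks Full Control on {name}")
        self._recoveries.append((now, caller, name))
        return self._current(name)

    def history(self, caller, name):
        """'Historical passwords': recomputed from the stored change dates."""
        c = self._computers[name]
        if caller not in c["full_control"]:
            raise PermissionError(f"{caller} lacks Full Control on {name}")
        return [(d, derive_password(self._master_key, c["guid"], d)) for d in c["dates"]]


if __name__ == "__main__":
    # Constructed sample data: one computer, one authorized OU admin.
    svc = SlamService(secrets.token_bytes(32))
    t0 = dt.datetime(2009, 3, 1, 8, 0, 0)
    svc.register_computer("WS-1234", uuid.uuid4(), t0, full_control={"LLNL\\ouadmin"})
    pwd, flag = svc.client_sync("WS-1234", t0 + dt.timedelta(days=1))
    print("client set:", pwd, "recently recovered:", flag)
    print("recovered :", svc.recover("LLNL\\ouadmin", "WS-1234", t0 + dt.timedelta(days=2)))
    svc.machine_password_changed("WS-1234", t0 + dt.timedelta(days=30))
    for when, old in svc.history("LLNL\\ouadmin", "WS-1234"):
        print("history   :", when.date(), old)
```

The property worth noticing is that nothing secret is stored per computer: a database of 9,000 change dates and GUIDs is worthless without the master key, and the key never leaves the service (the client and ADUC only ever see one computer's password over SSL). The flip side is that the master key is the whole site, which is why the slides have it RSA-encrypted at rest and why the recovery path is tied to an AD ACL the OU administrator already holds rather than to a new SLAM-specific permission.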

  13. SLAM Rollout @ LLNL
  • Developed in April 2008 by David Frye and Joe Taitt
  • Started deployment in June 2008
  • Became mandated in 2009 for all unclassified Windows computers (except DCs)
  • ~9,000 total SLAM clients
  • ~200 password recoveries per month

  14. SLAM Next Steps
  • SLAM Client for Mac (Daniel Hoit): client is developed and currently in test
  • Remove/disable non-SLAM local accounts: necessary next step to gain full benefit; needs exception policies and procedures; need to be careful

  15. Questions on SLAM?
