1 / 45

Kerberos Underworld

Kerberos Underworld. Ondrej Sevecek | MCM: Directory | MVP: Security ondrej@sevecek.com | www.sevecek.com . Kerberos Underworld. An Introduction. The topics. The hell of windows authentication mechanisms Basic, NTLM, Kerberos Certificates and smart cards or tokens

dinesh
Download Presentation

Kerberos Underworld

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript

  1. Kerberos Underworld Ondrej Sevecek | MCM: Directory | MVP: Security ondrej@sevecek.com | www.sevecek.com

  2. Kerberos Underworld An Introduction

  3. The topics • The hell of windows authentication mechanisms • Basic, NTLM, Kerberos • Certificates and smart cards or tokens • How they work differently • What is better or worse • Weird and weirder things that you may not know

  4. And the environment • Windows 2000 and newer • Active Directory domains • Maybe some trusts or multidomain forests • Connections to SMB, LDAP, Exchange, SQL, HTTP, WMI, remote administration, RDP and other servers

  5. Kerberos Underworld Network Interactions

  6. Local Logon Client 2000+ TGT: User Kerberos LDAP SMB TGS: LDAP, CIFS GPO List GPO Download DC2000+

  7. CTRL-ALT-DEL Password • Password is stored in memory only • LSASS process • In the form of MD4 hash • never given out

  8. Authentication Interactions in General App Traffic Client 2000+ Server2000+ In-band TGS: Server NTLM Occasional PAC Validation Kerberos SMB D/COM TGT: User NTLMPass-through TGS: Server D/COM Dynamic TCP DC2000+ DC2000+

  9. The three authentication methods • Basic • plain-text password • results in Kerberos authentication • NTLM • hashed password (MD4) method from the past • LM (DES), NTLM (DES), NTLMv2 (MD5) • Kerberos • hashed password (MD4)plus RC4/DES or AES • mutual authentication and delegation • can use certificates instead of passwords

  10. Basic and RDP Network Logon App Traffic Client 2000+ Server2000+ In-band clear text Kerberos TGT: User DC2000+ DC2000+

  11. NTLM Network Logon App Traffic Client 2000+ Server2000+ In-band NTLM hash SMB D/COM Pass-through NTLM hash D/COM Dynamic TCP DC2000+ DC2000+

  12. Kerberos Network Logon (basic principle) App Traffic Client 2000+ Server2000+ In-band TGS: Server Kerberos TGT: User TGS: Server DC2000+

  13. Kerberos Network Logon (complete) App Traffic Client 2000+ Server2000+ In-band TGS: Server Kerberos SMB D/COM Occasional PAC Validation TGT: User TGS: Server D/COM Dynamic TCP DC2000+ DC2000+

  14. Kerberos Underworld Performance Comparison

  15. NTLM Network Logon Client 2000+ Server2000+ 60 % CPU 55 % CPU DC2000+ DC2000+

  16. Kerberos Network Logon, no PAC Validation Client 2000+ Server2000+ 60 % CPU 0 % CPU DC2000+ DC2000+

  17. Kerberos Network Logon with PAC Validation Client 2000+ Server2000+ 60 % CPU 14 % CPU 0 % CPU DC2000+ DC2000+

  18. Basic Authentication Client 2000+ Server2000+ 5 % CPU 0 % CPU DC2000+ DC2000+

  19. NTLM Performance Issues Client Client Server Client Client Client Client Client 7 concurrent 40 sec. DC

  20. NTLM Trusts D\User A\Server DC A DC D DC C DC B

  21. Kerberos Trusts D\User A\Server DC A DC D DC C DC B

  22. Kerberos Underworld We Want Kerberos, so what?

  23. Basic Facts • Do not use IP addresses • Configure SPN (service principal name) • Have time in sync • Use trusted identities to run services on Windows 2008 and newer • instead of AD user accounts • no PAC validation • Enable AES with Windows 2008 DFL

  24. Trusted Identities – Network Service

  25. Trusted Identities – Service Accounts

  26. Trusted Identities – AppPoolIdentity

  27. Trusted Identities – Managed Service Account

  28. Kerberos Underworld Identity Isolation FOR Services

  29. Identity Isolation • Services on a single machine • Services that access other back-end services

  30. Windows Identities

  31. Kerberos Underworld Smart Card Logon

  32. Smart Card Logon App Traffic Client 2000+ Server2000+ Kerberos PKINIT TGT: User TGS: Server DC2000+ DC2000+

  33. Smart Card Logon and NTLM Client 2000+ Server2000+ NTLM Hash TGT: User NTLM Hash TGS: Server DC2000+ DC2000+

  34. Smart Card Logon and NTLM Client 2000+ Server2000+ NTLM Hash TGT: User NTLM Hash TGS: Server NTLM Hash DC2000+ DC2000+

  35. Kerberos Underworld Delegation

  36. Basic Delegation Front-End Server Back-End Server Client Password TGT: User TGS: Back-End DC

  37. Kerberos Delegation Options

  38. Kerberos Delegation (Simplified) Front-End Server Back-End Server Client TGS: Front-End TGT: User TGS: Back-End TGS: Front-End DC DC

  39. Protocol Transition Front-End Server Back-End Server Client Nothing Kamil TGS: Back-End DC

  40. Kerberos Underworld Group Membership

  41. Group Membership Limits • AD Group in forest with 2000 FFL • 5000 direct members limit • AD Group in forest with 2003+ FFL • unlimited membership • Kerberos Ticket • network transport • limited to 8 kB on 2000 and XP • up to 12 kB on 2003+ • HTTP.SYS header limits • 16 kB of Base-64 encoded tickets • Access Token • local representation of a logon • up to 1025 groups including local and system

  42. Kerberos Ticket (PAC)

  43. Kerberos Underworld Takeaway

  44. Takeaway • Kerberos is most secure, flexible and performance efficient • Don’t be afraid and play with them! Ondrej Sevecek | MCM: Directory | MVP: Security ondrej@sevecek.com | www.sevecek.com

  45. Don’t forget to submit your feedback and win a great Nokia smartphone and Kindle e-reader!

More Related