Nowadays, many companies have third-party administrators who access their Windows servers, probably through VPN (Virtual Private Network) connections and RDP (Remote Desktop Protocol), leaving the password hashes on their own workstations or laptops.
From there the hashes could be hijacked and further used to log in to the system. The hacker could then search for other hashes and start moving laterally until they find the domain admin credentials and access to domain controllers. After that, the game is over: you have lost your throne. You might have Windows 10 or Windows Server 2016, on which you could have enabled Credential Guard, but, let’s face it, every company that has more than three Windows servers probably has some OS flavors older than those. Windows 7 finally came to its EOL (End Of Life) on 14 January 2020, and Windows Server 2012 R2 will reach its EOL on 10 October 2023. So, dare I say it, this is a real security threat that needs to be addressed accordingly.
One good way to mitigate this is to implement the PAM (Privileged Access Management) system and processes in production. Start managing your privileged accounts, take hold of them, and don’t let them roam free.
The first thing would be to run a scan and discovery tool to acquaint yourself with your privileged account surface. You might be surprised at what can be found and what is lurking in the depths of your environment. After you know what you have, and which credentials are which, try to delete all the unneeded ones and duplicates. You will be amazed at how many “obsolete” accounts can be found in old Active Directories.
After you have completed this cleanup, you should know the state of your environment and you will be ready for the next step. Try to come up with a plan for compiling your standardized user access roles. In practice, think of your admins and stakeholders and the kinds of access they have, and whether some combinations of access keep recurring. Go and talk with them. Is some access needed if another is given? You could go as far as beginning to think of PEDM (Privileged-Elevation-Delegation-Management), a functionality that usually lives on the user’s workstation, where a normal user can elevate their access so that they can, for example, run an installer of some application if needed.
Now implement the PAM system in production. There are mainly two types of PAM solutions at the moment for credential management – the ones which do password vaulting and rotation and the ones which mitigate the use of passwords and use ephemeral certificates (of course, there are many more functionalities and capabilities, but these are the main things). In this example, we are storing passwords in the password vault and then automatically managing and rotating them as necessary.
When the PAM solution has been implemented in production, you will have an empty password vault waiting for the credentials to be saved in it. Start onboarding the credentials into the vault. The process can be carried out manually, or by using automatic credential discovery over the domain/network. The automatic part usually needs a domain admin account and access to Active Directory for NixOS sudo rights, and the IP ranges of the server’s networks will also be needed. When the credentials and keys have been onboarded, it is good practice to configure the rotation, password complexity, show, lock and session monitoring policies. In addition, the “admin” credentials need to be declared in the PAM system to enable it to reconcile the target password. If, for instance, someone had changed it, it would be different from the one stored in the vault. The generated passwords should follow modern best practices for password strength.
Ideally, your RDP access credentials would now be secured in your PAM vault. A user with proper privileges can now log in to the PAM system using their own credentials, verifying their identity with two-factor or multi-factor authentication. Through the PAM solution, the user would initiate the needed RDP connection to the target server. What happens here (see Figure 1) differs between vendors, but in one case the user is given an RDP file that configures the opened RDP session to connect to the PAM proxy using the user’s own credentials. The proxy is then given the password of the target server user from the vault, and, after that, it initiates the RDP connection to the target server. A “tunnel” is created from the user to the target server, with the proxy server in the middle. No passwords are passed to the users or their workstations. After the user finishes and the connection is closed, the used password is automatically rotated and a new one is set on the target system. The user was connected to the target server without knowing the credentials, and the password hashes are no longer usable, as the password has been changed.
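The brokered session, rotation on close and reconciliation described above can be modelled in a few lines. This is an added example, not code from the original article or from any PAM product. `Target`, `Vault` and `Proxy` are hypothetical classes, and SHA-256 stands in for the password hash a logon would leave behind.

```python
import hashlib
import secrets
import string

ALPHABET = string.ascii_letters + string.digits + "!#%&*+-_"

def digest(password):
    # Stand-in for the hash a logon leaves behind (SHA-256, not a real NT hash).
    return hashlib.sha256(password.encode()).hexdigest()

class Target:
    """Constructed target server with one privileged account."""
    def __init__(self, password):
        self.stored = digest(password)
    def logon(self, password):
        return secrets.compare_digest(self.stored, digest(password))
    def set_password(self, password):
        self.stored = digest(password)

class Vault:
    def __init__(self, target, password):
        self.target, self.password = target, password
    def rotate(self):
        # Generate a random 24-character password and push it to the target.
        new = "".join(secrets.choice(ALPHABET) for _ in range(24))
        self.target.set_password(new)
        self.password = new
    def reconcile(self):
        # Drift check: someone changed the password outside the vault.
        if self.target.logon(self.password):
            return False
        self.rotate()  # in a real product this uses the declared admin account
        return True

class Proxy:
    def __init__(self, vault, authorized):
        self.vault, self.authorized = vault, authorized
    def session(self, user, mfa_ok):
        # The user proves identity to the PAM system, never to the target.
        if not mfa_ok or user not in self.authorized:
            raise PermissionError(f"{user}: access denied")
        self.vault.reconcile()
        used = self.vault.password            # stays on the proxy side
        if not self.vault.target.logon(used):
            raise RuntimeError("target rejected vaulted credential")
        captured = digest(used)               # worst case: hash seen in-session
        self.vault.rotate()                   # session closed, rotate at once
        return {"user": user, "captured_hash": captured}
```

The returned `captured_hash` exists only so the model can show that a hash taken during the session no longer matches what the target stores after rotation.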
© 2020 KPMG Oy Ab, a Finnish limited liability company and a member firm of the KPMG network of independent member firms affiliated with KPMG International Cooperative (“KPMG International”), a Swiss entity. All rights reserved.