Anyone Use AV at home?

Which passwords? CESG actually recommend that passwords aren't rotated/expired now.

https://www.cesg.gov.uk/articles/problems-forcing-regular-password-expiry

Admin passwords. Attackers don't really care about standard user passwords, and besides, in most cases some sort of 2FA should be possible for user credentials.

Admin passwords should be rotated regularly, ideally after every session, to protect them from being captured by malware and so that, on Windows machines, password hashes are invalidated as soon as possible.
 
Out of interest, have you got a source or standard that backs that statement up?

Can't say I've heard of that before and would assume that's impractical in a lot of situations.

I said 'ideally' - it's not a defined standard by any of the usual bodies.

Yes, it's impractical, unless you have a tool that manages your admin sessions and enforces the rotation - there are plenty out there that can do just this. Manually changing passwords after each session would be an almost impossible task, especially if multiple admins are using the same access.
 

As mentioned above there are tools that do this.

I worked somewhere whereby admin credentials were checked out when you wanted to use them (and needed two people to put in their halves of the password that allowed you to do so), then when you logged out it changed the password with a new one it had generated.
 
for AV I use a pfsense box between WAN and LAN - setup squid as transparent proxy scanning content and clam AV plugged in for the AV scanning
 
How secure is the mechanism that's resetting the admin password?

Either way it seems a bit extreme :), you don't need the password, you just need a user account capable of resetting the password (EoP)
 
You store the admin password on a secure server. The secure server has the ability to remote-connect to the target server by SSH or PowerShell Remoting or whatever. The secure server rotates the password by logging on to the target server as the admin account and resetting it using a standard command like passwd. You don't need another account.

It's not extreme when you realise that the majority of hacks involve stolen admin credentials, captured using keyloggers, RAM scrapers, network taps or stealing them from plaintext password stores (e.g. Excel) or config files. Keeping these credentials away from hackers means keeping them away from users' desktops.
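The checkout-and-rotate workflow described in this thread (credential held on a secure server, released under dual control, password changed on the target the moment the session ends) as an added illustration that is not code from anyone in the thread or from any particular product. The target server is simulated in-process by a `SimulatedTarget` class that, like `passwd`, demands proof of the old password before accepting a new one; the `CredentialVault`, `Session` and `fingerprint` names are assumptions for this example, and in a real deployment the rotate callback would run `passwd` over SSH or the equivalent over PowerShell Remoting instead.

```python
"""Simulated privileged-access vault: check out an admin credential under
dual control, then rotate it on the target as soon as the session is checked in.
Constructed example; the target system is simulated in-process."""
import hashlib
import secrets
import string
from dataclasses import dataclass
from typing import Callable, Dict, List

PASSWORD_ALPHABET = string.ascii_letters + string.digits + "!#$%&*+-=?@^_"


def generate_password(length: int = 32) -> str:
    """Replacement password from a CSPRNG (secrets, never random)."""
    return "".join(secrets.choice(PASSWORD_ALPHABET) for _ in range(length))


def fingerprint(password: str) -> str:
    """Short hash so audit records never contain the password itself."""
    return hashlib.sha256(password.encode()).hexdigest()[:12]


class SimulatedTarget:
    """Stands in for the managed server (assumption: replaces SSH + passwd).
    Like passwd, it requires the current password before setting a new one."""

    def __init__(self, passwords: Dict[str, str]):
        self.passwords = dict(passwords)

    def change_password(self, account: str, old: str, new: str) -> None:
        if self.passwords.get(account) != old:
            raise PermissionError(f"authentication failed for {account}")
        self.passwords[account] = new


@dataclass
class Session:
    account: str
    user: str
    password: str  # lives only in memory between checkout and checkin


class CredentialVault:
    """Holds admin passwords; each checkin rotates the credential on the target."""

    def __init__(self, rotate: Callable[[str, str, str], None], approvers_required: int = 2):
        self._secrets: Dict[str, str] = {}
        self._checked_out: Dict[str, Session] = {}
        self._rotate = rotate            # callback: (account, old, new) -> None
        self.approvers_required = approvers_required
        self.audit: List[str] = []

    def enrol(self, account: str, current_password: str) -> None:
        self._secrets[account] = current_password
        self.audit.append(f"enrol {account} fp={fingerprint(current_password)}")

    def checkout(self, account: str, user: str, approvers: List[str]) -> Session:
        if account in self._checked_out:
            holder = self._checked_out[account].user
            raise RuntimeError(f"{account} already checked out by {holder}")
        distinct = set(approvers) - {user}   # no self-approval counts
        if len(distinct) < self.approvers_required:
            raise PermissionError("dual control not satisfied")
        session = Session(account, user, self._secrets[account])
        self._checked_out[account] = session
        self.audit.append(f"checkout {account} by {user} approved_by={sorted(distinct)}")
        return session

    def checkin(self, session: Session) -> str:
        """Rotate on the target first, then store the new secret; returns its fingerprint.
        If the target rejects the old password (e.g. a stale session object), nothing is stored."""
        new_password = generate_password()
        self._rotate(session.account, session.password, new_password)
        self._secrets[session.account] = new_password
        del self._checked_out[session.account]
        self.audit.append(
            f"checkin {session.account} by {session.user} rotated fp={fingerprint(new_password)}"
        )
        return fingerprint(new_password)


if __name__ == "__main__":
    target = SimulatedTarget({"root": "initial-password"})   # constructed sample
    vault = CredentialVault(target.change_password)
    vault.enrol("root", "initial-password")
    sess = vault.checkout("root", "alice", ["bob", "carol"])
    vault.checkin(sess)          # old password is now useless on the target
    print("\n".join(vault.audit))
```

The point of ordering the rotation before the store is that a captured password is only valuable until the next checkin; the audit trail records who held the account and which approvers released it, but only fingerprints of the secret, so the log itself does not become another plaintext password store.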
 
Depends what it is you are protecting...

A great recent example is Bangladesh Central Bank. Hackers managed to get malware on users' desktops (not picked up by AV) that was able to scan for and find privileged credentials for an application called SWIFT, which controls inter-bank transactions. They were also able to record the steps that people went through to actually use SWIFT, and learn how to use it for themselves.

They then were able to use the stolen credentials to execute $1 billion of transactions. Fortunately most were stopped by intermediary banks (due to obvious spelling mistakes in some transactions!) but about $80 million found its way to a dodgy casino in the Philippines.

You can also look up Target (40 million sets of credit card details stolen) and 'Kemuri Water Company' (hackers were able to change the mix of chemicals going in to the consumer water supply) to see what can happen when the bad guys manage to steal an admin password.

So yeah, lock them up tight.
 
You don't need to lock those passwords up so securely (other than to appease auditors) because at the end of the day bypassing them or resetting them is far simpler.

Those are interesting vulnerabilities, for sure. However I disagree when you say you don't need to lock up passwords. The research from organisations like Mandiant shows that almost every attack involves credential theft at some point. Engineering attacks like the two you mentioned is pretty difficult, and once the flaw is repaired (as your examples were) then you're forced to find a new point of entry.

If I steal a password and log on, I'm immediately bypassing all of the security measures in place, and there's no patch that will stop users coughing up passwords sooner or later.
 