Network security: Minimum session security for NTLM SSP based (including secure RPC) servers    Enabled
    Require NTLMv2 session security    Enabled
    Require 128-bit encryption    Enabled
User Configuration (Enabled)
No settings defined.
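As an added example (not part of the thesis or of the GPO report above), the following PowerShell verifies on a host that the two requirements shown in this GPO setting are actually in effect. The setting writes a bitmask of NTLMSSP negotiate flags to the NtlmMinServerSec value (and its client-side counterpart NtlmMinClientSec) under HKLM\SYSTEM\CurrentControlSet\Control\Lsa\MSV1_0: "Require NTLMv2 session security" is bit 0x00080000 and "Require 128-bit encryption" is bit 0x20000000, so a compliant server value contains 0x20080000.

```powershell
# Added example: audit the NTLM minimum session security bits that the GPO setting
# "Network security: Minimum session security for NTLM SSP based (including secure
# RPC) servers" (and its "clients" counterpart) writes to the local registry.
$RegPath = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa\MSV1_0'

# NTLMSSP negotiate flags behind the two checkboxes in the GPO report.
$RequireNtlmv2SessionSecurity = 0x00080000   # NTLMSSP_NEGOTIATE_NTLM2
$Require128BitEncryption      = 0x20000000   # NTLMSSP_NEGOTIATE_128
$RequiredBits = $RequireNtlmv2SessionSecurity -bor $Require128BitEncryption   # 0x20080000

function Test-NtlmMinSessionSecurity {
    param(
        # The server-side value is the one the report above shows; the client-side
        # value governs what this host insists on when it is the one authenticating.
        [string[]]$ValueName = @('NtlmMinServerSec', 'NtlmMinClientSec')
    )
    foreach ($name in $ValueName) {
        # An absent value means no policy has been applied and the OS default is in
        # force; report it as 0 so both required bits show up as missing.
        $actual = 0
        $item = Get-ItemProperty -Path $RegPath -Name $name -ErrorAction SilentlyContinue
        if ($null -ne $item) { $actual = [int]$item.$name }

        # Test the required bits individually instead of demanding equality, so a
        # stricter policy that sets additional flags still counts as compliant.
        [pscustomobject]@{
            Setting       = $name
            Actual        = ('0x{0:X8}' -f $actual)
            RequireNtlmv2 = (($actual -band $RequireNtlmv2SessionSecurity) -ne 0)
            Require128Bit = (($actual -band $Require128BitEncryption) -ne 0)
            Compliant     = (($actual -band $RequiredBits) -eq $RequiredBits)
        }
    }
}

Test-NtlmMinSessionSecurity | Format-Table -AutoSize
```

Run it in an elevated session after `gpupdate /force`. A non-compliant row means the policy did not reach the host (check `gpresult /h report.html`); patching the value locally with Set-ItemProperty is pointless because the next policy refresh overwrites it, so the fix belongs in the GPO. Note also that these bits only harden NTLM sessions that do take place; they do not stop NTLM from being negotiated, which is governed by the separate "LAN Manager authentication level" setting.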
Finding Countermeasures For AD Threats Using NIST 800-30 Frameworks Page 155 of 161
Aldo Elam Majiah
The last artifact is also an output of the risk assessment: the list of threat-countermeasure pairs.
Appendix 8: Experts' Opinions
Identification    Opinion
Expert 01    She suggested that one of the AD components, security of network, might potentially have a broader scope than AD security itself, since security of network could be interpreted as a very wide subject ranging from physical security of routers/switches to port security, etc. She suggested renaming the component to security of network segmentation. Additionally, she mentioned that threats caused by virtualization could be added to the AD characterization step. Virtualization threats include inter-VM attacks at the hypervisor level, multi-tenancy for AD, and lack of hardening at VM hosts.
Expert 02    He suggested that the components of AD should have a strong theoretical background and that the AD Design & Boundary component is a critical component, meaning that if this component fails, all other components will likely fail as well. He also suggested that the thesis discuss the ISO 31000 risk framework series to strengthen the AD risk framework derived from NIST 800-30. Additionally, Expert 02 commented that GPO policy implementation may not be sufficient to secure a server/workstation; administrators may need to run the Security Configuration Wizard to really secure a host.
Expert 03    He raised the concern of pass-the-hash attacks on Windows platforms. He suggested that this attack should be added to the list of threats, as it could be used against DCs and AD member computers. Pass-the-hash is a technique that allows an adversary to authenticate to a remote server/service by using the underlying NTLM and/or LanMan password hash instead of the plaintext password. He also suggested that, to prevent pass-the-hash attacks, administrators can define high-privilege domain accounts, such as domain admins, to be able to log in from certain hosts only. Although this countermeasure does not completely thwart the threat, it can limit pass-the-hash attacks on domain accounts, thus preventing further escalation of privilege to the domain. This feature is available in ADUC.
Another attack on the Windows platform that can be added to the list of threat events is WPAD configuration poisoning, a threat that comes from an Internet Explorer configuration flaw. Basically, an adversary could create a host, WINS entry, or DNS entry called WPAD and redirect traffic from IE to this host. The WPAD threat can potentially enable an adversary to take control of others' proxy settings and retrieve users' credentials for that proxy. To prevent this threat, administrators could create a DNS entry for WPAD that points to the corporate proxy server, or they can disable the Auto Detect proxy setting on IE clients altogether using GPO.
A comment was also added as a countermeasure for MITM attacks on the network: implementing static ARP configuration in the switch. A static ARP entry is a permanent entry in the ARP cache; it can be managed from a Cisco device or a Windows host.
Implementation of IDS was also commented on as not effective, as an IDS can only detect and log the attack but takes no action against the attack in real time. It is preferable to replace the IDS implementation with an IPS.
Screensaver implementation on unattended workstations is also deemed a necessary security countermeasure to prevent shoulder-surfing attacks or disable the ability of an adversary to access unattended workstations.
There was also a concern about data theft attacks from Expert 03. The countermeasure for data theft, defined as disabling the use of portable media, is not considered sufficient. An adversary can use other ways to steal data and send it outside the organization's premises, such as email, FTP, or simply uploading the data to their own servers. In order to truly prevent data theft, an organization can use a DLP solution. A DLP solution is an integrated system designed to detect potential data breaches or data exfiltration. DLP prevents data theft by monitoring, detecting, and blocking sensitive data while the data is in use on workstations, in motion in network traffic, and at rest in data storage.
The last comment from Expert 03 was about environmental threats. Environmental threats should be placed outside the Security of AD computer members component, as the two are different in nature, thus creating a new AD component called Environmental threat.
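The two host-side countermeasures Expert 03 proposes, scripted as an added example (this is not code from the thesis). The ADUC "Account > Log On To..." dialog writes the userWorkstations attribute, which Set-ADUser exposes as -LogonWorkstations; the WPAD record is created with the DnsServer module. The group name, the host names PAW01/PAW02/DC01, the zone corp.example and the proxy address 10.10.0.25 are assumptions for illustration.

```powershell
# Added example (not from the thesis): Expert 03's countermeasures applied with the
# ActiveDirectory and DnsServer modules (RSAT), from an elevated session.
Import-Module ActiveDirectory
Import-Module DnsServer

# --- 1. Pass-the-hash containment: ADUC "Account > Log On To..." ----------------
# "Log On To" stores a comma-separated list of computer names in userWorkstations;
# the DC refuses a logon for the account from any other computer. Applying it to
# every Domain Admin means a DA hash harvested on an ordinary workstation cannot be
# replayed for a DA logon there.
function Set-PrivilegedLogonWorkstations {
    param(
        [string]$GroupName = 'Domain Admins',
        # Assumed names of the dedicated administrative hosts.
        [string[]]$AllowedHosts = @('PAW01', 'PAW02', 'DC01')
    )
    $list = $AllowedHosts -join ','
    Get-ADGroupMember -Identity $GroupName -Recursive |
        Where-Object objectClass -eq 'user' |
        ForEach-Object {
            Set-ADUser -Identity $_.distinguishedName -LogonWorkstations $list
            Get-ADUser -Identity $_.distinguishedName -Properties LogonWorkstations |
                Select-Object SamAccountName, LogonWorkstations
        }
}

# --- 2. WPAD poisoning: own the name before an attacker does ---------------------
# Register "wpad" pointing at the corporate proxy so clients that still auto-detect
# resolve the legitimate host. Caveat: the Windows DNS Server role ships with a
# global query block list that refuses to answer for "wpad" and "isatap" even when a
# record exists, so "wpad" has to be removed from that list for the record to work.
function Register-WpadRecord {
    param(
        [string]$ZoneName  = 'corp.example',   # assumed AD-integrated zone
        [string]$ProxyIPv4 = '10.10.0.25'      # assumed address of the corporate proxy
    )
    $block = (Get-DnsServerGlobalQueryBlockList).List
    if ($block -contains 'wpad') {
        Set-DnsServerGlobalQueryBlockList -List @($block | Where-Object { $_ -ne 'wpad' })
    }
    $existing = Get-DnsServerResourceRecord -ZoneName $ZoneName -Name 'wpad' -RRType A -ErrorAction SilentlyContinue
    if (-not $existing) {
        Add-DnsServerResourceRecordA -ZoneName $ZoneName -Name 'wpad' -IPv4Address $ProxyIPv4
    }
    Get-DnsServerResourceRecord -ZoneName $ZoneName -Name 'wpad'
}

Set-PrivilegedLogonWorkstations
Register-WpadRecord
```

Two caveats a practitioner should keep in mind. The "Log On To" check keys on the computer name the client presents during logon, which an attacker controls in an NTLM network logon, so it is a containment step rather than a boundary, in line with the expert's own remark that it does not completely thwart the threat. And pinning the DNS name covers only DNS resolution; a client that falls through to WINS or NetBIOS name resolution for WPAD can still be answered by a rogue host, which is why the expert's second option, disabling automatic detection on the clients, removes the exposure rather than redirecting it.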
Expert 04    Expert 04 suggested that environmental threats should not be included in the AD components. An environmental threat may be a threat for the organization, but it does not really relate to the AD implementation in an organization. The security GPO resulting from the assessment may also be too restrictive for this organization. He mentioned that the GPO may not be suitable for implementation in all environments, but it could be implemented in more sensitive and highest-security environments, such as organizations handling more sensitive data, those subject to stricter compliance rules, and top-secret government or military organizations.
Expert 05    Expert 05 recommended rating the countermeasures according to the risk level of their threats and also grouping them into people, process, and technology. As shown in the threat-countermeasure pairs, proper AD documentation may be a countermeasure for a medium-risk threat while privilege control is a countermeasure for a high-risk threat. He also stated that a vulnerability assessment can be grouped under process while lack of education can be grouped under people.
He also stated that there should be two separate threats related to anti-virus: one is incorrect configuration of anti-virus, which is already in the list, and the other is anti-virus not being updated. The latter threat may still exist even though the anti-virus is correctly configured.
For the threat insufficient log monitoring, the countermeasure should include enabling DNS logging. DNS logging is important because it can ease investigation in detecting from which computers an attacker launches an attack by reviewing DNS requests. For example, if a device tries, say, 500 different DNS requests and only one or two are valid, then this device is most likely being used in an attack.
Minimizing attack surface is not really a threat but a countermeasure instead. It is a countermeasure for the threat lack of basic security hardening implementation. And for this threat there should also be a countermeasure called lack of security hardening standards, which recommends having proper documentation on hardening the OS or applications.
The mishandling of information threat needs more controls, such as encryption of sensitive information.
Three of the threats related to passwords (rarely changed passwords, inadequate password policy implementation, and inadequate account lockout policy implementation) should be combined into one threat called weak password. The countermeasure for the weak password threat includes all countermeasures for the three original threats plus one additional countermeasure: implementation of dual custody.
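Expert 05's DNS heuristic (one device, hundreds of lookups, almost none of them valid) turned into detection logic, as an added example that is not part of the thesis. It runs over response lines written in the style of the Windows DNS Server debug log (%SystemRoot%\System32\dns\dns.log with packet logging enabled); only the server-to-client "Snd" packets carry the RCODE, so those are the ones counted. The log lines, client addresses and host names below are constructed sample data, not a capture, and the thresholds (50 answers, 5 % valid) are assumptions to tune per environment.

```powershell
# Added example (not from the thesis): flag DNS clients whose answers are almost all
# NXDOMAIN, i.e. hosts guessing names, over Windows DNS debug-log style lines.

# Build one constructed response line. NOERROR marks a valid name, NXDOMAIN a miss.
function New-DnsResponseLine {
    param([string]$ClientIp, [string]$Rcode, [string]$Name, [int]$Xid)
    $labels = (($Name.TrimEnd('.') -split '\.') | ForEach-Object { '({0}){1}' -f $_.Length, $_ }) -join ''
    $flags  = if ($Rcode -eq 'NOERROR') { '8081   DR' } else { '8385 A DR' }
    '3/1/2014 9:00:{0:D2} AM 0A2C PACKET  00000000021B8F30 UDP Snd {1,-12} {2:X4} R Q [{3}  {4}] A      {5}(0)' -f ($Xid % 60), $ClientIp, $Xid, $flags, $Rcode, $labels
}

function Get-SuspiciousDnsClients {
    param(
        [string[]]$Lines,
        [int]$MinAnswers       = 50,    # too few answers to judge a client
        [double]$MaxValidRatio = 0.05   # flag when 5% or fewer of the answers were valid names
    )
    # date time AM/PM thread PACKET ctx proto dir ip xid [R] Q [flags rcode] qtype qname
    $pattern = '^\S+ \S+ \S+ \S+ PACKET\s+\S+ (?<proto>UDP|TCP) (?<dir>Rcv|Snd) (?<ip>\S+)\s+\S+ (?<resp>R )?Q \[(?<inner>[^\]]+)\]\s+(?<qtype>\S+)\s+(?<qname>\S+)'
    $stats = @{}
    foreach ($line in $Lines) {
        # Queries received ("Rcv") carry no RCODE; only the answers sent do.
        if ($line -match $pattern -and $Matches.dir -eq 'Snd') {
            $ip    = $Matches.ip
            $rcode = ($Matches.inner.Trim() -split '\s+')[-1]   # last token inside [...] is the RCODE
            if (-not $stats.ContainsKey($ip)) {
                $stats[$ip] = @{ Total = 0; NxDomain = 0; Names = (New-Object 'System.Collections.Generic.HashSet[string]') }
            }
            $s = $stats[$ip]
            $s.Total++
            if ($rcode -eq 'NXDOMAIN') { $s.NxDomain++ }
            [void]$s.Names.Add($Matches.qname)
        }
    }
    foreach ($ip in $stats.Keys) {
        $s = $stats[$ip]
        $validRatio = ($s.Total - $s.NxDomain) / $s.Total
        [pscustomobject]@{
            Client      = $ip
            Answers     = $s.Total
            NxDomain    = $s.NxDomain
            UniqueNames = $s.Names.Count
            ValidRatio  = [math]::Round($validRatio, 3)
            Suspicious  = ($s.Total -ge $MinAnswers -and $validRatio -le $MaxValidRatio)
        }
    }
}

# Constructed sample: one ordinary workstation and one host guessing hostnames.
$xid = 1
$sample = @()
foreach ($n in 'www.corp.example', 'mail.corp.example', 'dc01.corp.example', 'intranet.corp.example') {
    foreach ($i in 1..5) { $sample += New-DnsResponseLine -ClientIp '10.1.1.50' -Rcode 'NOERROR' -Name $n -Xid ($xid++) }
}
foreach ($i in 1..498) {
    $sample += New-DnsResponseLine -ClientIp '10.1.1.77' -Rcode 'NXDOMAIN' -Name ('host{0:D3}.corp.example' -f $i) -Xid ($xid++)
}
foreach ($n in 'dc01.corp.example', 'mail.corp.example') {
    $sample += New-DnsResponseLine -ClientIp '10.1.1.77' -Rcode 'NOERROR' -Name $n -Xid ($xid++)
}

Get-SuspiciousDnsClients -Lines $sample | Sort-Object ValidRatio | Format-Table -AutoSize
```

Against a real file, replace `$sample` with `Get-Content "$env:SystemRoot\System32\dns\dns.log"`; the interleaved "Rcv" lines are skipped by the direction check. Expect legitimate high-NXDOMAIN sources, notably mail relays doing reverse and blocklist lookups and the recursive resolvers of other segments, and keep an allowlist for them, otherwise the heuristic drowns the 500-guess host the expert describes in noise.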
Expert 06    He began by noting that there should be more information on how to implement the countermeasures. More specific guidelines are needed for implementing each of the countermeasures.
He noted that for patch management, two solutions are needed: one is the monitoring (process side) and the other is the administrators who monitor it (people side).
For MITM-based attacks, he also added that static ARP implementation is not enough; there should be another countermeasure implemented in the switch, DHCP snooping, which allows only clients with specific IP/MAC addresses to have access to the network.
In relation to the sniffing threat, two countermeasures should be added. The first is to upgrade to a more secure protocol and the second is to harden physical access to the switches.
The next comment is about installation of unauthorized applications. From a network point of view, the organization can disable the use of unauthorized applications by performing whitelisting in the network's firewall. As an additional note, this would require a firewall that has the capability of identifying applications by their network signature.
RATs (remote administration tools) and the threats caused by these tools are considered important and deserve to be listed as a new item. These tools can use the existing infrastructure to make connections to outside the organization's network. The countermeasures for this threat are anti-virus implementation and an application-based firewall.
CURRICULUM VITAE
Name : Aldo Elam Majiah
Place / Date of birth : Sukabumi / November 18th, 1976
Mobile / Email : +6281319265243 / aldoelam@gmail.com
Description
Aldo is an IT technologist interested in IT security and infrastructure. He works as an IT security consultant, performing various penetration testing projects, mainly on banking and telco IT infrastructure and web applications. His job also includes hardening of Active Directory and Windows servers. Previously he worked as an administrator for Active Directory, Windows servers/workstations, and Citrix systems.
Formal education :
ST, Bachelor of Engineering, Engineering Physics, ITB
SS, Bachelor of Arts, English Language, UNPAD
IT certifications :
ECSA: EC-Council Certified Security Analyst v4
CEH: Certified Ethical Hacker version 5.0
CISSP: Certified Information Systems Security Professional
MCITP: Enterprise Administrator on Windows Server 2008
MCSE: Microsoft Certified System Engineer: Windows Server 2003
MCSA: Microsoft Certified System Administrator: Windows Server 2003
Microsoft Certified Solutions Associate: Windows Server 2008
CCA: Citrix Certified Administrator XenApp 5.0 on 2008
MCTS: Windows Server Virtualization (Hyper-V)
MCTS: System Center Configuration Manager (SCCM) 2007
MCTS: Windows Server 2008 Active Directory
MCTS: Windows Server 2008 Applications Infrastructure
MCTS: Windows Server 2008 Network Infrastructure
MCITP: Consumer Support Technician
MCTS: Windows Vista
Working experience:
May 2012 - Now, company: ITSEC Asia, position: Principal Consultant.
Sept 2011 - Apr 2012, company: PT Paserda Indonesia, position: IT Specialist Server.
Aug 2010 - Sept 2011, company: PT Carrefour Indonesia, position: SysAdmin Manager.
July 2005 - Aug 2010, company: PT Mitra Integrasi Informatika, last position: Solution Architect / Pre-sales Consultant.