Tracking Privileged Accounts in Windows Environments

Published: 2015-09-20
Last Updated: 2015-09-24 09:47:45 UTC
by Xavier Mertens (Version: 1)
12 comment(s)

While speaking with a customer, he complained about the huge number of privileged users with domain admin rights in his network. It seems to be a recurring problem for him: the security team reviews all the users at a time t and reduces the number of privileged accounts to the strict minimum. But the number of administrators quickly grows again and, at time t+x, they have to restart the cleaning process. Among the SANS 20 Critical Security Controls, control #12 focuses on controlling administrative privileges. The customer already has the following controls in place:

  • Auditing privileged accounts usage
  • Auditing privileged accounts changes (creation, removal)
  • Strong password policy

Unfortunately, control #7 (CSC 12-7) remains a pain: the use of privileged accounts for non-administrative tasks like reading e-mail or surfing the web. As most of the controls remain technical, a suggestion was to add an extra layer of awareness for administrators, to remind them that using privileged accounts can be dangerous. Instead of simply displaying a warning message, the idea was to force the administrator to describe (log) in a few words why he started an administrator session. The information is logged and can be used later to generate activity reports from their SIEM, like this example:

Timestamp            Host     User           Reasons of the session
2015-09-12 17:23:00  ServerA  a-user1        Installed patch MS-15-xxx
2015-09-14 09:43:12  DC1      administrator  Installed agent from xxxx
2015-09-15 12:16:34  SQL-2    a-user2        Emergency reboot

Invalid, funny or empty reasons can be investigated case by case, improving the control of privileged users.
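One way to shortlist the entries worth investigating, as an added example (this is not the PowerShell script mentioned below, nor any SIEM's own logic). It assumes the logged records are exported as text lines with timestamp, host, user and reason; the last three sample rows, the placeholder word list and the two-word minimum are constructed for the illustration.

```python
import re
from collections import Counter

# Constructed sample export: timestamp, host, user, free-text reason.
# The first three rows mirror the report; the last three are invented.
SAMPLE = """\
2015-09-12 17:23:00 ServerA a-user1 Installed patch MS-15-xxx
2015-09-14 09:43:12 DC1 administrator Installed agent from xxxx
2015-09-15 12:16:34 SQL-2 a-user2 Emergency reboot
2015-09-16 08:02:10 DC1 a-user2
2015-09-16 11:40:55 ServerA a-user1 asdf
2015-09-17 14:05:31 SQL-2 a-user2 test test test
"""

LINE = re.compile(r"^(\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) (\S+) (\S+)(?: (.*))?$")
MIN_WORDS = 2  # assumed threshold: a one-word reason explains little
PLACEHOLDERS = {"test", "asdf", "n/a", "none", "admin", "work", "x"}  # assumed

def parse(text):
    """Yield (timestamp, host, user, reason) for each well-formed line."""
    for line in text.splitlines():
        m = LINE.match(line.rstrip())
        if m:
            ts, host, user, reason = m.groups()
            yield ts, host, user, (reason or "").strip()

def review_flag(reason):
    """Return why a reason needs manual review, or None if it looks plausible."""
    words = re.findall(r"[A-Za-z0-9/-]+", reason.lower())
    if not words:
        return "empty"
    if all(w in PLACEHOLDERS for w in words):
        return "placeholder"
    if len(words) < MIN_WORDS:
        return "too short"
    return None

def triage(text):
    """Return (flagged records, count of flagged sessions per user)."""
    flagged = [(ts, host, user, reason, why)
               for ts, host, user, reason in parse(text)
               if (why := review_flag(reason))]
    return flagged, Counter(user for _, _, user, _, _ in flagged)

if __name__ == "__main__":
    flagged, per_user = triage(SAMPLE)
    for rec in flagged:
        print(*rec, sep=" | ")
    print(dict(per_user))
```

The per-user count shows which administrators repeatedly skip or trivialise the prompt; the flagged entries still need a human to judge them case by case.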

There are commercial solutions which implement this like Cyber-Ark or Digital Guardian. I wrote a PowerShell script which can be deployed as a logon script. Details are available on my blog.


Xavier Mertens
ISC Handler - Freelance Security Consultant
rootshell.be
truesec.be


Using testssl.sh

Published: 2015-09-20
Last Updated: 2015-09-20 20:06:58 UTC
by Basil Alawi S.Taher (Version: 1)
1 comment(s)

The testssl project has announced the release of testssl 2.6. testssl.sh is a free command-line tool which checks a server's service on any port for the support of TLS/SSL ciphers and protocols, as well as recent cryptographic flaws.

 

Here are some examples of how to use testssl.sh:

First you have to download the script from:

https://testssl.sh/

Running the script without any option will run all the tests:

testssl.sh google.com

If you would like to check for a specific vulnerability such as Heartbleed, you can run the following option:

testssl.sh -B isc.sans.edu

To check the supported cipher suites you can use the -f option:

./testssl.sh -f Microsoft.com

Another neat option is -H, which gives you some information about the HTTP header and marks the security features:

./testssl.sh -H isc.sans.edu


 

