slam - info.ornl.gov.ppt

Lawrence Livermore National LaboratoryA system for strong local account FryeLawrence Livermore National Laboratory, P. O. Box 808, Livermore, CA 94551This work performed under the auspices of the . Department of Energy by Lawrence Livermore National Laboratory under Contract DE-AC52- Subject: Local Accounts?puters have a local account database?Allows people or code to authenticate locally?Enable access to resources locally?At least 1 administrator (full permissions)?Maintained independently?No linkage to Active Directory?No centralized managementUCRL: LLNL-PRES-413302The Problem: Common Passwords?Admin Password typically set build time?Typically the same on all machines (imaging)?Password is seldom if ever changed?Often neglected when joined to DomainUCRL: LLNL-PRES-413302The Problem: Illustrated? Typical AD Environment? Machines built from images? Local Administrator enabled? Password monUCRL: LLNL-PRES-413302The Problem: Illustrated? Machine hack = site hack?AD is immune? AD can’t helpHackerUCRL: LLNL-PRES-413302Disable Local Accounts??Offline without cached credentials?Temporary administration?Scientists on travel w/ need to install sw.?Dropped from domain?OS Virtualization?Re-enable via Recovery Console requires physical : LLNL-PRES-413302The Options: ?Disable all local accounts ?Best option?Not feasible in most environments?Deny “Access puter From work”?Force physical login?Kills remote management capability?Enabled accounts mon static passwords?Most typical?Most dangerous?Other mercial solutions (expensive)UCRL: LLNL-PRES-413302Strong Local Admin Manager (SLAM)UCRL: LLNL-PRES-413302How it puter Last Password Change Date + GUIDSHA-256 HMAC? Crypto-Random 256 bits? RSA 1024 bit encryptedLocal Administrator PasswordUCRL: LLNL-PRES-413302How it works:? OU Administrator uses AD Users & Computers (ADUC)? Custom Context Menu Option for SLAM Recovery? ADUC connects to Web Service & returns passwordUCRL: LLNL-PRES-41330