SLAM

David Frye

A system for strong local account management.

Lawrence Livermore National Laboratory, P. O. Box 808, Livermore, CA 94551

This work performed under the auspices of the U.S. Department of Energy by Lawrence Livermore National Laboratory under Contract DE-AC52-07NA27344.

The Subject: Local Accounts
  • All computers have a local account database
  • Allows people or code to authenticate locally
  • Enable access to resources locally
  • At least 1 administrator (full permissions)
  • Maintained independently
    • No linkage to Active Directory
    • No centralized management

UCRL: LLNL-PRES-413302

the problem common passwords
The Problem: Common Passwords
  • Admin password typically set at build time
  • Typically the same on all machines (imaging)
  • Password is seldom if ever changed
  • Often neglected when joined to Domain

The Problem: Illustrated
  • Typical AD Environment
  • Machines built from images
  • Local Administrator enabled
  • Password is common

The Problem: Illustrated
  • Machine hack = site hack
  • AD is immune
  • AD can’t help

Disable Local Accounts?
  • Offline without cached credentials
  • Temporary administration
    • Scientists on travel who need to install software
  • Dropped from domain
    • OS Virtualization
  • Re-enable via Recovery Console requires physical access.

The Options:
  • Disable all local accounts
    • Best option
    • Not feasible in most environments
  • Deny “Access This Computer From The Network”
    • Force physical login
    • Kills remote management capability
  • Enabled accounts with common static passwords
    • Most typical
    • Most dangerous
  • Other options
    • Commercial solutions (expensive)

Strong Local Admin Manager (SLAM)


How it works:

  • Key: master hashing key
    • Crypto-Random 256 bits
    • RSA 1024 bit encrypted
  • Input: Computer Last Password Change Date + GUID
  • Function: SHA-256 HMAC
  • Output: Local Administrator Password


How it works:

  • OU Administrator uses AD Users & Computers (ADUC)
  • Custom Context Menu Option for SLAM Recovery
  • ADUC connects to Web Service & returns password


How it works:

  • Passwords are NOT random
  • Passwords are calculated
  • Only the master hashing key & computer password change dates are stored

How it works:

  • SLAM Recovery leverages existing authorization in AD
  • Permissions Required: Full Control of computer object

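The derivation from the two "How it works" slides (SHA-256 HMAC keyed with the master key over the last password change date + computer GUID), as an added example that is not SLAM's own code: the password character set, the 16-character default length, the date/GUID encoding and the sample GUID are all assumptions made here, and the "store" dict stands in for the per-computer change dates the web service keeps.

```python
import hashlib
import hmac
import secrets
import string
import uuid
from datetime import date

# Printable alphabet for the derived password; constructed for this example
# (the slides do not say which character set SLAM uses).
ALPHABET = string.ascii_letters + string.digits + "!#%&*+-=?@"


def new_master_key() -> bytes:
    """256-bit crypto-random master hashing key. SLAM keeps it RSA-encrypted
    at rest; here it only lives in memory."""
    return secrets.token_bytes(32)


def derive_password(master_key: bytes, change_date: str, computer_guid: str,
                    length: int = 16) -> str:
    """SHA-256 HMAC over (last password change date + computer GUID), keyed
    with the master key, mapped to a printable local administrator password."""
    if not 1 <= length <= 32:
        raise ValueError("length must be 1..32 for one SHA-256 digest")
    # Validate and canonicalise both inputs so the same computer/date always
    # produces the same message bytes.
    day = date.fromisoformat(change_date).isoformat()
    guid = str(uuid.UUID(computer_guid))
    msg = f"{day}|{guid}".encode()
    digest = hmac.new(master_key, msg, hashlib.sha256).digest()
    # Byte-to-character map; len(ALPHABET) does not divide 256, so this has a
    # small modulo bias. Fine for illustration, not a production encoder.
    return "".join(ALPHABET[b % len(ALPHABET)] for b in digest[:length])


def rotate(master_key: bytes, store: dict, computer_guid: str, today: str) -> str:
    """Daily client run: the only per-computer state recorded is the new
    change date; the password itself is never stored anywhere."""
    store[computer_guid] = today
    return derive_password(master_key, today, computer_guid)


def recover(master_key: bytes, store: dict, computer_guid: str) -> str:
    """Web-service side of SLAM Recovery: recompute from the stored date."""
    return derive_password(master_key, store[computer_guid], computer_guid)


if __name__ == "__main__":
    key = new_master_key()
    store: dict = {}
    guid = "12345678-1234-5678-1234-567812345678"  # constructed sample GUID
    first = rotate(key, store, guid, "2009-03-01")
    assert recover(key, store, guid) == first
    print("recovered:", first)
```

Because nothing but the key and the date is stored, compromising the web service's database without the key yields no passwords, and each daily rotation changes the password on every machine independently.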

How it works: components

  • Web Service
    • Holds the Master Key and each Computer Password Change Date
    • Checks for recently expired Computer pwd
    • Checks for recently recovered Admin pwd
    • Validates Authorization
    • Calculates and returns password
  • SLAM Client (talks to the Web Service over SSL)
    • Small .NET app
    • Daily process
    • Requests new Local Admin Pwd
    • Creates local account if needed
  • AD OU Administrator, via ADUC (talks to the Web Service over SSL)
    • Copy to clipboard
    • Historical passwords
    • Print

SLAM Rollout @ LLNL
  • Developed in April 2008 by David Frye and Joe Taitt
  • Started deployment in June 2008
  • Became mandated in 2009 for all unclassified Windows computers (except DCs)
  • ~9,000 Total SLAM Clients
  • ~200 Password Recoveries per Month

SLAM Next Steps
  • SLAM Client for Mac (Daniel Hoit)
    • Client is developed & currently in test
  • Remove/Disable non-SLAM local accounts
    • Necessary next step to gain full benefit
    • Need exception policies and procedures
    • Need to be careful

Questions on SLAM?
