Security in a shared infrastructure, Björn Brolin

Post on 31-Dec-2015

Security in a shared infrastructure

Björn Brolin

What's the security policy?

• What are your assets?
  • The unique information and functions of your IT services
• Who is in control of those assets?
  • Some companies don't even have a single employee left
• Do you have a security policy?
  • Most have, but…
  • Does it really apply to the people in control of your assets?

What's the security policy?

• We're good, we have a written agreement that the partner will follow our security policy
  • Let's say the partner has more than a hundred customers. Is it even realistic to assume they can comply with everyone's policy?
• We're good, we use cloud services
  • No security policy required?

Access entanglement

(diagram: Partner; Customer 1; Customer 2; Customer 3)

Access entanglement

• Information leakage
  • RDP mapped devices
  • Shared management of IT resources
  • Shared access to backend infrastructure
• Unauthorized access
  • RDP mapped devices again

Access entanglement

• Weak security settings
  • Skipping certificate validation
  • Difficult to decide which CAs to trust
• Jump hosts can make a huge difference
  • But they also lead to more complex administration
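The "skipping certificate validation" and "which CAs to trust" points are worth seeing side by side. The following is an added example, not code from the talk: it shows the weak pattern that turns up in scripts written for partner systems with private CAs, and a hardened alternative that decides trust per connection against an explicit allow-list of CA thumbprints, so the partner's CA never has to be installed as a machine-wide root. The file names and the partner CA are constructed placeholders.

```powershell
# Added example, not from the talk. Weak pattern vs. per-connection CA allow-list.
# All file names and the partner CA below are constructed placeholders.

# --- Weak: this one-liner accepts ANY certificate, so TLS no longer authenticates the server.
#     Commented out on purpose; it is here only so it is recognised in scripts you inherit.
# [System.Net.ServicePointManager]::ServerCertificateValidationCallback = { $true }

# --- Hardened: build and validate the chain, then accept it only if it ends in one of OUR CAs.
function Test-ServerCertificateTrusted {
    param(
        [Parameter(Mandatory)]
        [System.Security.Cryptography.X509Certificates.X509Certificate2]$ServerCert,

        # SHA-1 thumbprints of the root CAs this client is willing to trust for this partner
        [Parameter(Mandatory)]
        [string[]]$TrustedRootThumbprints,

        # CA certificates not installed in the machine store (e.g. the partner's private CA)
        [System.Security.Cryptography.X509Certificates.X509Certificate2[]]$ExtraCaCerts = @()
    )

    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    try {
        $policy = $chain.ChainPolicy
        $policy.RevocationMode = [System.Security.Cryptography.X509Certificates.X509RevocationMode]::Online
        foreach ($ca in $ExtraCaCerts) { [void]$policy.ExtraStore.Add($ca) }

        # Let the chain build even when the root is unknown to Windows: the root is judged
        # by the thumbprint allow-list below, not by the machine's root store.
        $policy.VerificationFlags = [System.Security.Cryptography.X509Certificates.X509VerificationFlags]::AllowUnknownCertificateAuthority

        if (-not $chain.Build($ServerCert)) {
            return $false   # expired, revoked, bad signature, missing intermediate, ...
        }

        # Any remaining status other than "root not in the Windows store" is fatal.
        foreach ($s in $chain.ChainStatus) {
            if ($s.Status -ne 'NoError' -and $s.Status -ne 'UntrustedRoot') { return $false }
        }

        # The last element of a fully built chain is the root; it must be on our list.
        $root = $chain.ChainElements[$chain.ChainElements.Count - 1].Certificate
        return [bool]($TrustedRootThumbprints -contains $root.Thumbprint)
    }
    finally {
        $chain.Reset()
    }
}

# Usage: check a certificate a partner's server presented (exported to a .cer file).
# Hostname matching is a separate check and still has to be done by the caller.
$partnerCa  = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 'C:\Certs\partner-root.cer'
$serverCert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 'C:\Certs\partner-server.cer'
$trusted    = Test-ServerCertificateTrusted -ServerCert $serverCert `
                                            -TrustedRootThumbprints @($partnerCa.Thumbprint) `
                                            -ExtraCaCerts @($partnerCa)
"Partner server certificate trusted: $trusted"
```

The design choice is that trust is scoped: the partner's CA is accepted only for the connections that pass through this function, while the machine's root store, and every other TLS client on the host, are left untouched. That is a narrower answer to "which CAs do we trust" than either disabling validation or installing a hundred partner roots machine-wide.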

Azure web hosting plan modes under the hood

• The new portal allows for shell command execution
• It is specifically stated that privileged commands are limited
• Difficult to screen every command for potential security implications
• The virtual machine is close to identical regardless of hosting plan

Just enough administration, just in time

• JEA: package certain administrative tasks and restrict their use
• JIT: admin rights are available only at certain times

Just enough administration
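What a JEA endpoint and a JIT group membership look like in practice, as an added example that is not part of the talk's demo: members of an operator group get a PowerShell endpoint that can restart exactly one service and nothing else, running under a virtual account so they never hold a privileged credential, and a separate admin group membership is granted with an expiry time. The group names (CONTOSO\ServiceOperators, CONTOSO-Tier1-Admins), the module name, the paths and the Spooler service are assumptions for illustration.

```powershell
# Added example, not from the talk. Minimal JEA endpoint plus a time-limited (JIT) group membership.
# Group names, module name, paths and the service name are assumptions.
# Run elevated on the target host. Step 4 needs the ActiveDirectory module and the
# Privileged Access Management optional feature enabled in the forest.

$moduleName = 'OperatorJea'
$modulePath = Join-Path $env:ProgramFiles "WindowsPowerShell\Modules\$moduleName"
$rcPath     = Join-Path $modulePath 'RoleCapabilities'
New-Item -ItemType Directory -Path $rcPath -Force | Out-Null
New-ModuleManifest -Path (Join-Path $modulePath "$moduleName.psd1")   # lets PowerShell find RoleCapabilities

# 1. Role capability (.psrc): the allow-list of what the role may run.
#    Restart-Service is exposed with -Name pinned to 'Spooler'; Get-Service is read-only.
#    Every other cmdlet, including anything that would give shell access, is simply not visible.
New-PSRoleCapabilityFile -Path (Join-Path $rcPath 'ServiceOperator.psrc') -VisibleCmdlets @(
    @{ Name = 'Restart-Service'; Parameters = @{ Name = 'Name'; ValidateSet = 'Spooler' } },
    'Get-Service'
)

# 2. Session configuration (.pssc): restricted language, run as a temporary virtual account
#    (the operator never holds a privileged credential that could leak), full transcription.
$configPath = Join-Path $env:ProgramData 'JEAConfiguration\ServiceOperator.pssc'
New-Item -ItemType Directory -Path (Split-Path $configPath) -Force | Out-Null
New-PSSessionConfigurationFile -Path $configPath `
    -SessionType RestrictedRemoteServer `
    -RunAsVirtualAccount `
    -TranscriptDirectory (Join-Path $env:ProgramData 'JEATranscripts') `
    -RoleDefinitions @{ 'CONTOSO\ServiceOperators' = @{ RoleCapabilities = 'ServiceOperator' } }

if (-not (Test-PSSessionConfigurationFile -Path $configPath)) {
    throw "Session configuration file failed validation: $configPath"
}

# 3. Register the endpoint. Operators then connect with:
#    Enter-PSSession -ComputerName <host> -ConfigurationName JEA-ServiceOperator
Register-PSSessionConfiguration -Name 'JEA-ServiceOperator' -Path $configPath -Force | Out-Null

# 4. JIT: group membership that expires by itself, so admin rights exist only for the change window.
#    One-time prerequisite in the forest: Enable-ADOptionalFeature 'Privileged Access Management Feature'.
Add-ADGroupMember -Identity 'CONTOSO-Tier1-Admins' -Members 'alice' -MemberTimeToLive (New-TimeSpan -Hours 2)
```

The two halves address the two slide bullets separately: the .psrc/.pssc pair is the "package certain tasks and restrict their use" part, and the expiring membership is the "available only at certain times" part. In a shared-infrastructure setting the transcript directory is what lets each customer audit what the partner's operators actually ran.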

LSA protection and identity theft

• Lslsass revisited
• Terminal session connect using /restrictedAdmin
• DisableRestrictedAdmin
  • HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa\
  • Debated in the security community as a weakness because it enables passing the hash to the Remote Desktop service
• RunAsPPL
  • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa
  • Lsass is created as a protected process
  • 3rd-party Lsass extensions will no longer load unless they are signed correctly
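The RDP "mapped devices" slides and this LSA slide both come down to a handful of machine settings, so here is one added audit script (not from the talk) that reports them together: whether RDP drive and clipboard redirection are disabled by policy on the host, whether Lsass runs as a protected process, and what the Restricted Admin setting is. The expected values are this example's own hardening interpretation; the Restricted Admin entry is only reported, since the talk presents it as a debated trade-off rather than a setting with one right value.

```powershell
# Added example, not from the talk. Reports RDP redirection and LSA settings against a
# hardened baseline. Expected values are this example's interpretation; adjust to your policy.

$checks = @(
    @{
        Name     = 'RDP drive redirection disabled (fDisableCdm)'
        Path     = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services'
        Value    = 'fDisableCdm'
        Expected = 1
        Why      = 'Mapped client drives expose the admin workstation to every host it connects to'
    },
    @{
        Name     = 'RDP clipboard redirection disabled (fDisableClip)'
        Path     = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services'
        Value    = 'fDisableClip'
        Expected = 1
        Why      = 'The clipboard is a second, often forgotten, channel for data leakage between tenants'
    },
    @{
        Name     = 'Lsass runs as a protected process (RunAsPPL)'
        Path     = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
        Value    = 'RunAsPPL'
        Expected = 1
        Why      = 'Unsigned code cannot open Lsass to read credentials; 3rd-party LSA plug-ins must be signed'
    },
    @{
        Name     = 'Restricted Admin mode (DisableRestrictedAdmin)'
        Path     = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
        Value    = 'DisableRestrictedAdmin'
        Expected = $null   # reported only: 0 enables Restricted Admin, which the talk calls a debated trade-off
        Why      = 'Keeps credentials off the remote host, but the RDP service then accepts a hash instead of a password'
    }
)

function Get-HardeningStatus {
    param([hashtable[]]$Checks = $checks)
    foreach ($c in $Checks) {
        $actual = $null
        if (Test-Path $c.Path) {
            $actual = (Get-ItemProperty -Path $c.Path -Name $c.Value -ErrorAction SilentlyContinue).($c.Value)
        }
        $status = if ($null -eq $c.Expected)      { 'Review' }
                  elseif ($actual -eq $c.Expected) { 'OK' }
                  else                             { 'FAIL' }
        [pscustomobject]@{
            Check    = $c.Name
            Actual   = if ($null -eq $actual) { '<not set>' } else { $actual }
            Expected = if ($null -eq $c.Expected) { 'n/a' } else { $c.Expected }
            Status   = $status
            Why      = $c.Why
        }
    }
}

Get-HardeningStatus | Format-Table Check, Actual, Expected, Status -AutoSize

# Remediation for the settings the baseline treats as "must"; run elevated.
# RunAsPPL takes effect after a reboot, and any unsigned LSA plug-in will stop loading then.
function Set-HardeningBaseline {
    $ts = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services'
    if (-not (Test-Path $ts)) { New-Item -Path $ts -Force | Out-Null }
    Set-ItemProperty -Path $ts -Name 'fDisableCdm'  -Value 1 -Type DWord
    Set-ItemProperty -Path $ts -Name 'fDisableClip' -Value 1 -Type DWord
    Set-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa' -Name 'RunAsPPL' -Value 1 -Type DWord
}
```

The values under the Terminal Services policy key are the ones Group Policy writes for "Do not allow drive redirection" and "Do not allow Clipboard redirection", so on a domain-joined host the audit is also a quick way to confirm the policy actually arrived. Before turning on RunAsPPL fleet-wide, run the report first and inventory which 3rd-party LSA extensions are in use, since the slide's point is precisely that unsigned ones will stop loading.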

Brave new world, F*ck Security!! :)

• Everything gets more interconnected every day
• End-user equipment is no longer considered to be strictly for business use
• In this fast-changing environment, what is the obvious strategy?
• Holding back might stall important projects to the point that they fail
• Focus the security efforts wisely

Thank You For Your Time

Björn [email protected]