Protected Users Group

🔒 Secure Bits 💡
Want to lock down credential theft in Active Directory?

Start using the Protected Users group, but only if you understand what it enforces.

Here's what membership in Protected Users does by default:
✔ Blocks NTLM authentication for the account, and the NT hash (NTOWF) is no longer cached in LSASS on the host. The hash still exists in the directory, so this is "no NTLM for this account", not "no NT hash anywhere"
✔ Blocks the DES and RC4 encryption types in Kerberos pre-authentication, so the account is AES-only
✔ Blocks CredSSP and WDigest, so no plaintext credentials are cached on Windows 8.1 / Server 2012 R2 and later hosts
✔ Limits Kerberos TGTs to a 4-hour lifetime with no renewal (the default can be overridden per account with an Authentication Policy)
✔ Prevents the account from being delegated through either constrained or unconstrained Kerberos delegation
✔ Disallows offline logon: no cached verifier is stored, so a member on a laptop cannot sign in away from a domain controller
(see full details in the comments)

๐Ÿ›  ๐—ฅ๐—ฒ๐—พ๐˜‚๐—ถ๐—ฟ๐—ฒ๐—บ๐—ฒ๐—ป๐˜๐˜€ & ๐—ด๐—ผ๐˜๐—ฐ๐—ต๐—ฎ๐˜€:
โ€“ Domain functional level โ‰ฅ Server 2012โ€ฏR2
โ€“ Accounts must support AES keys (reset older passwords if needed)
โ€“ Donโ€™t add service/computer accountsโ€”theyโ€™ll usually break
โ€“ Avoid mass-adding Domain Admins until fully tested
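As an added example (not code from the post or from iqunit.com), the checks above as a PowerShell script: it verifies the domain prerequisites, refuses candidate accounts that look like service identities or still have RC4-only keys, performs the add, audits existing members, and reads the DC-side failure log. The function names and the AesKeysSince parameter (the date your domain reached the 2008 functional level, which you must supply) are assumptions for the example; it needs the RSAT ActiveDirectory module in a domain-joined session with rights to read accounts and modify the group.

```powershell
# Added example, not code from the original post or from iqunit.com.
# Assumes the RSAT ActiveDirectory module and a session allowed to modify Protected Users.
Import-Module ActiveDirectory

function Test-ProtectedUsersDomainPrereqs {
    $domain = Get-ADDomain
    # DC-side protections need the 2012 R2 functional level; the group is created once
    # the PDC emulator runs Server 2012 R2 or later. Protected Users has well-known RID 525.
    $minMode = [int][Microsoft.ActiveDirectory.Management.ADDomainMode]::Windows2012R2Domain
    $pdc     = Get-ADDomainController -Identity $domain.PDCEmulator
    $group   = $null
    try { $group = Get-ADGroup -Identity "$($domain.DomainSID.Value)-525" } catch { }
    [pscustomobject]@{
        DomainMode   = $domain.DomainMode
        DomainModeOk = ([int]$domain.DomainMode -ge $minMode)
        PdcEmulator  = $pdc.HostName
        PdcOS        = $pdc.OperatingSystem
        GroupExists  = [bool]$group
    }
}

function Test-ProtectedUserCandidate {
    param(
        [Parameter(Mandatory)][string]$SamAccountName,
        # Assumed input: when this domain reached the 2008 functional level. A password set
        # before that has no AES keys, and a Protected Users member then fails pre-auth.
        [Parameter(Mandatory)][datetime]$AesKeysSince
    )
    $props = 'servicePrincipalName', 'PasswordLastSet', 'msDS-SupportedEncryptionTypes',
             'TrustedForDelegation', 'msDS-AllowedToDelegateTo', 'Enabled'
    $u = Get-ADUser -Identity $SamAccountName -Properties $props
    $problems = @()
    # Anything with an SPN or delegation configured is a service identity and will break.
    if ($u.servicePrincipalName.Count -gt 0) {
        $problems += "has $($u.servicePrincipalName.Count) SPN(s); looks like a service account"
    }
    if ($u.TrustedForDelegation -or $u.'msDS-AllowedToDelegateTo'.Count -gt 0) {
        $problems += 'is configured to delegate; service identity, do not add'
    }
    if ($null -eq $u.PasswordLastSet -or $u.PasswordLastSet -lt $AesKeysSince) {
        $problems += "password last set $($u.PasswordLastSet); reset it so AES keys exist"
    }
    # msDS-SupportedEncryptionTypes bits: DES 0x1|0x2, RC4 0x4, AES128 0x8, AES256 0x10.
    # 0/unset means the DC default applies; an explicit value without AES bits is a problem.
    $etypes = [int]$u.'msDS-SupportedEncryptionTypes'
    if ($etypes -ne 0 -and ($etypes -band 0x18) -eq 0) {
        $problems += ('msDS-SupportedEncryptionTypes=0x{0:X} excludes AES' -f $etypes)
    }
    [pscustomobject]@{ SamAccountName = $u.SamAccountName; Enabled = $u.Enabled; Problems = $problems }
}

function Add-ProtectedUser {
    param(
        [Parameter(Mandatory)][string]$SamAccountName,
        [Parameter(Mandatory)][datetime]$AesKeysSince,
        [switch]$Force   # override the pre-flight result deliberately, never by default
    )
    $check = Test-ProtectedUserCandidate -SamAccountName $SamAccountName -AesKeysSince $AesKeysSince
    if ($check.Problems.Count -gt 0 -and -not $Force) {
        Write-Warning "Not adding ${SamAccountName}: $($check.Problems -join '; ')"
        return $check
    }
    Add-ADGroupMember -Identity 'Protected Users' -Members $SamAccountName
    # Membership is evaluated at the next AS-REQ: a TGT issued before the add is unaffected
    # until it expires, so have the user sign out and back in to pick up the restrictions.
    Write-Host "$SamAccountName added to Protected Users; ask the user to sign out and in."
    return $check
}

function Get-ProtectedUsersAudit {
    param([Parameter(Mandatory)][datetime]$AesKeysSince)
    Get-ADGroupMember -Identity 'Protected Users' -Recursive | ForEach-Object {
        if ($_.objectClass -ne 'user') {
            # Computer accounts (or anything that is not a user) should never be members.
            [pscustomobject]@{ SamAccountName = $_.SamAccountName; Enabled = $null
                               Problems = @("objectClass $($_.objectClass) does not belong in Protected Users") }
        } else {
            Test-ProtectedUserCandidate -SamAccountName $_.SamAccountName -AesKeysSince $AesKeysSince
        }
    }
}

function Get-ProtectedUserFailures {
    # Run on a domain controller. The operational log is disabled by default; enable it with:
    #   wevtutil sl Microsoft-Windows-Authentication/ProtectedUserFailures-DomainController /e:true
    param([int]$Hours = 24)
    $log = 'Microsoft-Windows-Authentication/ProtectedUserFailures-DomainController'
    Get-WinEvent -FilterHashtable @{ LogName = $log; StartTime = (Get-Date).AddHours(-$Hours) } -ErrorAction SilentlyContinue |
        Select-Object TimeCreated, Id, Message
}

# Usage with assumed values (account name and AES cut-over date are placeholders):
# Test-ProtectedUsersDomainPrereqs
# Add-ProtectedUser -SamAccountName 'jdoe-adm' -AesKeysSince '2015-01-01'
# Get-ProtectedUsersAudit -AesKeysSince '2015-01-01' | Where-Object { $_.Problems.Count -gt 0 }
# Get-ProtectedUserFailures -Hours 48
```

The pre-flight deliberately treats any SPN or delegation setting as disqualifying rather than trying to guess which service accounts might survive; if you really want an exception, pass -Force so the override is an explicit decision. Running the audit periodically catches members added later by hand, and the failure log is where NTLM or RC4 attempts by members show up on the DC after the group starts biting.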

By implementing Protected Users for your privileged accounts, you take real steps against pass-the-hash and credential replay, without extra tools.

How have you handled these limitations in production? Any surprises or workarounds? 👇

Author: Martin Handl – full article: https://iqunit.com/protected-users/