FAQ: Microsoft Enhanced Security Administrative Environment and Centrify - The Basics
- A Windows service configured with a credential is started.
- And many more.
- Principle # 1 (P1) Perform the basic steps to secure your Active Directory
- Reduce the number of Administrators and manage security group membership.
- Establish administrative workstations (or servers).
- Protect Domain Controllers and keep them up to date.
- Monitor your environment.
- Principle #3 (P3) Separate user accounts vs admin accounts.
- Principle #4 (P4) Implement distinct admin passwords per workstation.
- Principle #5 (P5) Use "Privileged Access Workstations" for administration (using the clean source principle).
- Conditional Access
- Centrify Zone-based access control (this layers an additional access model onto Windows, leveraging AD)
- Secure Privilege Elevation (use token manipulation instead of password replay)
- Audit Trail to enrich security operations
- Session Capture and Replay
- Principle #6 (P6) Control the privileges of service accounts. Why: control privileges, reduce the attack surface.
This is another hard goal to achieve because it's deeply tied to how
- Principle #7 (P7) Don't allow regular users to have administrative rights on endpoints (desktops, laptops, etc.). This applies to all users and workstations; it's about reducing the attack surface.
Unfortunately, organizations struggle with this concept because the security industry has not embraced temporary access in a way that makes it easy to request spot administrative rights in Windows workstations.
We have some capabilities already and are actively working in this area. In the next few articles we'll discuss this in depth.
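As an added example of how a defender might verify P7 and P1 on a Windows workstation (this is not code from the original article or from Centrify), the following PowerShell audits the local Administrators group against an allowlist of approved principals; the `$Approved` entries are hypothetical placeholders.

```powershell
# Added example (not from the original article or Centrify): report
# members of the local Administrators group that are not on an allowlist.
# Assumption: the group names below are illustrative; replace with your own.
$Approved = @(
    'CONTOSO\Domain Admins',       # hypothetical tier-0 group
    'CONTOSO\WKS-LocalAdmins'      # hypothetical workstation-admin group
)
$BuiltInAdminRid = '-500'          # RID of the built-in Administrator account

$Members = Get-LocalGroupMember -Group 'Administrators'
$Findings = foreach ($m in $Members) {
    # The built-in Administrator (RID 500) is expected; P4 covers its password.
    $isBuiltIn = $m.SID.Value.EndsWith($BuiltInAdminRid)
    if ($isBuiltIn -or ($Approved -contains $m.Name)) { continue }
    [pscustomobject]@{
        Computer    = $env:COMPUTERNAME
        Member      = $m.Name
        ObjectClass = $m.ObjectClass     # User or Group
        Source      = $m.PrincipalSource # Local, ActiveDirectory, etc.
    }
}

if ($Findings) {
    Write-Warning "Unapproved members of local Administrators on $env:COMPUTERNAME"
    $Findings | Format-Table -AutoSize
} else {
    Write-Output "OK: only approved principals hold local admin rights on $env:COMPUTERNAME"
}
```

Run it from a scheduled task or your endpoint management tool and feed the findings to your monitoring pipeline so that drift from P7 is detected rather than assumed.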
8. I see Centrify provides MFA capabilities, can it protect me against Windows Credential Theft techniques like PtH?
Same response as above. MFA can't help you against a compromised Windows system running malware. You have to replay your password! If your system, group or policy allows you to issue an NTLM hash, you are done (in the case of PtH).
MFA can absolutely protect you against credential theft if the credential is being used interactively on a resource being protected by MFA. The difference here is that most of the time, when a credential is harvested, it tends to be used programmatically.
9. I see Centrify supports Smart Card authentication, and we are deploying it as a technique to prevent Windows Credential Theft techniques like PtH. Am I on the right track?
Same response as above. MFA can't help you against a compromised Windows system running malware. In the case of Smart Cards, there is still a password generated for you by the AD domain controllers. It is a great control to prevent interactive theft.