Comprehensive data protection for all workloads
remko.de.koning
Enthusiast
Posts: 90
Liked: 18 times
Joined: May 21, 2014 12:15 pm
Full Name: Remko de Koning
Contact:

Veeam LAPS and Mimikatz...

Post by remko.de.koning » 2 people like this post

Last week I visited a security convention in the Netherlands and attended a seminar about cybersecurity.
Veeam was also present at this convention.

One of the things that was really an eye opener was the way penetration testers try to gain access to your network (the ethical hackers you hire to secure your network).
One of the tools that was used was called Mimikatz (https://github.com/gentilkiwi/mimikatz/releases).
This tool tries to read user names and passwords from memory.
I have tried this tool myself on an isolated vanilla Windows 7 VM, and indeed the "admin" password was displayed in cleartext.
The tool itself is intercepted by most antivirus scanners and also by Windows Defender, but in theory this tool could be used to acquire privileged accounts.

So this started to make me think.

Veeam uses "guest OS credentials" to gain access to the machine when it tries to back up the machine.
This is often an account with many privileges. You also often use the same account for many machines.
What if one machine in your network were compromised? What if a hacker had gained access to this one machine and waited for a backup to occur?
Could it, in theory, be possible to read the account using this tool and gain access to more PCs or servers?

To be honest, I didn't have the time yet to test this out.

But.... It made me wonder even more...
For all our machines we use Microsoft LAPS.
Microsoft LAPS gives every single PC or server its own unique local admin account with a random password.
We also use this really nice software deployment program called PDQ Deploy and PDQ Inventory.
Just recently they introduced new functionality to use the LAPS credentials to deploy or inventory the software on each PC.
So basically what it does is use a specific account to read the password for a specific PC from Active Directory and then use these credentials to contact the PC.
So each PC/server is contacted using its own unique local administrator account.
If the account were compromised, then only the account for that specific PC would be compromised.

With this in mind I was wondering if it would be beneficial for future releases of Veeam to integrate the use of LAPS to inject the Guest OS credentials.

Any thoughts people might have on this would be great.
Perhaps there is no need to worry. I do not have enough knowledge on the subject to verify this, but I have seen stuff happening at this security convention and it's making me nervous. These guys are really, really good and I think it will be hard to keep them out.


Remko
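As an added example (not code from this thread, nor from PDQ or Veeam), the per-machine pattern the post describes, in PowerShell: read one computer's LAPS password from AD, build a credential that is valid only on that host, and connect. It assumes the legacy Microsoft LAPS schema attributes (`ms-Mcs-AdmPwd`, `ms-Mcs-AdmPwdExpirationTime`), the RSAT ActiveDirectory module, and that LAPS manages the built-in local Administrator; the host name is a placeholder.

```powershell
# Added example, not part of the original post. Assumes legacy LAPS schema,
# the RSAT ActiveDirectory module, and LAPS managing the built-in Administrator.
Import-Module ActiveDirectory

function Get-LapsLocalCredential {
    param([Parameter(Mandatory)][string]$ComputerName)

    # Only a principal delegated read access to ms-Mcs-AdmPwd gets a value here;
    # anyone else sees $null. That delegation is what limits exposure to the
    # account doing the lookup, not to every machine in the domain.
    $c = Get-ADComputer -Identity $ComputerName `
        -Properties 'ms-Mcs-AdmPwd', 'ms-Mcs-AdmPwdExpirationTime'
    if (-not $c.'ms-Mcs-AdmPwd') {
        throw "No LAPS password readable for $ComputerName (not managed, or no read rights)."
    }

    # Expiration is stored as a Windows FILETIME; a past date means rotation
    # has stalled on that host, which is worth surfacing before using the password.
    $expires = [DateTime]::FromFileTime([long]$c.'ms-Mcs-AdmPwdExpirationTime')
    if ($expires -lt (Get-Date)) {
        Write-Warning "$ComputerName LAPS password expired $expires; rotation may be failing."
    }

    $secure = ConvertTo-SecureString $c.'ms-Mcs-AdmPwd' -AsPlainText -Force
    # ".\Administrator" is a local account, so this credential works on this
    # one host only: compromising it does not expose any other machine.
    return New-Object System.Management.Automation.PSCredential('.\Administrator', $secure)
}

# Contact one host with its own credential (placeholder host name).
$target = 'PC-EXAMPLE-01'
$cred   = Get-LapsLocalCredential -ComputerName $target
Invoke-Command -ComputerName $target -Credential $cred -ScriptBlock {
    # Trivial remote check: confirm we landed on the intended host.
    $env:COMPUTERNAME
}
```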

orb
Service Provider
Posts: 67
Liked: 6 times
Joined: Apr 01, 2016 5:36 pm
Full Name: Olivier
Contact:

Re: Veeam LAPS and Mimikatz...

Post by orb »

+1 for LAPS integration

mbfischer
Lurker
Posts: 1
Liked: never
Joined: Jul 18, 2019 3:57 pm
Contact:

Re: Veeam LAPS and Mimikatz...

Post by mbfischer »

+1 for LAPS integration

ntwrkadmn
Novice
Posts: 3
Liked: never
Joined: Apr 03, 2019 3:54 pm
Full Name: Tom
Contact:

Re: Veeam LAPS and Mimikatz...

Post by ntwrkadmn »

+1 for LAPS integration

Steve-nIP
Service Provider
Posts: 76
Liked: 23 times
Joined: Feb 06, 2018 10:08 am
Full Name: Steve
Contact:

Re: Veeam LAPS and Mimikatz...

Post by Steve-nIP »

Not a bad idea at all..

NightBird
Service Provider
Posts: 201
Liked: 42 times
Joined: Apr 28, 2009 8:33 am
Location: Strasbourg, FRANCE
Contact:

Re: Veeam LAPS and Mimikatz...

Post by NightBird » 1 person likes this post

Hello,

Using LAPS on Windows Servers? If your AD (which stores the LAPS local admin passwords) is down, how do you access your servers' local admin?
Can I ask this question => Is the use of LAPS a good idea on the server side?

mengl
Service Provider
Posts: 11
Liked: 8 times
Joined: Oct 19, 2018 7:02 am
Full Name: Michael Engl
Location: Germany
Contact:

Re: Veeam LAPS and Mimikatz...

Post by mengl »

LAPS is especially useful for servers where you don't want to have a common (maybe weak) local Admin password.
Of course you could also assign and document an individual password per server, but in practice nobody does that.

If my AD were down, I could get the passwords using Veeam AD Explorer. They are stored in plaintext as an AD attribute of the computer account (of course only readable by admins :) ).
One could also write a script to export those passwords on a regular basis to a secure location at the DR site.

Gostev
SVP, Product Management
Posts: 27173
Liked: 4455 times
Joined: Jan 01, 2006 1:01 am
Location: Baar, Switzerland
Contact:

Re: Veeam LAPS and Mimikatz...

Post by Gostev » 3 people like this post

However, even better is not to have to deal with passwords at all ;) and this is the direction we're currently exploring with MSA accounts.

orb
Service Provider
Posts: 67
Liked: 6 times
Joined: Apr 01, 2016 5:36 pm
Full Name: Olivier
Contact:

Re: Veeam LAPS and Mimikatz...

Post by orb »

@Gostev

Hello!

Could you elaborate on what kind of scenario the gMSA approach opens up?
LAPS has the advantage of bypassing UAC without lowering your security, since, as you know, you are using a built-in admin account.

Oli

Gostev
SVP, Product Management
Posts: 27173
Liked: 4455 times
Joined: Jan 01, 2006 1:01 am
Location: Baar, Switzerland
Contact:

Re: Veeam LAPS and Mimikatz...

Post by Gostev »

Hello! This opens the ability to connect to the guest OS for application-aware processing without having to supply a password for whatever account is used. The real win here is that there's no need to store this password in the configuration database any longer, from where hackers can potentially steal it. Thanks!

orb
Service Provider
Posts: 67
Liked: 6 times
Joined: Apr 01, 2016 5:36 pm
Full Name: Olivier
Contact:

Re: Veeam LAPS and Mimikatz...

Post by orb »

Thank you for the clarification. I must apologize, my question was a bit dumb, since here we are talking about a computer account and not a user account, so UAC doesn't really apply!
Let's hope it finds its way into the product soon.

In the meantime, it looks like some people have already had some fun with it: https://adsecurity.org/?p=4367

Oli
