- Posts: 90
- Liked: 17 times
- Joined: May 21, 2014 12:15 pm
- Full Name: Remko de Koning
Also Veeam was present on this convention.
One of the things that was really an eye opener was they way penetration testers try to gain access to your network (the ethical hacker you hire to secure your network)
One of the tools that was used was called Mimikatz (https://github.com/gentilkiwi/mimikatz/releases)
This tool tries to read user names and passwords from the memory.
I have tried this tool myself on an isolated vanilla windows 7 machine VM and indeed the "admin" password displayed in cleartext.
The tool isself is intercepted by most antivirus scanners and also Windows Defender but in theory this tool could be used to aquire priviledged accounts.
So this started to make me think.
Veeam uses "guest OS credentials" to gain access to the machine when it tries to backup the machine.
This is often an account with many priviledges. You also often use the same account for many machines
What if one machine in your network would be compromised? What if a hacker would have gained access to this one machine and waits for a backup to occur.
Could it, in theory, be possible to read the account using this tool and gain access to more PC's or servers?
To be honest, I didn't have the time yet to test this out.
But.... It made me even wonder some more...
For all our machines we use Microsoft LAPS.
Microsoft LAPS gives every single PC or server its unique local admin account with random password.
We also use this realy nice software deployment program called PDQ Deploy and PDQ Inventory.
Just recently they introduced new functionality to use the LAPS credentials to deploy or inventory the software on each PC.
So basically what it does is use a specific account to read the password for a specific PC from Active Directory and then use these credentials to contact the PC.
So each PC/Server is contacted using their own unique local administrator account
If the account would be compromised, then only the account for that specific PC is compromised.
With this in mind I was wondering if it would be benificial for future releases of Veeam to integrate the use of LAPS to inject for the Guest OS credentials.
Any thoughts people might have on this would be great.
Perhaps there is no need to worry. I do not have enough knowledge on the subject to verify this, but I have seen stuff hapenning on this security convention and its making me nervous. These guys are really really good and I think it will be hard to keep these guys out.
- Service Provider
- Posts: 191
- Liked: 38 times
- Joined: Apr 28, 2009 8:33 am
- Location: Strasbourg, FRANCE
Use of LAPS on Windows Servers ? if your AD is down (that store LAPS local admin password), How do you access your servers local admin ?
Can I ask this question => Is the use of LAPS a good idea on servers side ?
- Service Provider
- Posts: 9
- Liked: 8 times
- Joined: Oct 19, 2018 7:02 am
- Full Name: Michael Engl
Of course you could also assign and document an individual password per server, but in practice nobody does that.
If my AD would be down I can get the passwords using Veeam AD explorer. They are stored in plaintext as AD attribute of the computer account (of course only readably by admins )
One could also write a script to export those passwords on regular basis to a secure location in DR site.
- SVP, Product Management
- Posts: 26498
- Liked: 4150 times
- Joined: Jan 01, 2006 1:01 am
- Location: Baar, Switzerland
Users browsing this forum: Bing [Bot] and 26 guests