1
00:00:00,120 --> 00:00:05,390
Quickly, let's talk about the token impersonation mitigation strategies.

2
00:00:05,400 --> 00:00:11,450
So with this we can limit user and group token creation permissions.

3
00:00:11,490 --> 00:00:13,390
That one's a little tricky.

4
00:00:13,410 --> 00:00:15,570
It will not fully prevent everything.

5
00:00:15,570 --> 00:00:24,540
I don't believe, not in my opinion. The better idea here, and beating down, you know, some of the repetition

6
00:00:24,570 --> 00:00:31,920
that we're gonna have here: account tiering, very important. Your domain administrators should be logging

7
00:00:31,920 --> 00:00:37,290
into the machines that they need to access, which should only be domain controllers.

8
00:00:37,290 --> 00:00:44,010
If for some reason that domain administrator logs into a user computer or a server and that user computer

9
00:00:44,040 --> 00:00:45,620
or server gets compromised,

10
00:00:45,630 --> 00:00:46,290
guess what.

11
00:00:46,290 --> 00:00:51,210
We can impersonate that token. If we compromised the domain controller,

12
00:00:51,210 --> 00:00:53,160
what do we need to impersonate the token for?

13
00:00:53,160 --> 00:00:55,290
We've already compromised that domain controller.

14
00:00:55,320 --> 00:01:00,960
So yes, we can still do a token impersonation attack on the domain controller, but, you know, there's no

15
00:01:00,960 --> 00:01:01,780
point there.

16
00:01:01,920 --> 00:01:08,220
But if we're, you know, somewhere else in the network, on a user or a server, a different server, then we can

17
00:01:08,520 --> 00:01:16,110
compromise that, become domain admin and leverage that. So that's one. Two, local admin restriction

18
00:01:16,110 --> 00:01:23,400
comes into play yet again. If users are not local admins on their computers, we cannot get a shell on

19
00:01:23,400 --> 00:01:29,940
that computer with their account. That prevents us from getting onto the computer and utilizing this

20
00:01:29,940 --> 00:01:31,210
kind of attack.

21
00:01:31,230 --> 00:01:36,790
So we need to have tiering, we need to have a local admin restriction in the network.

22
00:01:36,930 --> 00:01:43,620
And when I say account tiering as well, it should be noted that users typically have two accounts when

23
00:01:43,620 --> 00:01:47,820
we have account tiering. You might have Bob and then you may have Bob dash A.

24
00:01:47,820 --> 00:01:53,130
So Bob will have his everyday regular user account, and then when he wants to go access the Domain Controller

25
00:01:53,340 --> 00:01:58,860
he's going to log in as Bob dash A, which stands for admin, and he's only going to log in to the Domain Controller

26
00:01:59,130 --> 00:02:02,890
and isolate his accounts with this tiering.

27
00:02:02,910 --> 00:02:07,770
So that way, anywhere else that Bob has access or privilege to, you're not going to be able to get a domain

28
00:02:07,770 --> 00:02:10,590
controller if you compromised Bob's regular user account.

29
00:02:10,800 --> 00:02:16,440
And typically the domain admin accounts have a longer password policy and are more strict with their

30
00:02:16,440 --> 00:02:17,510
permissions.

31
00:02:17,520 --> 00:02:23,040
So something to think about in terms of defeating this, and it's just beating a dead horse in a lot of

32
00:02:23,040 --> 00:02:23,650
this, right.

33
00:02:23,970 --> 00:02:27,250
Just a lot of repetition on some very simple policies.

34
00:02:27,380 --> 00:02:33,300
And if these policies are in place, which in most networks they're not, then you can stop an attacker

35
00:02:34,080 --> 00:02:35,680
with a lot of attacks.

36
00:02:35,790 --> 00:02:37,230
So that's it for that.

37
00:02:37,410 --> 00:02:39,920
We're gonna go ahead and move on to Kerberos now.

38
00:02:40,050 --> 00:02:41,850
So I will see you over in the next video.