All an attacker needs to break into a network is time and motivation. Our job, however, is to stop them from doing so, or at least to make that work as hard as possible. The starting point is to identify the weak spots in Active Directory (referred to below as AD). Attackers can exploit those weak spots to gain access to the network and move through it without being detected. In this article we use the Varonis AD dashboard as an example and walk through the risk indicators that reflect existing weaknesses in an organization's cyber defenses.
Attackers exploit specific configurations within the domain
Attackers use a variety of clever techniques and vulnerabilities to break into corporate networks and escalate their privileges. Some of these weaknesses are domain configuration settings that are easy to change once they have been identified.
If you (or your sysadmins) have not changed the KRBTGT password in the last month, or if someone has authenticated with the default built-in Administrator account, the AD dashboard alerts you immediately. Both of these accounts provide unrestricted access to the network, and attackers try to get hold of them precisely because they make it easy to bypass privilege and permission restrictions. As a result, the attacker can reach any data they are interested in.
Of course, you can discover these weaknesses yourself: set a calendar reminder to check them, for example, or run a PowerShell script that collects the information.
The Varonis dashboard is updated automatically, so the key indicators that expose potential vulnerabilities can be visualized and analyzed quickly, and remediation can begin right away.
3 key domain-level risk indicators
Below are some of the many widgets available in the Varonis dashboard. Using them considerably strengthens the protection of the corporate network and of the IT infrastructure as a whole.
1. Number of domains where the Kerberos account password has not been changed for a long time
The KRBTGT account is a special AD account that signs everything.
XNUMX days is plenty of time for an attacker to gain access to the network. However, if you enforce and standardize a process for changing this password regularly, breaking into the corporate network becomes far harder for an attacker.
Note that, following Microsoft's implementation of the Kerberos protocol, you need to do the following:
Going forward, this AD widget notifies you when it is time to change the KRBTGT password again in every domain on the network.
2. Number of domains where the built-in Administrator account was used recently
The built-in Administrator account is often used to simplify system administration. This can turn into a bad habit and lead to a compromise. Once this happens in an organization, it becomes hard to tell legitimate use of the account from potentially malicious access.
If the widget shows a value other than zero, the Administrator account is not being handled correctly. In that case you need to follow the steps for fixing the built-in Administrator account and restricting access to it.
Once the widget value reaches zero and sysadmins no longer use this account for their day-to-day work, any future change to the account points to a possible cyberattack.
3. Number of domains without a Protected Users group
Older versions of AD supported the weak encryption type RC4. Hackers broke RC4 years ago, and today cracking an account that still uses RC4 is a trivial task for an attacker. The version of Active Directory introduced with Windows Server 2012 added a new type of user group called Protected Users. It provides additional security controls and prevents user authentication with RC4 encryption.
This widget shows whether any domain in the organization lacks such a group, so that you can fix it. Enable the Protected Users group and use it to protect your infrastructure.
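As an added example (not the article's or Varonis's own code), this PowerShell script reproduces the three domain-level checks above with the RSAT ActiveDirectory module; the function name and the 180-day and 30-day thresholds are assumptions to replace with your own policy values.

```powershell
# Added example, not from the original article: audits the three domain-level
# indicators above with the RSAT ActiveDirectory module. Assumptions: the module
# is installed, the caller can read every domain in the forest, and the two
# thresholds below are placeholders, not values from the article.
Import-Module ActiveDirectory

$KrbtgtMaxAgeDays = 180   # assumed threshold for "not changed for a long time"
$AdminRecentDays  = 30    # assumed window for "used recently"

function Get-DomainRiskIndicators {
    foreach ($domain in (Get-ADForest).Domains) {
        $d  = Get-ADDomain -Identity $domain
        $dc = $d.PDCEmulator   # the PDC emulator holds the freshest password data

        # 1. KRBTGT password age, taken from pwdLastSet of the krbtgt account
        $krbtgt = Get-ADUser -Server $dc -Identity krbtgt -Properties PasswordLastSet
        $krbAge = [int](New-TimeSpan -Start $krbtgt.PasswordLastSet -End (Get-Date)).TotalDays

        # 2. The built-in Administrator is always RID 500 of the domain SID, so look
        #    it up by SID even if it was renamed. LastLogonDate comes from the
        #    replicated lastLogonTimestamp and can lag the real logon by ~14 days.
        $admin = Get-ADUser -Server $dc -Identity "$($d.DomainSID)-500" -Properties LastLogonDate
        $adminRecent = ($null -ne $admin.LastLogonDate) -and
                       ($admin.LastLogonDate -gt (Get-Date).AddDays(-$AdminRecentDays))

        # 3. Protected Users is the well-known group with RID 525; it exists only
        #    where the domain supports it, so a failed lookup means "missing".
        try   { $protected = Get-ADGroup -Server $dc -Identity "$($d.DomainSID)-525" -ErrorAction Stop }
        catch { $protected = $null }

        [pscustomobject]@{
            Domain                    = $domain
            KrbtgtPasswordAgeDays     = $krbAge
            KrbtgtPasswordStale       = ($krbAge -gt $KrbtgtMaxAgeDays)
            BuiltinAdminLastLogon     = $admin.LastLogonDate
            BuiltinAdminUsedRecently  = $adminRecent
            ProtectedUsersGroupExists = ($null -ne $protected)
        }
    }
}

# Widget-style summary: the number of domains that trip each indicator
$results = @(Get-DomainRiskIndicators)
[pscustomobject]@{
    DomainsWithStaleKrbtgt        = @($results | Where-Object { $_.KrbtgtPasswordStale }).Count
    DomainsWithRecentBuiltinAdmin = @($results | Where-Object { $_.BuiltinAdminUsedRecently }).Count
    DomainsWithoutProtectedUsers  = @($results | Where-Object { -not $_.ProtectedUsersGroupExists }).Count
}
$results | Format-Table -AutoSize
```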
Attackers' favorite targets
User accounts are the biggest target for attackers, from the initial intrusion attempt through continued privilege escalation to hiding their activity. Attackers use basic PowerShell commands, which are often hard to detect, to look for easy targets on the network. Remove as many of these easy targets from AD as you can.
Attackers look for users with passwords that never expire (or that require no password at all), technology accounts that are administrators, and accounts that use legacy RC4 encryption.
Each of these accounts is either easy to access or usually unmonitored. An attacker can take them over and move freely through the infrastructure.
Once an attacker breaches the security perimeter, they are likely to have access to at least XNUMX accounts. Can you stop them from reaching sensitive data before the attack is detected and shut down?
The Varonis AD dashboard points out weak user accounts so that you can troubleshoot the problem proactively. The harder it is to break into the network, the better your chances of neutralizing the attacker before serious damage is done.
4 key risk indicators for user accounts
Below are examples of Varonis AD dashboard widgets that highlight the most vulnerable user accounts.
1. Number of active users with non-expiring passwords
Getting access to such an account is always a big win for an attacker. Because the password never expires, the attacker can build a persistent foothold in the network and abuse it.
Attackers hold lists of millions of username-and-password combinations for credential-stuffing attacks, and the odds are clear: the probability that a user with a "permanent" password appears in one of those lists is far greater than zero.
Accounts with non-expiring passwords are easy to manage, but they are not secure. Use this widget to find every account with such a password, then change the setting and update the passwords.
Once this widget's value is at zero, any new account created with such a password appears on the dashboard.
2. Number of administrator accounts with an SPN
An SPN (Service Principal Name) is a unique identifier for a service instance. This widget shows the number of service accounts with full administrator rights; its value should be zero. SPNs with administrator rights come about because granting such rights is convenient for software vendors and application administrators, but they create a security risk.
Granting administrator rights to a service account lets an attacker obtain full access through an account that nobody is actively using. This means an attacker who gets hold of an SPN account can operate freely within the infrastructure without their activity being monitored.
The problem is solved by changing the service account's permissions. The principle of least privilege should apply to such accounts: grant only the access that is actually needed for their operation.
With this widget you can detect every SPN that has administrator rights, remove those rights, and keep monitoring SPNs under the same least-privilege principle.
Newly appearing SPNs show up on the dashboard, so this process can be monitored.
3. Number of users who do not require Kerberos pre-authentication
Ideally, Kerberos encrypts authentication tickets with AES-256, which remains uncrackable today.
Older versions of Kerberos, however, used RC4 encryption, which can now be cracked in minutes. This widget shows which user accounts still use RC4. Microsoft continues to support RC4 for backward compatibility, but that does not mean you have to use RC4 in AD.
Once you have identified such accounts, clear the "Do not require Kerberos preauthentication" checkbox in AD to force the account to use stronger encryption.
Detecting these accounts yourself, without the Varonis AD dashboard, is very time-consuming. In practice, identifying every account that has been edited to use RC4 encryption is an even harder task.
If the widget's value changes, it may indicate illegitimate activity.
4. Number of users without a password
Attackers use basic PowerShell commands to read the "PASSWD_NOTREQD" flag from AD in an account's properties. This flag indicates that the account has no password or complexity requirements.
How easy is it to steal an account with a simple or empty password? Now imagine that one of those accounts is an administrator.
What if XNUMX of the dozens of sensitive files exposed to everyone turned out to be the upcoming financial report?
Ignoring mandatory password requirements is XNUMX of the system-administration shortcuts that used to be common, but today it is neither acceptable nor safe.
Fix this problem by updating the passwords on these accounts.
Monitoring this widget from now on lets you avoid accounts without passwords.
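As an added example (not the article's or Varonis's own code), this PowerShell function reproduces the four user-account widgets above with the RSAT ActiveDirectory module, the way an administrator would collect the same information by hand; the function name is an assumption, and the filters rely on the named properties the AD cmdlets expose for the relevant userAccountControl bits.

```powershell
# Added example, not from the original article: counts the four user-account
# indicators above with the RSAT ActiveDirectory module. Assumptions: the module
# is installed and the caller can read the domain. Every widget should read 0.
Import-Module ActiveDirectory

function Get-UserRiskIndicators {
    param([string]$Server = (Get-ADDomain).PDCEmulator)

    $props = 'PasswordNeverExpires','ServicePrincipalName','AdminCount',
             'DoesNotRequirePreAuth','PasswordNotRequired','PasswordLastSet'

    # 1. Enabled users whose password never expires (DONT_EXPIRE_PASSWORD bit)
    $neverExpires = @(Get-ADUser -Server $Server -Properties $props `
        -Filter 'Enabled -eq $true -and PasswordNeverExpires -eq $true')

    # 2. Accounts that carry an SPN and belong to a protected admin group
    #    (adminCount=1 is stamped by SDProp on members of those groups)
    $adminSpn = @(Get-ADUser -Server $Server -Properties $props `
        -Filter 'ServicePrincipalName -like "*" -and AdminCount -eq 1')

    # 3. Users that do not require Kerberos pre-authentication (DONT_REQ_PREAUTH bit)
    $noPreAuth = @(Get-ADUser -Server $Server -Properties $props `
        -Filter 'DoesNotRequirePreAuth -eq $true')

    # 4. Users carrying the PASSWD_NOTREQD flag
    $noPassword = @(Get-ADUser -Server $Server -Properties $props `
        -Filter 'PasswordNotRequired -eq $true')

    [pscustomobject]@{
        ActiveUsersPasswordNeverExpires = $neverExpires.Count
        AdminAccountsWithSpn            = $adminSpn.Count
        UsersWithoutKerberosPreAuth     = $noPreAuth.Count
        UsersWithoutPassword            = $noPassword.Count
        # Per-account detail so each finding can be remediated
        Accounts = @{
            PasswordNeverExpires = $neverExpires | Select-Object SamAccountName, PasswordLastSet
            AdminSpn             = $adminSpn     | Select-Object SamAccountName, ServicePrincipalName
            NoPreAuth            = $noPreAuth    | Select-Object SamAccountName
            NoPassword           = $noPassword   | Select-Object SamAccountName, Enabled
        }
    }
}

$r = Get-UserRiskIndicators
$r | Select-Object * -ExcludeProperty Accounts | Format-List   # the four widget values
$r.Accounts.AdminSpn | Format-Table -AutoSize                  # SPN accounts to strip admin rights from
```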
Varonis tips the odds in your favor
Previously, collecting and analyzing the metrics described in this article took hours and required deep PowerShell knowledge, so security teams had to set aside resources for these tasks every week or every month. But while this information is being gathered and processed by hand, attackers get a head start on breaking in and stealing data.
Carrying out a cyberattack is always a race between attackers and defenders: the attacker tries to steal the data before security specialists block access to it. Detecting attackers and their illegitimate activity early, combined with strong cyber defenses, is the key to keeping your data safe.
Source: habr.com