5 tips to protect legacy applications on Windows networks

You're probably running legacy applications somewhere, and attackers see them as vulnerable targets. This advice will harden legacy apps against threats.


A typical business network has at least one of them and probably more than the admins want to admit: a legacy server or workstation running an ancient piece of business software that you just can’t wean yourself off. If you are lucky, it’s on a virtual machine that you can move at a moment’s notice. If you aren’t, it’s on ancient hardware that you hope will continue to work.

As Microsoft’s Aaron Margosis notes in his blog, the ideal is to retire a legacy application and replace it with a supported, secure one. In reality, organizations keep running legacy systems. Jessica Payne discussed protecting these systems on a Windows network at a recent Microsoft virtual security summit. This is some of the advice she and Margosis offer:

Check log-in credentials

Review whether anyone logs onto that system with domain administrator credentials. Older Windows versions cache the NTLM hash (and, where WDigest is enabled, the plaintext password) of every interactive logon in LSASS memory, where widely available tools such as Mimikatz can harvest them and reuse them against the rest of the domain. Treat a legacy host as already compromised: never sign in to it with high-privileged credentials, and use a dedicated low-privilege or local account for its administration.
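One way to audit this, as an added example that is not part of the article: pull the recursive membership of the high-privilege groups, then scan the legacy host’s Security log for 4624 logons by those accounts with a logon type that leaves reusable secrets in LSASS. The host name LEGACY01 and the lookback window are placeholders; the script assumes the ActiveDirectory RSAT module and remote event-log access from an admin workstation.

```powershell
# Added example, not from the article. Finds privileged interactive logons on a
# legacy host over the last 30 days. LEGACY01 is a placeholder host name.
Import-Module ActiveDirectory

$Computer = 'LEGACY01'

# Accounts whose credentials must never be typed into this box: the recursive
# membership of the built-in high-privilege groups.
$PrivGroups = 'Domain Admins', 'Enterprise Admins', 'Administrators', 'Schema Admins'
$PrivUsers = foreach ($g in $PrivGroups) {
    Get-ADGroupMember -Identity $g -Recursive -ErrorAction SilentlyContinue |
        Where-Object objectClass -eq 'user' |
        Select-Object -ExpandProperty SamAccountName
}
$PrivUsers = $PrivUsers | Sort-Object -Unique

# Logon types that leave reusable credential material in LSASS on older Windows:
# 2 = Interactive (console), 4 = Batch, 5 = Service, 10 = RemoteInteractive (RDP).
# Network logons (type 3) do not cache secrets on the target and are omitted.
$RiskyTypes = '2', '4', '5', '10'

$Filter = @{ LogName = 'Security'; Id = 4624; StartTime = (Get-Date).AddDays(-30) }
$Hits = Get-WinEvent -ComputerName $Computer -FilterHashtable $Filter |
    ForEach-Object {
        # 4624 carries its details as EventData name/value pairs; parse the XML.
        $x = [xml]$_.ToXml()
        $d = @{}
        foreach ($n in $x.Event.EventData.Data) { $d[$n.Name] = $n.'#text' }
        [pscustomobject]@{
            Time      = $_.TimeCreated
            User      = $d.TargetUserName
            Domain    = $d.TargetDomainName
            LogonType = $d.LogonType
            Source    = $d.IpAddress
        }
    } |
    Where-Object { $_.LogonType -in $RiskyTypes -and $PrivUsers -contains $_.User }

"Privileged interactive logons to $Computer (last 30 days):"
$Hits | Sort-Object Time -Descending | Format-Table -AutoSize

# Related check: on Windows 7 / 2008 R2 with KB2871997 installed, WDigest still
# caches plaintext passwords unless UseLogonCredential is explicitly 0.
$WDigest = Invoke-Command -ComputerName $Computer -ScriptBlock {
    Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\WDigest' `
        -Name UseLogonCredential -ErrorAction SilentlyContinue
}
if ($null -eq $WDigest -or $WDigest.UseLogonCredential -ne 0) {
    Write-Warning "$Computer: WDigest plaintext credential caching is not disabled (UseLogonCredential should be 0)."
}
```

Any row in the output is an account whose hash was sitting in memory on a machine you have already decided not to trust; the fix is to move that administration to a non-privileged account, not to tune the query.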

Review network connections

Review how legacy systems connect to your Windows network and which ports and protocols the legacy application actually needs. Use tools such as Wireshark and Process Monitor to observe the TCP ports and protocols in use rather than trusting the vendor documentation. Then use Windows Firewall to allow the legacy system to listen and respond only on those ports, and only to the hosts or subnets that legitimately talk to it. Block legacy systems at the network perimeter in both directions, so that an attacker can neither reach them from the internet nor use one as a toe-hold and beacon out once inside your network.
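The observe-then-restrict procedure above, as an added example that is not part of the article: list what the host is actually listening on with its owning process, then switch the firewall to default-deny inbound, allow only the observed application port and RDP from a jump host, and keep egress confined to internal address space. The port 8443, the client subnet 10.20.0.0/24, the jump host 10.20.1.5 and the RFC 1918 ranges are placeholders to be replaced with what you observed.

```powershell
# Added example, not from the article. Run elevated on the legacy host.
# Step 1: what is listening, and which process owns each port. Get-NetTCPConnection
# needs Windows 8 / Server 2012 or later; on older hosts "netstat -ano" shows the
# same information.
Get-NetTCPConnection -State Listen |
    Select-Object LocalAddress, LocalPort,
        @{n='Process'; e={ (Get-Process -Id $_.OwningProcess -ErrorAction SilentlyContinue).ProcessName }} |
    Sort-Object LocalPort | Format-Table -AutoSize

# Step 2: default-deny in both directions, then allow only what step 1 justified.
# All addresses below are placeholders, not values from the article.
$AppPort   = 8443                    # port the legacy app was seen listening on
$ClientNet = '10.20.0.0/24'          # subnet of the clients that use it
$JumpHost  = '10.20.1.5'             # the only host allowed to RDP in
$Internal  = '10.0.0.0/8', '172.16.0.0/12', '192.168.0.0/16'   # RFC 1918 space

Set-NetFirewallProfile -Profile Domain, Private, Public -Enabled True `
    -DefaultInboundAction Block -DefaultOutboundAction Block

New-NetFirewallRule -DisplayName 'LegacyApp - clients' -Direction Inbound -Action Allow `
    -Protocol TCP -LocalPort $AppPort -RemoteAddress $ClientNet -Profile Any

New-NetFirewallRule -DisplayName 'LegacyApp - RDP from jump host only' -Direction Inbound -Action Allow `
    -Protocol TCP -LocalPort 3389 -RemoteAddress $JumpHost -Profile Any

# Step 3: egress only to internal networks (covers DNS, domain controllers and the
# clients). With the default outbound action set to Block, nothing can leave for
# the internet, so a compromised legacy box cannot fetch a second stage or beacon out.
New-NetFirewallRule -DisplayName 'LegacyApp - internal egress only' -Direction Outbound -Action Allow `
    -RemoteAddress $Internal -Profile Any

# Step 4: confirm. Anything still listening that has no matching allow rule is
# now unreachable; review the list against step 1 before walking away from the console.
Get-NetFirewallRule -DisplayName 'LegacyApp*' |
    Get-NetFirewallPortFilter |
    Select-Object InstanceID, Protocol, LocalPort | Format-Table -AutoSize
```

Do this from the console or through the jump host you are about to allow, not over an RDP session from an arbitrary workstation, since the default-deny step will cut that session. If your domain controllers or the application’s clients sit outside the RFC 1918 ranges, widen `$Internal` before applying the outbound default.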

Identify application registry keys and folders

To better protect the application, especially if it demands administrator rights, use LUA Buglight to identify the registry keys and folders that the application must be able to write to in order to run without administrator rights. LUA Buglight runs the application as a standard user, logs every access that fails only because of missing privilege, and so tells you exactly which adjustments to the operating system would let an older application work on a modern system under a least-privilege account.

Put appropriate permissions in place

To get the application to work without administrator rights, as Aaron Margosis points out, you could:

“…modify the installer via transforms or post-install scripts (for ‘run-once’ issues where the app needs to be executed with admin rights only the first time it is run). Another option is to add junctions or directory symbolic links. You could let UAC file/registry virtualization do its magic. (For older apps where file/reg virtualization would work, but were rebuilt with newer versions of Visual Studio, which adds an embedded manifest that declares compatibility with UAC and turns off virtualization.) For writes to .ini files in protected directories, use an IniFileMapping redirection; for writes to HKCR, pre-create equivalent keys under HKCU\Software\Classes.”

The final option, for which LUA Buglight’s output is the input, is to "surgically change permissions on files, directories, registry keys, or other objects." Unlike the other options, this one introduces a risk of unauthorized elevation of privilege: a folder or key that standard users can write to, and that an administrator or service later reads or executes from, becomes a path to admin. Grant the minimum right, to the narrowest group, on the specific objects the tool flagged, and never on their parents.
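The surgical permission change from the two paragraphs above, as an added example that is not part of the article or of LUA Buglight: grant a dedicated group Modify on the one data folder and SetValue/CreateSubKey on the one registry key the tool flagged, then sweep the install tree for any executable that is now writable by a broad principal. The group CONTOSO\LegacyApp-Users, the folder and the key are placeholders standing in for whatever your LUA Buglight run reported.

```powershell
# Added example, not from the article. Run elevated. Group, folder and key are
# placeholders for the objects LUA Buglight identified.
$AppGroup = 'CONTOSO\LegacyApp-Users'                   # hypothetical domain group
$DataDir  = 'C:\Program Files (x86)\LegacyApp\Data'     # hypothetical flagged folder
$RegKey   = 'HKLM:\SOFTWARE\Contoso\LegacyApp'          # hypothetical flagged key

# --- Files: Modify on the data folder and everything beneath it, nothing above it.
$acl  = Get-Acl -Path $DataDir
$rule = New-Object System.Security.AccessControl.FileSystemAccessRule(
    $AppGroup, 'Modify', 'ContainerInherit, ObjectInherit', 'None', 'Allow')
$acl.AddAccessRule($rule)
Set-Acl -Path $DataDir -AclObject $acl

# --- Registry: write values and create subkeys under the app key only.
# (Deliberately not FullControl: the group should not be able to re-ACL the key.)
$racl  = Get-Acl -Path $RegKey
$rrule = New-Object System.Security.AccessControl.RegistryAccessRule(
    $AppGroup, 'SetValue, CreateSubKey, ReadKey', 'ContainerInherit', 'None', 'Allow')
$racl.AddAccessRule($rrule)
Set-Acl -Path $RegKey -AclObject $racl

# --- Sanity check: no executable in the install tree may be writable by a broad
# principal or by the app group. A writable .exe or .dll that an administrator or
# a service later runs is exactly the elevation-of-privilege risk described above.
$broad = 'Everyone', 'BUILTIN\Users', 'NT AUTHORITY\Authenticated Users', $AppGroup
$write = [System.Security.AccessControl.FileSystemRights]::Write
$installRoot = Split-Path -Path $DataDir -Parent

Get-ChildItem -Path $installRoot -Recurse -Include *.exe, *.dll -ErrorAction SilentlyContinue |
    ForEach-Object {
        $file = $_.FullName
        (Get-Acl -Path $file).Access |
            Where-Object {
                $_.AccessControlType -eq 'Allow' -and
                $broad -contains $_.IdentityReference.Value -and
                (($_.FileSystemRights -band $write) -ne 0)
            } |
            ForEach-Object { Write-Warning "$file is writable by $($_.IdentityReference): fix before deploying" }
    }
```

If the sweep warns, the data folder is in the wrong place for this fix: either the application keeps binaries next to its data, in which case use one of Margosis’s redirection options instead, or the inheritance flags above reached further than intended. Keep the script with the application’s build notes so the change is reproducible when the host is eventually rebuilt or virtualized.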

View your network like an attacker

You’ll want to know how your network looks to an attacker, especially if a legacy server is part of your network infrastructure. The BloodHound tool maps the relationships in Active Directory (group memberships, logon sessions, local administrator rights and object ACLs) and finds the chains of them that an attacker can follow from a foothold to Domain Admin. BloodHound is available for Linux, macOS and Windows.

As noted in this blog post, you’ll need to install the Neo4j graph database to use BloodHound. The easiest path to get started is the desktop version of Neo4j, which installs the Java runtime it needs. Once you’ve installed Neo4j, launch it to set the database password. This database will contain a complete map of your domain’s attack paths, so set a strong password and keep the database on a machine you trust.

Next, download and install the BloodHound software. When extracting it, choose a short root path (for example, a folder directly under the drive root) as you may hit “long file path name” issues if you accept the default location. You’ll need your Neo4j password when BloodHound first connects.

Last, and certainly the most difficult step in my setup, download the SharpHound3 collector, which gathers the Active Directory data that BloodHound analyzes. I had to download it on a Windows 7 machine as my Windows 10 with Advanced Threat Protection enabled would stop the install and not allow me to run it in my network. Your antivirus program may do the same, because the same collector is used by attackers. You may need to “unblock” the file, and possibly “run as admin”, as it carries the mark-of-the-web attribute from the download and will not collect data until these settings are in place.

Once you’ve run SharpHound, it produces a zip file containing the collected data about your domain. Launch BloodHound and you’ll be prompted that you have a blank database. On the right side find the upload button and upload your SharpHound zip file. In the queries section you can run the pre-built queries that mirror what attackers look for first. These include “Find Shortest Paths to Domain Admins”, “Find Principals with DCSync Rights”, “Map Domain Trusts”, “Shortest Paths from Kerberoastable Users”, and so on.
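Two of those pre-built queries reproduced directly against Active Directory, as an added example that is not part of the article or of BloodHound: it lists every principal holding both replication extended rights (or GenericAll) on the domain head, which is what DCSync requires, and every enabled user with a service principal name, which is the Kerberoastable starting set. It assumes the ActiveDirectory RSAT module on a domain-joined workstation and uses the well-known rights GUIDs for DS-Replication-Get-Changes and DS-Replication-Get-Changes-All. It is a sanity check on the graph, not a replacement for it: BloodHound also walks nested groups and sessions, which this script does not.

```powershell
# Added example, not from the article or from BloodHound. Reproduces the intent of
# "Find Principals with DCSync Rights" and the starting set of
# "Shortest Paths from Kerberoastable Users" with the ActiveDirectory module.
Import-Module ActiveDirectory
$Domain = Get-ADDomain

# --- DCSync: needs both extended rights on the domain head, or GenericAll.
$GetChanges    = [guid]'1131f6aa-9c07-11d1-f79f-00c04fc2dcd2'   # DS-Replication-Get-Changes
$GetChangesAll = [guid]'1131f6ad-9c07-11d1-f79f-00c04fc2dcd2'   # DS-Replication-Get-Changes-All
$GenericAll    = [System.DirectoryServices.ActiveDirectoryRights]::GenericAll

$allow = (Get-Acl -Path "AD:\$($Domain.DistinguishedName)").Access |
    Where-Object AccessControlType -eq 'Allow'

$viaGenericAll = $allow |
    Where-Object { ($_.ActiveDirectoryRights -band $GenericAll) -eq $GenericAll } |
    Select-Object -ExpandProperty IdentityReference

$viaExtended = $allow |
    Where-Object { $_.ObjectType -in @($GetChanges, $GetChangesAll) } |
    Group-Object IdentityReference |
    Where-Object { ($_.Group.ObjectType | Sort-Object -Unique).Count -eq 2 } |
    Select-Object -ExpandProperty Name

$DCSyncPrincipals = @($viaGenericAll | ForEach-Object { $_.Value }) + @($viaExtended) | Sort-Object -Unique

# Expected on a default domain: Domain Controllers, Enterprise Domain Controllers,
# Administrators, Domain Admins, Enterprise Admins, SYSTEM (plus an Azure AD Connect
# account if you have one). Anything else is a finding to explain or remove.
"Principals able to DCSync $($Domain.DNSRoot):"
$DCSyncPrincipals

# --- Kerberoastable users: enabled accounts with an SPN. krbtgt is excluded because
# it is not a meaningful roasting target. RC4 allowed means the ticket cracks cheaply;
# msDS-SupportedEncryptionTypes bit 0x4 = RC4-HMAC, 0x8 = AES128, 0x10 = AES256, unset = RC4.
$Kerberoastable = Get-ADUser -Filter { ServicePrincipalName -like '*' -and Enabled -eq $true -and SamAccountName -ne 'krbtgt' } `
        -Properties ServicePrincipalName, PasswordLastSet, 'msDS-SupportedEncryptionTypes', MemberOf |
    Select-Object SamAccountName, PasswordLastSet,
        @{n='RC4Allowed'; e={ $e = $_.'msDS-SupportedEncryptionTypes'; (-not $e) -or (($e -band 0x4) -ne 0) }},
        @{n='DirectAdmin'; e={ [bool]($_.MemberOf | Where-Object { $_ -match '^CN=(Domain|Enterprise|Schema) Admins,' }) }},
        @{n='SPNs'; e={ $_.ServicePrincipalName -join ';' }}

"Kerberoastable users (direct privileged membership first):"
$Kerberoastable | Sort-Object DirectAdmin -Descending, PasswordLastSet | Format-Table -AutoSize
```

A Kerberoastable account with `DirectAdmin` true, `RC4Allowed` true and an old `PasswordLastSet` is the short path the BloodHound query will draw; the legacy application service accounts discussed earlier are the usual culprits, because they were created before AES and long managed-service-account passwords were available.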


For deeper analysis of your network there are additional resources such as FireEye’s Commando VM, a Windows virtual machine prebuilt with penetration-testing tooling. The GitHub download gives you a Windows environment with native Active Directory support inside a virtual machine, which is a much safer place from which to run this kind of tooling than your everyday workstation. With the Windows Subsystem for Linux enhanced in Windows 10 version 2004, you can also run Linux-based tools from inside Windows. Docker, the container platform, is another way to stand up pentesting toolsets without installing them on the host.

Take the time to look at how you look to attackers. See where your squishy parts are and what attackers can easily harvest from these older systems. I know I’ll be doing things such as shutting down non-multi-factor-authentication RDP on older systems to ensure that attackers can’t harvest credentials from them.

Copyright © 2020 IDG Communications, Inc.
