Designing and Operating a Secure Active Directory.


Introduction
- Gil Kirkpatrick, CTO, NetPro
- Architect of NetPro Active Directory products
- Author of Active Directory Programming (SAMS)
- Founder of the Directory Experts Conference

Before we get started

Part I: Securing Active Directory
- Terminology and concepts
- Secure Active Directory design
- Secure Active Directory operations
- Resources

Active Directory Fundamentals
- Forests, domains, trusts
- Kerberos
- OUs, group policy
- Configuration NC, Schema NC
- DACLs, SACLs
- Authentication, authorization
- Replication, FSMOs, global catalogs

Security Fundamentals (courtesy of Stuart Kwan, Microsoft)

STRIDE threat categories:
- Spoofing
- Tampering
- Repudiation
- Information disclosure
- Denial of service
- Elevation of privilege

The First Law of Computer Security
- There is no such thing as a secure computer
- Perhaps if the computer is: unplugged, in a locked room, and has no disk drive
- Corollary: there is no such thing as a secure computer network
- Corollary: even if there were, you couldn't afford it

Administrative Roles
- Data administration: administering the stuff in the directory (creating accounts, maintaining groups, resetting passwords)
- Service administration: adding domain controllers, upgrading device drivers, running backups; includes those with physical access to DCs

Security Requirements
- Autonomy: the ability to perform administrative tasks independently of others
- Isolation: the ability to prevent other administrators from performing administrative tasks

Delegation of Administration
Assigning the ability to perform administrative functions to support:
- Organizational structure
- Operational requirements
- Legal requirements (HIPAA, SEC, intellectual property)
- Security accreditation requirements (DITSCAP, STIGs, DISA readiness scripts, IATO)

Service administrators in Windows
- Forest level: Enterprise Admins, Schema Admins
- Domain level: Administrators, Domain Administrators, Server Operators, Account Operators, Backup Operators, Print Operators
- DS Restore Mode level: Administrator

Physical Access to Domain Controllers
Active Directory:
- Is the repository of nearly all security-related information
- Provides a vector for illicit data access
- Provides a vector for enterprise-wide denial-of-service attacks
DCs must be physically secured! If you can't physically secure a DC, don't deploy it!

AD Design Guidelines
- Clearly defined requirements: administrative model, data owners, service owners, regulatory requirements
- Start with the least complicated design that fulfills the requirements: a single-domain forest; determine whether requirements merit additional forests
- Add complexity only to satisfy requirements: requirements [ideally] drive additional domains; understand the cost of adding a domain

Which Security Threats Should You Mitigate?
- Security requirements must be well defined: assets, threats, vulnerabilities
- All must be prioritized with respect to consequences, likelihood and frequency, and organizational priorities
- Multi-Attribute Risk Assessment: http://www-2.cs.cmu.edu/~compose/ftp/butlerfishbeck-02.pdf

Pop Quiz
What constitutes a security boundary in Active Directory?
A. Forest
B. Domain
C. OU
D. Site
Answer: A. Forest

AD Design Guidelines
- Use forests to establish isolation boundaries
- Use domains to establish replication and boundaries
- Use OUs to establish administration boundaries

Comments on Delegation and OUs
1. Delegate data and service administration separately
2. Identify roles and tasks
3. Identify the minimum set of permissions needed to delegate the tasks assigned to the role
4. Identify the scope of administrative authority
5. Create one security group to represent every instance of a specific role
6. Enable the role by granting appropriate permissions to the corresponding security group
7. Delegate the role by adding delegated users to the security groups representing the role
8. Use security groups representing the roles solely for the purpose of delegating the role
9. Delegate permissions only on OUs
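The nine steps above, carried through for one concrete role (resetting passwords on a single OU) as an added PowerShell example that is not part of the original deck. The OU distinguished name, the role group name and the delegated account are assumed placeholders; the two GUIDs are the well-known schema identifiers for the "Reset Password" control access right and the user object class.

```powershell
# Added example, not from the original deck: delegates a "reset user passwords"
# role on one OU following steps 5-9 above. The OU, group and user names are
# assumed placeholders. Needs the ActiveDirectory module and the right to
# modify the OU's security descriptor.
Import-Module ActiveDirectory

$ouDN      = "OU=Helpdesk Users,DC=example,DC=com"  # assumed scope of authority (step 4)
$roleGroup = "Role-HelpdeskUsers-PasswordReset"      # one group per role instance (step 5)
$delegate  = "jdoe"                                  # assumed account receiving the role (step 7)

# Well-known schema GUIDs: the "Reset Password" control access right, and the
# user object class so the ACE applies only to user objects beneath the OU.
$resetPasswordRight = [Guid]"00299570-246d-11d0-a768-00aa006e0562"
$userObjectClass    = [Guid]"bf967aba-0de6-11d0-a285-00aa003049e2"

# Step 5: create the role group (idempotent); it is used for nothing else (step 8).
if (-not (Get-ADGroup -Filter "SamAccountName -eq '$roleGroup'")) {
    New-ADGroup -Name $roleGroup -GroupScope Global -GroupCategory Security `
        -Description "Role group: reset passwords under $ouDN"
}
$group = Get-ADGroup -Identity $roleGroup

# Step 6: grant only the permission the task needs (step 3), on the OU only
# (step 9), inherited to user objects under it. The ACE is appended to the
# OU's existing DACL rather than replacing it.
$ace = New-Object System.DirectoryServices.ActiveDirectoryAccessRule(
    $group.SID,
    [System.DirectoryServices.ActiveDirectoryRights]::ExtendedRight,
    [System.Security.AccessControl.AccessControlType]::Allow,
    $resetPasswordRight,
    [System.DirectoryServices.ActiveDirectorySecurityInheritance]::Descendents,
    $userObjectClass)
$acl = Get-Acl -Path "AD:\$ouDN"
$acl.AddAccessRule($ace)
Set-Acl -Path "AD:\$ouDN" -AclObject $acl

# Step 7: delegate through group membership, never by an ACE naming the user.
Add-ADGroupMember -Identity $group -Members $delegate

# Check: show every ACE on the OU that references the role group.
(Get-Acl -Path "AD:\$ouDN").Access |
    Where-Object { $_.IdentityReference -like "*\$roleGroup" } |
    Select-Object ActiveDirectoryRights, ObjectType, InheritanceType, InheritedObjectType
```

The final query should list exactly one ExtendedRight ACE whose ObjectType is the reset-password GUID and whose InheritedObjectType is the user class GUID; any other entries for the group indicate the role has picked up permissions beyond the task.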

The Empty Root Debate
- What is an empty root?
- Why is it a good idea?
- Why is it not?

Resources for Active Directory Design
- Best Practice Guide for Securing Active Directory Installations and Day-to-Day Operations, Parts 1 and 2: http://www.microsoft.com/downloads/details.aspx?displaylang=en&familyid=f937a913-f26e-49b5-a21e-20ba5930238d
- Multi-forest Considerations: http://www.microsoft.com/downloads/details.aspx?familyid=b717bfcd-6c1c-4af6-8b2c-b604e60067ba&DisplayLang=en
- Windows Server 2003 Active Directory Branch Office Guide: http://www.microsoft.com/downloads/details.aspx?familyid=9353a4f6-a8a8-40bb-9fa7-3a95c9540112&displaylang=en

Secure Active Directory Operations
- Domain controller deployment
- Physical access control
- Backup and disaster recovery
- Configuration management
- Auditing
- Intrusion detection and response

Building DCs
- Build DCs in a controlled environment (locked room)
- Clean format and install
- Put the DIT, SYSVOL and logs on a separate device
- Create a reserve disk space file
- Use AD-integrated DNS
- Disable all unnecessary services
- Change file system ACLs to Administrator

Deployment of FSMO role owners
- Consider denial-of-service scenarios:
  - Schema master: schema updates
  - Domain naming master: domain operations such as add/remove/rename
  - PDC master: time sync, password reset, AdminSDHolder, etc.
  - RID master: creation of new security principals
  - Infrastructure master: cross-domain reference updates
- Provide for failover of the PDC and RID masters, at least as a manual procedure

Physical Security of Domain Controllers
- Data center: maintain and use a physical access list (sign-in/sign-out, cleared personnel); segregated equipment rack; tamper-proof cages
- Special administration workstations: highly restricted; no local admin access; IPsec to DCs; separate admin IDs with smart card
- Cabling: concrete-hardened

Backup and Disaster Recovery
- Secure backup handling and storage
- Treat backup admins as service admins
- Practice likely disaster recovery scenarios
- Consider hot backup DCs and lag sites for DC failure and data corruption scenarios

Configuration Management
- Create a Configuration Control Board
- Test all changes in a test lab, including third-party application testing
- Perform a limited pilot test
- Log all changes
- Deploy and monitor carefully

Monitoring for Active Directory Attacks
- Unexpected domain controller unavailability
- Sudden disk space consumption on DCs
- Drastic increase in replication traffic (including FRS)
- Sudden appearance of new domain controllers
- Unexplained configuration changes: replication topology, schema changes, LDAP query policies, FSMO roles, trusts, AdminSDHolder and dsHeuristics, group policies, critical group memberships, executable files on DCs (.EXEs and .DLLs)

Using Auditing and WMI Scripts
- Detect changes in directory configuration using auditing
- Collect audit log information with Microsoft Audit Consolidation Services (MACS)
- Detect changes in DC availability, performance and capacity using WMI scripts and PERFMON
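As an added example (not from the original deck) of the two preceding slides, the script below snapshots the configuration items the deck lists as attack indicators and diffs them against a saved baseline, using a WMI query per DC for disk capacity. The baseline path, the C: drive as the DIT volume and the list of critical groups are assumptions; it needs read access to the Configuration NC and AdminSDHolder and WinRM access to the DCs.

```powershell
# Added example, not from the original deck: snapshots the configuration items the
# slides name as attack indicators (FSMO holders, dsHeuristics, AdminSDHolder ACL,
# trusts, DC list, critical-group membership, DC disk space) and diffs them against
# a saved baseline. Baseline path, C: as the DIT volume and the group list are assumed.
Import-Module ActiveDirectory
$baselinePath = "C:\ADBaseline\baseline.json"   # assumed last-known-good snapshot
function Get-ADSecuritySnapshot {
    $forest = Get-ADForest; $domain = Get-ADDomain
    $dsObj  = "CN=Directory Service,CN=Windows NT,CN=Services," + (Get-ADRootDSE).configurationNamingContext
    $snap = [ordered]@{
        FSMO          = @($forest.SchemaMaster, $forest.DomainNamingMaster, $domain.PDCEmulator, $domain.RIDMaster, $domain.InfrastructureMaster)
        dsHeuristics  = [string](Get-ADObject $dsObj -Properties dsHeuristics).dsHeuristics
        AdminSDHolder = (Get-Acl "AD:\CN=AdminSDHolder,CN=System,$($domain.DistinguishedName)").Sddl
        Trusts        = @(Get-ADTrust -Filter * | ForEach-Object { "$($_.Name):$($_.Direction)" } | Sort-Object)
        DCs           = @($domain.ReplicaDirectoryServers | Sort-Object)
        Groups        = [ordered]@{}
        DiskFreeMB    = [ordered]@{}
    }
    foreach ($g in "Domain Admins", "Enterprise Admins", "Schema Admins", "Administrators") {
        $snap.Groups[$g] = @(Get-ADGroupMember $g -Recursive | ForEach-Object SamAccountName | Sort-Object)
    }
    foreach ($dc in $snap.DCs) {   # WMI query per DC, as the slides suggest for capacity checks
        $disk = Get-CimInstance Win32_LogicalDisk -ComputerName $dc -Filter "DeviceID='C:'"
        $snap.DiskFreeMB[$dc] = [int]($disk.FreeSpace / 1MB)
    }
    return $snap
}
function Compare-ADSecuritySnapshot($Baseline, $Current) {
    $diffs = @(); $fmt = { "$($_.SideIndicator) $($_.InputObject)" }
    foreach ($key in "FSMO", "dsHeuristics", "AdminSDHolder", "Trusts", "DCs") {
        $d = Compare-Object @($Baseline.$key) @($Current.$key)
        if ($d) { $diffs += "$key changed: " + (($d | ForEach-Object $fmt) -join '; ') }
    }
    foreach ($g in $Current.Groups.Keys) {
        $d = Compare-Object @($Baseline.Groups.$g) @($Current.Groups.$g)
        if ($d) { $diffs += "Membership of '$g' changed: " + (($d | ForEach-Object $fmt) -join '; ') }
    }
    foreach ($dc in $Current.DiskFreeMB.Keys) {   # flag a sudden drop (more than 20%) in free space
        $was = $Baseline.DiskFreeMB.$dc
        if ($was -and $Current.DiskFreeMB.$dc -lt $was * 0.8) { $diffs += "Free disk on $dc fell from $was MB to $($Current.DiskFreeMB.$dc) MB" }
    }
    return $diffs
}
$current = Get-ADSecuritySnapshot
if (Test-Path $baselinePath) {
    Compare-ADSecuritySnapshot (Get-Content $baselinePath -Raw | ConvertFrom-Json) $current   # one line per deviation
} else {
    $current | ConvertTo-Json -Depth 4 | Set-Content $baselinePath   # first run: record the baseline
}
```

Run it on a schedule and forward any non-empty output to the alerting channel; re-record the baseline only after a change has been approved through the configuration control process described above.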

Intrusion Detection and Response
- Vigilant monitoring and auditing are the only way to detect intrusions early enough
- Establish a Corporate Emergency Response Team (CERT) to direct the response
- Have a playbook for typical incidents: viruses, administrator screwups, critical hardware/site failures, rogue administrators, denial-of-service attacks

Attack and Response Resources
- Active Directory Operations Guide: http://www.microsoft.com/technet/prodtechnol/windows2000serv/technologies/activedirectory/maintain/opsguide/part1/adogd03.mspx
- Authoritative Restore of Active Directory and Impact on Trusts and Computer Accounts: KB216243

Questions?

Unsolicited Product Pitch #1
- Mitigates some of the risks associated with deploying remote DCs
- Mitigates some of the risks associated with untrusted administrators
- Alerts network managers to unexpected DC shutdowns and unexpected modifications to the Configuration naming context

Unsolicited Product Pitch #2
Automatically creates a complete change log of Active Directory configuration changes, including:
- Who made the change
- What configuration item was changed
- What the old and new values are
- When the change was made
- Where the change was made
- Why the change was made

The only complete change auditing solution for Active Directory
- Tracks, audits, reports and alerts on AD configuration changes in real time
- From GPO to Schema to DC changes, all key changes tracked
- Displays the previous value and new value for each change
- Details the 5 W's of each change
- Features a powerful reporting engine
- Dispatches instant change alerts
- Provides tight integration with MOM

Thank You!