Designing and Operating a Secure Active Directory
Introduction Gil Kirkpatrick, CTO, NetPro Architect of NetPro Active Directory products Author of Active Directory Programming from SAMS Founder of the Directory Experts Conference
Before we get started
Part I Securing Active Directory Terminology and concepts Secure Active Directory design Secure Active Directory operations Resources
Active Directory Fundamentals Forests Domains Trusts Kerberos OUs Group policy Configuration NC Schema NC DACLs SACLs Authentication Authorization Replication FSMOs Global Catalogs
Security Fundamentals * Courtesy of Stuart Kwan, Microsoft
STRIDE Spoofing Tampering Repudiation Information disclosure Denial of service Elevation of privilege
The First Law of Computer Security There is no such thing as a secure computer Perhaps if the computer is: Unplugged In a locked room And has no disk drive Corollary There is no such thing as a secure computer network Corollary Even if there was, you couldn't afford it
Administrative Roles Data administration Administering the stuff in the directory Creating accounts Maintaining groups Resetting passwords Service administration Adding domain controllers Upgrading device drivers Running backups Those with physical access to DCs
Security Requirements Autonomy The ability to perform administrative tasks independently of others Isolation The ability to prevent other administrators from performing administrative tasks
Delegation of Administration Assigning the ability to perform administrative functions to support: Organizational structure Operational requirements Legal requirements HIPAA SEC Intellectual property Security accreditation requirement DITSCAP STIGs DISA readiness scripts IATO
Service administrators in Windows Forest level Enterprise Admins Schema Admins Domain level Administrators Domain Admins Server Operators Account Operators Backup Operators Print Operators DS Restore Mode level Administrator (the local DSRM account on each DC)
Physical Access to Domain Controllers Active Directory: Is the repository of nearly all security-related information Provides a vector for illicit data access Provides a vector for enterprise-wide denial-of-service attacks DCs must be physically secured! If you can't physically secure a DC, don't deploy it!
AD Design Guidelines Clearly defined requirements Administrative model Data owners Service owners Regulatory requirements Start with the least complicated design that fulfills the requirements Single domain forest Determine if requirements merit additional forests Add complexity only to satisfy requirements Requirements drive additional domains [ideally] Understand the cost of adding a domain
Which Security Threats Should You Mitigate? Security requirements must be well defined Assets Threats Vulnerabilities All must be prioritized with respect to Consequences Likelihood and frequency Organizational priorities Multi-Attribute Risk Assessment http://www-2.cs.cmu.edu/~compose/ftp/butlerfishbeck-02.pdf
Pop Quiz What constitutes a security boundary in Active Directory? A. Forest B. Domain C. OU D. Site Answer: A. Forest
AD Design Guidelines Use forests to establish isolation (security) boundaries Use domains to establish replication and policy boundaries Use OUs to establish administration (delegation) boundaries
Comments on Delegation and OUs 1. Delegate data and service administration separately 2. Identify roles and tasks 3. Identify the minimum set of permissions needed to perform the tasks assigned to the role 4. Identify the scope of administrative authority 5. Create one security group to represent every instance of a specific role
Comments on Delegation and OUs 6. Enable the role by granting appropriate permissions to the corresponding security group 7. Delegate the role by adding delegated users to the security groups representing the role 8. Use security groups representing the roles solely for the purpose of delegating the role 9. Delegate permissions only on OUs
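The nine delegation steps above, carried out end to end for one role instance. This is an added example, not code from the deck or from NetPro; it assumes the ActiveDirectory PowerShell module (RSAT), a domain corp.example.com with OUs "Sales" and "Delegation Roles", a hypothetical role group name and a hypothetical help-desk account. The only permission granted is the "Reset Password" extended right (User-Force-Change-Password), scoped to user objects under the OU, which is the minimum set for that task:

```powershell
# Added example (not from the original deck). Assumes the ActiveDirectory module
# (RSAT) and a domain corp.example.com with OUs "Sales" and "Delegation Roles".
Import-Module ActiveDirectory

$ou        = 'OU=Sales,DC=corp,DC=example,DC=com'                # scope of authority (step 4, 9)
$roleGroup = 'Role-Sales-HelpDesk-ResetPassword'                   # hypothetical name, one per role instance (step 5)
$rolesOU   = 'OU=Delegation Roles,DC=corp,DC=example,DC=com'

# Step 5/8: a security group that exists only to carry this role's permissions
if (-not (Get-ADGroup -Filter "Name -eq '$roleGroup'")) {
    New-ADGroup -Name $roleGroup -GroupScope DomainLocal -GroupCategory Security `
        -Path $rolesOU -Description 'Role: reset user passwords in OU=Sales only'
}
$sid = (Get-ADGroup -Identity $roleGroup).SID

# Step 3/6: the minimum permission for "reset password", as a single ACE on the OU
$resetPasswordGuid = [Guid]'00299570-246d-11d0-a768-00aa006e0529'   # extended right User-Force-Change-Password
$userClassGuid     = [Guid]'bf967aba-0de6-11d0-a285-00aa003049e2'   # schemaIDGUID of class "user"

$rule = New-Object System.DirectoryServices.ActiveDirectoryAccessRule -ArgumentList @(
    $sid,
    [System.DirectoryServices.ActiveDirectoryRights]::ExtendedRight,
    [System.Security.AccessControl.AccessControlType]::Allow,
    $resetPasswordGuid,
    [System.DirectoryServices.ActiveDirectorySecurityInheritance]::Descendents,   # inherit to children only
    $userClassGuid                                                                 # ...and only onto user objects
)
$acl = Get-Acl -Path "AD:\$ou"
$acl.AddAccessRule($rule)
Set-Acl -Path "AD:\$ou" -AclObject $acl

# Step 7: delegate by adding people to the role group, never by editing the ACL per person
Add-ADGroupMember -Identity $roleGroup -Members 'helpdesk.alice'       # hypothetical account

# Check: what the role group can actually do on this OU (expect exactly one ExtendedRight ACE)
(Get-Acl -Path "AD:\$ou").Access |
    Where-Object { $_.IdentityReference -like "*\$roleGroup" } |
    Select-Object ActiveDirectoryRights, ObjectType, InheritanceType, InheritedObjectType
```

Unlocking accounts needs a separate write permission on lockoutTime and would be a separate role, not a widening of this one. Because the ACE is scoped with Descendents and the user class GUID, it never applies to the OU object itself or to computers and groups beneath it, which keeps the delegation inside the OU boundary the slides call for.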
The Empty Root Debate What is an empty root? Why is it a good idea? Why is it not?
Resources for Active Directory Design Best Practice Guide for Securing Active Directory Installations and Day-to-Day Operations, Parts 1 and 2 http://www.microsoft.com/downloads/details.aspx?displaylang=en&familyid=f937a913-f26e-49b5-a21e-20ba5930238d Multi-forest Considerations http://www.microsoft.com/downloads/details.aspx?familyid=b717bfcd-6c1c-4af6-8b2c-b604e60067ba&DisplayLang=en
Resources for Active Directory Design Windows Server 2003 Active Directory Branch Office Guide http://www.microsoft.com/downloads/details.aspx?familyid=9353a4f6-a8a8-40bb-9fa7-3a95c9540112&displaylang=en
Secure Active Directory Operations Domain controller deployment Physical access control Backup and disaster recovery Configuration management Auditing Intrusion detection and response
Building DCs Build DCs in a controlled environment Locked room Clean format and install Put DIT, SYSVOL, logs on a separate device Create a reserve disk space file Use AD-integrated DNS Disable all unnecessary services Tighten file system ACLs (restrict to Administrators)
Deployment of FSMO role owners Consider denial of service scenarios Schema master: schema updates Domain naming master: domain operations such as add/remove/rename PDC emulator: time sync, password reset, AdminSDHolder, etc. RID master: creation of new security principals Infrastructure master: cross-domain reference updates Provide for failover of PDC emulator and RID master At least a manual procedure
Physical Security of Domain Controllers Data center Maintain and use physical access list Sign-in/sign-out Cleared personnel Segregated equipment rack Tamper-proof cages Special administration workstations Highly restricted No local admin access IPsec to DCs Separate admin IDs with smart card Cabling Concrete-hardened
Backup and Disaster Recovery Secure backup handling and storage Treat backup admins as service admins Practice likely disaster recovery scenarios Consider hot backup DCs and lag sites for DC failure and data corruption scenarios
Configuration Management Create a Configuration Control Board Test all changes in a test lab Include 3rd-party application testing Perform a limited pilot test Log all changes Deploy and monitor carefully
Monitoring for Active Directory Attacks Unexpected domain controller unavailability Sudden disk space consumption on DCs Drastic increase in replication traffic (including FRS) Sudden appearance of new domain controllers
Monitoring for Active Directory Attacks Unexplained configuration changes Replication topology Schema changes LDAP query policies FSMO roles Trusts AdminSDHolder and dSHeuristics Group policies Critical group memberships Executable files on DCs (.EXEs and .DLLs)
Using Auditing and WMI Scripts Detect changes in directory configuration using auditing Collect audit log information with Microsoft Audit Consolidation Services (MACS) Detect changes in DC availability, performance, and capacity using WMI scripts and PERFMON
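A baseline-and-diff script for the FSMO-role, monitoring and auditing slides above (the PowerShell equivalent of the WMI scripts the deck mentions). This is an added example, not code from the deck or from NetPro; it assumes the ActiveDirectory module (RSAT), an account that can read the Configuration and Schema naming contexts, and the Windows Server 2012+ module for Get-ADTrust. It snapshots the items those slides list (FSMO owners, DC list, schema version, dSHeuristics, the AdminSDHolder ACL, trusts, critical group memberships), checks that each FSMO owner answers on LDAP, and reports any item that differs from the stored baseline:

```powershell
# Added example (not from the original deck). Assumes the ActiveDirectory module (RSAT),
# read access to the Configuration and Schema NCs, and Get-ADTrust (Server 2012+ module).
Import-Module ActiveDirectory

$CriticalGroups = 'Domain Admins', 'Enterprise Admins', 'Schema Admins', 'Administrators',
                  'Account Operators', 'Server Operators', 'Backup Operators', 'Print Operators'

function Get-ADSecurityBaseline {
    $root   = Get-ADRootDSE
    $forest = Get-ADForest
    $domain = Get-ADDomain
    $cfgNC  = $root.configurationNamingContext

    # objectVersion on the Schema NC head changes with every schema extension
    $schema = Get-ADObject -Identity $root.schemaNamingContext -Properties objectVersion
    # dSHeuristics lives on the Directory Service object in the Configuration NC
    $dsSvc  = Get-ADObject -Identity "CN=Directory Service,CN=Windows NT,CN=Services,$cfgNC" -Properties dSHeuristics
    # AdminSDHolder's ACL is stamped onto every protected account; record it as SDDL
    $sdh    = Get-ADObject -Identity "CN=AdminSDHolder,CN=System,$($domain.DistinguishedName)" -Properties nTSecurityDescriptor

    $groups = [ordered]@{}
    foreach ($g in $CriticalGroups) {
        # Enterprise Admins / Schema Admins exist only in the forest root domain; skip what is absent
        $grp = Get-ADGroup -Filter "Name -eq '$g'" -ErrorAction SilentlyContinue
        if ($grp) {
            $groups[$g] = @(Get-ADGroupMember -Identity $grp -Recursive | ForEach-Object SamAccountName | Sort-Object)
        }
    }

    [ordered]@{
        FsmoRoles = [ordered]@{
            SchemaMaster         = $forest.SchemaMaster
            DomainNamingMaster   = $forest.DomainNamingMaster
            PDCEmulator          = $domain.PDCEmulator
            RIDMaster            = $domain.RIDMaster
            InfrastructureMaster = $domain.InfrastructureMaster
        }
        DomainControllers = @(Get-ADDomainController -Filter * | ForEach-Object HostName | Sort-Object)
        SchemaVersion     = [int]$schema.objectVersion
        DsHeuristics      = [string]$dsSvc.dSHeuristics
        AdminSDHolderSddl = $sdh.nTSecurityDescriptor.GetSecurityDescriptorSddlForm('All')
        Trusts            = @(Get-ADTrust -Filter * | ForEach-Object Name | Sort-Object)
        CriticalGroups    = $groups
    }
}

function Test-FsmoAvailability {
    # A role owner that is down is a denial-of-service scenario (schema/RID/PDC work stops)
    $b = Get-ADSecurityBaseline
    foreach ($role in $b.FsmoRoles.Keys) {
        $holder = $b.FsmoRoles[$role]
        [pscustomobject]@{
            Role   = $role
            Holder = $holder
            Ldap   = Test-NetConnection -ComputerName $holder -Port 389 -InformationLevel Quiet
        }
    }
}

function Compare-ADSecurityBaseline {
    param([Parameter(Mandatory)][string]$BaselinePath)
    $baseline = Get-Content -Path $BaselinePath -Raw | ConvertFrom-Json
    $current  = Get-ADSecurityBaseline
    foreach ($item in $current.Keys) {
        # Compare the JSON form so nested tables and arrays are diffed as a unit
        $was = ConvertTo-Json -InputObject $baseline.$item -Depth 6 -Compress
        $now = ConvertTo-Json -InputObject $current[$item] -Depth 6 -Compress
        if ($was -ne $now) {
            [pscustomobject]@{ Item = $item; Baseline = $was; Current = $now }
        }
    }
}

# First run: record the approved state, stored where DC admins cannot rewrite it
#   Get-ADSecurityBaseline | ConvertTo-Json -Depth 6 | Set-Content -Path .\ad-baseline.json
# Scheduled runs: every object returned is an unexplained configuration change to investigate
#   Compare-ADSecurityBaseline -BaselinePath .\ad-baseline.json | Format-List
#   Test-FsmoAvailability | Format-Table
```

Run it from the restricted administration workstation, not from a DC, and keep the baseline file and the output outside the control of the service administrators it is meant to watch; a change that appears here without a matching Configuration Control Board record is exactly the "unexplained configuration change" the slide is about. Comparing JSON text is deliberately blunt: an ACE reordered in AdminSDHolder or a DC that was demoted both show up, and the operator decides which is benign.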
Intrusion Detection and Response Vigilant monitoring and auditing are the only way to detect intrusions early enough Establish a Corporate Emergency Response Team (CERT) to direct response Have a playbook for typical incidents Virus Administrator screwups Critical hardware/site failures Rogue administrators Denial-of-service attacks
Attack and Response Resources Active Directory Operations Guide http://www.microsoft.com/technet/prodtechnol/windows2000serv/technologies/activedirectory/maintain/opsguide/part1/adogd03.mspx Authoritative Restore of Active Directory and Impact on Trusts and Computer Accounts KB216243
Questions?
Unsolicited Product Pitch #1 Mitigates some of the risks associated with deploying remote DCs Mitigates some of the risks associated with untrusted administrators Alerts network managers to unexpected DC shutdowns and unexpected modifications to the Configuration naming context
Unsolicited Product Pitch #2 Automatically creates a complete change log of Active Directory configuration changes, including Who made the change What configuration item was changed What the old value and new values are When the change was made Where the change was made Why the change was made
The only complete change auditing solution for Active Directory Tracks, audits, reports & alerts on AD configuration changes in real time From GPO to Schema to DC changes All key changes tracked Displays previous value and new value for each change Details the 5 Ws of each change Features a powerful reporting engine Dispatches instant change alerts Provides tight integration with MOM
Thank You!