Best Practices for Securing Active Directory
Dana J. Willis, Security Engineer, NetIQ Corporation
Securing Active Directory Agenda
Planning
Creating
  Establish Secure AD Boundaries
  Deploy Secure Domain Controllers
  Establish Secure Domain and DC Policies
  Establish Secure Administrative Practices
  Secure DNS
Maintaining
  Maintain Secure Domain Controller Operations
  Staying Current with Service Packs and Security Hotfixes
  Monitor the AD Infrastructure
Best Practices Summary
AD Security Solutions to Invest In
Active Directory Security Fundamentals
Forests, domains, trusts, Kerberos, OUs, Group Policy (GPOs), Configuration NC, Schema NC, ACLs, authentication, authorization, replication, FSMOs, delegation
Planning AD Security
Considerations upon deployment of AD DCs
  Datacenter: centralized and secure; high-end performance
  Branch offices: lack of IT expertise; slow connectivity to the rest of the organization
Planning AD Security
Identifying types of threats: spoofing, data tampering, repudiation, information disclosure, denial of service, elevation of privilege (the STRIDE categories), plus social engineering
Identifying sources of threats: anonymous users, authenticated users, service administrators, data administrators, users with physical access
Establishing Secure AD Boundaries
Delegation of administration needs to be flexible, limited, secure and dynamic, and must meet the needs of the organization based on its requirements for autonomy and isolation
Forest/domain model
Establish secure trusts
Deploying Secure Domain Controllers
Establish secure domain controller build practices
  Limit physical access to trusted personnel
  Restricted access area
  Build an automated process for installation of DCs (SYSPREP, RIS, unattended setup)
Deploying Secure Domain Controllers
Ensure predictable, repeatable, and secure domain controller deployments
  Create a strong administrator password (at least 9 characters, non-dictionary, symbols, etc.)
  Use TCP/IP as the only network protocol if possible
  Disable non-essential services (IIS, Messenger, SMTP, Telnet, etc.)
  Format partitions with NTFS
  Install the latest service packs and security updates
  Prohibit the use of cached credentials when unlocking the DC console
  Install anti-virus scanning software
  Maintain secure physical access to domain controllers
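The build items on this slide can be verified on a finished DC. The following is an added example, not code from the deck or from NetIQ; it runs in an elevated PowerShell session on the DC itself, and the service names it checks, the 45-day patch-age threshold and the anti-virus service name (WinDefend) are assumptions to adapt to your build standard.

```powershell
# Added example (not from the original deck): verify build-time hardening items on a domain controller.
# Run in an elevated session on the DC. Service names, the 45-day patch-age threshold and the
# anti-virus service name are assumptions.
function Test-DcBuild {
    param(
        [string[]]$UnwantedServices = @('W3SVC', 'TlntSvr', 'SMTPSVC', 'Messenger', 'Spooler'),  # IIS, Telnet, SMTP, Messenger, Print Spooler
        [string]$AntiVirusService   = 'WinDefend',                                               # assumed: Microsoft Defender
        [int]$MaxPatchAgeDays       = 45
    )
    $findings = New-Object System.Collections.Generic.List[string]

    # 1. Non-essential services: absent or disabled is the goal.
    foreach ($name in $UnwantedServices) {
        $svc = Get-Service -Name $name -ErrorAction SilentlyContinue
        if ($svc -and $svc.StartType -ne 'Disabled') {
            $findings.Add("Service $name is installed and not disabled (StartType=$($svc.StartType), Status=$($svc.Status))")
        }
    }

    # 2. Every fixed disk must be NTFS; the DIT, logs and SYSVOL rely on NTFS ACLs. DriveType 3 = local disk.
    Get-CimInstance Win32_LogicalDisk -Filter 'DriveType = 3' | ForEach-Object {
        if ($_.FileSystem -ne 'NTFS') { $findings.Add("Volume $($_.DeviceID) is $($_.FileSystem), not NTFS") }
    }

    # 3. "No cached credentials when unlocking the console" is the policy
    #    "Interactive logon: Require Domain Controller authentication to unlock workstation" (ForceUnlockLogon = 1).
    $winlogon = Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'
    if ($winlogon.ForceUnlockLogon -ne 1) {
        $findings.Add('ForceUnlockLogon is not 1: the console can be unlocked against cached credentials')
    }

    # 4. Patch currency: the newest installed update should be recent.
    $newest = Get-HotFix | Where-Object InstalledOn | Sort-Object InstalledOn -Descending | Select-Object -First 1
    if (-not $newest) {
        $findings.Add('No installed hotfix carries an install date; verify update history manually')
    } elseif ($newest.InstalledOn -lt (Get-Date).AddDays(-$MaxPatchAgeDays)) {
        $findings.Add("Newest hotfix $($newest.HotFixID) was installed $($newest.InstalledOn.ToShortDateString()); updates may be missing")
    }

    # 5. Anti-virus: the product's service must be present and running.
    $av = Get-Service -Name $AntiVirusService -ErrorAction SilentlyContinue
    if (-not $av -or $av.Status -ne 'Running') { $findings.Add("Anti-virus service $AntiVirusService is not running") }

    return $findings
}

$result = Test-DcBuild
if ($result.Count -eq 0) { 'DC build checks passed' } else { $result }
```

Run it as the last step of the automated build (after SYSPREP/unattended setup and before promotion is signed off) so that a DC which fails any check never reaches production.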
Establish Secure Domain and Domain Controller Policy Settings
Domain policies
  Password policy: history, age, length, complexity
  Lockout policy: duration, threshold, reset
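The slide names the policy categories but not values. As an added example (not from the deck or NetIQ), the script below compares the default domain policy with a target and lists fine-grained policies that override it; it requires the RSAT ActiveDirectory module, and the target values are assumptions (the deck's own minimum is 9 characters; 14 is used here).

```powershell
# Added example (not part of the original deck): compare the domain's default password and lockout
# policy with a target, then list fine-grained policies. Requires RSAT ActiveDirectory; target values are assumptions.
Import-Module ActiveDirectory

$target = @{
    MinPasswordLength           = 14                            # deck says 9+; 14 is the assumed modern floor
    PasswordHistoryCount        = 24
    MaxPasswordAge              = [TimeSpan]::FromDays(365)
    MinPasswordAge              = [TimeSpan]::FromDays(1)
    ComplexityEnabled           = $true
    ReversibleEncryptionEnabled = $false
    LockoutThreshold            = 10
    LockoutDuration             = [TimeSpan]::FromMinutes(15)
    LockoutObservationWindow    = [TimeSpan]::FromMinutes(15)
}

function Test-DomainPasswordPolicy {
    param([hashtable]$Target)
    $current = Get-ADDefaultDomainPasswordPolicy
    foreach ($name in $Target.Keys) {
        $have = $current.$name
        $want = $Target[$name]
        $ok = switch ($name) {
            'MinPasswordLength'        { $have -ge $want }
            'PasswordHistoryCount'     { $have -ge $want }
            'MaxPasswordAge'           { $have -ne [TimeSpan]::Zero -and $have -le $want }   # Zero = passwords never expire
            'MinPasswordAge'           { $have -ge $want }
            'LockoutThreshold'         { $have -ne 0 -and $have -le $want }                   # 0 = lockout disabled
            'LockoutDuration'          { $have -eq [TimeSpan]::Zero -or $have -ge $want }     # Zero = locked until an admin unlocks (stricter)
            'LockoutObservationWindow' { $have -ge $want }
            default                    { $have -eq $want }
        }
        if (-not $ok) { [pscustomobject]@{ Setting = $name; Current = $have; Target = $want } }
    }
}

$issues = Test-DomainPasswordPolicy -Target $target
if ($issues) { $issues | Format-Table -AutoSize } else { 'Default domain password policy meets target' }

# Remediation is a domain-wide change and belongs in change control; run deliberately:
# Set-ADDefaultDomainPasswordPolicy -Identity (Get-ADDomain).DNSRoot -MinPasswordLength 14 -PasswordHistoryCount 24 `
#     -MaxPasswordAge 365.00:00:00 -MinPasswordAge 1.00:00:00 -ComplexityEnabled $true -ReversibleEncryptionEnabled $false `
#     -LockoutThreshold 10 -LockoutDuration 00:15:00 -LockoutObservationWindow 00:15:00

# Fine-grained password policies (PSOs) override the default for the principals they apply to;
# a PSO with a shorter minimum length or no lockout is a common blind spot.
Get-ADFineGrainedPasswordPolicy -Filter * |
    Select-Object Name, Precedence, MinPasswordLength, LockoutThreshold, AppliesTo |
    Format-Table -AutoSize
```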
Establish Secure Domain and Domain Controller Policy Settings
Domain controller policies
  User rights: log on locally; shut down the system
  Enable auditing: account logon, account management, directory service access, logon events, policy changes, system events
  Event logging: Security log size set to 128 MB; retention set to overwrite events as needed
Establishing Secure Administrative Practice
Secure service admin accounts: Enterprise Admins, Schema Admins, Administrators, Domain Admins, Server Operators, Account Operators, Backup Operators (and the built-in Administrator account, which should be renamed)
Best practices
  Rename the administrator account
  Limit the number of service admin accounts
  Separate administrator accounts from end-user accounts
  Use a delegation solution from a third party
Deploy Secure DNS
Protecting DNS servers
  Use Active Directory-integrated DNS zones
  Implement IPsec between DNS clients and servers
  Protect the DNS cache on domain controllers
  Monitor network activity
  Close all unused firewall ports
Protecting DNS data
  Use secure dynamic update
  Ensure that third-party DNS servers support secure dynamic update
  Ensure that only trusted individuals are granted DNS administrator privileges
  Set ACLs on DNS data
  Use separate internal and external namespaces
Maintaining Secure AD Operations
Domain controller and administrative workstation security
  DC backup and restore: limit backup services and media to a secure location; develop a secure remote backup process; ensure backup media is available when needed
  DC and administrative workstation hardware retirement
  DC and administrative workstation virus scans: obtain regular virus signature updates
Maintaining Secure AD Operations
Stay current with security hotfixes and service packs
  Select a security update strategy
  Select notification, deployment, and auditing methods: Microsoft Security Notification Service newsletter, Windows Update service, Software Update Services (SUS)
Maintaining Secure AD Operations
Deploying security hotfixes and service packs
  Obtain notification and download the most current updates (Windows Update and SUS)
  Evaluate the threat
  Arrange to install
  Test the updates on domain controllers in a test lab
  Distribute and deploy to the production environment
Maintaining Secure AD Operations
Maintain baseline information
  Create a baseline database of Active Directory infrastructure information: audit policies; list of GPOs and their assignments; list of trusts; list of domain controllers and administrative workstations; service administrators; operations masters (FSMO roles); replication topology; database size (.DIT file); OS version, service packs, hotfixes, anti-virus version
  Detect and verify infrastructure changes
  Update baseline information
Maintaining Secure AD Operations
Monitoring the AD infrastructure
  Collect information in real time or at specified time intervals (Security event logs)
  Compare this data with previous data or against a threshold value
  Respond to a security alert as directed in your organization's practices
  Summarize security monitoring in one or more regularly scheduled reports
Maintaining Secure AD Operations
Monitoring the AD infrastructure: forest-level changes
  Detect changes in the Active Directory schema
  Identify when domain controllers are added or removed
  Detect changes in replication topology
  Detect changes in LDAP policies
  Detect changes in dSHeuristics
  Detect changes in forest-wide operations master roles
Maintaining Secure AD Operations
Monitoring domain-level changes
  Detect changes in domain-wide operations master roles
  Detect changes in trusts
  Detect changes in AdminSDHolder
  Detect changes in GPOs for the Domain container and the Domain Controllers OU
  Detect changes in GPO assignments for the Domain container and the Domain Controllers OU
  Detect changes in the membership of the built-in groups
  Detect changes in the audit policy settings for the domain
Maintaining Secure AD Operations
Monitoring service admin and admin workstation changes
  Detect changes in service administrator accounts
  Detect changes in GPOs for the service administrators' controlled subtree
  Detect changes in GPO assignments for the service administrators' controlled subtree
Monitoring disk space consumed by Active Directory objects
  Monitor for an inordinately large number of normal-sized objects
  Monitor for a limited number of extraordinarily large objects
Monitoring domain controller availability
  Monitor domain controllers for active status
  Monitor domain controllers for restarts
Monitoring changes in domain controller performance counters
  Detect changes in domain controller system resources
  Detect changes in LDAP responsiveness
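The baseline slide and the forest- and domain-level monitoring slides describe one mechanism: record the infrastructure facts once, then diff them on a schedule. The script below is an added example (not the deck's or NetIQ's code) that collects those facts, stores them as JSON and reports drift on later runs. It assumes the RSAT ActiveDirectory and GroupPolicy modules, that it runs on a DC (for the DIT size and hotfix list), and the path C:\ADBaseline\baseline.json.

```powershell
# Added example (not from the original deck): snapshot the forest/domain facts the deck lists as baseline
# data and diff a fresh snapshot against the stored one. Assumes RSAT ActiveDirectory + GroupPolicy modules,
# execution on a DC, and the baseline path below.
[CmdletBinding()]
param([switch]$UpdateBaseline)   # re-baseline only after the changes have been verified through change control
Import-Module ActiveDirectory, GroupPolicy
$BaselinePath = 'C:\ADBaseline\baseline.json'   # assumption

function Get-ADBaseline {
    $rootDse = Get-ADRootDSE
    $forest  = Get-ADForest
    $domain  = Get-ADDomain
    $dsPath  = "CN=Directory Service,CN=Windows NT,CN=Services,$($rootDse.configurationNamingContext)"
    $ntds    = Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Services\NTDS\Parameters' -ErrorAction SilentlyContinue
    $link    = { "$($_.DisplayName)|Enabled=$($_.Enabled)|Enforced=$($_.Enforced)" }

    [ordered]@{
        SchemaVersion     = (Get-ADObject $rootDse.schemaNamingContext -Properties objectVersion).objectVersion
        SchemaMaster      = $forest.SchemaMaster
        DomainNamingMaster = $forest.DomainNamingMaster
        PDCEmulator       = $domain.PDCEmulator
        RIDMaster         = $domain.RIDMaster
        InfrastructureMaster = $domain.InfrastructureMaster
        dSHeuristics      = (Get-ADObject $dsPath -Properties dSHeuristics).dSHeuristics
        LdapPolicy        = @((Get-ADObject "CN=Default Query Policy,CN=Query-Policies,$dsPath" -Properties lDAPAdminLimits).lDAPAdminLimits | Sort-Object)
        DomainControllers = @(Get-ADDomainController -Filter * | ForEach-Object { "$($_.HostName)|$($_.Site)|$($_.OperatingSystem)" } | Sort-Object)
        Trusts            = @(Get-ADTrust -Filter * | ForEach-Object { "$($_.Name)|$($_.Direction)|SIDFilter=$($_.SIDFilteringQuarantined)" } | Sort-Object)
        ReplConnections   = @(Get-ADReplicationConnection -Filter * | ForEach-Object { "$($_.ReplicateFromDirectoryServer)->$($_.ReplicateToDirectoryServer)" } | Sort-Object)
        GpoLinksDomain    = @((Get-GPInheritance -Target $domain.DistinguishedName).GpoLinks | ForEach-Object $link)
        GpoLinksDCs       = @((Get-GPInheritance -Target $domain.DomainControllersContainer).GpoLinks | ForEach-Object $link)
        GpoVersions       = @(Get-GPO -All | ForEach-Object { "$($_.DisplayName)|$($_.Id)|$($_.ModificationTime.ToString('s'))" } | Sort-Object)
        AdminSDHolderSddl = (Get-ADObject "CN=AdminSDHolder,CN=System,$($domain.DistinguishedName)" -Properties nTSecurityDescriptor).nTSecurityDescriptor.Sddl
        DitBytes          = if ($ntds) { (Get-Item $ntds.'DSA Database file').Length } else { $null }
        OSVersion         = (Get-CimInstance Win32_OperatingSystem).Version
        Hotfixes          = @(Get-HotFix | Select-Object -ExpandProperty HotFixID | Sort-Object)
    }
}

function Compare-ADBaseline {
    param([System.Collections.IDictionary]$Old, [System.Collections.IDictionary]$New)
    foreach ($key in $New.Keys) {
        # Normalize both sides to string arrays so scalars, arrays and JSON round-trips compare alike.
        $a = @($Old[$key] | Where-Object { $null -ne $_ } | ForEach-Object { [string]$_ })
        $b = @($New[$key] | Where-Object { $null -ne $_ } | ForEach-Object { [string]$_ })
        foreach ($v in $b) { if ($a -notcontains $v) { [pscustomobject]@{ Item = $key; Change = 'added/now'; Value = $v } } }
        foreach ($v in $a) { if ($b -notcontains $v) { [pscustomobject]@{ Item = $key; Change = 'removed/was'; Value = $v } } }
    }
}

$current = Get-ADBaseline
if (Test-Path $BaselinePath) {
    # ConvertFrom-Json yields a PSCustomObject; rebuild a dictionary so both sides have the same shape.
    $stored = @{}
    (Get-Content $BaselinePath -Raw | ConvertFrom-Json).PSObject.Properties | ForEach-Object { $stored[$_.Name] = $_.Value }
    $changes = Compare-ADBaseline -Old $stored -New $current
    if ($changes) { $changes | Format-Table -AutoSize } else { 'No drift from baseline' }
}
if ($UpdateBaseline -or -not (Test-Path $BaselinePath)) {
    New-Item -ItemType Directory -Path (Split-Path $BaselinePath) -Force | Out-Null
    $current | ConvertTo-Json -Depth 4 | Set-Content $BaselinePath
    "Baseline written to $BaselinePath"
}
```

Schedule the script without -UpdateBaseline so an unexpected schema version, FSMO owner, trust, GPO link or AdminSDHolder SDDL shows up as drift; re-run with -UpdateBaseline only once the change has been confirmed as authorized, which is the "detect, verify, update" loop the slide describes.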
Best Practices Summary
Maintaining Secure Active Directory Operations
Best Practices: IP Infrastructure
Virtual private network: private rather than public
Firewalls
IPsec: protect DC communications
DMZ: protected private assets
Intrusion detection system (IDS)
Best Practices: DNS
Use AD-integrated zones if at all possible: secure dynamic updates; ACLs on resource records; improved replication; application partitions in Windows Server 2003
Use forwarders instead of secondaries: eliminates text-based zone files
Treat DNS admins as service admins
Create a split DNS namespace
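The two DNS slides (Deploy Secure DNS and Best Practices: DNS) reduce to a small set of per-zone settings that can be audited. As an added example, not code from the deck or NetIQ, the script below checks each zone for AD-integrated storage and secure-only dynamic update, shows the forwarder and cache-protection settings, and lists DnsAdmins; it requires the DnsServer and ActiveDirectory RSAT modules, and the server name dc1.corp.example is an assumption.

```powershell
# Added example (not from the original deck): audit DNS zones for AD-integrated storage and secure-only
# dynamic update, then show forwarders, cache protection and DnsAdmins membership.
# Requires the DnsServer and ActiveDirectory modules; $DnsServer is an assumption.
Import-Module DnsServer, ActiveDirectory
$DnsServer = 'dc1.corp.example'

function Get-DnsZoneSecurityReport {
    param([string]$Server)
    Get-DnsServerZone -ComputerName $Server |
        Where-Object { -not $_.IsAutoCreated -and $_.ZoneName -ne 'TrustAnchors' } |
        ForEach-Object {
            $problems = @()
            switch ($_.ZoneType) {
                'Primary' {
                    if (-not $_.IsDsIntegrated) { $problems += 'file-backed primary (text zone file, no per-record ACLs)' }
                    if ($_.DynamicUpdate -ne 'Secure') { $problems += "dynamic update is '$($_.DynamicUpdate)', not Secure" }
                }
                'Secondary' { $problems += 'secondary zone: use a forwarder or AD-integrated replication instead' }
            }
            [pscustomobject]@{
                Zone          = $_.ZoneName
                Type          = $_.ZoneType
                DsIntegrated  = $_.IsDsIntegrated
                DynamicUpdate = $_.DynamicUpdate
                Replication   = $_.ReplicationScope
                Problems      = ($problems -join '; ')
            }
        }
}

$report = Get-DnsZoneSecurityReport -Server $DnsServer
$report | Format-Table -AutoSize

# Remediate AD-integrated primaries that still accept nonsecure updates: with NonsecureAndSecure, any host that can
# reach the server can register or overwrite a record (including a DC's own A record). Drop -WhatIf to apply.
$report | Where-Object { $_.Type -eq 'Primary' -and $_.DsIntegrated -and $_.DynamicUpdate -ne 'Secure' } | ForEach-Object {
    Set-DnsServerPrimaryZone -ComputerName $DnsServer -Name $_.Zone -DynamicUpdate Secure -WhatIf
}
# A file-backed primary must be moved into AD first (secure update is only offered for AD-integrated zones):
# Set-DnsServerPrimaryZone -ComputerName $DnsServer -Name 'corp.example' -ReplicationScope Forest
# Set-DnsServerPrimaryZone -ComputerName $DnsServer -Name 'corp.example' -DynamicUpdate Secure

# Forwarders (instead of secondaries) and cache pollution protection ("protect the DNS cache").
Get-DnsServerForwarder -ComputerName $DnsServer | Select-Object IPAddress, UseRootHint, Timeout
(Get-DnsServerCache -ComputerName $DnsServer).EnablePollutionProtection

# "Treat DNS admins as service admins": know who is in the group.
Get-ADGroupMember -Identity 'DnsAdmins' -Recursive | Select-Object SamAccountName, objectClass
```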
Best Practices: DHCP
Configure so that the client updates its A record and the DHCP service updates the PTR record
Don't run DHCP on a DC; if necessary, use a service account
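The DHCP slide maps onto three server settings. The following is an added example (not code from the deck or NetIQ) that applies them on the DHCP server itself with the DhcpServer module and warns if that server is also a DC; the service account name CORP\svc-dhcp-dns is an assumption.

```powershell
# Added example (not from the original deck): set the DHCP-side DNS registration behaviour the deck recommends
# and warn if the DHCP role is co-located with a DC. Run on the DHCP server; requires the DhcpServer module.
Import-Module DhcpServer

# DomainRole 4 = backup DC, 5 = primary DC. DHCP on a DC registers records as the DC itself (or via
# DnsUpdateProxy), which lets DHCP-created records shadow DC records; the deck says not to do it.
$role = (Get-CimInstance Win32_ComputerSystem).DomainRole
if ($role -ge 4) {
    Write-Warning 'This DHCP server is a domain controller; move the DHCP role to a member server.'
}

# OnClientRequest: DHCP updates DNS only when the client asks via option 81, so the client owns its own
# A record and DHCP registers the PTR. UpdateDnsRRForOlderClients $false keeps DHCP from registering A
# records on behalf of clients that cannot; DeleteDnsRRonLeaseExpiry cleans up what DHCP did register.
Set-DhcpServerv4DnsSetting -DynamicUpdates OnClientRequest `
                           -UpdateDnsRRForOlderClients $false `
                           -DeleteDnsRRonLeaseExpiry $true

# Dedicated low-privilege service account for the updates DHCP does perform (assumed: CORP\svc-dhcp-dns).
# A plain domain user is enough; it must not be a DC computer account or a member of privileged groups.
$cred = Get-Credential -Message 'DHCP DNS update service account (assumed CORP\svc-dhcp-dns)'
Set-DhcpServerDnsCredential -Credential $cred

# Verify the resulting configuration.
Get-DhcpServerv4DnsSetting
Get-DhcpServerDnsCredential
```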
Best Practices: Building DCs
Build DCs in a controlled environment
Put the DIT, SYSVOL, and logs on a separate device
Create a reserve disk space file
Enable DNS
Disable all unnecessary services (IIS, DHCP)
Change file system ACLs to Administrator
Best Practices: Physical Security
Data center: access list; cleared personnel; segregated equipment rack; tamper-proof cages
Domain controllers: highly restricted
Cabling: concrete-hardened
Best Practices: DC Policies
Enable auditing
Disable anonymous connections
Digitally sign client communications
Disable cached credentials
See the Best Practice Guide
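This slide and the earlier "Domain controller policies" slide (auditing categories, 128 MB Security log with overwrite-as-needed) list settings that are usually delivered through the Default Domain Controllers Policy GPO. The script below is an added example, not code from the deck or NetIQ: run elevated on a DC, it reads the registry values those policies set to show what is actually in effect, enables the audit subcategories that replaced the deck's nine legacy categories, and sizes the Security log. The expected values are the standard hardened settings and are assumptions for your environment.

```powershell
# Added example (not from the original deck): verify effective DC policy settings (anonymous access, SMB and
# LDAP signing, cached logons), enable audit subcategories and size the Security log. Run elevated on a DC.
# Expected values are assumptions; in production set them via the Default Domain Controllers Policy GPO.
$checks = @(
    # registry path, value name, expected, policy name
    @('HKLM:\SYSTEM\CurrentControlSet\Control\Lsa', 'RestrictAnonymous',         1,   'Network access: Do not allow anonymous enumeration of SAM accounts and shares'),
    @('HKLM:\SYSTEM\CurrentControlSet\Control\Lsa', 'RestrictAnonymousSAM',      1,   'Network access: Do not allow anonymous enumeration of SAM accounts'),
    @('HKLM:\SYSTEM\CurrentControlSet\Control\Lsa', 'EveryoneIncludesAnonymous', 0,   'Network access: Let Everyone permissions apply to anonymous users (Disabled)'),
    @('HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters',      'RequireSecuritySignature', 1, 'Microsoft network server: Digitally sign communications (always)'),
    @('HKLM:\SYSTEM\CurrentControlSet\Services\LanmanWorkstation\Parameters', 'RequireSecuritySignature', 1, 'Microsoft network client: Digitally sign communications (always)'),
    @('HKLM:\SYSTEM\CurrentControlSet\Services\NTDS\Parameters',             'LDAPServerIntegrity',      2, 'Domain controller: LDAP server signing requirements (Require signing)'),
    @('HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon',         'CachedLogonsCount',       '0', 'Interactive logon: Number of previous logons to cache (0 on a DC)')
)

function Test-DcPolicyRegistry {
    foreach ($c in $checks) {
        $path, $name, $expected, $policy = $c
        $actual = (Get-ItemProperty -Path $path -Name $name -ErrorAction SilentlyContinue).$name
        [pscustomobject]@{ Policy = $policy; Expected = $expected; Actual = $actual; OK = ("$actual" -eq "$expected") }
    }
}
Test-DcPolicyRegistry | Format-Table -AutoSize

# Auditing: subcategories rather than the legacy categories. "Directory Service Changes" (5136-5141) is the
# one that records *what* changed in objects such as AdminSDHolder, trusts and groups; "Security Group
# Management" gives 4728/4732/4756 for membership changes.
$subcats = 'Credential Validation', 'Kerberos Authentication Service', 'Kerberos Service Ticket Operations',
           'Logon', 'Logoff', 'Account Lockout', 'Special Logon',
           'User Account Management', 'Computer Account Management', 'Security Group Management',
           'Directory Service Access', 'Directory Service Changes',
           'Audit Policy Change', 'Authentication Policy Change',
           'Security State Change', 'Security System Extension', 'System Integrity'
foreach ($s in $subcats) { & auditpol.exe /set /subcategory:"$s" /success:enable /failure:enable | Out-Null }
& auditpol.exe /get /category:* | Select-String 'Directory Service|Group Management|Policy Change'

# Security log: the slide's 128 MB with overwrite-as-needed (/rt:false). On a busy DC that is hours of
# events, so treat it as a buffer and forward to a collector. 134217728 bytes = 128 MB.
& wevtutil.exe sl Security /ms:134217728 /rt:false
& wevtutil.exe gl Security | Select-String 'maxSize|retention'
```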
Best Practices: Domain Policies
Consider the impact: test; controlled application; part of the CCB (change control board) process
Password policies, account lockout, Kerberos
Best Practices: FSMO Placement
Implications per role: availability, survivability
Best Practices: Creating Trusts
Consider the operational security of the other forest: admin membership; sIDHistory and SID filtering
Use NETDOM to enable SID filtering
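Whether a trust honours sIDHistory from the other side is decided by two bits in the trust's attributes, so the state can be reported directly rather than inferred. The script below is an added example (not the deck's or NetIQ's code): it decodes the MS-ADTS trust attribute flags with the RSAT ActiveDirectory module and prints the NETDOM commands the slide refers to; the domain names in those commands are assumptions.

```powershell
# Added example (not from the original deck): report SID-filtering state per trust from the trust attribute
# bits (MS-ADTS TRUST_ATTRIBUTE_* values) and show the NETDOM commands. Requires RSAT ActiveDirectory;
# the domain names in the NETDOM examples are assumptions.
Import-Module ActiveDirectory
$QUARANTINED_DOMAIN = 0x04   # external trust with SID filtering on (netdom /quarantine:yes)
$FOREST_TRANSITIVE  = 0x08   # forest trust
$WITHIN_FOREST      = 0x20   # parent/child or tree-root trust inside one forest (filtering not applicable)
$TREAT_AS_EXTERNAL  = 0x40   # forest trust relaxed to external-style filtering (netdom /enablesidhistory:yes)

function Get-TrustSidFilteringReport {
    Get-ADTrust -Filter * | ForEach-Object {
        $attr     = [int]$_.TrustAttributes
        $isForest = ($attr -band $FOREST_TRANSITIVE) -ne 0
        $inbound  = $_.Direction -in 'Inbound', 'BiDirectional'   # we accept authentication from the other side
        $risk = if (($attr -band $WITHIN_FOREST) -ne 0) {
            ''
        } elseif ($isForest -and ($attr -band $TREAT_AS_EXTERNAL) -ne 0) {
            'forest trust honours sIDHistory: netdom trust ... /enablesidhistory:no'
        } elseif (-not $isForest -and ($attr -band $QUARANTINED_DOMAIN) -eq 0) {
            'external trust without SID filtering: netdom trust ... /quarantine:yes'
        } else { '' }
        [pscustomobject]@{
            Trust         = $_.Name
            Direction     = $_.Direction
            ForestTrust   = $isForest
            SelectiveAuth = $_.SelectiveAuthentication
            Quarantined   = $_.SIDFilteringQuarantined
            Attributes    = ('0x{0:X}' -f $attr)
            Risk          = if ($inbound) { $risk } else { '' }   # an outbound-only trust does not let the other side in
        }
    }
}
Get-TrustSidFilteringReport | Format-Table -AutoSize

# Enabling SID filtering, run by an admin of the trusting domain on one of its DCs (names are assumptions):
#   netdom trust corp.example /domain:partner.example /quarantine:yes          # external trust
#   netdom trust corp.example /domain:partner.example /enablesidhistory:no     # forest trust
# Verify: netdom trust corp.example /domain:partner.example /quarantine
```

Selective authentication is reported alongside because it is the other control the deck's "operational security of the other forest" point leads to: with it enabled, users from the trusted forest get no access to a resource unless explicitly granted "Allowed to Authenticate" on it.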
Best Practices: Group Memberships
Severely limit membership in administrative groups
Set ACLs on groups so that only service admins can modify service admin groups
Remove everyone from the Schema Admins group; add someone back in only when needed
Audit changes to service admin groups
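This slide and the earlier "Establishing Secure Administrative Practice" slide name the same set of service admin groups. The following is an added example, not code from the deck or NetIQ, that enumerates those groups with nesting, warns when Schema Admins is not empty, inspects the AdminSDHolder ACL (which is what actually governs who can modify protected groups, because SDProp re-stamps their ACLs from it) and pulls the last week of membership-change events. It requires the RSAT ActiveDirectory module and assumes it runs on a DC for the Security log query.

```powershell
# Added example (not from the original deck): enumerate service admin groups with nesting, check Schema Admins
# is empty, review who holds write rights on AdminSDHolder, and list recent membership changes.
# Requires RSAT ActiveDirectory; the Security log query assumes execution on a DC.
Import-Module ActiveDirectory
$domainDn = (Get-ADDomain).DistinguishedName
$serviceAdminGroups = 'Enterprise Admins', 'Schema Admins', 'Administrators', 'Domain Admins',
                      'Server Operators', 'Account Operators', 'Backup Operators'

function Get-ServiceAdminMembership {
    foreach ($g in $serviceAdminGroups) {
        $group = Get-ADGroup -Identity $g -ErrorAction SilentlyContinue   # Enterprise/Schema Admins exist only in the forest root
        if (-not $group) { continue }
        $members = @(Get-ADGroupMember -Identity $group -Recursive)
        [pscustomobject]@{
            Group   = $g
            Count   = $members.Count
            Members = ($members | ForEach-Object { $_.SamAccountName } | Sort-Object) -join ', '
        }
    }
}
$membership = Get-ServiceAdminMembership
$membership | Format-Table -AutoSize
$schema = $membership | Where-Object Group -eq 'Schema Admins'
if ($schema -and $schema.Count -gt 0) {
    Write-Warning "Schema Admins is not empty ($($schema.Members)); add a member only for a scheduled schema change."
}

# Accounts removed from a protected group keep adminCount=1 and the restrictive ACL; review them too.
Get-ADUser -Filter 'adminCount -eq 1' -Properties adminCount | Select-Object SamAccountName, Enabled | Format-Table -AutoSize

# Who can modify service admin groups? SDProp overwrites their ACLs from AdminSDHolder every 60 minutes, so the
# answer is the AdminSDHolder ACL. Show every Allow ACE with a write-class right other than the obvious owners.
# Defaults you will see: SELF, Cert Publishers (certificate attributes) and, on newer schemas, Key Admins /
# Enterprise Key Admins (msDS-KeyCredentialLink). Anything else, or GenericAll/WriteDacl, is a finding.
$acl = (Get-ADObject "CN=AdminSDHolder,CN=System,$domainDn" -Properties nTSecurityDescriptor).nTSecurityDescriptor
$writeRights = [System.DirectoryServices.ActiveDirectoryRights]'WriteProperty, WriteDacl, WriteOwner, GenericAll, GenericWrite'
$acl.Access | Where-Object {
    $_.AccessControlType -eq 'Allow' -and
    ([int]($_.ActiveDirectoryRights -band $writeRights)) -ne 0 -and
    $_.IdentityReference.Value -notmatch 'SYSTEM$|\\Administrators$|\\Domain Admins$|\\Enterprise Admins$'
} | Select-Object IdentityReference, ActiveDirectoryRights, ObjectType, InheritanceType | Format-Table -AutoSize

# Audit changes: 4728/4732/4756 = member added to a global/local/universal security group.
# Event data: [0] member DN, [2] group name, [6] subject (who made the change).
Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4728, 4732, 4756; StartTime = (Get-Date).AddDays(-7) } -ErrorAction SilentlyContinue |
    Where-Object { $_.Properties[2].Value -in $serviceAdminGroups } |
    Select-Object TimeCreated, Id,
        @{ n = 'Group';  e = { $_.Properties[2].Value } },
        @{ n = 'Member'; e = { $_.Properties[0].Value } },
        @{ n = 'By';     e = { $_.Properties[6].Value } } |
    Format-Table -AutoSize
```

The event query only works if "Security Group Management" auditing is enabled on the DCs, and it covers one DC's log; in practice the same filter runs against the forwarded log on a collector so a member added on any DC is seen.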
Best Practices: Vetting Administrators
Security clearance
Appropriate levels of training and expertise
Organization-specific training: CONOPS (concept of operations); policies and procedures; implementation guides
Best Practices: AD Configuration Changes
Formalized change management: CCB; regression testing; limited pilot; operational implementation
Applies to schema changes, DCPROMO, replication topology, group policies
Best Practices: Monitoring
Monitor for any unexpected DC outages: can indicate an attack
Monitor for unexpected query loads: can indicate a DoS attack
Monitor for disk space use: can indicate a replicating DoS attack (objects created on one DC replicate to every DC)
Monitor for DNS request traffic: can indicate a DoS attack on DNS
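This slide and the availability and performance-counter items under "Maintaining Secure AD Operations" describe the same polling loop: sample, compare with a threshold or with the previous sample, alert. The following is an added example (not code from the deck or NetIQ) of one polling pass on a DC: restart events, LDAP and DNS query rates, free disk, and DIT growth since the previous run. The thresholds and the state-file path C:\ADMonitor\last-dit.json are assumptions; tune the thresholds from the baseline of each DC.

```powershell
# Added example (not from the original deck): one polling pass over the signals the deck ties to attacks.
# Thresholds and the state-file path are assumptions; run on the DC (Get-Counter also accepts -ComputerName).
$Thresholds = @{
    LdapSearchesPerSec  = 2000      # sustained searches/sec well above this DC's normal load
    DnsQueriesPerSec    = 5000
    DitGrowthBytesPerHr = 200MB     # a replicating object flood shows up as DIT growth on every DC
    MinFreeDiskPct      = 15
}
$StateFile = 'C:\ADMonitor\last-dit.json'

function Get-DcHealthSample {
    param([hashtable]$T, [string]$State)
    $alerts = New-Object System.Collections.Generic.List[string]

    # 1. Restarts in the last 24 h: 1074 (initiated shutdown/restart), 6008 (unexpected shutdown), 6005 (event log started).
    $restarts = Get-WinEvent -FilterHashtable @{ LogName = 'System'; Id = 1074, 6005, 6008; StartTime = (Get-Date).AddHours(-24) } -ErrorAction SilentlyContinue
    foreach ($e in $restarts) { $alerts.Add("Restart-related event $($e.Id) at $($e.TimeCreated): $($e.Message.Split("`n")[0])") }

    # 2. Load counters, averaged over five one-second samples. The DNS counter only exists where DNS is installed.
    $paths = '\NTDS\LDAP Searches/sec', '\NTDS\LDAP Client Sessions', '\DNS\Total Query Received/sec', '\LogicalDisk(_Total)\% Free Space'
    $samples = (Get-Counter -Counter $paths -SampleInterval 1 -MaxSamples 5 -ErrorAction SilentlyContinue).CounterSamples
    function Get-Avg($suffix) { ($samples | Where-Object Path -like "*$suffix" | Measure-Object CookedValue -Average).Average }
    $ldap = Get-Avg 'LDAP Searches/sec'; $dns = Get-Avg 'Total Query Received/sec'; $free = Get-Avg '% Free Space'
    if ($ldap -gt $T.LdapSearchesPerSec) { $alerts.Add("LDAP searches/sec = $([int]$ldap) (threshold $($T.LdapSearchesPerSec))") }
    if ($dns  -gt $T.DnsQueriesPerSec)   { $alerts.Add("DNS queries/sec = $([int]$dns) (threshold $($T.DnsQueriesPerSec))") }
    if ($free -lt $T.MinFreeDiskPct)     { $alerts.Add("Free disk = $([int]$free)% (threshold $($T.MinFreeDiskPct)%)") }

    # 3. DIT growth rate against the size recorded by the previous run.
    $ditPath  = (Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Services\NTDS\Parameters').'DSA Database file'
    $ditBytes = (Get-Item $ditPath).Length
    if (Test-Path $State) {
        $prev  = Get-Content $State -Raw | ConvertFrom-Json
        $hours = ((Get-Date) - [datetime]$prev.When).TotalHours
        if ($hours -gt 0) {
            $rate = ($ditBytes - [long]$prev.Bytes) / $hours
            if ($rate -gt $T.DitGrowthBytesPerHr) {
                $alerts.Add("DIT growing at $([int]($rate / 1MB)) MB/h; check for bulk object creation (Security event 5137)")
            }
        }
    }
    New-Item -ItemType Directory -Path (Split-Path $State) -Force | Out-Null
    @{ When = (Get-Date).ToString('o'); Bytes = $ditBytes } | ConvertTo-Json | Set-Content $State

    [pscustomobject]@{ Time = Get-Date; LdapPerSec = $ldap; DnsPerSec = $dns; FreeDiskPct = $free; DitBytes = $ditBytes; Alerts = $alerts }
}

$sample = Get-DcHealthSample -T $Thresholds -State $StateFile
$sample | Format-List
```

Run it from a scheduled task every few minutes and feed the Alerts list to whatever raises tickets; the "Respond as directed in your organization's practices" step on the monitoring slide is where the thresholds get tuned, because a DC that serves logon bursts at shift change will legitimately exceed a static query-rate number.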
Best Practices: Service Administration
Create separate admin and user accounts
Create a separate service admin OU
Establish secure admin workstations
  Don't give admin privileges on the workstation
  Use IPsec between admin workstations and DCs
  Use the "log on locally" policy to limit service admin logons to specific admin workstations
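The "log on locally" point on this slide, and the user-rights line on the "Domain controller policies" slide, are implemented as user-rights assignments. As an added example, not code from the deck or NetIQ, the script below builds a security template that grants "Allow log on locally" only to a designated group on admin workstations and denies interactive, remote-interactive and network logon to the service admin groups on ordinary workstations, then applies it with secedit for a pilot. It requires the RSAT ActiveDirectory module; the group name "AD Service Admins" is an assumption, and in production the same [Privilege Rights] values go into a GPO linked to the relevant OU rather than being applied locally.

```powershell
# Added example (not from the original deck): generate and apply a security template that restricts
# interactive logon by role. Requires RSAT ActiveDirectory; the group 'AD Service Admins' is an assumption.
[CmdletBinding()]
param([ValidateSet('AdminWorkstation', 'StandardWorkstation')] [string]$Role = 'AdminWorkstation')
Import-Module ActiveDirectory

# User rights in an INF are '*'-prefixed SIDs, comma-separated; an empty value means nobody holds the right.
$serviceAdminSids = 'Domain Admins', 'Enterprise Admins', 'Schema Admins' |
    ForEach-Object { $g = Get-ADGroup $_ -ErrorAction SilentlyContinue; if ($g) { "*$($g.SID.Value)" } }   # Enterprise/Schema Admins resolve only in the forest root
$adminWsUsers = '*' + (Get-ADGroup 'AD Service Admins').SID.Value   # assumed group allowed on admin workstations
$localAdmins  = '*S-1-5-32-544'                                       # BUILTIN\Administrators: keep a break-glass path
$localUsers   = '*S-1-5-32-545'                                       # BUILTIN\Users

$rights = if ($Role -eq 'AdminWorkstation') {
    @{
        SeInteractiveLogonRight       = ($localAdmins, $adminWsUsers) -join ','   # only service admins (and local admins) log on here
        SeRemoteInteractiveLogonRight = ''                                         # no RDP into the admin workstation
    }
} else {
    @{
        SeInteractiveLogonRight           = ($localAdmins, $localUsers) -join ','
        SeDenyInteractiveLogonRight       = $serviceAdminSids -join ','            # service admins never log on to ordinary workstations
        SeDenyRemoteInteractiveLogonRight = $serviceAdminSids -join ','
        SeDenyNetworkLogonRight           = $serviceAdminSids -join ','            # nor can their credentials be used here over the network
    }
}

$inf = @"
[Unicode]
Unicode=yes
[Version]
signature="`$CHICAGO`$"
Revision=1
[Privilege Rights]
$(($rights.GetEnumerator() | ForEach-Object { "$($_.Key) = $($_.Value)" }) -join "`r`n")
"@

$infPath = Join-Path $env:TEMP "logon-rights-$Role.inf"
$dbPath  = Join-Path $env:TEMP "logon-rights-$Role.sdb"
Set-Content -Path $infPath -Value $inf -Encoding Unicode
$inf

# Apply only the USER_RIGHTS area (leaves other local policy untouched), then show what is now in effect.
& secedit.exe /configure /db $dbPath /cfg $infPath /areas USER_RIGHTS /quiet
& secedit.exe /export /cfg "$env:TEMP\effective-rights.inf" /areas USER_RIGHTS /quiet
Select-String -Path "$env:TEMP\effective-rights.inf" -Pattern 'SeInteractiveLogonRight|SeRemoteInteractiveLogonRight|SeDeny' |
    ForEach-Object Line
```

Apply the StandardWorkstation role before the AdminWorkstation one during a rollout: denying service admin logon everywhere else is what makes the admin workstations the only place those credentials are ever typed, which is the exposure the slide's "don't give admin privileges on the workstation" and IPsec points are reducing.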
Best Practices: Data Administration
Always use NTFS
Use encryption where appropriate
Follow Microsoft best practices for use of groups
Best Practices: Backup and Restore
Secure backup handling and storage
Treat backup admins as service admins
Best Practices: What to Do in Case of an AD Attack
Response plan: have one! Notify ACERT or the network security team for your organization
Understand the nature and scope of the attack (know before you go): determine the nature and scope of the attack; evaluate and test common scenarios; follow the CONOPS for restore
Recovery: have a forest recovery plan (see the Microsoft whitepaper); be aware of authoritative restore issues
AD Security Solutions to Invest In
Policy awareness and compliance: formal, well-documented policies serve as the foundation of a security strategy; measuring users' understanding is vital
Administration and identity management: securely granting users access to do their job; enabling self-service; knowing who can do what to whom or to which resource
Real-time monitoring (HIDS, NIDS, HIPS): reduce exposure time; correlation; incident management
Audit and vulnerability assessment: continuing the process of baselining your environment and staying aware of changes
Questions?