  • Best Practices for Securing Active Directory

    Microsoft IT
    Information Security and Risk Management

    Published: April, 2013

    For the latest information, please see http://aka.ms/bpsad

  • Contents

    Foreword (p. 5)
    Acknowledgements (p. 6)
    Executive Summary (p. 7)
    Introduction (p. 14)
      Account and Group Naming Conventions (p. 15)
      About this Document (p. 16)
        Microsoft IT and ISRM (p. 16)
        Active Directory Security Assessments (p. 16)
        Content Origin and Organization (p. 16)
    Avenues to Compromise (p. 21)
      Initial Breach Targets (p. 23)
        Gaps in Antivirus and Antimalware Deployments (p. 23)
        Incomplete Patching (p. 24)
        Outdated Applications and Operating Systems (p. 25)
        Misconfiguration (p. 26)
        Lack of Secure Application Development Practices (p. 30)
      Attractive Accounts for Credential Theft (p. 33)
        Activities that Increase the Likelihood of Compromise (p. 34)
        Privilege Elevation and Propagation (p. 37)
    Reducing the Active Directory Attack Surface (p. 39)
      Privileged Accounts and Groups in Active Directory (p. 40)
        Built-in Privileged Accounts and Groups (p. 40)
      Implementing Least-Privilege Administrative Models (p. 45)
        The Privilege Problem (p. 46)
        Reducing Privilege (p. 48)
      Implementing Secure Administrative Hosts (p. 66)
        Principles for Creating Secure Administrative Hosts (p. 66)
        Sample Approaches to Implementing Secure Administrative Hosts (p. 70)
      Securing Domain Controllers Against Attack (p. 75)
        Physical Security for Domain Controllers (p. 75)
        Domain Controller Operating Systems (p. 77)
        Secure Configuration of Domain Controllers (p. 77)
    Monitoring Active Directory for Signs of Compromise (p. 80)

      Windows Audit Policy (p. 81)
        Windows Audit Categories (p. 81)
        Auditing Subcategories Descriptions (p. 85)
        Configuring Windows Audit Policy (p. 92)
        Enforcing Traditional Auditing or Advanced Auditing (p. 96)
      Audit Policy Recommendations (p. 98)
        Recommended Audit Policies by Operating System (p. 99)
        Events to Monitor (p. 109)
        Active Directory Objects and Attributes to Monitor (p. 110)
        Additional Information for Monitoring Active Directory Domain Services (p. 111)
        General List of Security Event ID Recommendation Criticalities (p. 111)
    Planning for Compromise (p. 113)
      Rethinking the Approach (p. 115)
        Identifying Principles for Segregating and Securing Critical Assets (p. 117)
        Defining a Limited, Risk-Based Migration Plan (p. 118)
        Leveraging "Nonmigratory" Migrations (p. 118)
        Implementing Creative Destruction (p. 120)
        Isolating Legacy Systems and Applications (p. 120)
        Simplifying Security for End Users (p. 121)
      Maintaining a More Secure Environment (p. 123)
        Creating Business-Centric Security Practices for Active Directory (p. 123)
    Summary of Best Practices (p. 127)
    Appendices (p. 130)
      Appendix A: Patch and Vulnerability Management Software (p. 132)
      Appendix B: Privileged Accounts and Groups in Active Directory