222 Best Practices for Delegating Active Directory Administration:Appendices
Best Practices forSecuring Active DirectoryMicrosoft ITInformation Security and Risk Management
Published: April, 2013
For the latest information, please see http://aka.ms/bpsad
ContentsForeword5Acknowledgements6Executive Summary7Introduction14Account and Group Naming Conventions15About this Document16Microsoft IT and ISRM16Active Directory Security Assessments16Content Origin and Organization16Avenues to Compromise21Initial Breach Targets23Gaps in Antivirus and Antimalware Deployments23Incomplete Patching24Outdated Applications and Operating Systems25Misconfiguration26Lack of Secure Application Development Practices30Attractive Accounts for Credential Theft33Activities that Increase the Likelihood of Compromise34Privilege Elevation and Propagation37Reducing the Active Directory Attack Surface39Privileged Accounts and Groups in Active Directory40Built-in Privileged Accounts and Groups40Implementing Least-Privilege Administrative Models45The Privilege Problem46Reducing Privilege48Implementing Secure Administrative Hosts66Principles for Creating Secure Administrative Hosts66Sample Approaches to Implementing Secure Administrative Hosts70Securing Domain Controllers Against Attack75Physical Security for Domain Controllers75Domain Controller Operating Systems77Secure Configuration of Domain Controllers77Monitoring Active Directory for Signs of Compromise80Windows Audit Policy81Windows Audit Categories81Auditing Subcategories Descriptions85Configuring Windows Audit Policy92Enforcing Traditional Auditing or Advanced Auditing96Audit Policy Recommendations98Recommended Audit Policies by Operating System99Events to Monitor109Active Directory Objects and Attributes to Monitor110Additional Information for Monitoring Active Directory Domain Services111General List of Security Event ID Recommendation Criticalities111Planning For Compromise113Rethinking the Approach115Identifying Principles for Segregating and Securing Critical Assets117Defining a Limited, Risk-Based Migration Plan118Leveraging Nonmigratory Migrations118Implementing Creative Destruction120Isolating Legacy Systems and Applications120Simplifying Security for End Users121Maintaining a More Secure Environment123Creating Business-Centric Security Practices for Active Directory123Summary of Best Practices127Appendices130Appendix A: Patch and Vulnerability Management Software132Appendix B: Privileged Accounts and Groups in Active Directory133Rights, Privileges, and Permissions in Active Directory133Built-in Privileged Accounts and Groups137Appendix C: Protected Accounts and Groups in Active Directory160Protected Groups160Appendix D: Securing Built-In Administrator Accounts in Active Directory170Appendix E: Securing Enterprise Admins Groups in Active Directory185Appendix F: Securing Domain Admins Groups in Active Directory197Appendix G: Securing Administrators Groups in Active Directory208Appendix H: Securing Local Administrator Accounts and Groups220Appendix I: Creating Management Accounts for Protected Accounts and Groups in Active Directory229Creating Management Accounts for Protected Accounts and Groups in Active Directory229Appendix J: Third-Party RBAC Vendors260The Dot Net Factory260IBM261Oracle262Centrify263Appendix K: Third-Party PIM Vendors264Cyber-Ark264Quest266Lieberman Software266Novell268CA269Appendix L: Events to Monitor271Appendix M: Document Links and Recommended Reading301Document Links301Recommended Reading312
ForewordIn todays information rich environment, senior executives are faced with the challenge of harnessing information technology to help their business: Execute its strategy Improve its operations Enhance the perceived value of its own products and servicesIn support of these challenges, consumer-centric computing models that leverage highly scalable platforms (the cloud) and a plethora of devices are being utilized. The new business paradigm is obsessed with speed, agility, and execution. The evolution of these models requires even more comprehensive and agile security and risk management programs to ensure success.This document provides a practitioners perspective and contains a set of practical techniques to help IT executives protect an enterprise Active Directory environment. Active Directory plays a critical role in the IT infrastructure, and ensures the harmony and security of different network resources in a global, interconnected environment. The methods discussed are based largely on the Microsoft Information Security and Risk Management (ISRM) organizations experience, which is accountable for protecting the assets of Microsoft IT and other Microsoft Business Divisions, in addition to advising a selected number of Microsoft Global 500 customers.Key tenets of this paper are understanding the avenues for establishing a healthy Active Directory, implementing monitoring systems, actions to reduce the attack surface, and managing a resilient environment. This risk-based approach assumes that the corporate infrastructure, and more specifically the Active Directory, is a critical target. With this mindset, resiliency and recovery become critical components of an Active Directory protection programThis document encompasses experience from several hundred Active Directory Security Assessments, critical incident responses, and recovery engagements, and proven techniques for mitigating IT risks. Based on numerous requests from Microsoft customers and partners, this document reflects a comprehensive guide, and it contains best practices for protecting Active Directory. Information security and risk management executives will find the techniques explained in this document to be a significant contribution to their understanding of best practices, in addition to practical implementation programs for their Active Directory environments.
Bret ArsenaultMicrosoft Chief Information Security OfficerAcknowledgementsAuthorsLaura A. Robinson, Lead AuthorKhurram ChaudharyRoger GrimesEric Leonard ContributorsAhmad Mahdi Ashish PopliDan Kaufman Jenn LeMond Joost van HaarenRob LabbReviewersAlan von WeltinAndrew IdellBret ArsenaultDavid Shaw Dean WellsFernando CimaGeorgeo Pulikkathara Joost van HaarenJoseph LindstromLaura Hunter Lesley KiplingMark SimosMichiko ShortNeil CarpenterPatrick JunglesPaul RichRob LabbSean FinneganTim RainsTodd Thompson
Executive SummaryNo organization with an information technology (IT) infrastructure is immune from attack, but if appropriate policies, processes, and controls are implemented to protect key segments of an organizations computing infrastructure, it might be possible to prevent a breach event from growing to a wholesale compromise of the computing environment.This executive summary is intended to be useful as a standalone document summarizing the content of the document, which contains recommendations that will assist organizations in enhancing the security of their Active Directory installations. By implementing these recommendations, organizations will be able to identify and prioritize security activities, protect key segments of their organizations computing infrastructure, and create controls that significantly decrease the likelihood of successful attacks against critical components of the IT environment.Although this document discusses the most common attacks against Active Directory and countermeasures to reduce the attack surface, it also contains recommendations for recovery in the event of complete compromise. The only sure way to recover in the event of a complete compromise of Active Directory is to be prepared for the compromise before it happens.The major sections of this document are: Avenues to Compromise Reducing the Active Directory Attack Surface Monitoring Active Directory for Signs of Compromise Planning for Compromise Avenues to CompromiseThis section provides information about some of the most commonly leveraged vulnerabilities used by attackers to compromise customers infrastructures. It contains general categories of vulnerabilities and how theyre used to initially penetrate customers infrastructures, propagate compromise across additional systems, and eventually target Active Directory and domain controllers to obtain complete control of the organizations forests. It does not provide detailed recommendations about addressing each type of vulnerability, particularly in the areas in which the vulnerabilities are not used to directly target Active Directory. However, for each type of vulnerability, we have provided links to additional information to use to develop countermeasures and reduce the organizations attack surface.Included are the following subjects: Initial breach targets - Most information security breaches start with the compromise of small pieces of an organizations infrastructureoften one or two systems at a time. These initial events, or entry points into the network, often exploit vulnerabilities that could have been fixed, but werent. Commonly seen vulnerabilities are: Gaps in antivirus and antimalware deployments Incomplete patching Outdated applications and operating systems Misconfiguration Lack of secure application development practices Attractive Accounts for Credential Theft - Credential theft attacks are those in which an attacker initially gains privileged access to a computer on a network and then uses freely available tooling to extract credentials from the sessions of other logged-on accounts.Included in this section are the following: Activities that Increase the Likelihood of Compromise - Because the target of credential theft is usually highly privileged domain accounts and very important person (VIP) accounts, it is important for administrators to be conscious of activities that increase the likelihood of a success of a credential-theft attack. These activities are: Logging on to unsecured computers with privileged accoun