Spark the future.
Jess Dodson
Righting the Right Rights
Active Directory & Domain Security, Administration & Maintenance
WIN341B
Security
Accounts
Accounts – you need more than one!
Different Accounts
Standard account
Desktop admin account
Server admin account
Domain admin account
Domain admin accounts never log on to desktops
Limit access to your accounts
Keep accounts out of your admin groups
Who actually needs to be a Domain Admin anyway?
Passwords
Do not use the default
Don’t use the same password…for everything
Make sure passwords EXPIRE
Longer password
= longer time
between changes
XKCD.com
Use fine-grained password policies (FGPPs)
Passwords do not belong in GPPs… EVER (MS14-025)
Randomise your local admin passwords – LAPS!
Prevent local admin accounts from remotely accessing other systems
Servers
Patch your servers!
Only DAs can access the console of DCs
Trusts – who actually requires access?
Workstations
Admin workstation =/= user workstation
Administration & Maintenance
• Replication
• FSMO Roles
• Time Synchronization
• Trusts
• DNS & Networking
• Event Logs
• Account Administration
Replication
repadmin /replsummary
repadmin /showrepl * /errorsonly
repadmin /showutdvec * dc=<domain>,dc=<com>
repadmin /queue *
repadmin /failcache
FSMO Roles
netdom query fsmo
Time Settings
w32tm /config /manualpeerlist:<list of time servers> /syncfromflags:manual /reliable:yes /update
w32tm /config /syncfromflags:domhier /update
w32tm /query /configuration
Trusts
nltest /domain_trusts
DNS & Networking
type %systemroot%\debug\netlogon.log | findstr NO_CLIENT_SITE
Ports
389 – LDAP
636 – LDAP SSL
3268 – LDAP GC
3269 – LDAP GC SSL
135 – RPC, EPM
53 – DNS
88 – Kerberos
445 – SMB/IP
139 – NetBIOS Session Port
123 – NTP Time Services
Event Logs
System events
29: Time synchronization failure
55: Possible file system corruption
1056: DHCP service is running on a DC without credentials
16645: RID Pool depleted
16650: Account-identifier failed to initialize
DNS events
5774: DNS registration failure
5775: DNS de-registration failure
5781: DNS registration or deregistration failure
Security & Directory Service events
ALL events
Account Monitoring & Administration
Account lockout failures & failed login attempts
Check admin group memberships & monitor addition/removal from security groups
Enterprise
Schema
Domain
Everything!
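The Event Logs and Account Monitoring slides list what to watch but not how to sift an export for it. The following is an added example (not part of the presentation) that runs that triage over a constructed, simplified event export: it counts the slide-listed System and DNS event IDs per DC, and flags accounts whose failed logons add up across DCs or that were locked out. The Security-log IDs 4625 (failed logon) and 4740 (account locked out) are the standard Windows IDs, which the slides do not name; the tuple layout and sample data are assumptions.

```python
from collections import Counter

# DC health event IDs from the slides, keyed by (log name, event ID).
DC_HEALTH_EVENTS = {
    ("System", 29): "Time synchronization failure",
    ("System", 55): "Possible file system corruption",
    ("System", 1056): "DHCP service is running on a DC without credentials",
    ("System", 16645): "RID Pool depleted",
    ("System", 16650): "Account-identifier failed to initialize",
    ("DNS Server", 5774): "DNS registration failure",
    ("DNS Server", 5775): "DNS de-registration failure",
    ("DNS Server", 5781): "DNS registration or deregistration failure",
}

# Standard Windows Security-log IDs (assumption: not named on the slides).
FAILED_LOGON = 4625
ACCOUNT_LOCKOUT = 4740

# Constructed sample export: (computer, log name, event ID, target account).
SAMPLE_EVENTS = [
    ("DC01", "System", 29, ""),
    ("DC01", "System", 29, ""),
    ("DC01", "DNS Server", 5774, ""),
    ("DC02", "System", 16645, ""),
    ("DC02", "System", 7036, ""),            # unrelated System event, ignored
    ("DC01", "Security", 4625, "svc_backup"),
    ("DC01", "Security", 4625, "svc_backup"),
    ("DC02", "Security", 4625, "svc_backup"),  # same account, different DC
    ("DC01", "Security", 4625, "jdoe"),
    ("DC02", "Security", 4740, "svc_backup"),
]


def dc_health_findings(events):
    """Return {computer: Counter(description -> count)} for slide-listed IDs."""
    findings = {}
    for computer, log, event_id, _ in events:
        desc = DC_HEALTH_EVENTS.get((log, event_id))
        if desc:
            findings.setdefault(computer, Counter())[desc] += 1
    return findings


def account_findings(events, threshold=3):
    """Accounts at or above `threshold` failed logons across ALL DCs, plus lockouts.
    Counting across DCs matters: failures spread over several DCs can each stay
    under a per-DC threshold while the account is clearly under pressure."""
    failed, locked = Counter(), set()
    for _, log, event_id, account in events:
        if log != "Security":
            continue
        if event_id == FAILED_LOGON:
            failed[account] += 1
        elif event_id == ACCOUNT_LOCKOUT:
            locked.add(account)
    flagged = {acct: n for acct, n in failed.items() if n >= threshold}
    return {"failed_logons": flagged, "locked_out": sorted(locked)}


if __name__ == "__main__":
    for dc, counts in dc_health_findings(SAMPLE_EVENTS).items():
        for desc, n in counts.items():
            print(f"{dc}: {desc} x{n}")
    print(account_findings(SAMPLE_EVENTS))
```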
dcdiag /c
Complete your session evaluation on My Ignite for your chance to win one of many daily prizes.
Continue your Ignite learning path
Pass-the-Hash Attacks: http://www.microsoft.com/security/sir/strategy/default.aspx#!pass_the_hash_attacks
Securing Active Directory – Best Practices: http://aka.ms/bpsad
Microsoft Security Compliance Manager: http://aka.ms/scm
Regular AD Maintenance & Checks: http://girl-germs.com/?p=564
Contact me!
Twitter: @girlgerms (best way!)
Linkedin: https://au.linkedin.com/in/jrdodson
Email: [email protected]
Blog: http://girl-germs.com
Questions?
© 2015 Microsoft Corporation. All rights reserved. Microsoft, Windows and other product names are or may be registered trademarks and/or trademarks in the U.S. and/or other countries. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION.