7/31/2019 RAllen AD Security Best Practices
Active Directory Security
Best Practices
Robbie Allen, Cisco Systems
Email: [email protected]
Web: http://www.rallenhome.com/
-
Agenda
What we are up against
AD Security best practices
Preparing for the worst
Additional resources
Q/A
-
AD Design with Security in Mind
Design dictates security
The fewer the better philosophy
AD Functional Boundaries:
Use forests to establish isolation boundaries (the forest, not the domain, is the security boundary)
Use domains to establish replication, security policy, and management boundaries
Use application partitions to establish customized replication boundaries
Use OUs to establish policy and delegation boundaries
-
The Empty Root Domain
Creates a framework for adding new domains without creating a separate namespace
Provides almost no additional security
Tends not to be so empty over time
Increases support costs
-
Basic Attack Strategies
Social engineering
Escalation of privilege
Denial of service
Spoofing
Repudiation
Sniffing
Data access
Data modification
-
Some AD Attack Vectors
Admin groups
Admin accounts
LocalSystem account
Backups
ACLs
Group Policy
SIDHistory
Replication
Quotas
FSMOs
Global catalogs
DNS
DHCP
Terminal services
Physical server
Hard drives
-
Best Practices
-
Administrators
Rename the default Administrator account (its RID stays 500, so this only slows down an attacker who goes by name)
Create separate admin and user accounts
Store admin accounts in a separate OU
Establish secure admin workstations
Limit access to the Administrator account password
Change the password frequently and make it random (don't forget the DSRM password)
Have a process to quickly disable/delete admin accounts
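The checks on this slide as an added PowerShell example (not code from the deck or from Robbie Allen): it finds the built-in Administrator by its RID rather than its current name, reports Domain Admins members that violate the separate-account, separate-OU and rotation rules, and gives one-step rotate and disable helpers. The ActiveDirectory RSAT module is required; the admin OU name, the adm-* naming convention and the 30-day rotation window are assumptions for illustration.

```powershell
# Added example for the Administrators slide; not code from Robbie Allen's deck.
# Assumes the ActiveDirectory RSAT module and a session with rights to read users
# and (for the rotation helpers) reset passwords. The admin OU name, the 'adm-'
# naming convention and the 30-day rotation window are assumptions for illustration.
Import-Module ActiveDirectory

$domain    = Get-ADDomain
$domainSid = $domain.DomainSID.Value
$adminOu   = "OU=Admin Accounts,$($domain.DistinguishedName)"   # assumed admin OU
$maxPwdAge = 30                                                  # assumed max age, days

# Renaming the built-in Administrator does not change its RID; it is always <domain SID>-500,
# so find it by SID rather than by name (an attacker enumerating it will do the same).
function Get-BuiltinAdministrator {
    Get-ADUser -Identity "$domainSid-500" -Properties PasswordLastSet, LastLogonDate, Enabled
}

# Report Domain Admins members that break the practices on the slide:
# shared admin/user account, stored outside the admin OU, or stale password.
function Get-AdminAccountFindings {
    $members = Get-ADGroupMember -Identity 'Domain Admins' -Recursive |
        Where-Object { $_.objectClass -eq 'user' } |
        Get-ADUser -Properties PasswordLastSet, DistinguishedName
    foreach ($u in $members) {
        $issues = @()
        if ($u.SID.Value -ne "$domainSid-500" -and $u.SamAccountName -notlike 'adm-*') {
            $issues += 'does not follow the adm-* convention (admin and user roles on one account?)'
        }
        if ($u.DistinguishedName -notlike "*,$adminOu") {
            $issues += 'stored outside the admin OU'
        }
        if (-not $u.PasswordLastSet -or $u.PasswordLastSet -lt (Get-Date).AddDays(-$maxPwdAge)) {
            $issues += "password older than $maxPwdAge days"
        }
        if ($issues) {
            [pscustomobject]@{ Account = $u.SamAccountName; Issues = ($issues -join '; ') }
        }
    }
}

# Random password from the OS CSPRNG; Base64 output covers upper, lower, digit and symbol classes.
function New-RandomPassword([int]$Length = 24) {
    $bytes = New-Object byte[] $Length
    [System.Security.Cryptography.RandomNumberGenerator]::Create().GetBytes($bytes)
    [Convert]::ToBase64String($bytes).Substring(0, $Length)
}

# Rotate one account's password to a random value; -WhatIf shows the change without making it.
function Reset-AdminPassword {
    [CmdletBinding(SupportsShouldProcess = $true)]
    param([Parameter(Mandatory)][string]$Identity)
    $new = New-RandomPassword
    if ($PSCmdlet.ShouldProcess($Identity, 'Reset password to a random value')) {
        Set-ADAccountPassword -Identity $Identity -Reset `
            -NewPassword (ConvertTo-SecureString $new -AsPlainText -Force)
        # Hand $new to the password vault here; never write it to disk or the console.
    }
}

# "Have a process to quickly disable admin accounts": disable, invalidate the password,
# and strip group memberships in one step, so a compromised admin account stops working now.
function Disable-AdminAccount {
    [CmdletBinding(SupportsShouldProcess = $true)]
    param([Parameter(Mandatory)][string]$Identity)
    $u = Get-ADUser -Identity $Identity -Properties MemberOf
    if ($PSCmdlet.ShouldProcess($u.SamAccountName, 'Disable and strip group memberships')) {
        Disable-ADAccount -Identity $u
        Set-ADAccountPassword -Identity $u -Reset `
            -NewPassword (ConvertTo-SecureString (New-RandomPassword) -AsPlainText -Force)
        foreach ($g in $u.MemberOf) {
            Remove-ADGroupMember -Identity $g -Members $u -Confirm:$false
        }
    }
}

Get-BuiltinAdministrator | Format-List SamAccountName, Enabled, PasswordLastSet, LastLogonDate
Get-AdminAccountFindings | Format-Table -AutoSize

# The DSRM password lives in each DC's local SAM, not in AD, so domain password policy
# never rotates it. Run on each DC (ntdsutil prompts for the new value):
#   ntdsutil "set dsrm password" "reset password on server null" q q
```

Run the report first, then call Reset-AdminPassword or Disable-AdminAccount with -WhatIf to see what would change before doing it for real. Removing group memberships matters as much as disabling: a disabled account can still be re-enabled by whoever holds the group rights.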
-
Domain Controllers
Ensure physical security
Automate the build process
Build DCs in a controlled environment
Create a reserve disk space file (a placeholder you can delete to free space fast if the DIT volume fills)
Disable all unnecessary services
Run virus scanning software
-
Group Memberships
Limit membership of admin groups
Set ACLs on groups so that only admins can modify admin groups
Create separate OUs to store admin groups
Remove everyone from the Schema Admins group
Add accounts as needed
Audit changes to admin groups
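An added PowerShell example covering this slide and the Auditing slide's "audit changes to admin groups" item (not code from the deck or from Robbie Allen): it resolves the privileged groups by well-known SID, diffs their nested membership against an approved baseline, flags a non-empty Schema Admins, and pulls the membership-change events from a DC's Security log. It assumes the ActiveDirectory module, a baseline file at an assumed path, and the "Audit Security Group Management" subcategory enabled on DCs so events 4728, 4732 and 4756 exist.

```powershell
# Added example for the Group Memberships and Auditing slides; not code from the deck.
# Assumes the ActiveDirectory module, a baseline file you maintain (path assumed), and
# "Audit Security Group Management" enabled so events 4728/4732/4756 are logged on DCs.
Import-Module ActiveDirectory

$baselinePath = 'C:\ADSec\admin-groups-baseline.json'   # assumed location
$forest  = Get-ADForest
$domain  = Get-ADDomain
$rootDom = Get-ADDomain -Identity $forest.RootDomain

# Resolve the privileged groups by well-known SID/RID so a renamed group is still found.
# Enterprise Admins (RID 519) and Schema Admins (RID 518) exist only in the forest root domain.
$privilegedGroups = @(
    @{ Name = 'Administrators';    Sid = 'S-1-5-32-544';                      Server = $domain.DNSRoot }
    @{ Name = 'Domain Admins';     Sid = "$($domain.DomainSID.Value)-512";    Server = $domain.DNSRoot }
    @{ Name = 'Enterprise Admins'; Sid = "$($rootDom.DomainSID.Value)-519";   Server = $rootDom.DNSRoot }
    @{ Name = 'Schema Admins';     Sid = "$($rootDom.DomainSID.Value)-518";   Server = $rootDom.DNSRoot }
)

# Current membership with nested groups expanded, as sorted sAMAccountName lists.
function Get-PrivilegedMembership {
    $result = @{}
    foreach ($g in $privilegedGroups) {
        $result[$g.Name] = @(Get-ADGroupMember -Identity $g.Sid -Server $g.Server -Recursive |
            ForEach-Object { $_.SamAccountName } | Sort-Object -Unique)
    }
    $result
}

# Compare live membership with the approved baseline; one finding per deviation.
function Compare-PrivilegedMembership {
    param([hashtable]$Current, [hashtable]$Baseline)
    foreach ($name in $Current.Keys) {
        $approved = @($Baseline[$name])
        foreach ($m in $Current[$name]) {
            if ($m -notin $approved) { [pscustomobject]@{ Group = $name; Member = $m; Finding = 'not in baseline' } }
        }
        foreach ($m in $approved) {
            if ($m -notin $Current[$name]) { [pscustomobject]@{ Group = $name; Member = $m; Finding = 'missing (removed?)' } }
        }
        # Schema Admins should be empty between schema changes, whatever the baseline says.
        if ($name -eq 'Schema Admins' -and $Current[$name].Count -gt 0) {
            [pscustomobject]@{ Group = $name; Member = ($Current[$name] -join ','); Finding = 'should be empty' }
        }
    }
}

# Membership-change events from a DC's Security log: who added whom to which group.
# 4728 = global group, 4732 = domain-local group, 4756 = universal group (member added).
function Get-GroupChangeEvents {
    param([string]$DomainController = $domain.PDCEmulator, [int]$Hours = 24)
    $filter = @{ LogName = 'Security'; Id = 4728, 4732, 4756; StartTime = (Get-Date).AddHours(-$Hours) }
    Get-WinEvent -ComputerName $DomainController -FilterHashtable $filter -ErrorAction SilentlyContinue |
        ForEach-Object {
            $e = $_
            $data = @{}
            ([xml]$e.ToXml()).Event.EventData.Data | ForEach-Object { $data[$_.Name] = $_.'#text' }
            [pscustomobject]@{
                Time   = $e.TimeCreated
                Event  = $e.Id
                Group  = $data['TargetUserName']
                Member = $data['MemberName']
                By     = "$($data['SubjectDomainName'])\$($data['SubjectUserName'])"
            }
        }
}

$current = Get-PrivilegedMembership
if (Test-Path $baselinePath) {
    $baseline = @{}
    (Get-Content $baselinePath -Raw | ConvertFrom-Json).PSObject.Properties |
        ForEach-Object { $baseline[$_.Name] = @($_.Value) }
    Compare-PrivilegedMembership -Current $current -Baseline $baseline | Format-Table -AutoSize
} else {
    # First run: record what exists now, then review that file by hand before trusting it.
    $current | ConvertTo-Json | Set-Content $baselinePath
}
Get-GroupChangeEvents | Format-Table -AutoSize
```

Schedule the comparison and alert on any finding; the event query only sees what one DC logged, so point it at every DC (or at a collector, which is what the ACS item on the Auditing slide is about) if you need completeness.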
-
Delegation
KISS (keep it simple)
Create a role-based model
Don't assign permissions to individual accounts
Don't assign permissions on individual objects
Document your delegation model
Get familiar with dsrevoke.exe (reports and removes the explicit ACEs a principal holds on OUs across a domain)
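An added PowerShell example for this slide (not code from the deck or from Robbie Allen): it walks an OU subtree and reports every explicit ACE that breaks the role-based model, either because it is granted to a user or computer account instead of a group, or because it sits on an individual object instead of an OU. It assumes the ActiveDirectory module; the OU DN in the example call is an assumption, and the dsrevoke command line in the closing comment uses assumed domain and account names.

```powershell
# Added example for the Delegation slide; not code from the deck. Assumes the ActiveDirectory
# module. The OU to audit is a parameter; the call at the bottom uses an assumed DN.
Import-Module ActiveDirectory

$domain = Get-ADDomain
$containerClasses = 'organizationalUnit', 'container', 'domainDNS'

# Classify the principal behind an ACE: 'group', 'user', 'computer', or 'wellknown' for
# SIDs such as SYSTEM or SELF that have no object in the directory.
function Resolve-AcePrincipal {
    param([System.Security.Principal.IdentityReference]$Identity)
    try {
        $sid = $Identity.Translate([System.Security.Principal.SecurityIdentifier]).Value
    } catch {
        return [pscustomobject]@{ Name = $Identity.Value; Class = 'unresolved' }
    }
    $obj = Get-ADObject -LDAPFilter "(objectSid=$sid)" -Properties objectClass
    if (-not $obj) { return [pscustomobject]@{ Name = $Identity.Value; Class = 'wellknown' } }
    [pscustomobject]@{ Name = $Identity.Value; Class = $obj.ObjectClass }
}

# Walk an OU subtree and report explicit (non-inherited) Allow ACEs that break the role-based
# model. Inherited ACEs are skipped: they come from a parent that is reported in its own right.
function Get-DelegationFindings {
    param([Parameter(Mandatory)][string]$SearchBase)
    $cache = @{}
    Get-ADObject -SearchBase $SearchBase -SearchScope Subtree -Filter * -Properties nTSecurityDescriptor |
        ForEach-Object {
            $obj = $_
            foreach ($ace in $obj.nTSecurityDescriptor.Access) {
                if ($ace.IsInherited -or $ace.AccessControlType -ne 'Allow') { continue }
                $key = $ace.IdentityReference.Value
                if (-not $cache.ContainsKey($key)) { $cache[$key] = Resolve-AcePrincipal $ace.IdentityReference }
                $who = $cache[$key]
                if ($who.Class -eq 'wellknown') { continue }
                $reasons = @()
                if ($who.Class -in 'user', 'computer') { $reasons += 'granted to an individual account' }
                if ($obj.ObjectClass -notin $containerClasses) { $reasons += 'explicit ACE on an individual object' }
                if ($reasons) {
                    [pscustomobject]@{
                        Object    = $obj.DistinguishedName
                        Principal = $who.Name
                        Rights    = $ace.ActiveDirectoryRights
                        Reason    = $reasons -join '; '
                    }
                }
            }
        }
}

# Audit the OU where delegated admins work (DN assumed).
Get-DelegationFindings -SearchBase "OU=Workstations,$($domain.DistinguishedName)" | Format-Table -AutoSize

# Cleanup: dsrevoke.exe reports (/report) or strips (/remove) the explicit ACEs a principal
# holds on OUs across the domain, which is how you retire a one-off grant found above
# (domain and account are assumed):
#   dsrevoke /report /domain:corp.example "CORP\alice"
```

Expect some noise from default ACEs on protected objects; the point is the remainder, which should be a short list of role groups on OUs and nothing else.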
-
DNS
Use AD-integrated zones
Enable secure dynamic updates to prevent name hijacking
Use application partitions in W2K3 to decrease replication
Enable scavenging to remove stale records
Use forwarders or stub zones instead of secondaries
Eliminate text-based zone files and zone transfers
Create a split DNS namespace: hide the internal namespace from the Internet
There is a lot of infrastructure information in AD resource records (SRV records advertise DCs, GCs and sites)
Use quotas to restrict the number of records Authenticated Users can create
-
DHCP
Avoid the name hijacking problem
Configure so that:
The client updates its own A record
The DHCP service updates the PTR record
Don't run DHCP on a DC
If necessary, use a service account (so DHCP does not register records under the DC's computer account)
See MS KB 255134 - http://tinyurl.com/5ek6n
-
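An added PowerShell example covering the DNS and DHCP slides together, since both are about name hijacking (not code from the deck or from Robbie Allen): it audits each zone for file-backed storage, non-secure dynamic updates, open zone transfers, legacy replication scope and disabled scavenging, then checks the DHCP DNS-update settings for the client-updates-A, server-updates-PTR arrangement under a dedicated credential and flags DHCP running on a DC. It assumes the DnsServer and DhcpServer RSAT modules (Windows Server 2012 or later) plus the ActiveDirectory module; server names and the service account name are assumptions. The NameProtection check goes beyond the slide: it is the later DHCP-side fix for the same problem.

```powershell
# Added example for the DNS and DHCP slides; not code from the deck. Assumes the DnsServer,
# DhcpServer and ActiveDirectory RSAT modules. Server names and the DHCP DNS-update
# service account are assumptions for illustration.
Import-Module ActiveDirectory, DnsServer, DhcpServer

# Report every zone setting that enables name hijacking or leaks the namespace.
function Get-DnsZoneFindings {
    param([string]$DnsServer = (Get-ADDomain).PDCEmulator)
    foreach ($z in Get-DnsServerZone -ComputerName $DnsServer | Where-Object { -not $_.IsAutoCreated }) {
        $issues = @()
        switch ($z.ZoneType) {
            'Secondary' { $issues += 'secondary zone: use a forwarder or stub zone instead' }
            'Primary' {
                if (-not $z.IsDsIntegrated) { $issues += 'file-backed zone (text zone file, no AD replication, no secure updates)' }
                if ($z.DynamicUpdate -ne 'Secure') { $issues += "dynamic updates are '$($z.DynamicUpdate)': any host can overwrite any record" }
                if ($z.SecureSecondaries -eq 'TransferAnyServer') { $issues += 'zone transfers allowed to any server' }
                if ($z.IsDsIntegrated -and $z.ReplicationScope -eq 'Legacy') { $issues += 'stored in the domain partition; move it to an application partition' }
                $aging = Get-DnsServerZoneAging -Name $z.ZoneName -ComputerName $DnsServer
                if (-not $aging.AgingEnabled) { $issues += 'scavenging disabled: stale records accumulate' }
            }
        }
        if ($issues) { [pscustomobject]@{ Zone = $z.ZoneName; Type = $z.ZoneType; Issues = $issues -join '; ' } }
    }
}

# Harden one AD-integrated primary zone: secure updates only, no zone transfers, scavenging on.
function Set-DnsZoneHardened {
    param([Parameter(Mandatory)][string]$ZoneName, [string]$DnsServer = (Get-ADDomain).PDCEmulator)
    Set-DnsServerPrimaryZone -Name $ZoneName -ComputerName $DnsServer -DynamicUpdate Secure -SecureSecondaries NoTransfer
    Set-DnsServerZoneAging -Name $ZoneName -ComputerName $DnsServer -Aging $true
}

# DHCP: the client registers its own A record and the DHCP service registers only the PTR,
# using a service account rather than the server's computer account (the KB 255134 arrangement).
function Get-DhcpDnsFindings {
    param([Parameter(Mandatory)][string]$DhcpServer)
    $s = Get-DhcpServerv4DnsSetting -ComputerName $DhcpServer
    $issues = @()
    if ($s.DynamicUpdates -ne 'OnClientRequest') { $issues += "DynamicUpdates is '$($s.DynamicUpdates)'; expected OnClientRequest" }
    if ($s.UpdateDnsRRForOlderClients) { $issues += 'DHCP registers A records for legacy clients under its own identity' }
    if (-not $s.NameProtection) { $issues += 'name protection off: a new lease can overwrite another host''s record' }
    $cred = Get-DhcpServerDnsCredential -ComputerName $DhcpServer -ErrorAction SilentlyContinue
    if (-not $cred.UserName) { $issues += 'no DNS update credential: records are owned by the server computer account' }
    $dcs = Get-ADDomainController -Filter * | Select-Object -ExpandProperty HostName
    if ($DhcpServer -in $dcs) { $issues += 'DHCP runs on a domain controller' }
    [pscustomobject]@{ Server = $DhcpServer; Issues = $issues -join '; ' }
}

function Set-DhcpDnsHardened {
    param([Parameter(Mandatory)][string]$DhcpServer, [Parameter(Mandatory)][pscredential]$UpdateCredential)
    Set-DhcpServerv4DnsSetting -ComputerName $DhcpServer -DynamicUpdates OnClientRequest `
        -UpdateDnsRRForOlderClients $false -NameProtection $true
    Set-DhcpServerDnsCredential -ComputerName $DhcpServer -Credential $UpdateCredential
}

Get-DnsZoneFindings | Format-Table -AutoSize
# Every DHCP server authorized in AD, by the FQDN it was authorized under.
Get-DhcpServerInDC | ForEach-Object { Get-DhcpDnsFindings -DhcpServer $_.DnsName } | Format-Table -AutoSize
# Set-DhcpDnsHardened -DhcpServer dhcp01.corp.example -UpdateCredential (Get-Credential 'CORP\svc-dhcp-dns')
```

NoTransfer is the right setting only when every DNS server hosting the zone is a DC that gets it through AD replication; if a non-DC secondary still exists, the finding tells you which zone to migrate first.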
Trusts
Consider operational security of other forest
Consider Admin membership in other forest
sIDHistory and SID filtering: without filtering, an admin in the trusted domain can put your SIDs into an account's sIDHistory
Use netdom to enable SID filtering (netdom trust ... /quarantine:yes)
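An added PowerShell example for this slide (not code from the deck or from Robbie Allen): it decodes each trust's trustAttributes bits to show whether SID filtering is actually in force, and lists every object carrying sIDHistory, flagging entries that belong to this forest's own domains or carry a well-known RID, which is what an injected sIDHistory looks like. It reads the raw attribute bits rather than the friendlier Get-ADTrust flags so the meaning is unambiguous. It assumes the ActiveDirectory module; the domain names in the netdom comments are assumptions.

```powershell
# Added example for the Trusts slide; not code from the deck. Assumes the ActiveDirectory
# module. Trust names in the netdom comments are assumptions.
Import-Module ActiveDirectory

$forestDomainSids = (Get-ADForest).Domains | ForEach-Object { (Get-ADDomain -Identity $_).DomainSID.Value }

# trustAttributes bits (MS-ADTS): 0x4 QUARANTINED_DOMAIN (SID filtering on external trust),
# 0x8 FOREST_TRANSITIVE, 0x20 WITHIN_FOREST, 0x40 TREAT_AS_EXTERNAL (forest trust with the
# stricter cross-forest filtering relaxed, i.e. SID history enabled across the trust).
function Get-TrustFindings {
    foreach ($t in Get-ADTrust -Filter *) {
        $a = [int]$t.TrustAttributes
        $state = if ($a -band 0x20) {
            'intra-forest: filtering not applicable, the forest is the boundary'
        } elseif ($a -band 0x8) {
            if ($a -band 0x40) { 'FOREST TRUST WITH SID HISTORY ENABLED: netdom trust ... /enablesidhistory:no' }
            else { 'forest trust, SID filtering on' }
        } elseif ($a -band 0x4) {
            'external trust, quarantined (SID filtering on)'
        } else {
            'EXTERNAL TRUST NOT QUARANTINED: netdom trust ... /quarantine:yes'
        }
        [pscustomobject]@{
            Trust      = $t.Name
            Direction  = $t.Direction
            Attributes = ('0x{0:X}' -f $a)
            SelectiveAuth = $t.SelectiveAuthentication
            State      = $state
        }
    }
}

# Objects with sIDHistory. Legitimate right after a migration, but entries from our own
# forest (should have been cleaned up) or with a well-known RID are the attack signature.
function Get-SidHistoryFindings {
    Get-ADObject -LDAPFilter '(sIDHistory=*)' -Properties sIDHistory, sAMAccountName |
        ForEach-Object {
            $obj = $_
            foreach ($entry in $obj.sIDHistory) {
                $s = [System.Security.Principal.SecurityIdentifier]$entry
                $rid = [int]$s.Value.Split('-')[-1]
                $flags = @()
                if ($s.AccountDomainSid -and $s.AccountDomainSid.Value -in $forestDomainSids) { $flags += 'SID from this forest' }
                if ($rid -lt 1000) { $flags += "well-known RID $rid" }
                [pscustomobject]@{ Object = $obj.sAMAccountName; HistorySid = $s.Value; Flags = $flags -join '; ' }
            }
        }
}

Get-TrustFindings | Format-Table -AutoSize
Get-SidHistoryFindings | Format-Table -AutoSize

# Fix, run from the trusting side with credentials for the trusted side (names assumed):
#   netdom trust corp.example /domain:partner.example /quarantine:yes /userD:PARTNER\admin /passwordD:*
#   netdom trust corp.example /domain:partner.example /enablesidhistory:no /userD:PARTNER\admin /passwordD:*
```

Selective authentication narrows which resources the other forest's users can reach but does not stop SID injection, so it is reported alongside, not instead of, the filtering state.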
-
Backup and Restore
Secure backup handling and storage
Document backup lifecycle
Treat backup admins as service admins (a copy of the DIT holds every account's password hash)
Periodically test the restore process
Practice object, tree, and forest authoritative restores
-
Auditing
See Best Practice Guide
Audit changes to admin accounts, groups and other important objects
Coming soon: Audit Collection Services (ACS)
Provides consolidation of audit logs
Populates a SQL Server or MSDE database
-
Monitoring
Monitor for any unexpected DC outages
Can indicate an attack
Monitor disk space use and object growth
Can indicate a replicating DoS attack (object flooding)
Monitor LDAP and DNS traffic
Can indicate a DoS attack
Keep an eye on new DC/GC promotions
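An added PowerShell example for this slide, which also covers the "reserve disk space file" item from the Domain Controllers slide (not code from the deck or from Robbie Allen): each run takes a snapshot of the DC and GC list, the domain's object count and the DIT volume state on every DC, compares it with the previous snapshot, and reports new promotions, suspicious object growth, low disk space and missing reserve files. Traffic monitoring is left to the network tools. It assumes the ActiveDirectory module, WinRM access to each DC, and a baseline file at an assumed path; the thresholds are assumptions.

```powershell
# Added example for the Monitoring slide (plus the reserve-file item on the Domain Controllers
# slide); not code from the deck. Assumes the ActiveDirectory module, WinRM access to each DC,
# and a baseline file at an assumed path. Thresholds are assumptions for illustration.
Import-Module ActiveDirectory

$baselinePath  = 'C:\ADSec\monitor-baseline.json'   # assumed
$growthPercent = 10       # object growth since the last run that warrants a look
$minFreeMB     = 2048     # minimum free space on the DIT volume
$reserveBytes  = 1GB      # size of the placeholder file to create on each DC

# Snapshot: DCs, GCs, object count, and the DIT file/volume state on every DC.
function Get-ADHealthSnapshot {
    $dcs = Get-ADDomainController -Filter *
    $dit = foreach ($dc in $dcs) {
        Invoke-Command -ComputerName $dc.HostName -ErrorAction SilentlyContinue -ScriptBlock {
            $path = (Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Services\NTDS\Parameters').'DSA Database file'
            [pscustomobject]@{
                DC         = $env:COMPUTERNAME
                DitMB      = [math]::Round((Get-Item $path).Length / 1MB)
                FreeMB     = [math]::Round((Get-PSDrive -Name $path.Substring(0, 1)).Free / 1MB)
                HasReserve = Test-Path (Join-Path (Split-Path $path) 'reserve.dat')
            }
        }
    }
    [pscustomobject]@{
        Taken   = (Get-Date).ToString('o')
        DCs     = @($dcs.HostName | Sort-Object)
        GCs     = @($dcs | Where-Object IsGlobalCatalog | ForEach-Object HostName | Sort-Object)
        Objects = (Get-ADObject -Filter * -SearchBase (Get-ADDomain).DistinguishedName -ResultSetSize $null | Measure-Object).Count
        Dit     = @($dit | Select-Object DC, DitMB, FreeMB, HasReserve)
    }
}

# Diff two snapshots and emit one line per condition worth a ticket.
function Compare-ADHealthSnapshot {
    param($Current, $Baseline)
    foreach ($dc in $Current.DCs) { if ($dc -notin $Baseline.DCs) { "new domain controller promoted: $dc" } }
    foreach ($gc in $Current.GCs) { if ($gc -notin $Baseline.GCs) { "new global catalog: $gc" } }
    foreach ($dc in $Baseline.DCs) { if ($dc -notin $Current.DCs) { "domain controller missing: $dc (outage or demotion?)" } }
    $growth = if ($Baseline.Objects) { 100 * ($Current.Objects - $Baseline.Objects) / $Baseline.Objects } else { 0 }
    if ($growth -gt $growthPercent) {
        'object count grew {0:N1}% ({1} -> {2}): check for object flooding' -f $growth, $Baseline.Objects, $Current.Objects
    }
    foreach ($d in $Current.Dit) {
        if ($d.FreeMB -lt $minFreeMB) { "$($d.DC): only $($d.FreeMB) MB free on the DIT volume (DIT is $($d.DitMB) MB)" }
        if (-not $d.HasReserve) {
            # The placeholder is just a file you can delete to get headroom back in seconds.
            "$($d.DC): no reserve file; create one with: fsutil file createnew <NTDS dir>\reserve.dat $reserveBytes"
        }
    }
}

$current = Get-ADHealthSnapshot
if (Test-Path $baselinePath) {
    $baseline = Get-Content $baselinePath -Raw | ConvertFrom-Json
    Compare-ADHealthSnapshot -Current $current -Baseline $baseline
}
$current | ConvertTo-Json -Depth 4 | Set-Content $baselinePath
```

Run it from a scheduled task and route the output to whatever pages you; a DC that disappears from the list is exactly the "unexpected DC outage" the slide says to treat as a possible attack.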
-
Prepare for the worst
Form a response plan to handle:
Object flooding
Rogue administrator
Physical breach
Forest/data corruption
Document recovery scenarios
See the Forest Recovery whitepaper
Periodically perform a forest recovery to test the process, backups, etc.
-
Conclusion
Securing AD is a big job
Design dictates security
Automate as much as possible
Monitor, monitor, monitor
Periodically test recovery scenarios
Read up
-
Additional Resources
Best Practice Guide for Securing Active Directory Installations (Windows Server 2003)
Whitepaper - http://tinyurl.com/3c928
Best Practice Guide for Securing Active Directory Installations and Day-to-Day Operations (Windows 2000)
Part I - http://tinyurl.com/4etnu
Part II - http://tinyurl.com/5zcan
Best Practices for Delegating Active Directory Administration
Whitepaper - http://tinyurl.com/vzlg
Appendices - http://tinyurl.com/wcwn
-
Additional Resources (contd)
Securing Windows 2000 Active Directory
Part 1 - http://tinyurl.com/4jf5p
Part 2 - http://tinyurl.com/5yyk9
Part 3 - http://tinyurl.com/2j5ga
Best Practices: Active Directory Forest Recovery
Whitepaper - http://tinyurl.com/3rk7b
Active Directory in Networks Segmented by Firewalls
Whitepaper - http://tinyurl.com/3gkyc
-
Q/A
Thank you for your time!
Email: [email protected]
Preso: http://www.rallenhome.com/