200308 Active Directory Security

Best Practices for Securing Active Directory.

Slide 1. Best Practices for Securing Active Directory
  Dana J. Willis, Security Engineer, NetIQ Corporation, [email_address]

Slide 2. Securing Active Directory: Agenda
  • Planning
  • Creating
    • Establish Secure AD Boundaries
    • Deploy Secure Domain Controllers
    • Establish Secure Domain and DC Policies
    • Establish Secure Administrative Practices
    • Secure DNS
  • Maintaining
    • Maintain Secure Domain Controller Operations
    • Staying Current with Service Packs and Security Hotfixes
    • Monitor the AD Infrastructure
  • Best Practices Summary
  • AD Security Solutions to Invest In

Slide 3. Active Directory Security Fundamentals
  • Forests
  • Domains
  • Trusts
  • Kerberos
  • OUs
  • Group policy (GPOs)
  • Configuration NC
  • Schema NC
  • ACLs
  • Authentication
  • Authorization
  • Replication
  • FSMOs
  • Delegation

Slide 4. Planning AD Security
  • Considerations upon deployment of AD DCs
    • Datacenter
      • Centralized & secure
      • High-end performance
    • Branch offices
      • Lack of IT expertise
      • Slow connectivity to the rest of the organization

Slide 5. Planning AD Security
  • Identifying Types of Threats
    • Spoofing
    • Data Tampering
    • Repudiation
    • Information Disclosure
    • Denial of Service
    • Elevation of Privilege
    • Social Engineering
  • Identifying Sources of Threats
    • Anonymous Users
    • Authenticated Users
    • Service Administrators
    • Data Administrators
    • Users with Physical Access

Slide 6. Establishing Secure AD Boundaries
  • Delegation of Administration
    • Needs to be flexible, limited, secure, and dynamic, and to meet the needs of the organization based upon its need for autonomy and isolation
  • Forest/Domain Model
  • Establish Secure Trusts

Slide 7. Deploying Secure Domain Controllers
  • Establish secure domain controller build practices
    • Limit physical access to trusted personnel
    • Restricted access area
    • Build an automated process for installation of DCs
      • SYSPREP, RIS, Unattended Setup

Slide 8. Deploying Secure Domain Controllers
  • Ensure predictable, repeatable, and secure domain controller deployments
    • Create a strong administrator password
      • 9 characters, non-dictionary, symbols, etc.
    • Use TCP/IP only if possible
    • Disable non-essential services
      • IIS, Messenger, SMTP, Telnet, etc.
    • Format partitions with NTFS
    • Install the latest service packs and security updates
    • Prohibit the use of cached credentials when unlocking the DC console
    • Install anti-virus scanning software
    • Maintain secure physical access to domain controllers

Slide 9. Establish Secure Domain and Domain Controller Policy Settings
  • Domain Policies
    • Password Policies
      • History
      • Age
      • Length
      • Complexity
    • Lockout Policy
      • Duration
      • Threshold
      • Reset

Slide 10. Establish Secure Domain and Domain Controller Policy Settings
  • Domain Controller Policies
    • User Rights
      • Log on locally
      • System Shutdown
    • Enable Auditing
      • Account logon
      • Account Management
      • Directory Service Access
      • Logon events
      • Policy changes
      • System events
    • Event Logging
      • Security log size set to 128 MB
      • Retention – set to overwrite events as needed
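The following script is an added example, not part of the deck: it checks one domain controller against the slide 9 and slide 10 settings (password and lockout policy, audit categories, the "Log on locally" right, and the 128 MB / overwrite-as-needed Security log). It assumes an elevated session on a DC with the ActiveDirectory module; the numeric thresholds other than the 9-character length and 128 MB log size are assumptions, since the deck gives none.

```powershell
# Added example (not from the deck): check a DC against the policy baseline on
# slides 9-10. Assumes an elevated session on a domain controller with the
# ActiveDirectory module; thresholds other than 9 chars / 128 MB are assumptions.
Import-Module ActiveDirectory

function Test-DcPolicyBaseline {
    $findings = New-Object System.Collections.Generic.List[string]

    # Slide 9: domain password policy (history, age, length, complexity) and
    # lockout policy (duration, threshold, reset window)
    $p = Get-ADDefaultDomainPasswordPolicy
    if ($p.PasswordHistoryCount -lt 24) { $findings.Add("Password history $($p.PasswordHistoryCount) < 24") }
    if ($p.MaxPasswordAge.TotalDays -le 0 -or $p.MaxPasswordAge.TotalDays -gt 90) { $findings.Add("Max password age is $($p.MaxPasswordAge.TotalDays) days") }
    if ($p.MinPasswordLength -lt 9) { $findings.Add("Min password length $($p.MinPasswordLength) < 9") }
    if (-not $p.ComplexityEnabled) { $findings.Add('Password complexity disabled') }
    if ($p.LockoutThreshold -eq 0) { $findings.Add('Account lockout disabled (threshold 0)') }
    elseif ($p.LockoutDuration.TotalMinutes -lt 15 -or $p.LockoutObservationWindow.TotalMinutes -lt 15) {
        $findings.Add('Lockout duration or reset window is under 15 minutes')
    }

    # Slide 10: audit categories. auditpol reports per subcategory, so each legacy
    # category named on the slide is mapped to representative subcategories.
    $required = [ordered]@{
        'Account logon'            = 'Credential Validation', 'Kerberos Authentication Service'
        'Account Management'       = 'User Account Management', 'Security Group Management'
        'Directory Service Access' = 'Directory Service Access', 'Directory Service Changes'
        'Logon events'             = 'Logon', 'Logoff', 'Account Lockout'
        'Policy changes'           = 'Audit Policy Change', 'Authentication Policy Change'
        'System events'            = 'Security State Change', 'Security System Extension', 'System Integrity'
    }
    $audit = auditpol /get /category:* /r | Where-Object { $_ -ne '' } | ConvertFrom-Csv
    foreach ($cat in $required.Keys) {
        foreach ($sub in $required[$cat]) {
            $row = $audit | Where-Object { $_.Subcategory -eq $sub }
            if (-not $row -or $row.'Inclusion Setting' -eq 'No Auditing') { $findings.Add("$cat / $sub is not audited") }
        }
    }

    # Slide 10: user rights. Export the local policy with secedit and report who
    # holds "Log on locally" so the list can be reviewed against the admin groups.
    $inf = Join-Path $env:TEMP 'user-rights.inf'
    secedit /export /cfg $inf /areas USER_RIGHTS | Out-Null
    $right = Select-String -Path $inf -Pattern '^SeInteractiveLogonRight' | Select-Object -First 1
    if ($right) { $findings.Add("Review: $($right.Line.Trim())") }
    Remove-Item $inf -ErrorAction SilentlyContinue

    # Slide 10: Security event log sized at 128 MB and set to overwrite as needed
    $sec = Get-WinEvent -ListLog Security
    if ($sec.MaximumSizeInBytes -lt 128MB) { $findings.Add("Security log max size $([int]($sec.MaximumSizeInBytes / 1MB)) MB < 128 MB") }
    if ($sec.LogMode -ne 'Circular') { $findings.Add("Security log retention is $($sec.LogMode); expected Circular (overwrite as needed)") }

    return $findings
}

$result = Test-DcPolicyBaseline
if ($result.Count -eq 0) { 'All checks passed' } else { $result }
```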
Slide 11. Establishing Secure Administrative Practice
  • Secure Service Admin Accounts
    • Enterprise Admins
    • Schema Admins
    • Administrators
    • Domain Admins – rename this acct
    • Server Operators
    • Account Operators
    • Backup Operators
  • Best Practices
    • Rename the administrator account
    • Limit the number of service admin accts
    • Separate administrator accts from end user accts
    • Use a delegation solution from a 3rd party

Slide 12. Deploy Secure DNS
  • Protecting DNS Servers
    • Use Active Directory–integrated DNS zones
    • Implement IPSec between DNS clients and servers
    • Protect the DNS cache on domain controllers
    • Monitor network activity
    • Close all unused firewall ports
  • Protecting DNS Data
    • Use secure dynamic update
    • Ensure that third-party DNS servers support secure dynamic update
    • Ensure that only trusted individuals are granted DNS administrator privileges
    • Set ACLs on DNS data
    • Use separate internal and external namespaces

Slide 13. Maintaining Secure AD Operations
  • Domain Controller and Administrative Workstation Security
    • DC backup and restore
      • Limit backup services and media to a secure location
      • Develop a secure remote backup process
      • Ensure backup media is available when needed
    • DC and administrative workstation hardware retirement
    • DC and administrative workstation virus scans
      • Obtain regular virus signature updates

Slide 14. Maintaining Secure AD Operations
  • Stay Current with Security Hotfixes and Service Packs
    • Select a Security Update Strategy
    • Select Notification, Deployment, and Auditing Methods
      • Microsoft Security Notification Service Newsletter
      • Windows Update Service
      • Software Update Services

Slide 15. Maintaining Secure AD Operations
  • Deploying Security Hotfixes and Service Packs
    • Obtain notification and download the most current updates
      • Windows Update and SUS
    • Evaluate the threat
    • Arrange to install
    • Test the updates on Domain Controllers in a test lab
    • Distribute and deploy to the production environment
      • Windows Update and SUS

Slide 16. Maintaining Secure AD Operations
  • Maintain Baseline Information
    • Create a baseline database of Active Directory infrastructure information
      • Audit Policies
      • List of GPOs and their assignments
      • List of Trusts
      • List of Domain Controllers, Administrative workstations
      • Service Administrators
      • Operations Masters (FSMO roles)
      • Replication topology
      • Database size (.DIT file)
      • OS version, Service Packs, Hotfixes, Anti-Virus version
    • Detect and verify infrastructure changes
    • Update Baseline information

Slide 17. Maintaining Secure AD Operations
  • Monitoring the AD Infrastructure
    • Collect information in real time or at specified time intervals
      • Security Event Logs
    • Compare this data with previous data or against a threshold value
    • Respond to a security alert as directed in your organization's practices
    • Summarize security monitoring in one or more regularly scheduled reports

Slide 18. Maintaining Secure AD Operations
  • Monitoring the AD Infrastructure
    • Monitoring Forest-level Changes
      • Detect changes in the Active Directory schema
      • Identify when domain controllers are added or removed
      • Detect changes in replication topology
      • Detect changes in LDAP policies
      • Detect changes in dSHeuristics
      • Detect changes in forest-wide operations master roles

Slide 19. Maintaining Secure AD Operations
  • Monitoring Domain-level Changes
    • Detect changes in domain-wide operations master roles
    • Detect changes in trusts
    • Detect changes in AdminSDHolder
    • Detect changes in GPOs for the Domain container and the Domain Controllers OU
    • Detect changes in GPO assignments for the Domain container and the Domain Controllers OU
    • Detect changes in the membership of the built-in groups
    • Detect changes in the audit policy settings for the domain

Slide 20. Maintaining Secure AD Operations
  • Monitoring Service Admin and Admin Workstation Changes
    • Detect changes in service administrator accounts
    • Detect changes in GPOs for the Service Administrators controlled subtree
    • Detect changes in GPO assignments for the Service Administrators controlled subtree
  • Monitoring for Disk Space Consumed by Active Directory Objects
    • Monitor for an inordinately large number of normal-sized objects
    • Monitor for a limited number of extraordinarily large objects
  • Monitoring Domain Controller Availability
    • Monitor domain controllers for active status
    • Monitor domain controllers for restarts
  • Monitoring Changes in Domain Controller Performance Counters
    • Detect changes in domain controller system resources
    • Detect changes in LDAP responsiveness
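As an added example (not the deck's own material), the script below implements the baseline-and-diff loop of slide 16 for the forest- and domain-level items listed on slides 18, 19 and 31: schema version, FSMO roles, DCs and their OS versions, replication connections, trusts, GPOs, LDAP policy, dSHeuristics, the AdminSDHolder ACL, service admin group membership (slide 11) and DIT size. It assumes a current ActiveDirectory module plus the GroupPolicy module on a DC in the forest root domain, and the baseline path is an assumed location.

```powershell
# Added example (not from the deck): capture the baseline items from slide 16 and
# the change-detection items from slides 18-19 and 31, store them as JSON, and diff
# a fresh capture against the stored copy. Assumes the ActiveDirectory and
# GroupPolicy modules on a DC in the forest root; $BaselinePath is an assumption.
Import-Module ActiveDirectory, GroupPolicy
$BaselinePath = 'C:\ADBaseline\baseline.json'

function Get-AdBaseline {
    $rootDse = Get-ADRootDSE
    $forest  = Get-ADForest
    $domain  = Get-ADDomain
    $dsCfg   = "CN=Directory Service,CN=Windows NT,CN=Services,$($rootDse.configurationNamingContext)"
    $ditPath = (Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Services\NTDS\Parameters').'DSA Database file'
    # Service admin groups from slide 11; membership is expanded recursively
    $admins = [ordered]@{}
    foreach ($g in 'Enterprise Admins','Schema Admins','Domain Admins','Administrators',
                   'Server Operators','Account Operators','Backup Operators') {
        $admins[$g] = @(Get-ADGroupMember -Identity $g -Recursive -ErrorAction SilentlyContinue |
                        Select-Object -ExpandProperty distinguishedName | Sort-Object)
    }
    [ordered]@{
        SchemaVersion     = (Get-ADObject $rootDse.schemaNamingContext -Properties objectVersion).objectVersion
        ForestFsmo        = @($forest.SchemaMaster, $forest.DomainNamingMaster)
        DomainFsmo        = @($domain.PDCEmulator, $domain.RIDMaster, $domain.InfrastructureMaster)
        DomainControllers = @(Get-ADDomainController -Filter * | ForEach-Object {
                                "$($_.HostName) $($_.OperatingSystem) $($_.OperatingSystemVersion)" } | Sort-Object)
        Replication       = @(Get-ADReplicationConnection -Filter * | ForEach-Object {
                                "$($_.ReplicateFromDirectoryServer) -> $($_.ReplicateToDirectoryServer)" } | Sort-Object)
        Trusts            = @(Get-ADTrust -Filter * | ForEach-Object {
                                "$($_.Name) $($_.Direction) SIDFilteringQuarantined=$($_.SIDFilteringQuarantined)" } | Sort-Object)
        Gpos              = @(Get-GPO -All | ForEach-Object { "$($_.DisplayName) $($_.Id) $($_.ModificationTime)" } | Sort-Object)
        DsHeuristics      = (Get-ADObject $dsCfg -Properties dSHeuristics).dSHeuristics
        LdapPolicy        = @((Get-ADObject "CN=Default Query Policy,CN=Query-Policies,$dsCfg" -Properties lDAPAdminLimits).lDAPAdminLimits | Sort-Object)
        AdminSdHolderSddl = (Get-ADObject "CN=AdminSDHolder,CN=System,$($domain.DistinguishedName)" -Properties nTSecurityDescriptor).nTSecurityDescriptor.Sddl
        AdminGroups       = $admins
        DitSizeMB         = [int][math]::Round((Get-Item $ditPath).Length / 1MB)
    }
}

function Compare-AdBaseline($previous, $current) {
    # Each item is compared as compact JSON so arrays and nested tables diff uniformly
    foreach ($key in $current.Keys) {
        $was = ConvertTo-Json -InputObject $previous.$key -Compress -Depth 3
        $now = ConvertTo-Json -InputObject $current[$key] -Compress -Depth 3
        if ($was -ne $now) { "$key changed`n  was: $was`n  now: $now" }
    }
}

$current = Get-AdBaseline
if (Test-Path $BaselinePath) {
    $previous = Get-Content $BaselinePath -Raw | ConvertFrom-Json
    $changes = @(Compare-AdBaseline $previous $current)
    if ($changes.Count -eq 0) { 'No infrastructure changes since the last baseline' } else { $changes }
} else {
    New-Item -ItemType Directory -Path (Split-Path $BaselinePath) -Force | Out-Null
    ConvertTo-Json -InputObject $current -Depth 4 | Set-Content $BaselinePath
    "Baseline written to $BaselinePath"
}
```

Once a reported change has been verified as authorized, delete the stored JSON and rerun to update the baseline, which is the last step on slide 16.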
Slide 21. Best Practices Summary: Maintaining Secure Active Directory Operations

Slide 22. Best Practices: IP Infrastructure
  • Virtual Private Network
    • Private versus public
    • Firewalls
  • IPSec
    • Protect DC communications
  • DMZ
    • Protected private assets
    • Intrusion detection system (IDS)

Slide 23. Best Practices: DNS
  • Use AD-integrated zones if at all possible
    • Secure dynamic updates
    • ACLs on resource records
    • Improved replication
    • Application partitions in WS2K3
  • Use forwarders instead of secondaries
    • Eliminates text-based zone files
  • Treat DNS admins as service admins
  • Create a split DNS namespace

Slide 24. Best Practices: DHCP
  • Configure so that:
    • The client updates the A record
    • The DHCP service updates the PTR record
  • Don't run DHCP on a DC
    • If necessary, use a service account

Slide 25. Best Practices: Building DCs
  • Build DCs in a controlled environment
  • Put DIT, SYSVOL, and logs on a separate device
  • Create a reserve disk space file
  • Enable DNS
  • Disable all unnecessary services
    • IIS
    • DHCP
  • Change FS ACLs to Administrator

Slide 26. Best Practices: Physical Security
  • Data center
    • Access list
    • Cleared personnel
    • Segregated equipment rack
    • Tamper-proof cages
  • Domain controllers
    • Highly restricted
  • Cabling
    • Concrete hardened

Slide 27. Best Practices: DC Policies
  • Enable auditing
  • Disable anonymous connections
  • Digitally sign client communications
  • Disable cached credentials
  • See Best Practice Guide

Slide 28. Best Practices: Domain Policies
  • Consider the impact
    • Test
    • Controlled application
    • Part of the CCB process
  • Password policies
  • Account lockout
  • Kerberos

Slide 29. Best Practices: FSMO Placement
  • Implications per role
  • Availability
  • Survivability

Slide 30. Best Practices: Creating Trusts
  • Consider the operational security of the other forest
  • Admin membership
  • sIDHistory and SID filtering
    • Use NETDOM to enable SID filtering
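Added example for slide 30 (not from the deck): it lists external trusts on which SID filtering (quarantine) is off and prints, for each, the NETDOM command that turns it on. It assumes the ActiveDirectory module and is run from the trusting domain; "<admin>" in the output is a placeholder for an administrator account in the trusted domain.

```powershell
# Added example (not from the deck): find external trusts without SID filtering
# and show the netdom remediation from slide 30. Assumes the ActiveDirectory
# module; run in the trusting domain. <admin> is a placeholder account name.
Import-Module ActiveDirectory

function Get-UnfilteredExternalTrust {
    $trusting = (Get-ADDomain).DNSRoot
    # Forest trusts are excluded: /quarantine applies to external trusts, while
    # forest trusts filter SIDs through the separate forest-aware mechanism.
    Get-ADTrust -Filter * |
        Where-Object { -not $_.ForestTransitive -and -not $_.SIDFilteringQuarantined } |
        ForEach-Object {
            [pscustomobject]@{
                TrustedDomain = $_.Name
                Direction     = $_.Direction
                Remediation   = "netdom trust $trusting /domain:$($_.Name) /quarantine:Yes /userD:<admin> /passwordD:*"
            }
        }
}

Get-UnfilteredExternalTrust | Format-List
```

Re-run the check after enabling quarantine; the trust should no longer be listed, and its new state also shows up as a change in any stored trust baseline.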
Slide 31. Best Practices: Group Memberships
  • Severely limit membership in administrative groups
  • Set ACLs on groups so that only service admins can modify service admin groups
  • Remove everyone from the Schema Administrators group
    • Add someone back in when needed
  • Audit changes to service admin groups

Slide 32. Best Practices: Vetting Administrators
  • Security clearance
  • Appropriate levels of training and expertise
  • Organization-specific training
    • CONOPS (Concept of Operations)
    • Policies and procedures
    • Implementation guides

Slide 33. Best Practices: AD Configuration Changes
  • Formalized change management
    • CCB
    • Regression testing
    • Limited pilot
    • Operational implementation
  • Schema changes
  • DCPROMO
  • Replication topology
  • Group policies

Slide 34. Best Practices: Monitoring
  • Monitor for any unexpected DC outages
    • Can indicate an attack
  • Monitor for unexpected query loads
    • Can indicate a DoS attack
  • Monitor disk space use
    • Can indicate a replicating DoS attack
  • Monitor DNS request traffic
    • Can indicate a DoS attack on DNS

Slide 35. Best Practices: Service Administration
  • Create separate admin and user accounts
  • Create a separate service admin OU
  • Establish secure admin workstations
    • Don't give admin privileges on the workstation
  • Use IPSec between admin workstations and DCs
  • Use the "Log on locally" policy to limit service admin logons to specific admin workstations

Slide 36. Best Practices: Data Administration
  • Always use NTFS
  • Use encryption where appropriate
  • Follow MSFT best practices for the use of groups

Slide 37. Best Practices: Backup and Restore
  • Secure backup handling and storage
  • Treat backup admins as service admins

Slide 38. Best Practices: What to Do in Case of an AD Attack
  • Response plan
    • Have one!
    • Notify ACERT or network security for your organization
  • Understand the nature and scope of the attack (know before you go)
    • Determine the nature and scope of the attack
    • Evaluate and test common scenarios
    • Follow CONOPS for restore
  • Recovery
    • Have a forest recovery plan (see MSFT whitepaper)
    • Authoritative restore issues

Slide 39. AD Security Solutions to Invest In
  • Policy Awareness & Compliance
    • Formal, well-documented policies serve as the foundation of a security strategy
    • Measuring users' understanding is vital
  • Administration & Identity Management
    • Securely granting users access to do their job
    • Enabling self-service
    • Knowing who can do what to whom or to which resource
  • Real-Time Monitoring (HIDS, NIDS, HIPS)
    • Reduce exposure time
    • Correlation
    • Incident Management
  • Audit & Vulnerability Assessment
    • Continuing the process of baselining your environment and staying aware of changes

Slide 40. Questions?
