The 5-Step Security Checkup


Speaker notes for slide 7 (Default Domain Groups):
  • Enterprise Admins (exists in the forest root domain only)
  • Domain Admins (exists in all domains)
  • Schema Admins (exists in the forest root domain only)
  • Group Policy Creator Owners (exists in all domains)
  • Administrators group
  • Administrator account
  • DS Restore Mode Administrator (available in Directory Services Restore Mode only. This account is local to the domain controller and is not a domain-wide account; its password is set when Active Directory is installed on the computer.)

1. The 5-Step Security Checkup for Education
   Barbara Chung, Security Advisor, Education, Microsoft Corporation

2. Agenda
   • Secure Administrative Accounts
   • Implement Zones of Trust
   • Build a Baseline
   • Patch
   • Agile Processes

3. #1 Secure Administrative Rights
   • The keys to the kingdom: using them inappropriately can forfeit everything else you do for security
     • Two general types of problems:
       • Attackers who obtain admin credentials
       • Users who have been granted admin credentials but may not understand the implications of using them carelessly or incorrectly

4. #1 Secure Administrative Rights
   • The forest is the security boundary, not the domain.
   • You must trust ALL domain admins.
   • Admin accounts: not email-enabled, not used as desktop accounts, use restricted to trusted machines.

5. Administrative Accounts
   • Administrator
   • Created accounts assigned to admin groups
   • Accounts that use:
     • EFS Data Recovery certificates
     • Enrollment Agent certificates
     • Key Recovery Agent certificates

6. Administrative Groups
   • … in the Builtin container: for example, Account Operators, Server Operators
   • … in the Users container: for example, Domain Admins, Group Policy Creator Owners
   • Anything that you create and assign admin privileges to

7. Administrative Groups: Default Domain Groups
   • Enterprise Admins
   • Domain Admins
   • Schema Admins
   • Group Policy Creator Owners
   • Administrators group
   • Administrator account
   • DS Restore Mode Administrator

8. Admin Account Types
   • Local admin accounts
   • Domain admin accounts
   • Forest admin accounts

9. Principle of Least Privilege
   • Always grant the minimum privileges required to complete the current task.
   • Requires some work, but helps you understand your organization.
   • Don't do it: logging on as Domain Admin to troubleshoot a workstation with suspected security problems.

10. Best Practices
   • Separate domain administrator and enterprise administrator roles.
   • Separate user and administrator accounts.
   • Use the Secondary Logon service.
   • Run a separate Terminal Services session for administration.
   • Rename the default Administrator account.
   • Create a decoy Administrator account.
   • Create a secondary Administrator account and disable the built-in Administrator account.

11. Best Practices, cont…
   • Enable account lockout for remote Administrator logons (passprop.exe).
   • Create a strong Administrator password.
   • Automate scanning for weak passwords.
   • Use administrative credentials on trusted computers only.
   • Audit accounts and passwords on a regular basis.
   • Prohibit account delegation.
   • Control the administrative logon process.
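The following PowerShell script is an added example, not part of the original deck: it audits the members of the default administrative groups named on slides 6 and 7 against the practices on slides 4, 10 and 11 (not email-enabled, delegation prohibited, built-in Administrator disabled, passwords audited regularly). It assumes the ActiveDirectory module from RSAT, read access to the domain, and a 90-day password age threshold; the `-Remediate` switch and the threshold are assumptions the deck does not state.

```powershell
# Added example (not from the deck): audit the default administrative
# groups of slides 6-7 against the practices of slides 4, 10 and 11.
# Assumes the ActiveDirectory module (RSAT) and read access to the domain.
# Read-only unless -Remediate is given.
[CmdletBinding()]
param(
    [switch]$Remediate,            # assumption: mark flagged accounts "sensitive and cannot be delegated"
    [int]$MaxPasswordAgeDays = 90  # assumption: the deck gives no number
)
Import-Module ActiveDirectory

# Groups named on slides 6-7. Enterprise Admins and Schema Admins exist in
# the forest root domain only; the others exist in every domain.
$PrivilegedGroups = @(
    'Enterprise Admins', 'Domain Admins', 'Schema Admins',
    'Group Policy Creator Owners', 'Administrators',
    'Account Operators', 'Server Operators'
)

function Get-PrivilegedAccountFindings {
    param([string[]]$Groups, [int]$MaxAgeDays)
    $cutoff = (Get-Date).AddDays(-$MaxAgeDays)
    foreach ($group in $Groups) {
        # -Recursive expands nested groups; a group absent in this domain is skipped.
        $members = Get-ADGroupMember -Identity $group -Recursive -ErrorAction SilentlyContinue |
                   Where-Object objectClass -eq 'user'
        foreach ($m in $members) {
            $u = Get-ADUser -Identity $m.distinguishedName -Properties `
                     mail, AccountNotDelegated, PasswordNeverExpires, PasswordLastSet, Enabled
            $issues = @()
            if ($u.mail)                     { $issues += 'email-enabled (slide 4)' }
            if (-not $u.AccountNotDelegated) { $issues += 'delegation not prohibited (slide 11)' }
            if ($u.PasswordNeverExpires)     { $issues += 'password never expires (slide 11)' }
            if ($u.PasswordLastSet -and $u.PasswordLastSet -lt $cutoff) {
                $issues += "password older than $MaxAgeDays days (assumed threshold)"
            }
            # RID 500 is the built-in Administrator whatever it has been renamed to (slide 10).
            if ($u.Enabled -and $u.SID.Value -like '*-500') {
                $issues += 'built-in Administrator still enabled (slide 10)'
            }
            if ($issues.Count -gt 0) {
                [pscustomobject]@{ Group = $group; Account = $u.SamAccountName; Issues = ($issues -join '; ') }
            }
        }
    }
}

$findings = Get-PrivilegedAccountFindings -Groups $PrivilegedGroups -MaxAgeDays $MaxPasswordAgeDays
$findings | Sort-Object Group, Account | Format-Table -AutoSize

if ($Remediate) {
    # Only the delegation finding is safe to fix automatically; the rest need a human decision.
    $findings | Where-Object Issues -like '*delegation not prohibited*' |
        Select-Object -ExpandProperty Account -Unique |
        ForEach-Object { Set-ADUser -Identity $_ -AccountNotDelegated $true }
}
```

Run it from a trusted administrative workstation (slide 11) with an account that has read access; an account that appears under several groups is listed once per group, which is useful when deciding which membership to remove.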
12. References
   • The Administrator Accounts Security Planning Guide
   • The Services and Service Accounts Security Planning Guide
13. #2 Zoning
   • The concept is simple: enforce zones of trust on/within the network
     • Blue Zone: controlled risk
     • Orange Zone: reduced risk
     • Red Zone: high risk
   • Why?
     • You're clear about what you're going to manage for security (not EVERYTHING)
     • Time = Opportunity

14. #2 Zoning
   • Firewalls
   • 802.1x: use it to control access to the wired/wireless network
   • IPsec: control end-to-end communication

15. Zoning: 802.1x at the Border
   • Standards-based; services and clients are built into newer versions of Windows, but you can mix and match
   • Components: authentication directory or directories, RADIUS services, network device (switch, WAP), client software

16. #2 IPsec Domain and Server Isolation
   • Protect trusted assets from unmanaged, rogue and guest PCs
   • Complement to other security mechanisms (firewall, antivirus, IDS)
   • Restrict communication to domain-managed computers

17. IPsec Domain and Server Isolation
   • Two scenarios
     • Domain isolation
     • Server isolation
   • Protects corporate hosts or servers from unmanaged, rogue and guest PCs
   • Allows host-to-host communication to be restricted to domain-managed computers

18. IPsec Domain and Server Isolation (2)
   • Provides the ability to identify and control communications with critical client or server PCs
   • Complements other host security mechanisms
   • Complements network access protections

19. Domain Isolation
   • Allows host-to-host communication to be limited to domain members (managed computers)
   • Requires IPsec authentication and protection for any communication with domain members (managed computers)
     • Managed computers can initiate communication with managed and unmanaged computers
     • Unmanaged computers cannot initiate communication with managed computers

20. Scenario: Domain Isolation

21. Server Isolation
   • Requires IPsec authentication and protection for communications from hosts to specific servers
     • Managed computers can initiate communication with specific servers
     • Unmanaged computers cannot initiate communication with specific servers
   • Group-specific server isolation
     • Only managed computers that are members of a specific security group can initiate communication with specific servers

22. Scenario: Server Isolation
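The two scenarios on slides 19 and 21, as an added example that is not from the deck: the connection security and firewall rules below use the NetSecurity cmdlets of Windows Defender Firewall with Advanced Security (current Windows, not the Windows Server 2003 tooling the deck references). The policy store, the infrastructure exemption addresses and the name of the authorized client group are assumptions; "require inbound, request outbound" is exactly the asymmetric behaviour slide 19 describes.

```powershell
# Added example (not from the deck): domain isolation (slide 19) and
# group-specific server isolation (slide 21) with the NetSecurity module.
# Test on a lab machine first; point -PolicyStore at a GPO for rollout.
param(
    [string]$PolicyStore = 'PersistentStore',                    # assumption: local store; e.g. 'contoso.com\IPsec Isolation' for a GPO
    [string]$AuthorizedClientsGroup = 'Isolated Servers Clients', # assumption: AD group of computers allowed to reach the isolated server
    [string[]]$ExemptAddresses = @('10.0.0.10', '10.0.0.11')      # assumption: DCs/DNS/DHCP reached before a Kerberos ticket exists
)
Import-Module NetSecurity
Import-Module ActiveDirectory

# Kerberos machine authentication: only domain members can satisfy it,
# which is what makes "managed computers only" enforceable.
$proposal = New-NetIPsecAuthProposal -Machine -Kerberos
$authSet  = New-NetIPsecPhase1AuthSet -DisplayName 'Domain Kerberos (machine)' `
                -Proposal $proposal -PolicyStore $PolicyStore

# Domain isolation: require authentication inbound, only request it outbound.
# A managed host can still initiate to unmanaged/guest hosts; an unmanaged
# host cannot initiate to a managed one (slide 19).
New-NetIPsecRule -DisplayName 'Domain Isolation' -PolicyStore $PolicyStore `
    -Profile Domain -Mode Transport `
    -InboundSecurity Require -OutboundSecurity Request `
    -Phase1AuthSet $authSet.Name

# Authentication exemption for infrastructure that must be reachable
# before the client has authenticated (None/None = do not authenticate).
New-NetIPsecRule -DisplayName 'Isolation exemption - infrastructure' -PolicyStore $PolicyStore `
    -RemoteAddress $ExemptAddresses -InboundSecurity None -OutboundSecurity None

# Group-specific server isolation: on the protected server, the connection
# security rule above already requires authentication; this firewall rule
# additionally allows inbound traffic only when the authenticated computer
# is a member of $AuthorizedClientsGroup (slide 21).
$sid  = (Get-ADGroup -Identity $AuthorizedClientsGroup).SID.Value
$sddl = "O:LSD:(A;;CC;;;$sid)"   # "allow" ACE granting the group the connect right
New-NetFirewallRule -DisplayName "Server Isolation - $AuthorizedClientsGroup only" -PolicyStore $PolicyStore `
    -Direction Inbound -Action Allow -Profile Domain `
    -Authentication Required -RemoteMachine $sddl
```

Apply the domain isolation rule through a GPO that is linked to both clients and servers so the Kerberos machine authentication can succeed on each side; roll it out with `-OutboundSecurity Request` and `-InboundSecurity Request` first, watch the IPsec Main Mode events, and only then switch inbound to `Require`.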
23. Additional resources
   • Microsoft Windows Server 2003 site at ipsec /
   • "How to isolate servers by using Internet Protocol security" Support WebCast (see Knowledge Base article 889383)

24. #2 Zoning
   • Won't protect against trusted users/machines! (See #1: Secure Administrative Privileges)
25. Building a Baseline for Trusted Machines
   • Create visibility for security incidents
   • Automate deployment of lock-down images with tools like RIS, ADS
   • Use Security Configuration Wizard to develop role-based templates
   • Use Group Policy to enforce security settings
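One way to get the "visibility" slide 25 asks for once a baseline exists, as an added example that is not from the deck: export a machine's effective security policy with `secedit`, parse the INF it writes, and report every setting that drifts from the role's baseline. The baseline values in the table are constructed for illustration; the parser and the export path are assumptions, and the comparison is the part worth scheduling against every trusted machine.

```powershell
# Added example (not from the deck): detect drift between a machine's
# effective security policy and a role baseline (slide 25).
# Requires an elevated prompt for secedit /export.
param([string]$ExportPath = "$env:TEMP\secpol-current.inf")  # assumption: scratch path

# Parse the INF that secedit writes: "[Section]" headers and "Key = Value" lines.
function ConvertFrom-SecEditInf {
    param([string]$Path)
    $settings = @{}
    $section  = ''
    foreach ($line in Get-Content -Path $Path) {
        if ($line -match '^\[(.+)\]$') { $section = $Matches[1]; continue }
        if ($line -match '^\s*([^=]+?)\s*=\s*(.*)$') {
            $settings["$section/$($Matches[1])"] = $Matches[2].Trim()
        }
    }
    return $settings
}

# Constructed baseline for illustration; a real one comes from the SCW/
# security template for the role. Audit values: 1 = success, 2 = failure, 3 = both.
$Baseline = @{
    'System Access/MinimumPasswordLength' = '14'
    'System Access/LockoutBadCount'       = '10'
    'System Access/EnableGuestAccount'    = '0'
    'Event Audit/AuditLogonEvents'        = '3'
    'Event Audit/AuditAccountManage'      = '3'
    'Event Audit/AuditPrivilegeUse'       = '2'
}

function Get-SecurityPolicyDrift {
    param([hashtable]$Expected, [string]$Path)
    secedit /export /cfg $Path /areas SECURITYPOLICY /quiet | Out-Null
    $current = ConvertFrom-SecEditInf -Path $Path
    foreach ($key in ($Expected.Keys | Sort-Object)) {
        $actual = $current[$key]
        if ($null -eq $actual) { $actual = '<not set>' }
        if ($actual -ne $Expected[$key]) {
            [pscustomobject]@{ Setting = $key; Expected = $Expected[$key]; Actual = $actual }
        }
    }
}

$drift = Get-SecurityPolicyDrift -Expected $Baseline -Path $ExportPath
if ($drift) { $drift | Format-Table -AutoSize } else { 'No drift from baseline.' }
Remove-Item -Path $ExportPath -ErrorAction SilentlyContinue
```

Drift on a machine that receives the baseline through Group Policy is itself the incident signal slide 25 wants: either the GPO is not applying, or someone with local administrative rights has changed the setting by hand.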
26. Patching
   • ….

27. Agility
   • Agile processes are critical to maintaining a secure environment
     • Who do users notify when there's a problem?
     • Who can call a security crisis?
     • What happens when a crisis is called?
     • What's the timeline?
     • How does your security group interface with the operations group?

28. Questions?