
Active Directory - ESAE Model

A draft presentation of the Enhanced Security Administrative Environment (ESAE) model for System Administrators and Active Directory Engineers, covering how to design and implement it. This is not a "how-to" for implementing ESAE, but rather a picture of what it should look like once you have implemented it, what the requirements are, etc.

Auditors can use this to advise their clients on implementing it, because many (big) companies haven't done it (yet).

Published in: Engineering

  1. Enhanced Security Admin Environment. Red Forest is the project name for Enhanced Security Administrative Environment, or ESAE. It is not a new product but rather a highly descriptive security architecture that uses existing Microsoft tools to better prevent privileged identities from being compromised. The general focus is a three-tier model of isolation.
  2. About me: Huy Kha, Information Security @ International Law Firm. Likes: improving security and IT services.
  3. Disclaimer 1/2. This is a draft presentation, and its purpose is to create a plan and overview of how this design would look in AD and which steps need to be taken to implement it. Yes, again: it is a draft, so it might be a bit inaccurate, of course. The goal is to make sure that SysAdmins and AD Engineers get a feeling for how it might be implemented and how it would look in Active Directory. Feel free to do it better if you see or think that I forgot a few important steps besides Credential Guard. This is an example! I want to share something of my work with my followers, so they know a bit of what I'm currently working on. This design requires a lot of work and effort, so it needs to be tested properly. Make sure that you have a test environment to do this. You can't finish this in just a few weeks; it might take months.
  4. Disclaimer 2/2. You should only implement this model if you have done proper audits and assessments of the security posture of your Active Directory, and you have reached a maturity level of understanding how to secure AD. All your high-privilege users have a second account for administrative tasks (usually the IT department). All your high-privilege accounts should not browse the internet or read their Outlook mail; please use a second account. If you haven't done that yet, please get the basics in place first, before thinking about this. Especially for auditors: you can use this security design from Microsoft to advise and audit your clients. It will definitely add value to their security. Most of the (big) companies are not aware of this model and have not implemented it (yet).
  5. Big 4 auditors: you can use this model to audit and advise your clients.
  6. The three tiers. Tier 0: direct control of the enterprise. This tier focuses on the privileged identities and assets used to manage the AD environment itself. Tier 1: control of enterprise servers and applications; think of server admins and application owners. Tier 2: control of user workstations and devices; think of helpdesk staff and workstation admins.
  7. Tier 0 accounts are only allowed to log on to approved workstations in the OU "Workstations" to manage AD. In this example those accounts are Drake, Jay, Kendrick and the built-in Administrator.
  8. We need to create two groups to separate access to the "Workstations" in Tier 0. PAW Users: add the Tier 0 administrators with Domain Admin or Enterprise Admin rights. PAW Maintenance: add at least one account that will be used for PAW maintenance and troubleshooting tasks. The PAW Maintenance account(s) will be used only rarely. You need to create this user first, by the way.
  9. Create a GPO and link it to the Tier 0 Workstations with the specific hardening. Delete all members and users in the built-in Administrators group and add Administrator and pawmaint, but type the names rather than using the Browse button, so that they resolve to the local accounts instead of domain accounts.
  10. Make sure that only Administrator and pawmaint are members of the built-in Administrators group, and ensure that all of these groups are empty: Cryptographic Operators, Network Configuration Operators, Power Users, Remote Desktop Users, Replicator. Make sure that this is done for all the groups mentioned.
  11. This configuration means that PAW Users (which contains the three Domain Admins) and the members of the local Administrators group (the built-in Administrator and the pawmaint account) can log on locally to the workstations in Tier 0. Block inbound network traffic: this setting ensures that no unsolicited inbound network traffic is allowed to the PAW. Download here: pawfirewall.wf
  13. We're done with the PAWConfiguration-Computer GPO. Make a back-up of the GPO and store it in a safe place.
  14. Create a new GPO "PAWConfiguration-User" to ensure that the Tier 0 accounts have protection. This GPO is configured to block internet access for Tier 0 accounts by creating two new registry entries under Key Path: Software\Microsoft\Windows\CurrentVersion\Internet Settings
  15. You should see something like this now. Enable "Disable changing Automatic Configuration settings" and enable "Prevent changing proxy settings".
  16. We're done with the PAWConfiguration-User GPO. Make a back-up of the GPO and store it in a safe place.
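The PAW checks from slides 9 to 15 can be verified on the workstation itself after the two GPOs have applied. The script below is an added example and not part of the original slides; it assumes the account names Administrator and pawmaint from the slides, that the PAWConfiguration-User GPO sets the loopback proxy values ProxyEnable=1 and ProxyServer=127.0.0.1:8080 (the values Microsoft's PAW guidance uses; adapt them if your GPO differs), and PowerShell 5.1 or later for Get-LocalGroupMember.

```powershell
# Added example: audit a Tier 0 PAW against the expectations of the
# PAWConfiguration-Computer and PAWConfiguration-User GPOs.
# Run it elevated, logged on as the Tier 0 account whose proxy lockdown you want to check.
$expectedAdmins = @('Administrator', 'pawmaint')          # names taken from the slides
$mustBeEmpty    = @('Cryptographic Operators', 'Network Configuration Operators',
                    'Power Users', 'Remote Desktop Users', 'Replicator')
$findings = New-Object System.Collections.Generic.List[string]

function Get-MemberNames([string]$Group) {
    # Returns the short (non-domain-qualified) names of a local group's members.
    # An enumeration error is reported as a finding instead of being silently treated as "empty".
    try {
        Get-LocalGroupMember -Group $Group -ErrorAction Stop |
            ForEach-Object { ($_.Name -split '\\')[-1] }
    } catch {
        $findings.Add("Could not enumerate ${Group}: $($_.Exception.Message)")
        @()
    }
}

# 1. Built-in Administrators must contain exactly Administrator and pawmaint.
$admins  = @(Get-MemberNames 'Administrators')
$extra   = $admins | Where-Object { $expectedAdmins -notcontains $_ }
$missing = $expectedAdmins | Where-Object { $admins -notcontains $_ }
foreach ($e in $extra)   { $findings.Add("Administrators has unexpected member: $e") }
foreach ($m in $missing) { $findings.Add("Administrators is missing expected member: $m") }

# 2. The privileged local groups listed on slide 10 must be empty.
foreach ($g in $mustBeEmpty) {
    $members = @(Get-MemberNames $g)
    if ($members.Count -gt 0) {
        $findings.Add("$g should be empty but contains: $($members -join ', ')")
    }
}

# 3. The per-user proxy lockdown from PAWConfiguration-User (assumed values, see lead-in).
$proxyKey = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings'
$proxy    = Get-ItemProperty -Path $proxyKey -ErrorAction SilentlyContinue
if ($proxy.ProxyEnable -ne 1 -or $proxy.ProxyServer -ne '127.0.0.1:8080') {
    $findings.Add("Proxy lockdown not applied: ProxyEnable=$($proxy.ProxyEnable) ProxyServer=$($proxy.ProxyServer)")
}

if ($findings.Count -eq 0) { Write-Output 'PAW checks passed' }
else { $findings | ForEach-Object { Write-Output "FAIL: $_" } }
```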
  17. OU layout (labels from the diagram): all servers, but not the DCs, need to be in the Tier 1 OU "Servers"; all the user accounts in the domain; all the client workstations in the Tier 2 OU "Clients"; all the helpdesk staff and workstation admins; all the server admins and application owners who can manage these servers; all server admins and application owners, including the nested groups.
  18. Now create a new GPO: RestrictWorkstationLogon.
  19. Now configure the GPO RestrictWorkstationLogon. List of groups to which access needs to be denied: Enterprise Admins, Domain Admins, Schema Admins, DOMAIN\Administrators, Account Operators, Backup Operators, Print Operators, Server Operators, Domain Controllers, Read-Only Domain Controllers, Group Policy Creator Owners, Cryptographic Operators.
  20. Now configure the GPO RestrictWorkstationLogon with these user rights: Deny access to this computer from the network; Deny log on as a batch job; Deny log on as a service; Deny log on through Remote Desktop Services.
  21. You can't deny all of "Administrators". That means you can't deny access for "Administrators" at "Deny log on locally": DOMAIN\Administrators resolves to the same well-known SID as the local Administrators group (S-1-5-32-544), so denying it there would also lock out the local administrators of the workstation.
  22. Now you will see something like this.
  23. Link the GPO to the domain client computers.
  24. Tier 0 can't log on to Tier 2 (lower-trust workstations).
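To confirm that the RestrictWorkstationLogon GPO from slides 18 to 23 has actually reached a Tier 2 workstation, the local security policy can be exported and compared against the group list on slide 19. This is an added example, not part of the original slides; it assumes it is run elevated as a domain user on a domain-joined client (so $env:USERDOMAIN is the domain NetBIOS name and the group names can be resolved to SIDs), and it reads the Deny rights from slide 20 plus "Deny log on locally" minus Administrators as slide 21 requires.

```powershell
# Added example: check that the Deny rights from RestrictWorkstationLogon are in effect locally.
$domain = $env:USERDOMAIN   # set this explicitly if you run the script as a local account
$groups = @('Enterprise Admins', 'Domain Admins', 'Schema Admins', 'Administrators',
            'Account Operators', 'Backup Operators', 'Print Operators', 'Server Operators',
            'Domain Controllers', 'Read-Only Domain Controllers',
            'Group Policy Creator Owners', 'Cryptographic Operators')

function Get-Sid([string]$Account) {
    # Translate DOMAIN\Name to a SID string; $null when it cannot be resolved.
    try { (New-Object System.Security.Principal.NTAccount($Account)).Translate(
              [System.Security.Principal.SecurityIdentifier]).Value }
    catch { $null }
}

# Privilege constants as they appear in a secedit export, mapped to the groups expected in each.
$deny = @{
    SeDenyNetworkLogonRight           = $groups
    SeDenyBatchLogonRight             = $groups
    SeDenyServiceLogonRight           = $groups
    SeDenyRemoteInteractiveLogonRight = $groups
    SeDenyInteractiveLogonRight       = $groups | Where-Object { $_ -ne 'Administrators' }
}

# Export the effective user rights assignment and parse the [Privilege Rights] lines.
$inf = Join-Path $env:TEMP 'secpol-export.inf'
secedit /export /cfg $inf /areas USER_RIGHTS | Out-Null
$rights = @{}
foreach ($line in Get-Content $inf) {
    if ($line -match '^(SeDeny\w+)\s*=\s*(.*)$') {
        $name = $matches[1]
        # Entries are "*S-1-5-..." for resolved SIDs or bare account names; normalise to SIDs.
        $rights[$name] = $matches[2] -split ',' | ForEach-Object {
            $v = $_.Trim().TrimStart('*')
            if ($v -like 'S-1-*') { $v } else { Get-Sid $v }
        }
    }
}
Remove-Item $inf -ErrorAction SilentlyContinue

foreach ($right in $deny.Keys) {
    $present = @($rights[$right])
    foreach ($g in $deny[$right]) {
        $sid = Get-Sid "$domain\$g"
        if ($null -eq $sid) { Write-Output "SKIP    $right : $g could not be resolved"; continue }
        if ($present -notcontains $sid) { Write-Output "MISSING $right : $g ($sid)" }
    }
}
Write-Output 'Check finished (no MISSING lines means the GPO is fully applied).'
```

Enterprise Admins and Schema Admins only exist in the forest root domain, so in a child domain they show up as SKIP lines rather than failures.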
  26. Originally introduced for Windows 8.1 and Server 2012 R2, Restricted Admin mode is a Windows feature that prevents storing an RDP user's credentials in memory on the machine to which an RDP connection is made.
  28. This setting enforces that RDP always has to use Restricted Admin mode. Successful RDP Restricted Admin connection!
  29. Next: RestrictedAdminModeRDP is the GPO we have just created. Link it to the Tier 1 "Servers" and the Tier 2 "Clients", better known as the workstations of domain users. Now RDP is done in a "secure" way :D
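Restricted Admin mode only works when both ends agree: the target must accept Restricted Admin connections and the client must be forced to request them. The function below is an added example, not from the original slides; it assumes the target-side switch is the DisableRestrictedAdmin value under HKLM\System\CurrentControlSet\Control\Lsa (0 = accept Restricted Admin, absent or 1 = refuse) and that the client-side policy "Restrict delegation of credentials to remote servers" writes RestrictedRemoteAdministration = 1 and RestrictedRemoteAdministrationType = 1 (Require Restricted Admin) under HKLM\SOFTWARE\Policies\Microsoft\Windows\CredentialsDelegation, which is how that policy is documented; PowerShell Remoting must be enabled on the servers queried.

```powershell
# Added example: report Restricted Admin readiness for a list of Tier 1 servers and Tier 2 clients.
function Get-RestrictedAdminStatus {
    param([string[]]$ComputerName = $env:COMPUTERNAME)

    Invoke-Command -ComputerName $ComputerName -ErrorAction Continue -ScriptBlock {
        $lsa = Get-ItemProperty 'HKLM:\System\CurrentControlSet\Control\Lsa' `
                 -ErrorAction SilentlyContinue
        $pol = Get-ItemProperty 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\CredentialsDelegation' `
                 -ErrorAction SilentlyContinue

        # Target side: DisableRestrictedAdmin must be explicitly 0 (assumed meaning, see lead-in).
        $acceptsRA  = ($lsa.DisableRestrictedAdmin -eq 0)
        # Client side: policy present and type 1 = "Require Restricted Admin" (assumed mapping).
        $requiresRA = ($pol.RestrictedRemoteAdministration -eq 1 -and
                       $pol.RestrictedRemoteAdministrationType -eq 1)

        [pscustomobject]@{
            Computer           = $env:COMPUTERNAME
            AcceptsRestricted  = $acceptsRA
            RequiresRestricted = $requiresRA
            Verdict            = if ($acceptsRA -and $requiresRA) { 'OK' }
                                 elseif ($acceptsRA)              { 'client policy missing' }
                                 elseif ($requiresRA)             { 'target refuses RA' }
                                 else                             { 'not configured' }
        }
    } | Select-Object Computer, AcceptsRestricted, RequiresRestricted, Verdict
}

# Constructed sample: host names are placeholders, replace with machines from the
# Tier 1 "Servers" and Tier 2 "Clients" OUs that the RestrictedAdminModeRDP GPO is linked to.
Get-RestrictedAdminStatus -ComputerName 'TIER1-SRV01', 'TIER2-WS01' | Format-Table -AutoSize
```

A "target refuses RA" verdict means a client forced to Restricted Admin will fail to connect at all, so roll the GPO out to the servers before the clients.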
  30. Groups: the "Groups" OU in both Tier 1 and Tier 2 holds the groups that are allowed to administer servers and workstations. Add Server Admins and Application Owners to the Tier1-Admins group in the Tier 1 "Groups" OU. Add Helpdesk Staff and Workstation Admins to the Tier2-Admins group in the Tier 2 "Groups" OU.
  31. Create two new GPOs, named Tier1-Admins and Tier2-Admins.
  32. Edit GPO: Tier1-Admins.
  33. Link the Tier1-Admins GPO to "Servers".
  34. Edit GPO: Tier2-Admins.
  35. Link the Tier2-Admins GPO to "Clients" in Tier 2. Don't forget to back up the GPOs you created.
  36. There is no place like LSASS. What is stored in LSASS? When are credentials exposed in LSASS?
  37. Conclusion.
  38. Credits: https://docs.microsoft.com/en-us/windows-server/identity/securing-privileged-access/privileged-access-workstations and some random WordPress website, I don't know which one anymore.