RAllen AD Security Best Practices


  • 7/31/2019 RAllen AD Security Best Practices

    Active Directory Security Best Practices

    Robbie Allen, Cisco Systems

    [email protected]

    Agenda

    What we are up against

    AD Security best practices

    Preparing for the worst

    Additional resources

    Q/A


    AD Design with Security in Mind

    Design dictates security

    The fewer the better philosophy

    AD Functional Boundaries:

    Use forests to establish isolating boundaries

    Use domains to establish replication, security policy, and management boundaries

    Use application partitions to establish customized replication boundaries

    Use OUs to establish policy and delegation boundaries


    The Empty Root Domain

    Creates a framework for adding new domains without creating a separate namespace

    Provides almost no additional security

    Tends not to be so empty over time

    Increases support costs


    Basic Attack Strategies

    Social engineering

    Escalation of privilege

    Denial of service

    Spoofing

    Repudiation

    Sniffing

    Data access

    Data modification


    Some AD Attack Vectors

    Admin groups

    Admin accounts

    LocalSystem account

    Backups

    ACLs

    Group Policy

    SIDHistory

    Replication

    Quotas

    FSMOs

    Global catalogs

    DNS

    DHCP

    Terminal services

    Physical server

    Hard drives


    Best Practices


    Administrators

    Rename default Administrator account

    Create separate admin and user accounts

    Store admin accounts in separate OU

    Establish secure admin workstations

    Limit access to Administrator account password

    Change password frequently and make it random (don't forget the DSRM password)

    Have process to quickly disable/delete admin accounts


    Domain Controllers

    Ensure physical security

    Automate the build process

    Build DCs in a controlled environment

    Create a reserve disk space file

    Disable all unnecessary services

    Run virus scanning software


    Group Memberships

    Limit membership of admin groups

    Set ACLs on groups so that only admins can modify admin groups

    Create separate OUs to store admin groups

    Remove everyone from the Schema Admins group

    Add accounts as needed

    Audit changes to admin groups


    Delegation

    KISS

    Create a role-based model

    Don't assign permissions to individual accounts

    Don't assign permissions on individual objects

    Document your delegation model

    Get familiar with dsrevoke.exe


    DNS

    Use AD-integrated zones

    Enable secure dynamic updates to prevent name hijacking

    Use application partitions in W2K3 to decrease replication

    Enable scavenging to remove stale records

    Use forwarders or stub zones instead of secondaries

    Eliminate text-based zone files and zone transfers

    Create a split DNS namespace

    Hide internal namespace from the Internet

    Lots of infrastructure information in AD RRs

    Use quotas to restrict the number of records Authenticated Users can create


    DHCP

    Avoid the name hijacking problem

    Configure so that:

    Client updates A record

    DHCP service updates PTR record

    Don't run DHCP on a DC

    If necessary, use a service account

    See MS KB 255134 - http://tinyurl.com/5ek6n


    Trusts

    Consider operational security of other forest

    Consider Admin membership in other forest

    sIDHistory and SID filtering

    Use netdom to enable SID filtering


    Backup and Restore

    Secure backup handling and storage

    Document backup lifecycle

    Treat backup admins as service admins

    Periodically test restore process

    Perform object, tree, and forest authoritative restores


    Auditing

    See Best Practice Guide

    Audit changes to admin accounts, groups and other important objects

    Coming soon: Audit Collection Services (ACS)

    Provides consolidation of audit logs

    Populates a SQL Server or MSDE database
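The audit checks the Group Memberships and Auditing slides call for, as an added example that is not part of the deck: flag Security-log events that add or remove members of privileged groups, and diff a membership snapshot against an approved baseline (so a non-empty Schema Admins group shows up as drift). The event IDs, group list, field names and sample events are assumptions and constructed data, not taken from the slides.

```python
"""Detect changes to Active Directory admin groups (added example, constructed data).
Check 1 flags Security-log events that add/remove members of privileged groups;
check 2 diffs a membership snapshot against an approved baseline."""
from dataclasses import dataclass

# Member added / removed on security-enabled global, local and universal groups
# (Windows Server 2008+ event IDs; older DCs log different IDs).
ADD_EVENTS = {4728, 4732, 4756}
REMOVE_EVENTS = {4729, 4733, 4757}
# The deck's admin groups; backup admins are treated as service admins.
PRIVILEGED_GROUPS = {"Domain Admins", "Enterprise Admins", "Schema Admins",
                     "Administrators", "Account Operators", "Backup Operators"}

@dataclass(frozen=True)
class Alert:
    action: str  # "added" or "removed"
    group: str
    member: str
    actor: str   # account that made the change

def privileged_group_changes(events, privileged=PRIVILEGED_GROUPS):
    """Return one Alert per add/remove event that touches a privileged group."""
    alerts = []
    for ev in events:
        if ev["EventID"] in ADD_EVENTS:
            action = "added"
        elif ev["EventID"] in REMOVE_EVENTS:
            action = "removed"
        else:
            continue  # not a group membership change
        if ev["TargetUserName"] in privileged:
            alerts.append(Alert(action, ev["TargetUserName"],
                                ev["MemberName"], ev["SubjectUserName"]))
    return alerts

def baseline_drift(baseline, current):
    """Compare a {group: [members]} snapshot with the approved baseline; return
    {group: (unexpected, missing)} per drifted group. Empty baseline = nobody allowed."""
    drift = {}
    for group in set(baseline) | set(current):
        want, have = set(baseline.get(group, ())), set(current.get(group, ()))
        if want != have:
            drift[group] = (sorted(have - want), sorted(want - have))
    return drift

SAMPLE_EVENTS = [  # constructed; keys follow the Windows Security event XML
    {"EventID": 4728, "TargetUserName": "Domain Admins", "MemberName": "CN=jdoe,OU=Users,DC=corp", "SubjectUserName": "svc-hr"},
    {"EventID": 4728, "TargetUserName": "Sales", "MemberName": "CN=asmith,OU=Users,DC=corp", "SubjectUserName": "helpdesk1"},
    {"EventID": 4729, "TargetUserName": "Backup Operators", "MemberName": "CN=bkup01,OU=Users,DC=corp", "SubjectUserName": "svc-hr"},
    {"EventID": 4624, "TargetUserName": "jdoe", "MemberName": "", "SubjectUserName": "-"},
]
```

In practice the events come from the DCs' Security logs through a collector such as the ACS service the slide mentions, and the membership snapshot from a scheduled LDAP query of each admin group.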


    Monitoring

    Monitor for any unexpected DC outages

    Can indicate an attack

    Monitor for disk space use and object growth

    Can indicate a replicating DoS attack

    Monitor for LDAP and DNS traffic

    Can indicate a DoS attack

    Keep an eye on new DC/GC promotions
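An added example, not from the deck, of the object-growth and DC-promotion monitoring this slide describes: periodic object counts per naming context are checked for a jump that would point at object flooding, and the current DC list is compared against an approved inventory. The partition names, thresholds, DC names and sample counts are all constructed.

```python
"""Spot object flooding and unexpected DC/GC promotions from periodic snapshots
(added example with constructed data; real counts would come from LDAP queries
against each naming context and the Domain Controllers OU)."""

def growth_alerts(samples, max_delta=5000, max_ratio=0.25):
    """samples: [(label, {partition: object_count}), ...] in time order.
    Flag an interval when a partition gains more than max_delta objects or grows
    by more than max_ratio of its previous size; either can mean a flood that
    every DC will dutifully replicate."""
    alerts = []
    for (_, prev), (label, cur) in zip(samples, samples[1:]):
        for part, count in cur.items():
            before = prev.get(part)
            if before is None:
                continue  # partition first seen in this sample
            delta = count - before
            if delta > max_delta or (before and delta / before > max_ratio):
                alerts.append((label, part, before, count))
    return alerts

def new_dc_alerts(known_dcs, current_dcs):
    """Return DCs present now that are not in the approved inventory (a promotion
    nobody planned deserves the same scrutiny as a new admin account)."""
    return sorted(set(current_dcs) - set(known_dcs))

SAMPLE_COUNTS = [  # constructed hourly samples; the 11:00 jump is the flood
    ("09:00", {"DC=corp,DC=example": 12000, "CN=Configuration,DC=corp,DC=example": 3000}),
    ("10:00", {"DC=corp,DC=example": 12150, "CN=Configuration,DC=corp,DC=example": 3001}),
    ("11:00", {"DC=corp,DC=example": 40000, "CN=Configuration,DC=corp,DC=example": 3005}),
]
KNOWN_DCS = ["DC1", "DC2"]  # constructed approved inventory
```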


    Prepare for the worst

    Form a response plan to handle:

    Object flooding

    Rogue administrator

    Physical breach

    Forest/data corruption

    Document recovery scenarios

    See the Forest Recovery whitepaper

    Periodically perform a forest recovery to test process, backups, etc.


    Conclusion

    Securing AD is a big job

    Design dictates security

    Automate as much as possible

    Monitor, monitor, monitor

    Periodically test recovery scenarios

    Read up


    Additional Resources

    Best Practice Guide for Securing Active Directory Installations (Windows Server 2003)

    Whitepaper - http://tinyurl.com/3c928

    Best Practice Guide for Securing Active Directory Installations and Day-to-Day Operations (Windows 2000)

    Part I - http://tinyurl.com/4etnu

    Part II - http://tinyurl.com/5zcan

    Best Practices for Delegating Active Directory Administration

    Whitepaper - http://tinyurl.com/vzlg

    Appendices - http://tinyurl.com/wcwn


    Additional Resources (contd)

    Securing Windows 2000 Active Directory

    Part 1 - http://tinyurl.com/4jf5p

    Part 2 - http://tinyurl.com/5yyk9

    Part 3 - http://tinyurl.com/2j5ga

    Best Practices: Active Directory Forest Recovery

    Whitepaper - http://tinyurl.com/3rk7b

    Active Directory in Networks Segmented by Firewalls

    Whitepaper - http://tinyurl.com/3gkyc


    Q/A

    Thank you for your time!

    Email: [email protected]

    Preso: http://www.rallenhome.com/
