Welcome to the GIG Event
MICROSOFT ACTIVE DIRECTORY SERVICES
Presenter: Avinesh MCP, MCTS

Presentation transcript:

What is ADS?

Active Directory is a database that keeps track of all the user accounts and passwords in your organization. It allows you to store your user accounts and passwords in one protected location, improving your organization's security. Active Directory is subdivided into one or more domains. A domain is a security boundary. Each domain is hosted by a server computer called a domain controller (DC). A domain controller manages all of the user accounts and passwords for a domain.

Active Directory Structure

Hierarchical
Base object
[Diagram labels: Objects, OU, Domain, Domain Tree, Forest]

[Diagram with two panels, "Communications Today" and "Future of Communications". Labels: Telephony, Voice Mail, Instant Messaging (IM), Calendaring, Audio Conferencing, Video Conferencing, Web Conferencing, each with Authentication, Administration, Storage; Telephony and Voice Mail, Instant Messaging and Calendaring, Unified Conferencing: Audio, Video, Web, with Authentication, Administration, Storage, Compliance; On-Premises, Hybrid, In the Cloud.]

Domain Controllers on VMs

How do you back up your domain controllers running on virtual machines?
– Taking a snapshot? What are the side effects?

Active Directory Security Fundamentals

– Forests
– Domains
– Trusts
– Kerberos
– OUs
– Group policy (GPOs)
– ACLs
– Authentication
– Authorization
– Replication
– FSMOs
– Delegation

Securing Active Directory

– Planning
– Creating
– Maintaining
– Best Practices

Planning AD Security

Considerations upon deployment of AD DCs
– Datacenter (Microsoft Online Services)
  • Centralized & Secure (ADFS and single sign-on)
  • High End Performance (uptime guarantee)
– Branch Offices
  • Lack of IT Expertise
  • Slow connectivity to rest of organization

Planning AD Security

Identifying Types of Threats
– Spoofing
– Data Tampering
– Repudiation
– Information Disclosure
– Denial of Service
– Elevation of Privilege

Identifying Sources of Threats
– Anonymous Users
– Authenticated Users
– Service Administrators
– Data Administrators
– Users with Physical Access

Establishing Secure AD Boundaries

Delegation of Administration
– Needs to be flexible, limited, secure, dynamic and meet the needs of the organization based upon need for autonomy and isolation
Forest/Domain Model
Establish Secure Trusts

Deploying Secure Domain Controllers

Ensure predictable, repeatable, and secure domain controller deployments.
– Create strong administrator password
  • 9 characters, non-dictionary, symbols, etc.
– Use TCP/IP only if possible
– Disable non-essential services
  • IIS, Messenger, SMTP, Telnet, etc.
– Format partitions with NTFS
– Install latest service packs and security updates
– Prohibit the use of cached credentials when unlocking DC console
– Install anti-virus scanning software
– Maintain Secure Physical Access to Domain Controllers

Best Practices

Domain Policies
– Password Policies
  • History
  • Age
  • Length
  • Complexity
– Lockout Policy
  • Duration
  • Threshold
  • Reset

Best Practices

Domain Controller Policies
– User Rights
  • Log on locally
  • System Shutdown
– Enable Auditing
  • Account logon
  • Account Management
  • Directory Service Access
  • Logon events
  • Policy changes
  • System events
– Event Logging
  • Security log size set to 128 MB
  • Retention – set to overwrite events as needed

Best Practices

Secure Service Admin Accounts
– Enterprise Admins
– Schema Admins
– Administrators
– Domain Admins – rename this acct
– Server Operators
– Account Operators
– Backup Operators

Best Practices
– Rename the administrator account
– Limit the number of service admin accts
– Separate administrator accts from end user accts

Deploy Secure DNS

Protecting DNS Servers
– Use Active Directory–integrated DNS zones.
– Implement secure updates between DNS clients and servers.
– Protect the DNS cache on domain controllers.
– Monitor network activity.
– Close all unused firewall ports.

Protecting DNS Data
– Use secure dynamic update.
– Ensure that third-party DNS servers support secure dynamic update.
– Ensure that only trusted individuals are granted DNS administrator privileges.
– Set ACLs on DNS data.
– Use separate internal and external namespaces.

Maintaining Secure AD Operations

Maintain Baseline Information
– Create a baseline database of Active Directory infrastructure information.
  • Audit Policies
  • List of GPOs and their assignments
  • List of Trusts
  • List of Domain Controllers, Administrative workstations
  • Service Administrators
  • Operations Masters (FSMO roles)
  • Replication topology
  • Database size (.DIT file)
  • OS version, Service Packs, Hotfixes, Anti-Virus version
– Detect and verify infrastructure changes

Maintaining Secure AD Operations

Monitoring the AD Infrastructure
– Collect information in real time or at specified time intervals.
  • Security Event Logs
– Compare this data with previous data or against a threshold value.
– Respond to a security alert as directed in your organization’s practices.
– Summarize security monitoring in one or more regularly scheduled reports.

Maintaining Secure AD Operations

Monitoring the AD Infrastructure
– Monitoring Forest-level Changes
  • Detect changes in the Active Directory schema.
  • Identify when domain controllers are added or removed.
  • Detect changes in replication topology.
  • Detect changes in LDAP policies.
  • Detect changes in forest-wide operations master roles.

Maintaining Secure AD Operations

Monitoring Domain-level Changes
– Detect changes in domain-wide operations master roles.
– Detect changes in trusts.
– Detect changes in GPOs for the Domain container and the Domain Controllers OU.
– Detect changes in GPO assignments for the Domain container and the Domain Controllers OU.
– Detect changes in the membership of the built-in groups.
– Detect changes in the audit policy settings for the domain.
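
The baseline and change-detection steps on the "Maintaining Secure AD Operations" slides can be scripted. The PowerShell below is an added example, not part of the original presentation: it records FSMO role holders, domain controllers, trusts, GPOs and service admin group membership, then diffs the result against the previous snapshot. It assumes the ActiveDirectory and GroupPolicy modules, a run from the forest root domain, and a hypothetical baseline folder C:\ADBaseline.

```powershell
# Added example, not from the original slides. Run from the forest root domain.
Import-Module ActiveDirectory, GroupPolicy

$BaselineDir = 'C:\ADBaseline'   # assumed path; restrict its ACL to service admins
$ServiceAdminGroups = 'Enterprise Admins', 'Schema Admins', 'Administrators',
                      'Domain Admins', 'Server Operators', 'Account Operators',
                      'Backup Operators'

function Get-ADBaselineSnapshot {
    $forest = Get-ADForest
    $domain = Get-ADDomain
    & {
        # Operations masters (FSMO roles): forest-wide, then domain-wide
        "FSMO|SchemaMaster|$($forest.SchemaMaster)"
        "FSMO|DomainNamingMaster|$($forest.DomainNamingMaster)"
        "FSMO|PDCEmulator|$($domain.PDCEmulator)"
        "FSMO|RIDMaster|$($domain.RIDMaster)"
        "FSMO|InfrastructureMaster|$($domain.InfrastructureMaster)"
        # Domain controllers and their OS version
        Get-ADDomainController -Filter * | ForEach-Object {
            "DC|$($_.HostName)|$($_.OperatingSystem) $($_.OperatingSystemVersion)" }
        # Trusts and their direction
        Get-ADTrust -Filter * | ForEach-Object { "Trust|$($_.Name)|$($_.Direction)" }
        # GPOs; a changed modification time means the GPO was edited
        Get-GPO -All | ForEach-Object {
            "GPO|$($_.DisplayName)|$($_.ModificationTime.ToString('s'))" }
        # Effective (nested) membership of each service admin group
        foreach ($group in $ServiceAdminGroups) {
            Get-ADGroupMember -Identity $group -Recursive | ForEach-Object {
                "Member|$group|$($_.distinguishedName)" }
        }
    } | Sort-Object
}

New-Item -ItemType Directory -Path $BaselineDir -Force | Out-Null
$current  = @(Get-ADBaselineSnapshot)
$previous = Get-ChildItem $BaselineDir -Filter '*.txt' | Sort-Object Name |
            Select-Object -Last 1

if ($previous) {
    # '=>' lines exist only in the new snapshot, '<=' only in the old one
    Compare-Object @(Get-Content $previous.FullName) $current | ForEach-Object {
        $change = if ($_.SideIndicator -eq '=>') { 'ADDED  ' } else { 'REMOVED' }
        Write-Warning "$change $($_.InputObject)"
    }
}
$current | Set-Content (Join-Path $BaselineDir ('{0:yyyyMMdd-HHmmss}.txt' -f (Get-Date)))
```

Every warning line is a change to verify against an approved change record; an empty diff means the tracked items match the last baseline.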

Best Practices

DNS
– Use AD-integrated zones if at all possible
– Use forwarders instead of secondaries
  • Eliminates text-based zone files
– Treat DNS admins as service admins

Best Practices

DHCP
Configure so that:
– Client updates A record
– DHCP service updates PTR record

Best Practices

DC policies
– Enable auditing
– Disable anonymous connections
– Digitally sign client communications
– Disable cached credentials

Best Practices

FSMO placement
– Implications per role
– Availability
– Survivability

Best Practices

Group Memberships
– Severely limit membership in administrative groups
– Set ACLs on groups so that only service admins can modify service admin groups
– Remove everyone from the Schema Administrators group
  • Add someone back in when needed
– Audit changes to service admin groups
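
One way to audit changes to service admin groups, as an added PowerShell example that is not part of the original presentation: it reads group membership change events (IDs 4728, 4729, 4732, 4733, 4756, 4757) from each domain controller's Security log and keeps those that target a service admin group. It assumes Account Management auditing is enabled on the DCs and the ActiveDirectory module is installed; the one-day look-back window is an arbitrary choice.

```powershell
# Added example, not from the original slides.
Import-Module ActiveDirectory

$ServiceAdminGroups = 'Enterprise Admins', 'Schema Admins', 'Administrators',
                      'Domain Admins', 'Server Operators', 'Account Operators',
                      'Backup Operators'
# Member added/removed: global (4728/4729), local (4732/4733), universal (4756/4757)
$EventIds = 4728, 4729, 4732, 4733, 4756, 4757
$Since    = (Get-Date).AddDays(-1)   # assumption: the script runs daily

function Get-ServiceAdminGroupChange {
    param([Parameter(Mandatory)][string]$ComputerName)

    $filter = @{ LogName = 'Security'; Id = $EventIds; StartTime = $Since }
    try {
        $events = Get-WinEvent -ComputerName $ComputerName -FilterHashtable $filter -ErrorAction Stop
    } catch {
        # "No events" is the normal quiet case; anything else means a DC went unchecked
        if ($_.FullyQualifiedErrorId -notlike 'NoMatchingEventsFound*') {
            Write-Warning "${ComputerName}: Security log not read: $_"
        }
        return
    }
    foreach ($e in $events) {
        # Flatten the event's EventData name/value pairs into a hashtable
        $data = @{}
        foreach ($d in ([xml]$e.ToXml()).Event.EventData.Data) { $data[$d.Name] = $d.'#text' }
        if ($ServiceAdminGroups -contains $data['TargetUserName']) {
            [pscustomobject]@{
                Time      = $e.TimeCreated
                DC        = $ComputerName
                Action    = if ($e.Id -in 4728, 4732, 4756) { 'Added' } else { 'Removed' }
                Group     = $data['TargetUserName']
                Member    = $data['MemberName']
                ChangedBy = "$($data['SubjectDomainName'])\$($data['SubjectUserName'])"
            }
        }
    }
}

# The event is written on the DC that processed the change, so query every DC.
Get-ADDomainController -Filter * |
    ForEach-Object { Get-ServiceAdminGroupChange -ComputerName $_.HostName } |
    Sort-Object Time | Format-Table -AutoSize
```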

Best Practices

Monitoring
– Monitor for any unexpected DC outages
  • Can indicate an attack
– Monitor for unexpected query loads
  • Can indicate a DoS attack
– Monitor for disk space use
  • Can indicate a replicating DoS attack
– Monitor for DNS request traffic
  • Can indicate a DoS attack on DNS

Best Practices

Service Administration
– Create separate admin and user accounts
– Create a separate service admin OU
– Establish secure admin workstations
  • Don’t give admin privileges on workstation
– Use secure updates (NTLM) between admin workstations and DCs
– Use the “logon locally” policy to limit service admin logons to specific admin workstations

Best Practices

Data Administration
– Always use NTFS
– Use encryption where appropriate

Thank You

Q and A?