Brian Desmond Moran Technology Consulting www.morantechnology.com www.briandesmond.com.

What’s New in Windows Server 2008 AD?
Presentation transcript:

Brian Desmond Moran Technology Consulting

About Me
- Chicago based
- Active Directory & Exchange consultant
- MS MVP for Active Directory since 2003
- Author of Active Directory, 4th Ed from O’Reilly (you should own a copy!)
- Website & blog:

Agenda
- BitLocker
- Server Core
- Managed Service Accounts
- Read-Only Domain Controllers
- Fine Grained Password Policies
- Deleted Object Management

BitLocker
- New feature in Windows Vista
- Addresses the missing pieces from EFS: encrypts the system volume, including the page file and hibernation files
- Whole drive/volume encryption
  - Prevents the “remove the hard drive from a stolen laptop” attack
  - Encrypts “early boot components” and detects any changes (either from the above or from malware)
  - Trusted Platform Module (TPM) chip or PIN/USB key

BitLocker – Administrative Issues
- High security environments can require a PIN or USB key before the system will boot
  - Do you have 24x7 data center coverage? If not, be wary of this feature on a server.
- BitLocker is not a replacement for EFS!

BitLocker Recovery Passwords
- All BitLocker deployments require a copy of the recovery password to be stored somewhere
- Out of the box, your users must save their own recovery password
  - This probably isn’t the best plan…

Recovery Passwords in AD
- Requires Windows Server 2003 SP1 or newer domain controllers
- What about deleted computer accounts?
  - Sales guy who’s always on the road
  - High-powered exec who goes on a 3-month sabbatical
- Possible increase in size for NTDS.DIT
  - Test labs, “ghosted” environments that add/delete hundreds of machines can increase database size
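An added example, not part of the deck, of reading the recovery passwords that AD-backed BitLocker stores as msFVE-RecoveryInformation child objects under a computer account. It assumes the Windows Server 2008 R2 / RSAT ActiveDirectory module and a placeholder computer name.

```powershell
# Added example: list BitLocker recovery passwords stored under a computer object in AD DS.
# Assumes the ActiveDirectory PowerShell module; 'LAPTOP-SALES01' is a placeholder name.
Import-Module ActiveDirectory

function Get-BitLockerRecoveryInfo {
    param([Parameter(Mandatory = $true)][string]$ComputerName)

    # Recovery objects are children of the computer object, so search its subtree
    $computer = Get-ADComputer -Identity $ComputerName
    Get-ADObject -SearchBase $computer.DistinguishedName -SearchScope Subtree `
        -Filter 'objectClass -eq "msFVE-RecoveryInformation"' `
        -Properties 'msFVE-RecoveryPassword', 'msFVE-RecoveryGuid', 'whenCreated' |
        ForEach-Object {
            # msFVE-RecoveryGuid is stored as bytes; the recovery screen shows the first
            # 8 characters of this GUID as the "Password ID" the user reads out to you
            $guid = [guid]$_.'msFVE-RecoveryGuid'
            [pscustomobject]@{
                Computer   = $computer.Name
                PasswordId = $guid.ToString().Substring(0, 8).ToUpper()
                Password   = $_.'msFVE-RecoveryPassword'
                Created    = $_.whenCreated
            }
        } | Sort-Object Created -Descending
}

# Newest entry first: a volume that was re-keyed several times has several recovery objects,
# and all of them disappear with the computer object if that account is deleted
Get-BitLockerRecoveryInfo -ComputerName 'LAPTOP-SALES01'
```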

Windows 7 Improvements
- BitLocker To Go
  - Encrypt removable storage (e.g. USB keys)
  - Require USB key encryption for write access
  - Windows 7 Enterprise/Ultimate SKUs
- Universal recovery key: Data Recovery Agent
- BitLocker partitioning done during setup

Agenda (section divider): Server Core, Managed Service Accounts, Read-Only Domain Controllers, Fine Grained Password Policies, Deleted Object Management

What is Server Core?
- New installation option for W2K8
  - Not a separate SKU, does not require separate CALs
- Security benefits
  - Smaller installation footprint
  - “Less friendly” UI leads to less “tinkering” in branch office scenarios
- Administering Server Core
  - Only specific services/roles can be installed
  - Limited GUI – but not totally gone!
  - Remote administration can use any GUI tools you’d like

Operational Concerns for Server Core
- Application compatibility for Server Core
  - Impact on anti-virus and other tools
  - Windows Server 2008 R2 adds .NET
- Administrative learning curve
- “Can I ‘upgrade’ a Server Core install to a full installation?”
  - No, requires full re-install of the OS

Server Core Demo

Agenda (section divider): Server Core, Managed Service Accounts, Read-Only Domain Controllers, Fine Grained Password Policies, Deleted Object Management

Branch Office Read-Only Domain Controllers
- Admin Role Separation
  - RODC server admins needn’t be Domain Admins
  - Prevents branch admins from accidentally causing harm
  - Delegated promotion
- Secrets not cached by default
  - Policy to configure caching branch-specific secrets on the RODC
  - Policy to configure custom schema attributes as secrets
- 1-Way Replication
  - No replication from RODC to full DC
  - Change on RODC does not propagate to the entire enterprise

Active Directory – No RODCs (diagram: Hub Site, Branch Office)

Domain Controller Secret Security (diagram: Hub Site, Branch Office; caption: “Domain-wide Password Reset!”)

Active Directory – RODCs (diagram: Hub Site (RWDC), Branch RODC)

RODC Secret Security (diagram: Hub Site (RWDC), Branch RODC; caption: “Just a few Password Resets”)

Password Replication Policy
- Defines what secrets are cached on the RODC
- Stored on a per-RODC basis
  - Authenticated To list
  - Cached Passwords list
  - Caching Allowed list
  - Caching Denied list
- Cached passwords are removed when they expire or are changed
- Every RODC has a separate krbtgt account (the krbtgt account encrypts Kerberos tickets)

How it Works (diagram: Hub Site (RWDC), Branch RODC, End User)
1. User login request
2. RODC checks cache
3. RODC forwards to 2008 writeable DC
4. RWDC authenticates user
5. RWDC returns authentication to RODC
6. RODC sends success to user
7. RODC generates replication request for secret
8. Hub site DC checks PRP to see if password can be cached
9. Hub site DC replicates password to RODC
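An added example, not from the deck, that walks the four PRP lists from the previous slide with the Windows Server 2008 R2 ActiveDirectory module, then checks that no privileged account has had its secret revealed to the branch RODC. The RODC and group names are placeholders.

```powershell
# Added example: inspect and adjust one RODC's Password Replication Policy.
# Assumes the ActiveDirectory module; 'BRANCH-RODC1' and the group names are placeholders.
Import-Module ActiveDirectory
$rodc = 'BRANCH-RODC1'

# Caching Allowed / Caching Denied lists: who may (and who must never) be cached on this RODC
Get-ADDomainControllerPasswordReplicationPolicy -Identity $rodc -Allowed | Select-Object Name
Get-ADDomainControllerPasswordReplicationPolicy -Identity $rodc -Denied  | Select-Object Name

# Cached Passwords list: accounts whose secrets have actually been replicated to the RODC (step 9)
$revealed = Get-ADDomainControllerPasswordReplicationPolicyUsage -Identity $rodc -RevealedAccounts
# Authenticated To list: accounts the RODC has forwarded to the hub RWDC (step 3), cached or not
$authenticated = Get-ADDomainControllerPasswordReplicationPolicyUsage -Identity $rodc -AuthenticatedAccounts

# Accounts that authenticate through the branch but are not cached: candidates for the Allowed list,
# so a WAN outage does not lock the branch out
$authenticated | Where-Object { $revealed.DistinguishedName -notcontains $_.DistinguishedName } |
    Select-Object SamAccountName

# Defender check: a compromised RODC should never yield a Domain Admin secret.
# Denied entries win over Allowed ones, so keep privileged groups on the Denied list.
$domainAdmins = Get-ADGroupMember -Identity 'Domain Admins' -Recursive |
    Select-Object -ExpandProperty SamAccountName
$revealed | Where-Object { $domainAdmins -contains $_.SamAccountName } |
    Select-Object SamAccountName   # expected: nothing

# Let the branch users' group be cached; keep branch admins and Domain Admins out of the cache
Add-ADDomainControllerPasswordReplicationPolicy -Identity $rodc -AllowedList 'Branch1 Users'
Add-ADDomainControllerPasswordReplicationPolicy -Identity $rodc -DeniedList 'Domain Admins', 'Branch1 Admins'
```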

Agenda (section divider): Server Core, Managed Service Accounts, Read-Only Domain Controllers, Fine Grained Password Policies, Deleted Object Management

Fine Grained Password Policies
- Limitless password and lockout policies per domain
- Linked directly to users or via groups
  - No OU-based linking!
- Create with ADSIEdit – no FGPP GUI
  - Windows 7 adds PowerShell cmdlets
  - 3rd party tools available
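An added example, not from the deck, of the Windows 7 / Windows Server 2008 R2 cmdlets the slide refers to: it creates a stricter Password Settings Object, links it through a global group (the only linking the feature allows), and shows how to verify which policy a user actually ends up with. The PSO name and user name are placeholders.

```powershell
# Added example: create and link a Fine Grained Password Policy with the ActiveDirectory module.
# 'PSO-Admins' and 'jdoe' are placeholders.
Import-Module ActiveDirectory

# When several PSOs apply to one user, the LOWEST Precedence value wins, so give the
# strict policy for privileged accounts a low number
New-ADFineGrainedPasswordPolicy -Name 'PSO-Admins' -Precedence 10 `
    -Description 'Stricter policy for privileged accounts' `
    -MinPasswordLength 15 -PasswordHistoryCount 24 -ComplexityEnabled $true `
    -MinPasswordAge (New-TimeSpan -Days 1) -MaxPasswordAge (New-TimeSpan -Days 60) `
    -LockoutThreshold 5 -LockoutObservationWindow (New-TimeSpan -Minutes 30) `
    -LockoutDuration (New-TimeSpan -Minutes 30) -ReversibleEncryptionEnabled $false

# Link by group membership (users or global security groups only; an OU cannot be a subject)
Add-ADFineGrainedPasswordPolicySubject -Identity 'PSO-Admins' -Subjects 'Domain Admins'

# Review who the PSO is linked to
Get-ADFineGrainedPasswordPolicySubject -Identity 'PSO-Admins' | Select-Object Name, ObjectClass

# Resultant policy for one user: $null means the domain default policy applies, which is
# the thing to check after a user is moved between groups
Get-ADUserResultantPasswordPolicy -Identity 'jdoe'
```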

FGPP Management Tools SpecOps Password Policy Basic -

Agenda (section divider): Server Core, Read-Only Domain Controllers, Fine Grained Password Policies, Managed Service Accounts, Deleted Object Management

Service Accounts Today
- Huge security hole
- Passwords never changed
- Nobody knows who knows the password
- Every service using the account is often unknown

Managed Service Accounts
- Windows Server 2008 R2 feature
- Service account password managed by the server automatically
- One-to-one service account to machine relationship
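An added example, not from the deck, of provisioning a Windows Server 2008 R2 Managed Service Account end to end: the account is created in AD, bound to its single host, installed on that host, and then a service is switched over to it. It assumes the ActiveDirectory module on both the admin workstation and the host; the account, host, service and domain names are placeholders.

```powershell
# Added example: provision and use a 2008 R2 Managed Service Account.
# 'svc-app01', 'APP01', 'MyAppService' and 'CONTOSO' are placeholders.
Import-Module ActiveDirectory

# --- Run on a DC or an RSAT workstation ---
# AD generates the password and rotates it automatically; no person ever knows it
New-ADServiceAccount -Name 'svc-app01' -Enabled $true -Description 'MSA for MyAppService on APP01'
# One-to-one: only this computer may retrieve the MSA's password
Add-ADComputerServiceAccount -Identity 'APP01' -ServiceAccount 'svc-app01'

# --- Run on APP01 itself ---
# Caches the account locally so services can log on with it; returns True when usable
Install-ADServiceAccount -Identity 'svc-app01'
Test-ADServiceAccount -Identity 'svc-app01'

# Switch the service to the MSA. The logon name is the sAMAccountName (ends in '$') and the
# password is deliberately the empty string: Windows fetches the real one from AD.
# Win32_Service.Change(DisplayName, PathName, ServiceType, ErrorControl, StartMode,
#                      DesktopInteract, StartName, StartPassword, ...)
$svc = Get-WmiObject -Class Win32_Service -Filter "Name='MyAppService'"
$result = $svc.Change($null, $null, $null, $null, $null, $null, 'CONTOSO\svc-app01$', '')
if ($result.ReturnValue -ne 0) { throw "Service reconfiguration failed: $($result.ReturnValue)" }
# The MSA also needs the 'Log on as a service' right on APP01 (local policy or GPO)
Restart-Service -Name 'MyAppService'

# Answers the "which services use this account?" question from the previous slide
Get-WmiObject -Class Win32_Service |
    Where-Object { $_.StartName -like 'CONTOSO\svc-*' } |
    Select-Object Name, StartName, State
```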

Agenda (section divider): Server Core, Read-Only Domain Controllers, Fine Grained Password Policies, Managed Service Accounts, Deleted Object Management

Accidental Deletion Protection
- Checkbox in Windows Server 2008 administrative tools
- Adds an ACL to the object preventing Delete for Everyone

Recycle Bin Object Lifecycle (diagram)
- Windows Server 2008: Live Object -> Deleted Object (Tombstone Object) -> 180 days -> garbage collection
- Windows Server 2008 R2 w/ Recycle Bin: Live Object -> Deleted Object -> Recycled Object -> 180 days -> garbage collection (if not enabled, behavior is similar to Windows Server 2008)
- LDAP controls (OIDs not reproduced on the slide): returns tombstones; returns deleted; returns deleted and recycled

Learn More! Active Directory, 4th Ed – best selling Active Directory title
- What’s New?
- Windows Server 2008 coverage:
  - Read Only Domain Controllers (RODCs)
  - Fine Grained Password Policies (FGPPs)
  - Auditing and security improvements
  - Windows Server 2008 upgrade procedure
  - DNS enhancements (such as GlobalName zones)
- Exchange 2007 integration & scripting
- Windows PowerShell & Active Directory
- .NET Active Directory programming
- New user interface features
- Lots of new diagrams and figures

LLTS Tracking Screenshot

Owner Access Restriction
- Separates owner access from creator access
  - Remember CREATOR OWNER?
- Owners can modify permissions by default
  - Use OWNER RIGHTS to prevent this

Active Directory Recycle Bin
- Accidental deletions are the leading cause of Active Directory outages
- Pre Win7, undelete is severely limited
- Recycle Bin is a WS08R2 Forest Functional Level feature
- Use PowerShell to restore objects
- No out-of-box UI included
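An added example, not from the deck, covering the three deleted-object slides together: the accidental-deletion checkbox set and audited from PowerShell, enabling the Recycle Bin, and the PowerShell-only restore the slide mentions, which only works while an object is still in the Deleted (not yet Recycled) stage of the lifecycle shown earlier. Domain, OU and user names are placeholders.

```powershell
# Added example: deletion protection, Recycle Bin enablement and object restore.
# 'contoso.com', 'OU=Branch1,...' and 'jdoe' are placeholders.
Import-Module ActiveDirectory

# 1. Accidental Deletion Protection: the checkbox, which adds Deny Delete / Delete Subtree
#    for Everyone on the object's ACL
Set-ADOrganizationalUnit -Identity 'OU=Branch1,DC=contoso,DC=com' -ProtectedFromAccidentalDeletion $true

# Audit: list OUs that are NOT protected (newly created OUs are easy to miss)
Get-ADOrganizationalUnit -Filter * -Properties ProtectedFromAccidentalDeletion |
    Where-Object { -not $_.ProtectedFromAccidentalDeletion } |
    Select-Object DistinguishedName

# 2. Recycle Bin: forest-wide, requires the 2008 R2 forest functional level, and cannot be
#    turned off once enabled
Enable-ADOptionalFeature -Identity 'Recycle Bin Feature' -Scope ForestOrConfigurationSet -Target 'contoso.com'

# 3. Find a deleted user. With the Recycle Bin on, a Deleted object keeps its attributes
#    (including group membership) until the deleted-object lifetime expires; after that it is
#    Recycled, most attributes are stripped and Restore-ADObject can no longer bring it back.
$deleted = Get-ADObject -IncludeDeletedObjects `
    -Filter { isDeleted -eq $true -and objectClass -eq 'user' -and name -like 'jdoe*' } `
    -Properties lastKnownParent, whenChanged
$deleted | Select-Object Name, lastKnownParent, whenChanged

# Restore into the original container. If that container was deleted too, restore it first
# (or give -TargetPath) because lastKnownParent must exist.
$deleted | Restore-ADObject
```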

Active Directory Auditing
- Pre Windows Server 2008, Active Directory auditing was not very helpful
- New auditing introduces:
  - Granularity
  - Before and after data in audits
  - Separate events for different types of operations

Sample Audit Event