Staying Secure During an NT to Windows 2000 Migration
Paul Hinsberg, MCSE, MBA
CEO, CRSD Inc
Questions! Look to the lower left to submit a question.

Slide 2: Agenda
- Introduction
- Sources of Risk
- Points of Risk During Migration
- Understanding the Tools
- Risks Related to Services
Slide 3: Sources of Risk
- Lack of direction
- Lack of planning/testing
- Lack of knowledge
Slide 4: Points of Risk During Migration
- Planning phase
- Preparation
- Implementation
- Post-implementation
Slide 5: Planning Phase
- Clear understanding of direction
- Knowing what the domain and OU structure will look like in the end
- Established Group Policies
- Understand the business objectives
Slide 6: Preparation
- Evaluation of systems
  - Review of the types of services in your enterprise
  - Separation of client-facing and internal
- Evaluation of security
  - Review of the permissions, roles, and measures
Slide 7: Evaluation of Systems
- Identify all servers and services: RAS, DHCP, Exchange, IIS, Terminal Services…
  - RAS will often require Windows 2000 security to be relaxed in order to accommodate users.
  - DHCP servers will need to be authorized in order to function correctly and, depending on configuration, carry risks.
  - Exchange 5.5 has its own directory and will need special care in order to migrate to Exchange
  - IIS implies outside access. Security should already be a focus here.
  - Terminal Services/Citrix will need some attention to maintain user access.
Slide 8: Evaluation of Security
- Understand the current security model completely
- User group memberships
  - Understanding SID History will be paramount
- File server DACLs
  - Cleaning this up will be tedious, but there are tools to help!
- System Policies
  - You’ve created your own personal nightmare.
Slide 9: Security Evaluation Tools
- SCM – Security Configuration Manager
  - NT 4.0 SP4+
  - Careful! Q
- AddUsers.exe – Resource Kit
- ADMT for DACL cleanup
  - Timing is important on this one!
Slide 10: Implementation
- Migration types have different risks
- Groups/user accounts
- How other services influence security
Slide 11: Migration Types
- In-place
- Restructure-migration combination
- Moving to a pristine environment
Slide 12: In-place
- PDC/BDC is upgraded “as is”
- Offers the benefit of reduced migration time
- Carries all of the old infrastructure baggage from the old NT domain
- Operation and security are different than a new build!
Slide 13: In-place Security Issues
- NT 4.0 user groups are moved as is
- The Everyone group exists and allows unauthenticated users
- Physical security of DCs is often missed
Slide 14: Restructure-migration Combination
- Reorganization of domains/users/groups is done before or after migration
  - Preparation of the NT 4.0 domain is required, or
  - Reorganization of domains afterward
- Multiple phases can lead to disorganization
- Best when building a pristine environment is not an option
Slide 15: Restructure Security Issues
- From a security standpoint, requires the most diligence
- Inadvertent access to administrative-level accounts is often missed
- Frustration levels can be high, leading to relaxed security
- Switch to Native Mode can cause operational issues
Slide 16: Pristine
- Building a Windows 2000 AD and then migrating users
- Allows for the least impact on users and reduces outage risks
- Takes longer!
- User migration opens security risks
Slide 17: Pristine Security Issues
- Planning is a big key, and may often be rushed through
- ADMT and cloning of user accounts carry inherent security issues
- Post-migration cleanup is critical
Slide 18: Groups/User Accounts
- Clean up the groups and user accounts on DCs prior to any migration (ADDUSERS/NET USERS)
  - Must be done before AND after migration
- Special attention to the Administrators and Domain Admins groups
- SID History
Slide 19: SID History
Windows 2000 eases migration by allowing a SID History to exist.

[Diagram]
- Pre-migration, PaulHins: User SID; Groups
- Post-migration, PaulHins: User SID; … OLD USER SID (treated as a group); Groups (old NT 4.0 groups) (Win2k groups)
Slide 20: SID History Issues
- ADMT/Clone can allow a properly authorized user to insert the SID of one account into the username of another.
- Objects can only have 1,024 SIDs associated. Companies with many nested groups could run into a problem.
- Post-migration cleanup is required
Slide 21: Other Services
- Services sometimes need administrative access (more often they are given the access although it is not required)
- Service accounts will need to be treated separately during migration
- Some systems that will need special attention: SMS, RAS, Exchange
Slide 22: RAS
- RAS (including VPN, dial-up, etc.) may require some relaxed security on Windows 2000 in order to operate during the migration (Mixed Mode)
- The general solution is to allow the EVERYONE group to read user attributes. Thus, unauthenticated users can see user accounts.
- Upgrading RAS systems to Windows 2000 as soon as possible is best
Slide 23: DHCP
- Has the ability to dynamically update machine records
- If installed on a Domain Controller, can lead to security holes – Q255134, Q
- Requires authorization to operate correctly
Slide 24: DNS
- Windows 2000 DNS allows for dynamic updates
- Until the domain is in Native Mode, secure dynamic updates may not be an option
- This can permit unauthorized updates to the DNS or force you to perform manual entries
- Understanding this vulnerability and monitoring the changes is key
Slide 25: Post-Implementation
- DACL cleanup
  - Access Control Lists are the most tedious task, but a required one. The SIDs from the previous domains may still exist and need to be cleared.
- SID History
  - Old SIDs represent clutter and a security issue. The ADSI Edit tool can find these; scripting cleans them out.
- Native Mode transition
Slide 26: Tools of the Trade
- Active Directory Migration Tool (ADMT)
- ClonePrincipal
- ADSI
- NT Resource Kit
- Windows 2000 Support Tools
Slide 27: ADMT/Clone
- In a migration, the Active Directory Migration Tool is going to be one of the main weapons
- …ownloads/tools/default.asp
Slide 28: ADMT Reports
- Migrated Users and Groups Report: summarizes the results of the user and group migration operations.
- Migrated Computers Report: summarizes the results of the computer migration operations.
- Expired Computers Report: lists the computer accounts with expired passwords.
- Impact Analysis Report: lists the user accounts and groups that will be affected by computer migration operations.
- Name Conflicts Report: lists the user accounts and groups that exist in both the source and target domains.
Slide 29: ADMT Use
- Only local Administrators on the DCs will be able to use the tool
- Only install the tool on the Windows 2000 DC that will be used to migrate the users
- Use NTFS permissions to further restrict the running of the tool on the system
Slide 30: ADSI Edit
An MMC snap-in that is used to search for the SID History of the users.

To perform the search:
1. Connect to a domain.
2. Create a query; cut and paste this: (&(objectCategory=user)(SIDhistory=*))
3. Then run it.

ADSI scripting allows for the removal of SID History (the GUI does NOT).
Slide 31: Don’t Let Frustration Rule You!
Planning, testing and patience will be your best defense against the pressure and complexities of the migration!
Slide 32: Questions!
Please click the Ask a Question link in the lower left part of the screen to submit a question.