Slide 1: Microsoft Ignite 2015 9/21/2018 5:56 PM
© 2015 Microsoft Corporation. All rights reserved. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION.

Slide 2: Righting the Right Rights: Active Directory & Domain Security, Administration & Maintenance
Session code: M354
Presenter: Jess Dodson
Slide 3: Security

Slide 4: Accounts

Slide 5: Accounts – you need more than one!

Slide 6: Different Accounts
- Standard account
- Desktop admin account
- Server admin account
- Domain admin account

Slide 7: Domain admin accounts never log on to workstations OR servers

Slide 8: Limit access to your accounts

Slide 9: Keep accounts out of your admin groups

Slide 10: Who actually needs to be a Domain Admin anyway?
Slide 11: Passwords

Slide 12: Do not use the default

Slide 13: Don’t use the same password… for everything

Slide 14: Make sure passwords EXPIRE

Slide 15: Longer password = longer time between changes (XKCD.com)

Slide 16: Use fine-grained password policies (FGPPs)
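Slides 14 to 16 together describe one control: privileged accounts get a separate, stricter password policy (long password, expiry, lockout) delivered as a Password Settings Object rather than by loosening the domain default. The following PowerShell is an added example, not code from the deck or from the presenter. It creates a PSO with the ActiveDirectory RSAT module, applies it to a group, and then checks which policy actually wins for each member, because a PSO with a worse precedence than an existing one silently loses. The PSO name, the group name, the numeric values and the path are assumptions for illustration.

```powershell
# Added example (not from the Ignite deck): create a fine-grained password policy
# for privileged accounts and verify that it is the resultant policy for them.
# Requires the ActiveDirectory RSAT module and rights to create PSOs in the domain.
Import-Module ActiveDirectory

$psoName   = 'PSO-PrivilegedAccounts'   # assumed PSO name
$groupName = 'Tier0-Admins'             # assumed group that holds the admin accounts

# Only create the PSO if it does not exist yet, so the script can be re-run safely.
$existing = Get-ADFineGrainedPasswordPolicy -Filter "Name -eq '$psoName'"
if (-not $existing) {
    $policy = @{
        Name                        = $psoName
        Precedence                  = 10                        # lower value wins if several PSOs apply
        MinPasswordLength           = 20                        # longer password ... (slide 15)
        MaxPasswordAge              = (New-TimeSpan -Days 365)  # ... so it may live longer, but still EXPIRES (slide 14)
        MinPasswordAge              = (New-TimeSpan -Days 1)
        PasswordHistoryCount        = 24                        # no cycling back to an old password
        ComplexityEnabled           = $true
        ReversibleEncryptionEnabled = $false
        LockoutThreshold            = 10
        LockoutObservationWindow    = (New-TimeSpan -Minutes 30)
        LockoutDuration             = (New-TimeSpan -Minutes 30)
    }
    New-ADFineGrainedPasswordPolicy @policy
}

# Apply the PSO to the group; PSOs bind to users or global security groups, not OUs.
Add-ADFineGrainedPasswordPolicySubject -Identity $psoName -Subjects $groupName

# Verify: the resultant policy for each member must be this PSO. If another PSO with a
# lower precedence number also targets the account, that one wins and shows up here.
$defaultMaxAge = (Get-ADDefaultDomainPasswordPolicy).MaxPasswordAge
Get-ADGroupMember -Identity $groupName -Recursive |
    Where-Object objectClass -eq 'user' |
    ForEach-Object {
        $resultant = Get-ADUserResultantPasswordPolicy -Identity $_.SamAccountName
        [pscustomobject]@{
            Account        = $_.SamAccountName
            EffectivePSO   = if ($resultant) { $resultant.Name } else { '(domain default)' }
            MaxPasswordAge = if ($resultant) { $resultant.MaxPasswordAge } else { $defaultMaxAge }
            Expected       = ($resultant -and $resultant.Name -eq $psoName)
        }
    } | Format-Table -AutoSize
```

Any row whose Expected column is False is an account that is not actually covered by the policy, either because a competing PSO has a lower precedence number or because the account is only a member of a domain local or distribution group, which PSOs ignore.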
Slide 17: Passwords do not belong in GPPs… EVER (MS14-025)

Slide 18: Randomise your local admin passwords – Local Administrator Password Solution (LAPS)!

Slide 19: Prevent local admin accounts from remotely accessing other systems
Slide 20: Servers

Slide 21: Patch your servers!

Slide 22: Limit RDP ability

Slide 23: Only DAs can access the console of DCs

Slide 24: Trusts – who actually needs access?

Slide 25: Security Compliance Manager (SCM) – your new bestest friend

Slide 26: Workstations

Slide 27: Admin workstation =/= user workstation

Slide 28: Administration & Maintenance
Slide 29: Administration & Maintenance – topics
- Replication
- FSMO Roles
- Time Synchronization
- Trusts
- DNS & Networking
- Event Logs
- Account Administration
- Azure – AADC & AADC Health
Slide 30: Replication

Slide 31: repadmin /replsummary

Slide 32: repadmin /showrepl * /errorsonly

Slide 33: repadmin /showutdvec * dc=<domain>,dc=<com>

Slide 34: repadmin /queue *

Slide 35: repadmin /failcache

Slide 36: FSMO Roles

Slide 37: netdom query fsmo

Slide 38: Time Settings

Slide 39:
w32tm /config /manualpeerlist:<list of time servers> /syncfromflags:manual /reliable:yes /update
w32tm /config /syncfromflags:domhier /update

Slide 40: w32tm /query /configuration

Slide 41: Trusts

Slide 42: nltest /domain_trusts

Slide 43: DNS & Networking

Slide 44: type %systemroot%\debug\netlogon.log | findstr NO_CLIENT_SITE
Slide 45: Ports
- 53 – DNS
- 88 – Kerberos
- 123 – NTP (Time Services)
- 135 – RPC endpoint mapper (EPM)
- 139 – NetBIOS Session
- 389 – LDAP
- 445 – SMB over IP
- 636 – LDAP SSL
- 3268 – LDAP GC
- 3269 – LDAP GC SSL
Slide 46: Event Logs

Slide 47: System Events
- 29: Time synchronization failure
- 55: Possible file system corruption
- 1056: DHCP service is running on a DC without credentials
- 16645: RID pool depleted
- 16650: Account-identifier failed to initialize

Slide 48: DNS Events
- 5774: DNS registration failure
- 5775: DNS de-registration failure
- 5781: DNS registration or deregistration failure

Slide 49: Security & Directory Service events – ALL events

Slide 50: Advanced Audit Policies (GPO)
Computer Configuration – Windows Settings – Security Settings – Advanced Audit Configuration
Slide 51: Account Monitoring & Administration

Slide 52: Account lockout failures & failed login attempts

Slide 53: Check admin group memberships & monitor addition/removal from security groups
- Enterprise Admins
- Schema Admins
- Domain Admins
- Administrators
- Backup Operators
- Event Log Readers
- Remote Management Users
- Server Operators
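Slides 52 and 53 ask for two things: watch lockouts and failed logons, and know at all times who is in the privileged groups, including changes made since the last look. The PowerShell below is an added example, not code from the deck or from the presenter. It snapshots the eight groups from slide 53 (expanding nested membership), diffs the snapshot against the previous run, and then summarises the Security events that correspond to slide 52 and to group membership changes. The baseline path and the 24-hour window are assumptions; the event IDs are the standard Windows Security IDs for lockout (4740), failed logon (4625), Kerberos pre-authentication failure (4771) and member added/removed for global, local and universal security groups (4728/4729, 4732/4733, 4756/4757), which only appear if the Advanced Audit Policy from slide 50 has Account Management and Logon auditing enabled.

```powershell
# Added example (not from the Ignite deck): privileged-group diff plus a daily
# read of lockout, failed-logon and group-change events from the Security log.
# Assumptions: run on a DC with the ActiveDirectory module; the baseline path and
# the look-back window below are illustrative.
Import-Module ActiveDirectory

$groups = 'Enterprise Admins', 'Schema Admins', 'Domain Admins', 'Administrators',
          'Backup Operators', 'Event Log Readers', 'Remote Management Users', 'Server Operators'
$baselinePath = 'C:\ADChecks\admin-groups-baseline.json'   # assumed location
$since        = (Get-Date).AddHours(-24)                    # assumed look-back window

# --- 1. Snapshot current membership and diff against the last run -----------------
$current = @{}
foreach ($g in $groups) {
    # -Recursive expands nested groups, so an account nested three groups deep still shows up.
    $members = Get-ADGroupMember -Identity $g -Recursive -ErrorAction SilentlyContinue |
               Select-Object -ExpandProperty SamAccountName | Sort-Object -Unique
    $current[$g] = @($members)
}

if (Test-Path $baselinePath) {
    $baseline = Get-Content -Path $baselinePath -Raw | ConvertFrom-Json
    foreach ($g in $groups) {
        $old = @($baseline.$g)
        $new = $current[$g]
        # Manual set difference rather than Compare-Object, so empty groups are handled cleanly.
        foreach ($m in ($new | Where-Object { $_ -notin $old })) { "ADDED    {0,-25} {1}" -f $g, $m }
        foreach ($m in ($old | Where-Object { $_ -notin $new })) { "REMOVED  {0,-25} {1}" -f $g, $m }
    }
} else {
    "No baseline found; writing the first snapshot to $baselinePath"
    New-Item -ItemType Directory -Path (Split-Path $baselinePath) -Force | Out-Null
}
# Persist this run as the baseline for the next one.
$current | ConvertTo-Json -Depth 3 | Set-Content -Path $baselinePath

# --- 2. Security events for slide 52 (lockouts, failed logons) and slide 53 (group changes)
$ids = 4740, 4625, 4771, 4728, 4729, 4732, 4733, 4756, 4757
$events = Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = $ids; StartTime = $since } `
                       -ErrorAction SilentlyContinue   # SilentlyContinue: "no events" is not an error

# Count per event ID, newest event first (Get-WinEvent returns newest first).
$events | Group-Object Id | Sort-Object { [int]$_.Name } | ForEach-Object {
    [pscustomobject]@{
        EventId = $_.Name
        Count   = $_.Count
        Latest  = ($_.Group | Select-Object -First 1).TimeCreated
    }
} | Format-Table -AutoSize

# Lockouts in detail: for 4740, Properties[0] is the locked account and Properties[1]
# the caller computer, which is where the bad password source is usually found.
$events | Where-Object Id -eq 4740 | ForEach-Object {
    "{0:s} LOCKOUT {1} (caller computer: {2})" -f $_.TimeCreated, $_.Properties[0].Value, $_.Properties[1].Value
}
```

Run it once to seed the baseline, then from a scheduled task; any ADDED line for Enterprise Admins, Schema Admins or Domain Admins that does not match a change ticket is the thing to chase, and a 4740 whose caller computer is a server rather than the user's own workstation usually points at a stale stored credential or a service running under a user account.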
Slide 54: ALL THE THINGS!

Slide 55: dcdiag /c

Slides 56–58: (screenshots only, no slide text)
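Slides 31 to 44 and 55 are a checklist of commands to run, and slides 47 and 48 a list of System event IDs to read; the "ALL THE THINGS!" slide is the point where they become one routine. The following PowerShell is an added example, not code from the deck or from the presenter. It runs every read-only check from those slides in order, writes the output to a dated report, and appends any of the listed event IDs seen in the last day. Assumptions: it runs in an elevated prompt on a DC or an admin workstation with RSAT (repadmin, netdom, w32tm, nltest, dcdiag on the path); the report folder is a placeholder, and the domain DN is read from RootDSE in place of the slide's dc=<domain>,dc=<com>.

```powershell
# Added example (not from the Ignite deck): one pass over the read-only checks from
# slides 31-44 and 55, plus the System-log event IDs from slides 47-48, into a report.
# Assumptions: elevated prompt, RSAT tools on the path, report folder below is illustrative.
$reportDir = 'C:\ADChecks\reports'                                      # assumed location
$domainDn  = [string]([ADSI]'LDAP://RootDSE').defaultNamingContext      # e.g. DC=corp,DC=example
$stamp     = Get-Date -Format 'yyyyMMdd-HHmm'
New-Item -ItemType Directory -Path $reportDir -Force | Out-Null
$report    = Join-Path $reportDir "ad-health-$stamp.txt"

# Ordered so the report reads in the same sequence as the slides.
$checks = [ordered]@{
    'Replication summary (slide 31)'    = { repadmin /replsummary }
    'Replication errors (slide 32)'     = { repadmin /showrepl * /errorsonly }
    'Up-to-dateness vector (slide 33)'  = { repadmin /showutdvec * $domainDn }
    'Replication queue (slide 34)'      = { repadmin /queue * }
    'Replication fail cache (slide 35)' = { repadmin /failcache }
    'FSMO role holders (slide 37)'      = { netdom query fsmo }
    'Time configuration (slide 40)'     = { w32tm /query /configuration }
    'Trusts (slide 42)'                 = { nltest /domain_trusts }
    'Clients with no site (slide 44)'   = {
        # Same as: type %systemroot%\debug\netlogon.log | findstr NO_CLIENT_SITE, last 20 hits only.
        Select-String -Path "$env:SystemRoot\debug\netlogon.log" -Pattern 'NO_CLIENT_SITE' -ErrorAction SilentlyContinue |
            Select-Object -Last 20 | ForEach-Object Line
    }
    'dcdiag comprehensive (slide 55)'   = { dcdiag /c }
}

foreach ($name in $checks.Keys) {
    "==== $name ====" | Tee-Object -FilePath $report -Append
    # 2>&1 keeps the tools' error text in the report instead of losing it to the console.
    & $checks[$name] 2>&1 | Out-String | Tee-Object -FilePath $report -Append
}

# System-log event IDs from slides 47 and 48. All of these land in the System log;
# 5774/5775/5781 are written by the NETLOGON source, the others by W32Time, Ntfs,
# DHCP-Server and SAM respectively.
$systemIds = 29, 55, 1056, 16645, 16650, 5774, 5775, 5781
$sysEvents = Get-WinEvent -FilterHashtable @{ LogName = 'System'; Id = $systemIds; StartTime = (Get-Date).AddDays(-1) } `
                          -ErrorAction SilentlyContinue
"==== System events of interest, last 24 h (slides 47-48) ====" | Tee-Object -FilePath $report -Append
if ($sysEvents) {
    $sysEvents |
        Select-Object TimeCreated, Id, ProviderName, @{ n = 'Message'; e = { ($_.Message -split "`n")[0] } } |
        Format-Table -AutoSize | Out-String | Tee-Object -FilePath $report -Append
} else {
    'none' | Tee-Object -FilePath $report -Append
}

"Report written to $report"
```

The two w32tm /config lines from slide 39 are deliberately left out, since they change state rather than report it: the /manualpeerlist form belongs on the PDC emulator, which should be the only DC syncing from external sources, and the /syncfromflags:domhier form on every other DC. Run the script from a scheduled task on each DC, or once from an admin workstation for the repadmin and netdom checks, which already cover all DCs via the * target.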
Slide 59: Azure

Slide 60: Azure Active Directory Connect – Synchronization Service Manager

Slide 61: Azure Active Directory Connect – Synchronization Service Manager
- status = success
- Office Settings -> Organization profile -> Technical Contact

Slide 62: Azure Active Directory Connect Health
- Requires Azure AD Premium
- Requires agent on each identity server
- Out-of-the-box monitoring – very little configuration
- Monitors AD DS & AD FS + AADC sync info

Slide 63: Azure Active Directory Connect Health (screenshot)
Slide 64: Continue your Ignite learning path
- Pass-the-Hash Attacks
- Securing Active Directory: Best Practices
- Microsoft Security Compliance Manager
- Advanced Audit Policies
- LAPS

Slide 65: Continue your Ignite learning path
- AD Security & Administration
- Regular AD Maintenance & Checks
- FGPPs & PSOs
- Advanced Audit Policy EventID info
- DC Security Logs

Slide 66: Contact me!
- Twitter: @girlgerms (best way!)
- LinkedIn:
- Blog:

Slide 67: Questions?