
Welcome to the GIG Event 1. MICROSOFT ACTIVE DIRECTORY SERVICES Presenter: Avinesh MCP, MCTS 2.


1 Welcome to the GIG Event

2 MICROSOFT ACTIVE DIRECTORY SERVICES
Presenter: Avinesh MCP, MCTS

3 What is ADS?
Active Directory is a database that keeps track of all the user accounts and passwords in your organization. It allows you to store your user accounts and passwords in one protected location, improving your organization's security. Active Directory is subdivided into one or more domains. A domain is a security boundary. Each domain is hosted by a server computer called a domain controller (DC). A domain controller manages all of the user accounts and passwords for a domain.

4 Active Directory Structure
(diagram: hierarchical structure, from the base object up through Objects, OU, Domain, Domain Tree and Forest)

5 (diagram: "Communications Today" versus "Future of Communications"; authentication, administration, storage and compliance for e-mail and calendaring, instant messaging, telephony and voice mail, and unified audio, video and web conferencing, delivered on-premises, hybrid or in the cloud)

6 Domain Controllers on VMs
How do you back up your domain controllers running on virtual machines?
Taking a snapshot? What are the side effects?

7 Active Directory Security Fundamentals
Forests, Domains, Trusts, Kerberos, OUs, Group Policy (GPOs), ACLs, Authentication, Authorization, Replication, FSMOs, Delegation

8 Securing Active Directory
Planning, Creating, Maintaining, Best Practices

9 Planning AD Security
Considerations upon deployment of AD DCs
– Datacenter (Microsoft Online Services)
  Centralized and secure (ADFS and single sign-on)
  High-end performance (uptime guarantee)
– Branch Offices
  Lack of IT expertise
  Slow connectivity to the rest of the organization

10 Planning AD Security
Identifying Types of Threats
– Spoofing
– Data Tampering
– Repudiation
– Information Disclosure
– Denial of Service
– Elevation of Privilege
Identifying Sources of Threats
– Anonymous Users
– Authenticated Users
– Service Administrators
– Data Administrators
– Users with Physical Access

11 Establishing Secure AD Boundaries
Delegation of Administration
– Needs to be flexible, limited, secure, dynamic, and meet the needs of the organization based upon its need for autonomy and isolation
Forest/Domain Model
Establish Secure Trusts

12 Deploying Secure Domain Controllers
Ensure predictable, repeatable, and secure domain controller deployments.
– Create a strong administrator password: 9 characters, non-dictionary, symbols, etc.
– Use TCP/IP only if possible
– Disable non-essential services: IIS, Messenger, SMTP, Telnet, etc.
– Format partitions with NTFS
– Install the latest service packs and security updates
– Prohibit the use of cached credentials when unlocking the DC console
– Install anti-virus scanning software
– Maintain secure physical access to domain controllers

13 Best Practices
Domain Policies
– Password Policies: History, Age, Length, Complexity
– Lockout Policy: Duration, Threshold, Reset

14 Best Practices
Domain Controller Policies
– User Rights: Log on locally, System shutdown
– Enable Auditing: Account logon, Account management, Directory service access, Logon events, Policy changes, System events
– Event Logging: Security log size set to 128 MB; Retention set to overwrite events as needed
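An added PowerShell check (my example, not code from the presentation) that reads the domain password and lockout policy and the Security log configuration and reports where they fall short of the practices on slides 12 to 14. It assumes the RSAT ActiveDirectory module is available and that it runs on a domain controller; the numeric thresholds marked "assumed" are mine, not the presenter's.

```powershell
# Added example, not from the presentation: audit the settings slides 12-14
# list (password policy, lockout policy, Security log size and retention).
# Assumes the RSAT ActiveDirectory module and a run on a domain controller.
Import-Module ActiveDirectory

$MinLength        = 9       # slide 12: 9-character administrator passwords
$MinHistory       = 24      # assumed
$MaxAgeDays       = 90      # assumed
$MaxLockoutTries  = 10      # assumed: lock out after at most 10 bad attempts
$SecurityLogBytes = 128MB   # slide 14

$findings = @()
$p = Get-ADDefaultDomainPasswordPolicy
if ($p.MinPasswordLength -lt $MinLength)     { $findings += "MinPasswordLength is $($p.MinPasswordLength) (want >= $MinLength)" }
if (-not $p.ComplexityEnabled)               { $findings += 'Password complexity is not enforced' }
if ($p.PasswordHistoryCount -lt $MinHistory) { $findings += "PasswordHistoryCount is $($p.PasswordHistoryCount) (want >= $MinHistory)" }
if ($p.ReversibleEncryptionEnabled)          { $findings += 'Reversible password encryption is enabled' }
# A zero (or negative) maximum age is treated as "passwords never expire"
if ($p.MaxPasswordAge.TotalDays -le 0 -or $p.MaxPasswordAge.TotalDays -gt $MaxAgeDays) {
    $findings += "MaxPasswordAge is $($p.MaxPasswordAge.TotalDays) days (want 1..$MaxAgeDays)"
}
# A zero lockout threshold means accounts are never locked out
if ($p.LockoutThreshold -eq 0 -or $p.LockoutThreshold -gt $MaxLockoutTries) {
    $findings += "LockoutThreshold is $($p.LockoutThreshold) (want 1..$MaxLockoutTries)"
}
Write-Output ("Lockout duration {0} min, reset window {1} min" -f `
    $p.LockoutDuration.TotalMinutes, $p.LockoutObservationWindow.TotalMinutes)

# Security log configuration on this DC (size and retention mode)
$log = Get-WinEvent -ListLog Security
if ($log.MaximumSizeInBytes -lt $SecurityLogBytes) { $findings += "Security log max size is $($log.MaximumSizeInBytes / 1MB) MB (want >= 128 MB)" }
if ($log.LogMode -ne 'Circular')                  { $findings += "Security log retention is $($log.LogMode) (want Circular = overwrite as needed)" }

if ($findings.Count -eq 0) { Write-Output 'All checked settings meet the baseline.' }
else { $findings | ForEach-Object { Write-Output "FINDING: $_" } }
```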

15 Best Practices
Secure Service Admin Accounts
– Enterprise Admins
– Schema Admins
– Administrators
– Domain Admins (rename this account)
– Server Operators
– Account Operators
– Backup Operators
Best Practices
– Rename the administrator account
– Limit the number of service admin accounts
– Separate administrator accounts from end-user accounts

16 Deploy Secure DNS
Protecting DNS Servers
– Use Active Directory-integrated DNS zones.
– Implement secure updates between DNS clients and servers.
– Protect the DNS cache on domain controllers.
– Monitor network activity.
– Close all unused firewall ports.
Protecting DNS Data
– Use secure dynamic update.
– Ensure that third-party DNS servers support secure dynamic update.
– Ensure that only trusted individuals are granted DNS administrator privileges.
– Set ACLs on DNS data.
– Use separate internal and external namespaces.

17 Maintaining Secure AD Operations
Maintain Baseline Information
– Create a baseline database of Active Directory infrastructure information:
  Audit policies
  List of GPOs and their assignments
  List of trusts
  List of domain controllers and administrative workstations
  Service administrators
  Operations masters (FSMO roles)
  Replication topology
  Database size (.DIT file)
  OS version, service packs, hotfixes, anti-virus version
– Detect and verify infrastructure changes

18 Maintaining Secure AD Operations
Monitoring the AD Infrastructure
– Collect information in real time or at specified time intervals:
  Security event logs
– Compare this data with previous data or against a threshold value.
– Respond to a security alert as directed in your organization's practices.
– Summarize security monitoring in one or more regularly scheduled reports.
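The collect-compare-respond loop of slide 18, as an added PowerShell example (mine, not the presentation's): it pulls Security events from the last interval for the account-management and policy-change categories slide 14 enables, compares them with simple thresholds, and prints the alerts an operator would act on. The interval, the lockout threshold and the group list are assumptions; the event IDs and data field names are those of the Windows Security log, and lockout events (4740) are recorded on the PDC emulator.

```powershell
# Added example, not from the presentation: one collection interval of the
# slide-18 monitoring loop, run on a domain controller. Interval, thresholds
# and the watched-group list are assumptions.
$IntervalMinutes  = 15          # assumed collection interval
$LockoutThreshold = 20          # assumed: lockouts per interval before alerting
$WatchedGroups    = 'Domain Admins','Enterprise Admins','Schema Admins','Administrators'
$since = (Get-Date).AddMinutes(-$IntervalMinutes)

# 4728/4732/4756: member added to a global/local/universal security group
# 4719: system audit policy changed   4740: account locked out (logged on the PDC emulator)
$filter = @{ LogName = 'Security'; Id = 4728,4732,4756,4719,4740; StartTime = $since }
$events = @(Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue)

function Get-EventData($event) {
    # Map each <Data Name="..."> element of the event's XML to a hashtable entry
    $h = @{}
    foreach ($d in ([xml]$event.ToXml()).Event.EventData.Data) { $h[$d.Name] = $d.'#text' }
    return $h
}

$alerts = @(); $lockouts = 0
foreach ($e in $events) {
    $d = Get-EventData $e
    switch ($e.Id) {
        { $_ -in 4728,4732,4756 } {
            # TargetUserName is the group, MemberName the added member, SubjectUserName the actor
            if ($d.TargetUserName -in $WatchedGroups) {
                $alerts += "$($e.TimeCreated) $($d.SubjectUserName) added $($d.MemberName) to '$($d.TargetUserName)'"
            }
        }
        4719 { $alerts += "$($e.TimeCreated) audit policy changed by $($d.SubjectUserName)" }
        4740 { $lockouts++ }
    }
}
# Threshold comparison: a burst of lockouts is worth a look even if each one is benign
if ($lockouts -gt $LockoutThreshold) {
    $alerts += "$lockouts account lockouts in $IntervalMinutes minutes (threshold $LockoutThreshold)"
}

if ($alerts.Count -eq 0) { Write-Output "No alerts in the last $IntervalMinutes minutes." }
else { $alerts | ForEach-Object { Write-Output "ALERT: $_" } }
```

Schedule it at the interval you chose, and route the ALERT lines to whatever your organization's response procedure expects (ticket, SIEM, pager).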

19 Maintaining Secure AD Operations
Monitoring the AD Infrastructure
– Monitoring Forest-level Changes
  Detect changes in the Active Directory schema.
  Identify when domain controllers are added or removed.
  Detect changes in replication topology.
  Detect changes in LDAP policies.
  Detect changes in forest-wide operations master roles.

20 Maintaining Secure AD Operations
Monitoring Domain-level Changes
– Detect changes in domain-wide operations master roles.
– Detect changes in trusts.
– Detect changes in GPOs for the Domain container and the Domain Controllers OU.
– Detect changes in GPO assignments for the Domain container and the Domain Controllers OU.
– Detect changes in the membership of the built-in groups.
– Detect changes in the audit policy settings for the domain.
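A baseline-and-diff script covering the items of slides 17 and 20 that can be read straight from the directory (FSMO roles, domain controllers, trusts, service admin group membership), as an added PowerShell example that is mine, not the presentation's. It assumes the RSAT ActiveDirectory module; the baseline file location and the list of watched groups are assumptions, and the first run only writes the baseline.

```powershell
# Added example, not from the presentation: snapshot the domain-level items of
# slides 17 and 20 and report what changed since the saved baseline.
# Assumes the RSAT ActiveDirectory module; path and group list are assumptions.
Import-Module ActiveDirectory
$BaselinePath  = "$env:ProgramData\ad-domain-baseline.json"   # assumed location
$WatchedGroups = 'Enterprise Admins','Schema Admins','Domain Admins','Administrators','Account Operators','Server Operators','Backup Operators'

function Get-DomainSnapshot {
    $d = Get-ADDomain; $f = Get-ADForest
    $snap = [ordered]@{
        FsmoRoles = [ordered]@{ SchemaMaster = $f.SchemaMaster; DomainNamingMaster = $f.DomainNamingMaster
                                PDCEmulator = $d.PDCEmulator; RIDMaster = $d.RIDMaster
                                InfrastructureMaster = $d.InfrastructureMaster }
        DomainControllers = @(Get-ADDomainController -Filter * | ForEach-Object HostName | Sort-Object)
        Trusts = @(Get-ADTrust -Filter * | ForEach-Object { "$($_.Name) ($($_.Direction))" } | Sort-Object)
        Groups = [ordered]@{}
    }
    foreach ($g in $WatchedGroups) {
        # Enterprise Admins and Schema Admins exist only in the forest root domain
        try   { $snap.Groups[$g] = @(Get-ADGroupMember -Identity $g -ErrorAction Stop | ForEach-Object SamAccountName | Sort-Object) }
        catch { $snap.Groups[$g] = @() }
    }
    return $snap
}
function Get-ListChanges([string]$label, $old, $new) {
    # Set difference in both directions; Where-Object drops nulls from an absent list
    $out = @()
    foreach ($x in @($new | Where-Object { $_ })) { if ($x -notin @($old)) { $out += "$label added: $x" } }
    foreach ($x in @($old | Where-Object { $_ })) { if ($x -notin @($new)) { $out += "$label removed: $x" } }
    return $out
}
function Compare-Snapshot($old, $new) {
    # $old comes from JSON (PSCustomObject), $new is the live ordered hashtable
    $changes = @()
    foreach ($r in $new.FsmoRoles.Keys) {
        if ($old.FsmoRoles.$r -ne $new.FsmoRoles.$r) { $changes += "FSMO $r moved: $($old.FsmoRoles.$r) -> $($new.FsmoRoles.$r)" }
    }
    $changes += @(Get-ListChanges 'Domain controller' $old.DomainControllers $new.DomainControllers)
    $changes += @(Get-ListChanges 'Trust' $old.Trusts $new.Trusts)
    foreach ($g in $new.Groups.Keys) { $changes += @(Get-ListChanges "Member of '$g'" $old.Groups.$g $new.Groups.$g) }
    return $changes
}

$current = Get-DomainSnapshot
if (-not (Test-Path $BaselinePath)) {
    $current | ConvertTo-Json -Depth 5 | Set-Content -Path $BaselinePath
    Write-Output "Baseline written to $BaselinePath; run again later to diff against it."
} else {
    $changes = @(Compare-Snapshot (Get-Content $BaselinePath -Raw | ConvertFrom-Json) $current)
    if ($changes.Count -eq 0) { Write-Output 'No changes since baseline.' }
    else { $changes | ForEach-Object { Write-Output "CHANGE: $_" } }
}
```

Keep the baseline file where only service admins can write it, since a tampered baseline hides exactly the changes the script exists to catch.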

21 Best Practices
DNS
– Use AD-integrated zones if at all possible
– Use forwarders instead of secondaries (eliminates text-based zone files)
– Treat DNS admins as service admins

22 Best Practices
DHCP
Configure so that:
– Client updates the A record
– DHCP service updates the PTR record

23 Best Practices
DC policies
– Enable auditing
– Disable anonymous connections
– Digitally sign client communications
– Disable cached credentials

24 Best Practices
FSMO placement
– Implications per role
– Availability
– Survivability

25 Best Practices
Group Memberships
– Severely limit membership in administrative groups
– Set ACLs on groups so that only service admins can modify service admin groups
– Remove everyone from the Schema Administrators group (add someone back in when needed)
– Audit changes to service admin groups

26 Best Practices
Monitoring
– Monitor for any unexpected DC outages (can indicate an attack)
– Monitor for unexpected query loads (can indicate a DoS attack)
– Monitor for disk space use (can indicate a replicating DoS attack)
– Monitor for DNS request traffic (can indicate a DoS attack on DNS)

27 Best Practices
Service Administration
– Create separate admin and user accounts
– Create a separate service admin OU
– Establish secure admin workstations (don't give admin privileges on the workstation)
– Use secure updates (NTLM) between admin workstations and DCs
– Use the "log on locally" policy to limit service admin logons to specific admin workstations

28 Best Practices
Data Administration
– Always use NTFS
– Use encryption where appropriate

29 Thank You
Q and A?

