
1 Best Practice: Why reinvent the wheel?

2 Quick AD overview
  - Domain controllers
  - Member servers
  - Client computers
  - User accounts
  - Group accounts
  - OUs
  - GPOs

3 Commonly Leveraged Vulnerabilities
  - Most security gaps are unintentional
  - Estimated 97% can be fixed or avoided
  - Entry point
    - Only need one
  - Initial targets
    - Attractive accounts for credential theft

4 Misconfiguration
  - In Active Directory
    - Accounts with elevated privileges
  - On Domain Controller (DC)
    - Consider it Critical Infrastructure
  - Operating systems
    - Inconsistency

5 Activities Likely to Increase Compromise
  - High privileged accounts are usually the targets
  - Not maintaining separate admin credentials
  - Logging into unsecure computers
  - Browsing the internet
  - Same credentials on all local machines
  - Improper management

6 Reduce AD Attack Surface
  - Principle of least privilege
    - Users should have the least privileges needed to complete the task.
  - Privileged accounts are dangerous accounts
  - Model privilege reduction in every area of the network

7 Reducing Privileges
  - The larger the organization, the more complex and the more difficult it is to secure
  - Securing local administrator accounts
    - Workstations
    - Member servers
  - Securing local privileged accounts in AD
  - Built-in admin accounts
    - Audit changes to this account
  - Securing Administrator, Domain Admin and Enterprise Admin groups
  - Securing Domain Admins Group
  - Securing Administrators Groups

8 Role-Based Access Controls (RBAC)
  - Grouping users based on daily tasks and access needs, e.g.:
    - Accounting
    - Marketing
  - Controls unnecessary privileges
  - Simplest implementation -> roles in AD DS
  - Commercial, off-the-shelf (COTS) available

9 Privileged Identity/Account Management
  - Design, creation and implementation used to manage privileged accounts
  - Manually created or third-party software

10 Robust Authentication Controls
  - Exponential growth in credential theft attacks due to widely available tools
  - Identify accounts most likely to be targeted
  - Do not use single-factor authentication

11 Secure Administrative Hosts
  - Never administer a trusted system from an insecure host.
  - Do not rely on a single authentication factor
  - Do not ignore physical security
  - Even if the organization does not use smart cards, consider using them for privileged accounts
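The slides on reducing privileges, robust authentication and secure administrative hosts name checks that can be scripted. The following is an added example, not part of the presentation: a PowerShell function that flags privileged-group members who can still log on with a password alone, have non-expiring passwords, or look stale. The function name, the 90-day threshold and the sample accounts are assumptions made for illustration.

```powershell
# Added example (not from the presentation). Evaluates account records that
# carry the properties returned by Get-ADUser and reports policy gaps.
function Get-PrivilegedAccountFinding {
    param(
        [Parameter(Mandatory, ValueFromPipeline)]
        [object]$Account,
        [int]$StaleDays = 90,            # assumed threshold, tune per policy
        [datetime]$Now = (Get-Date)
    )
    process {
        $findings = @()
        if ($Account.Enabled -and -not $Account.SmartcardLogonRequired) {
            $findings += 'single-factor logon allowed'
        }
        if ($Account.PasswordNeverExpires) {
            $findings += 'password never expires'
        }
        if ($Account.Enabled -and $Account.LastLogonDate -and
            ($Now - $Account.LastLogonDate).TotalDays -gt $StaleDays) {
            $findings += "no logon in more than $StaleDays days"
        }
        [pscustomobject]@{
            Group    = $Account.Group
            Account  = $Account.SamAccountName
            Findings = $findings -join '; '
        }
    }
}

# Constructed sample records (hypothetical accounts) so the check runs offline.
$sample = @(
    [pscustomobject]@{ Group = 'Domain Admins'; SamAccountName = 'adm-alice'; Enabled = $true
        SmartcardLogonRequired = $true; PasswordNeverExpires = $false; LastLogonDate = (Get-Date).AddDays(-2) }
    [pscustomobject]@{ Group = 'Enterprise Admins'; SamAccountName = 'svc-backup'; Enabled = $true
        SmartcardLogonRequired = $false; PasswordNeverExpires = $true; LastLogonDate = (Get-Date).AddDays(-200) }
)
$sample | Get-PrivilegedAccountFinding | Where-Object Findings | Format-Table -AutoSize

# Against a live domain (assumes the RSAT ActiveDirectory module is installed):
# 'Administrators', 'Domain Admins', 'Enterprise Admins' | ForEach-Object {
#     $g = $_
#     Get-ADGroupMember -Identity $g -Recursive | Where-Object objectClass -eq 'user' |
#         Get-ADUser -Properties LastLogonDate, PasswordNeverExpires, SmartcardLogonRequired |
#         Select-Object *, @{ n = 'Group'; e = { $g } }
# } | Get-PrivilegedAccountFinding | Where-Object Findings
```

Only `svc-backup` is reported for the sample data, with all three findings; `adm-alice` passes every check and is filtered out.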

12 Securing DC Against Attack
  - Same practices already discussed
  - Physical security
  - Limit RDP
  - Patch
  - Security Configuration Wizard
  - Microsoft Security Compliance Manager
  - Block Internet access on DC
  - Perimeter firewall restrictions
  - DC firewall

13 Signs of Compromise
  - Windows Audit Policy
  - Events to monitor
  - AD objects and attributes to monitor
  - Classify security events

14 Planning for Compromise
  - “It is generally well-accepted that if an attacker has obtained SYSTEM, Administrator, root, or equivalent access to a computer, regardless of operating system, that computer can no longer be considered trustworthy, no matter how many efforts are made to ‘clean’ the system. Active Directory is no different.”
  - Prevention is better than reaction

15

| #  | Best Practice | Tactical or Strategic | Preventative or Detective |
|----|---------------|-----------------------|---------------------------|
| 1  | Patch applications. | Tactical | Preventative |
| 2  | Patch operating systems. | Tactical | Preventative |
| 3  | Deploy and promptly update antivirus and antimalware software across all systems and monitor for attempts to remove or disable it. | Tactical | Both |
| 4  | Monitor sensitive Active Directory objects for modification attempts and Windows for events that may indicate attempted compromise. | Tactical | Detective |
| 5  | Protect and monitor accounts for users who have access to sensitive data. | Tactical | Both |
| 6  | Prevent powerful accounts from being used on unauthorized systems. | Tactical | Preventative |
| 7  | Eliminate permanent membership in highly privileged groups. | Tactical | Preventative |
| 8  | Implement controls to grant temporary membership in privileged groups when needed. | Tactical | Preventative |
| 9  | Implement secure administrative hosts. | Tactical | Preventative |
| 10 | Use application whitelisting on domain controllers, administrative hosts, and other sensitive systems. | Tactical | Preventative |
| 11 | Identify critical assets, and prioritize their security and monitoring. | Tactical | Both |
| 12 | Implement least-privilege, role-based access controls for administration of the directory, its supporting infrastructure, and domain-joined systems. | Strategic | Preventative |
| 13 | Isolate legacy systems and applications. | Tactical | Preventative |
| 14 | Decommission legacy systems and applications. | Strategic | Preventative |
| 15 | Implement secure development lifecycle programs for custom applications. | Strategic | Preventative |
| 16 | Implement configuration management, review compliance regularly, and evaluate settings with each new hardware or software version. | Strategic | Preventative |
| 17 | Migrate critical assets to pristine forests with stringent security and monitoring requirements. | Strategic | Both |
| 18 | Simplify security for end users. | Strategic | Preventative |
| 19 | Use host-based firewalls to control and secure communications. | Tactical | Preventative |
| 20 | Patch devices. | Tactical | Preventative |
| 21 | Implement business-centric lifecycle management for IT assets. | Strategic | N/A |
| 22 | Create or update incident recovery plans. | Strategic | N/A |

16 Sources
  - Best Practices for Securing Active Directory. (2013). 314.
  - Melber, D. (n.d.). The Administrator Shortcut Guide to Active Directory Security.

