
1 Efi Bregman Principal Consultant Microsoft Consulting Services Israel

2 Session Objectives and Takeaways
Session Objectives:
- Identify the key new AD DS features in WS08
- Explain the value of deploying these features
- Demonstrate these features in real-life scenarios
Key Takeaways:
- Understand when and how to deploy the key new AD DS features

3 Key Investment areas: Security, Manageability, Branch Office


5 Windows 2008 Branch Office Benefits (diagram: Hub Site, Branch Office)
Security:
- BitLocker
- Server Core
- Read-Only Domain Controller
- Admin Role Separation
Optimization:
- SYSVOL replication
- DFS Replication protocols
Administration:
- Print Management Console
- PowerShell, WinRS, WinRM
- Virtualization
- Restartable Active Directory

6 Branch Office Dilemma
- Small number of employees
- WAN: congested, unreliable
- Security: uncertain
- Admin proficiency: generalist
(diagram: HQ Data Center, Hub Network, Branch Office)

7 Branch Office Dilemma
Option 1: Consolidate and remove DCs from the branch
- Branch authentication and authorization fail when the WAN goes down
Option 2: Put a full DC in the branch
- Either give the branch admin privileges or manage it remotely
- A compromised branch DC jeopardizes the security of the corporate AD!!!
(diagram: Branch Office, HQ Data Center, Hub Network)

8 So how can we deploy a Domain Controller in this environment?!

9 Read-Only Domain Controller
Admin Role Separation:
- The server admin does NOT need to be a Domain Admin
- Prevents the branch admin from accidentally causing harm to the AD
- Delegated promotion
Password Replication Policy:
- Policy to configure caching of branch-specific passwords (secrets) on the RODC
- Policy to filter schema attributes from replicating to the RODC
- Passwords not cached by default
1-Way Replication:
- No replication from the RODC to a full DC
- An attack on the RODC does not propagate to the AD

10 RODC – Attacker “experience”
Attacker: Let’s intercept Domain Admin credentials sent to this RODC.
RODC: With Admin Role Separation, the Domain Admin doesn’t need to log in to me.
Attacker: Let’s steal this RODC.
RODC: By default I do not have any secrets cached. I do not hold any custom app-specific attributes either.
Attacker: Let’s tamper with data on this RODC and use its identity.
RODC: I have a read-only database. Also, no other DC in the enterprise replicates data from me.
Attacker: Damn!

11 RODC Mitigates “Stolen DC” – Hub Admin Perspective

12 Read-Only Domain Controller – How it works (diagram: Branch with RODC, Hub with Full DC)
1. Logon request sent to the RODC
2. RODC looks in its DB: "I don't have the user's secrets"
3. Forwards the request to a full DC
4. Full DC authenticates the user
5. Returns the authentication response and TGT back to the RODC
6. RODC gives the TGT to the user and queues a replication request for the secrets
7. Hub DC checks the Password Replication Policy to see if the password can be replicated

13 Read-Only Domain Controller – Recommended Deployment Models
No accounts cached (default)
- Pro: Most secure; still provides fast authentication and policy processing
- Con: No offline access for anyone
Most accounts cached
- Pro: Ease of password management; delivers the manageability improvements of RODC, not the security ones
- Con: More passwords potentially exposed on the RODC
Few accounts (branch-specific accounts) cached
- Pro: Enables offline access for those who need it and maximizes security for everyone else
- Con: Fine-grained administration is a new task
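To make the logon flow of slide 12 and the caching trade-off of slide 13 concrete, here is an added example (not Microsoft's code) that models an RODC forwarding a logon to the hub and the hub's Password Replication Policy check; the accounts, groups, credential values and the "denied wins over allowed" rule as coded here are assumptions of this model.

```python
# Added example (not Microsoft's code): models the RODC logon flow of slide 12
# and the Password Replication Policy (PRP) check behind slide 13's models.
# Accounts, groups and credential values are constructed.
from dataclasses import dataclass, field

@dataclass
class PasswordReplicationPolicy:
    allowed: set = field(default_factory=set)  # may be cached; empty = slide 13 default
    denied: set = field(default_factory=set)   # never cached; denied wins over allowed
    def may_cache(self, user, groups):
        principals = {user} | set(groups)
        return not (principals & self.denied) and bool(principals & self.allowed)

class HubDC:
    def __init__(self, secrets, membership, prp):
        self.secrets, self.membership, self.prp = secrets, membership, prp
        self.replicated = []  # secrets actually released to the RODC
    def authenticate(self, user, proof):
        return self.secrets.get(user) == proof
    def replicate_secret(self, user):
        # Step 7: the hub consults the PRP before releasing a secret.
        if not self.prp.may_cache(user, self.membership.get(user, set())):
            return None
        self.replicated.append(user)
        return self.secrets[user]

class RODC:
    def __init__(self, hub):
        self.hub, self.cache = hub, {}
    def logon(self, user, proof, wan_up=True):
        if user in self.cache:                      # step 2: secret held locally
            return (self.cache[user] == proof, "rodc")
        if not wan_up:                              # slide 13: no offline access
            return (False, "offline")
        if not self.hub.authenticate(user, proof):  # steps 3-5: forwarded to hub
            return (False, "hub")
        secret = self.hub.replicate_secret(user)    # step 6: replication request
        if secret is not None:
            self.cache[user] = secret
        return (True, "hub")

def branch_scenario():
    """Few-accounts model: branch users get cached, Domain Admins never do."""
    prp = PasswordReplicationPolicy(allowed={"BranchUsers"}, denied={"Domain Admins"})
    hub = HubDC({"alice": "h1", "bob": "h2"},
                {"alice": {"BranchUsers"}, "bob": {"BranchUsers", "Domain Admins"}}, prp)
    rodc = RODC(hub)
    online = [rodc.logon("alice", "h1"), rodc.logon("bob", "h2")]
    offline = [rodc.logon("alice", "h1", False), rodc.logon("bob", "h2", False)]
    return online, offline, sorted(rodc.cache), hub.replicated
```

With the WAN up both users authenticate through the hub; once it is down only the cached branch user still logs on, and the admin's secret never reached the RODC.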

14 Read-Only Domain Controller – Upgrade path from a Windows 2003 domain
Deployment steps:
1. ADPREP /ForestPrep (not RODC specific)
2. ADPREP /DomainPrep (not RODC specific)
3. Promote a Windows Server 2008 DC (not RODC specific)
4. Verify the Forest Functional Mode is Windows 2003 (not RODC specific)
5. ADPREP /RodcPrep (RODC-specific task)
6. Promote the RODC (RODC-specific task)
Test RODCs for application compatibility in your environment

15 Read-Only Domain Controller – Delegated Administrator (“Local Roles”)
Delegated RODC promotion:
- Attach the machine to the RODC slot
- Specify RODC parameters
- Pre-create the RODC account


17 Read-Only Domain Controller – Install-from-media Promotion
- NTDSUtil > IFM
- During creation of the RODC IFM:
  - “Secrets” are removed
  - The DIT is defragged to remove free space

18 Branch Office & Replication Optimization
- DFS-R replication provides more robust and detailed replication of SYSVOL contents
- Requires Windows Server 2008 Domain Mode

19 Key Investment areas: Security, Manageability, Branch Office

20 Directory Service Auditing
New Directory Service Changes events. Event logs tell you exactly:
- Who made a change
- When the change was made
- What object/attribute was changed
- The beginning and end values
Auditing controlled by:
- Global audit policy
- SACL
- Schema
Event ID | Event type | Event description
5136 | Modify | This event is logged when a successful modification is made to an attribute in the directory.
5137 | Create | This event is logged when a new object is created in the directory.
5138 | Undelete | This event is logged when an object is undeleted in the directory.
5139 | Move | This event is logged when an object is moved within the domain.
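As an added example (not from the slides or from Microsoft), the following correlates the four event IDs above into the who/when/what/before-after view the slide promises; the records are constructed in a simplified key=value layout rather than the real Security log text, and the folding of a "Value Deleted" plus "Value Added" pair into one modification is an assumption about how 5136 events are emitted.

```python
# Added example (not Microsoft's code): correlates Directory Service Changes
# events 5136-5139 from slide 20 into who/when/what/before-after rows.
# The records are constructed and use a simplified key=value layout, not the
# exact text of the Windows Security log.
import re

EVENT_TYPES = {5136: "Modify", 5137: "Create", 5138: "Undelete", 5139: "Move"}
FIELD = re.compile(r"(\w+)=(.*?)(?= \w+=|$)")   # key=value, values may hold spaces

SAMPLE_EVENTS = [  # constructed sample records
    "time=2008-03-01T09:14:05Z id=5136 user=CONTOSO\\jdoe "
    "dn=CN=Bob,OU=Branch,DC=contoso,DC=com attr=description op=Value Deleted value=Clerk",
    "time=2008-03-01T09:14:05Z id=5136 user=CONTOSO\\jdoe "
    "dn=CN=Bob,OU=Branch,DC=contoso,DC=com attr=description op=Value Added value=Manager",
    "time=2008-03-01T09:20:41Z id=5137 user=CONTOSO\\jdoe dn=CN=Svc1,OU=Branch,DC=contoso,DC=com",
    "time=2008-03-01T09:31:00Z id=5139 user=CONTOSO\\admin "
    "dn=CN=Bob,OU=HQ,DC=contoso,DC=com old_dn=CN=Bob,OU=Branch,DC=contoso,DC=com",
]

def parse_event(line):
    rec = dict(FIELD.findall(line))
    rec["id"] = int(rec["id"])
    rec["type"] = EVENT_TYPES.get(rec["id"], "Unknown")
    return rec

def summarize(lines):
    """Return rows of who/when/type/object/old/new. A 5136 modification is
    assumed to arrive as a 'Value Deleted' event plus a 'Value Added' event for
    the same attribute; the pair is folded into one Modify row with both values."""
    rows, pending = [], {}
    for rec in map(parse_event, lines):
        if rec["id"] == 5136:
            key = (rec["time"], rec["user"], rec["dn"], rec["attr"])
            row = pending.get(key)
            if row is None:
                row = {"when": rec["time"], "who": rec["user"], "type": "Modify",
                       "object": rec["dn"], "attr": rec["attr"], "old": None, "new": None}
                pending[key] = row
                rows.append(row)
            row["old" if rec["op"] == "Value Deleted" else "new"] = rec["value"]
        else:
            rows.append({"when": rec["time"], "who": rec["user"], "type": rec["type"],
                         "object": rec["dn"], "attr": None,
                         "old": rec.get("old_dn"), "new": None})
    return rows

def changes_by(rows, who):
    """Filter for the 'who made a change' question on slide 20."""
    return [r for r in rows if r["who"] == who]
```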

21 Fine-Grained Password Policies – Overview
Granular administration of password and lockout policies within a domain
Usage examples:
- Administrators: strict setting (passwords expire every 14 days)
- Service accounts: moderate setting (passwords expire every 31 days, minimum password length 32 characters)
- Average user: “light” setting (passwords expire every 90 days)

22 Fine-Grained Password Policies – At a glance
Policies can be applied to:
- Users
- Global security groups
Does NOT apply to:
- Computer objects
- Organizational Units
Multiple policies can be associated with a user, but only one applies

23 Fine-Grained Password Policies – Example (diagram)
Password Settings Object PSO 1: Precedence = 10
Password Settings Object PSO 2: Precedence = 20
Both PSOs apply to the same targets; the resultant PSO for each target = PSO 1 (the lower precedence value wins)
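The resolution rule behind slides 22 and 23, as an added example that is not part of the deck or of Microsoft's tooling: it enforces the user/global-group-only linking of slide 22 and resolves the slide 23 case; the direct-link-beats-group and smallest-GUID tie-break rules coded here are assumptions taken from the documented resultant-PSO logic, and the PSO names, ages and memberships are constructed.

```python
# Added example (not Microsoft's code): computes the resultant Password
# Settings Object for a user as slides 22 and 23 describe. PSO names, GUIDs and
# memberships are constructed.
import uuid
from dataclasses import dataclass, field

@dataclass(frozen=True)
class PSO:
    name: str
    precedence: int                       # msDS-PasswordSettingsPrecedence
    max_age_days: int
    applies_to: frozenset = frozenset()   # users and global security groups only
    guid: uuid.UUID = field(default_factory=uuid.uuid4)

def link_pso(pso, target, kind):
    """Slide 22: PSOs link to users and global security groups, never to
    computers or OUs."""
    if kind not in ("user", "globalGroup"):
        raise ValueError(f"PSOs cannot be applied to {kind} objects")
    return PSO(pso.name, pso.precedence, pso.max_age_days,
               pso.applies_to | {target}, pso.guid)

def resultant_pso(user, groups, psos):
    """Return the one PSO that applies, or None for the Default Domain Policy.
    A PSO linked directly to the user beats any group-linked PSO; among the
    remaining candidates the lowest precedence value wins, and an exact tie
    is broken by the smallest objectGUID (assumed from the documented rule)."""
    def best(candidates):
        return min(candidates, key=lambda p: (p.precedence, p.guid.int), default=None)
    direct = [p for p in psos if user in p.applies_to]
    if direct:
        return best(direct)
    return best([p for p in psos if p.applies_to & frozenset(groups)])

def slide_23_example():
    """Two PSOs on the same group, precedence 10 and 20: PSO1 wins."""
    pso1 = link_pso(PSO("PSO1", 10, 14), "Admins", "globalGroup")
    pso2 = link_pso(PSO("PSO2", 20, 90), "Admins", "globalGroup")
    winner = resultant_pso("alice", {"Admins", "Domain Users"}, [pso1, pso2])
    return winner.name, winner.max_age_days
```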

24 Fine-Grained Password Policies – Design step-by-step
Requires Windows Server 2008 Domain Functional Mode
1. Create mirror groups for different sets of users
2. Create PSOs for different password policies
3. Apply PSOs to users/groups
4. Delegate administration of the mirror groups

25 Fine-Grained Password Policies – Administration
- The feature itself can be delegated
- By default, only Domain Admins can:
  - Create and read PSOs
  - Apply a PSO to a group or user

26 Key Investment areas: Security, Manageability, Branch Office

27 Restartable AD DS
- Without a reboot you can now perform offline defragmentation
- With the DS stopped the server behaves like a member server: NTDS.dit is offline
- You can log on locally with the DSRM password
- Server Core + Restartable AD DS: fewer reboots for servicing

28 ADUC: Prevent Object Deletion (screenshots: Existing Object/OU, New Organizational Unit)

29 Database Mounting Tool – Backup/Recovery
- Allows the administrator to choose the best backup
- Best practice: schedule NTDSUtil.exe to take regular snapshots of AD DS
- Note: the tool is not used for restoring objects
Components (diagram):
- NTDSUTIL.EXE takes VSS snapshots of the Directory Service
- DSAMAIN.EXE exposes snapshots as LDAP servers
- LDP.EXE or Active Directory Users & Computers views the read-only Directory Service data

30 Group Policy Enhancements
- Over 700 new settings: power options, removable media, Windows Firewall configuration, printer management …
- Transition to ADMX files
- Additional management features:
  - Add comments to individual GPOs and settings
  - Search and filter on settings and comments
  - Create Starter GPOs for easier reuse

31 Summary – Key features in Active Directory Directory Services 2008
- Read-Only Domain Controller
- Fine-Grained Password Policies
- Enhanced Auditing Capabilities
- Restartable AD DS
- AD DS Database Mounting Tool
- DFS-R SYSVOL Replication

32 Resources
Read-Only Domain Controller: http://technet2.microsoft.com/windowsserver2008/en/library/ea8d253e-0646-490c-93d3-b78c5e1d9db71033.mspx
Fine-Grained Password Policies: http://technet2.microsoft.com/windowsserver2008/en/library/056a73ef-5c9e-44d7-acc1-4f0bade6cd751033.mspx
Restartable AD DS: http://technet2.microsoft.com/windowsserver2008/en/library/caa05f49-210f-4f4c-b33f-c8ad50a687101033.mspx

33 Resources
Enhanced Auditing Capabilities:
http://technet2.microsoft.com/windowsserver2008/en/library/ad35ab51-2e85-41e9-91f7-ccedf2fc98241033.mspx
http://technet2.microsoft.com/windowsserver2008/en/library/a9c25483-89e2-4202-881c-ea8e02b4b2a51033.mspx
AD DS Database Mounting Tool (“SnapView”):
http://technet2.microsoft.com/windowsserver2008/en/library/4503d762-0adf-494f-a08b-cf502ecb76021033.mspx?mfr=true

34 © 2007 Microsoft Corporation. All rights reserved. Microsoft, Windows, Windows Vista and other product names are or may be registered trademarks and/or trademarks in the U.S. and/or other countries. The information herein is for informational purposes only and represents the current view of Microsoft Corporation as of the date of this presentation. Because Microsoft must respond to changing market conditions, it should not be interpreted to be a commitment on the part of Microsoft, and Microsoft cannot guarantee the accuracy of any information provided after the date of this presentation. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION.
