
Securing AD DS (Microsoft course 10969A, Module 3: Securing AD DS)


1 Securing AD DS (Module 3)

Presentation: 70 minutes. Lab: 60 minutes.

After completing this module, students will be able to:
- Secure domain controllers.
- Implement password and lockout policies.
- Implement authentication auditing.

Required materials: To teach this module, you need the Microsoft Office PowerPoint file 10969A_3.pptx. Important: We recommend that you use PowerPoint 2007 or a newer version to display the slides for this course. If you use PowerPoint Viewer or an older version of PowerPoint, some of the features of the slides might not display correctly.

Preparation tasks. To prepare for this module:
- Read all of the materials for this module.
- Practice performing the demonstrations.
- Practice performing the labs.
- Work through the Module Review and Takeaways section, and determine how you will use this section to reinforce student learning and promote knowledge transfer to on-the-job performance.

As you prepare for this class, it is imperative that you complete the labs yourself so that you understand how they work and the concepts that are covered in each. This will enable you to provide meaningful hints to students who might experience difficulties in a lab; it also will help guide your lecture to ensure that you cover the concepts that the labs cover.

2 Module Overview

- Lesson 1: Securing Domain Controllers
- Lesson 2: Implementing Password and Lockout Policies
- Lesson 3: Implementing Audit Authentication

3 Lesson 1: Securing Domain Controllers

Topics: Domain Controller Security Risks; Modifying the Security Settings of Domain Controllers; Minimizing the Attack Surface of Domain Controllers; Implementing Secure Authentication; Securing Physical Access to Domain Controllers; What Are RODCs?; Deploying an RODC; Planning and Configuring RODC Credential Caching; Administrator Role Separation.

4 Domain Controller Security Risks

Domain controllers are a prime target for attacks and the most important resource to secure. Security risks include:
- Network security
- Authentication attacks
- Elevation of privilege
- Denial of service
- Operating system, service, or application attacks
- Operational risks
- Physical security threats

Briefly explain the importance of securing domain controllers properly. Do not go into great detail; more information is covered in the following topics.

5 Modifying the Security Settings of Domain Controllers

Use a GPO to apply the same security settings to all domain controllers. Consider custom GPOs linked to the Domain Controllers OU. Security settings include:
- Account policies, such as passwords and account lockout
- Local policies, such as auditing, user rights, and security options
- Event log configuration
- Secure system services
- Windows Firewall with Advanced Security
- Public key policies
- Advanced auditing

Explain why students should use Group Policy Objects (GPOs) to apply security settings to specific groups of servers, such as domain controllers, and what the common security settings are.

6 Minimizing the Attack Surface of Domain Controllers

To minimize the attack surface on domain controllers, you should:
- Establish update management processes
- Increase the security of communication protocols: secure LDAP (LDAP signing and LDAPS), IPsec, and SMB signing
- Secure the operating system by using a security baseline (in Windows Server 2012 the Security Configuration Wizard, SCW; SCW was removed in Windows Server 2016, where the Security Compliance Toolkit baselines take its place), a Server Core installation, and BitLocker Drive Encryption
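The two preceding slides (a custom GPO for the Domain Controllers OU, and LDAP and SMB signing) can be put into practice with the GroupPolicy module. The following script is an added example, not code from the 10969A courseware: it creates a hardening GPO, sets the registry values that back the "LDAP server signing requirements" and "Digitally sign communications (always)" security options, links the GPO to the Domain Controllers OU, and provides a check to run on a DC afterwards. The GPO name is an assumption; the domain is whatever the session is joined to.

```powershell
# Added example (not from the courseware). Requires the RSAT GroupPolicy and
# ActiveDirectory modules and rights to create and link GPOs.
Import-Module GroupPolicy
Import-Module ActiveDirectory

$gpoName = 'DC Hardening Baseline'                      # assumption
$dcOu    = (Get-ADDomain).DomainControllersContainer     # OU=Domain Controllers,DC=adatum,DC=com

$gpo = Get-GPO -Name $gpoName -ErrorAction SilentlyContinue
if (-not $gpo) {
    $gpo = New-GPO -Name $gpoName -Comment 'Security settings applied to every domain controller'
}

# Security option "Domain controller: LDAP server signing requirements" = Require signing.
# Backing value: LDAPServerIntegrity, 1 = None, 2 = Require signing.
Set-GPRegistryValue -Name $gpoName `
    -Key 'HKLM\SYSTEM\CurrentControlSet\Services\NTDS\Parameters' `
    -ValueName 'LDAPServerIntegrity' -Type DWord -Value 2 | Out-Null

# "Microsoft network server: Digitally sign communications (always)" and the
# matching client setting = Enabled. Backing value: RequireSecuritySignature = 1.
foreach ($svc in 'LanmanServer', 'LanmanWorkstation') {
    Set-GPRegistryValue -Name $gpoName `
        -Key "HKLM\SYSTEM\CurrentControlSet\Services\$svc\Parameters" `
        -ValueName 'RequireSecuritySignature' -Type DWord -Value 1 | Out-Null
}

# Link to the Domain Controllers OU once, enforced so a later GPO cannot relax it.
$alreadyLinked = (Get-GPInheritance -Target $dcOu).GpoLinks |
    Where-Object DisplayName -eq $gpoName
if (-not $alreadyLinked) {
    New-GPLink -Name $gpoName -Target $dcOu -LinkEnabled Yes -Enforced Yes | Out-Null
}

# Run on a DC after "gpupdate /force": every property should be 2 / True / True.
function Test-DcSigningSettings {
    $ntds = Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Services\NTDS\Parameters'
    [pscustomobject]@{
        LdapServerIntegrity      = $ntds.LDAPServerIntegrity
        SmbServerSigningRequired = (Get-SmbServerConfiguration).RequireSecuritySignature
        SmbClientSigningRequired = (Get-SmbClientConfiguration).RequireSecuritySignature
    }
}
Test-DcSigningSettings
```

Set-GPRegistryValue writes these as registry policy entries, so GPMC shows them under "Extra Registry Settings" rather than under Security Options; the effect on the DC is the same. Before requiring LDAP signing, check the DC's Directory Service log for event 2887 (unsigned or simple binds seen), because any application still doing simple binds without TLS will stop authenticating once the policy applies.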

7 Implementing Secure Authentication

Consider the following factors when implementing secure authentication:
- Secure user accounts and passwords
- Secure groups with elevated permissions
- Audit critical object changes
- Deploy secure authentication, such as smart cards
- Secure network activity
- Establish deprovisioning and cleanup processes
- Secure client computers

Discuss these aspects of security with your students. Keep in mind that read-only domain controllers (RODCs), password and account lockout policies, and auditing are covered in the following topics and lessons.

8 Securing Physical Access to Domain Controllers

When securing physical access to your domain controllers, consider the following:
- RODCs for locations where the server cannot be physically secured
- BitLocker Drive Encryption
- Hot-swap disk systems can lead to theft of a domain controller's disks
- Protect virtual disks: virtual machine administrators must be highly trusted, because they can copy a domain controller's disk
- Store backups in secure locations

9 What Are RODCs?

The slide diagram contrasts the two sites:

Data center: a writable Windows Server domain controller. Its password replication policy specifies which user and computer passwords can be cached by the RODC.

Branch office: the RODC holds all objects but only a subset of attributes, holds no secrets, and is not writable. When users sign on, the RODC forwards the authentication to a writable domain controller; the password is cached on the RODC only if the password replication policy allows it. The RODC has its own local administrators group.

10 Deploying an RODC

Prerequisites:
- Adprep /rodcprep (forest preparation for RODCs)
- Sufficient Windows Server 2008 or newer writable domain controllers to act as replication partners for the RODCs

One-step deployment:
- Server Manager: Add Roles and Features, then the Active Directory Domain Services Configuration Wizard
- Windows PowerShell: Install-ADDSDomainController -ReadOnlyReplica

Two-step deployment (pre-staging and delegated promotion):
- Create the account: Active Directory Administrative Center or Add-ADDSReadOnlyDomainControllerAccount
- Join the RODC as the delegated administrator: Server Manager, or Install-ADDSDomainController -UseExistingAccount (attaches the server to the pre-created RODC account; the site, DNS and global catalog options, and the read-only flag come from that account)
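The two-step deployment on the slide, as an added example that is not part of the courseware. Step 1 runs on a writable DC as a Domain Admin and pre-stages the account; step 2 runs on the branch server as the delegated administrator, who needs no rights in AD DS beyond the delegation. The names MUC-RODC1, Munich, Thorsten and adatum.com follow the module's demonstration; the allow-group name is an assumption.

```powershell
# Added example (not from the courseware). Requires the ADDSDeployment and
# ActiveDirectory modules on the DC.
Import-Module ADDSDeployment
Import-Module ActiveDirectory

# --- Step 1: on a writable domain controller, as a Domain Admin ---
# If the forest has never held an RODC, run "adprep /rodcprep" first from the
# \support\adprep folder of the Windows Server installation media.
Add-ADDSReadOnlyDomainControllerAccount `
    -DomainControllerAccountName 'MUC-RODC1' `
    -DomainName 'adatum.com' `
    -SiteName 'Munich' `
    -DelegatedAdministratorAccountName 'ADATUM\Thorsten' `
    -AllowPasswordReplicationAccountName @('ADATUM\Munich Allowed RODC Password Replication Group') `
    -InstallDns `
    -Credential (Get-Credential -Message 'Domain Admin')

# The pre-staged account is a disabled computer object in the Domain Controllers OU
# until the branch server claims it. ManagedBy is the delegated administrator.
Get-ADComputer -Identity 'MUC-RODC1' -Properties Enabled, ManagedBy |
    Select-Object Name, Enabled, ManagedBy

# --- Step 2: on the branch server, as the delegated administrator ---
# The server's computer name must equal the pre-staged account name (MUC-RODC1).
function Invoke-DelegatedRodcPromotion {
    param(
        [string]$DomainName = 'adatum.com',
        [pscredential]$Credential = (Get-Credential -Message 'Delegated RODC admin, e.g. ADATUM\Thorsten')
    )
    Install-WindowsFeature -Name AD-Domain-Services -IncludeManagementTools | Out-Null
    # -UseExistingAccount attaches this server to the pre-staged RODC account; the
    # site, DNS/GC options and the read-only flag all come from that account, which
    # is why the delegated admin needs no Domain Admins membership.
    Install-ADDSDomainController -DomainName $DomainName -UseExistingAccount `
        -Credential $Credential `
        -SafeModeAdministratorPassword (Read-Host -AsSecureString -Prompt 'DSRM password') `
        -Force
}
# Invoke-DelegatedRodcPromotion      # run this line on the branch server only
```

Domain Admins, Enterprise Admins and the other built-in administrative groups are already members of the Denied RODC Password Replication Group, so their secrets are never cached on the RODC without an explicit allow entry.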

11 Planning and Configuring RODC Credential Caching

A password replication policy determines which users' credentials are cached on a specific RODC. You configure this caching by using:
- The domain-wide password replication policy (membership of the Allowed RODC Password Replication Group and the Denied RODC Password Replication Group)
- An RODC-specific password replication policy (the Allow and Deny lists on each RODC's computer account)
- The RODC filtered attribute set (attributes that are never replicated to any RODC)

12 Demonstration: Configure a Password Replication Policy

In this demonstration, you will see how to:
- Stage a delegated installation of an RODC
- View an RODC's password replication policy
- Configure an RODC-specific password replication policy
- Verify the resultant password replication policy

When you have completed the demonstration, leave the virtual machines running for the subsequent demonstrations.

Preparation Steps: For this demonstration, you will need the 10969A-LON-DC1 and 10969A-LON-DC2 virtual machines. Sign in as Adatum\Administrator with the password Pa$$w0rd.

Demonstration Steps

Stage a delegated installation of an RODC
1. On LON-DC1, in Server Manager, click Tools, and then click Active Directory Sites and Services.
2. In Active Directory Sites and Services, in the navigation pane, click Sites. From the Action menu, click New Site.
3. In the New Object – Site dialog box, in the Name field, type Munich, select the DEFAULTIPSITELINK site link object, and then click OK. In the Active Directory Domain Services message box, click OK.
4. Switch to Server Manager, click Tools, and then click Active Directory Administrative Center.
5. In Active Directory Administrative Center, in the navigation pane, click Adatum (local), and then in the details pane, double-click the Domain Controllers organizational unit (OU).
6. In the Tasks pane, in the Domain Controllers section, click Pre-create a Read-only domain controller account.
7. In the Active Directory Domain Services Installation Wizard, on the Welcome page, click Next. On the Network Credentials page, click Next.
8. On the Specify the Computer Name page, type the computer name MUC-RODC1, and then click Next.
9. On the Select a Site page, click Munich, and then click Next.
10. On the Additional Domain Controller Options page, accept the default settings (the DNS server and Global catalog check boxes are selected), and then click Next.
11. On the Delegation of RODC Installation and Administration page, click Set. In the Select User or Group dialog box, in the Enter the object name to select field, type Thorsten, and then click Check Names. Verify that Thorsten Scholl is resolved, and then click OK. Click Next.
12. On the Summary page, review your selection, and then click Next. On the Completing the Active Directory Domain Services Installation Wizard page, click Finish.

View an RODC's password replication policy
1. In Active Directory Administrative Center, in the Domain Controllers OU, select MUC-RODC1. In the Tasks pane, in the MUC-RODC1 section, click Properties.
2. In the MUC-RODC1 (Disabled) Properties dialog box, scroll down to Extensions, and then click the Password Replication Policy tab.
3. Review the default groups, users, and computers in the Password Replication Policy. Leave the dialog box open.

Configure an RODC-specific password replication policy
1. Switch to Server Manager, click Tools, and then click Active Directory Users and Computers.
2. In the navigation pane, expand Adatum.com, and then click Users. On the Action menu, click New, and then click Group.
3. In the New Object – Group dialog box, enter the group name Munich Allowed RODC Password Replication Group, and then click OK.
4. Double-click Munich Allowed RODC Password Replication Group, click the Members tab, and then click Add.
5. In the Select Users, Contacts, Computers, Service Accounts, or Groups dialog box, in the Enter the object names to select text box, type Anne, and then click Check Names. In the Multiple Names Found dialog box, select Anne-Mette Stolze, and then click OK. Click OK in the Select Users, Contacts, Computers, Service Accounts, or Groups dialog box, and then click OK in the Munich Allowed RODC Password Replication Group Properties dialog box. Close Active Directory Users and Computers.
6. Switch to Active Directory Administrative Center, and open the MUC-RODC1 Properties. In the Extensions section, on the Password Replication Policy tab, click Add.
7. In the Add Groups, Users and Computers dialog box, click Allow passwords for the account to replicate to this RODC, and then click OK.
8. In the Select Users, Computers, Service Accounts, or Groups dialog box, in the Enter the object names to select text box, type Munich, click Check Names, and then click OK. In the MUC-RODC1 (Disabled) dialog box, click OK.

Verify the resultant password replication policy
1. In Active Directory Administrative Center, in the Tasks pane, in the MUC-RODC1 section, click Properties.
2. In the MUC-RODC1 (Disabled) Properties dialog box, in the Extensions section, on the Password Replication Policy tab, click Advanced.
3. In the Advanced Password Replication Policy for MUC-RODC1 dialog box, note that the default view lists the accounts whose passwords are stored on this RODC.
4. In the Display users and computers that meet the following criteria drop-down list box, click Accounts that have been authenticated to this Read-only Domain Controller, and note that this shows only accounts that have already been authenticated through this RODC.
5. On the Resultant Policy tab, click Add. In the Select Users or Computers dialog box, in the Enter the object name to select field, type Anne-Mette, click Check Names, and then click OK. Note that Anne-Mette has a Resultant Setting of Allow.
6. Close or cancel all dialog boxes.
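The credential-caching topic and the demonstration above, done with the ActiveDirectory module instead of the GUI. This is an added example, not code from the courseware: it creates the allow group, adds it to the RODC's policy, answers the two questions the Advanced dialog answers (which accounts are cached, which have authenticated) and evaluates the resultant setting for one user. Names follow the demonstration; the sAMAccountName used for Anne-Mette is an assumption.

```powershell
# Added example (not from the courseware). Run on a writable DC as a Domain Admin.
Import-Module ActiveDirectory
$rodc  = 'MUC-RODC1'
$group = 'Munich Allowed RODC Password Replication Group'
$user  = 'Anne-Mette'                 # sAMAccountName is an assumption

if (-not (Get-ADGroup -Filter "Name -eq '$group'")) {
    New-ADGroup -Name $group -GroupScope Global -GroupCategory Security `
        -Path (Get-ADDomain).UsersContainer
}
Add-ADGroupMember -Identity $group -Members $user

# Current RODC-specific policy: the default entries are the domain-wide
# Allowed/Denied RODC Password Replication Groups plus the built-in admin groups.
Get-ADDomainControllerPasswordReplicationPolicy -Identity $rodc |
    Select-Object Name, objectClass

# Add the branch group to this RODC's Allow list (the PRP tab's "Allow" entry).
Add-ADDomainControllerPasswordReplicationPolicy -Identity $rodc -AllowedList $group

# Accounts whose secrets this RODC holds right now: this is the exposure if the
# RODC is stolen, and what the Advanced dialog shows by default.
Get-ADDomainControllerPasswordReplicationPolicyUsage -Identity $rodc -RevealedAccounts |
    Select-Object Name, objectClass

# Accounts that have authenticated through this RODC: candidates to allow
# explicitly, or to investigate if they should not be in the branch at all.
Get-ADDomainControllerPasswordReplicationPolicyUsage -Identity $rodc -AuthenticatedAccounts |
    Select-Object Name, objectClass

# Resultant setting for one account against one RODC (Allow, Deny, ...),
# the same answer as the Resultant Policy tab.
function Get-RodcResultantSetting {
    param([Parameter(Mandatory)][string]$Account, [string]$Rodc = $rodc)
    Get-ADAccountResultantPasswordReplicationPolicy -Identity $Account -DomainController $Rodc
}
Get-RodcResultantSetting -Account $user      # Allow, once the group is on the allow list

# An Allow entry does not cache anything by itself; the secret arrives when the user
# next authenticates through the RODC. To pre-populate it (e.g. before a WAN outage):
$pdc = (Get-ADDomain).PDCEmulator
Sync-ADObject -Object (Get-ADUser $user).DistinguishedName -Source $pdc -Destination $rodc -PasswordOnly
```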

16 Administrator Role Separation

- Allows non-domain administrators to perform local administrative tasks on the RODC without holding any rights in AD DS
- Each RODC maintains a local Security Accounts Manager database of groups for specific administrative purposes
- Configure the local administrator by adding the user or group when pre-creating or installing the RODC, or by adding a user or group on the Managed By tab of the RODC account properties

17 Lesson 2: Implementing Password and Lockout Policies

Topics: Password Policies; Account Lockout Policies; Fine-Grained Password and Lockout Policies; Understanding PSOs; PSO Precedence and Resultant PSO.

18 Password Policies

Set password requirements by using the following settings:
- Enforce password history
- Maximum password age
- Minimum password age
- Minimum password length
- Password must meet complexity requirements. A complex password:
  - Does not contain the user's account name or parts of the user's full name
  - Has at least six characters
  - Contains characters from three of the four groups: uppercase letters, lowercase letters, digits, and special characters

19 Account Lockout Policies

Account lockout policies define whether accounts are locked automatically after several failed logon attempts. To configure these policy settings, you must consider:
- Account lockout duration
- Account lockout threshold
- Reset account lockout counter after

Account lockout policies provide a level of security, but they also give an attacker an easy denial-of-service (DoS) opportunity: anyone who can submit wrong passwords for a known user name can lock that user out.

20 Demonstration: Configure Domain Account Policies

In this demonstration, you will see how to configure:
- A domain-based password policy
- An account lockout policy

Quickly demonstrate how to configure a domain-based password and account lockout policy. When you have completed the demonstration, leave the virtual machines running for the subsequent demonstrations.

Preparation Steps: For this demonstration, you will need the 10969A-LON-DC1 and 10969A-LON-DC2 virtual machines. Sign in as Adatum\Administrator with the password Pa$$w0rd.

Demonstration Steps

Configure a domain-based password policy
1. On LON-DC1, in Server Manager, click Tools, and then click Group Policy Management.
2. In the Group Policy Management Console, expand Forest: Adatum.com\Domains\Adatum.com\Group Policy Objects, right-click Default Domain Policy, and then click Edit.
3. In the Group Policy Management Editor window, in the navigation pane, under Computer Configuration, expand Policies\Windows Settings\Security Settings\Account Policies, double-click Password Policy, and then double-click Enforce password history.
4. In the Enforce password history Properties window, type 20 in the Keep password history for field, click OK, and then double-click Maximum password age.
5. In the Maximum password age Properties window, type 45 in the Password will expire in field, click OK, and then double-click Minimum password age.
6. In the Minimum password age Properties window, ensure that the Password can be changed after field is 1, click OK, and then double-click Minimum password length.
7. In the Minimum password length Properties window, type 10 in the Password must be at least field, click OK, and then double-click Password must meet complexity requirements.
8. In the Password must meet complexity requirements Properties window, click Enabled, and then click OK. Do not close the Group Policy Management Editor window.

Configure an account lockout policy
1. In the Group Policy Management Editor window, in the navigation pane, click Account Lockout Policy, and then double-click Account lockout duration.
2. In the Account lockout duration Properties window, click Define this policy setting, type 30 in the Minutes field, and then click OK.
3. In the Suggested Value Changes window, note the suggested values, including the automatic configuration of Account lockout threshold, click OK, and then double-click Reset account lockout counter after.
4. In the Reset account lockout counter after Properties window, type 15 in the Reset account lockout counter after field, and then click OK.
5. Close the Group Policy Management Editor window and the Group Policy Management Console.
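The same password and lockout values as the demonstration, written and read back with the ActiveDirectory module. This is an added example, not code from the courseware. One caveat matters in production: the Default Domain Policy remains authoritative for these domain attributes, and the PDC emulator reapplies the GPO values at the next policy refresh, so a value set with Set-ADDefaultDomainPasswordPolicy that differs from the GPO is overwritten. Use the cmdlet for labs and for verification; make permanent changes in the GPO. The domain name is read from the session.

```powershell
# Added example (not from the courseware). Requires the ActiveDirectory module
# and Domain Admins rights.
Import-Module ActiveDirectory
$domain = (Get-ADDomain).DNSRoot        # adatum.com in the course environment

# Values from the demonstration. Windows rejects an observation window longer
# than the lockout duration, so the two TimeSpans below must satisfy window <= duration.
Set-ADDefaultDomainPasswordPolicy -Identity $domain `
    -PasswordHistoryCount 20 `
    -MaxPasswordAge (New-TimeSpan -Days 45) `
    -MinPasswordAge (New-TimeSpan -Days 1) `
    -MinPasswordLength 10 `
    -ComplexityEnabled $true `
    -ReversibleEncryptionEnabled $false `
    -LockoutThreshold 5 `
    -LockoutDuration (New-TimeSpan -Minutes 30) `
    -LockoutObservationWindow (New-TimeSpan -Minutes 15)

# Reads the effective domain policy and flags the two things worth checking:
# reversible encryption must stay off, and the window/duration relation must hold.
function Get-DomainPasswordPolicySummary {
    param([string]$Domain = $domain)
    $p = Get-ADDefaultDomainPasswordPolicy -Identity $Domain
    [pscustomobject]@{
        HistoryCount        = $p.PasswordHistoryCount
        MaxAgeDays          = $p.MaxPasswordAge.Days
        MinAgeDays          = $p.MinPasswordAge.Days
        MinLength           = $p.MinPasswordLength
        ComplexityEnabled   = $p.ComplexityEnabled
        ReversibleEncryption= $p.ReversibleEncryptionEnabled
        LockoutThreshold    = $p.LockoutThreshold
        LockoutMinutes      = $p.LockoutDuration.TotalMinutes
        WindowMinutes       = $p.LockoutObservationWindow.TotalMinutes
        WindowWithinDuration= ($p.LockoutObservationWindow -le $p.LockoutDuration)
        ReversibleIsOff     = (-not $p.ReversibleEncryptionEnabled)
    }
}
Get-DomainPasswordPolicySummary
```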

22 Fine-Grained Password and Lockout Policies

You can use fine-grained password policies to specify multiple password policies within a single domain. Fine-grained password policies:
- Apply only to user objects, InetOrgPerson objects, or global security groups
- Cannot be applied directly to an OU
- Do not interfere with custom password filters that you might use in the same domain

23 Understanding PSOs

Windows Server 2012 provides two tools for configuring Password Settings Objects (PSOs):
- Windows PowerShell cmdlets: New-ADFineGrainedPasswordPolicy and Add-ADFineGrainedPasswordPolicySubject
- Active Directory Administrative Center

24 Demonstration: Configuring a Fine-Grained Password Policy

In this demonstration, you will see how to configure and apply a fine-grained password policy. When you have completed the demonstration, leave the virtual machines running for the subsequent demonstrations.

Preparation Steps: For this demonstration, you will need the 10969A-LON-DC1 and 10969A-LON-DC2 virtual machines. Sign in as Adatum\Administrator with the password Pa$$w0rd.

Demonstration Steps
1. On LON-DC1, in Server Manager, click Tools, and then click Active Directory Administrative Center.
2. In Active Directory Administrative Center, in the navigation pane, click Adatum (local). In the details pane, double-click the Managers OU.
3. In the details pane, right-click the Managers group, and then click Properties. Note: Ensure that you open the Properties dialog box for the Managers group, and not the Managers OU.
4. In the Managers window, under Group scope, click Global, and then click OK.
5. In the details pane, double-click the System container. Right-click the Password Settings Container, click New, and then click Password Settings.
6. In the Create Password Settings window, complete the following steps:
   - In the Name field, type ManagersPSO.
   - In the Precedence field, type 10.
   - In the Minimum password length field, type 15.
   - In the Number of passwords remembered field, type 20.
   - In the Enforce maximum password age field, type 30, and then click Enforce account lockout policy.
   - In the Number of failed logon attempts allowed field, type 3.
   - In the Reset failed logon attempts count field, type 30, and then click Until an administrator manually unlocks the account.
   - In the Directly Applies To section, click Add. In the Enter the object names to select text box, type Adatum\Managers, click Check Names, and then click OK.
7. In the Create Password Settings window, click OK. Close Active Directory Administrative Center.

26 PSO Precedence and Resultant PSO

If multiple PSOs apply to a user:
- A PSO applied directly to the user object wins over PSOs that apply through group memberships
- Otherwise, the PSO with the lowest precedence value wins
- If two PSOs have the same precedence value, the PSO with the smallest objectGUID wins

To see which PSO has been applied to a user object, use:
- The msDS-ResultantPSO attribute (a constructed attribute)
- Active Directory Administrative Center: Extensions, Attribute Editor, with the filter Show constructed attributes enabled

Explain that students need to plan PSOs, especially naming conventions, precedence values, and PSO descriptions. The administrative delegation model should also consider who is able to create PSOs and which groups are responsible for communicating the effective PSO settings to users.
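The fine-grained policy from the demonstration and the resultant-PSO check from this slide, done with the two cmdlets the "Understanding PSOs" slide names. This is an added example, not code from the courseware. It assumes the Managers group exists; the member used to test the result is an assumption. One value needs care: the "Until an administrator manually unlocks the account" option in ADAC stores a special value in msDS-LockoutDuration that the cmdlet's TimeSpan parameter does not express directly, so the script creates the PSO with a finite duration and the comment says where to change it.

```powershell
# Added example (not from the courseware). Requires the ActiveDirectory module
# and rights to create PSOs (Domain Admins by default).
Import-Module ActiveDirectory

# PSOs apply only to users, inetOrgPersons and global security groups, so make
# sure Managers is global before applying the policy.
$managers = Get-ADGroup -Identity 'Managers'
if ($managers.GroupScope -ne 'Global') { Set-ADGroup -Identity $managers -GroupScope Global }

# Values from the demonstration. Precedence 10 leaves room for future, even more
# restrictive PSOs (lower value = higher priority).
New-ADFineGrainedPasswordPolicy -Name 'ManagersPSO' `
    -Precedence 10 `
    -MinPasswordLength 15 `
    -PasswordHistoryCount 20 `
    -MaxPasswordAge (New-TimeSpan -Days 30) `
    -MinPasswordAge (New-TimeSpan -Days 1) `
    -ComplexityEnabled $true `
    -ReversibleEncryptionEnabled $false `
    -LockoutThreshold 3 `
    -LockoutObservationWindow (New-TimeSpan -Minutes 30) `
    -LockoutDuration (New-TimeSpan -Minutes 30)
# Assumption: to get "locked until an administrator unlocks", open ManagersPSO in
# ADAC after creation and select that option; the TimeSpan above is a placeholder.

Add-ADFineGrainedPasswordPolicySubject -Identity 'ManagersPSO' -Subjects $managers

# Which PSO wins for a user, shown both via the constructed attribute the slide
# names and via the cmdlet that evaluates it.
function Get-EffectivePso {
    param([Parameter(Mandatory)][string]$User)
    $u = Get-ADUser -Identity $User -Properties 'msDS-ResultantPSO', 'msDS-PSOApplied'
    [pscustomobject]@{
        User            = $u.SamAccountName
        DirectlyApplied = $u.'msDS-PSOApplied'     # PSOs linked to the user itself; these beat group-derived ones
        ResultantPso    = $u.'msDS-ResultantPSO'   # winner after precedence and objectGUID tie-break
        EffectivePolicy = (Get-ADUserResultantPasswordPolicy -Identity $User).Name
    }
}
Get-EffectivePso -User 'Aidan'     # a member of Managers; name is an assumption
```

If ResultantPso is empty the user falls back to the domain policy from the Default Domain Policy, which is the case for a user who is only a member of a group with a non-global scope.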

27 Lesson 3: Implementing Audit Authentication

Topics: Account Logon and Logon Events; Demonstration: Configuring Authentication-Related Audit Policies; Scope Audit Policies; Demonstration: Viewing Logon Events.

28 Account Logon and Logon Events

Advanced audit policies in AD DS provide 53 audit subcategories. Two categories are easily confused:

Account logon events are registered by the system that authenticates the account:
- For domain accounts, the domain controller
- For local accounts, the local computer

Logon events are registered by the machine at which, or to which, a user logs on:
- Interactive logon: the user's system
- Network logon: the server

Ensure that students understand the difference between account logon and logon events.

29 Demonstration: Configuring Authentication-Related Audit Policies

In this demonstration, you will see where the authentication-related audit policies are configured.

Explain to students the four possible configurations of an audit policy. In particular, make sure they understand the difference between Not Defined and Defined for Success, Failure, or both. Point out that, by default, Active Directory Domain Services (AD DS) is configured to audit successful account logon events. Selecting failure events as well produces a more interesting demonstration of event log entries. When you have completed the demonstration, leave the virtual machines running for the subsequent demonstrations.

Preparation Steps: For this demonstration, you will need the 10969A-LON-DC1 and 10969A-LON-DC2 virtual machines. Sign in as Adatum\Administrator with the password Pa$$w0rd.

Demonstration Steps
1. On LON-DC1, in Server Manager, click the Tools menu, and then click Group Policy Management.
2. In the Group Policy Management Console, in the navigation pane, expand Forest: Adatum.com\Domains\Adatum.com\Group Policy Objects, right-click the Default Domain Controllers Policy, and then click Edit.
3. In the Group Policy Management Editor window, in the navigation pane, expand Computer Configuration\Policies\Windows Settings\Security Settings\Local Policies, and then click Audit Policy.
4. In the details pane, double-click Audit account logon events, and then show the configuration options:
   - If the Define these policy settings check box is selected, the policy is applied.
   - If only Success is selected, only success audits are logged; if only Failure is selected, only failure audits are logged.
   - If multiple GPOs define the setting differently, the Success and Failure options are taken from the last GPO applied that defines the setting. If one GPO defines success audits and another defines failure audits, they are not merged.
5. On the Explain tab, show and discuss the explanation. Click Cancel to close the Audit account logon events Properties dialog box.
6. Repeat steps 4 and 5 with the Audit logon events policy.
7. In the Group Policy Management Editor window, in the navigation pane, navigate to Computer Configuration\Policies\Windows Settings\Security Settings\Advanced Audit Policy Configuration\Audit Policies, and then click Audit Policies.
8. Show the 10 main categories in Audit Policies, and then click Account Logon.
9. Show the four subcategories, and then double-click Audit Kerberos Authentication Service.
10. Show that the subcategory has the same Success and Failure settings as the Audit account logon events setting, and explain that the subcategories are more detailed and allow more selective auditing. Select Configure the following audit events, select Success and Failure, and then click Apply.
11. On the Explain tab, show and discuss the explanation, the default settings, and the predicted auditing volume. Click OK to close the Audit Kerberos Authentication Service Properties dialog box.
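The Account Logon subcategories the demonstration edits in the Default Domain Controllers Policy, set locally with auditpol.exe and read back as objects, as an added example that is not from the courseware. It also enables Directory Service Changes, which the lab's requirement to audit all changes to users and groups needs, and sets the security option that makes the subcategory settings override the legacy category settings so the two cannot fight. Run it elevated on a DC. A GPO that defines the same subcategories overwrites local auditpol settings at the next Group Policy refresh, so this is for labs and for verifying what a GPO actually produced; permanent settings belong in the GPO.

```powershell
# Added example (not from the courseware). Run elevated on a domain controller.
$subcategories = @(
    'Kerberos Authentication Service',     # 4768 / 4771: TGT requests, pre-auth failures
    'Kerberos Service Ticket Operations',  # 4769: service ticket requests
    'Credential Validation',               # 4776: NTLM validation on the DC
    'Other Account Logon Events',
    'Directory Service Changes'            # 5136 / 5137 / 5141: attribute and object changes
)

function Set-AuditSubcategory {
    param([string[]]$Name, [switch]$Success, [switch]$Failure)
    foreach ($n in $Name) {
        $s = if ($Success) { 'enable' } else { 'disable' }
        $f = if ($Failure) { 'enable' } else { 'disable' }
        auditpol.exe /set "/subcategory:$n" "/success:$s" "/failure:$f" | Out-Null
        if ($LASTEXITCODE -ne 0) { throw "auditpol /set failed for '$n'" }
    }
}

function Get-AuditSubcategory {
    param([string[]]$Name)
    foreach ($n in $Name) {
        # /r prints CSV with the columns Machine Name, Policy Target, Subcategory,
        # Subcategory GUID, Inclusion Setting, Exclusion Setting
        auditpol.exe /get "/subcategory:$n" /r | ConvertFrom-Csv |
            Select-Object Subcategory, 'Inclusion Setting'
    }
}

# Security option "Audit: Force audit policy subcategory settings (Windows Vista or
# later) to override audit policy category settings". Without it the nine legacy
# categories on the Audit Policy node can override what was set per subcategory.
Set-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa' `
    -Name 'SCENoApplyLegacyAuditPolicy' -Value 1 -Type DWord

Set-AuditSubcategory -Name $subcategories -Success -Failure
Get-AuditSubcategory -Name $subcategories | Format-Table -AutoSize
# Expected Inclusion Setting for each row: "Success and Failure"
```

Directory Service Changes produces events only for objects whose SACL audits the operation; if no 5136 events appear after a test change, check the Auditing tab on the object or on the domain head, which by default covers common changes to users and groups.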

31 Scope Audit Policies

The slide diagram shows where each category belongs: account logon events are audited on the domain controllers through the Default Domain Controllers Policy, whereas logon events for specific computer groups (Remote Desktop Servers, HR clients) are audited through custom GPOs linked to those computers.

32 Demonstration: Viewing Logon Events

In this demonstration, you will see how to view logon events. After completing this demonstration, revert all virtual machines.

Preparation Steps: For this demonstration, you will need the 10969A-LON-DC1 and 10969A-LON-DC2 virtual machines. Sign in as Adatum\Administrator with the password Pa$$w0rd.

Demonstration Steps
1. On LON-DC1, on the Start screen, type cmd, and then click Command Prompt. Type gpupdate /force, press Enter, and wait until the policy has been updated.
2. Switch to the Start screen. In the upper-right corner, click Administrator, and then click Sign Out.
3. On LON-DC1, attempt to sign in as Adatum\Benno with an incorrect password. You will get a message that the user name or password is incorrect. Click OK.
4. Sign in as Adatum\Administrator with the password Pa$$w0rd. Wait until the logon is finished and Server Manager has started.
5. In Server Manager, click Tools, and then click Event Viewer. In Event Viewer, in the navigation pane, expand Windows Logs, and then click Security.
6. In the details pane, locate Event ID 4771 (Kerberos pre-authentication failed), and show that it is an Audit Failure event. Double-click it and show that it was logged when Adatum\Benno tried to log on with the wrong password. Click Close.
7. Locate the corresponding Audit Success event for the Administrator logon. Double-click it and show that it was logged when Adatum\Administrator logged on successfully. Click Close.
8. Close Event Viewer.
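Reading the same Security log with PowerShell, as an added example that is not from the courseware. The script parses Event ID 4771 records by field name (rather than by positional index), decodes the Kerberos status code so a wrong password can be told from a locked or expired account, and groups failures by source address, which makes a password-spraying pattern (one source, many accounts) stand out next to the single failed attempt the demonstration produces. It assumes the Security log is readable (run elevated on the DC) and that Kerberos Authentication Service failure auditing is enabled, as in the previous demonstration.

```powershell
# Added example (not from the courseware). Run elevated on a domain controller.
$KerberosStatus = @{
    '0x6'  = 'KDC_ERR_C_PRINCIPAL_UNKNOWN (no such account)'
    '0x12' = 'KDC_ERR_CLIENT_REVOKED (disabled, expired or locked out)'
    '0x17' = 'KDC_ERR_KEY_EXPIRED (password expired)'
    '0x18' = 'KDC_ERR_PREAUTH_FAILED (wrong password)'
}

# Turns one 4771 event into a flat record using the EventData field names.
function ConvertFrom-KerberosPreAuthFailure {
    param([Parameter(ValueFromPipeline)] $Event)
    process {
        [xml]$xml = $Event.ToXml()
        $data = @{}
        foreach ($d in $xml.Event.EventData.Data) { $data[$d.Name] = $d.InnerText }
        [pscustomobject]@{
            TimeCreated = $Event.TimeCreated
            Account     = $data['TargetUserName']
            Source      = ($data['IpAddress'] -replace '^::ffff:', '')   # strip IPv4-mapped prefix
            Status      = $data['Status']
            Reason      = $KerberosStatus[$data['Status']]
        }
    }
}

function Get-KerberosPreAuthFailure {
    param([int]$MaxEvents = 500, [datetime]$Since = (Get-Date).AddHours(-24))
    Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4771; StartTime = $Since } `
        -MaxEvents $MaxEvents -ErrorAction SilentlyContinue |
        ConvertFrom-KerberosPreAuthFailure
}

# Groups wrong-password failures per source; many distinct accounts from one
# source within the window is the spray signature (threshold is an assumption).
function Find-SprayPattern {
    param([Parameter(ValueFromPipeline)] $Failure, [int]$AccountThreshold = 5)
    begin { $all = @() }
    process { $all += $Failure }
    end {
        $all | Where-Object Status -eq '0x18' | Group-Object Source | ForEach-Object {
            $accounts = @($_.Group.Account | Sort-Object -Unique)
            [pscustomobject]@{
                Source           = $_.Name
                Attempts         = $_.Count
                DistinctAccounts = $accounts.Count
                Suspicious       = ($accounts.Count -ge $AccountThreshold)
                Accounts         = ($accounts -join ', ')
            }
        }
    }
}

# Usage on the DC after the demonstration: Benno's attempt shows as 0x18 from the DC's own address.
Get-KerberosPreAuthFailure | Format-Table TimeCreated, Account, Source, Reason -AutoSize
Get-KerberosPreAuthFailure | Find-SprayPattern | Format-Table -AutoSize
```

NTLM failures do not produce 4771; on the DC they appear as 4776 (Credential Validation) and on the target machine as 4625, so a complete picture of failed authentication needs both.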

33 Lab: Securing AD DS

Remind students to revert the lab machines as shown in the last lab task.

Exercise 1: Implementing Security Policies for Accounts, Passwords, and Administrative Groups

It is important to A. Datum that all management processes are as secure as possible to help prevent a possible security breach. The company has identified its business requirements regarding account logons and password security. In this exercise, you will define and implement the Group Policy settings to meet the company's requirements.

Supporting Documentation

Logon Information. Virtual machines: 10969A-LON-DC1, 10969A-LON-DC2, 10969A-LON-SVR1. User name: Adatum\Administrator. Password: Pa$$w0rd.

A. Datum GPO strategy proposal

Requirements overview. A. Datum has identified the following requirements regarding account logon and password policies:
- All users must use a password that is at least eight characters long. For IT administrators, the minimum length must be 10 characters.
- Passwords for all users must be complex and stored securely.
- All users, except IT administrators, must change their password every 60 days or less. IT administrators must change their password every 30 days or less.
- If users enter the wrong password more than five times within 20 minutes, their accounts must be locked. For normal users, accounts are unlocked automatically after one hour. For IT administrators, accounts must be locked after three incorrect password attempts. IT administrator accounts are never unlocked automatically; an administrator must unlock the account.
- IT administrator accounts include all members of the IT group and the Domain Admins group.
- No user should be able to reuse any of their 10 most recent passwords.
- The membership list for the local Administrators group on all member servers must be limited to only the local Administrator account, the Domain Admins group, and the IT group.
- The Domain Admins group must include only the Administrator account.
- The Enterprise Admins and Schema Admins groups must be empty during normal operations. Users must be added explicitly to these groups only when they need to perform tasks that require this level of administrative rights.
- Other built-in groups, such as Account Operators and Server Operators, should contain no members. If users are added to one of these groups, they should be removed automatically from the group.
- All changes made to user objects and security groups in AD DS must be audited.

Estimated Time: 45 minutes

34 Proposals

List the settings that need to be configured to meet A. Datum's requirements regarding password policies and account lockout. For each setting, record the configuration for all users and the configuration for IT administrators:
- Enforce password history
- Maximum password age
- Minimum password age
- Minimum password length
- Passwords must meet complexity requirements
- Store password using reversible encryption
- Account lockout duration
- Account lockout threshold
- Reset account lockout counter after

Questions:
- How can you configure IT administrators to have different password and account lockout settings than regular users?
- How can you identify IT administrators in terms of more restricted password and account lockout settings?
- How can you meet the requirement to limit the membership list for the local Administrators group on all member servers to only the local Administrator account, the Domain Admins group, and the IT group?
- How can you meet the requirement that the Domain Admins group must include only the Administrator account and that the Enterprise Admins and Schema Admins groups must be empty during normal operations?
- How can you meet the requirement that other built-in groups, such as Account Operators and Server Operators, must not contain members?
- How can you meet the requirement that you must audit all changes to AD DS?
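The privileged-group requirements in the lab (Domain Admins holds only Administrator; Enterprise Admins, Schema Admins, Account Operators and Server Operators are empty) are normally enforced with a Restricted Groups GPO, which re-applies the membership at every refresh. The following script is an added example, not part of the lab answer key: it is the audit and cleanup companion to that GPO, checking the groups by well-known SID so renamed groups or a renamed Administrator account are still found, reporting every member that the requirement does not allow, and removing them when -Remediate is given. It assumes the ActiveDirectory module and Domain Admins rights.

```powershell
# Added example (not from the lab). Requires the ActiveDirectory module.
Import-Module ActiveDirectory

$domainSid = (Get-ADDomain).DomainSID.Value

# Group SID -> SIDs allowed as direct members. Well-known RIDs: 500 Administrator,
# 512 Domain Admins, 518 Schema Admins, 519 Enterprise Admins; builtin 548/549 are
# Account Operators / Server Operators. Schema/Enterprise Admins exist only in the
# forest root domain, so their lookup may fail in a child domain and is skipped.
$policy = @{
    "$domainSid-512" = @("$domainSid-500")
    "$domainSid-519" = @()
    "$domainSid-518" = @()
    'S-1-5-32-548'   = @()
    'S-1-5-32-549'   = @()
}

# Returns one record per disallowed direct member; removes it when -Remediate is set.
function Test-PrivilegedGroupMembership {
    param([switch]$Remediate)
    foreach ($groupSid in $policy.Keys) {
        try   { $group = Get-ADGroup -Identity $groupSid }
        catch { continue }
        $allowed = $policy[$groupSid]
        foreach ($member in Get-ADGroupMember -Identity $group) {
            if ($allowed -contains $member.SID.Value) { continue }
            [pscustomobject]@{
                Group      = $group.Name
                Member     = $member.SamAccountName
                Class      = $member.objectClass
                Remediated = [bool]$Remediate
            }
            if ($Remediate) {
                Remove-ADGroupMember -Identity $group -Members $member -Confirm:$false
            }
        }
    }
}

# Report only; add -Remediate to enforce. Nested groups are reported as a group
# member, which is itself a violation of "no members" and is removed as a whole.
Test-PrivilegedGroupMembership | Format-Table -AutoSize
```

Run the report before turning on the Restricted Groups GPO: anything it lists is what the GPO will silently remove at the next refresh, including service accounts that someone may depend on.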

35 Exercise 2: Deploying and Configuring an RODC

In this exercise, you will configure the server LON-SVR1 as an RODC in a distant branch office. To avoid travel costs, you decide to do the conversion remotely with the assistance of a desktop support technician, who is the only IT staff member at the branch. This user has already installed a Windows Server 2012 computer named LON-SVR1. You will stage a delegated installation of an RODC so that this administrative user can complete the installation. Once the deployment is complete, you will configure a domain-wide password replication policy and the password replication policy specific to LON-SVR1.

36 Lab Scenario

The security team at A. Datum Corporation has been examining the organization for possible security issues. It has been focusing on AD DS and is particularly concerned with AD DS authentication and branch-office domain controller security. You have been asked to help improve the security and monitoring of authentication against the enterprise's AD DS domain. You must enforce a specified password policy for all user accounts, and you must develop a more stringent password policy for security-sensitive administrative accounts. It also is important that you implement an appropriate audit trail to help monitor authentication attempts within AD DS. The second part of your assignment includes the deployment and configuration of RODCs to support AD DS authentication within a branch office.

37 Lab Review

Question: In the lab, we configured the password settings for all users within the Default Domain Policy, and we configured the password settings for Administrators within a PSO. What other options were available to accomplish the solution?
Answer: We could have created a PSO with specific settings for all users, configured it with a very high precedence value (so that any other PSO wins), and applied it to the Domain Users security group. The benefit would be that there is only one interface for managing domain password policies, and the Default Domain Policy could then set a different policy for local accounts on domain members across the whole domain.

Question: In the lab, we used a precedence value of 10 for the administrative PSO. What is the reason for this?
Answer: The administrative PSO is very restrictive, so its precedence value should be low. However, there might be groups of administrators in the future with more restrictive settings, for example a subset of administrators who access human resources data, or service accounts with administrative rights where you might want to enforce longer passwords that change less frequently. For these reasons, using a value of 10 leaves room for implementing more precise PSOs with a lower value.

38 Module Review and Takeaways

Review Questions

Question: Why is physical security so important, especially for AD DS domain controllers?
Answer: AD DS domain controllers store all information about every user, computer, group, and other object in the domain, including the credential secrets. If someone is able to access the server physically, or the hard drive of the server, that person can bypass the operating system's access controls quite easily and read all of this information. It can then be used to attack the rest of the network, or the domain controller can be modified offline and put back into the network.

Question: You need to implement auditing policies for domain authentication and directory service changes. What is the best way to implement these auditing settings?
Answer: If you want to enable auditing, it is very important that all relevant servers on which the event might occur are configured with the same auditing settings. For domain authentication or changes in AD DS, the Default Domain Controllers Policy or a GPO linked to the Domain Controllers OU is the best place to configure these settings, because the events are registered on the domain controllers.

Question: Your organization requires you to maintain a highly reliable and secure AD DS infrastructure. It also requires that users can access corporate e-mail from the Internet by using Outlook Web Access. You are considering implementing account lockout settings. What must you consider?
Answer: Account lockout settings are not just a security feature; they also provide attackers an easily accessible denial-of-service (DoS) interface. If Outlook Web Access is accessible from the Internet, you must configure additional protocols or services (such as pre-authentication in front of the web application) to ensure that only your domain users are able to enter their logon credentials. Other users must not be allowed to use the website to enter false passwords and lock out valid user accounts.

39 Tools

Tool | Use for | Where to find it
Active Directory Users and Computers | Managing objects within AD DS such as users, groups, and computers. | Server Manager
Active Directory Administrative Center | |
Group Policy Management | Managing, reporting, and backup and restoration of GPOs. |
Gpupdate.exe | Manually updating the GPOs of local machines. | Command line
