05 Improving the Security of Authentication in an AD DS Domain

Upload: mysticguy

Post on 04-Jun-2018


Page 1: 05 Improving the Security of Authentication in An

8/13/2019 05 Improving the Security of Authentication in An

http://slidepdf.com/reader/full/05-improving-the-security-of-authentication-in-an 1/21

Improving the Security of Authentication in an AD DS Domain

Page 2: 05 Improving the Security of Authentication in An


Module Overview

• Configure Password and Lockout Policies

• Audit Authentication

• Configure Read-Only Domain Controllers

Page 3: 05 Improving the Security of Authentication in An


Configure Password and Lockout Policies

• Understand Password Policies

• Understand Account Lockout Policies

• Configure the Domain Password and Lockout Policy

• Demonstration: Configure Domain Account Policies

• Fine-Grained Password and Lockout Policy

• Understand Password Settings Objects (PSOs)

• Demonstration: Configure Fine-Grained Password Policy

• PSO Precedence and Resultant PSO

Page 4: 05 Improving the Security of Authentication in An


Understand Password Policies

• Implemented via the Default Domain GPO

• Determine password requirements for the whole domain

• Password policies consist of:

  • Enforce password history: 24 passwords

  • Maximum password age: 42 days

  • Minimum password age: 1 day

  • Minimum password length: 7 characters

  • Password must meet complexity requirements: Enabled

  • Store password using reversible encryption: Disabled

Page 5: 05 Improving the Security of Authentication in An


Understand Account Lockout Policies

• Helps mitigate the threat of brute force attacks on user accounts

• Account lockout policies consist of:

  • Account lockout duration: Not defined

  • Account lockout threshold: 0 invalid logon attempts

  • Reset account lockout counter after: Not defined

• Unlock

  • A user who is locked out can be unlocked by an administrator

  • The Reset account lockout policy can specify a "timeout" period after which the account is automatically unlocked

Page 6: 05 Improving the Security of Authentication in An


Configure the Domain Password and Lockout Policy

• Domain password policies are defined by the highest-precedence GPO scoped to the domain controllers

  • Default Domain Policy GPO

• Best practices:

  • Modify the settings in the Default Domain GPO for password, lockout, and Kerberos policies

  • Do not use the Default Domain GPO to deploy any other policy settings

  • Do not define password, lockout, or Kerberos settings for the domain in any other GPO

• Policy settings are overridden by options in the user account:

  • Password never expires

  • Store passwords using reversible encryption
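The domain defaults from the password and lockout slides, and the per-account options that override them, can be checked from PowerShell. This is an added example, not course material; it assumes the ActiveDirectory module (RSAT) on a domain-joined host and only reads, since the slides' best practice is to change the values in the Default Domain GPO.

```powershell
# Added example (not from the course): compare the effective domain password and
# lockout policy with the Windows Server 2008 defaults on the slides and list
# accounts whose options override the policy.
# Assumes the ActiveDirectory module and a domain-joined session.
Import-Module ActiveDirectory

$policy   = Get-ADDefaultDomainPasswordPolicy
$findings = @()

# Password policy baseline from the "Understand Password Policies" slide.
# MaxPasswordAge is reported as 0 when passwords never expire.
if ($policy.PasswordHistoryCount -lt 24) { $findings += "Password history is $($policy.PasswordHistoryCount), baseline 24" }
if ($policy.MaxPasswordAge -eq [TimeSpan]::Zero -or $policy.MaxPasswordAge -gt (New-TimeSpan -Days 42)) {
    $findings += "Maximum password age is $($policy.MaxPasswordAge.Days) days (0 = never), baseline 42"
}
if ($policy.MinPasswordAge -lt (New-TimeSpan -Days 1)) { $findings += "Minimum password age is below 1 day" }
if ($policy.MinPasswordLength -lt 7)     { $findings += "Minimum password length is $($policy.MinPasswordLength), baseline 7" }
if (-not $policy.ComplexityEnabled)      { $findings += "Complexity requirements are disabled" }
if ($policy.ReversibleEncryptionEnabled) { $findings += "Passwords are stored with reversible encryption" }

# Lockout: the default threshold of 0 means accounts never lock, so password
# guessing is not throttled; flag it rather than treating it as a baseline.
if ($policy.LockoutThreshold -eq 0) { $findings += "Account lockout threshold is 0 (no lockout)" }

$findings | ForEach-Object { Write-Warning $_ }

# Per-account options that override the domain policy: review these, because
# they silently exempt the account from the settings above.
Get-ADUser -Filter { Enabled -eq $true -and PasswordNeverExpires -eq $true } |
    Select-Object SamAccountName, @{ n = 'Override'; e = { 'Password never expires' } }

Get-ADUser -Filter { Enabled -eq $true } -Properties AllowReversiblePasswordEncryption |
    Where-Object { $_.AllowReversiblePasswordEncryption } |
    Select-Object SamAccountName, @{ n = 'Override'; e = { 'Reversible encryption' } }
```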

Page 7: 05 Improving the Security of Authentication in An


Fine-Grained Password and Lockout Policy

Fine-grained password and lockout policies allow multiple password and lockout policies to exist in the same domain

Domain Policy:

• Length: 10

• Max age: 90

• Lockout: 5 in 30 min

• Reset: 30 min

Administrative accounts:

• Length: 15

• Max age: 45

• Lockout: 5 in 60

• Reset: 1 day

Service Accounts:

• Password Never Expires

• Length: 64

• Lockout: None

Finance users:

• Length: 15

• Max age: 60

• Lockout: 5 in 30

• Reset: 30 min

Page 8: 05 Improving the Security of Authentication in An


Understand Password Settings Objects (PSOs)

A PSO has the following settings available:

• Password policies

• Account lockout policies

• PSO Link

• Precedence

Considerations when implementing PSOs:

• PSOs can only be applied to users or global security groups

• PSOs can be created through ADSI Edit or LDIFDE

• The Password Settings Container (PSC) and PSOs are new object classes defined by the AD DS schema

• Windows Server 2008 domain functional level required

Page 9: 05 Improving the Security of Authentication in An


Demonstration: Configure Fine-Grained Password Policy

In this demonstration, you will see how to configure a fine-grained password policy to enhance the security of accounts in the Domain Admins group

Page 10: 05 Improving the Security of Authentication in An


PSO Precedence and Resultant PSO

• A PSO can be linked to more than one group or user

• A group or user can have more than one PSO linked to it

• Only one PSO prevails: the Resultant PSO

  • Precedence: Lower value (closer to 1) has higher precedence

  • Global group PSO with highest precedence prevails

  • Any PSOs linked to the user override all global group PSOs. User-linked PSO with highest precedence prevails

  • msDS-ResultantPSO attribute of the user in Attribute Editor

    • Click the Filter button and ensure Constructed is selected

  • If there are no PSOs, domain account policies apply

• Best Practices

  • Use only group-linked PSOs. Do not link to user objects.

  • Avoid having two PSOs with the same precedence value

  • PSOs cannot be "linked" to an OU

    • Create a shadow group that contains all users in the OU
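The fine-grained policy, PSO and precedence slides above come together in the following added example (not course material): it creates the Administrative accounts and Finance users PSOs from the fine-grained policy slide, links them to groups only, checks for duplicate precedence, and reads the resultant PSO. It assumes the ActiveDirectory module, a Windows Server 2008 domain functional level, the hypothetical groups "Tier0 Admins" and "Finance Users" and user "jdoe"; "Lockout: 5 in 60 / Reset: 1 day" is read as threshold 5, a 60-minute observation window and a 1-day lockout duration, and settings the slide leaves unstated use the domain defaults from the password policy slide.

```powershell
# Added example (not from the course): create group-linked PSOs and resolve the
# resultant PSO. Assumes the ActiveDirectory module and the hypothetical groups
# "Tier0 Admins" and "Finance Users".
Import-Module ActiveDirectory

# Lower precedence value wins when a user is in more than one linked group.
New-ADFineGrainedPasswordPolicy -Name 'PSO-AdminAccounts' -Precedence 10 `
    -MinPasswordLength 15 -MaxPasswordAge (New-TimeSpan -Days 45) `
    -MinPasswordAge (New-TimeSpan -Days 1) -PasswordHistoryCount 24 `
    -ComplexityEnabled $true -ReversibleEncryptionEnabled $false `
    -LockoutThreshold 5 -LockoutObservationWindow (New-TimeSpan -Minutes 60) `
    -LockoutDuration (New-TimeSpan -Days 1)

New-ADFineGrainedPasswordPolicy -Name 'PSO-FinanceUsers' -Precedence 20 `
    -MinPasswordLength 15 -MaxPasswordAge (New-TimeSpan -Days 60) `
    -MinPasswordAge (New-TimeSpan -Days 1) -PasswordHistoryCount 24 `
    -ComplexityEnabled $true -ReversibleEncryptionEnabled $false `
    -LockoutThreshold 5 -LockoutObservationWindow (New-TimeSpan -Minutes 30) `
    -LockoutDuration (New-TimeSpan -Minutes 30)

# PSOs apply to users or global security groups; per the best practice, link
# only to groups (Domain Admins is the group from the demonstration slide).
Add-ADFineGrainedPasswordPolicySubject -Identity 'PSO-AdminAccounts' -Subjects 'Domain Admins', 'Tier0 Admins'
Add-ADFineGrainedPasswordPolicySubject -Identity 'PSO-FinanceUsers' -Subjects 'Finance Users'

# Two PSOs with the same precedence make the resultant PSO unpredictable.
Get-ADFineGrainedPasswordPolicy -Filter * |
    Group-Object Precedence | Where-Object { $_.Count -gt 1 } |
    ForEach-Object { Write-Warning "Precedence $($_.Name) is shared by: $($_.Group.Name -join ', ')" }

# The resultant PSO (msDS-ResultantPSO) for a user; when no PSO applies the
# cmdlet returns nothing and the domain account policy is in effect.
$resultant = Get-ADUserResultantPasswordPolicy -Identity 'jdoe'
if ($resultant) {
    $resultant | Select-Object Name, Precedence, MinPasswordLength, MaxPasswordAge, LockoutThreshold
} else {
    Get-ADDefaultDomainPasswordPolicy | Select-Object MinPasswordLength, MaxPasswordAge, LockoutThreshold
}
```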

Page 11: 05 Improving the Security of Authentication in An


Audit Authentication

• Account Logon and Logon Events

• Configure Authentication-Related Audit Policies

• Scoping Audit Policies

• View Logon Events

Page 12: 05 Improving the Security of Authentication in An


Account Logon and Logon Events

• Account logon events

  • Registered by the system that authenticates the account

  • For domain accounts: Domain controllers

  • For local accounts: Local computer

• Logon events

  • Registered by the machine at which (or to which) a user logged on

  • Interactive logon: User's system

  • Network logon: Server

(Diagram labels: Logon Event, Account Logon Event, Logon Event)

Page 13: 05 Improving the Security of Authentication in An


Configure Authentication-Related Audit Policies

• Computer Configuration > Windows Settings > Security Settings > Local Policies > Audit Policy

• Windows Server 2008 default is to audit Success events for both account logon and logon events

• Windows Server 2008 R2 has new and more detailed policies for account logon and logon events

Page 14: 05 Improving the Security of Authentication in An


Scoping Audit Policies

(Diagram labels: Domain Controllers; Remote Desktop Servers; HR Clients; Custom GPO: Logon Events; Default Domain Controllers Policy: Account Logon Events)

Page 15: 05 Improving the Security of Authentication in An


View Logon Events

• Security log of the system that generated the event

  • The DC that authenticated the user: Account logon

    • Note: Not replicated to other DCs

  • The system to which the user logged on or connected: Logon
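The audit slides above describe where events land; the following added example (not course material) enables the Windows Server 2008 R2 subcategories and then collects account logon events from every DC, because they are not replicated, and logon events from the system the user connected to. It assumes the ActiveDirectory module, remote Event Log access, and a hypothetical Remote Desktop server named RDS01.

```powershell
# Added example (not from the course): enable authentication auditing and read
# account logon and logon events from the systems that generate them.
# Assumes the ActiveDirectory module and a hypothetical server RDS01.
Import-Module ActiveDirectory

# Windows Server 2008 R2 granular subcategories. Account Logon subcategories
# matter on the DCs; the Logon subcategory on the systems users log on to.
auditpol /set /subcategory:"Credential Validation" /success:enable /failure:enable
auditpol /set /subcategory:"Kerberos Authentication Service" /success:enable /failure:enable
auditpol /set /subcategory:"Logon" /success:enable /failure:enable

$since = (Get-Date).AddHours(-24)

# Account logon events: 4768 TGT issued, 4771 Kerberos pre-authentication
# failed, 4776 NTLM validation (success or failure; the error code is in the
# message). Each DC holds only the events it generated, so query all of them.
$accountLogon = foreach ($dc in (Get-ADDomainController -Filter *).HostName) {
    Get-WinEvent -ComputerName $dc -ErrorAction SilentlyContinue -FilterHashtable @{
        LogName = 'Security'; Id = 4768, 4771, 4776; StartTime = $since
    } | Select-Object @{ n = 'DC'; e = { $dc } }, TimeCreated, Id, Message
}

# Logon events: 4624 succeeded, 4625 failed, recorded on the system the user
# logged on to (interactive) or connected to (network).
$logon = Get-WinEvent -ComputerName 'RDS01' -ErrorAction SilentlyContinue -FilterHashtable @{
    LogName = 'Security'; Id = 4624, 4625; StartTime = $since
}

# Failed Kerberos pre-authentication per DC: bursts against one account are
# what the lockout threshold on the lockout slide is meant to stop.
$accountLogon | Where-Object { $_.Id -eq 4771 } |
    Group-Object DC | Select-Object Name, Count

# Most recent failed logons on the target system.
$logon | Where-Object { $_.Id -eq 4625 } |
    Sort-Object TimeCreated -Descending | Select-Object -First 20 TimeCreated, Message
```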

Page 16: 05 Improving the Security of Authentication in An


Configure Read-Only Domain Controllers

• Authentication and Domain Controller Placement in a Branch Office

• What Are Read-Only Domain Controllers?

• Deploy an RODC

• Demonstration: Configure a Password Replication Policy

• Demonstration: Configure Password RODC Credentials Caching

• Administrative Role Separation

Page 17: 05 Improving the Security of Authentication in An


Authentication and Domain Controller Placement in a Branch Office

Data center

• Personnel

• Secure facilities

• Authentication of branch users subject to availability and performance of WAN

Branch Office

• Few, if any, personnel

• Less secure facilities

• Improved authentication

• Security: Exposure of AD database

• Directory Service Integrity: Corruption at branch replicating to other DCs

• Administration: Administration requires domain Administrators membership

Page 18: 05 Improving the Security of Authentication in An


What Are Read-Only Domain Controllers?

Data Center

• Writeable Windows Server 2008 DC

• Password Replication Policy

  • Specifies which user (and computer) passwords can be cached by the RODC

Branch office

• RODC

  • All objects

  • Subset of attributes

  • No "secrets"

  • Not writeable

• Users log on

  • RODC forwards authentication

  • Password is cached

    • If password replication policy allows

• Has a local Administrators group

Page 19: 05 Improving the Security of Authentication in An


Deploy an RODC

1. Ensure the forest functional level is Windows Server 2003 or higher

  • All domain controllers running Windows Server 2003 or later

  • All domains at a functional level of Windows Server 2003 or higher

  • Forest functional level set to Windows Server 2003 or higher

2. If the forest has any DCs running Windows Server 2003, run adprep /rodcprep

  • Windows Server 2008 CD: \sources\adprep folder

3. Ensure that there is at least one writeable DC running Windows Server 2008

4. Install the RODC

  • Active Directory Domain Services Installation Wizard (dcpromo)

  • Stage delegated installation of an RODC: Domain Controllers OU
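The four deployment steps above, as an added example (not course material): it checks the prerequisites from steps 1 to 3 and stages the delegated RODC account from step 4. The slide uses dcpromo; this uses Add-ADDSReadOnlyDomainControllerAccount from the ADDSDeployment module (Windows Server 2012 and later) instead, and assumes the ActiveDirectory module and hypothetical names RODC01, site Branch, domain contoso.com and delegated administrator CONTOSO\branchadmin.

```powershell
# Added example (not from the course): RODC prerequisite checks and a staged,
# delegated RODC account. Assumes the ActiveDirectory and ADDSDeployment
# modules and hypothetical names (RODC01, Branch, contoso.com, branchadmin).
Import-Module ActiveDirectory

$forest = Get-ADForest
$domain = Get-ADDomain
$dcs    = Get-ADDomainController -Filter *

# Step 1: forest and domain functional levels at Windows Server 2003 or higher.
if ($forest.ForestMode -in 'Windows2000Forest', 'Windows2003InterimForest') {
    throw "Forest functional level $($forest.ForestMode) is below Windows Server 2003"
}
if ($domain.DomainMode -in 'Windows2000Domain', 'Windows2003InterimDomain') {
    throw "Domain functional level $($domain.DomainMode) is below Windows Server 2003"
}

# Step 2: any Windows Server 2003 DC means adprep /rodcprep must run first
# (from \sources\adprep on the Windows Server 2008 media).
$legacy = $dcs | Where-Object { $_.OperatingSystem -like '*2003*' }
if ($legacy) { Write-Warning "Run adprep /rodcprep first; 2003 DCs: $($legacy.Name -join ', ')" }

# Step 3: at least one writeable DC on Windows Server 2008 or later.
$writable = $dcs | Where-Object { -not $_.IsReadOnly -and $_.OperatingSystem -notlike '*2003*' }
if (-not $writable) { throw 'No writeable Windows Server 2008 or later DC found' }

# Step 4: stage the RODC account in the Domain Controllers OU so a delegated
# branch administrator, not a Domain Admin, completes the installation on site.
Add-ADDSReadOnlyDomainControllerAccount -DomainControllerAccountName 'RODC01' `
    -DomainName 'contoso.com' -SiteName 'Branch' `
    -DelegatedAdministratorAccountName 'CONTOSO\branchadmin'
```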

Page 20: 05 Improving the Security of Authentication in An


Demonstration: Configure a Password Replication Policy

In this demonstration, you will see how to:

• View an RODC's password replication policy

• Configure domain-wide password replication policy

  • Use the Allowed RODC Password Replication Group and the Denied RODC Password Replication Group

  • The groups are added to all new RODCs' password replication policies by default

• Configure RODC-specific password replication policy

Page 21: 05 Improving the Security of Authentication in An


Administrative Role Separation

• Allows performing local administrative tasks on the RODC

• Each RODC maintains a local security account manager (SAM) database of groups for specific administrative purposes

• DSMgmt command allows you to manage the local roles

  • dsmgmt [enter]

  • local roles [enter]

  • ? [enter] for a list of commands

  • list roles [enter] for a list of roles

  • add username administrators [enter]
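The password replication policy demonstration and the role separation slide above, as one added example (not course material): it views and configures an RODC's password replication policy, compares the policy with the secrets the RODC has actually cached, and adds a delegated local administrator with dsmgmt. It assumes the ActiveDirectory module, hypothetical names RODC01, a global group "Branch Users" and the user CONTOSO\branchadmin, and that dsmgmt accepts its commands as ntdsutil-style arguments.

```powershell
# Added example (not from the course): RODC password replication policy and
# local role management. Assumes the ActiveDirectory module and hypothetical
# names RODC01, 'Branch Users' and CONTOSO\branchadmin.
Import-Module ActiveDirectory

# Domain-wide defaults: both groups are in every new RODC's policy. A Denied
# entry wins over an Allowed one, so privileged accounts belong in Denied.
Get-ADGroupMember 'Allowed RODC Password Replication Group' | Select-Object Name
Get-ADGroupMember 'Denied RODC Password Replication Group'  | Select-Object Name

# RODC-specific policy: cache only the branch users, so a stolen RODC exposes
# at most their secrets and never the tier-0 accounts.
Add-ADDomainControllerPasswordReplicationPolicy -Identity 'RODC01' -AllowedList 'Branch Users'
Add-ADDomainControllerPasswordReplicationPolicy -Identity 'RODC01' -DeniedList 'Domain Admins', 'Enterprise Admins'

Get-ADDomainControllerPasswordReplicationPolicy -Identity 'RODC01' -Allowed | Select-Object Name
Get-ADDomainControllerPasswordReplicationPolicy -Identity 'RODC01' -Denied  | Select-Object Name

# Policy versus reality: accounts whose secrets are already cached on the RODC
# (revealed) and accounts it has forwarded authentication for without caching.
Get-ADDomainControllerPasswordReplicationPolicyUsage -Identity 'RODC01' -RevealedAccounts | Select-Object Name
Get-ADDomainControllerPasswordReplicationPolicyUsage -Identity 'RODC01' -AuthenticatedAccounts | Select-Object Name

# A privileged account that shows up as revealed is a finding: the RODC holds
# its secret, so the policy gap should be closed and the password reset.
$privileged = Get-ADGroupMember 'Domain Admins' -Recursive | Select-Object -ExpandProperty SamAccountName
Get-ADDomainControllerPasswordReplicationPolicyUsage -Identity 'RODC01' -RevealedAccounts |
    Where-Object { $_.SamAccountName -in $privileged } |
    ForEach-Object { Write-Warning "Privileged secret cached on RODC01: $($_.SamAccountName)" }

# Administrative role separation: the interactive dsmgmt sequence from the
# slide, run on the RODC as ntdsutil-style arguments (assumed quoting).
Invoke-Command -ComputerName 'RODC01' -ScriptBlock {
    dsmgmt 'local roles' 'add CONTOSO\branchadmin administrators' 'list roles' quit quit
}
```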