8/13/2019 05 Improving the Security of Authentication in An
http://slidepdf.com/reader/full/05-improving-the-security-of-authentication-in-an
www.technocorp.co.in

Improving the Security of Authentication in an AD DS Domain
Module Overview
• Configure Password and Lockout Policies
• Audit Authentication
• Configure Read-Only Domain Controllers
Configure Password and Lockout Policies
• Understand Password Policies
• Understand Account Lockout Policies
• Configure the Domain Password and Lockout Policy
• Demonstration: Configure Domain Account Policies
• Fine-Grained Password and Lockout Policy
• Understand Password Settings Objects (PSOs)
• Demonstration: Configure Fine-Grained Password Policy
• PSO Precedence and Resultant PSO
Understand Password Policies
• Implemented via the Default Domain GPO
• Determine password requirements for the whole domain
• Password policies consist of:
  • Enforce password history: 24 passwords
  • Maximum password age: 42 days
  • Minimum password age: 1 day
  • Minimum password length: 7 characters
  • Password must meet complexity requirements: Enabled
  • Store password using reversible encryption: Disabled
Understand Account Lockout Policies
• Helps mitigate the threat of brute force attacks on user accounts
• Account lockout policies consist of:
  • Account lockout duration: Not defined
  • Account lockout threshold: 0 invalid logon attempts
  • Reset account lockout counter after: Not defined
• Unlock
  • A user who is locked out can be unlocked by an administrator
  • The Reset account lockout policy can specify a "timeout" period after which the account is automatically unlocked
Configure the Domain Password and Lockout Policy
• Domain password policies are defined by the GPO with the highest precedence that is scoped to the domain controllers
  • Default Domain Policy GPO
• Best practices:
  • Modify the settings in the Default Domain GPO for password, lockout, and Kerberos policies
  • Do not use the Default Domain GPO to deploy any other policy settings
  • Do not define password, lockout, or Kerberos settings for the domain in any other GPO
• Policy settings are overridden by options in the user account:
  • Password never expires
  • Store passwords using reversible encryption
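The domain-wide settings above are normally edited in the Default Domain Policy GPO. The PowerShell below is an added example, not course material: it writes the same settings with the ActiveDirectory module (using the "Domain Policy" figures from the fine-grained policy slide: length 10, max age 90 days, lockout 5 in 30 min, reset 30 min) and then lists the per-account options that override the policy. The domain name is an assumption.

```powershell
Import-Module ActiveDirectory
$domain = 'contoso.com'   # assumed domain name, not from the slides

# Domain password and lockout policy. These cmdlets change the same settings that the
# Default Domain Policy GPO carries, so the GPO and the cmdlet output agree afterwards.
Set-ADDefaultDomainPasswordPolicy -Identity $domain `
    -MinPasswordLength 10 `
    -MaxPasswordAge (New-TimeSpan -Days 90) `
    -MinPasswordAge (New-TimeSpan -Days 1) `
    -PasswordHistoryCount 24 `
    -ComplexityEnabled $true `
    -ReversibleEncryptionEnabled $false `
    -LockoutThreshold 5 `
    -LockoutObservationWindow (New-TimeSpan -Minutes 30) `
    -LockoutDuration (New-TimeSpan -Minutes 30)

# Read back what the domain now enforces
Get-ADDefaultDomainPasswordPolicy -Identity $domain |
    Format-List MinPasswordLength, MaxPasswordAge, PasswordHistoryCount,
                LockoutThreshold, LockoutObservationWindow, LockoutDuration

# Per-account options override the domain policy. First, "Password never expires":
Search-ADAccount -PasswordNeverExpires -UsersOnly |
    Select-Object SamAccountName, DistinguishedName

# "Store password using reversible encryption" is the ENCRYPTED_TEXT_PWD_ALLOWED (0x80) bit
# of userAccountControl; 1.2.840.113556.1.4.803 is the LDAP bitwise-AND matching rule.
Get-ADUser -LDAPFilter '(userAccountControl:1.2.840.113556.1.4.803:=128)' |
    Select-Object SamAccountName, DistinguishedName

# Accounts the lockout policy has locked; an administrator can unlock them once the cause is known
Search-ADAccount -LockedOut -UsersOnly | Select-Object SamAccountName, LastLogonDate
# Unlock-ADAccount -Identity <sAMAccountName>
```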
Fine-Grained Password and Lockout Policy
Fine-grained password and lockout policies allow multiple password and lockout policies to exist in the same domain.
Diagram: example policies in one domain
• Domain Policy: Length: 10; Max age: 90; Lockout: 5 in 30 min; Reset: 30 min
• Administrative accounts: Length: 15; Max age: 45; Lockout: 5 in 60; Reset: 1 day
• Service Accounts: Password Never Expires; Length: 64; Lockout: None
• Finance users: Length: 15; Max age: 60; Lockout: 5 in 30; Reset: 30 min
Understand Password Settings Objects (PSOs)
A PSO has the following settings available:
• Password policies
• Account lockout policies
• PSO Link
• Precedence
Considerations when implementing PSOs:
• PSOs can only be applied to users or global security groups
• PSOs can be created through ADSI Edit or LDIFDE
• The Password Settings Container (PSC) and PSOs are new object classes defined by the AD DS schema
• Windows Server 2008 domain functional level required
Demonstration: Configure Fine-Grained Password Policy
In this demonstration, you will see how to configure a fine-grained password policy to enhance the security of accounts in the Domain Admins group.
PSO Precedence and Resultant PSO
• A PSO can be linked to more than one group or user
• A group or user can have more than one PSO linked to it
• Only one PSO prevails: the Resultant PSO
  • Precedence: Lower value (closer to 1) has higher precedence
  • Global group PSO with highest precedence prevails
  • Any PSOs linked to the user override all global group PSOs. User-linked PSO with highest precedence prevails
  • msDS-ResultantPSO attribute of the user in Attribute Editor
    • Click the Filter button and ensure Constructed is selected
  • If there are no PSOs, domain account policies apply
• Best Practices
  • Use only group-linked PSOs. Do not link to user objects.
  • Avoid having two PSOs with the same precedence value
  • PSOs cannot be "linked" to an OU
    • Create a shadow group that contains all users in the OU
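The three group policies from the fine-grained policy slide and the precedence rules above, as an added PowerShell example that is not part of the course: it creates the PSOs, links them only to global groups, keeps a shadow group in step with an OU, checks for duplicate precedence values and reads a user's resultant PSO. The group names, the OU, the user, and the reading of the slide's lockout figures are assumptions.

```powershell
Import-Module ActiveDirectory

# Slide values. "Lockout: 5 in 60" is read as 5 failures inside a 60-minute observation window
# and "Reset: 1 day" as the lockout duration (assumption). A zero MaxAge stands for
# "Password Never Expires" (assumption: the same convention as the domain policy cmdlets).
$psos = @(
    @{ Name='PSO-AdminAccounts';   Precedence=10; Group='Domain Admins';    MinLen=15
       MaxAge=(New-TimeSpan -Days 45); Threshold=5; Window=(New-TimeSpan -Minutes 60); Duration=(New-TimeSpan -Days 1) },
    @{ Name='PSO-ServiceAccounts'; Precedence=20; Group='Service Accounts'; MinLen=64    # assumed group
       MaxAge=[TimeSpan]::Zero;        Threshold=0; Window=(New-TimeSpan -Minutes 30); Duration=(New-TimeSpan -Minutes 30) },
    @{ Name='PSO-FinanceUsers';    Precedence=30; Group='Finance Users';    MinLen=15    # assumed group
       MaxAge=(New-TimeSpan -Days 60); Threshold=5; Window=(New-TimeSpan -Minutes 30); Duration=(New-TimeSpan -Minutes 30) }
)

foreach ($p in $psos) {
    New-ADFineGrainedPasswordPolicy -Name $p.Name -Precedence $p.Precedence `
        -MinPasswordLength $p.MinLen -MaxPasswordAge $p.MaxAge `
        -LockoutThreshold $p.Threshold -LockoutObservationWindow $p.Window -LockoutDuration $p.Duration `
        -ComplexityEnabled $true -ReversibleEncryptionEnabled $false -ProtectedFromAccidentalDeletion $true
    # Link to a global security group only: never to user objects, and OUs cannot be targets
    Add-ADFineGrainedPasswordPolicySubject -Identity $p.Name -Subjects $p.Group
}

# PSOs cannot be linked to an OU, so a shadow group mirrors the OU's users (OU is assumed)
$financeOU = 'OU=Finance,DC=contoso,DC=com'
$inOU = Get-ADUser -Filter * -SearchBase $financeOU
if ($inOU) { Add-ADGroupMember -Identity 'Finance Users' -Members $inOU }

# Best-practice check: when two PSOs share a precedence value the tie is broken by object GUID,
# not by anything the administrator chose
Get-ADFineGrainedPasswordPolicy -Filter * | Group-Object Precedence |
    Where-Object { $_.Count -gt 1 } |
    ForEach-Object { Write-Warning "Precedence $($_.Name) is shared by: $(($_.Group | ForEach-Object { $_.Name }) -join ', ')" }

# Resultant PSO (the constructed msDS-ResultantPSO attribute); no result means the domain policy applies
$user = 'alice'   # assumed sAMAccountName
$resultant = Get-ADUserResultantPasswordPolicy -Identity $user
if ($resultant) { "{0}: {1} (precedence {2})" -f $user, $resultant.Name, $resultant.Precedence }
else            { "{0}: no PSO applies, domain account policy in effect" -f $user }
```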
Audit Authentication
• Account Logon and Logon Events
• Configure Authentication-Related Audit Policies
• Scoping Audit Policies
• View Logon Events
Account Logon and Logon Events
• Account logon events
  • Registered by the system that authenticates the account
  • For domain accounts: Domain controllers
  • For local accounts: Local computer
• Logon events
  • Registered by the machine at which (or to which) a user logged on
  • Interactive logon: User's system
  • Network logon: Server
Diagram labels: Logon Event, Account Logon Event, Logon Event
Configure Authentication-Related Audit Policies
• Computer Configuration > Windows Settings > Security Settings > Local Policies > Audit Policy
• Windows Server 2008 default is to audit Success events for both account logon and logon events
• Windows Server 2008 R2 has new and more detailed policies for account logon and logon events
Scoping Audit Policies
Diagram: scopes Domain Controllers, Remote Desktop Servers, HR Clients; GPOs: Custom GPO (Logon Events), Default Domain Controllers Policy (Account Logon Events)
View Logon Events
• Security log of the system that generated the event
  • The DC that authenticated the user: Account logon
    • Note: Not replicated to other DCs
  • The system to which the user logged on or connected: Logon
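The audit-policy and logon-event material above, as an added PowerShell example that is not part of the course: it enables the Windows Server 2008 R2 advanced subcategories for account logon and logon events with auditpol, then reads account logon events from every DC (they are not replicated) and logon events from the server the user connected to. The event IDs are the standard Windows security event IDs; the server name is an assumption.

```powershell
Import-Module ActiveDirectory

# Advanced audit subcategories (Windows Server 2008 R2). "Account Logon" events are recorded by
# the authenticator (a DC for domain accounts); "Logon/Logoff" events where the user logs on.
# Run on each system whose log is wanted; in production this is deployed by a GPO scoped to the role.
auditpol /set /subcategory:"Credential Validation" /success:enable /failure:enable           # NTLM: 4776
auditpol /set /subcategory:"Kerberos Authentication Service" /success:enable /failure:enable  # 4768, 4771
auditpol /set /subcategory:"Logon" /success:enable /failure:enable                          # 4624, 4625
auditpol /get /category:"Account Logon"
auditpol /get /category:"Logon/Logoff"

function Get-AuthEvent {
    # Pull security events by ID from one computer's own log and extract the target account name
    param([string]$Computer, [int[]]$Id, [int]$Hours = 1)
    Get-WinEvent -ComputerName $Computer -ErrorAction SilentlyContinue -FilterHashtable @{
        LogName = 'Security'; Id = $Id; StartTime = (Get-Date).AddHours(-$Hours) } |
    ForEach-Object {
        $data = ([xml]$_.ToXml()).Event.EventData.Data
        New-Object PSObject -Property @{
            RecordedOn = $_.MachineName
            Time       = $_.TimeCreated
            Id         = $_.Id
            Account    = ($data | Where-Object { $_.Name -eq 'TargetUserName' }).'#text'
        }
    }
}

# Account logon events exist only in the log of the DC that did the authentication, so ask every DC
$dcs = Get-ADDomainController -Filter * | ForEach-Object { $_.HostName }
$accountLogon = $dcs | ForEach-Object { Get-AuthEvent -Computer $_ -Id 4768, 4771, 4776 }
$accountLogon | Sort-Object Time | Format-Table RecordedOn, Time, Id, Account -AutoSize

# Logon events sit on the system the user logged on to (interactive: the client; network: the server).
# RDS01 is an assumed server name.
Get-AuthEvent -Computer 'RDS01' -Id 4624, 4625 | Format-Table RecordedOn, Time, Id, Account -AutoSize
```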
Configure Read-Only Domain Controllers
• Authentication and Domain Controller Placement in a Branch Office
• What Are Read-Only Domain Controllers?
• Deploy an RODC
• Demonstration: Configure a Password Replication Policy
• Demonstration: Configure Password RODC Credentials Caching
• Administrative Role Separation
Authentication and Domain Controller Placement in a Branch Office
Data center
• Personnel
• Secure facilities
• Authentication of branch users subject to availability and performance of the WAN
Branch Office
• Few, if any, personnel
• Less secure facilities
• Improved authentication
• Security: Exposure of AD database
• Directory Service Integrity: Corruption at branch replicating to other DCs
• Administration: Administration requires domain Administrators membership
What Are Read-Only Domain Controllers?
Data Center
• Writeable Windows Server 2008 DC
• Password Replication Policy
  • Specifies which user (and computer) passwords can be cached by the RODC
Branch office
• RODC
  • All objects
  • Subset of attributes
  • No "secrets"
  • Not writeable
• Users log on
  • RODC forwards authentication
  • Password is cached
    • If password replication policy allows
• Has a local Administrators group
Deploy an RODC
1. Ensure the forest functional level is Windows Server 2003 or higher
   • All domain controllers running Windows Server 2003 or later
   • All domains at a functional level of Windows Server 2003 or higher
   • Forest functional level set to Windows Server 2003 or higher
2. If the forest has any DCs running Windows Server 2003, run adprep /rodcprep
   • Windows Server 2008 CD: \sources\adprep folder
3. Ensure that there is at least one writeable DC running Windows Server 2008
4. Install the RODC
   • Active Directory Domain Services Installation Wizard (dcpromo)
   • Stage delegated installation of an RODC: Domain Controllers OU
Demonstration: Configure a Password Replication Policy
In this demonstration, you will see how to:
• View an RODC's password replication policy
• Configure the domain-wide password replication policy
  • Use the Allowed RODC Password Replication Group and the Denied RODC Password Replication Group
  • The groups are added to all new RODCs' password replication policies by default
• Configure an RODC-specific password replication policy
Administrative Role Separation
• Allows performing local administrative tasks on the RODC
• Each RODC maintains a local security account manager (SAM) database of groups for specific administrative purposes
• The DSMgmt command allows you to manage the local roles
  • dsmgmt [enter]
  • local roles [enter]
  • ? [enter] for a list of commands
  • list roles [enter] for a list of roles
  • add username administrators [enter]
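The password replication policy slides and the role-separation steps above, as one added PowerShell example that is not course material: it sets the domain-wide and RODC-specific PRP, pre-populates one credential into the RODC cache, lists which accounts' secrets the RODC actually holds (what a stolen RODC would expose), and delegates local administration of the RODC. The RODC, group, user and DC names are assumptions.

```powershell
Import-Module ActiveDirectory
$rodc = 'BRANCH-RODC01'   # assumed RODC name

# Domain-wide defaults: these two built-in groups are in every new RODC's PRP by default
Add-ADGroupMember -Identity 'Allowed RODC Password Replication Group' -Members 'Branch Users'   # assumed group
Add-ADGroupMember -Identity 'Denied RODC Password Replication Group'  -Members 'Domain Admins'

# RODC-specific policy: allow the branch group, deny a high-value group, then view both lists
Add-ADDomainControllerPasswordReplicationPolicy -Identity $rodc -AllowedList 'Branch Users'
Add-ADDomainControllerPasswordReplicationPolicy -Identity $rodc -DeniedList 'Finance Users'    # assumed group
Get-ADDomainControllerPasswordReplicationPolicy -Identity $rodc -Allowed | Select-Object Name
Get-ADDomainControllerPasswordReplicationPolicy -Identity $rodc -Denied  | Select-Object Name

# Pre-populate a branch user's password into the RODC cache; this only succeeds if the PRP allows it
$writableDc = "$((Get-ADDomainController -Discover -Writable).HostName)"
Sync-ADObject -Object (Get-ADUser 'bsmith') -Source $writableDc -Destination $rodc -PasswordOnly   # bsmith is assumed

# Secrets stored on this RODC (reset these if the RODC is lost) versus accounts that only
# authenticated through it without their password being cached
Get-ADDomainControllerPasswordReplicationPolicyUsage -Identity $rodc -RevealedAccounts |
    Select-Object SamAccountName, ObjectClass
Get-ADDomainControllerPasswordReplicationPolicyUsage -Identity $rodc -AuthenticatedAccounts |
    Select-Object SamAccountName, ObjectClass

# Administrative role separation: the managedBy attribute of the RODC computer account names the
# delegated local administrator, who needs no Domain Admins membership
Set-ADComputer -Identity $rodc -ManagedBy 'Branch Admins'   # assumed group

# The same local role added on the RODC itself with the dsmgmt commands from the slide, run non-interactively
dsmgmt "local roles" "add CONTOSO\branchadmin administrators" "list roles" quit quit
```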