Efi Bregman, Principal Consultant, Microsoft Consulting Services Israel
TRANSCRIPT
Session Objectives and Takeaways
Session Objectives:
Identify the key new AD DS features in WS08
Explain the value of deploying these features
Demonstrate these features in real-life scenarios
Key Takeaways:
Understand when and how to deploy the key new AD DS features
Key Investment Areas: Security, Manageability, Branch Office
Section: Branch Office (diagram: Hub Site and Branch Office)
Windows 2008 Branch Office Benefits
Security: BitLocker, Server Core, Read-Only Domain Controller, Admin Role Separation
Optimization: SYSVOL Replication, DFS Replication, Protocols
Administration: Print Management Console, PowerShell, WinRS, WinRM, Virtualization, Restartable Active Directory
Branch Office Dilemma
Branch office profile: small number of employees; WAN: congested, unreliable; security: not sure; admin proficiency: generalist
(diagram: HQ Data Center / Hub Network / Branch Office)
Option 1: Consolidate and remove DCs from the branch
Branch authentication and authorization fail when the WAN goes down
Option 2: Put a full DC in the branch
Either give the branch admin privileges or manage remotely
A compromised branch DC jeopardizes the security of the corporate AD!!!
So how can we deploy a Domain Controller in this environment?!
Read-Only Domain Controller
Admin Role Separation: the RODC server admin does NOT need to be a Domain Admin; prevents the branch admin from accidentally causing harm to the AD; delegated promotion
Policy to configure caching of branch-specific passwords (secrets) on the RODC
Policy to filter schema attributes from replicating to the RODC
Passwords not cached by default
1-Way Replication: no replication from RODC to full DC; an attack on the RODC does not propagate to the AD
RODC – Attacker "experience" (dialog between Attacker and RODC)
Attacker: Let's intercept Domain Admin credentials sent to this RODC.
RODC: With Admin Role Separation, the Domain Admin doesn't need to log in to me.
Attacker: Let's steal this RODC.
RODC: By default I do not have any secrets cached. I do not hold any custom app-specific attributes either.
Attacker: Let's tamper with data on this RODC and use its identity.
RODC: I have a read-only database. Also, no other DC in the enterprise replicates data from me.
Attacker: Damn!
Read-Only Domain Controller – How it works (diagram: RODC in the branch, full DC in the hub)
1. Logon request sent to RODC
2. RODC looks in its DB: "I don't have the user's secrets"
3. Forwards request to full DC
4. Full DC authenticates user
5. Returns authentication response and TGT back to the RODC
6. RODC gives TGT to user and queues a replication request for the secrets
7. Hub DC checks Password Replication Policy to see if the password can be replicated
Read-Only Domain Controller – Recommended Deployment Models
No accounts cached (default)
Pro: Most secure, still provides fast authentication and policy processing
Con: No offline access for anyone
Most accounts cached
Pro: Ease of password management (a manageability improvement of RODC, not a security one)
Con: More passwords potentially exposed to the RODC
Few accounts (branch-specific accounts) cached
Pro: Enables offline access for those who need it, and maximizes security for the others
Con: Fine-grained administration is a new task
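The logon flow (steps 1 to 7) and the three deployment models above, as an added model written for this transcript, not Microsoft code: the RODC forwards a logon it cannot satisfy locally, and the hub reveals the secret only when the Password Replication Policy allows it, with the deny list always winning. The deny-list group names are the Windows Server 2008 defaults; users, groups, "secrets" and the allow lists for the three models are constructed.

```python
from dataclasses import dataclass, field

# Groups whose members' secrets are never revealed to an RODC (WS08 defaults).
DENIED_DEFAULT = {"Domain Admins", "Enterprise Admins", "Account Operators",
                  "Server Operators", "Backup Operators",
                  "Denied RODC Password Replication Group"}

# Constructed directory data: user -> secret (stands in for the password hash)
# and user -> group memberships.
SECRETS = {"alice": "h1", "bob": "h2", "dadmin": "h3"}
GROUPS = {"alice": {"Domain Users", "Branch Users"},
          "bob": {"Domain Users"},
          "dadmin": {"Domain Users", "Domain Admins"}}

# Allow lists for the three deployment models on the slide (group names constructed).
MODELS = {"none": set(), "most": {"Domain Users"}, "few": {"Branch Users"}}

@dataclass
class HubDC:
    allowed: set
    denied: set = field(default_factory=lambda: set(DENIED_DEFAULT))

    def authenticate(self, user, secret):           # step 4: full DC validates
        return SECRETS.get(user) == secret

    def prp_allows(self, user):                     # step 7: PRP check; deny wins
        member = GROUPS.get(user, set())
        return not (member & self.denied) and bool(member & self.allowed)

@dataclass
class RODC:
    hub: HubDC
    cache: dict = field(default_factory=dict)       # secrets the RODC holds

    def logon(self, user, secret, wan_up=True):
        if user in self.cache:                      # step 2: secret is local
            return self.cache[user] == secret
        if not wan_up:                              # no secret and no hub: fails
            return False
        ok = self.hub.authenticate(user, secret)    # steps 3-5: forwarded to hub
        if ok and self.hub.prp_allows(user):        # step 6: replication request
            self.cache[user] = SECRETS[user]        # hub reveals the secret
        return ok

def cached_after_logons(model):
    """Users whose secrets the RODC holds after everyone logs on once."""
    rodc = RODC(HubDC(MODELS[model]))
    for user, secret in SECRETS.items():
        rodc.logon(user, secret)
    return sorted(rodc.cache)
```

Under the "most accounts cached" model the Domain Admin still never lands in the RODC cache, because the default deny list overrides the allow list; under "few accounts cached" only the branch user does, and only that user can still log on when the WAN is down.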
Read-Only Domain Controller – Upgrade path from a Windows 2003 domain
Deployment steps:
1. ADPREP /ForestPrep
2. ADPREP /DomainPrep
3. Promote a Windows Server 2008 DC
4. Verify forest functional mode is Windows 2003
5. ADPREP /RodcPrep
6. Promote RODC
Test RODCs for application compatibility in your environment
(legend: not RODC specific / RODC-specific task)
Read-Only Domain Controller – Delegated Administrator ("Local Roles"), Delegated RODC Promotion
Read-Only Domain Controller – Install-from-media Promotion
NTDSUtil > IFM
During creation of the RODC IFM: "secrets" are removed; the DIT is defragged to remove free space
Branch Office & Replication Optimization
DFS-R replication provides more robust and detailed replication of SYSVOL contents
Requires Windows Server 2008 domain mode
Key Investment Areas: Security, Manageability, Branch Office
Directory Service Auditing – New Directory Service Changes events
Event logs tell you exactly: who made a change; when the change was made; what object/attribute was changed; the beginning and end values
Auditing controlled by: global audit policy; SACL; schema
Event ID  Event type  Event description
5136      Modify      This event is logged when a successful modification is made to an attribute in the directory.
5137      Create      This event is logged when a new object is created in the directory.
5138      Undelete    This event is logged when an object is undeleted in the directory.
5139      Move        This event is logged when an object is moved within the domain.
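The "who, when, what, beginning and end values" promise above depends on reading 5136 in pairs: an attribute change is logged as a Value Deleted event carrying the old value and a Value Added event carrying the new one, joined by a shared OpCorrelationID. The following is an added example written for this transcript (not Microsoft code) that turns such events into before/after change records; field names follow the Security log EventData layout, and the sample events, DNs and timestamps are constructed.

```python
from collections import defaultdict

VALUE_ADDED, VALUE_DELETED = "%%14674", "%%14675"   # OperationType codes in 5136

# Constructed sample events: one attribute modify (two 5136s sharing an
# OpCorrelationID), one object create and one object move.
SAMPLE_EVENTS = [
    {"EventID": 5136, "TimeCreated": "2008-05-01T09:12:03", "SubjectUserName": "jdoe",
     "ObjectDN": "CN=Alice,OU=Branch,DC=contoso,DC=com", "AttributeLDAPDisplayName": "title",
     "AttributeValue": "Clerk", "OperationType": VALUE_DELETED, "OpCorrelationID": "{c1}"},
    {"EventID": 5136, "TimeCreated": "2008-05-01T09:12:03", "SubjectUserName": "jdoe",
     "ObjectDN": "CN=Alice,OU=Branch,DC=contoso,DC=com", "AttributeLDAPDisplayName": "title",
     "AttributeValue": "Manager", "OperationType": VALUE_ADDED, "OpCorrelationID": "{c1}"},
    {"EventID": 5137, "TimeCreated": "2008-05-01T09:15:40", "SubjectUserName": "jdoe",
     "ObjectDN": "CN=Svc1,OU=Branch,DC=contoso,DC=com", "OpCorrelationID": "{c2}"},
    {"EventID": 5139, "TimeCreated": "2008-05-01T09:20:11", "SubjectUserName": "jdoe",
     "OldObjectDN": "CN=Bob,OU=Branch,DC=contoso,DC=com",
     "NewObjectDN": "CN=Bob,OU=HQ,DC=contoso,DC=com", "OpCorrelationID": "{c3}"},
]

KINDS = {5137: "create", 5138: "undelete", 5139: "move"}

def change_records(events):
    """Return (who, when, object, what, old, new) tuples, pairing 5136 events."""
    mods = defaultdict(dict)          # (correlation, dn, attr) -> old/new values
    out = []
    for e in events:
        eid = e["EventID"]
        if eid == 5136:
            key = (e["OpCorrelationID"], e["ObjectDN"], e["AttributeLDAPDisplayName"])
            slot = "old" if e["OperationType"] == VALUE_DELETED else "new"
            mods[key][slot] = e["AttributeValue"]
            mods[key]["who"], mods[key]["when"] = e["SubjectUserName"], e["TimeCreated"]
        elif eid in KINDS:            # create/undelete/move carry no attribute values
            dn = e.get("NewObjectDN", e.get("ObjectDN"))
            out.append((e["SubjectUserName"], e["TimeCreated"], dn, KINDS[eid],
                        e.get("OldObjectDN"), None))
    for (_, dn, attr), m in mods.items():   # a lone add or delete leaves one side None
        out.append((m["who"], m["when"], dn, attr, m.get("old"), m.get("new")))
    return sorted(out, key=lambda r: r[1])
```

A record whose old or new side is None is a single-sided change (a value only added or only removed), which is worth surfacing separately from a plain modify when reviewing the log.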
Fine-Grained Password Policies – Overview
Granular administration of password and lockout policies within a domain
Usage examples:
Administrators: strict setting (passwords expire every 14 days)
Service accounts: moderate settings (passwords expire every 31 days, minimum password length 32 characters)
Average user: "light" setting (passwords expire every 90 days)
Fine-Grained Password Policies – At a glance
Policies can be applied to: users; global security groups
Does NOT apply to: computer objects; organizational units
Multiple policies can be associated with a user, but only one applies
Fine-Grained Password Policies – Example
(diagram: two Password Settings Objects, PSO 1 and PSO 2, each with "Applies To" links, shown with precedence values 20 and 10; in each case the resultant PSO = PSO1)
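The selection rule behind "only one applies", as an added model written for this transcript rather than Microsoft's implementation: a PSO linked directly to the user beats any PSO inherited through a group, the lowest precedence value wins within each tier, and an equal precedence is broken by the lowest objectGUID. The PSO names, precedences and memberships are constructed, and only direct group membership is modelled.

```python
from dataclasses import dataclass, field
import uuid

LINKABLE = {"user", "group"}   # PSOs apply to users and global security groups only

@dataclass
class PSO:
    name: str
    precedence: int           # lower value wins
    max_age_days: int         # one of the settings a PSO carries
    guid: uuid.UUID = field(default_factory=uuid.uuid4)   # objectGUID, tie-breaker
    applies_to: set = field(default_factory=set)          # set of (kind, name)

    def link(self, kind, name):
        """Apply the PSO to a principal; OUs and computers are rejected."""
        if kind not in LINKABLE:
            raise ValueError(f"a PSO cannot be applied to a {kind}")
        self.applies_to.add((kind, name))

def resultant_pso(user, groups, psos):
    """Return the one PSO in effect for `user`, or None for the domain policy."""
    def best(cands):          # lowest precedence wins; equal precedence -> lowest GUID
        return min(cands, key=lambda p: (p.precedence, p.guid.int)) if cands else None
    direct = [p for p in psos if ("user", user) in p.applies_to]
    via_group = [p for p in psos if any(("group", g) in p.applies_to for g in groups)]
    return best(direct) or best(via_group)   # a direct link beats any group link

def demo():
    """Constructed policies mirroring the slide's usage examples."""
    admins = PSO("PSO-Admins", 10, 14)
    svc = PSO("PSO-Service", 20, 31)
    admins.link("group", "Domain Admins")
    svc.link("group", "Service Accounts")
    # alice is in both groups: precedence 10 beats 20 -> 14-day expiry
    a = resultant_pso("alice", {"Domain Admins", "Service Accounts"}, [admins, svc])
    # bob is linked directly to svc, which wins over his group link whatever the precedence
    svc.link("user", "bob")
    b = resultant_pso("bob", {"Domain Admins"}, [admins, svc])
    # carol is in neither group: nothing applies, the domain policy is used
    c = resultant_pso("carol", {"Domain Users"}, [admins, svc])
    return (a.name, a.max_age_days), (b.name, b.max_age_days), c
```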
Fine-Grained Password Policies – Design step-by-step
Requires Windows Server 2008 domain functional mode
Fine-Grained Password Policies – Administration
The feature itself can be delegated
By default, only Domain Admins can: create and read PSOs; apply a PSO to a group or user
Key Investment Areas: Security, Manageability, Branch Office
Restartable AD DS
Without a reboot you can now perform offline defragmentation
DS stopped, similar to a member server: NTDS.dit is offline; can log on locally with the DSRM password
Database Mounting Tool – Backup/Recovery
Allows the administrator to choose the best backup
Best practice: schedule NTDSUtil.exe to take regular snapshots of AD DS
Note: the tool is not used for restoring objects
Group Policy Enhancements
Over 700 new settings: power options, removable media, Windows Firewall configuration, printer management, ...
Transition to ADMX files
Additional management features: add comments to individual GPOs and settings; search and filter on settings and comments; create Starter GPOs for easier reuse
Summary – Key features in Active Directory Domain Services 2008
Read-Only Domain Controller; Fine-Grained Password Policies; Enhanced Auditing Capabilities; Restartable AD DS; AD DS Database Mounting Tool; DFS-R SYSVOL Replication
Resources
Read-Only Domain Controller: http://technet2.microsoft.com/windowsserver2008/en/library/ea8d253e-0646-490c-93d3-b78c5e1d9db71033.mspx
Fine-Grained Password Policies: http://technet2.microsoft.com/windowsserver2008/en/library/056a73ef-5c9e-44d7-acc1-4f0bade6cd751033.mspx
Restartable AD DS: http://technet2.microsoft.com/windowsserver2008/en/library/caa05f49-210f-4f4c-b33f-c8ad50a687101033.mspx
Enhanced Auditing Capabilities: http://technet2.microsoft.com/windowsserver2008/en/library/ad35ab51-2e85-41e9-91f7-ccedf2fc98241033.mspx and http://technet2.microsoft.com/windowsserver2008/en/library/a9c25483-89e2-4202-881c-ea8e02b4b2a51033.mspx
AD DS Database Mounting Tool ("SnapView"): http://technet2.microsoft.com/windowsserver2008/en/library/4503d762-0adf-494f-a08b-cf502ecb76021033.mspx?mfr=true
© 2007 Microsoft Corporation. All rights reserved. Microsoft, Windows, Windows Vista and other product names are or may be registered trademarks and/or trademarks in the U.S. and/or other countries.
The information herein is for informational purposes only and represents the current view of Microsoft Corporation as of the date of this presentation. Because Microsoft must respond to changing market conditions, it should not be interpreted to be a commitment on the part of Microsoft, and Microsoft cannot guarantee the accuracy of any information provided after the date of this presentation. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION.