Microsoft® Official Course Module 3: Securing AD DS
Posted 22-Feb-2016 (upload: tosca)

TRANSCRIPT

Page 1: Module 3

Microsoft® Official Course

Module 3: Securing AD DS

Page 2: Module 3

Module Overview

• Securing Domain Controllers
• Implementing Password and Lockout Policies
• Implementing Audit Authentication

Page 3: Module 3

Lesson 1: Securing Domain Controllers

• Domain Controller Security Risks
• Modifying the Security Settings of Domain Controllers
• Minimizing the Attack Surface of Domain Controllers
• Implementing Secure Authentication
• Securing Physical Access to Domain Controllers
• What are RODCs?
• Deploying an RODC
• Planning and Configuring RODC Credential Caching
• Demonstration: Configure a Password Replication Policy
• Administrator Role Separation

Page 4: Module 3

Domain Controller Security Risks

Domain controllers are a prime target for attacks and the most important resource to secure. A compromised domain controller exposes every credential in the domain.
• Security risks include:
  • Network security
  • Authentication attacks
  • Elevation of privilege
  • Denial of service
  • Operating system, service, or application attacks
  • Operational risks
  • Physical security threats

Page 5: Module 3

Modifying the Security Settings of Domain Controllers

• Use a GPO to apply the same security settings to all domain controllers
• Consider custom GPOs linked to the Domain Controllers OU, rather than editing the Default Domain Controllers Policy
• Security settings include:
  • Account policies, such as passwords and account lockout
  • Local policies, such as auditing, user rights, and security options
  • Event log configuration
  • Secure system services
  • Windows Firewall with Advanced Security
  • Public key policies
  • Advanced auditing

Page 6: Module 3

Minimizing the Attack Surface of Domain Controllers

To minimize the attack surface on domain controllers, you should:
• Establish update management processes
• Increase the security of communication protocols:
  • Secure LDAP (LDAP signing, LDAPS)
  • IPsec
  • SMB signing
• Secure the operating system by using:
  • A security baseline created with the Security Configuration Wizard (SCW)
  • Server Core installation
  • BitLocker Drive Encryption
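The slide lists SMB signing and secure LDAP among the protocol hardening steps and the previous slide says to deliver settings through a GPO linked to the Domain Controllers OU. The following script is an added example, not part of the course material, that does exactly that with the GroupPolicy and ActiveDirectory RSAT modules. The GPO name "DC Hardening" is an assumption; the registry keys are the ones the corresponding Security Options write.

```powershell
# Added example (not from the course slides): a GPO linked to the Domain
# Controllers OU that requires SMB signing and LDAP signing on every DC.
# Assumptions: GPO name "DC Hardening", RSAT GroupPolicy/ActiveDirectory
# modules available, run as a Domain Admin from a DC or management host.
Import-Module ActiveDirectory
Import-Module GroupPolicy

$gpoName = 'DC Hardening'
$dcOU    = (Get-ADDomain).DomainControllersContainer   # OU=Domain Controllers,DC=...

# Create the GPO once and link it to the Domain Controllers OU. An enforced
# link stops a later, lower-precedence GPO from relaxing these values.
if (-not (Get-GPO -Name $gpoName -ErrorAction SilentlyContinue)) {
    New-GPO -Name $gpoName -Comment 'Require SMB and LDAP signing on domain controllers' | Out-Null
}
$linked = (Get-GPInheritance -Target $dcOU).GpoLinks | Where-Object DisplayName -eq $gpoName
if (-not $linked) {
    New-GPLink -Name $gpoName -Target $dcOU -LinkEnabled Yes -Enforced Yes | Out-Null
}

# Registry values behind the Security Options named in the comments. Written
# this way they are registry policy (they show under "Extra Registry Settings"
# in the GPO report) but land in the same keys the Security Options UI sets.
$settings = @(
    # Microsoft network server: Digitally sign communications (always)
    @{ Key = 'HKLM\SYSTEM\CurrentControlSet\Services\LanManServer\Parameters';      Name = 'RequireSecuritySignature'; Value = 1 },
    # Microsoft network client: Digitally sign communications (always)
    @{ Key = 'HKLM\SYSTEM\CurrentControlSet\Services\LanmanWorkstation\Parameters'; Name = 'RequireSecuritySignature'; Value = 1 },
    # Domain controller: LDAP server signing requirements = Require signing
    @{ Key = 'HKLM\SYSTEM\CurrentControlSet\Services\NTDS\Parameters';             Name = 'LDAPServerIntegrity';      Value = 2 },
    # Network security: LDAP client signing requirements = Require signing
    @{ Key = 'HKLM\SYSTEM\CurrentControlSet\Services\LDAP';                        Name = 'LDAPClientIntegrity';      Value = 2 }
)
foreach ($s in $settings) {
    Set-GPRegistryValue -Name $gpoName -Key $s.Key -ValueName $s.Name -Type DWord -Value $s.Value | Out-Null
}

# Pre-check before forcing LDAP signing: a DC logs Directory Service event 2887
# once every 24 hours summarising clients that still bind without signing (or
# with a cleartext simple bind). Those clients will break once LDAPServerIntegrity=2 applies.
Get-WinEvent -FilterHashtable @{ LogName = 'Directory Service'; Id = 2887 } -MaxEvents 1 -ErrorAction SilentlyContinue |
    Select-Object TimeCreated, Message

# Verify on a DC after "gpupdate /force" or the next policy refresh.
Get-SmbServerConfiguration | Select-Object RequireSecuritySignature, EnableSecuritySignature
Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Services\NTDS\Parameters' -Name LDAPServerIntegrity |
    Select-Object LDAPServerIntegrity
Get-GPOReport -Name $gpoName -ReportType Html -Path "$env:TEMP\$gpoName.html"
```

Requiring LDAP signing is the step most likely to break something, which is why the 2887 check comes before the policy refresh: legacy applications that bind with simple binds over cleartext stop working the moment the DC enforces signing, so fix them (or move them to LDAPS) first.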

Page 7: Module 3

Implementing Secure Authentication

Consider the following factors when implementing secure authentication:
• Secure user accounts and passwords
• Secure groups with elevated permissions
• Audit critical object changes
• Deploy secure authentication, such as smart cards
• Secure network activity
• Establish deprovisioning and cleanup processes
• Secure client computers

Page 8: Module 3

Securing Physical Access to Domain Controllers

When securing physical access to your domain controllers, consider the following:
• RODCs for locations that cannot be physically secured
• BitLocker
• Hot-swap disk systems can lead to domain controller theft
• Protect virtual disks: virtual machine admins must be highly trusted, because a copy of the VHD is a copy of the directory database
• Store backups in secure locations

Page 9: Module 3

What are RODCs?

(Diagram: a writable domain controller running AD DS in the data center, replicating to an RODC running AD DS in the branch office.)

Data center (writable domain controller):
• Writable Windows Server 2008 or newer domain controller
• Password replication policy: specifies which user and computer passwords can be cached by the RODC

Branch office (RODC):
• Holds all objects, but only a subset of attributes
• Holds no secrets, apart from the passwords the password replication policy allows it to cache
• Not writable; writes are referred to a writable domain controller
• When users sign on, the RODC forwards the authentication request to a writable domain controller
• The password is cached on the RODC only if the password replication policy allows it
• Has a local administrators group

Page 10: Module 3

Deploying an RODC

Deploying an RODC:
• Prerequisites:
  • Adprep /rodcprep (once per forest, before the first RODC)
  • Sufficient Windows Server 2008 or newer writable domain controllers to act as replication partners for the RODCs
• One-step deployment:
  • Server Manager: Add Roles and Features, then the Active Directory Domain Services Configuration Wizard
  • Windows PowerShell: Install-ADDSDomainController -ReadOnlyReplica
• Two-step deployment (pre-staging and delegated promotion):
  • Create the RODC computer account: Active Directory Administrative Center or Add-ADDSReadOnlyDomainControllerAccount
  • Join the server to the pre-created account as the delegated administrator: Server Manager or Install-ADDSDomainController -UseExistingAccount (the read-only setting and the delegated admin are already recorded on the pre-created account, so -ReadOnlyReplica is not used in this step)
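The two-step deployment described above, written out as an added example (this is not the course lab script). The domain name adatum.com, the site "Branch", the RODC name LON-RODC1 and the groups "Branch Admins" and "Branch Users" are assumptions; the cmdlets and parameters are the ones in the ADDSDeployment module.

```powershell
# Added example (not from the course slides): two-step RODC deployment.
# Assumptions: domain adatum.com, AD site "Branch", RODC name LON-RODC1,
# delegated admin group "Branch Admins", branch user group "Branch Users".

# ---- Step 1: on a writable DC or RSAT host, as a Domain Admin ----
Import-Module ADDSDeployment

# Pre-create the RODC computer account. The password replication policy and
# the delegated administrator are recorded on this account, so the branch
# administrator who later promotes the server cannot change them.
Add-ADDSReadOnlyDomainControllerAccount `
    -DomainControllerAccountName         'LON-RODC1' `
    -DomainName                          'adatum.com' `
    -SiteName                            'Branch' `
    -DelegatedAdministratorAccountName   'ADATUM\Branch Admins' `
    -AllowPasswordReplicationAccountName @('ADATUM\Branch Users') `
    -DenyPasswordReplicationAccountName  @('ADATUM\Domain Admins', 'ADATUM\Enterprise Admins') `
    -InstallDns:$true

# The staged account belongs to Read-only Domain Controllers (primary group
# RID 521) and names the delegated admin in managedBy.
Get-ADComputer -Identity 'LON-RODC1' -Properties primaryGroupID, ManagedBy |
    Select-Object Name, primaryGroupID, ManagedBy

# ---- Step 2: on the branch server, as a member of Branch Admins ----
# The server must be a workgroup machine (not already joined to the domain).
# Promotion attaches it to the pre-created account and needs no Domain Admin.
Install-WindowsFeature AD-Domain-Services -IncludeManagementTools
Import-Module ADDSDeployment
Install-ADDSDomainController `
    -DomainName                    'adatum.com' `
    -UseExistingAccount `
    -Credential                    (Get-Credential -Message 'Member of ADATUM\Branch Admins') `
    -SafeModeAdministratorPassword (Read-Host -AsSecureString 'DSRM password') `
    -InstallDns:$true `
    -Force

# ---- After the reboot: confirm the DC is read-only and in the right site ----
Get-ADDomainController -Identity 'LON-RODC1' | Select-Object Name, IsReadOnly, Site, IsGlobalCatalog
Get-ADDomainController -Filter { IsReadOnly -eq $true } | Select-Object Name, Site
```

The point of the split is least privilege: the Domain Admin decides what the RODC may cache and who may administer it, and the person physically at the branch only supplies a server to attach to that account.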

Page 11: Module 3

Planning and Configuring RODC Credential Caching

A password replication policy determines which users' credentials are cached on a specific RODC
• You can configure credential caching by using:
  • The domain-wide password replication policy (the Allowed RODC Password Replication Group and Denied RODC Password Replication Group, which every RODC's policy references)
  • An RODC-specific password replication policy
  • The RODC filtered attribute set, which withholds selected attributes (for example, application secrets) from all RODCs
• Deny takes precedence over Allow when an account matches both lists

Page 12: Module 3

Demonstration: Configure a Password Replication Policy

In this demonstration, you will see how to:
• Stage a delegated installation of an RODC
• View an RODC's password replication policy
• Configure an RODC-specific password replication policy
• Verify the resultant password replication policy for a user

Page 13: Module 3

Administrator Role Separation

• Allows non-domain administrators to perform local administrative tasks on the RODC
• Each RODC maintains a local Security Accounts Manager database of groups for specific administrative purposes
• Configure the local administrator by:
  • Adding the user or group when pre-creating or installing the RODC
  • Adding a user or group on the Managed By tab of the RODC account properties
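The credential-caching and role-separation slides above describe one workflow: inspect the password replication policy, adjust it, check what it yields for a given account, pre-populate the cache, audit what the RODC already holds, and delegate local administration. This added example (not from the course) walks through it with the ActiveDirectory module. The RODC LON-RODC1, the writable DC LON-DC1, the groups "Branch Users" and "Branch Admins" and the user bwalker are assumptions.

```powershell
# Added example (not from the course slides): PRP management and role
# separation for one RODC. Assumptions: RODC LON-RODC1, writable DC LON-DC1,
# groups "Branch Users" / "Branch Admins", user "bwalker". Run as Domain Admin.
Import-Module ActiveDirectory
$rodc = 'LON-RODC1'

# 1. View the RODC's policy. The domain-wide Allowed/Denied RODC Password
#    Replication Groups appear here as well, because every RODC references them.
Get-ADDomainControllerPasswordReplicationPolicy -Identity $rodc -Allowed | Select-Object Name, ObjectClass
Get-ADDomainControllerPasswordReplicationPolicy -Identity $rodc -Denied  | Select-Object Name, ObjectClass

# 2. Allow caching for the branch users. The branch admins are denied here as
#    a design choice: they administer the box, so their domain credentials are
#    the most valuable thing a stolen RODC could reveal.
Add-ADDomainControllerPasswordReplicationPolicy -Identity $rodc -AllowedList 'Branch Users'
Add-ADDomainControllerPasswordReplicationPolicy -Identity $rodc -DeniedList  'Branch Admins'

# 3. Resultant policy for one account: Deny wins over Allow, so a member of
#    both groups comes back as Deny.
Get-ADAccountResultantPasswordReplicationPolicy -Identity 'bwalker' -DomainController $rodc

# 4. Pre-populate the cache so the user can still sign on while the WAN link
#    to the hub site is down (repadmin ships with the AD DS tools).
repadmin /rodcpwdrepl $rodc LON-DC1 'ADATUM\bwalker'

# 5. Audit what the RODC actually holds. RevealedAccounts is the list of
#    passwords to reset if the RODC is lost or stolen; AuthenticatedAccounts
#    shows who has authenticated through it (and so would be worth caching).
Get-ADDomainControllerPasswordReplicationPolicyUsage -Identity $rodc -RevealedAccounts      | Select-Object Name, ObjectClass
Get-ADDomainControllerPasswordReplicationPolicyUsage -Identity $rodc -AuthenticatedAccounts | Select-Object Name, ObjectClass

# 6. Administrator role separation: managedBy on the RODC computer object
#    names the principal that becomes a local administrator of the RODC
#    without receiving any rights in the domain.
$branchAdmins = Get-ADGroup -Identity 'Branch Admins'
Set-ADComputer -Identity $rodc -ManagedBy $branchAdmins.DistinguishedName
Get-ADComputer -Identity $rodc -Properties ManagedBy | Select-Object Name, ManagedBy
```

Step 5 is the operational payoff of an RODC: when a branch server disappears, the revealed-accounts list, not the whole domain, is what has to be reset. That only holds if the Allowed list has been kept narrow, which is why step 2 denies the administrators rather than allowing everyone at the site.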

Page 14: Module 3

Lesson 2: Implementing Password and Lockout Policies

• Password Policies
• Account Lockout Policies
• Demonstration: Configure Domain Account Policies
• Fine-Grained Password and Lockout Policies
• Understanding PSOs
• Demonstration: Configuring a Fine-Grained Password Policy
• PSO Precedence and Resultant PSO

Page 15: Module 3

Password Policies

• Set password requirements by using the following settings:
  • Enforce password history
  • Maximum password age
  • Minimum password age
  • Minimum password length
  • Password must meet complexity requirements, which means the password:
    • Does not contain the user's account name or display name
    • Has at least six characters
    • Contains characters from at least three of the following groups: uppercase letters, lowercase letters, numeric digits, and special (non-alphanumeric) characters

Page 16: Module 3

Account Lockout Policies

• Account lockout policies define whether accounts should be locked automatically after several failed attempts to log on
• To configure these policy settings, you must consider:
  • Account lockout duration
  • Account lockout threshold
  • Reset account lockout counter after

• Account lockout policies provide a level of security against online password guessing, but also provide an opportunity for denial of service: anyone who can submit failed logons for an account can lock it out deliberately

Page 17: Module 3

Demonstration: Configure Domain Account Policies

In this demonstration, you will see how to configure:
• A domain-based password policy
• An account lockout policy

Page 18: Module 3

Fine-Grained Password and Lockout Policies

• You can use fine-grained password policies to specify multiple password policies within a single domain
• Fine-grained password policies:
  • Apply only to user objects, InetOrgPerson objects, or global security groups
  • Cannot be applied directly to an OU
  • Do not interfere with custom password filters that you might use in the same domain

Page 19: Module 3

Understanding PSOs

Windows Server 2012 provides two tools for configuring PSOs:
• Windows PowerShell cmdlets:
  • New-ADFineGrainedPasswordPolicy
  • Add-ADFineGrainedPasswordPolicySubject

•Active Directory Administrative Center

Page 20: Module 3

Demonstration: Configuring a Fine-Grained Password Policy

In this demonstration, you will see how to configure and apply a fine-grained password policy

Page 21: Module 3

PSO Precedence and Resultant PSO

If multiple PSOs apply to a user:
• A PSO applied directly to the user is considered, rather than the PSOs that apply via group memberships
• The PSO with the lowest precedence value wins
• If two PSOs have the same precedence, the one with the smallest objectGUID wins

To evaluate a user object to see which PSO has been applied, you can use:
• The msDS-ResultantPSO Active Directory attribute
• Active Directory Administrative Center: Extensions, Attribute Editor, Filter: Show constructed attributes
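Lesson 2 as a whole is one procedure: set the domain-wide password and lockout policy, create a stricter PSO for administrative accounts, apply it to the right principals, and confirm the resultant policy. The following is an added example (not the course lab) that performs those steps with the ActiveDirectory module. The numeric values are illustrative, and the global group "Tier0 Admins" is an assumption.

```powershell
# Added example (not from the course slides): domain baseline, an admin PSO,
# and the resultant-policy check. Assumptions: global security group
# "Tier0 Admins" exists; values are illustrative. Run as a Domain Admin.
Import-Module ActiveDirectory
$domain = (Get-ADDomain).DNSRoot

# 1. Domain-wide policy, i.e. the settings carried in the Default Domain
#    Policy. Every user gets this unless a PSO applies to them.
Set-ADDefaultDomainPasswordPolicy -Identity $domain `
    -ComplexityEnabled $true -MinPasswordLength 10 -PasswordHistoryCount 24 `
    -MinPasswordAge (New-TimeSpan -Days 1) -MaxPasswordAge (New-TimeSpan -Days 90) `
    -LockoutThreshold 10 -LockoutDuration (New-TimeSpan -Minutes 30) `
    -LockoutObservationWindow (New-TimeSpan -Minutes 30) `
    -ReversibleEncryptionEnabled $false

# 2. A stricter PSO for administrative accounts. The lowest Precedence value
#    wins, so 10 beats any later PSO created with a larger value.
New-ADFineGrainedPasswordPolicy -Name 'Admin_PSO' -Precedence 10 -Description 'Administrative accounts' `
    -ComplexityEnabled $true -MinPasswordLength 15 -PasswordHistoryCount 24 `
    -MinPasswordAge (New-TimeSpan -Days 1) -MaxPasswordAge (New-TimeSpan -Days 42) `
    -LockoutThreshold 5 -LockoutDuration (New-TimeSpan -Minutes 30) `
    -LockoutObservationWindow (New-TimeSpan -Minutes 30) `
    -ReversibleEncryptionEnabled $false -ProtectedFromAccidentalDeletion $true

# 3. Apply it. Subjects must be users, inetOrgPersons or GLOBAL security
#    groups. Domain Admins is global and qualifies; Builtin\Administrators is
#    domain local and Enterprise Admins is universal, so neither can be a
#    subject. Members of those need a global group such as "Tier0 Admins".
Add-ADFineGrainedPasswordPolicySubject -Identity 'Admin_PSO' -Subjects 'Domain Admins', 'Tier0 Admins'

# 4. Resultant policy for one user: a directly applied PSO beats one inherited
#    through group membership, then the lowest Precedence wins, then the
#    smallest objectGUID. With no PSO at all, the domain policy applies.
$pso = Get-ADUserResultantPasswordPolicy -Identity 'Administrator'
if ($pso) {
    $pso | Select-Object Name, Precedence, MinPasswordLength, LockoutThreshold
} else {
    Get-ADDefaultDomainPasswordPolicy -Identity $domain | Select-Object MinPasswordLength, LockoutThreshold
}
# The same answer straight from the constructed attribute the slide names:
(Get-ADUser -Identity 'Administrator' -Properties 'msDS-ResultantPSO').'msDS-ResultantPSO'

# 5. All PSOs in precedence order, with their subjects, to spot overlaps.
Get-ADFineGrainedPasswordPolicy -Filter * -Properties AppliesTo |
    Sort-Object Precedence |
    Select-Object Name, Precedence, ObjectGUID, AppliesTo
```

Two practical checks are worth keeping from this: Get-ADUserResultantPasswordPolicy returns nothing for a user with no PSO (so the script falls back to the domain policy rather than reporting an empty result), and the subject list must be built from global groups, which is the usual reason a PSO "does not apply" to the built-in Administrators group.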

Page 22: Module 3

Lesson 3: Implementing Audit Authentication

• Account Logon and Logon Events
• Demonstration: Configuring Authentication-Related Audit Policies
• Scope Audit Policies
• Demonstration: Viewing Logon Events

Page 23: Module 3

Account Logon and Logon Events

Advanced audit policies provide 53 audit policy subcategories. Two of them are easy to confuse:
• Account logon events:
  • Registered by the system that authenticates the account
  • For domain accounts: the domain controller
  • For local accounts: the local computer
• Logon events:
  • Registered by the machine at which, or to which, the user logged on
  • Interactive logon: the user's own system
  • Network logon: the server being accessed

(Diagram: a user's logon produces a Logon event on the client, an Account Logon event on the domain controller running AD DS, and a further Logon event on each server the user then connects to.)

Page 24: Module 3

Demonstration: Configuring Authentication-Related Audit Policies

In this demonstration, you will see where the authentication-related audit policies are configured

Page 25: Module 3

Scope Audit Policies

(Diagram: audit policy scoping by GPO)
• Domain Controllers: Account Logon events, configured in the Default Domain Controllers Policy
• Remote Desktop Servers and HR clients: Logon events, configured in a custom GPO linked to their OUs

Page 26: Module 3

Demonstration: Viewing Logon Events

• In this demonstration, you will see how to view logon events
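The preceding slides of Lesson 3 say which audit subcategories belong on which machines and that the resulting events can then be viewed. The following added example (not part of the course demonstration) enables the relevant subcategories locally with auditpol and reads the events back by field name, so the same code works for the Account Logon events on a DC and the Logon events on a member server. The assumption is an elevated session; in production the subcategories come from the GPO path named in the comment and auditpol only shows the resultant setting.

```powershell
# Added example (not from the course slides). Assumption: elevated session.
# In production, set these under Computer Configuration > Policies >
# Windows Settings > Security Settings > Advanced Audit Policy Configuration,
# and enable the Security Option "Audit: Force audit policy subcategory
# settings (Windows Vista or later) to override audit policy category settings"
# so the legacy nine categories cannot overwrite them.

# --- Domain controller: Account Logon (the DC validates domain credentials) ---
auditpol /set /subcategory:"Credential Validation"              /success:enable /failure:enable
auditpol /set /subcategory:"Kerberos Authentication Service"    /success:enable /failure:enable
auditpol /set /subcategory:"Kerberos Service Ticket Operations" /success:enable /failure:enable

# --- Member server or client: Logon/Logoff (the machine being logged on to) ---
auditpol /set /subcategory:"Logon"           /success:enable /failure:enable
auditpol /set /subcategory:"Logoff"          /success:enable
auditpol /set /subcategory:"Account Lockout" /failure:enable

# Resultant settings for both categories.
auditpol /get /category:"Account Logon","Logon/Logoff"

# Read a named EventData field rather than a positional one: the position of
# TargetUserName differs between event IDs, the name does not.
function Get-EventDataField {
    param(
        [Parameter(Mandatory)][System.Diagnostics.Eventing.Reader.EventRecord]$Event,
        [Parameter(Mandatory)][string]$Name
    )
    $data = ([xml]$Event.ToXml()).Event.EventData.Data
    ($data | Where-Object { $_.Name -eq $Name }).'#text'
}

$since = (Get-Date).AddHours(-24)

# Account Logon events on a DC: 4768 TGT requested, 4771 Kerberos pre-auth
# failed (typically a wrong password), 4776 NTLM credential validation.
# 4768/4771 carry IpAddress; 4776 carries Workstation instead.
Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4768, 4771, 4776; StartTime = $since } -ErrorAction SilentlyContinue |
    Select-Object TimeCreated, Id,
        @{ n = 'Account'; e = { Get-EventDataField $_ 'TargetUserName' } },
        @{ n = 'Source';  e = { @((Get-EventDataField $_ 'IpAddress'), (Get-EventDataField $_ 'Workstation')) -ne $null | Select-Object -First 1 } }

# Logon events on the machine logged on to: 4624 success, 4625 failure.
# LogonType 2 = interactive, 3 = network, 10 = RemoteInteractive (RDP).
Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4624, 4625; StartTime = $since } -ErrorAction SilentlyContinue |
    Select-Object TimeCreated, Id,
        @{ n = 'Account';   e = { Get-EventDataField $_ 'TargetUserName' } },
        @{ n = 'LogonType'; e = { Get-EventDataField $_ 'LogonType' } },
        @{ n = 'Source';    e = { Get-EventDataField $_ 'IpAddress' } }

# Failed logons grouped by account: a quick check for password spraying, or
# for someone deliberately tripping the lockout threshold (the DoS the
# lockout slide warns about).
Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4625; StartTime = $since } -ErrorAction SilentlyContinue |
    Group-Object { Get-EventDataField $_ 'TargetUserName' } |
    Sort-Object Count -Descending |
    Select-Object Count, Name -First 10
```

The split mirrors the scoping diagram: on a domain controller the interesting signal is 4771 and 4776 failures (bad passwords against domain accounts, regardless of where they were typed), while on a Remote Desktop server or HR client it is 4624/4625 with the logon type, which tells you whether someone sat at the console, came in over RDP, or merely mapped a share.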

Page 27: Module 3

Lab: Securing AD DS

• Exercise 1: Implementing Security Policies for Accounts, Passwords, and Administrative Groups
• Exercise 2: Deploying and Configuring an RODC

Logon Information:
Virtual machines: 10969A-LON-DC1, 10969A-LON-DC2, 10969A-LON-SVR1
User name: Adatum\Administrator
Password: Pa$$w0rd

Estimated Time: 45 minutes

Page 28: Module 3

Lab Scenario

The security team at A. Datum Corporation has been examining the organization for possible security issues. It has been focusing on AD DS and is particularly concerned with AD DS authentication and branch-office domain controller security. You have been asked to help improve the security and monitoring of authentication against the enterprise's AD DS domain. You must enforce a specified password policy for all user accounts, and you must develop a more stringent password policy for security-sensitive administrative accounts. It also is important that you implement an appropriate audit trail to help monitor authentication attempts within AD DS. The second part of your assignment includes the deployment and configuration of RODCs to support AD DS authentication within a branch office.

Page 29: Module 3

Lab Review

• In the lab, we configured the password settings for all users within the Default Domain Policy, and we configured the password settings for Administrators within a PSO. What other options were available to accomplish the solution?
• In the lab, we used a precedence value of 10 for the administrative PSO. What is the reason for this?

Page 30: Module 3

Module Review and Takeaways

• Review Questions
• Tools