secure your active directory environment id 194
TRANSCRIPT
-
8/4/2019 Secure Your Active Directory Environment Id 194
1/43
Secure your Active Directory
Environment
Juan Martinez
Information Security Consultant, International Network Services
-
Agenda
Active Directory design issues
Trust Relationships
Schema Protection Firewall Considerations
Protecting Service Management
Group Policy Architecture System Hardening
-
Active Directory Design Issues
-
Security Boundaries
Forest security boundary
Domain boundaries for administration
Why is the forest the security boundary?
1. Forest-level service management
2. Implicit transitive trusts between all domains in a forest
-
Forest-level Service Management
-
Implicit Transitive Trusts
-
Domain Trust Vulnerability
A user's authorization data contains SIDs
-
Domain Trust Vulnerability
The trusting domain doesn't verify SIDs
-
Domain Trust Vulnerability
Solution: SID Filtering
-
Design Implications
You can't delete trusts between domains in a forest
You can't implement SID Filtering between domains in a forest
Well, you can, but it will break stuff
So a domain can't be considered a security boundary
All Domain Admins must be trusted
-
Design Spec Empty Root
-
DMZ Considerations
Preferred: no AD systems in the DMZ
Extranet considerations
Separate forest to provide isolation
Administrators that span forests should have separate accounts for each
-
Trust Relationships
-
Restricting Trust Relationships
SID Filtering
Enabled by default for external or forest trusts
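The trust vulnerability and its fix from the previous slides, worked through as an added example (not from the slides): a simplified model of the check SID filtering makes on the trusting side, with constructed sample SIDs, showing how a foreign SID that claims membership in the trusting domain is dropped in both quarantine (external trust) and forest-aware mode.

```python
import re

# Constructed sample SIDs for the walk-through (not taken from any real environment).
TRUSTED_DOMAIN_SID = "S-1-5-21-1111-2222-3333"   # domain on the far side of the trust
OUR_DOMAIN_SID = "S-1-5-21-4444-5555-6666"       # the trusting domain doing the check
# Well-known SIDs present in any token (Everyone, Authenticated Users, Network); a subset.
WELL_KNOWN_SIDS = {"S-1-1-0", "S-1-5-11", "S-1-5-2"}
_DOMAIN_SID_RE = re.compile(r"^S-1-5-21-\d+-\d+-\d+")

def domain_part(sid):
    """Domain identifier of an account SID (the S-1-5-21-x-y-z prefix, RID removed)."""
    m = _DOMAIN_SID_RE.match(sid)
    return m.group(0) if m else None

def accepted_sids(token_sids, trusted_domain_sid, forest_domain_sids=None):
    """Simplified model of SID filtering on the trusting side of a trust.
    Without filtering every SID in the incoming authorization data is honoured
    (the slides' vulnerability).  With filtering, an account SID passes only if
    its domain part is the trusted domain (quarantine, external trust) or one of
    the trusted forest's domains (forest trust); well-known SIDs pass.  A SID that
    claims to be from OUR domain is dropped like any other foreign SID.
    """
    allowed_domains = {trusted_domain_sid} | set(forest_domain_sids or ())
    kept = []
    for sid in token_sids:
        if sid in WELL_KNOWN_SIDS:
            kept.append(sid)
            continue
        dom = domain_part(sid)
        if dom is not None and dom in allowed_domains:
            kept.append(sid)
    return kept

def dropped_sids(token_sids, trusted_domain_sid, forest_domain_sids=None):
    """SIDs the filter removed: a useful audit signal, since a legitimate
    cross-trust logon should never carry a SID from the trusting domain."""
    kept = set(accepted_sids(token_sids, trusted_domain_sid, forest_domain_sids))
    return [s for s in token_sids if s not in kept]

# Constructed token of a user from the trusted domain.  The third entry has OUR
# domain's prefix and RID 512 (Domain Admins): the foreign SID an unverified
# trust would honour and SID filtering strips.
SAMPLE_TOKEN = [
    TRUSTED_DOMAIN_SID + "-1105",      # the user's own account
    TRUSTED_DOMAIN_SID + "-513",       # Domain Users of the trusted domain
    OUR_DOMAIN_SID + "-512",           # claims Domain Admins in OUR domain
    "S-1-5-21-7777-8888-9999-1200",    # a group in a third domain of the trusted forest
    "S-1-5-11",                        # Authenticated Users
]
```

Passing a list of the trusted forest's other domain SIDs as forest_domain_sids models the forest-aware mode; leaving it out models the stricter quarantine used on external trusts.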
-
Protect the Schema
-
Schema Policy
Ownership
Management of schema naming prefix
Delegating OIDs
Configuration Management
Define evaluation criteria for proposed schema extensions
Provide final approval/disapproval
Maintenance and documentation
-
Firewall Considerations
-
Firewall Considerations
Firewall the Root domain?
No real security gained, just added complexity
Firewall the Schema Master?
-
Firewall the Schema Master
-
Protecting Service
Management
-
Stronger Password Policies
Policy: stronger password requirements for elevated privilege accounts
Two options:
Custom password complexity requirements
Store all service management accounts in the forest root domain
-
Stronger Password Policies
ROOT Domain
Service Management: Users and Groups
Controlled OU structure in the forest root domain
-
Controlled OU Security
Type   Name                                Access                                                Applies To
Allow  Enterprise Admins                   Full Control                                          This object and all child objects
Allow  Service Management Owners           Full Control                                          This object and all child objects
Allow  SYSTEM                              Full Control                                          This object and all child objects
Allow  \Domain Admins                      List Contents, Read All Properties, Read Permissions  This object and all child objects
Allow  Pre-Windows 2000 Compatible Access  List Contents, Read All Properties, Read Permissions  This object and all child objects
Allow  Enterprise Domain Controllers       List Contents, Read All Properties, Read Permissions  This object and all child objects
-
Controlled OU Audit Settings
Type     Name      Access                                                                                                                                                              Applies To
Success  Everyone  Write All Properties, Delete, Delete Subtree, Modify Permissions, Modify Owner, All Validated Writes, All Extended Rights, Create All Child Objects, Delete All Child Objects  This object and all child objects
-
Gotchas
Several issues with using the separate-domain model for service management accounts
A custom Domain Admin-type group requires Domain Admin-level permissions
Can't add directly to the Domain Admins group
Procedures must be followed closely
-
Best Practices
Restrict membership to within the forest
Separate accounts
Cached credentials
Default service management accounts
Don't use Account Operators, Server Operators
-
Group Policy Architecture
-
The Basics
-
The Problem
How do I enforce enterprise-wide security policies?
Problem
Domains are boundaries for Group Policy
Possible solutions
Site-level GPOs
Non-technical solutions
-
Site-Level GPOs
-
Disadvantages
UGLY!!!
Replication issues
Performance issues
Issues with placement of ROOT DCs
Does not apply to Password policies
Non-technical solutions can be just as effective
-
Group Policy Best Practices
Local Group Policy vs. Domain Group Policy
Use synchronous mode
Security Policy Processing
Process even if the Group Policy objects have not changed
Explore capabilities
Extend group policy
-
Group Policy Best Practices
Minimize use of Block Policy Inheritance and Enforce options
Limit the number of GPOs
Link GPOs as closely as possible
Disable user/computer configuration when possible
Avoid cross domain linking of GPOs
-
Adopt a Baseline/Guideline
BASELINE !! BASELINE !! BASELINE !! BASELINE !!
-
Hardening Guideline Components
1. Preliminary Security Measures (done offline)
   BIOS level protection
   AV
   Physical security
   Patch
   Verify software, shares, users
   Patches
-
Hardening Guideline Components
2. Apply group policy
   Automatic OU placement (netdom)
3. Manual hardening procedures
   DS restore mode password
4. Verify functionality and security
5. Back out procedures
6. Known vulnerabilities register
-
Domain Controllers and DHCP
Don't run DHCP on Domain Controllers if you're using dynamic updates
(DNSUpdateProxy group issue)
-
Questions
Juan Martinez
[email protected]
http://www.ins.com/