Best Practice Guide For Securing Active Directory Installations


Best Practice Guide for Securing Active Directory Installations

Microsoft Corporation

First published: October 2005
Updated and republished: January 2009

Abstract

This guide contains recommendations for protecting domain controllers against known threats, establishing administrative policies and practices to maintain network security, and protecting Domain Name System (DNS) servers from unauthorized updates. It also provides guidelines for maintaining Active Directory security boundaries and securing Active Directory administration.

Copyright information

Information in this document, including URL and other Internet Web site references, is subject to change without notice. Unless otherwise noted, the example companies, organizations, products, domain names, e-mail addresses, logos, people, places, and events depicted herein are fictitious, and no association with any real company, organization, product, domain name, e-mail address, logo, person, place, or event is intended or should be inferred. Complying with all applicable copyright laws is the responsibility of the user. Without limiting the rights under copyright, no part of this document may be reproduced, stored in, or introduced into a retrieval system, or transmitted in any form or by any means (electronic, mechanical, photocopying, recording, or otherwise), or for any purpose, without the express written permission of Microsoft Corporation.

Microsoft may have patents, patent applications, trademarks, copyrights, or other intellectual property rights covering subject matter in this document. Except as expressly provided in any written license agreement from Microsoft, the furnishing of this document does not give you any license to these patents, trademarks, copyrights, or other intellectual property.

© 2005–2009 Microsoft Corporation. All rights reserved.

Active Directory, Microsoft, Windows, and Windows Server are either registered trademarks or trademarks of Microsoft Corporation in the United States and/or other countries.

The names of actual companies and products mentioned herein may be the trademarks of their respective owners.

Contents

Best Practice Guide for Securing Active Directory Installations
  Scope of This Guide (Best Practices for Securing Active Directory Installations)
  General Guidelines (Best Practices for Securing Active Directory Installations)
  Audience (Best Practices for Securing Active Directory Installations)
  How to Use This Guide (Best Practices for Securing Active Directory Installations)

Chapter 1: Planning In-Depth Active Directory Security
  Overview of the Role of Active Directory in Secure Access
  Authentication: Identifying Network Users
  Authorization: Allowing Access to Network Resources
  Planning for Active Directory Security-in-Depth
  Deployment Scenarios for Domain Controllers in a Secure Network Operating System
  Domain Controllers in Intranet Datacenters
  Domain Controllers in Branch Offices
  Domain Controllers in Extranet Datacenters
  Security Planning Through Threat Analysis
  Identifying Types of Threats
  Spoofing
  Tampering with Data
  Repudiation
  Information Disclosure
  Denial of Service
  Elevation of Privilege
  Social Engineering
  Identifying Sources of Threats

Chapter 2: Establishing Secure Active Directory Boundaries
  Specifying Security and Administrative Boundaries
  Delegating Administration
  Trusting Service Administrators
  Selecting an Active Directory Structure Based on Delegation Requirements
  Implications for Active Directory in Extranet Deployment
  Establishing Secure Collaboration with Other Forests
  SID History and External Trusts
  Security Risk Posed by SID History
  Blocking SIDs from Untrusted Domains
  Impact of SID Filtering on External Trusts
  Security Risks Associated with Forest Trusts
  Security Considerations for Resource Access Across Forests
  Recommendations: Establishing Secure Active Directory Boundaries
  Recommendations for Specifying Security and Administrative Boundaries
  Recommendations for Selecting an Active Directory Structure Based on Delegation Requirements
  Recommendations for Establishing Secure Collaboration with Other Forests

Chapter 3: Deploying Secure Domain Controllers
  Securing the Domain Controller Build Environment
  Building Domain Controllers in Datacenter Environments
  Building Domain Controllers in Branch Office Environments
  Establishing Secure Domain Controller Build Practices
  Automated Installation Processes
  Using an Image-Based Installation Process
  Using an Answer-File-based Installation Process
  Creating the Image for Windows Server 2003 Image-Based Installations
  Ensuring Predictable, Repeatable, and Secure Domain Controller Deployments
  Installing Windows Server 2003 with Secure Configuration Settings, Service Packs, and Hotfixes
  Creating a Strong Administrator Password
  Disabling NTFS Automatic 8.3 Name Generation
  Running Virus-Scanning Software on the Server
  Enabling Only Essential Services
  Creating a Reserve File to Enable Recovery from Disk-Space Attacks
  Configuring the Automatic Installation of Active Directory
  Using Unattended Active Directory Installation
  Selecting Secure Active Directory Configuration Settings
  Specifying Locations for the Active Directory Database, Logs, and SYSVOL
  Configuring Pre–Windows 2000 Compatibility (Anonymous Access to Active Directory) for New Domains
  Determining the Need for Anonymous Access to Active Directory Data
  Testing for Anonymous Active Directory Access
  Eliminating the Requirement for Anonymous Active Directory Access
  Disabling Anonymous Active Directory Access
  Running Virus Scans on Domain Controllers
  Preventing Interference Between Active Directory Database and Log File Access and Virus Scans
  Preventing Interference Between FRS Database and Log File Access and Virus Scans
  Preventing Virus Scans from Triggering Excessive FRS Replication
  Excluding Antivirus Scanning of SYSVOL
  Requiring Script Signing on Domain Controllers and Administrative Workstations
  Maintaining Physical Security
  Securing Domain Controllers Against Physical Access
  Preventing Domain Controllers from Booting into Alternate Operating Systems
  Protecting Domain Controllers on Restart by Using SYSKEY
  Evaluating the Need for SYSKEY
  Selecting a Method for Securing Domain Controller Restarts with SYSKEY
  Providing SYSKEY Passwords to Secure Domain Controller Restarts
  Providing SYSKEY Floppy Disks to Secure Domain Controller Restarts
  Securing Backup Media Against Physical Access
  Enhancing the Security of the Network Infrastructure
  Securing Cabling Rooms
  Placing Domain Controllers in Secure Network Segments
  Placing Domain Controllers in Datacenters
  Placing Domain Controllers in Perimeter Networks
  Placing Domain Controllers in Branch Offices
  Securing the Remote Restart of Domain Controllers
  Recommendations: Deploying Secure Domain Controllers
  Recommendations for Securing the Domain Controller Build Environment
  Recommendations for Establishing Secure Domain Controller Build Practices
  Recommendations for Using Automated Installation Processes
  Recommendations for Ensuring Predictable, Repeatable, and Secure Domain Controller Deployments
  Recommendations for Configuring the Automatic Installation of Active Directory
  Recommendations for Maintaining Physical Security

Chapter 4: Strengthening Domain and Domain Controller Policy Settings
  Default Domain and Domain Controller GPOs
  Strengthening Security Policy Settings
  Applying Security Policy Settings
  Auditing Important Active Directory Objects
  Strengthening Domain Policy Settings
  Modifying Domain Security Policy
  Strengthening Password Policy Settings for Domains
  Strengthening Account Lockout Policy Settings for Domains
  Reviewing Kerberos Policy Settings for Domains
  Strengthening Domain Controller Policy Settings
  Domain Controller Security Policy Settings
  Changes to Domain Controller Security Policy
  Reviewing Domain Controller Audit Policy Settings
  Strengthening Domain Controller User Rights Assignment Policy Settings
  Strengthening Domain Controller Security Options Policy Settings
  Disabling LAN Manager Authentication
  SMB Signing on Domain Controllers
  Strengthening Domain Controller Event Log Policy Settings
  Applying Selected Domain and Domain Controller Policy Settings
  Modifying the Settings in the Default Domain Policy GPO and the Default Domain Controllers Policy GPO
  Applying a New Group Policy Object to the Domain Controllers OU
  Reviewing Audit Settings on Important Active Directory Objects
  Reviewing Default Audit Settings on the Schema Directory Partition
  Reviewing Default Audit Settings on the Configuration Directory Partition
  Reviewing Default Audit Settings on the Domain Directory Partition
  Reviewing Default Audit Settings on the Policies Container
  Recommendations: Strengthening Domain and Domain Controller Policy Settings
  Recommendations for Strengthening Domain Policy Settings
  Recommendations for Strengthening Domain Controller Policy Settings
  Recommendations for Applying Selected Domain and Domain Controller Policy Settings
  Recommendations for Reviewing Audit Settings on Important Active Directory Objects

Chapter 5: Establishing Secure Administrative Practices
  Establishing Secure Service Administration Practices
  Securing Service Administrator Accounts
  Limiting the Exposure of Service Administrator Accounts
  Limit the Number of Service Administrator Accounts
  Separate Administrative and User Accounts for Administrative Users
  Hide the Domain Administrator Account
  Managing Service Administrators in a Controlled Subtree
  Task 1: Create the OU structure for the controlled subtree.
  Task 2: Set the permissions on the controlled subtree OUs.
  Task 3: Move service administrator groups to the controlled subtree.
  Task 4: Add service administrator user accounts to the controlled subtree.
  Task 5: Add administrative workstation accounts to the controlled subtree.
  Task 6: Enable auditing on the controlled subtree.
  Protecting the Service Administrator Accounts
  Hiding the Membership of the Service Administrator Groups
  Managing Group Memberships for Service Administrator Accounts
  Assign Trustworthy Personnel
  Restrict Service Group Membership to Users Within the Forest
  Limit the Schema Admins Group to Temporary Members
  Limit Administrator Rights to Those Rights That Are Actually Required
  Controlling the Administrative Logon Process
  Require Smart Cards for Administrative Logon
  Share Logon Credentials for Sensitive Administrative Accounts
  Securing Service Administrator Workstations
  Restricting Service Administrators Logon to Administrative Workstations
  Prohibiting the Use of Cached Credentials in Unlocking an Administrative Console
  Avoiding Running Applications in Administrative Contexts
  Running Antivirus Software
  Securing Traffic Between Administrative Workstations and Domain Controllers
  Securing LDAP Traffic Between Administrative Workstations and Domain Controllers
  Using Terminal Services to Perform Procedures Remotely on Domain Controllers
  Avoiding the Delegation of Security-Sensitive Operations
  Restricting the Delegation of Sensitive Forest-Level Operations
  Restricting the Delegation of Sensitive Domain-Level Operations
  Establishing Secure Data Administration Practices
  Delegating Data Management
  Restricting Group Policy Application to Trusted Individuals
  Taking Ownership of a Data Object
  Reserving Ownership of Directory Partition Root Objects for Service Administrators
  Preventing Concurrent Group Membership Changes
  Windows 2000 Replication of Entire Group Membership
  Windows Server 2003 Replication of Separate Member Values
  Setting Object Ownership Quotas
  Establishing Other Secure Practices for Delegating Administration
  Avoiding Use of the Dnprotect Tool
  Avoiding Use of Domain Local Groups for Controlling Read Access to Global Catalog Data
  Recommendations: Establishing Secure Administrative Practices
  Recommendations for Establishing Secure Service Administration Practices
  Recommendations for Establishing Secure Data Administration Practices

Chapter 6: Securing DNS
  Deploying Secure DNS
  Protecting DNS Servers
  Implementing IPSec Between DNS Clients and Servers
  Monitoring Network Activity
  Closing All Unused Firewall Ports
  Protecting DNS Data
  Using Secure Dynamic Update
  Using Quotas to Limit the Number of DNS Resource Records That Can Be Registered
  Explicit Quotas for Domain Controllers and Other Servers
  Explicit Quotas for DHCP Servers
  Ensuring That Only Trusted Individuals Are Granted DNS Administrator Privileges
  Delegating Administration of DNS Data
  Using Appropriate Routing Mechanisms
  Using Separate Internal and External DNS Namespaces
  Disabling Recursion
  Non–Active Directory–Integrated DNS Security
  Recommendations: Securing DNS
  Recommendations for Deploying Secure DNS
  Recommendations for Non–Active Directory–Integrated DNS Security

Appendix: Procedures
  Enabling SID Filtering
  Enabling Auditing on Important Active Directory Objects
  Securing Scripts with Script Signing
  Updating the Default Domain Policy GPO and the Default Domain Controllers Policy GPO
  Creating a New GPO on the Domain Controllers OU and Changing Its Precedence
  Creating a .reg File
  Creating a Reserve File
  Enabling Monitoring for Anonymous Active Directory Access
  Monitoring for Anonymous Active Directory Access
  Renaming the Default Administrator Account
  Creating a Decoy Administrator Account
  Changing the Security Descriptor on AdminSDHolder
  Denying Logon Access to the Domain
  Allowing Logon Access to Administrative Workstations

Appendix: Setting User Account Control Policy for Delegated Administrators
  How User Account Policy Violations Occurred in Windows 2000 Server Prior to SP4
  How Controlled Access Rights to User Accounts Are Enforced in Windows 2000 Server SP4 and Later
  Modifying the default security setting
  Controlling OWF Password Policy
  Summary

Best Practice Guide for Securing Active Directory Installations

Organizations require a network operating system (NOS) that provides secure network access to network data by authorized users and that rejects access by unauthorized users. For a Microsoft Windows Server 2003 NOS, the Active Directory directory service provides many key components for authenticating users and for generating authorization data that controls access to network resources.

Note
This guide does not include operations information. For more information about day-to-day service operations for Windows Server 2003 deployments, see the Windows Server 2003 Operations Guide, which is available as a downloadable document on the Microsoft Web site (http://go.microsoft.com/fwlink/?LinkId=63079).

A breach in Active Directory security can result in the loss of access to network resources by legitimate clients or in the inappropriate disclosure of potentially sensitive information. Such information disclosure affects data that is stored on network resources or in Active Directory. To avoid these situations, organizations need more extensive information and support to ensure enhanced security for their NOS environments. This guide addresses this need for organizations that have new, as well as existing, Active Directory deployments.

This guide contains recommendations for protecting domain controllers against known threats, establishing administrative policies and practices to maintain network security, and protecting DNS servers from unauthorized updates. It also provides guidelines for maintaining Active Directory security boundaries and securing Active Directory administration.

This guide also includes procedures for enacting these recommendations. For more information, see "Appendix: Procedures" later in this guide.

Note
The recommendations and procedures in this guide have been tested in a lab to demonstrate that domain controllers that are built, configured, and administered in accordance with these recommendations can be deployed and operated in an efficient manner that enhances security.

In This Guide

Scope of This Guide (Best Practices for Securing Active Directory Installations)
Chapter 1: Planning In-Depth Active Directory Security
Chapter 2: Estab
