Transcription
Active Directory Security Best Practices
Friedwart Kuhn
(Digitally signed by Friedwart Kuhn, 2017-04-12)
Agenda
Who We Are
Intro
Mistake No. 1: Lack of AD Governance
The Problem: Lack of AD Governance (link remnant on the slide: s/books/sampchap/3173.aspx)
The Solution: Dedicated AD Governance
The Solution: Dedicated AD Governance (cont.)
Mistake No. 2: Admins (and Service Accounts) Logging on Everywhere
The Problem: Admins Logging on Everywhere (diagram: logon paths of provider accounts Prov1, Prov2, Prov3 into Org. systems)
Result of Mistake 2 (diagram: Power: Domain Controllers; Data: Servers and Applications; Access: Users and Workstations). This slide is from: Mark Simos, Nicholas DiCola; "TWC: Pass-the-Hash and Credential Theft Mitigation Architectures".
The Solution: Implement Administrative Tiers
- Tier 0: Enterprise & Domain Admins, BUILTIN\Administrators (general: Tier 0 admins). Systems: Domain Controllers, Domain Admin workstations, special Tier 0 systems (patch, AV, management).
- Tier 1: Server admins, server services, application admins (general: Tier 1 admins). Systems: application servers, server/app admin workstations, Tier 1 management systems.
- Tier 2: Workstation admins (Tier 2 admins). Systems: internet-connected workstations of standard users.
- Tier 3: Standard users.
Tier Model Principles
- Classify: every single security principal, system, or application has to be classified as belonging to exactly one tier.
- Restrict logons: security principals of a higher tier must never log on to a resource on a lower tier (implement logon restrictions).
- Restrict control: security principals of a lower tier must never control resources of a higher tier (implement control restrictions).
Control Restrictions vs. Logon Restrictions
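The following is an added example, not code from the slides, that turns the Restrict Logons and Restrict Control rules into a check over logon records. The tier classification and the logon records are constructed for the demonstration (account and host names are hypothetical); in production the classification is your tier inventory and the records come from Security event 4624 on the target systems. A principal with a smaller tier number than the system it logs on to violates the logon restriction; the reverse direction is the limited-access case of Example 1 in the additional material and is flagged for review rather than as a violation when it is a network logon.

```powershell
# Added example, not part of the original slides.
# Tier 0 is the most privileged tier: a smaller number means more privilege.
# Constructed classification (assumption: every principal and system has exactly one tier).
$PrincipalTier = @{
    'CORP\da-admin'   = 0   # Domain Admin
    'CORP\srv-admin1' = 1   # server/application admin
    'CORP\ws-admin1'  = 2   # workstation admin
    'CORP\jdoe'       = 3   # standard user
}
$SystemTier = @{
    'DC01'    = 0   # domain controller
    'APP01'   = 1   # application server
    'FS01'    = 1   # file server
    'WS-0042' = 2   # user workstation
}

function Test-TierLogon {
    <# Evaluate one logon against the tier rules and return a verdict object. #>
    param(
        [Parameter(Mandatory)][string]$Account,
        [Parameter(Mandatory)][string]$Computer,
        [int]$LogonType   # 2 = interactive, 3 = network, 5 = service, 10 = RemoteInteractive (RDP)
    )
    $result = [ordered]@{ Account = $Account; Computer = $Computer; LogonType = $LogonType }
    if (-not $PrincipalTier.ContainsKey($Account)) {
        $result.Verdict = 'UNCLASSIFIED principal (violates the Classify principle)'
    } elseif (-not $SystemTier.ContainsKey($Computer)) {
        $result.Verdict = 'UNCLASSIFIED system (violates the Classify principle)'
    } else {
        $pt = $PrincipalTier[$Account]
        $st = $SystemTier[$Computer]
        $result.PrincipalTier = $pt
        $result.SystemTier    = $st
        # Interactive-type logons (2, 10, 11) leave reusable credentials on the target; a network logon (3) does not.
        $exposes = $LogonType -in @(2, 10, 11)
        $result.Verdict = if ($pt -lt $st) {
            if ($exposes) { 'VIOLATION: higher-tier credential exposed on a lower-tier system' }
            else          { 'VIOLATION: higher-tier principal authenticating to a lower-tier system' }
        } elseif ($pt -gt $st -and $exposes) {
            'VIOLATION: lower-tier principal logged on interactively to a higher-tier system'
        } elseif ($pt -gt $st) {
            'REVIEW: lower-tier principal accessing a higher-tier resource over the network (limited access only, no control)'
        } else {
            'OK'
        }
    }
    [pscustomobject]$result
}

# Constructed logon records in the shape of the 4624 fields TargetUserName, WorkstationName, LogonType.
$Logons = @(
    [pscustomobject]@{ Account = 'CORP\da-admin';   Computer = 'DC01';    LogonType = 2  }
    [pscustomobject]@{ Account = 'CORP\da-admin';   Computer = 'WS-0042'; LogonType = 10 }  # DA over RDP to a user workstation
    [pscustomobject]@{ Account = 'CORP\srv-admin1'; Computer = 'APP01';   LogonType = 10 }
    [pscustomobject]@{ Account = 'CORP\srv-admin1'; Computer = 'DC01';    LogonType = 3  }  # Tier 1 admin reading a Tier 0 share
    [pscustomobject]@{ Account = 'CORP\svc-backup'; Computer = 'FS01';    LogonType = 5  }  # service account nobody classified
    [pscustomobject]@{ Account = 'CORP\jdoe';       Computer = 'WS-0042'; LogonType = 2  }
)

$Logons |
    ForEach-Object { Test-TierLogon -Account $_.Account -Computer $_.Computer -LogonType $_.LogonType } |
    Format-Table Account, Computer, LogonType, PrincipalTier, SystemTier, Verdict -AutoSize
```

The enforcement counterpart, not shown here, is the set of "Deny log on locally", "Deny log on through Remote Desktop Services", "Deny log on as a batch job" and "Deny log on as a service" user-rights assignments that each lower tier's GPO applies to the higher tiers' admin groups; the check above is what tells you where those GPOs are missing.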
Implementation Guidelines
Summary
Mistake No. 3: Using "Dirty Sources"
The Problem: Security Dependencies
- OS or application install: depends on the installation media (compromise vector: infect the media).
- Administration task: depends on the user workstation (compromise vector: infect the workstation).
The Solution: Clean Source
Clean Source Principle: Installation
Clean Source Principle: Administration
Clean Source Principle: PAWs (diagram: PAW, user VM, PAW)
Clean Source Principle: ESAE/PRIV Forest (diagram: ESAE forest = Tier 0; PRIV forest = Tier 1, Tier 2; standard users; production forest)
Exemplary Secure Administration Environment Models
- PAWs: Tier 0 managed via PAWs; trust for identities of shared services; global resource forest; account forest(s).
- Local ESAE forest: Tier 0 managed via local ESAE forest; trust for identities of shared services; global resource forest; account forest(s).
- Global ESAE forest: Tier 0 managed via global ESAE forest; trust for identities of shared services; global resource forest; account forest(s).
Exemplary ESAE Forest Implementation (diagram): ESAE forest with AD(s), app AD, DNS, Hyper-V, WSUS, AV/monitoring/vulnerability scanning, PKI and firewall, layered by OS / hardware / network. Tier 0: OS (DCs/members), hardware, hardware management, network switches/firewall, jump hardware. Tier 2: virtual clients, hardware clients, PKI, identity, switches, web apps, VPN, DBs. PAWs: physically in Tier 2, logically in Tier 0.
Mistake No. 4: (AD) Borders Not Under Control
The Problem: AD Borders Neither Well-defined Nor Controlled: Trusts
- Too many trusts
- Trusts are too open (diagram: trusted forest, DC1, trusting forest). All authentication requests coming over the trust are authenticated and routed by DC1. With domain- or forest-wide authentication, every principal of the trusted forest becomes a member of Authenticated Users in the trusting forest, so anything granted to Authenticated Users is granted across the trust.
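As an added example (not from the slides), the following script lists the trusts of the current domain with the settings that decide how open they are: selective authentication, SID filtering, TGT delegation and Kerberos key types. It assumes the ActiveDirectory PowerShell module on a domain-joined host and reads the properties as Get-ADTrust reports them; cross-check a finding with netdom trust <trusting-domain> /domain:<trusted-domain> /quarantine and /SelectiveAuth before changing anything.

```powershell
# Added example, not part of the original slides. Requires the ActiveDirectory module (RSAT)
# on a domain-joined host; read access to the trustedDomain objects is enough.
Import-Module ActiveDirectory

function Get-TrustExposure {
    <# One row per trust with the settings that decide how much of the other side can reach us. #>
    Get-ADTrust -Filter * | ForEach-Object {
        $findings = @()
        if (-not $_.IntraForest) {
            # Without selective authentication the trust uses domain-/forest-wide authentication:
            # every principal of the other side becomes a member of Authenticated Users over here.
            if (-not $_.SelectiveAuthentication) {
                $findings += 'domain-/forest-wide authentication (no selective authentication)'
            }
            # SID filtering: "quarantine" on external trusts, forest-aware filtering on forest trusts.
            if ($_.ForestTransitive -and -not $_.SIDFilteringForestAware) {
                $findings += 'SID filtering not enforced on this forest trust'
            }
            if (-not $_.ForestTransitive -and -not $_.SIDFilteringQuarantined) {
                $findings += 'quarantine (SID filtering) off on this external trust'
            }
        }
        if ($_.TGTDelegation)                              { $findings += 'TGT delegation allowed across the trust' }
        if ($_.UsesRC4Encryption -and -not $_.UsesAESKeys) { $findings += 'trust account has RC4 keys only' }
        [pscustomobject]@{
            Target           = $_.Target
            Direction        = $_.Direction
            TrustType        = $_.TrustType
            ForestTransitive = $_.ForestTransitive
            IntraForest      = $_.IntraForest
            Findings         = if ($findings) { $findings -join '; ' } else { 'none' }
        }
    }
}

Get-TrustExposure | Sort-Object Findings -Descending | Format-Table -AutoSize -Wrap
```

Remediation is done on the trusting side: netdom trust <trusting-domain> /domain:<trusted-domain> /SelectiveAuth:Yes switches the trust to selective authentication, after which only computers whose object grants "Allowed to Authenticate" to the foreign principals accept them; /Quarantine:Yes enables SID filtering on an external trust and /EnableSIDHistory:No removes the SID-history exception on a forest trust.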
The Problem: AD Borders Neither Well-defined Nor Controlled: DMZ
The Solution: AD Border & Trust (title truncated; link remnant on the slide: trust-2/)
Trusts
DMZ AD
Mistake No. 5: Best Practices Lost in Time
The Problem: Basics Are Overlooked
The Solution: Do the Basics
AdminSDHolder Object
The Solution: Do the Basics (cont.)
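An added example for the AdminSDHolder slide (not the presenter's code): it lists the ACEs on the AdminSDHolder object, finds accounts that still carry adminCount=1 although they are in no protected group any more, and shows the clean-up for a confirmed orphan. It assumes the ActiveDirectory module and the default set of protected groups; the AdminSDHolder ACL is printed in full because which trustees count as expected depends on the domain.

```powershell
# Added example, not part of the original slides. Requires the ActiveDirectory module.
Import-Module ActiveDirectory
$DomainDN = (Get-ADDomain).DistinguishedName

# Groups whose members SDProp protects by stamping the AdminSDHolder ACL on them (assumption: default set).
$ProtectedGroups = 'Administrators', 'Domain Admins', 'Enterprise Admins', 'Schema Admins',
    'Account Operators', 'Server Operators', 'Print Operators', 'Backup Operators', 'Replicator',
    'Domain Controllers', 'Read-only Domain Controllers'

function Get-AdminSDHolderAces {
    <# Who has which rights on AdminSDHolder. Any trustee beyond the stock admin principals
       inherits those rights onto every protected account within the hour: a persistence candidate. #>
    $acl = Get-Acl -Path "AD:\CN=AdminSDHolder,CN=System,$DomainDN"
    $acl.Access |
        Select-Object IdentityReference, ActiveDirectoryRights, AccessControlType, IsInherited |
        Sort-Object IdentityReference
}

function Get-OrphanedAdminCount {
    <# Objects stamped adminCount=1 that are no longer in any protected group. They keep the
       hardened, non-inheriting ACL and the flag until someone cleans them up. #>
    $protected = @{}
    foreach ($g in $ProtectedGroups) {
        try {
            Get-ADGroupMember -Identity $g -Recursive -ErrorAction Stop |
                ForEach-Object { $protected[$_.DistinguishedName] = $true }
        } catch {
            Write-Verbose "skipping '$g': $_"
        }
    }
    # krbtgt is protected by design and never a group member, so it is excluded here.
    Get-ADObject -LDAPFilter '(&(adminCount=1)(|(objectClass=user)(objectClass=group))(!(sAMAccountName=krbtgt)))' `
                 -Properties nTSecurityDescriptor |
        Where-Object { -not $protected.ContainsKey($_.DistinguishedName) } |
        ForEach-Object {
            [pscustomobject]@{
                Name               = $_.Name
                ObjectClass        = $_.ObjectClass
                DistinguishedName  = $_.DistinguishedName
                InheritanceBlocked = $_.nTSecurityDescriptor.AreAccessRulesProtected
            }
        }
}

function Repair-OrphanedAdminCount {
    <# For a confirmed orphan: clear adminCount and let the object inherit its OU's ACL again. #>
    param([Parameter(Mandatory)][string]$DistinguishedName)
    Set-ADObject -Identity $DistinguishedName -Clear adminCount
    $acl = Get-Acl -Path "AD:\$DistinguishedName"
    $acl.SetAccessRuleProtection($false, $true)   # re-enable inheritance, keep the explicit ACEs
    Set-Acl -Path "AD:\$DistinguishedName" -AclObject $acl
}

Get-AdminSDHolderAces | Format-Table -AutoSize
Get-OrphanedAdminCount | Format-Table Name, ObjectClass, InheritanceBlocked -AutoSize
# After review: Get-OrphanedAdminCount | ForEach-Object { Repair-OrphanedAdminCount -DistinguishedName $_.DistinguishedName }
```

Run the repair only after confirming that the account really has no privileged role left; an orphan that is still used interactively by an admin belongs back in a tiered admin group, not de-protected.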
Mistake No. 6: Too Many and Too Privileged Service Accounts
The Problem: Overabundance of Service Accounts
The Solution: Service Account Housekeeping
Mistake No. 7: Too Many Admins
The Problem: Over-privileged Accounts
The Solution: Remove Privileges
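One added example serves both Mistake No. 6 and Mistake No. 7 (it is not code from the slides): it reports every user who is, directly or through nesting, a member of a privileged group and every account that carries an SPN, with the attributes that make an account risky (an SPN on a privileged account, password never expires, password older than a year). It assumes the ActiveDirectory module; the list of privileged groups and the one-year threshold are choices for the demonstration, and the gMSA names at the end are hypothetical.

```powershell
# Added example, not part of the original slides. Requires the ActiveDirectory module.
Import-Module ActiveDirectory

$PrivilegedGroups = 'Domain Admins', 'Enterprise Admins', 'Schema Admins', 'Administrators',
                    'Account Operators', 'Server Operators', 'Backup Operators', 'Print Operators'
$UserProps = 'servicePrincipalName', 'PasswordLastSet', 'PasswordNeverExpires', 'LastLogonDate', 'Enabled', 'Description'

function Get-PrivilegedUserReport {
    <# Every user who is (transitively) a member of a privileged group, with the attributes that matter. #>
    foreach ($name in $PrivilegedGroups) {
        $group = Get-ADGroup -Filter "Name -eq '$name'"
        if (-not $group) { continue }   # Enterprise/Schema Admins only exist in the forest root domain
        # LDAP_MATCHING_RULE_IN_CHAIN (1.2.840.113556.1.4.1941) resolves nested membership on the DC.
        Get-ADUser -LDAPFilter "(memberOf:1.2.840.113556.1.4.1941:=$($group.DistinguishedName))" -Properties $UserProps |
            ForEach-Object {
                [pscustomobject]@{
                    Group                = $name
                    User                 = $_.SamAccountName
                    Enabled              = $_.Enabled
                    HasSPN               = [bool]$_.servicePrincipalName   # privileged and Kerberoastable
                    PasswordNeverExpires = $_.PasswordNeverExpires
                    PasswordAgeDays      = if ($_.PasswordLastSet) { [int]((Get-Date) - $_.PasswordLastSet).TotalDays } else { $null }
                    LastLogonDate        = $_.LastLogonDate
                }
            }
    }
}

function Get-ServiceAccountReport {
    <# All user accounts carrying an SPN, i.e. used as service identities; krbtgt excluded. #>
    Get-ADUser -LDAPFilter '(&(servicePrincipalName=*)(!(sAMAccountName=krbtgt)))' -Properties $UserProps |
        ForEach-Object {
            [pscustomobject]@{
                User                 = $_.SamAccountName
                Enabled              = $_.Enabled
                SPNs                 = ($_.servicePrincipalName -join ', ')
                PasswordNeverExpires = $_.PasswordNeverExpires
                PasswordAgeDays      = if ($_.PasswordLastSet) { [int]((Get-Date) - $_.PasswordLastSet).TotalDays } else { $null }
                LastLogonDate        = $_.LastLogonDate
            }
        }
}

$priv = Get-PrivilegedUserReport
"Distinct privileged users: $(@($priv.User | Sort-Object -Unique).Count)"
$priv | Where-Object { $_.HasSPN -or $_.PasswordNeverExpires -or $_.PasswordAgeDays -gt 365 } |
    Format-Table Group, User, Enabled, HasSPN, PasswordNeverExpires, PasswordAgeDays -AutoSize

Get-ServiceAccountReport | Where-Object { $_.PasswordAgeDays -gt 365 -or -not $_.Enabled } |
    Format-Table User, Enabled, PasswordAgeDays, SPNs -AutoSize -Wrap

# Replacement for a password-based service account: a group managed service account whose password
# AD rotates itself (needs a KDS root key via Add-KdsRootKey and a 2012+ DC). Names are hypothetical.
# New-ADServiceAccount -Name 'gmsa-web01' -DNSHostName 'gmsa-web01.corp.example' `
#     -PrincipalsAllowedToRetrieveManagedPassword 'WEB01$'
```

The two reports answer the two slides' questions directly: who is privileged at all (and whether the count is defensible), and which service identities would hand an attacker a privileged, offline-crackable ticket.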
Mistake No. 8: Using Bad Passwords
The Problem: Bad Policies & User Awareness
Example I ("Really?")
Example II ("Better?")
The Solution: Update Password Policies
Recommended Password Requirements (table; columns: Type, Min Age, Max Age, Min d...; remaining columns and rows not recoverable)
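The table's values are not recoverable here, so the following added example (not from the slides) shows the mechanism rather than the numbers: it evaluates the default domain password policy and every fine-grained password policy against thresholds, and defines a stricter fine-grained policy for a Tier 0 admin group. The thresholds and the policy name are assumptions for the demonstration; it assumes the ActiveDirectory module and a domain functional level of at least Windows Server 2008 for fine-grained policies.

```powershell
# Added example, not part of the original slides. Requires the ActiveDirectory module.
# The thresholds are example values for the demonstration, not the slide's recommendations.
Import-Module ActiveDirectory

function Test-PasswordPolicy {
    <# Evaluate one policy object (default domain policy or a fine-grained policy) against thresholds. #>
    param(
        [Parameter(Mandatory)]$Policy,
        [int]$MinLength = 14,
        [int]$MaxAgeDays = 365,
        [int]$MinHistory = 24,
        [int]$MaxLockoutThreshold = 10
    )
    $f = @()
    if ($Policy.MinPasswordLength -lt $MinLength)     { $f += "minimum length $($Policy.MinPasswordLength) < $MinLength" }
    if (-not $Policy.ComplexityEnabled)               { $f += 'complexity disabled' }
    if ($Policy.ReversibleEncryptionEnabled)          { $f += 'reversible encryption enabled (cleartext-equivalent storage)' }
    if ($Policy.PasswordHistoryCount -lt $MinHistory) { $f += "history $($Policy.PasswordHistoryCount) < $MinHistory" }
    $maxDays = if ($null -ne $Policy.MaxPasswordAge) { [int]$Policy.MaxPasswordAge.TotalDays } else { -1 }
    if ($maxDays -le 0 -or $maxDays -gt $MaxAgeDays) { $f += "maximum age $maxDays days (0 = never expires)" }
    if ($Policy.MinPasswordAge.TotalDays -le 0)       { $f += 'minimum age 0: history can be cycled through at once' }
    if ($Policy.LockoutThreshold -eq 0)               { $f += 'no lockout: online guessing is unlimited' }
    elseif ($Policy.LockoutThreshold -gt $MaxLockoutThreshold) { $f += "lockout threshold $($Policy.LockoutThreshold) > $MaxLockoutThreshold" }
    [pscustomobject]@{
        Policy     = if ($Policy.Name) { $Policy.Name } else { 'Default Domain Policy' }
        Precedence = $Policy.Precedence
        AppliesTo  = if ($Policy.AppliesTo) { @($Policy.AppliesTo) -join '; ' } else { 'all users (or nobody, if a PSO without subjects)' }
        Findings   = if ($f) { $f -join '; ' } else { 'none' }
    }
}

function New-Tier0PasswordPolicy {
    <# A stricter fine-grained policy for Tier 0 admin accounts; a lower precedence value wins over
       other PSOs. Name and values are assumptions for the demonstration. #>
    New-ADFineGrainedPasswordPolicy -Name 'PSO-Tier0-Admins' -Precedence 10 `
        -MinPasswordLength 20 -ComplexityEnabled $true -ReversibleEncryptionEnabled $false `
        -PasswordHistoryCount 24 -MinPasswordAge (New-TimeSpan -Days 1) -MaxPasswordAge (New-TimeSpan -Days 180) `
        -LockoutThreshold 5 -LockoutDuration (New-TimeSpan -Minutes 30) -LockoutObservationWindow (New-TimeSpan -Minutes 30)
    Add-ADFineGrainedPasswordPolicySubject -Identity 'PSO-Tier0-Admins' -Subjects 'Domain Admins'
}

$policies = @(Get-ADDefaultDomainPasswordPolicy) + @(Get-ADFineGrainedPasswordPolicy -Filter *)
$policies | ForEach-Object { Test-PasswordPolicy -Policy $_ } | Format-Table -AutoSize -Wrap
# After review: New-Tier0PasswordPolicy
```

Fine-grained policies are how the "Type" column of such a table is implemented: one PSO per account class (standard users, admins, service accounts), each applied to the group that defines the class, with the default domain policy as the floor.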
Mistake No. 9: Running Outdated Operating Systems
The Problem: Outdated Operating Systems
The Solution: Use Modern Operating System Versions
The Solution: Use Modern Operating System Features
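An added example (not from the slides) that takes inventory of the operating systems in the domain and flags the ones that are out of support and still active. It assumes the ActiveDirectory module; the end-of-life list is what was out of support at the time of the talk (April 2017) and must be maintained, and the 90-day staleness window is an assumption.

```powershell
# Added example, not part of the original slides. Requires the ActiveDirectory module.
Import-Module ActiveDirectory

# Assumption: versions out of mainstream and extended support as of April 2017. Keep this list current.
$EndOfLifePatterns = 'Windows 2000*', 'Windows XP*', 'Windows Vista*', 'Windows Server 2003*'

function Get-OsInventory {
    <# One row per enabled computer object with OS, role and activity flags. #>
    param([int]$StaleDays = 90)
    $cutoff = (Get-Date).AddDays(-$StaleDays)
    Get-ADComputer -Filter { Enabled -eq $true } -Properties operatingSystem, operatingSystemVersion, lastLogonDate, primaryGroupID |
        ForEach-Object {
            $os = if ($_.operatingSystem) { $_.operatingSystem } else { '<unknown>' }
            [pscustomobject]@{
                Name      = $_.Name
                OS        = $os
                Version   = $_.operatingSystemVersion
                IsDC      = $_.primaryGroupID -in @(516, 521)            # Domain Controllers / Read-only Domain Controllers
                EndOfLife = [bool]($EndOfLifePatterns | Where-Object { $os -like $_ })
                Stale     = ($null -eq $_.lastLogonDate) -or ($_.lastLogonDate -lt $cutoff)
            }
        }
}

$inventory = Get-OsInventory

# Distribution first: the shape of the estate decides which features (e.g. Protected Users, which needs a
# 2012 R2 domain functional level) can be used at all.
$inventory | Group-Object OS | Sort-Object Count -Descending | Format-Table Count, Name -AutoSize

# Then the actionable list: end-of-life systems that are still logging on (stale ones get disabled instead).
$inventory | Where-Object { $_.EndOfLife -and -not $_.Stale } |
    Sort-Object IsDC -Descending | Format-Table Name, OS, Version, IsDC -AutoSize
```

An end-of-life domain controller is the worst case in that list: it pins the domain functional level and with it every newer protection that depends on the level.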
Mistake No. 10: Vulnerable Systems and Applications Everywhere
The Problem: Insufficient Patch Management
The Solution: Patch and Vulnerability Management
The Solution: Patch and Vulnerability Management (cont.)
Mistake No. 11: No Active Directory Specific Security Logging & Monitoring
The Problem: No AD-Specific Security Logging & Monitoring
The Solution: AD-Specific Security Logging & Monitoring
The Solution: AD-Specific Security Logging & Monitoring (cont.)
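An added example (not from the slides) of AD-specific monitoring: it normalises Security events from a domain controller and raises findings for membership changes of privileged groups (4728/4732/4756), SID-history changes (4765/4766) and a DSRM administrator password reset (4794). The sample records at the end are constructed so the logic runs without a DC; the group list is an assumption, and the live pipeline at the bottom needs read access to the Security log of the DC named there (hypothetical name DC01).

```powershell
# Added example, not part of the original slides.
# Groups whose membership changes are always worth an alert (assumption for the demonstration).
$PrivilegedGroups = 'Domain Admins', 'Enterprise Admins', 'Schema Admins', 'Administrators',
                    'Account Operators', 'Backup Operators', 'Server Operators', 'Print Operators',
                    'DnsAdmins', 'Group Policy Creator Owners'

# Event IDs of interest and what they mean.
$Rules = @{
    4728 = 'member added to security-enabled global group'
    4732 = 'member added to security-enabled local group'
    4756 = 'member added to security-enabled universal group'
    4765 = 'SID history added to an account'
    4766 = 'attempt to add SID history failed'
    4794 = 'DSRM administrator password set'
}

function ConvertFrom-SecurityEvent {
    <# Flatten the EventData of a live Security event into a hashtable keyed by field name. #>
    param([Parameter(Mandatory, ValueFromPipeline)][System.Diagnostics.Eventing.Reader.EventRecord]$Event)
    process {
        $xml  = [xml]$Event.ToXml()
        $data = @{}
        foreach ($d in $xml.Event.EventData.Data) { $data[[string]$d.Name] = [string]$d.'#text' }
        [pscustomobject]@{ Id = $Event.Id; Time = $Event.TimeCreated; Computer = $Event.MachineName; Data = $data }
    }
}

function Find-PrivilegedChange {
    <# Turn normalised records (Id, Time, Computer, Data) into findings; everything else is dropped. #>
    param([Parameter(Mandatory, ValueFromPipeline)]$Record)
    process {
        if (-not $Rules.ContainsKey([int]$Record.Id)) { return }
        $d = $Record.Data
        $isGroupChange = $Record.Id -in @(4728, 4732, 4756)
        if ($isGroupChange -and $d.TargetUserName -notin $PrivilegedGroups) { return }   # not a privileged group
        [pscustomobject]@{
            Time    = $Record.Time
            DC      = $Record.Computer
            EventId = $Record.Id
            What    = $Rules[[int]$Record.Id]
            Actor   = "$($d.SubjectDomainName)\$($d.SubjectUserName)"
            Group   = if ($isGroupChange) { $d.TargetUserName } else { $null }
            Member  = if ($isGroupChange) { $d.MemberName } else { $d.TargetUserName }
        }
    }
}

# Constructed sample records in the shape ConvertFrom-SecurityEvent produces (names are hypothetical).
$Sample = @(
    [pscustomobject]@{ Id = 4728; Time = Get-Date '2017-04-12 09:15:00'; Computer = 'DC01'
        Data = @{ SubjectDomainName = 'CORP'; SubjectUserName = 'helpdesk7'; TargetUserName = 'Domain Admins'
                  TargetDomainName = 'CORP'; MemberName = 'CN=svc-backup,OU=Service,DC=corp,DC=example' } }
    [pscustomobject]@{ Id = 4728; Time = Get-Date '2017-04-12 09:16:00'; Computer = 'DC01'
        Data = @{ SubjectDomainName = 'CORP'; SubjectUserName = 'helpdesk7'; TargetUserName = 'Sales-Printers'
                  TargetDomainName = 'CORP'; MemberName = 'CN=jdoe,OU=Users,DC=corp,DC=example' } }   # benign
    [pscustomobject]@{ Id = 4794; Time = Get-Date '2017-04-12 23:41:00'; Computer = 'DC02'
        Data = @{ SubjectDomainName = 'CORP'; SubjectUserName = 'srv-admin1'; Workstation = 'WS-0042' } }
    [pscustomobject]@{ Id = 4624; Time = Get-Date '2017-04-12 23:42:00'; Computer = 'DC02'; Data = @{} }  # ignored
)
$Sample | Find-PrivilegedChange | Format-Table -AutoSize

# Live, against a DC (requires Event Log Readers or equivalent on DC01):
# Get-WinEvent -ComputerName DC01 -FilterHashtable @{ LogName = 'Security'; Id = @($Rules.Keys) } |
#     ConvertFrom-SecurityEvent | Find-PrivilegedChange
```

Two of the three sample findings are the ones a generic SIEM rule set usually misses: a Tier 1 admin setting the DSRM password on a DC, and a helpdesk account adding a service account to Domain Admins; both are only visible if the DCs' Security logs are collected and parsed per event ID rather than per keyword.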
Thank you for your time!
Sources
Additional Material & Information
Control/Logon Restrictions Example 1 for Admin Tiers
A Tier 1 admin must access a Tier 0 file share to store certain files. As required by his role, the Tier 1 admin can log on to a higher-tier resource to access a share and store files (well-defined and strictly monitored). As the user is a Tier 1 admin, he cannot control the file share system (the resource); he can only access a share with limited NTFS permissions. Note: a similar scenario is the access to the Netlogon share.
Control/Logon Restrictions Example 2 for Admin Tiers
A Tier 0 admin manages the identity store (the Active Directory database). He can define group membership of Tier 0, Tier 1 (and Tier 2) accounts, and he can define security settings for Tier 0 and Tier 1 servers (and even Tier 2 computers) in GPOs. Therefore, the Tier 0 admin must access dsa.msc and gpmc.msc on a DC (where he logs on). Thus, as required by his role, the Tier 0 admin can control lower-tier resources, but he never logs on to a lower-tier system.
The Problem: AD Borders Neither Well-defined Nor Controlled: AD Extension Into the Cloud
Azure (Cloud)