Active Directory Security Best Practices

Friedwart Kuhn
Digitally signed by Friedwart Kuhn; date: 2017.04.12 20:51:31 02'00'; Adobe Acrobat Reader version: 2017.009.20044

Agenda

Who We Are

Intro

Mistake No. 1: Lack of AD Governance

The Problem: Lack of ... (slide text lost; only a truncated link fragment remains: s/books/sampchap/3173.aspx)

The Solution: Dedicated AD Governance

The Solution: Dedicated AD Governance (cont.)

Mistake No. 2: Admins (and Service Accounts) Logging on Everywhere

The Problem: Admins Logging on Everywhere

Result of Mistake 2
- Power: Domain Controllers
- Data: Servers and Applications
- Access: Users and Workstations
This slide is from: Mark Simos, Nicholas DiCola; "TWC: Pass-the-Hash and Credential Theft Mitigation Architectures"

The Solution: Implement Administrative Tiers
- Tier 0: Enterprise & Domain Admins, BUILTIN\Administrators (general: Tier 0 admins); systems: Domain Controllers, Domain Admin Workstations, special Tier 0 systems (patch, AV, management)
- Tier 1: Server Admins, Server Services, Application Admins (general: Tier 1 admins); systems: Application Servers, Server/App Admin Workstations, Tier 1 management systems
- Tier 2: Workstation Admins (Tier 2 admins); systems: Internet-connected workstations of standard users
- Tier 3: Standard Users

Tier Model Principles
- Classify: every single security principal, system, or application has to be classified as belonging to only one tier
- Restrict Logons: security principals of a higher tier must never log on to a resource on a lower tier (implement logon restrictions)
- Restrict Control: security principals of a lower tier must never control resources of a higher tier (implement control restrictions)

Control Restrictions vs. Logon Restrictions

Implementation Guidelines

Summary

Mistake No. 3: Using "Dirty Sources"

The Problem: Security Dependencies
- OS or application install depends on the installation media; compromise vector: infect media
- Administration task depends on the user workstation; compromise vector: infect workstation

The Solution: Clean Source

Clean Source Principle: Installation

Clean Source Principle: Administration

Clean Source Principle: PAWs (diagram labels: PAW, User VM, PAW)

Clean Source Principle: ESAE/PRIV Forest (diagram labels: ESAE Forest holds Tier 0; PRIV Forest holds Tier 1, Tier 2 and Standard Users; Production Forest)

Exemplary Secure Administration Environment Models
- PAWs: Tier 0 managed via PAWs; trust for identities of Shared Services; Global Resource Forest, Account Forest(s)
- Local ESAE Forest: Tier 0 managed via Local ESAE Forest; trust for identities of Shared Services; Global Resource Forest, Account Forest(s)
- Global ESAE Forest: Tier 0 managed via Global ESAE Forest; trust for identities of Shared Services; Global Resource Forest, Account Forest(s)

Exemplary ESAE Forest Implementation
(diagram, labels only: ESAE Forest; AD(s), App AD, DNS, Hyper-V, WSUS, AV/Monitor/Vulnerability, PKI, Firewall; Tier 0; OS (DCs/Member); HW Management; NW Switches, Firewall; Jump Hardware; Tier 2: Virtual Clients, Hardware Clients; PKI, Identity, Switches, Web Apps, VPN, DBs; PAWs: physically in Tier 2, logically in Tier 0)

Mistake No. 4: (AD) Borders Not Under Control

The Problem: AD Borders Neither Well-defined Nor Controlled: Trusts

Too many trusts

Trusts are too open
- Authentication requests: all requests coming over the trust are authenticated and routed by DC1 (with domain- and forest-wide authentication)
- Diagram labels: DC1, Authenticated Users, Trusted Forest, Trusting Forest

The Problem: AD Borders Neither Well-defined Nor Controlled: DMZ

The Solution: AD Border & Trust ... (slide text lost; only a truncated link fragment remains: trust-2/)

Trusts

DMZ AD

Mistake No. 5: Best Practices Lost in Time

The Problem: Basics Are Overlooked

The Solution: Do the Basics

AdminSDHolder Object

The Solution: Do the Basics (cont.)

Mistake No. 6: Too Many and Too Privileged Service Accounts

The Problem: Overabundance of Service Accounts

The Solution: Service Account Housekeeping

Mistake No. 7: Too Many Admins

The Problem: Over-privileged Accounts

The Solution: Remove Privileges

Mistake No. 8: Using Bad Passwords

The Problem: Bad Policies & User Awareness

Example I ... Really?

Example II ... Better?

The Solution: Update Password Policies

Recommended Password Requirements (table; only the column headers survive: Type, Min Age, Max Age, Min d...)

Mistake No. 9: Running Outdated Operating Systems

The Problem: Outdated Operating Systems

The Solution: Use Modern Operating System Versions

The Solution: Use Modern Operating System Features

Mistake No. 10: Vulnerable Systems and Applications Everywhere

The Problem: Insufficient Patch Management

The Solution: Patch and Vulnerability Management

The Solution: Patch and Vulnerability Management (cont.)

Mistake No. 11: No Active Directory Specific Security Logging & Monitoring

The Problem: No AD-Specific Security Logging & Monitoring

The Solution: AD-Specific Security Logging & Monitoring

The Solution: AD-Specific Security Logging & Monitoring (cont.)

Thank you for your time!

Sources

Additional Material & Information

Control/Logon Restrictions Example 1 for Admin Tiers
(diagram labels: Tier 0 File Share; Tier 1 Admin)
- A Tier 1 admin must access a Tier 0 file share to store certain files.
- As the user is a Tier 1 admin, he cannot control the file share system / the resource (he can only access a share with limited NTFS permissions).
- As required by his role, the Tier 1 admin can log on to a higher-tier resource to access a share and store files (well-defined and strictly monitored).
- Note: a similar scenario is the access to the Netlogon share.

Control/Logon Restrictions Example 2 for Admin Tiers
(diagram labels: Tier 0 DC; Tier 0 Admin; Tier 1)
- The Tier 0 admin manages the identity store (the Active Directory database). He can define group membership of Tier 0, Tier 1 (and Tier 2) accounts, and he can define security settings for Tier 0 and Tier 1 servers (and even Tier 2 computers) in GPOs.
- Therefore, the Tier 0 admin must access dsa.msc and gpmc.msc on a DC (where he logs on).
- Thus, as required by his role, the Tier 0 admin can control lower-tier resources, but he never logs on to a lower-tier system.

The Problem: AD Borders Neither Well-defined Nor Controlled: AD Extension Into the Cloud

Azure (Cloud)
