19 Smart Tips for Securing Active Directory Sean Deuby

At a Glance:

Administrative security Account password and group security Domain controller security

Active Directory Group Policy

Does Active Directory keep you up at nig t! "ne could easily understand w y# $t is most likely t e largest and most critical distributed system in your enterprise# Along wit disaster recovery% Active Directory& security is at t e top of t e list of topics t at gnaw away at an administrator's sleep# (ut t ere's a lot you can do to en ance your Active Directory security% and you've probably already taken some steps# ) at follows is a list of tips you can use to elp you make your Active Directory installation more secure# *irst $'ll cover administrative security% t en passwords and group security% t en wrap up wit tips for domain controller security#

1# Document ) at +ou ,ave T e very first step you need to take is to document your Active Directory configuration# $t's not very e-citing work% but you can't tell w ere you need to go if you don't know w ere you are rig t now# A good place to start is wit t e ig .level structures like forest and domain configuration% organi/ational unit 0"12 structure% top.level directory security% and e-isting trust relations ips# Document your site topology by listing t e sites% configuration settings for eac site% site links and t eir settings% t e list of subnets and t eir settings% and any manually created connection ob3ects and t eir settings# Document your Group Policy "b3ects 0GP"s2 wit a Group Policy utility like t e Group Policy 4anagement 5onsole 0GP452% available from 4icrosoft downloads and included in

)indows Server6 7889 :7# T e documentation you create s ould include password and audit policies% and don't forget to include w at t e GP"s are linked to and w o as rig ts on t em# (e sure you ave a list of all c anges you've made to t e Active Directory sc ema% preferably in t e form of a ;ig tweig t Directory $nterc ange *ormat 0;D$*2 file# T ere's even a GP45 script included in t e download to elp you get started# $t is located in t e <programfiles<=gpmc=scripts directory and is called Get:eports*orAllGP"s#wsf# ) ile you're at it% also list your domain controllers and t eir names% t eir "S versions% and virus scanning software and t eir versions# :ecord t e backup met ods you're using and ow often t ey run% along wit ow long you keep t e backups# $f you use disk.based backups% record w ere you securely keep t e backup files# $f you use )indows& D>S% use D>S54D and D>S;$>T to document its configuration# >ote w et er it's integrated wit Active Directory% w et er you use application partitions% and ow t ey are configured#

7# 5ontrol +our Administration Active Directory security begins rig t at t e top?your administration model# 5ontrolling your administration is t e single most important step in securing your forest and it's also probably t e ardest# @veryone wants to own a piece of Active Directory% but a well. secured forest model can't allow t is# $f your company's installation is like most% your logical Active Directory design is already set% so you ave to work wit in its constraints# $f not% you ave t e opportunity to build Active Directory from t e start# T e forest is t e only true security boundary wit in Active Directory# Domains s ould be used to facilitate your company's $T support infrastructure and replication% and "1s s ould be used to delegate administration wit in a domain# $f you ave ard security constraints between two parts of your company% consider implementing anot er forest# See A4ultiple *orest 5onsiderations in )indows 7888 and )indows Server 7889A for recommendations# $f necessary% add a security.filtered forest trust to communicate wit your first forest 0see APlanning and $mplementing *ederated *orests in )indows Server 7889A for more information2# $f your domains are already administered by different groups% reali/e t at administrative access to any domain controller in t e forest can 3eopardi/e t e entire forest# As a result% you need to work closely wit t e administrative teams of t e ot er domains to ensure you ave a uniform domain controller 0D52 administration model across t e forest# *or more detail on t is topic% read ADesign 5onsiderations for Delegation of Administration in Active DirectoryA#

9# ;imit t e >umber of Administrators )it in your forest% you need to do everyt ing you can to limit t e number of administrators# T oug t e Active Directory security model is muc better t an it was in

)indows >T& B#8% it still as a weakness: you can't fully administer a domain controller wit out being an administrator of t e domain# T is means t at in a basic Active Directory implementation% computer operators in locations t at contain D5s are usually members of Domain Admins so t ey can perform all maintenance functions on t ese servers# Don't do t isC +ou've anded t e keys to your Active Directory forest to a potentially large number of employees wit unknown backgrounds and security Dualifications# $nstead% follow t e time. onored practice of determining reDuirements first and t en creating a solution based on t ese reDuirements# 4eet wit operations management to figure out e-actly w at tasks t ey need to perform on D5s# T en% design a solution using a combination of Group Policy and t ird.party tools to grant t em as many rig ts as possible wit out elevating t em to Domain Admins# *inally% your administration team must assume t e tasks you can't securely delegate to operations# T is is a very touc y area because you're taking away responsibilities from operations% but you'll ave t e big stick of information security on your side#

B# Test Group Policy Settings T is is a good opportunity to say a few words about Group Policy# $t's t e single most powerful tool for controlling your forest's security# Precisely because it's so powerful% owever% you need to make sure you test t ese settings in a controlled environment before rolling t em out# +ou can use a duplicate test.bed environment% be it p ysical or virtual 0t roug t e use of virtuali/ation software suc as Eirtual Server 788F2# +ou can implement t ese policies in stages by first linking new security.focused GP"s to individual "1s% t en to t e entire domain#

G# 1se Separate Administrative Accounts "nce you've limited t e number of administrators% make sure all employees w o perform operations wit elevated privileges use separate administrative accounts# T ese accounts s ould ave a naming convention t at's different from standard accounts and s ould reside in t eir own "1 so you can apply uniDue GP"s to t em# +ou can group t ese accounts by t e roles t ey perform and assign rig ts to t ese groups rat er t an to individuals# *or e-ample% elpdesk members responsible for account management s ould ave t eir administrative accounts in a group named AHdomain nameI Account AdminsA% and t is group s ould be added to t e Account "perators built.in group#

F# :estrict @levated (uilt.$n Groups $f your security model follows t e recommendations $ 3ust outlined% it's relatively easy to put all elevated built.in groups into Group Policy's :estricted Groups feature# T is will

ensure t at t e group's members ip is enforced every five minutes% limiting t e c ance t at a rogue administrator will in3ect t eir account into it# 1se :estricted Groups to keep groups like Sc ema Admins empty and to keep @nterprise Admins very small#

J# 1se a Dedicated Terminal Server for Administration Service administrators 0responsible for running core Active Directory services like D5s% sites% and t e sc ema2 s ould perform all t eir tasks from dedicated terminal server administration points 0TSAPs2 rat er t an from t eir desktops# T is is a muc more secure practice t at minimi/es any leaking of desktop malware% makes working wit a separate administrative account muc less cumbersome and provides a locked.down% customi/ed administration point# Keep t ese TSAPs in t eir own "1% and use GP"s to prevent $nternet access% restrict logon locally to administrative accounts only% increase auditing procedures% and implement a password.protected screen saver# 1pgrading your TSAP to )indows Server 7889 will cause its Active Directory administration tools to sign and encrypt ;ig tweig t Directory Access Protocol 0;DAP2 traffic between itself and your )indows Server 7889 D5s#

L# Disable Guest and :ename Administrator (asic account security measures are to disable t e guest account and rename t e administrator account# +ou may ave already done t is# @it er way% don't forget to also remove t e default description of t ese accounts% since t at's easy for bad guys to searc for# 4ost programmatic attacks use t e administrator account's well.known Security $dentifier 0S$D2 rat er t an its name% so renaming Administrator is really of limited use# $t does s ow t at you're using due diligence for security audits% owever# T e rename policy also can be useful for creating a oneypot Administrator account# T is is an account named Administrator 0after you've renamed t e real account2 t at as a ig level of auditing enabled# $f anyone attempts to log onto t is account by guessing t e password% t e attempt will be logged# $f you ave an event log monitoring utility% you can also trigger an alert#

9# ;imit Access to t e Administrator Account +ou s ould severely limit t e number of people w o ave access to t e real Administrator account and password# *or t e ig est level of security% consider t e nuclear password option: two 0or more2 administrators generate two 0or more2 eig t.digit% random% strong passwords separate from eac ot erM t en eac admin enters is password into t e password field# 0*or a good password generator% take a look at www#winguides#comNsecurityNpassword#p p#2 T e account now as a password t at is 1F.digits or longer and t at reDuires at least two administrators to log onM one

administrator can't do it alone#

18# )atc t e DS:4 Password An often overlooked but important password is t e Directory Service :estore 4ode 0DS:42 password on domain controllers# T e DS:4 password% uniDue to eac D5% is used to log onto a D5 t at as been rebooted into DS:4 mode to take its copy of Active Directory offline# +ou need to update t e DS:4 password regularly because wit t is password a local operator can copy >TDS#D$T 0t e Active Directory database2 off t e server and reboot before anyone noticed# $n early builds of )indows 7888% t e only way to c ange t e password was to log on and c ange it manually?impractical if you ave more t an two D5s# )indows 7888 Service Pack 7 introduced t e S@TP)D command 0see t e Knowledge (ase article A5onfigure +our Server )i/ard sets a blank recovery mode passwordA2 to remotely update t e DS:4 password# T e >TDS1T$; command in )indows 7889 as t e ability to c ange it remotely 0see A,ow To :eset t e Directory Services :estore 4ode Administrator Account Password in )indows Server 7889A2# 5reate a script to run t is operation against your D5s% and run it regularly#

11# @nforce Strong Password :ules (y now% you all know t e benefits of strong passwords% but it's probably too muc to e-pect your users to use t em willingly# To elp t em along% you really s ould enforce strong password rules in your domain 0see A@nabling Strong Password *unctionality in )indows 7888A2# +ou can elp your users by suggesting strategies suc as t e use of passp rases instead of confusing wordNnumberNc aracter combinations#

17# Protect t e Service Account's Password As you know% service accounts are anot er sore sub3ect# T e nature of service accounts ?used on application servers for t e application's service?makes a low.impact password c ange very difficult% and so t e password is usually set to never e-pire# (ecause t e account controls an important service 0often on many servers2% compromising t e service account's password is not somet ing you want to appen# T oug it may be difficult to solve t e password c ange problem% you can take steps to mitigate t e risk of attack or accidental c anges# Give t e accounts a naming convention t at identifies t em as service accounts and suggests w at t ey're used for# Put all of t ese accounts into a group named somet ing like AService AccountsA and apply a policy to your application servers to deny t e A;og on ;ocallyA policy but allow A;og on as a ServiceA# Keep t em in t eir own "1 so you can apply GP"s uniDue to t eir reDuirements#

19# 4ake Sure t at @ac D5 is P ysically Secure Domain controllers make up t e p ysical aspect of Active Directory# Distributed t roug out your enterprise% eac D5 as its own copy of t e Active Directory database >TDS#D$T# T is means t at one of your paramount security concerns is to make sure t at eac D5 is p ysically secure# $f one of t em grows legs and walks off% t e t ief will ave p ysical access to t e directory information tree 0D$T2 and can run cracking programs against it to obtain usernames and passwords# T erefore% you must ave a reaction plan in place to c ange all passwords in a domain if one of its D5s is stolen# A proposed feature of t e fort coming version of )indows Server 0code.named A;ong ornA2 aims to mitigate t e risk from t is scenario dramatically wit t e read.only domain controller 0:"D52% a D5 w ose D$T contains no user passwords# 1sers are logged on via a Kerberos referral from a full D5M you can configure t e :"D5 to cac e t e passwords of users w o use it for aut entication# $n a branc office scenario% only t e branc office's users will ave t eir passwords cac ed on t e :"D5 so if it's compromised t ey're t e only passwords t at must be c anged immediately# T e :"D5 cac ing configuration is very fle-ibleM it even includes a way to determine w o ad t eir password cac ed on it# As wit all discussion of prerelease software% t oug % t is is sub3ect to c ange#

1B# 4inimi/e 1nnecessary Services and "pen Ports T e )indows Server 7889 SP1 Security 5onfiguration )i/ard can Duickly arden your D5s in t is aspect by stepping you t roug a wi/ard to lock it down# "ne attack to be wary of?a denial of service of sorts?fills t e available disk space on a D5# T ere are two ways t is attack can be e-ecuted# T e first is by attempting to flood Active Directory wit ob3ects# (ecause Active Directory is ugely scalable% it is unlikely to cras in t is scenario% but flooding Active Directory wit ob3ects will increase t e si/e of t e database until it fills t e disk partition# (esides ensuring t e D$T is on a partition wit lots of free space% consider implementing directory Duotas via DS4"D PA:T$T$"> or DS4"D O1"TA# T is will prevent any one security principal from adding too many ob3ects to t e directory# Anot er denial of service attack as to do wit flooding t e S+SE"; folder wit files% causing it to fill up t e boot partition% and cras ing t e D5# +ou can't use a Duota system in t is case% but you can create a simple reserve file or files to take up e-isting free disk space# $f you encounter t is type of disk.filling situation% simply erase reserve files% one at a time% to maintain free disk space until you resolve t e root cause# +ou can easily create reserve files wit t e *S1T$; *$;@ 5:@AT@>@) command#

1G# 4ake t e D5 Time Source Secure (ecause Active Directory depends on Kerberos% it's very sensitive to time variations between its D5s# T is is especially true in trusts between forests because t ey may rely on different time ierarc ies# (y default% t e PD5 operations master in t e root domain is t e reference to w ic all ot er D5s in t e forest look for accurate time# ) at time source does t is D5 look to for accurate time! $s it secure!

1F# Audit $mportant @vents +ou must enable auditing in a domain.level GP"% wit no override% to ensure every system in your domain is tracking important events# +ou s ould audit failed logons% successful and failed account management% ob3ect access% and policy c ange# 1se t e same GP" to boost t e security log si/e% because wit t e increased auditing you'll need it#

1J# 1se $Psec 4any organi/ations ave dragged t eir feet on t e implementation of $Psec because of t e comple- rules you must build% but it's relatively easy to implement for inter.D5 communication only# *or communications from D5s to clients% t ere are a number of options to consider# )indows Server 7889 D5s by default ave S4( signing enabled% w ic means t ey sign all t eir communications to t e client to prevent spoofing# $ts policy is listed as A4icrosoft network server: Digitally sign communications 0always2A# (e aware of t is c ange w en you upgrade% and don't disable it if you don't ave to#

1L# Don't Store ;A> 4anager ,as Ealues +ou s ould try to rid yourself of ;4 0;an 4anager2 password as es if possibleM many password crackers attack t e weak ;4 as and t en deduce t e stronger >T;4 as # T e policy you need is ADo >ot Store ;A> 4anager ,as Ealue on >e-t Password 5 angeA# Also consider enabling ASend >T;4 v7 response only% refuse ;4 and >T;4A# 4ost down.level clients can be configured to use >T;4v7# T is may not be possible for Active Directory installations in factory environments or ot er installations w ere embedded )indows is used# Test t ese settings carefully because t ey can break down. level clients# $t's important to remember t at t ese clients not only include )indows >T B#8 and )indows 4e% but also ot er Server 4essage (lock 0S4(2.enabled network clients like network attac ed storage 0>AS2 devices% 1>$P clients running Samba% or embedded )indows devices like factory station controllers# T e Knowledge (ase article A5lient% service% and program incompatibilities t at may occur w en you modify security settings and user rig ts assignmentsA lists recommendations for most D5 security

settings and user rig ts#

19# Don't *orget +our (usiness Practices ,andle emergencies and document procedures for facing situations like compromised passwords% general Active Directory attacks% and Active Directory disaster recovery# 4icrosoft as done muc of t is work for you in A(est Practice Guide for Securing Active Directory $nstallationsA% and A(est Practices: Active Directory *orest :ecoveryA#

Prerelease info in t is article is sub3ect to c ange#

Sean Deuby is a design engineer wit $ntel 5orporation% w ere e is t e senior member of t e identity and directory services team# T e aut or of many articles and presentations on Active Directory and )indows Server% t is is is t ird year as a Directory Services 4EP wit 4icrosoft# Q 788L 4icrosoft 5orporation and 54P 4edia% ;;5# All rig ts reservedM reproduction in part or in w ole wit out permission is pro ibited#

:esources

Tec >et *las >ewsletter Tec >et Tec nology >ews feed 4SD> 4aga/ine