Securing Your Active Directory
Roberta Bragg, MCSE, CISSP, Author, Columnist, Speaker, Consultant

Chapters
1. Perform a Self-Audit
2. Know and Use Security Tools and Techniques
3. Monitor Active Directory Operations
4. Leverage People and Processes
5. Active Directory Security Maintenance
CONTENTS

CHAPTER 2: KNOW AND USE SECURITY TOOLS AND TECHNIQUES  5
  TECHNIQUES FOR MANAGING AD SECURITY  6
    SECURING AUTHENTICATION, DCS, AND DC COMMUNICATION  6
      Securing Authentication Via Group Policy  8
      Hardening Domain Controllers Via Group Policy  11
      Using Security Templates to Secure Domain Controllers  13
      Using Group Policy Administrative Templates  14
      Hardening Domain Controller Communications Via Group Policy  14
    HARDEN DNS  15
      Securing DNS Using Placement and Policy  15
      Securing DNS Configuration  16
      Securing DNS Using Group Policy  18
    MANAGING DOMAINS AND TRUSTS  19
    MANAGING DIRECTORY OBJECTS  20
      Protect Active Directory by Restricting Group Membership and Understanding Active Directory ACLs  21
      Standard and Extended Rights  21
      Adding AD Classes  23
      Modifying AD Default Permissions and Properties  24
      Assigning Authority for AD Administration  24
  TOOLS  25
    USING GROUP POLICY TOOLS  26
      Group Policy Editor  26
      Understanding and Controlling GPO Inheritance  29
      Reporting  39
      Ensuring Permission Consistency  41
      Backup and Restore  42
      Managing Backups  44
      Delegating Group Policy  45
      GPO Planning and Analysis Modeling  47
      Modeling a Group Policy Hierarchy  47
      Determining the Results of Group Policy Implementation  49
    USING SECURITY CONFIGURATION AND ANALYSIS AND SECURITY TEMPLATES  50
    USING ADSI EDIT TO MANAGE DIRECTORY OBJECTS  51
    USING THE ACTIVE DIRECTORY DOMAINS AND TRUSTS CONSOLE  53
      Selective Authentication  53
      SID Filtering  54
  SUMMARY  55
  ABOUT QUEST WINDOWS MANAGEMENT  56
  ABOUT QUEST SOFTWARE, INC.  56
Securing Your Active Directory. Chapter 2 - Know and Use Security Tools and Techniques
- Harden DNS
- Protect DCs and AD by limiting and managing external trusts and forest trusts
User rights for domain controllers are configured in the Default Domain Controllers Security Policy. They can also be configured in additional GPOs linked to the Domain Controllers OU.
- Strengthen the password policy or provide alternatives
- Set a reasonable Account Lockout Policy
- Maintain a strong Kerberos Policy
- Reduce or eliminate anonymous access (access that does not require credentials)
Strengthening the password policy will require management approval. Don't forget to discuss the technical and non-technical controls that are part of a good policy. Technical controls are those that can be implemented in the Windows password policy, such as password length and complexity and how often the password must be changed. Non-technical controls are things such as not sharing passwords, not writing them down, and requiring complexity beyond what the operating system can enforce.

When a strong policy is approved, the changes should be made to the Default Domain GPO. In a Windows 2000 or Windows Server 2003 domain there can be only one password policy per domain: changes made to the Default Domain GPO affect all domain accounts. (Later versions of Windows Server add fine-grained password policies, but the single domain-wide policy remains the default.) A strong policy should also be required for computers if local accounts are used to authenticate to them. Password policies for local accounts on domain computers can be set in GPOs linked to the OU within which the computer account resides. The password policy for stand-alone computers (computers that are not members of a domain) should be set in the Local Security Policy.

Account lockout should be set to prevent an attacker from guessing passwords or running automated dictionary attacks against accounts. A number of incorrect entries, whether typed manually or generated by a tool, triggers account lockout; at that point even a correct password fails. Lockout can be configured to release automatically after a time period or to require administrative action. The account lockout threshold must be carefully considered. Set too low, it may lock out legitimate users who occasionally mistype their passwords. It is also an avenue for a denial of service attack, since an attacker who can reach the domain could lock out every account simply by sending bad passwords for all of them. In organizations with strong perimeter controls, opportunities for such attacks may be few, making account lockout viable.
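The check a practitioner wants after the policy is approved is whether the values in effect on the domain actually match it. The following PowerShell script is an added example and is not part of the e-book: it parses the [System Access] section of a policy exported with secedit and compares the password and lockout settings with thresholds you pass in. The $sampleInf text is a constructed stand-in for such an export, and the threshold defaults (8 characters, 24 remembered passwords, 90 days) are assumptions to adjust to your approved policy.

```powershell
# Added example, not from the e-book. Parses a policy exported with
#   secedit /export /cfg C:\temp\policy.inf /areas SECURITYPOLICY
# and checks the password and lockout settings against thresholds you pass in.
# The $sampleInf text below is a constructed stand-in for such an export.

$sampleInf = @'
[Unicode]
Unicode=yes
[System Access]
MinimumPasswordAge = 1
MaximumPasswordAge = 42
MinimumPasswordLength = 7
PasswordComplexity = 1
PasswordHistorySize = 24
LockoutBadCount = 0
ResetLockoutCount = 30
LockoutDuration = 30
ClearTextPassword = 0
[Version]
signature="$CHICAGO$"
Revision=1
'@

# Return the [System Access] section as a name -> value hashtable.
function Get-SystemAccessSection {
    param([string[]]$Lines)
    $settings = @{}
    $inSection = $false
    foreach ($line in $Lines) {
        $t = $line.Trim()
        if ($t -match '^\[(.+)\]$') { $inSection = ($Matches[1] -eq 'System Access'); continue }
        if ($inSection -and $t -match '^(\w+)\s*=\s*(.*)$') {
            $settings[$Matches[1]] = $Matches[2].Trim()
        }
    }
    return $settings
}

# Compare the exported values with the thresholds; a key missing from the
# export reads as 0, which the checks below treat as a finding.
function Test-AccountPolicy {
    param(
        [hashtable]$Settings,
        [int]$MinLength = 8,
        [int]$MinHistory = 24,
        [int]$MaxAgeDays = 90
    )
    $v = @{}
    foreach ($k in 'MinimumPasswordLength', 'PasswordComplexity', 'PasswordHistorySize',
                   'MaximumPasswordAge', 'LockoutBadCount', 'ClearTextPassword') {
        $v[$k] = [int]$Settings[$k]
    }
    $findings = @()
    if ($v.MinimumPasswordLength -lt $MinLength) { $findings += "Minimum password length is $($v.MinimumPasswordLength); require at least $MinLength" }
    if ($v.PasswordComplexity -ne 1)             { $findings += 'Password complexity is not enforced' }
    if ($v.PasswordHistorySize -lt $MinHistory)  { $findings += "Password history is $($v.PasswordHistorySize); require at least $MinHistory" }
    if ($v.MaximumPasswordAge -eq -1)            { $findings += 'Passwords never expire (MaximumPasswordAge = -1)' }
    elseif ($v.MaximumPasswordAge -gt $MaxAgeDays) { $findings += "Maximum password age is $($v.MaximumPasswordAge) days; limit is $MaxAgeDays" }
    if ($v.LockoutBadCount -eq 0)                { $findings += 'Account lockout is disabled (LockoutBadCount = 0)' }
    if ($v.ClearTextPassword -eq 1)              { $findings += 'Reversible encryption is enabled for all accounts' }
    return $findings
}

# Against a real export:
#   Test-AccountPolicy -Settings (Get-SystemAccessSection -Lines (Get-Content C:\temp\policy.inf))
$settings = Get-SystemAccessSection -Lines ($sampleInf -split "`r?`n")
$findings = Test-AccountPolicy -Settings $settings
if ($findings.Count -eq 0) { 'Account policy meets the thresholds' } else { $findings }
```

Run on a domain controller, secedit exports the account policy the DC is enforcing, which is the domain policy; on a member server it exports the local policy that governs that machine's local accounts. The constructed sample produces two findings (a 7-character minimum and lockout disabled), which is exactly the kind of gap between the approved policy and the deployed GPO that this check exists to catch.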
By default, Kerberos Policy is correctly configured for most organizations and should be left alone. Two settings that are often modified, and should not be, are Maximum Tolerance for Computer Clock Synchronization and Enforce User Logon Restrictions. The clock synchronization tolerance helps prevent replay attacks, in which an attacker captures valid authentication traffic and tries to reuse it to gain access to networks and systems. Kerberos rejects a client's authenticator if its timestamp is older than the allowed clock skew (five minutes by default). Lengthening this time widens the window in which captured traffic can be replayed. When Enforce User Logon Restrictions is enabled, each request for a session ticket is evaluated against the target computer's user rights policy; if a user is denied the right to log on at the target computer, the request for a session ticket fails.
Disabling Enforce User Logon Restrictions may save time and therefore improve performance, but it weakens security.

In addition to Account Policy, other areas of Group Policy can impact authentication. These include the policies described below, which are found in Computer Configuration, Windows Settings, Security Settings, Local Policies, Security Options.

Policy: Interactive Logon: Require Domain Controller Authentication to Unlock Workstation
Recommendation/Description: Enable. Prevents an administrator whose account has been disabled from unlocking a DC console using cached credentials.

Policy: Network Security: Do Not Store LAN Manager Hash Value on Next Password Change
Recommendation/Description: Enable. Discontinues storage of the weak LM hash in the password database. Many password cracking programs attack the weak LM hash and then deduce the stronger NTLM hash. Without the LM hash, these crackers take much, much longer and may not be effective. Note that the LM hash of an existing password is only removed when that password is next changed.

Policy: Network Security: LAN Manager Authentication Level
Recommendation/Description: Set to Send NTLMv2 response only, refuse LM and NTLM. Note: Down-level clients can be configured to use NTLMv2. Windows 9x must install the AD Client and apply registry edits; Windows NT must have registry edits applied. This change may also impact older server applications such as RRAS, and should be tested before being deployed in a production environment.

Policy: Network Security: LDAP Client Signing Requirements
Recommendation/Description: Negotiate signing if some domains require it; require it if all domains require it. Secures LDAP communications between clients and domain controllers and between domain controllers.
Reducing or eliminating anonymous access can be managed via Security Options. Security Options can vary through the domain, but in some cases they only make sense for GPOs linked to the Domain Controllers OU. Security Options that impact anonymous access:

Policy: Network Access: Do Not Allow Anonymous Enumeration of SAM Accounts and Shares
Recommendation/Description: Enable. Prevents a connection made without an account ID and password from listing accounts and shares.

Policy: Network Access: Let Everyone Permissions Apply to Anonymous Users
Recommendation/Description: Disable. When enabled, anonymous users receive the privileges and access granted to the Everyone group.

Policy: Network Access: Named Pipes That Can Be Accessed Anonymously
Recommendation/Description: Remove named pipes not used by DCs. For example, the SQL\QUERY named pipe is not needed unless SQL Server is installed on the DC, and installing SQL Server on a DC is not a good practice.

Policy: Network Access: Shares That Can Be Accessed Anonymously
Recommendation/Description: Remove shares that do not need anonymous access. Shares should be protected by placing explicit permissions on the share and on its root folder. The COMCFG share often listed here can be removed unless the DC is running Host Integration Server, a product that would rarely be installed on a DC.
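Each of the Security Options in the two tables above is stored as a registry value on the DC, so the quickest way to confirm what is actually in effect (as opposed to what the GPO says) is to read those values. The following script is an added example, not part of the e-book. It checks the authentication-related options from the first table and the anonymous-access options from the second, plus the LDAP server signing requirement discussed later in this section, and lists null-session pipes and shares that a DC rarely needs. The registry paths and value names are the ones Windows uses for these options; the expected values encode the recommendations given above.

```powershell
# Added example, not from the e-book. Reads the registry values behind the
# Security Options discussed in this section and compares each with the
# recommended value. Run in an elevated session on the DC. The registry shows
# what is in effect, which lags behind a freshly edited GPO until the next
# policy refresh (gpupdate /force).

$securityOptionChecks = @(
    @{ Setting = 'Interactive logon: Require Domain Controller authentication to unlock workstation'
       Path = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'
       Name = 'ForceUnlockLogon'; Expected = 1 },
    @{ Setting = 'Network security: Do not store LAN Manager hash value on next password change'
       Path = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
       Name = 'NoLMHash'; Expected = 1 },
    @{ Setting = 'Network security: LAN Manager authentication level (5 = NTLMv2 only, refuse LM and NTLM)'
       Path = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
       Name = 'LmCompatibilityLevel'; Expected = 5 },
    @{ Setting = 'Network security: LDAP client signing requirements (2 = Require signing)'
       Path = 'HKLM:\SYSTEM\CurrentControlSet\Services\LDAP'
       Name = 'LDAPClientIntegrity'; Expected = 2 },
    @{ Setting = 'Domain controller: LDAP server signing requirements (2 = Require signing)'
       Path = 'HKLM:\SYSTEM\CurrentControlSet\Services\NTDS\Parameters'
       Name = 'LDAPServerIntegrity'; Expected = 2 },
    @{ Setting = 'Network access: Do not allow anonymous enumeration of SAM accounts and shares'
       Path = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
       Name = 'RestrictAnonymous'; Expected = 1 },
    @{ Setting = 'Network access: Let Everyone permissions apply to anonymous users'
       Path = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
       Name = 'EveryoneIncludesAnonymous'; Expected = 0 }
)

# Return a DWORD value, or $null when the value is absent (OS default applies,
# and that default differs between Windows versions, so report it explicitly).
function Get-RegistryDword {
    param([string]$Path, [string]$Name)
    $item = Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue
    if ($null -eq $item) { return $null }
    return [int]$item.$Name
}

function Test-SecurityOptions {
    param([hashtable[]]$Checks)
    foreach ($c in $Checks) {
        $actual = Get-RegistryDword -Path $c.Path -Name $c.Name
        $status = if ($null -eq $actual) { 'NOT SET' } elseif ($actual -eq $c.Expected) { 'OK' } else { 'MISMATCH' }
        [pscustomobject]@{ Status = $status; Expected = $c.Expected; Actual = $actual; Setting = $c.Setting }
    }
}

# Pipes and shares reachable without credentials (NullSessionPipes and
# NullSessionShares). The defaults include entries a DC rarely needs.
function Get-NullSessionFindings {
    $key = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters'
    $suspect = @('SQL\QUERY', 'COMNAP', 'COMNODE', 'COMCFG')
    foreach ($list in 'NullSessionPipes', 'NullSessionShares') {
        $entries = (Get-ItemProperty -Path $key -Name $list -ErrorAction SilentlyContinue).$list
        foreach ($e in @($entries)) {
            if ($e -and ($suspect -contains $e)) {
                [pscustomobject]@{ Status = 'REVIEW'; List = $list; Entry = $e }
            }
        }
    }
}

Test-SecurityOptions -Checks $securityOptionChecks | Format-Table Status, Expected, Actual, Setting -AutoSize
Get-NullSessionFindings | Format-Table -AutoSize
```

A NOT SET result is not a pass: it means the operating system default is in effect, and for options such as LmCompatibilityLevel that default depends on the Windows version. Treat it as a prompt to set the option explicitly in the GPO linked to the Domain Controllers OU.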
User rights recommendations for domain controllers:

- Remove the right from the Account Operators group and the Print Operators group.
- Do not allow users permission to shut down DCs.
- Remove Backup Operators and assign this right to a special group for DCs.
- Remove Backup Operators and assign this right to a special group for DCs. This group should be different from the group assigned Back Up Files and Directories.
Multiple registry entries are exposed in the GUI as Security Options. Many of these settings relate directly to the audit checkpoints listed in Chapter 1. Specific settings useful in managing DC security include:

Policy: Accounts: Guest Account Status
Recommendation: Disable.

Policy: Accounts: Rename Administrator Account
Recommendation: Rename.

Policy: Devices: Prevent Users from Installing Printer Drivers
Recommendation: Enable.

Policy: Devices: Unsigned Driver Installation Behavior
Recommendation: Do not allow installation. If a driver required for DC operation is not signed, temporarily modify this setting, install the driver, and then re-enable the setting.
The Restricted Groups section of the Default Domain Controller Security Policy can be used to control group membership. When a user group is added to the Restricted Groups section of Group Policy, membership in the group is managed by Group Policy. Normally, group membership is managed by administrative groups, either by members of the default Windows administrative groups or custom Windows groups delegated responsibility for group membership. However, once a group is added to the Restricted Groups section of the GPO, the membership of that group is dependent on the list of user accounts added to the group within Restricted Groups. If members are added to AD or domain computer local groups in other ways, the group membership will change to those user accounts listed in Restricted Groups on the next Group Policy refresh. Likewise, if a user is added to a Restricted Group within the security settings of the GPO, the account, if not present in the AD or local computer group, will be added. Tread carefully when using Restricted Groups. It is not advised to manage all groups in this manner, and some even advise against managing any domain groups this way due to potential inconsistencies and excessive replication traffic.
Registry keys and files important to operating system operation are permissioned during operating system installation and during promotion to a DC (via Dcpromo). If changes are recommended by Microsoft or by internal study to improve security, they can be rapidly distributed to multiple DCs using the Registry and File System sections of Group Policy.

The System Services section enables centralized control over which services are enabled or disabled on domain computers. Permissions set here also determine which users and groups can enable, disable, start, stop or change the startup type of services. The presence of an enabled or disabled service may affect what a user can do. For example, the Domain Users group may have permission to access the network remotely, but if the Remote Access service is stopped or disabled on a server, users cannot reach the server through that service. This area of Group Policy should be used both to disable unnecessary or unauthorized services and to prevent unauthorized users from changing their status. If left unconfigured, an unnecessary service such as Telnet might be enabled and then used to attack a DC, or an attacker might take advantage of a service's known vulnerability (Telnet, for example, sends passwords in clear text across the network). Alternatively, an attacker might disable services required for DC operation, causing a denial of service (DoS). Recommendations for which services to disable on DCs are part of the security guides provided by Microsoft and referenced earlier.
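Once a service baseline has been chosen from the Microsoft guides, the useful check is a comparison of what can actually start on a DC against that baseline. The following script is an added example, not from the e-book. The allow-list and forbidden list in it are constructed illustrations (the short allow-list is nowhere near a complete DC baseline, and "Telnet" and SQL Server are the two services this section calls out by name); replace them with the lists from the guide you adopt.

```powershell
# Added example, not from the e-book. Lists services on this DC that are
# allowed to start but are not on an allow-list, and flags services that
# should never be enabled on a DC. Both lists below are constructed
# illustrations, not Microsoft's DC baseline. Uses Get-CimInstance
# (PowerShell 3+); on older hosts substitute Get-WmiObject.

$allowedServices = @(
    'Dnscache', 'DNS', 'EventLog', 'Kdc', 'LanmanServer', 'LanmanWorkstation',
    'Netlogon', 'NTDS', 'NtFrs', 'DFSR', 'RpcSs', 'W32Time', 'Winmgmt', 'wuauserv'
)

# Telnet (clear-text passwords) and SQL Server (should not be on a DC).
$forbiddenServices = @('TlntSvr', 'MSSQLSERVER')

function Get-ServiceFindings {
    param([string[]]$Allowed, [string[]]$Forbidden, [object[]]$Services)
    foreach ($s in $Services) {
        if ($s.StartMode -eq 'Disabled') { continue }   # disabled services are out of scope
        if ($Forbidden -contains $s.Name) {
            [pscustomobject]@{ Severity = 'HIGH'; Name = $s.Name; StartMode = $s.StartMode
                               State = $s.State; Account = $s.StartName; Note = 'forbidden on a DC' }
        } elseif ($Allowed -notcontains $s.Name) {
            [pscustomobject]@{ Severity = 'REVIEW'; Name = $s.Name; StartMode = $s.StartMode
                               State = $s.State; Account = $s.StartName; Note = 'not on allow-list' }
        }
    }
}

$services = Get-CimInstance -ClassName Win32_Service
Get-ServiceFindings -Allowed $allowedServices -Forbidden $forbiddenServices -Services $services |
    Sort-Object Severity, Name | Format-Table -AutoSize
```

The Account column matters as much as the service name: a service running under a domain account is a credential stored on the DC, which is why the later user-rights recommendation in this chapter denies such accounts network access.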
Public Key Policies dictate policies such as whether or not certificates will be issued, and if the Encrypting File System can be used. Public Key policy management should reflect organization policy. Software Restriction Policies, if configured, determine what software can run. Policies can either allow all software to run except software explicitly defined as being disallowed, or prevent all software from running except that which is explicitly unrestricted.
- The user right Deny Access to This Computer From the Network: add the Guest account and all non-operating-system service accounts used to run local services. There is no reason these accounts should be allowed network access.
- The Security Option Domain Controller: LDAP Server Signing Requirements: require signing. This protects Lightweight Directory Access Protocol (LDAP) communications between administrative stations and AD. If an attacker captures a packet and modifies it, the signature will no longer match and the packet will be dropped. Clients that cannot sign (for example, applications that bind with unsigned simple binds) will be refused, so inventory LDAP clients before requiring it.
Harden DNS
AD cannot exist without DNS. Without DNS, clients cannot locate DCs to authenticate to the domain, and DCs cannot locate replication partners, so AD changes stop replicating. If an attacker can compromise DNS, he can disrupt the very backbone of AD and mine DNS for information useful in further attacks (the SRV records alone reveal every DC, the Global Catalog servers and the site layout). There are three ways to harden DNS: through placement and policy, through the DNS server configuration, and through Group Policy.
1) Create a computer OU.
2) Create a unique DNS server OU as a child OU of the computer OU.
3) Place all DNS server accounts in this OU.
4) Import the general hardening security template (use a Microsoft-provided template or create one of your own) into a GPO linked to the computer OU.
5) Import the infrastructure security template (use a Microsoft-provided template or create one of your own) into a GPO linked to the DNS server OU.
If this process is used, any computers in the computer OU or its child OUs will be locked down according to the settings in the template as well as the settings made in the GPO linked to the computer OU. Before implementing this method, determine what additional steps might be needed to ensure that all computers can still perform their designated functions. For example, the general hardening template disables the DNS service, but because the template applied to the DNS server OU enables it again, the DNS servers will still function. Note that a DNS server that is also a domain controller keeps its computer account in the Domain Controllers OU; link the infrastructure GPO there rather than moving the DC. Check out these online Microsoft server hardening resources:
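The OU and GPO layout in the steps above can be scripted so that it is reproducible across domains. The following script is an added example, not from the e-book, and it assumes the ActiveDirectory and GroupPolicy PowerShell modules (RSAT on Windows Server 2008 R2 or later, which postdates this e-book), a domain named contoso.com, and placeholder OU, GPO and server names. Importing the .inf security template into each GPO remains a manual step in the Group Policy editor, since no cmdlet does it.

```powershell
# Added example, not from the e-book. Builds the computer OU, the DNS server
# child OU, moves member-server DNS hosts into it, and links one GPO to each
# OU. Assumes the ActiveDirectory and GroupPolicy modules and the placeholder
# names below. After it runs, open each GPO, go to Computer Configuration >
# Windows Settings > Security Settings, right-click and choose Import Policy
# to load the .inf template.

Import-Module ActiveDirectory
Import-Module GroupPolicy

$domainDn   = 'DC=contoso,DC=com'                  # placeholder domain
$dnsServers = @('DNS01', 'DNS02')                  # placeholder member servers running DNS

function New-OuIfMissing {
    param([string]$Name, [string]$ParentDn)
    $dn = "OU=$Name,$ParentDn"
    try {
        $null = Get-ADOrganizationalUnit -Identity $dn -ErrorAction Stop
    } catch {
        $null = New-ADOrganizationalUnit -Name $Name -Path $ParentDn -ProtectedFromAccidentalDeletion $true
    }
    return $dn
}

function Add-GpoLinkIfMissing {
    param([string]$GpoName, [string]$TargetDn)
    try {
        $gpo = Get-GPO -Name $GpoName -ErrorAction Stop
    } catch {
        $gpo = New-GPO -Name $GpoName
    }
    $linked = (Get-GPInheritance -Target $TargetDn).GpoLinks | Where-Object { $_.GpoId -eq $gpo.Id }
    if (-not $linked) { $null = New-GPLink -Guid $gpo.Id -Target $TargetDn -LinkEnabled Yes }
    return $gpo
}

$computerOu = New-OuIfMissing -Name 'Hardened Computers' -ParentDn $domainDn
$dnsOu      = New-OuIfMissing -Name 'DNS Servers' -ParentDn $computerOu

# Move member servers only. A domain controller's account must stay in the
# Domain Controllers OU (primary group RID 516), so link the DNS GPO there instead.
foreach ($name in $dnsServers) {
    $computer = Get-ADComputer -Identity $name -Properties PrimaryGroupID
    if ($computer.PrimaryGroupID -eq 516) {
        Write-Warning "$name is a domain controller; not moving it. Link the DNS GPO to the Domain Controllers OU."
        continue
    }
    if ($computer.DistinguishedName -notlike "*,$dnsOu") {
        Move-ADObject -Identity $computer.DistinguishedName -TargetPath $dnsOu
    }
}

$null = Add-GpoLinkIfMissing -GpoName 'General Hardening'  -TargetDn $computerOu
$null = Add-GpoLinkIfMissing -GpoName 'DNS Infrastructure' -TargetDn $dnsOu

# Show what a DNS server in the child OU will receive, in processing order:
# the general template from the parent OU first, then the DNS GPO on top.
(Get-GPInheritance -Target $dnsOu).InheritedGpoLinks |
    Format-Table Order, DisplayName, Enforced, Target -AutoSize
```

The final listing is the check the paragraph above asks for: it shows that the DNS GPO is processed after the general hardening GPO, which is what lets its enabled DNS service setting win over the disabled one in the parent template.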
Trusts should be created in the most limited manner that will still fulfill the requirements. This can be done by:

- Limiting trusts to trusts between the specific domains required.
- Limiting trusts with partners to trusts with domains in forests that contain only partner-shared resources (do not provide trust relationships to domains within the organization's internal forest).
- Limiting authentication across the trust.
- Limiting authorization within trusting domains. Providing a blanket trust for all trusted users or to all resources should not be the default setup.
- Active Directory Users and Computers
- Active Directory Domains and Trusts
- Active Directory Sites and Services

Numerous other tools are available from Start | Administrative Tools, such as ADSI Edit and various command-line tools. These tools allow direct configuration of access control lists (ACLs). The Delegation of Control wizard, used to assign authority over groups of AD objects, delegates the right to manage directory objects and their properties, including ACLs. The security-conscious administrator will learn about AD ACLs before using these tools.
Protect Active Directory by Restricting Group Membership and Understanding Active Directory ACLs
AD ACLs are used the same way as ACLs on files, folders, printers and the Registry: when a request is made to do something with an object, the request is compared with the ACL on the object. However, AD object permissions differ from those applied to other objects. AD permissions are composed of standard permission sets that apply to all objects, plus unique permissions that apply only to specific types of objects. It's easy to see why: user objects are different from computer objects, and both are different from an Exchange mailbox. How do you ensure that the correct permissions exist on all objects? How can you ensure that weak permissions do not allow an attacker to steal information or damage AD processing? No resource exists that defines every possible permission on every AD object. You can, however, develop a sound policy by evaluating the basic objects and evaluating proper protection for objects you add. To start, become familiar with standard object rights, and then extended rights.
Standard rights:

- DELETE: Delete the object.
- READ_CONTROL: Read the security descriptor, but not the System Access Control List (SACL), which holds the auditing settings.
- WRITE_DAC: Modify the Discretionary Access Control List (DACL).
- WRITE_OWNER: Take ownership of the object.
- SYNCHRONIZE: Use the object for synchronization, as when multiple processes (or threads) need access to the same object.
- ACCESS_SYSTEM_SECURITY: Read or set the SACL.
- GENERIC_READ: Read permissions and properties on the object; list the object name if the parent container is listed, or, if the object is a container, list its contents.
- LIST: List the children of this object. For more information about this right, see Controlling Object Visibility in the ADSI Edit tool section.
Extended rights:

- Allowed to authenticate (objects: computer or service, inetOrgPerson, user or group). inetOrgPerson is an alternative user object, new to Windows Server 2003, required for compatibility with other directory structures and applications developed to use those structures.
- Create inbound forest trust: the right to create an inbound-only trust between forests.
- Enable per user reversibly encrypted password (object: user): the right to enable or disable the Reversible Encrypted Password setting for user or computer accounts.
- Generate RSoP logging (object: OU or domain): the right to generate Resultant Set of Policy logging for the specific domain or OU.
- Generate RSoP planning (object: domain or OU): the right to generate Resultant Set of Policy planning for the specific domain or OU.
- Migrate SID-History: migrate SID history without administrator privileges.
- Refresh group cache: in Windows Server 2003 it is possible to cache Universal Group membership, so that a remote branch office need not have access to a Global Catalog server; instead, Universal Group membership is cached locally on a domain controller. This right is needed to update the cache on demand.
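The standard rights WRITE_DAC and WRITE_OWNER and the blanket forms of WriteProperty and ExtendedRight listed above are the ones to look for when answering the question posed earlier, whether weak permissions let an attacker take over an object. The following script is an added example, not from the e-book: a function that scans a DACL for such entries granted to anyone outside a trusted-administrator list. It operates on ActiveDirectoryAccessRule objects, so it runs unchanged over a real ACL read from the AD: drive or over the constructed sample it ships with; CONTOSO and the group names are placeholders.

```powershell
# Added example, not from the e-book. Reviews a DACL for access control
# entries that hand over an object: GenericAll, WriteDacl, WriteOwner, or an
# unrestricted WriteProperty/ExtendedRight, granted to anyone outside a
# trusted-administrator list. CONTOSO and the group names are placeholders.

Add-Type -AssemblyName System.DirectoryServices
$AR = [System.DirectoryServices.ActiveDirectoryRights]

$trustedPrincipals = @(
    'NT AUTHORITY\SYSTEM', 'BUILTIN\Administrators', 'NT AUTHORITY\ENTERPRISE DOMAIN CONTROLLERS',
    'CONTOSO\Domain Admins', 'CONTOSO\Enterprise Admins'
)

# True when every bit of $Flag is present in $Rights (GenericAll is a
# composite, so a plain -band test against it would match almost any ACE).
function Test-RightSet {
    param($Rights, $Flag)
    return (([int]$Rights) -band ([int]$Flag)) -eq ([int]$Flag)
}

function Find-RiskyAce {
    param(
        [System.DirectoryServices.ActiveDirectoryAccessRule[]]$Rules,
        [string[]]$Trusted
    )
    foreach ($r in $Rules) {
        if ($r.AccessControlType -ne 'Allow') { continue }
        if ($Trusted -contains $r.IdentityReference.Value) { continue }
        $reasons = @()
        if (Test-RightSet $r.ActiveDirectoryRights $AR::GenericAll) { $reasons += 'GenericAll' }
        else {
            if (Test-RightSet $r.ActiveDirectoryRights $AR::WriteDacl)  { $reasons += 'WriteDacl' }
            if (Test-RightSet $r.ActiveDirectoryRights $AR::WriteOwner) { $reasons += 'WriteOwner' }
            # An empty ObjectType means the ACE is not limited to one property
            # or one extended right: it covers every property or every right.
            if ($r.ObjectType -eq [guid]::Empty) {
                if (Test-RightSet $r.ActiveDirectoryRights $AR::WriteProperty) { $reasons += 'WriteProperty (all properties)' }
                if (Test-RightSet $r.ActiveDirectoryRights $AR::ExtendedRight) { $reasons += 'ExtendedRight (all rights)' }
            }
        }
        if ($reasons.Count -gt 0) {
            [pscustomobject]@{
                Identity  = $r.IdentityReference.Value
                Rights    = $r.ActiveDirectoryRights.ToString()
                Inherited = $r.IsInherited
                Reason    = ($reasons -join ', ')
            }
        }
    }
}

# Build a rule offline; no directory connection is needed for this constructor.
function New-SampleRule {
    param([string]$Account, $Rights)
    New-Object -TypeName System.DirectoryServices.ActiveDirectoryAccessRule -ArgumentList (
        ([System.Security.Principal.NTAccount]$Account), $Rights, ([System.Security.AccessControlType]::Allow))
}

# Constructed sample DACL: one expected admin ACE, two that should be flagged,
# one harmless read.
$sampleRules = @(
    (New-SampleRule 'CONTOSO\Domain Admins'   $AR::GenericAll),
    (New-SampleRule 'CONTOSO\Help Desk'       ($AR::WriteDacl -bor $AR::ReadProperty)),
    (New-SampleRule 'CONTOSO\Provisioning Svc' ($AR::WriteProperty -bor $AR::ReadProperty)),
    (New-SampleRule 'NT AUTHORITY\Authenticated Users' $AR::ReadProperty)
)
Find-RiskyAce -Rules $sampleRules -Trusted $trustedPrincipals | Format-Table -AutoSize

# On a live domain (ActiveDirectory module loaded, so the AD: drive exists):
#   $acl = Get-Acl -Path 'AD:\OU=Servers,DC=contoso,DC=com'
#   Find-RiskyAce -Rules $acl.Access -Trusted $trustedPrincipals
```

Against the sample, Help Desk is reported for WriteDacl and Provisioning Svc for an unrestricted WriteProperty; Domain Admins is skipped as trusted and Authenticated Users' read is ignored. The Inherited column tells you whether to fix the ACE on the object itself or on the container it came from.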
Adding AD Classes
AD classes define the types of objects that can be included in the AD and what properties these objects will have. Included in the class definition are the default permissions that will be assigned. Classes added to AD cannot be removed; this can cause problems if a new class has the same name as an existing class that is no longer required. Windows 2003 allows AD classes to be disabled, thus freeing up the name and preventing the proliferation of objects no longer required in the directory.
In order for applications to work well in an AD domain, they must be integrated with AD; to do so, they will typically add new classes. One example is Microsoft Exchange Server. To install such applications, the administrator must be a member of Schema Admins. Keeping the membership of this group empty until such an application must be installed is a sound security practice; verify it periodically (for example, with net group "Schema Admins" /domain). Adding new object classes to AD should not be done without a great deal of thought, planning and testing. Restricting membership of the Schema Admins group will prevent accidental additions and make malicious additions harder. It will also be much easier to prove intent, as the individual must first have his account added to Schema Admins and then install the application. He cannot claim that he did not know the application would add new object classes.
TOOLS
Many tools can be used to manage AD, and all of them are important to security in some way. Information about the different types of tools can be found in various chapters of this book, some of which will be available in future installments:
- Managing AD security: Chapter 2 (this chapter)
- Monitoring Group Policy health: Chapter 3
- Delegation of authority: Chapter 4
- Auditing and monitoring AD security: Chapter 5

Note
Other tools have functionality beyond what's needed to ensure the security of AD and are beyond the scope of this book. But they are all important, since if used incorrectly they can weaken security. Do not make the mistake of thinking that only the tools mentioned in this e-book can impact the security of AD. Even more important than learning how to use all the tools is learning when to use them, and how to use them correctly. More harm can be done by an untrained, unthinking employee with administrative privileges than by most attackers. Take a caution from medical practitioners: whatever you do, "Above all, do no harm." If you do not know how to properly use a tool, or if you do not understand why you are making changes, stay away from a production network until you do.
To create a new GPO:
1) To create a domain- or OU-level GPO, open Active Directory Users and Computers. To create a site GPO, open Active Directory Sites and Services.
2) To create a domain or OU GPO, right-click the domain or OU object and click Properties. To create a site GPO, right-click the site and select Properties.
3) Select the Group Policy tab as shown in Figure 4.

Figure 4. Create a new GPO from the domain, site or OU properties page.

4) Click the New button.
5) Enter a name for the new GPO and click OK.
6) To edit the GPO, select the new policy and click Edit.
7) Edit the policy by selecting a container and navigating to the specific option desired; then double-click to open the item selected in the detail pane, as shown in Figure 5.
Figure 5. Open items to make changes.

8) When your edit is complete, click OK in the item view, then close the GPO by closing the policy windows.
Figure 6. Select the policy to edit by browsing the AD objects where policy can be linked.

5) Click Finish, click Close, and then click OK to return to the console and edit the policy.
6) Expand the policy in the console to view or edit its settings.
To inspect the policy and ensure that blocking inheritance has not been set:
1) Select the Group Policy property page of the site, domain, or OU.
2) View the Block Policy Inheritance check box as shown in Figure 7. If the box is selected, policy inheritance is blocked.

Figure 7. Block Policy Inheritance is set for the AD object.

3) Click OK.
It is important to note that No Override always beats Block Policy Inheritance. If, for example, No Override is set on a GPO linked to the domain and Block Policy Inheritance is set on an OU, the domain GPO's settings are still applied to accounts in the OU. The use of Block Policy Inheritance and No Override should be carefully coordinated within the domain to ensure that the proper policy is applied. (In the Group Policy Management Console, No Override is called Enforced.) To determine if No Override has been set:
1) Open the Group Policy property page.
2) Check the No Override column of the GPO as shown in Figure 8. If the column is checked, No Override is in effect. To remove the setting, double-click in the column.
3) Click Close.

Figure 8. No Override is configured from the GPO properties page. It overrides any Block Policy Inheritance settings on child containers.
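Checking these two settings one container at a time, as in the steps above, does not scale past a handful of OUs, and the interaction described (an enforced link from above reaching a container that blocks inheritance) is easy to miss by eye. The following script is an added example, not from the e-book. It assumes the ActiveDirectory and GroupPolicy PowerShell modules (RSAT on Windows Server 2008 R2 or later, which postdates this e-book; GPMC calls No Override "Enforced") and reports, for the whole domain, every container that blocks inheritance, every enforced link, and which enforced GPOs still reach each blocking container.

```powershell
# Added example, not from the e-book. Lists every container that blocks
# inheritance and every enforced (No Override) link in the domain, and for
# each blocking container shows the enforced GPOs that still apply to it.
# Assumes the ActiveDirectory and GroupPolicy modules.

Import-Module ActiveDirectory
Import-Module GroupPolicy

function Get-GpoInheritanceReport {
    param([string]$Domain = (Get-ADDomain).DNSRoot)
    $domainDn = (Get-ADDomain -Identity $Domain).DistinguishedName
    $containers = @($domainDn) + @(Get-ADOrganizationalUnit -Filter * -Server $Domain |
        Select-Object -ExpandProperty DistinguishedName)
    foreach ($dn in $containers) {
        $inh = Get-GPInheritance -Target $dn -Domain $Domain
        foreach ($link in $inh.GpoLinks) {
            [pscustomobject]@{
                Container         = $dn
                BlocksInheritance = $inh.GpoInheritanceBlocked
                Gpo               = $link.DisplayName
                Enforced          = $link.Enforced
                Enabled           = $link.Enabled
                Order             = $link.Order
            }
        }
        # A container with inheritance blocked still receives every enforced
        # link from its parents; InheritedGpoLinks shows that outcome.
        if ($inh.GpoInheritanceBlocked) {
            $fromAbove = $inh.InheritedGpoLinks | Where-Object { $_.Target -ne $dn -and $_.Enforced }
            foreach ($link in $fromAbove) {
                [pscustomobject]@{
                    Container         = $dn
                    BlocksInheritance = $true
                    Gpo               = "$($link.DisplayName) (enforced from $($link.Target))"
                    Enforced          = $true
                    Enabled           = $link.Enabled
                    Order             = $link.Order
                }
            }
        }
    }
}

$report = Get-GpoInheritanceReport
$report | Where-Object { $_.BlocksInheritance -or $_.Enforced } |
    Sort-Object Container, Order | Format-Table -AutoSize
```

Rows whose Gpo column reads "(enforced from ...)" are the cases the paragraph above warns about: the container's administrator set Block Policy Inheritance, yet the enforced GPO from a parent applies anyway. Run the unfiltered $report when you need the complete link inventory.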
GPMC provides:
- Backup and restore of GPOs
- HTML reporting of GPO settings
- HTML reporting of Resultant Set of Policy (RSoP) data (both logging and planning mode data)
- Simplified management of Group Policy security
- Import and export (backup) of GPOs and WMI filters
- Copy and paste of GPOs and WMI filters
- A GUI that makes Group Policy easier to use
- Scripting of policy tasks exposed within the tool (but not scripting of settings within a GPO)

While GPMC can be used to manage Windows 2000, XP Pro and Windows 2003 computers, it must be installed on an XP Pro or Windows 2003 computer. If XP is used, it must have:
- Service Pack 1, at minimum
- The Microsoft .NET Framework
- Post-SP1 hotfix QFE 326469 (this updates gpedit.dll to version 5.1.2600.1186, required by GPMC)
To install the GPMC:
1) Double-click the gpmc.msi package, then click Next.
2) Read and accept the End User License Agreement (EULA). Note that the license specifies that you must have a valid license for Windows 2003 in order to run the utility. Click Next.
3) If installing on XP, you will be prompted to install post-SP1 hotfix 326469 if gpedit.dll has not been updated. The hotfix is delivered with the download and can be installed at this time.
4) Click Close to complete the installation.

To open the GPMC console, use one of the following methods:
- Click Start, click Run, type gpmc.msc, and then click OK.
- Use the Group Policy Management shortcut from Administrative Tools.
- Open GPMC from the property pages of sites, domains and OUs. (Once GPMC is installed, the Group Policy tab no longer opens the Group Policy Editor directly; the editor is reached through GPMC.)
Figure 9. The Group Policy Management Console (GPMC) is a new tool that provides management of Group Policy much superior to the Group Policy Editor.
- Domain: a sub-node for each domain.
- Site: a sub-node for each site.
- Group Policy Modeling: the ability to predict the results of a new policy. The Group Policy Modeling node will not be present in a pure Windows 2000 forest.
- Group Policy Results: the ability to see the results of the current policies.

Expanding a domain container provides a policy-based view of AD and addit­ional Group Policy elements. All GPOs linked to the domain can be found by name in the Group Policy Objects container; follow the links extending from a top-level list of domain GPOs or from the expanded OU container. All WMI filters are also listed.

Note that below each domain, site, or OU, GPO links are displayed as shortcuts, but in the Group Policy Objects container, GPOs are shown as little scrolls without the shortcut arrow. This highlights that the GPO exists separately from any container. It's also important to remember to perform GPO-related operations, such as backup and copy, from the GPO in the Group Policy Objects container, not from the link. Every GPO is represented in the Group Policy Objects container, while only those GPOs linked to a site, domain or OU are represented in the site and domain containers. If you select a domain, site or OU, as shown in Figure 10, the detail pane provides three pages of information.
Figure 10. Select the domain, site or OU container to see its associated Group Policy information.
The Linked Group Policy Objects tab displays GPOs linked to the container.

Figure 11. The Group Policy Inheritance tab lists all inherited GPOs, with the exception of site policies. Site policies can vary depending on the computer and user account and the site they are located in.
Figure 12. Delegated Permissions are listed. You must change the drop-down list to view different permissions. GPO-specific properties can be examined by double-clicking on the GPO. Scope, Details, Settings and Delegation tabs can also be reviewed.
Figure 13. Use the Scope page to determine where the GPO is linked.
The Settings tab displays only the settings configured for the GPO. The Delegation tab lists the explicit permissions on the GPO: the users, computers and groups to which the GPO will apply, as well as who can edit and delete it.

Several options are available to customize how GPMC works. The following can be set from the GPMC View/Options menu:

Columns: Customize the location of columns for some tables.

Reporting: Set the location of the .adm files used for reporting. By default GPMC searches the local system folder first and then the SYSVOL folder of the GPO; a custom search path can be substituted.

General: Enable or disable trust detection. By default, a two-way forest trust is required to add another forest to GPMC. This can be relaxed to allow management of GPOs across a one-way forest trust, or to use the Stored User Names and Passwords feature of Windows XP and Windows 2003 to reach GPOs in forests with no trust at all. Also here: enable or disable the visual distinction between GPOs and GPO links, and display the DC name beside the domain name.
Basic Operations
Creating, editing, testing, protecting, reporting, backing up and restoring, and copying and pasting are all basic Group Policy management processes available in GPMC. Other operations, such as designating which DC to use for Group Policy, can also be managed from the console.
To create and link a GPO in one step, right-click any domain or OU and choose Create and Link a GPO Here from the context menu. This creates the GPO and links it to the selected domain or OU.
To create an unlinked GPO, right-click the Group Policy Objects node in any domain and click New. (Remember that a GPO is not applied until it is linked.)
To edit the settings in any GPO, right-click the GPO and select Edit.
Scoping GPOs
The process of deciding which users and computers will be affected by a GPO is called scoping the GPO. This may be accomplished by linking the GPO, by security filtering, or by using a WMI filter. The methods are described below:
Linking. Explicitly link the GPO during or after creation. The linked scope of a GPO can also be changed by dragging a GPO from the Group Policy Objects node to an OU in the same domain.
Security filtering. Before GPMC, this required using the ACL editor to set the Read and Apply Group Policy permissions for specific users and groups. With GPMC, the user or group is added on the Scope tab of the GPO or GPO link, which sets the Read and Apply Group Policy permissions automatically. Should you want to Deny these permissions, you must still use the ACL editor (Advanced on the Delegation tab).
Reporting
Before GPMC, Group Policy lacked native reporting, which made a seemingly simple activity such as documenting a GPO a tedious, manual chore. GPMC provides extensive HTML reporting, and reports can be viewed and printed. Reports that can be produced include:
GPO settings. Click the Settings tab of the GPO or GPO link pane to produce a report, an example of which is shown in Figure 14.
Figure 14. Use the Show all link to see all settings in the GPO, or view only selected areas. Only configured settings will display.
Group Policy Modeling (RSoP planning).
Group Policy Results (RSoP logging).
Some settings might not be displayed. Microsoft indicates that the following items might be missing from reports:
IE settings in Preference mode
Some cookie settings
Customized Java settings in Zones and Privacy
Some details of Wireless and IPSec settings
To save a report, right-click the object and select Save Report (or select Save Report from the Action menu); name the report, then save it as an XML or HTML file. XML is the form to keep if the report will later be parsed or compared against another; HTML is for reading and printing.
Reports are automatically displayed in a condensed fashion, as shown in Figure 15, and show only areas where settings are established. This simplifies viewing. To examine the settings requires expanding the category. To expand all of the settings, use the show all option at the top of the report. In the Administrative templates portion of the report, the Explain information can be viewed by clicking the setting name as shown in Figure 16.
Figure 15. A full report of the GPO settings can be produced by clicking on the Settings tab.
Figure 16. Administrative Template settings can display the Explain information.
Bug Alert
Check Windows 2000 domains for this issue by opening the Default Domain Policy and the Default Domain Controllers Policy in GPMC. A bug in Windows 2000 incorrectly sets the ACL on the SYSVOL portion of the GPO to allow inheritance, which can leave it out of sync with the permissions set on the AD portion. To correct the error, examine the GPOs in GPMC and, when prompted that the SYSVOL permissions are inconsistent with those in AD, click OK to make them match. The SYSVOL ACL is rewritten from the ACL on the AD portion of the GPO, and inheritance is removed.
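The check above can be scripted so that every GPO, not just the two default policies, is examined. The following PowerShell is an added example and is not part of the original chapter or of GPMC; it assumes the GroupPolicy and ActiveDirectory modules (RSAT on Windows Server 2008 R2 and later, not the Windows Server 2003 GPMC) and reports each GPO whose SYSVOL folder still has ACL inheritance enabled, the condition the bug leaves behind, so the mismatch can then be resolved in GPMC.

```powershell
# Added example, not from the chapter: find GPO folders in SYSVOL whose DACL
# still inherits from the Policies folder instead of mirroring the AD object.
# Assumes the GroupPolicy and ActiveDirectory modules (RSAT, Server 2008 R2+).
Import-Module GroupPolicy
Import-Module ActiveDirectory

function Test-GpoSysvolInheritance {
    param([string]$Domain = (Get-ADDomain).DNSRoot)

    foreach ($gpo in Get-GPO -All -Domain $Domain) {
        # SYSVOL folder of the GPO is named after its GUID in braces.
        $path = "\\$Domain\SYSVOL\$Domain\Policies\{$($gpo.Id)}"

        if (-not (Test-Path -Path $path)) {
            [pscustomobject]@{
                Name = $gpo.DisplayName; Id = $gpo.Id
                Status = 'SYSVOL folder missing'; InheritedAces = 0
            }
            continue
        }

        $acl = Get-Acl -Path $path
        # A folder that was synchronised by GPMC has a protected DACL (inheritance
        # blocked) carrying only the explicit ACEs that mirror the AD object.
        $inherited = @($acl.Access | Where-Object { $_.IsInherited })
        $status = if ($acl.AreAccessRulesProtected) { 'OK' } else { 'Inheritance enabled' }

        [pscustomobject]@{
            Name          = $gpo.DisplayName
            Id            = $gpo.Id
            Status        = $status
            InheritedAces = $inherited.Count
        }
    }
}

# Usage: show only the GPOs that need attention. The two default GPOs sort first
# alphabetically, which is convenient because they are the ones the bug affects.
Test-GpoSysvolInheritance |
    Where-Object { $_.Status -ne 'OK' } |
    Sort-Object Name |
    Format-Table -AutoSize
```

Run it against a domain controller you can reach over SMB; a non-empty InheritedAces count on a flagged GPO shows exactly which ACEs GPMC will discard when you accept the repair prompt, so compare them with the AD object's Delegation tab before clicking OK.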
A GPO backup contains:
The GUID and domain name
The GPO settings
WMI filter links (not the filters themselves)
Permission settings on the GPO
An XML report of the GPO settings
The backup does not include items stored outside the GPO; only the SYSVOL and AD portions of the GPO are backed up. Be careful: some items many administrators think of as part of the GPO are not stored with it and thus are not backed up. These include WMI filters (which can be backed up separately with GPMC), IPSec policies (export them to a file from the IP Security Policy snap-in) and the links from domain, site or OU objects to the GPO.
Warning: Anyone who can read the backup, or a copy of an exported GPO, learns a great deal about the security configuration of the enterprise. This information should not be readily available. Only authorized administrators, security teams and auditors should have access to it; the location of these files and the DACLs set on them are critical. Treat these backups as you would any other backup of sensitive data, and maintain good copies of your critical data both locally and off-site. Additionally, protect AD from accidental or malicious use of these backups in a restore that might leave systems vulnerable: if an outdated GPO is restored, or a weaker one imported, enormous damage could be done. Ensure limited access to these files and limit all GPMC operations to the trusted individuals who need them to do their jobs.
Restore takes a backup and reinstates it in the domain. The GUID of the original GPO is used, as is the domain information, so the backup/restore process cannot be used to move a GPO to another domain. The restore replaces the GPO settings, the ACL on the GPO and the WMI filter links.
To back up a GPO:
1) Right-click the GPO in GPMC and select Back Up from the context menu.
2) Provide a file system location and a description, then click Back Up, as shown in Figure 17. Click OK when the backup completes.
Figure 17. GPOs may be saved to the file system. Make sure this is done to a secure location, not somewhere unauthorized individuals can access the file.
To back up all GPOs:
1) Right-click the Group Policy Objects node and select Back Up All from the context menu.
2) Provide a file system location and description.
3) Click Back Up, then OK.
To restore a GPO that still exists, an administrator needs only the Edit settings, delete, modify security permission on that GPO. To restore a GPO that has been deleted, an administrator needs the right to create GPOs in the domain.
To restore a GPO that still exists:
1) Right-click the GPO in the Group Policy Objects container and select Restore from Backup from the context menu, then click Next.
2) Browse to the backup location and click Next.
3) Select the backup and click Next.
4) Review the settings and click Finish.
5) Click OK.
Sample scripts that perform basic functions are installed with GPMC (in the Scripts folder under the GPMC installation directory). To back up GPOs, use BackupGPO.wsf or BackupAllGPOs.wsf; to restore, use RestoreGPO.wsf or RestoreAllGPOs.wsf. The backups held in a location can be listed with QueryBackupLocation.wsf.
Managing Backups
Information on backups, as well as the ability to delete, sort, restore and view backup settings, is found in the Manage Backups dialog. To open it:
1) Right-click the Domains container and select Manage Backups from the context menu, or right-click the Group Policy Objects container and select Manage Backups.
2) Locate and select the file location of the backups and click OK.
A backed-up GPO can also be imported into an existing GPO. Import can be used to restore a GPO, or to completely replace the existing settings in a GPO with the settings in the backup. Import can move GPO settings from one domain to another, even if the new domain is in another forest and even if there is no trust relationship between the source and destination domains; a migration table translates domain-specific security principals and UNC paths during the import. To import a GPO, right-click the target GPO under the Group Policy Objects node, select Import Settings and follow the wizard.
The GPMC Copy command uses an existing GPO to obtain settings that it then transfers to a new GPO. Pasting into the Group Policy Objects container of the same domain produces a new GPO named Copy of the original; dragging a GPO onto an OU, by contrast, creates only a link. To copy a GPO to another domain, an administrator must have GPO creation rights in the destination domain and read access to the source GPO, and a trust is required between the source and destination domains.
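The backup, restore and import procedures above, together with the warning about where backups are stored, can be combined into one script. The following PowerShell is an added example, not code from the chapter or from the GPMC sample scripts; it assumes the GroupPolicy module (RSAT, Windows Server 2008 R2 and later), and the backup root, the group name and the domain and migration-table arguments are placeholders.

```powershell
# Added example, not from the chapter: back up every GPO into a directory whose
# DACL is restricted *before* the first file is written, keep an XML settings
# report beside each backup, and show restore and cross-domain import.
# Assumes the GroupPolicy module (RSAT, Windows Server 2008 R2 and later).
Import-Module GroupPolicy

function New-SecureGpoBackup {
    param(
        [string]$Root       = 'D:\GPOBackups',                  # placeholder path
        [string]$AdminGroup = 'CONTOSO\GPO Backup Operators'    # placeholder group
    )
    $stamp = Get-Date -Format 'yyyyMMdd-HHmm'
    $dir   = New-Item -ItemType Directory -Path (Join-Path $Root $stamp)

    # Lock the directory down first: SYSTEM and the backup group only, nothing inherited.
    $acl = Get-Acl -Path $dir.FullName
    $acl.SetAccessRuleProtection($true, $false)   # block inheritance, drop inherited ACEs
    foreach ($id in 'NT AUTHORITY\SYSTEM', $AdminGroup) {
        $rule = New-Object System.Security.AccessControl.FileSystemAccessRule(
            $id, 'FullControl', 'ContainerInherit, ObjectInherit', 'None', 'Allow')
        $acl.AddAccessRule($rule)
    }
    Set-Acl -Path $dir.FullName -AclObject $acl

    # Backup-GPO -All writes one {BackupId} folder per GPO plus a manifest.xml.
    $backups = Backup-GPO -All -Path $dir.FullName -Comment "Scheduled backup $stamp"

    # The backup carries settings, the DACL and WMI filter *links*. The XML report
    # is what an auditor reads without needing domain access. WMI filters, IPSec
    # policies and site/domain/OU links are not in the backup (see the text above).
    foreach ($b in $backups) {
        $report = Join-Path $dir.FullName "$($b.GpoId).xml"
        Get-GPOReport -Guid $b.GpoId -ReportType Xml -Path $report
    }
    return $dir.FullName
}

# Restore an existing or deleted GPO from the newest backup of that name.
# Same GUID, same domain: this cannot move a GPO between domains.
function Restore-GpoFromLatest {
    param([string]$Name, [string]$BackupPath)
    # Without -BackupId, Restore-GPO uses the most recent backup of that GPO.
    Restore-GPO -Name $Name -Path $BackupPath
}

# Import copies settings into a GPO in another domain or forest; no trust is
# needed. The migration table rewrites domain-specific SIDs and UNC paths.
function Import-GpoToDomain {
    param(
        [string]$SourceName, [string]$TargetName, [string]$BackupPath,
        [string]$Domain, [string]$MigrationTable
    )
    Import-GPO -BackupGpoName $SourceName -TargetName $TargetName -Path $BackupPath `
               -Domain $Domain -MigrationTable $MigrationTable -CreateIfNeeded
}

# Usage (placeholders): run the backup, then restore one GPO from it.
$where = New-SecureGpoBackup
Restore-GpoFromLatest -Name 'Default Domain Controllers Policy' -BackupPath $where
```

Setting the DACL before calling Backup-GPO matters: the backup folders inherit from the parent at creation time, so a directory locked down afterwards briefly exposes the files. The migration table (.migtable) is created in GPMC's Migration Table Editor and is only needed when the source GPO references principals or paths that do not exist in the destination domain.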
Figure 18. The Group Policy Objects Delegation tab displays all users and groups that can create GPOs in the domain.
This tab can be used to add a user or group and configure their access using permissions. Major permission categories include:
Create WMI filters. Use the Delegation tab of the WMI Filters page. WMI filters are stored in the domain's System container in AD, so permissions applied to that container have the same effect. Two permissions are available: Creator Owner (can create new WMI filters, but has no access to WMI filters created by others) and Full Control (create, own and have full control of all WMI filters in the domain; assigned by default to Domain Admins and Enterprise Admins). Permissions can also be applied to a specific WMI filter: Edit or Full Control. By default, all users have Read permission on all WMI filters. This is necessary to allow Group Policy processing on the client and it cannot be removed.
To manage delegation for a GPO, use the Delegation tab of the GPO and/or permissions set directly on the GPO. These privileges are more granular and include (as shown in Figure 19):
Read. Read the GPO.
Edit settings. Read, write, create child objects and delete child objects.
Edit settings, delete, modify security. Read, write, create child objects, delete child objects, delete, modify permissions and modify owner.
None of these three levels sets the Apply Group Policy right; administrators who can edit a GPO are not, by that permission alone, subject to it.
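The permissions described here (Read and Apply Group Policy for security filtering, and the three delegation levels) are set one GPO at a time in GPMC. The following PowerShell is an added example, not code from the chapter; it assumes the GroupPolicy module, with placeholder GPO and group names, and shows both the scoping procedure from the Scoping GPOs section and an audit of every GPO's delegation in one pass.

```powershell
# Added example, not from the chapter: security filtering and delegation with
# the GroupPolicy module (RSAT, Windows Server 2008 R2+), then an audit that
# shows for every GPO what the GPMC Scope and Delegation tabs show for one.
Import-Module GroupPolicy

function Set-GpoScope {
    param(
        [string]$GpoName    = 'Workstation Lockdown',      # placeholder GPO
        [string]$ApplyGroup = 'CONTOSO\Kiosk Workstations', # placeholder group
        [string]$EditGroup  = 'CONTOSO\Desktop GPO Editors' # placeholder group
    )
    # Security filtering: this is what adding a group on GPMC's Scope tab does
    # (GpoApply grants both Read and Apply Group Policy).
    Set-GPPermission -Name $GpoName -TargetName $ApplyGroup -TargetType Group `
                     -PermissionLevel GpoApply | Out-Null

    # Authenticated Users keeps Read but loses Apply, so the GPO now reaches
    # $ApplyGroup only. Read must stay: clients (since MS16-072, the computer
    # account even for user settings) cannot evaluate a GPO they cannot read.
    Set-GPPermission -Name $GpoName -TargetName 'Authenticated Users' -TargetType Group `
                     -PermissionLevel GpoRead -Replace | Out-Null

    # Delegation: edit settings only; no delete and no change to the DACL.
    Set-GPPermission -Name $GpoName -TargetName $EditGroup -TargetType Group `
                     -PermissionLevel GpoEdit | Out-Null

    # Deny ACEs cannot be written with Set-GPPermission, just as they cannot be
    # set from the Scope tab; they still need the ACL editor or Set-Acl on the
    # AD object, so the audit below counts them rather than managing them.
}

function Get-GpoDelegationReport {
    foreach ($gpo in Get-GPO -All) {
        $perms = Get-GPPermission -Guid $gpo.Id -All

        $apply = @($perms | Where-Object { $_.Permission -eq 'GpoApply' -and -not $_.Denied })
        $edit  = @($perms | Where-Object { $_.Permission -eq 'GpoEdit' -or
                                           $_.Permission -eq 'GpoEditDeleteModifySecurity' })
        $authUsersRead = @($perms | Where-Object { $_.Trustee.Name -eq 'Authenticated Users' }).Count -gt 0

        # A GPO nobody can apply is dead weight (or a filtering mistake); a GPO
        # Authenticated Users cannot read silently fails to process on clients.
        $warning = ''
        if ($apply.Count -eq 0)       { $warning = 'no Apply trustee' }
        elseif (-not $authUsersRead)  { $warning = 'Authenticated Users has no Read' }

        [pscustomobject]@{
            Name      = $gpo.DisplayName
            AppliesTo = ($apply | ForEach-Object { $_.Trustee.Name }) -join ', '
            CanEdit   = ($edit  | ForEach-Object { $_.Trustee.Name }) -join ', '
            Denies    = @($perms | Where-Object { $_.Denied }).Count
            Warning   = $warning
        }
    }
}

# Usage: scope one GPO, then review the whole domain.
Set-GpoScope
Get-GpoDelegationReport | Sort-Object Name | Format-Table -AutoSize
```

The Denies column is worth watching: a Deny Apply Group Policy ACE is invisible on the Scope tab, so a GPO that "should" apply to a group but does not is often explained there rather than by link order or inheritance.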
Figure 20. Previous queries are displayed from the Group Policy Modeling node.
Group Policy Modeling runs its simulation on a domain controller running Windows Server 2003, so the node is available only when such a DC exists. Best practice is to model in a test forest. Follow these steps:
1) Right-click the Group Policy Modeling container and select Group Policy Modeling Wizard from the context menu.
2) On the welcome page, click Next.
3) Select a DC to process the simulation.
4) Select the container (or a specific user account) to be used for user information.
5) Select the container (or a specific computer account) to be used for computer information, and click Next.
6) Continue through the remaining pages (slow link, loopback, site, security groups and WMI filters) as described in the RSoP section.
7) The report is displayed in the detail pane.
The Summary page displays the information that affects the results, including the list of GPOs that will be applied, the security group memberships assumed, and the WMI filters applied. The Settings page displays the settings that will be applied, and the Query page displays the parameters used to create the query. The list of GPOs that will affect the user or computer can confirm that the structure is correct or, conversely, point to a flaw in your GPO design. The results of the query are kept for later review, and the query can be re-run after GPO changes have been made; delete any queries that are no longer needed. To save a copy of the report to the file system, right-click the query in the details pane and select Save Report from the context menu, then browse to a location, enter a file name and click Save. GPMC provides HTML reporting of the results but not the precedence information provided by the RSoP MMC snap-in. The HTML report tells you the final result, that is, which setting will be applied; precedence information shows the history. The Advanced View option (right-click the query in the console pane and select Advanced View) opens the RSoP snap-in and shows every GPO that attempts to set the setting, along with the value each would have set.
Figure 21. Security templates can be viewed and modified in the Security Templates snap-in.
Secedit can be scripted to apply security to multiple computers on a network, or scheduled for periodic re-application. The analysis component of both tools can be used to compare the current computer's security configuration with that of an existing template. While security settings in a template are most easily understood and adjusted in the snap-in, a template is a text file and can carry security settings that the snap-in does not display. Figure 22, for instance, shows a template file that includes a Registry setting to harden TCP/IP. TCP/IP settings are not a preconfigured Security Option or other component of the default security settings GUI (the GUI shows only the Registry values registered in %windir%\inf\sceregvl.inf). However, if correctly entered, any Registry entry recorded in the template will be set when the template is applied with Group Policy, Security Configuration and Analysis, or secedit.
Figure 22. Template files can contain Registry settings that are not displayed in the GUI. Group Policy can work with security templates to manage DC security settings, by importing them into a GPO and applying them. Settings can first be applied and tested on a single machine, then tested via Group Policy in a test domain on a test network, before being imported into the production GPO. This saves time over manual configuration, and reduces the risk of configuration errors. To configure a template, open it in the Security Templates GUI and change settings just as you would in Group Policy.
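As an added example that is not the template shown in Figure 22, the following PowerShell writes a minimal security template whose only content is TCP/IP hardening Registry values (documented Windows Server 2003 Tcpip parameters; the particular values chosen are an assumption for illustration), analyses the local machine against it with secedit, and then applies it. The value names will not appear in the Security Templates snap-in unless they are registered in sceregvl.inf, but secedit sets them regardless.

```powershell
# Added example, not from the chapter: a security template carrying Registry
# values the Security Templates GUI does not display, analysed and applied with
# secedit. Value names are documented Tcpip parameters; the values are assumed.
$template = @'
[Unicode]
Unicode=yes
[Version]
signature="$CHICAGO$"
Revision=1
[Registry Values]
; Format: MACHINE\<key>\<value>=<type>,<data>
; type 4 = REG_DWORD, 1 = REG_SZ, 7 = REG_MULTI_SZ, 3 = REG_BINARY
MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\SynAttackProtect=4,1
MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\DisableIPSourceRouting=4,2
MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\EnableICMPRedirect=4,0
MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\EnableDeadGWDetect=4,0
'@

$inf = Join-Path $env:TEMP 'tcpip-harden.inf'
$db  = Join-Path $env:TEMP 'tcpip-harden.sdb'
$log = Join-Path $env:TEMP 'tcpip-harden.log'

# secedit reads templates as Unicode (UTF-16) text; ASCII templates fail silently.
Set-Content -Path $inf -Value $template -Encoding Unicode

function Test-TemplateCompliance {
    # /analyze imports the template into the database and compares it with the
    # live machine; differences are written to the log, not to the console.
    & secedit.exe /analyze /db $db /cfg $inf /log $log /quiet | Out-Null
    # Report only the lines secedit flags; everything else in the log is noise.
    Select-String -Path $log -Pattern 'Mismatch|Not Configured' |
        ForEach-Object { $_.Line }
}

function Invoke-TemplateApply {
    # /configure applies every area present in the template. Registry Values
    # belong to the SECURITYPOLICY area, so do not restrict with /areas REGKEYS.
    & secedit.exe /configure /db $db /cfg $inf /log $log /quiet | Out-Null
    # Verify in the Registry itself, since the GUI will not show these values.
    Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters' |
        Select-Object SynAttackProtect, DisableIPSourceRouting,
                      EnableICMPRedirect, EnableDeadGWDetect
}

# Usage: analyse first, then apply and re-read the values (requires elevation).
Test-TemplateCompliance
Invoke-TemplateApply
```

The same .inf can be imported into a GPO (Computer Configuration, Windows Settings, Security Settings, right-click, Import Policy) to push the values to every DC in the OU; the analysis step is the one to schedule, because it tells you when a machine has drifted from the template without changing anything.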
To use ADSI Edit:
1) Install the Windows Support Tools from the Support\Tools folder of the server installation CD.
2) Add ADSI Edit to an MMC console.
3) Right-click the ADSI Edit node and select Connect to.
4) Select the naming context, or enter the distinguished name, for the area of AD (Domain, Configuration or Schema) you wish to view or modify.
5) Click OK.
6) Repeat this procedure to add the other containers if desired.
7) Expand the container to expose the objects, as shown in Figure 23.
Figure 23. ADSI Edit can be used to view or modify directory objects.
Selective Authentication
Many administrators believe that no access across a completed trust is possible until the trusting domain administrator modifies access controls on domain resources. This is not precisely true. Once a trust is completed, the trusting domain passes through authentication of users from the trusted domain, which means those users may already have access to domain resources. For example, trusted-domain users could log on from a computer in the trusting domain and access any resource available to the Everyone, Authenticated Users or Interactive groups. To limit this type of access, the authentication scope of an external trust, or of a forest trust between Windows 2003 forests, can be restricted. This is called Selective Authentication.
When a user authenticates across a trust configured for Selective Authentication, the Other Organization SID (S-1-5-1000) is added to the user's access token. Its presence prompts the resource domain controller to check that the user has been explicitly allowed to authenticate to the target computer. (A user authenticating within the forest instead receives the This Organization SID, S-1-5-15; only one of the two SIDs can be present in an access token.)
To configure Selective Authentication for a trust:
1) Open the Active Directory Domains and Trusts console.
2) Right-click the domain node and select Properties.
3) Select the Trusts tab.
4) Locate the trust under Domains trusted by this domain (outgoing trusts) or Domains that trust this domain (incoming trusts).
5) Select the external trust or forest trust to administer and click Properties.
6) Select the Authentication tab.
7) For an external trust, select either Domain-wide authentication or Selective authentication.
8) For a forest trust, select either Forest-wide authentication or Selective authentication.
9) If Selective authentication is selected, grant the Allowed to authenticate permission to the trusted users or groups on the computer objects they must reach (on the server's properties for an external trust; for a forest trust it can be granted on the domain or an OU and inherited by the computer objects below). Until that permission is granted, users from across the trust cannot access resources on the server even if they have explicit permissions on objects on it.
SID Filtering
SID Filtering removes from a user's authorization data any SIDs that do not belong to the trusted domain or forest the user is coming from, in particular sIDHistory entries that claim membership in groups of the trusting forest. (Such SIDs can be placed in the sIDHistory attribute, and so in the access token, inside the user's own forest, but they are discarded at the trust boundary.) This prevents an administrator of the trusted forest from using spoofed SIDs to gain access in the trusting forest. SID Filtering is enabled automatically when Windows 2003 external or forest trusts are created, or when the trust is created by Windows 2000 SP4 or later DCs. The price is that legitimate sIDHistory from a domain migration does not work across such a trust while filtering is on; if it is disabled for a migration, re-enable it as soon as the migration is complete.
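Granting Allowed to authenticate through server properties is tedious for more than a few servers, and the SID-filtering state of a trust is not shown in the trust's property pages. The following PowerShell is an added example, not from the chapter; it assumes the ActiveDirectory module (and netdom for the commented commands), and the GUID is the schema's Allowed-To-Authenticate control access right. Distinguished names, group names and domain names are placeholders.

```powershell
# Added example, not from the chapter: grant "Allowed to authenticate" on a
# computer object to a group from the trusted forest, list who holds it, and
# read the selective-authentication and SID-filtering state of a trust.
# Assumes the ActiveDirectory module; names and DNs below are placeholders.
Import-Module ActiveDirectory

# rightsGuid of the Allowed-To-Authenticate control access right in the schema.
$AllowedToAuthenticate = [Guid]'68b1d179-0d15-4d4f-ab71-46152e79a7bc'

function Grant-AllowedToAuthenticate {
    param(
        [string]$ComputerDn,    # e.g. CN=FS01,OU=Servers,DC=corp,DC=example
        [string]$TrustedGroup   # e.g. PARTNER\Project Users (group in the trusted forest)
    )
    $sid  = (New-Object System.Security.Principal.NTAccount($TrustedGroup)).Translate(
                [System.Security.Principal.SecurityIdentifier])
    # An ExtendedRight ACE scoped to one control access right, not Full Control.
    $rule = New-Object System.DirectoryServices.ActiveDirectoryAccessRule(
                $sid,
                [System.DirectoryServices.ActiveDirectoryRights]::ExtendedRight,
                [System.Security.AccessControl.AccessControlType]::Allow,
                $AllowedToAuthenticate)
    $obj = [ADSI]"LDAP://$ComputerDn"
    $obj.ObjectSecurity.AddAccessRule($rule)
    $obj.CommitChanges()
}

function Get-AllowedToAuthenticate {
    param([string]$ComputerDn)
    $obj = [ADSI]"LDAP://$ComputerDn"
    # Explicit and inherited ACEs, resolved to account names, filtered to this right.
    $obj.ObjectSecurity.GetAccessRules($true, $true, [System.Security.Principal.NTAccount]) |
        Where-Object { $_.ObjectType -eq $AllowedToAuthenticate } |
        Select-Object IdentityReference, AccessControlType, IsInherited
}

function Get-TrustHardening {
    param([string]$TrustedDomain)   # DNS name of the trusted (account) domain
    $t = Get-ADTrust -Filter "Name -eq '$TrustedDomain'"
    [pscustomobject]@{
        Trust                   = $t.Name
        Direction               = $t.Direction
        ForestTransitive        = $t.ForestTransitive
        SelectiveAuthentication = $t.SelectiveAuthentication
        SIDFilteringQuarantined = $t.SIDFilteringQuarantined   # external-trust style: trusted domain's SIDs only
        SIDFilteringForestAware = $t.SIDFilteringForestAware   # forest trust: trusted forest's SIDs only
    }
}

# Usage (placeholders). Run on a DC of the trusting (resource) domain.
Grant-AllowedToAuthenticate -ComputerDn 'CN=FS01,OU=Servers,DC=corp,DC=example' `
                            -TrustedGroup 'PARTNER\Project Users'
Get-AllowedToAuthenticate   -ComputerDn 'CN=FS01,OU=Servers,DC=corp,DC=example'
Get-TrustHardening          -TrustedDomain 'partner.example'

# The switches themselves are still set with netdom (or the Authentication tab):
#   netdom trust corp.example /domain:partner.example /SelectiveAuth:Yes
#   netdom trust corp.example /domain:partner.example /Quarantine:Yes        (external trust)
#   netdom trust corp.example /domain:partner.example /EnableSIDHistory:No   (forest trust)
```

Because the ACE is an ordinary directory permission, Get-AllowedToAuthenticate is also the audit you run after a migration or a vendor engagement: any IdentityReference from the trusted forest that still appears there can authenticate to that server regardless of what the file shares say.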
SUMMARY
Securing AD requires much more planning and activity than simply protecting the AD database itself. Peripheral services such as DNS must be hardened, and domain authentication and domain controller access controls must be strengthened. Native security tools can be used to perform many of these functions. Other Windows tools can be used to monitor, maintain, prepare for recovery, and audit AD. Some of the more interesting management tasks that ensure the security of AD are those that monitor its health. In the next chapter, we'll focus on these processes and the tools used to accomplish them.
Quest Software Windows Management 6500 Emerald Parkway Suite 400 Columbus, OH 43016 USA Phone: 614-336-9223 1-800-263-0036