Agenda
- What we are up against
- AD Security best practices
- Preparing for the worst
- Additional resources
- Q/A

What we are up against
- Corollary: There is no such thing as a secure computer network
- Corollary: Even if there was, you couldn't afford it
AD Functional Boundaries:
Best Practices
Administrators
- Rename default Administrator account
- Create separate admin and user accounts
- Store admin accounts in separate OU
- Establish secure admin workstations
- Limit access to Administrator account password
- Change password frequently and make it random (don't forget the DSRM password)
Domain Controllers
- Ensure physical security
- Automate the build process
- Build DCs in a controlled environment
- Create a reserve disk space file
- Disable all unnecessary services
- Run virus scanning software
Group Memberships
- Limit membership of admin groups
- Set ACLs on groups so that only admins can modify admin groups
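As an added example (not part of the original presentation), the following PowerShell audit script checks the Administrators and Group Memberships recommendations above from an admin workstation. It assumes the ActiveDirectory module (RSAT) is installed and the caller can read the domain; the group list, the admin OU path, and the 90-day password-age threshold are placeholders to adjust. It finds the built-in Administrator by its RID (500) regardless of what it has been renamed to, reports admin-group members that live outside the dedicated admin OU, and lists every ACE on each admin group that could be used to change its membership (write to the `member` attribute, GenericAll, WriteDacl or WriteOwner) so the list can be compared against the "admins only" expectation.

```powershell
# Added example, not from the presentation. Requires the ActiveDirectory module.
Import-Module ActiveDirectory

$AdminGroups   = @('Domain Admins', 'Enterprise Admins', 'Schema Admins', 'Administrators')
$AdminOU       = 'OU=Admin Accounts,DC=example,DC=com'   # placeholder: your separate admin OU
$MaxPwdAgeDays = 90                                      # placeholder: "change password frequently" threshold
$Rights        = [System.DirectoryServices.ActiveDirectoryRights]
# schemaIDGUID of the "member" attribute; a WriteProperty ACE scoped to it (or to
# all properties, the empty GUID) lets the grantee add or remove members.
$MemberAttrGuid = [guid]'bf9679c0-0de6-11d0-a285-00aa003049e2'

$domain = Get-ADDomain

# 1. The built-in Administrator always has RID 500, whatever its current name.
$builtin = Get-ADUser -Identity "$($domain.DomainSID.Value)-500" -Properties PasswordLastSet
if ($builtin.SamAccountName -eq 'Administrator') {
    Write-Warning "Built-in Administrator (RID 500) still uses the default name"
}
if ($null -eq $builtin.PasswordLastSet) {
    Write-Warning "RID-500 account '$($builtin.SamAccountName)' has no PasswordLastSet value"
} else {
    $pwdAge = (Get-Date) - $builtin.PasswordLastSet
    if ($pwdAge.TotalDays -gt $MaxPwdAgeDays) {
        Write-Warning ("RID-500 account '{0}' password is {1:N0} days old" -f
            $builtin.SamAccountName, $pwdAge.TotalDays)
    }
}

foreach ($g in $AdminGroups) {
    # 2. Flatten nested membership and flag accounts outside the admin OU, i.e.
    #    everyday user accounts that were added directly to an admin group.
    foreach ($m in Get-ADGroupMember -Identity $g -Recursive) {
        if ($m.objectClass -eq 'user' -and $m.distinguishedName -notlike "*,$AdminOU") {
            Write-Warning "$g member '$($m.SamAccountName)' is not stored under $AdminOU"
        }
    }

    # 3. Report every grantee that could change this group's membership.
    $groupDn = (Get-ADGroup -Identity $g).DistinguishedName
    $acl = Get-Acl -Path "AD:\$groupDn"
    foreach ($ace in $acl.Access) {
        if ($ace.AccessControlType -ne 'Allow') { continue }
        $writesMember = (($ace.ActiveDirectoryRights -band $Rights::WriteProperty) -ne 0) -and
                        ($ace.ObjectType -eq $MemberAttrGuid -or $ace.ObjectType -eq [guid]::Empty)
        $takesOver    = (($ace.ActiveDirectoryRights -band $Rights::GenericAll) -ne 0) -or
                        (($ace.ActiveDirectoryRights -band $Rights::WriteDacl)  -ne 0) -or
                        (($ace.ActiveDirectoryRights -band $Rights::WriteOwner) -ne 0)
        if ($writesMember -or $takesOver) {
            [pscustomobject]@{
                Group   = $g
                Grantee = $ace.IdentityReference
                Rights  = $ace.ActiveDirectoryRights
                Scope   = if ($ace.ObjectType -eq [guid]::Empty) { 'all properties' } else { $ace.ObjectType }
            }
        }
    }
}
```

Expect SYSTEM, Domain Admins and Enterprise Admins in the ACE report; anything else is a candidate for removal. Note that these protected groups get their ACL re-stamped from the AdminSDHolder object by the SDProp process, so a permanent fix to an unwanted ACE belongs on AdminSDHolder, not on the group itself.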
Delegation
- KISS
- Create a role-based model
- Don't assign permissions to individual accounts
- Don't assign permissions on individual objects
- Document your delegation model
- Get familiar with dsrevoke.exe
DNS
- Use AD-integrated zones
- Enable secure dynamic updates to prevent name hijacking
- Use Application partitions in W2K3 to decrease replication
- Enable scavenging to remove stale records
- Hide internal namespace from the Internet (AD resource records expose lots of infrastructure information)
- Use quotas to restrict the number of records Authenticated Users can create
DHCP
- Avoid the name hijacking problem
- Configure so that:
  - Client updates A record
  - DHCP service updates PTR record
- If necessary, use a service account
- See MS KB 255134 - http://tinyurl.com/5ek6n
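The DNS and DHCP slides above describe settings rather than commands; as an added example (not from the presentation), the following PowerShell session applies them with the Windows Server 2003-era tools dnscmd.exe, dsmod.exe, dsadd.exe and netsh.exe, run from an elevated prompt on the DNS/DHCP server. The zone, partition and account names are placeholders. The `dsadd quota -acct` value is an assumption: the tool expects a principal name and the exact form accepted for the Authenticated Users well-known principal should be confirmed against `dsadd quota /?` before relying on it.

```powershell
# Added example, not from the presentation. All names below are placeholders.
$Zone      = 'corp.example.com'                               # AD-integrated forward zone
$Partition = 'DC=DomainDnsZones,DC=corp,DC=example,DC=com'    # W2K3 DNS application partition

# 1. Keep the zone in AD and move it to the domain-wide application partition,
#    so it replicates only to DCs running DNS instead of every DC.
dnscmd /ZoneChangeDirectoryPartition $Zone /domain

# 2. Secure dynamic updates only (AllowUpdate: 0 = none, 1 = nonsecure and secure,
#    2 = secure only). A client can then overwrite only records it owns, which is
#    what closes the name-hijacking hole.
dnscmd /Config $Zone /AllowUpdate 2

# 3. Aging and scavenging so stale registrations are removed rather than kept.
#    Intervals are in hours: no-refresh 7 days, refresh 7 days, scavenge weekly.
dnscmd /Config $Zone /Aging 1
dnscmd /Config $Zone /NoRefreshInterval 168
dnscmd /Config $Zone /RefreshInterval 168
dnscmd /Config /ScavengingInterval 168

# 4. Quotas on the partition: a default cap for every principal, plus an
#    explicit entry for Authenticated Users, who can create records by dynamic
#    update. ASSUMPTION: the -acct form used for the well-known principal.
dsmod partition $Partition -qdefault 50
dsadd quota -part $Partition -acct 'Authenticated Users' -qlimit 50 -desc 'Cap on dynamic DNS record creation'

# 5. DHCP: the default DHCP DNS setting ("only if requested by the client") already
#    lets the client register its own A record while DHCP registers the PTR.
#    When DHCP must register on behalf of clients, give it a dedicated
#    low-privilege account so the records are not owned by the DC's computer
#    account (MS KB 255134). Prompting avoids leaving the password in a script.
$cred = Get-Credential -Message 'DHCP service account for DNS updates'
$net  = $cred.GetNetworkCredential()
netsh dhcp server set dnscredentials $net.UserName $net.Domain $net.Password

# 6. Read the zone settings back to confirm AllowUpdate and aging took effect.
dnscmd /ZoneInfo $Zone
```

Run the dnscmd lines against each DNS server that hosts the zone only for the server-wide `/ScavengingInterval`; the zone-level settings are stored in the zone object and replicate with it.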
Trusts
- Consider operational security of other forest
- Consider Admin membership in other forest
- sIDHistory and SID filtering
Auditing
- See Best Practice Guide
- Audit changes to admin accounts, groups and other important objects
- Coming soon: Audit Collection Services (ACS)
Monitoring
- Monitor for any unexpected DC outages
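As an added example covering the Auditing and Monitoring slides (not code from the presentation), the following PowerShell script makes one monitoring pass over every domain controller: it checks that LDAP and Kerberos answer on each DC, then pulls the account-management events that record changes to admin groups and accounts from each DC's Security log. It assumes the ActiveDirectory module, remote read access to the Security logs, and that account-management auditing is enabled. The watched-group list and the 24-hour lookback are placeholders, and the event IDs are the Windows Server 2008+ numbers; Windows Server 2003 DCs, the platform the slides target, use different IDs for the same events and need their own mapping.

```powershell
# Added example, not from the presentation. Requires the ActiveDirectory module.
Import-Module ActiveDirectory

$WatchedGroups = @('Domain Admins', 'Enterprise Admins', 'Schema Admins',
                   'Administrators', 'Account Operators')       # placeholder list
$LookbackHours = 24                                             # placeholder window
$GroupEventIds = 4728, 4729, 4732, 4733, 4756, 4757   # member added/removed: global, local, universal
$AcctEventIds  = 4720, 4726, 4740                     # user created, user deleted, account locked out

$since = (Get-Date).AddHours(-$LookbackHours)

foreach ($dc in Get-ADDomainController -Filter *) {
    # 1. Outage check: a DC that does not answer LDAP (389) or Kerberos (88) is down
    #    for clients even if it pings.
    foreach ($port in 389, 88) {
        $probe = Test-NetConnection -ComputerName $dc.HostName -Port $port -WarningAction SilentlyContinue
        if (-not $probe.TcpTestSucceeded) {
            Write-Warning "$($dc.HostName): TCP port $port not reachable"
        }
    }

    # 2. Each DC logs only the changes it processed itself, so every DC must be read.
    $events = Get-WinEvent -ComputerName $dc.HostName -FilterHashtable @{
        LogName = 'Security'; Id = ($GroupEventIds + $AcctEventIds); StartTime = $since
    } -ErrorAction SilentlyContinue   # "no events found" is reported as an error; ignore it

    foreach ($e in $events) {
        # Pull the named fields out of the event XML instead of parsing the message text.
        $xml  = [xml]$e.ToXml()
        $data = @{}
        foreach ($d in $xml.Event.EventData.Data) { $data[$d.Name] = $d.'#text' }

        # For group events TargetUserName is the group; skip groups we do not watch.
        $target = $data['TargetUserName']
        if (($e.Id -in $GroupEventIds) -and ($target -notin $WatchedGroups)) { continue }

        [pscustomobject]@{
            Time    = $e.TimeCreated
            DC      = $dc.HostName
            EventId = $e.Id
            Actor   = "$($data['SubjectDomainName'])\$($data['SubjectUserName'])"
            Target  = $target
            Member  = $data['MemberName']   # DN of the added/removed member; empty for account events
        }
    }
}
```

Schedule the pass on the monitoring host and alert on any row whose Actor is not an expected administrator; a silent DC (no events and a failed port probe) is itself the outage signal the last slide asks for.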
Conclusion
- Securing AD is a big job
- Design dictates security
- Automate as much as possible
- Monitor, monitor, monitor
- Periodically test recovery scenarios
- Read up
Additional Resources
Best Practice Guide for Securing Active Directory Installations (Windows Server 2003)
Whitepaper - http://tinyurl.com/3c928
Best Practice Guide for Securing Active Directory Installations and Day-to-Day Operations (Windows 2000)
Whitepaper - http://tinyurl.com/3rk7b
Whitepaper - http://tinyurl.com/3gkyc
Q/A
Thank you for your time!
Email: rallen@cisco.com
Preso: http://www.rallenhome.com/