
Active Directory Security Best Practices

Robbie Allen
Cisco Systems
rallen@cisco.com
www.rallenhome.com

Agenda

What we are up against
AD security best practices
Preparing for the worst
Additional resources
Q/A

The First Law of Computer Security

There is no such thing as a secure computer.

Perhaps if the computer is:
  Unplugged
  In a locked room
  And has no disk drive

Corollary: There is no such thing as a secure computer network.
Corollary: Even if there were, you couldn't afford it.

AD Design with Security in Mind

Design dictates security

The "fewer the better" philosophy:
  Use forests to establish isolation boundaries (the forest, not the domain, is the security boundary)
  Use domains to establish replication, security policy, and management boundaries
  Use application partitions to establish customized replication boundaries
  Use OUs to establish policy and delegation boundaries

AD Functional Boundaries

The Empty Root Domain

Creates a framework for adding new domains without creating a separate namespace
Provides almost no additional security (domains within a forest are not a security boundary)
Tends not to be so empty over time
Increases support costs

Basic Attack Strategies

Social engineering
Escalation of privilege
Denial of service
Spoofing
Repudiation
Sniffing
Data access
Data modification

Some AD Attack Vectors

Admin groups
Admin accounts
LocalSystem account
Backups
ACLs
Group Policy
SIDHistory
Replication
Quotas
FSMOs
Global catalogs
DNS
DHCP
Terminal services
Physical server
Hard drives

Best Practices

Administrators

Rename the default Administrator account
Create separate admin and user accounts
Store admin accounts in a separate OU
Establish secure admin workstations
Limit access to the Administrator account password
  Change the password frequently and make it random (don't forget the DSRM password)
Have a process to quickly disable/delete admin accounts

Domain Controllers

Ensure physical security
Automate the build process
Build DCs in a controlled environment
Create a reserve disk space file (a large placeholder file on the database volume that you can delete to regain room if an object flood fills the disk)
Disable all unnecessary services
Run virus scanning software (with the NTDS database and log files excluded from scanning, per Microsoft's guidance)

Group Memberships

Limit membership of admin groups
Set ACLs on groups so that only admins can modify admin groups
Create separate OUs to store admin groups
Remove everyone from the Schema Admins group
  Add accounts only when a schema change is needed, then remove them again
Audit changes to admin groups

Delegation

Keep it simple (KISS)
Create a role-based model
Don't assign permissions to individual accounts
Don't assign permissions on individual objects
Document your delegation model
Get familiar with dsrevoke.exe (reports the permissions a user or group holds on the OUs of a domain and can remove them; useful for cleaning up delegation you no longer want)

DNS

Use AD-integrated zones
  Enable secure dynamic updates to prevent name hijacking
  Use application partitions in W2K3 to decrease replication
  Enable scavenging to remove stale records

Use forwarders or stub zones instead of secondaries
  Eliminate text-based zone files and zone transfers

Create a split DNS namespace
  Hide the internal namespace from the Internet
  AD's SRV and other resource records reveal a lot of infrastructure information (DC names, sites, GCs)

Use quotas to restrict the number of records Authenticated Users can create (quotas apply per directory partition, so set them on the DNS application partitions)
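The quota rule that makes the last bullet work is not obvious from the slide, so here is a model of it in Python. This is an added example, not code from the original deck: it follows the documented Active Directory quota semantics (effective quota is the largest quota assigned to any SID in the principal's token, the partition default applies otherwise, tombstones count at msDS-TombstoneQuotaFactor percent, and Domain Admins/Enterprise Admins are exempt). The SIDs, group, partition DN and object counts are constructed sample data, and the rounding of the tombstone weight is this model's own choice.

```python
"""Model of how Active Directory evaluates object-creation quotas.

Added example, not code from the original slides. It follows the documented
quota rules for Windows Server 2003 and later:
  - quotas are assigned per directory partition to security principals
    (users or groups); a principal's effective quota is the largest quota
    assigned to any SID in its token;
  - a principal with no assigned quota gets the partition's msDS-DefaultQuota
    (-1 means unlimited);
  - tombstoned objects still owned by the principal count against the quota,
    weighted by msDS-TombstoneQuotaFactor (a percentage, default 100);
  - members of Domain Admins and Enterprise Admins are exempt.
SIDs, group names, partition DN and object counts are constructed sample
data; rounding of the tombstone weight is this model's choice.
"""
from __future__ import annotations

from dataclasses import dataclass, field, replace

UNLIMITED = -1
AUTHENTICATED_USERS = "S-1-5-11"
EXEMPT_RIDS = ("-512", "-519")            # Domain Admins, Enterprise Admins

# Constructed SIDs for the demo
DOMAIN = "S-1-5-21-1000-2000-3000"
USER_SID = f"{DOMAIN}-1105"                # ordinary user
DNSADMIN_SID = f"{DOMAIN}-1106"            # member of the DNS admin group below
DNS_ADMINS_GROUP = f"{DOMAIN}-1101"
DA_USER_SID = f"{DOMAIN}-1107"             # a user who is a Domain Admin
DOMAIN_ADMINS_GROUP = f"{DOMAIN}-512"


@dataclass
class Partition:
    dn: str
    default_quota: int = UNLIMITED                          # msDS-DefaultQuota
    tombstone_quota_factor: int = 100                       # msDS-TombstoneQuotaFactor
    quotas: dict[str, int] = field(default_factory=dict)    # SID -> limit


@dataclass
class DirObject:
    owner_sid: str
    tombstoned: bool = False


def is_exempt(token_sids: list[str]) -> bool:
    """Domain Admins and Enterprise Admins are never subject to quotas."""
    return any(s.endswith(EXEMPT_RIDS) for s in token_sids)


def effective_quota(part: Partition, token_sids: list[str]) -> int:
    """Largest quota assigned to any SID in the token; the default if none."""
    assigned = [part.quotas[s] for s in token_sids if s in part.quotas]
    if not assigned:
        return part.default_quota
    return UNLIMITED if UNLIMITED in assigned else max(assigned)


def quota_usage(part: Partition, objects: list[DirObject], owner_sid: str) -> int:
    """Live objects count 1 each; tombstones count at the configured percentage."""
    live = sum(1 for o in objects if o.owner_sid == owner_sid and not o.tombstoned)
    dead = sum(1 for o in objects if o.owner_sid == owner_sid and o.tombstoned)
    return live + (dead * part.tombstone_quota_factor) // 100


def can_create(part: Partition, objects: list[DirObject], owner_sid: str, token_sids: list[str]) -> bool:
    if is_exempt(token_sids):
        return True
    limit = effective_quota(part, token_sids)
    return limit == UNLIMITED or quota_usage(part, objects, owner_sid) < limit


def build_sample():
    """DNS application partition with a 20-record cap for everyone and a higher one for DNS admins."""
    part = Partition(
        dn="DC=DomainDnsZones,DC=corp,DC=example",
        quotas={AUTHENTICATED_USERS: 20, DNS_ADMINS_GROUP: 500},
    )
    objects = [DirObject(USER_SID) for _ in range(19)]                     # 19 live records
    objects += [DirObject(USER_SID, tombstoned=True) for _ in range(2)]    # 2 deleted, still tombstoned
    objects += [DirObject(DNSADMIN_SID) for _ in range(40)]
    return part, objects


def demo() -> dict:
    part, objects = build_sample()
    user_token = [USER_SID, AUTHENTICATED_USERS]
    dnsadmin_token = [DNSADMIN_SID, AUTHENTICATED_USERS, DNS_ADMINS_GROUP]
    da_token = [DA_USER_SID, AUTHENTICATED_USERS, DOMAIN_ADMINS_GROUP]
    tombstones_ignored = replace(part, tombstone_quota_factor=0)
    return {
        "user_quota": effective_quota(part, user_token),
        "user_usage": quota_usage(part, objects, USER_SID),
        "user_can_create": can_create(part, objects, USER_SID, user_token),
        "user_can_create_if_tombstones_ignored": can_create(tombstones_ignored, objects, USER_SID, user_token),
        "dnsadmin_quota": effective_quota(part, dnsadmin_token),
        "dnsadmin_can_create": can_create(part, objects, DNSADMIN_SID, dnsadmin_token),
        "domain_admin_can_create": can_create(part, objects, DA_USER_SID, da_token),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

The point the model makes visible: the ordinary user is blocked at 19 live records because two deleted records still count as tombstones, so a quota on Authenticated Users caps flooding even when the attacker deletes and re-creates; a member of a higher-quota group gets the larger limit, and a Domain Admin is never limited, which is one more reason to keep that group small.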

DHCP

Avoid the name hijacking problem: records that the DHCP service registers on behalf of clients are owned by the account the service runs as, and when that service runs on a DC its account can overwrite any record in the zone. Configure so that:
  The client updates its own A record
  The DHCP service updates the PTR record
  If necessary, use a dedicated service account for the DHCP server's dynamic updates
  See MS KB 255134 - http://tinyurl.com/5ek6n

Don't run DHCP on a DC


Trusts

Consider the operational security of the other forest
Consider admin membership in the other forest
Understand sIDHistory and SID filtering: without SID filtering, an admin in the trusted forest can add SIDs from your forest to sIDHistory and gain the matching access
  Use netdom to enable SID filtering (quarantine) on the trust
  Caveat: SID filtering also blocks legitimate sIDHistory-based access left over from migrations

Backup and Restore

Secure backup handling and storage
Document the backup lifecycle
Treat backup admins as service admins (a backup of the directory is the directory)
Periodically test the restore process
  Perform object, tree, and forest authoritative restores

Auditing

See the Best Practice Guide
Audit changes to admin accounts, groups, and other important objects
Coming soon: Audit Collection Services (ACS)
  Provides consolidation of audit logs
  Populates a SQL Server or MSDE database
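The "audit changes to admin groups" advice from the Group Memberships and Auditing slides, turned into detection logic as an added example (not code from the original deck): the script reads a constructed tab-separated export of security-log events, raises an alert for every membership change to a protected group, rates it by whether Schema Admins was touched and whether the change came from a separate admin account, and pairs additions with quick removals of the same member. The event IDs are the real Windows member-added/removed IDs; the group list, account names and the "-adm" admin-account naming convention are assumptions for the demo.

```python
"""Flag changes to Active Directory admin groups in an audit-log export.

Added example, not code from the original slides. Input is a constructed,
tab-separated export of security-log events with the columns
    time  event_id  group  member  actor
The event IDs are the real "member added/removed, security-enabled group"
events: 632/633 (global), 636/637 (local) and 660/661 (universal) on
Windows 2000/2003; Vista and later use the same numbers plus 4096
(4728/4729, 4732/4733, 4756/4757). The group list, the account names and the
"-adm" naming convention for separate admin accounts are assumptions for
the demo.
"""
from collections import namedtuple
from datetime import datetime

ADDED = {632, 636, 660, 4728, 4732, 4756}
REMOVED = {633, 637, 661, 4729, 4733, 4757}
PROTECTED_GROUPS = {
    "Administrators", "Domain Admins", "Enterprise Admins", "Schema Admins",
    "Account Operators", "Backup Operators", "Server Operators", "DnsAdmins",
}
MUST_BE_EMPTY = {"Schema Admins"}       # the slides say: keep it empty
ADMIN_ACCOUNT_SUFFIX = "-adm"           # assumed convention for admin accounts

Event = namedtuple("Event", "time event_id group member actor")
Alert = namedtuple("Alert", "severity reason event")


def parse_export(text):
    events = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split("\t")
        if len(fields) != 5:
            raise ValueError(f"malformed line: {raw!r}")
        time, event_id, group, member, actor = fields
        events.append(Event(time, int(event_id), group, member, actor))
    return events


def classify(events):
    """One alert per membership change to a protected group."""
    alerts = []
    for ev in events:
        if ev.event_id not in (ADDED | REMOVED) or ev.group not in PROTECTED_GROUPS:
            continue
        action = "added to" if ev.event_id in ADDED else "removed from"
        if ev.group in MUST_BE_EMPTY and ev.event_id in ADDED:
            severity, why = "critical", "group should stay empty"
        elif not ev.actor.lower().endswith(ADMIN_ACCOUNT_SUFFIX):
            severity, why = "high", "change made from a non-admin account"
        else:
            severity, why = "medium", "review against change records"
        alerts.append(Alert(severity, f"{ev.member} {action} {ev.group} by {ev.actor}: {why}", ev))
    return alerts


def transient_memberships(events, max_seconds=3600):
    """Additions undone by a removal of the same member shortly afterwards:
    a typical trace of someone granting themselves rights and then hiding it."""
    pending, found = {}, []
    for ev in sorted(events, key=lambda e: e.time):
        if ev.group not in PROTECTED_GROUPS:
            continue
        key = (ev.group, ev.member)
        if ev.event_id in ADDED:
            pending[key] = ev
        elif ev.event_id in REMOVED and key in pending:
            added = pending.pop(key)
            delta = (_ts(ev.time) - _ts(added.time)).total_seconds()
            if delta <= max_seconds:
                found.append((added, ev, delta))
    return found


def _ts(s):
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ")


# Constructed sample export; "\t" separates the columns.
SAMPLE_EXPORT = """\
# time\tevent_id\tgroup\tmember\tactor
2004-10-05T02:13:44Z\t4728\tDomain Admins\tCORP\\jdoe\tCORP\\rallen-adm
2004-10-05T02:41:10Z\t4756\tSchema Admins\tCORP\\svc-backup\tCORP\\bob-adm
2004-10-05T03:02:01Z\t632\tDomain Admins\tCORP\\mallory\tCORP\\mallory
2004-10-05T03:09:55Z\t633\tDomain Admins\tCORP\\mallory\tCORP\\mallory
2004-10-05T03:15:00Z\t4728\tHelp Desk\tCORP\\alice\tCORP\\rallen-adm
"""


def demo():
    events = parse_export(SAMPLE_EXPORT)
    return classify(events), transient_memberships(events)


if __name__ == "__main__":
    alerts, transients = demo()
    for a in alerts:
        print(f"[{a.severity}] {a.reason}")
    for added, removed, secs in transients:
        print(f"[transient] {added.member} in {added.group} for {secs:.0f}s "
              f"({added.time} to {removed.time})")
```

The transient check matters because an add followed by a remove leaves the group looking unchanged to anyone who only inspects current membership; only the audit trail shows the eight minutes in which the account held Domain Admin rights.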

Monitoring

Monitor for any unexpected DC outages
  Can indicate an attack

Monitor disk space use and object growth
  Can indicate a replicating DoS attack (object flooding)

Monitor LDAP and DNS traffic
  Can indicate a DoS attack

Keep an eye on new DC/GC promotions
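One way to turn the first two monitoring bullets into a check, as an added example that is not part of the original deck: given periodic per-DC snapshots from a collector (assumed; not shown), it flags an object growth rate far above each DC's own recent baseline, treats the same jump on several DCs as a replicating flood, warns when the database volume is short of space, and reports a DC whose snapshots have stopped. All snapshot values are constructed sample data; the thresholds are starting points, not measured figures.

```python
"""Spot object flooding and silent DCs from periodic per-DC snapshots.

Added example, not code from the original slides. It assumes a collector
(not shown) that records, for each domain controller, the number of objects
in the domain partition and the free/total size of the volume holding the
directory database. The check flags:
  - an object growth rate far above the DC's own recent baseline; when the
    same jump appears on several DCs at once, the flood is replicating and
    therefore lives in the directory, not on one box;
  - a database volume running short of space;
  - a DC whose snapshots have stopped arriving (a possible outage).
All snapshot values below are constructed sample data.
"""
from collections import defaultdict, namedtuple
from datetime import datetime, timedelta
from statistics import median

Snapshot = namedtuple("Snapshot", "time dc objects vol_free_bytes vol_total_bytes")
Alert = namedtuple("Alert", "kind dc detail")
GiB = 2 ** 30


def _ts(s):
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ")


def growth_rates(snaps):
    """(time, objects per hour) for each pair of consecutive snapshots of one DC."""
    snaps = sorted(snaps, key=lambda s: s.time)
    rates = []
    for a, b in zip(snaps, snaps[1:]):
        hours = (_ts(b.time) - _ts(a.time)).total_seconds() / 3600.0
        rates.append((b.time, (b.objects - a.objects) / hours))
    return rates


def check(snapshots, growth_factor=10.0, min_rate=1000.0, min_free_pct=10.0,
          max_silence=timedelta(minutes=30)):
    by_dc = defaultdict(list)
    for s in snapshots:
        by_dc[s.dc].append(s)
    newest = max(_ts(s.time) for s in snapshots)
    alerts, flooding = [], []
    for dc, snaps in sorted(by_dc.items()):
        snaps.sort(key=lambda s: s.time)
        last = snaps[-1]
        if newest - _ts(last.time) > max_silence:
            alerts.append(Alert("dc_silent", dc, f"no snapshot since {last.time}"))
            continue                      # nothing fresh to judge
        free_pct = 100.0 * last.vol_free_bytes / last.vol_total_bytes
        if free_pct < min_free_pct:
            alerts.append(Alert("low_disk", dc, f"{free_pct:.1f}% free on the database volume"))
        rates = growth_rates(snaps)
        if len(rates) >= 3:
            baseline = median(r for _, r in rates[:-1])    # the DC's own recent history
            when, current = rates[-1]
            if current >= min_rate and current > growth_factor * max(baseline, 1.0):
                flooding.append(dc)
                alerts.append(Alert("object_flood", dc,
                                    f"{current:.0f} objects/hour at {when}, baseline {baseline:.0f}"))
    if len(flooding) > 1:
        alerts.append(Alert("replicated_flood", ",".join(flooding),
                            "same growth on several DCs: the flood is replicating through the directory"))
    return alerts


def _series(dc, counts, free_gib, total_gib=20):
    """Build 15-minute snapshots starting at 01:00 for one DC (constructed data)."""
    start = datetime(2004, 10, 5, 1, 0, 0)
    return [
        Snapshot((start + timedelta(minutes=15 * i)).strftime("%Y-%m-%dT%H:%M:%SZ"),
                 dc, n, free_gib * GiB, total_gib * GiB)
        for i, n in enumerate(counts)
    ]


SAMPLE = (
    _series("dc1.corp.example", [50000, 50012, 50020, 50030, 61030], free_gib=1)   # flood, disk nearly full
    + _series("dc2.corp.example", [50000, 50012], free_gib=8)                       # stops reporting at 01:15
    + _series("dc3.corp.example", [50000, 50012, 50020, 50030, 59030], free_gib=8)  # same flood, replicated
)


def demo():
    return check(SAMPLE)


if __name__ == "__main__":
    for a in demo():
        print(f"[{a.kind}] {a.dc}: {a.detail}")
```

Comparing each DC against its own baseline rather than a fixed number keeps the check usable across differently sized domains; the cross-DC correlation is what distinguishes a flood that has entered the directory (and will fill every DC's disk as it replicates) from a single misbehaving box.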

Prepare for the Worst

Form a response plan to handle:
  Object flooding
  Rogue administrator
  Physical breach
  Forest/data corruption

Document recovery scenarios
  See the Forest Recovery whitepaper

Periodically perform a forest recovery to test the process, backups, etc.

Conclusion

Securing AD is a big job
Design dictates security
Automate as much as possible
Monitor, monitor, monitor
Periodically test recovery scenarios
Read up

Additional Resources

Best Practice Guide for Securing Active Directory Installations (Windows Server 2003)
  Whitepaper - http://tinyurl.com/3c928

Best Practice Guide for Securing Active Directory Installations and Day-to-Day Operations (Windows 2000)
  Part I - http://tinyurl.com/4etnu
  Part II - http://tinyurl.com/5zcan

Best Practices for Delegating Active Directory Administration
  Whitepaper - http://tinyurl.com/vzlg
  Appendices - http://tinyurl.com/wcwn

Additional Resources (cont'd)

Securing Windows 2000 Active Directory
  Part 1 - http://tinyurl.com/4jf5p
  Part 2 - http://tinyurl.com/5yyk9
  Part 3 - http://tinyurl.com/2j5ga

Best Practices: Active Directory Forest Recovery
  Whitepaper - http://tinyurl.com/3rk7b

Active Directory in Networks Segmented by Firewalls
  Whitepaper - http://tinyurl.com/3gkyc

Q/A

Thank you for your time!
Email: rallen@cisco.com
Preso: http://www.rallenhome.com/
