Secure your Active Directory Environment

PowerPoint PPT Presentation

Secure your Active Directory Environment

Juan Martinez

Information Security Consultant

International Network Services

Agenda

  • Active Directory design issues
  • Trust Relationships
  • Schema Protection
  • Firewall Considerations
  • Protecting Service Management
  • Group Policy Architecture
  • System Hardening
Security Boundaries
  • Forest – security boundary
  • Domain – boundaries for administration
  • Why is the forest the security boundary?
    • Forest-level service management
    • Implicit transitive trusts between all domains in a forest.
Domain Trust Vulnerability
  • User’s authorization data contains SIDs
  • Trusting domain doesn’t verify SIDs
  • Solution: SID Filtering
Design Implications
  • You can’t delete trusts between domains in a forest
  • You can’t implement SID Filtering between domains in a forest
  • Well… You can, but it will break stuff
  • So… a domain can’t be considered a security boundary
  • All Domain Admins must be trusted
DMZ Considerations
  • Preferred: no AD systems in the DMZ
  • Extranet considerations
    • Separate forest to provide isolation
    • Administrators that span forests should have separate accounts for each
Restricting Trust Relationships
  • SID Filtering
    • Enabled by default for external or forest trusts
  • Limit Trust
    • TopLevelExclusion record (top-level name exclusions on a forest trust)
  • Selective Authentication vs. Forest-wide Authentication
    • Selective authentication – restricts the “Allowed to Authenticate” permission
    • Use carefully
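As an added example (not code from the presentation), the following PowerShell audits the trusts of the current domain against the controls on this slide: SID filtering on external trusts, relaxed filtering on forest trusts, and selective versus forest-wide authentication. It decodes the raw trustAttributes bit flags documented in MS-ADTS so the logic is explicit; the domain names and the netdom remediation lines in the comments are assumptions for illustration, and the ActiveDirectory RSAT module is required.

```powershell
# Added example (not from the presentation): audit the current domain's trusts
# for SID filtering and selective authentication. Requires the ActiveDirectory module.
Import-Module ActiveDirectory

# trustAttributes bit flags as documented in MS-ADTS
$TA_QUARANTINED_DOMAIN = 0x04   # SID filtering ("quarantine") enabled on an external trust
$TA_FOREST_TRANSITIVE  = 0x08   # forest trust
$TA_CROSS_ORGANIZATION = 0x10   # selective authentication in use
$TA_WITHIN_FOREST      = 0x20   # intra-forest trust: implicit, cannot be removed or filtered
$TA_TREAT_AS_EXTERNAL  = 0x40   # forest trust treated as external for SID filtering (relaxed)

function Get-TrustFinding {
    # Returns the list of weaknesses for one trust, given its raw trustAttributes value.
    param([Parameter(Mandatory)][int]$TrustAttributes)
    $findings = New-Object System.Collections.Generic.List[string]

    if ($TrustAttributes -band $TA_WITHIN_FOREST) {
        # Slide "Design Implications": nothing to tune here; the domain is not a boundary.
        $findings.Add('intra-forest trust: implicit and transitive, cannot be removed or SID-filtered')
        return ,$findings
    }
    if ($TrustAttributes -band $TA_FOREST_TRANSITIVE) {
        if ($TrustAttributes -band $TA_TREAT_AS_EXTERNAL) {
            $findings.Add('forest trust: SID filtering relaxed (treated as external, SID history allowed)')
        }
    }
    elseif (-not ($TrustAttributes -band $TA_QUARANTINED_DOMAIN)) {
        $findings.Add('external trust: SID filtering (quarantine) is OFF')
    }
    if (-not ($TrustAttributes -band $TA_CROSS_ORGANIZATION)) {
        $findings.Add('forest-wide authentication: every trusted user may authenticate; consider selective authentication')
    }
    return ,$findings
}

function Get-TrustAuditReport {
    # Live audit of every trust object in the current domain.
    foreach ($trust in Get-ADTrust -Filter *) {
        [pscustomobject]@{
            Trust     = $trust.Name
            Direction = $trust.Direction
            Findings  = (Get-TrustFinding -TrustAttributes $trust.TrustAttributes) -join '; '
        }
    }
}

# Constructed values for a dry run without a domain:
# an external trust with no quarantine and forest-wide authentication ...
Get-TrustFinding -TrustAttributes 0x00
# ... and a forest trust that already has quarantine and selective authentication set.
Get-TrustFinding -TrustAttributes (0x08 -bor 0x04 -bor 0x10)

# Remediation, run from the trusting domain (assumed names; /passwordD:* prompts for the password):
#   netdom trust corp.example /domain:partner.example /quarantine:Yes /userD:partner\admin /passwordD:*
#   netdom trust corp.example /domain:partner.example /selectiveauth:Yes /userD:partner\admin /passwordD:*
```

Selective authentication only restricts who may authenticate; after enabling it, the “Allowed to Authenticate” permission still has to be granted on each resource computer, which is why the slide says to use it carefully.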
Soft Controls
  • Protecting the AD Schema is more about following sound security practices than technical solutions
  • Policy
  • Guidelines
  • Configuration Management
  • Roles / responsibilities
Schema Policy
  • Ownership
    • Management of schema naming prefix
    • Delegating OIDs
    • Configuration Management
      • Define evaluation criteria for proposed schema extensions
      • Provide final approval/disapproval
    • Maintenance and documentation
Soft Controls
  • Guidelines
    • Configuration management evaluation criteria
    • OID Maintenance
    • Documentation
    • Splitting application deployment
    • Schema testing guidelines
  • Access Control
    • Most important – protect Schema Admins group!
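The two Soft Controls slides and the Schema Policy slide come down to access control on Schema Admins plus configuration management of extensions. As an added example (not code from the presentation), this PowerShell checks that Schema Admins is empty outside an approved change window and records a schema baseline that the documentation step can diff against. The approved-member list and the account name in the comments are assumptions; the ActiveDirectory RSAT module and read rights in the forest root domain are required.

```powershell
# Added example (not from the presentation): enforce "keep Schema Admins empty"
# and capture a schema baseline for configuration management.
Import-Module ActiveDirectory

function Get-SchemaAdminsStatus {
    # $ApprovedMembers: SamAccountNames allowed during an approved change window (assumption: normally empty).
    param([string[]]$ApprovedMembers = @())
    $forest = Get-ADForest
    # Schema Admins exists only in the forest root domain, so query a root-domain DC explicitly.
    $members    = @(Get-ADGroupMember -Identity 'Schema Admins' -Server $forest.RootDomain -Recursive)
    $unexpected = @($members | Where-Object { $ApprovedMembers -notcontains $_.SamAccountName })
    [pscustomobject]@{
        Forest       = $forest.Name
        SchemaMaster = $forest.SchemaMaster      # the only DC that accepts schema writes
        Members      = @($members    | ForEach-Object { $_.SamAccountName })
        Unexpected   = @($unexpected | ForEach-Object { $_.SamAccountName })
        Compliant    = ($unexpected.Count -eq 0)
    }
}

function Get-SchemaVersionRecord {
    # objectVersion on the schema head tracks Microsoft's own schema upgrades; custom extensions
    # add classSchema/attributeSchema objects instead, so the object counts are recorded too.
    $rootDse    = Get-ADRootDSE
    $schemaHead = Get-ADObject -Identity $rootDse.schemaNamingContext -Properties objectVersion, whenChanged
    [pscustomobject]@{
        SchemaNC       = $rootDse.schemaNamingContext
        ObjectVersion  = $schemaHead.objectVersion
        LastChanged    = $schemaHead.whenChanged
        ClassCount     = @(Get-ADObject -SearchBase $rootDse.schemaNamingContext -LDAPFilter '(objectClass=classSchema)').Count
        AttributeCount = @(Get-ADObject -SearchBase $rootDse.schemaNamingContext -LDAPFilter '(objectClass=attributeSchema)').Count
    }
}

# Time-boxed membership for an approved extension (assumed account name 'schema-svc'):
#   Add-ADGroupMember    -Identity 'Schema Admins' -Members 'schema-svc' -Server (Get-ADForest).RootDomain
#   ... apply and verify the extension against the schema master ...
#   Remove-ADGroupMember -Identity 'Schema Admins' -Members 'schema-svc' -Server (Get-ADForest).RootDomain -Confirm:$false

Get-SchemaAdminsStatus  | Format-List
Get-SchemaVersionRecord | Format-List
```

Running the baseline record before and after an extension, and keeping both with the extension's documentation, gives the configuration-management step a concrete artifact to review instead of a claim that “nothing else changed.”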
Firewall Considerations
  • Firewall the Root domain?
    • No real security gained, just added complexity
  • Firewall the Schema Master?
  • When a firewall exists between Active Directory systems
    • Use IPsec tunnels
Stronger Password Policies
  • Policy: stronger password requirements for “elevated privilege” accounts
  • Two options:
    • Custom password complexity requirements
    • Store all service management accounts in the forest root domain
  • Controlled OU structure in the forest root domain
  • Several issues with the separate-domain model for service management accounts
    • A custom Domain Admin-type group requires Domain Admin-level permissions
      • Can’t add it directly to the Domain Admins group
    • Procedures must be followed closely
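As an added example (not code from the presentation), this PowerShell applies the “stronger requirements for elevated accounts” policy with a fine-grained password policy (PSO) rather than a custom complexity filter or a separate domain. This assumes a domain functional level of Windows Server 2008 or later, which fine-grained password policies require; the policy name, values and target groups are illustrative, and the ActiveDirectory RSAT module is required.

```powershell
# Added example (not from the presentation): fine-grained password policy for
# elevated accounts. Assumes DFL >= Windows Server 2008 and that the groups exist.
Import-Module ActiveDirectory

function New-ElevatedAccountPasswordPolicy {
    param(
        [string]$Name = 'PSO-ServiceManagement',                                   # assumed name
        [string[]]$Subjects = @('Domain Admins', 'Enterprise Admins', 'Schema Admins'),
        [int]$MinLength = 20
    )
    $params = @{
        Name                        = $Name
        Precedence                  = 10          # lowest precedence number wins when several PSOs apply
        ComplexityEnabled           = $true
        MinPasswordLength           = $MinLength
        PasswordHistoryCount        = 24
        MinPasswordAge              = New-TimeSpan -Days 1
        MaxPasswordAge              = New-TimeSpan -Days 60
        LockoutThreshold            = 5
        LockoutObservationWindow    = New-TimeSpan -Minutes 30
        LockoutDuration             = New-TimeSpan -Minutes 30
        ReversibleEncryptionEnabled = $false
        PassThru                    = $true
    }
    $pso = New-ADFineGrainedPasswordPolicy @params
    # Bind the PSO to the groups; members inherit it even though the default domain policy is weaker.
    Add-ADFineGrainedPasswordPolicySubject -Identity $pso -Subjects $Subjects
    return $pso
}

function Test-ElevatedAccountPolicy {
    # Verifies that the resultant policy for one account meets the required minimum length.
    param(
        [Parameter(Mandatory)][string]$SamAccountName,
        [int]$ExpectedMinLength = 20
    )
    $rpp = Get-ADUserResultantPasswordPolicy -Identity $SamAccountName
    if ($null -eq $rpp) { return $false }   # no PSO applies; the weaker default domain policy is in effect
    return ($rpp.MinPasswordLength -ge $ExpectedMinLength)
}

# Usage (assumed account name):
#   New-ElevatedAccountPasswordPolicy | Format-List
#   Test-ElevatedAccountPolicy -SamAccountName 'da-jmartinez'
```

Because the PSO is attached to groups, it follows the account model the slides prefer: service management accounts stay in a controlled OU, and adding an account to one of the privileged groups is what tightens its password requirements. The verification function is the check to run after each membership change.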
Best Practices
  • Restrict membership to within forest
  • Separate accounts
  • Cached credentials
  • Default service management accounts
    • Don’t use Account Operators, Server Operators
The Problem
  • How do I enforce enterprise-wide security policies?
  • Problem
    • Domains are boundaries for Group Policy
  • Possible solutions
    • Site-level GPOs
    • Non-technical solutions
  • Site-level GPOs are UGLY!!!
    • Replication issues
    • Performance issues
    • Issues with placement of ROOT DCs
    • Does not apply to Password policies
  • Non-technical solutions can be just as effective
Group Policy Best Practices
  • Local Group Policy vs. Domain Group Policy
  • Use synchronous mode
  • Security Policy Processing
    • Process even if the Group Policy objects have not changed
  • Explore capabilities
    • Extend group policy
  • Minimize use of “block policy inheritance” and “Enforce” options
  • Limit number of GPOs
  • Link GPOs as closely as possible
  • Disable user/computer configuration when possible
  • Avoid cross domain linking of GPOs
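As an added example (not code from the presentation), this PowerShell turns the last five practices on the slide into a report: blocked inheritance, enforced links, cross-domain links, containers with many linked GPOs, and GPOs whose user or computer section is enabled but empty. The “empty section” test uses the section's DSVersion being zero, which is a heuristic, and the link-count threshold is an assumption; the GroupPolicy and ActiveDirectory RSAT modules are required.

```powershell
# Added example (not from the presentation): Group Policy hygiene report.
# Requires the GroupPolicy and ActiveDirectory modules and read access to GPOs.
Import-Module GroupPolicy
Import-Module ActiveDirectory

function Get-GpoHygieneReport {
    param(
        [string]$Domain = (Get-ADDomain).DNSRoot,
        [int]$MaxLinksPerContainer = 5          # threshold is an assumption, tune for your forest
    )
    $report = New-Object System.Collections.Generic.List[object]
    function Add-Finding($Kind, $Target, $Detail) {
        $report.Add([pscustomobject]@{ Kind = $Kind; Target = $Target; Detail = $Detail })
    }

    # 1. "Disable user/computer configuration when possible": a section that is enabled but has
    #    never been versioned (DSVersion 0) still costs processing time on every client.
    foreach ($gpo in Get-GPO -All -Domain $Domain) {
        $status = $gpo.GpoStatus.ToString()
        $userOn     = ($status -eq 'AllSettingsEnabled' -or $status -eq 'ComputerSettingsDisabled')
        $computerOn = ($status -eq 'AllSettingsEnabled' -or $status -eq 'UserSettingsDisabled')
        if ($userOn -and $gpo.User.DSVersion -eq 0) {
            Add-Finding 'EmptyUserSection' $gpo.DisplayName 'user configuration enabled but empty'
        }
        if ($computerOn -and $gpo.Computer.DSVersion -eq 0) {
            Add-Finding 'EmptyComputerSection' $gpo.DisplayName 'computer configuration enabled but empty'
        }
    }

    # 2. Per container: blocked inheritance, enforced links, cross-domain links, link count.
    $containers  = @((Get-ADDomain -Identity $Domain).DistinguishedName)
    $containers += Get-ADOrganizationalUnit -Filter * -Server $Domain | ForEach-Object { $_.DistinguishedName }
    foreach ($dn in $containers) {
        $inh = Get-GPInheritance -Target $dn -Domain $Domain
        if ($inh.GpoInheritanceBlocked) { Add-Finding 'BlockInheritance' $dn 'inheritance blocked' }
        foreach ($link in $inh.GpoLinks) {
            if ($link.Enforced) { Add-Finding 'Enforced' $dn $link.DisplayName }
            if ($link.GpoDomainName -and $link.GpoDomainName -ne $Domain) {
                Add-Finding 'CrossDomainLink' $dn "$($link.DisplayName) from $($link.GpoDomainName)"
            }
        }
        $count = @($inh.GpoLinks).Count
        if ($count -gt $MaxLinksPerContainer) { Add-Finding 'ManyLinks' $dn "$count GPOs linked" }
    }
    return $report
}

Get-GpoHygieneReport | Sort-Object Kind, Target | Format-Table -AutoSize
```

Each finding maps to one slide rule, so the report doubles as the exception list: an enforced or cross-domain link that survives review should have a documented reason, and the rest are candidates to consolidate or relink closer to the objects they target.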
Adopt a Baseline/Guideline
Hardening Guideline Components
  • Preliminary Security Measures (done offline)
    • BIOS-level protection
    • AV
    • Physical security
    • Patch
    • Verify software, shares, users
    • Patches
  • Apply group policy
    • Automatic OU placement (netdom)
  • Manual hardening procedures
    • DS restore mode password
  • Verify functionality and security
  • Back out procedures
  • Known vulnerabilities register
Domain Controllers and DHCP
  • Don’t run DHCP on Domain Controllers if you’re using dynamic updates (DNSUpdateProxy group issue)


Juan Martinez – [email protected]