
Module 10 Improving the Security of Authentication in an AD DS Domain


Presentation Transcript


  1. Module 10 Improving the Security of Authentication in an AD DS Domain

  2. Module Overview
     • Configure Password and Lockout Policies
     • Audit Authentication
     • Configure Read-Only Domain Controllers

  3. Lesson 1: Configure Password and Lockout Policies
     • Understand Password Policies
     • Understand Account Lockout Policies
     • Configure the Domain Password and Lockout Policy
     • Demonstration: Configure Domain Account Policies
     • Fine-Grained Password and Lockout Policy
     • Understand Password Settings Objects
     • Demonstration: Configure Fine-Grained Password Policy
     • PSO Precedence and Resultant PSO

  4. Understand Password Policies
     • Implemented via the Default Domain GPO
     • Determine password requirements for the whole domain
     • Password policies consist of:
       • Enforce password history: 24 passwords
       • Maximum password age: 42 days
       • Minimum password age: 1 day
       • Minimum password length: 7 characters
       • Password must meet complexity requirements: Enabled
       • Store password using reversible encryption: Disabled

  5. Understand Account Lockout Policies
     • Helps mitigate the threat of brute-force attacks on user accounts
     • Account lockout policies consist of:
       • Account lockout duration: Not defined
       • Account lockout threshold: 0 invalid logon attempts
       • Reset account lockout counter after: Not defined
     • Unlock
       • A user who is locked out can be unlocked by an administrator
       • The Reset account lockout policy can specify a "timeout" period after which the account is automatically unlocked

  6. Configure the Domain Password and Lockout Policy
     • Domain password policies are defined by the highest-precedence GPO applied to the domain controllers
       • Default Domain Policy GPO
     • Best practices
       • Modify the settings in the Default Domain GPO for password, lockout, and Kerberos policies
       • Do not use the Default Domain GPO to deploy any other policy settings
       • Do not define password, lockout, or Kerberos settings for the domain in any other GPO
     • Policy settings are overridden by options set on the user account
       • Password never expires
       • Store passwords using reversible encryption
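An added example, not part of the course deck, showing how the domain policy on slides 4 to 6 looks from the ActiveDirectory PowerShell module: it reads the current domain policy, flags the settings that weaken it (a lockout threshold of 0 and reversible encryption), applies the slide-4 values plus a lockout policy, and lists the accounts whose per-user options override the domain policy. The domain name comes from the lab scenario; the lockout values (5 attempts, 30 minutes) are assumptions.

```powershell
# Added example, not part of the course deck: read the current domain password and
# lockout policy, flag settings that weaken it, apply the slide's values plus a
# lockout threshold, and list accounts whose flags override the policy.
# Requires the ActiveDirectory module (Windows Server 2008 R2 / RSAT).
Import-Module ActiveDirectory

$domain = 'contoso.com'   # domain from the lab scenario; adjust as needed
$policy = Get-ADDefaultDomainPasswordPolicy -Identity $domain

# Checks: these are the settings that matter most against online password guessing
$findings = @()
if ($policy.LockoutThreshold -eq 0) {
    $findings += 'LockoutThreshold is 0: accounts never lock, so guessing is unthrottled.'
}
if ($policy.ReversibleEncryptionEnabled) {
    $findings += 'ReversibleEncryptionEnabled is set domain-wide: passwords are recoverable as clear text.'
}
if ($policy.MinPasswordLength -lt 7) {
    $findings += "MinPasswordLength is $($policy.MinPasswordLength): below the 7-character slide value."
}
if (-not $policy.ComplexityEnabled) {
    $findings += 'ComplexityEnabled is false.'
}
$findings | ForEach-Object { Write-Warning $_ }

# Apply the slide-4 values and a lockout policy (assumed: 5 attempts in 30 min, 30-min lockout).
# Note: this cmdlet writes the domain object's policy attributes directly. If the Default
# Domain Policy GPO defines different values, Group Policy reasserts the GPO's values at
# the next refresh, so keep the GPO (the deck's recommended place) in sync with these.
Set-ADDefaultDomainPasswordPolicy -Identity $domain `
    -PasswordHistoryCount 24 `
    -MaxPasswordAge '42.00:00:00' `
    -MinPasswordAge '1.00:00:00' `
    -MinPasswordLength 7 `
    -ComplexityEnabled $true `
    -ReversibleEncryptionEnabled $false `
    -LockoutThreshold 5 `
    -LockoutDuration '00:30:00' `
    -LockoutObservationWindow '00:30:00'

# Per-account options override the domain policy (slide 6): list the exceptions.
Get-ADUser -Filter 'Enabled -eq $true' `
    -Properties PasswordNeverExpires, AllowReversiblePasswordEncryption |
    Where-Object { $_.PasswordNeverExpires -or $_.AllowReversiblePasswordEncryption } |
    Select-Object SamAccountName, PasswordNeverExpires, AllowReversiblePasswordEncryption
```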

  7. Demonstration: Configure Domain Account Policies In this demonstration, you will see how to configure the domain account policies for Contoso, Ltd, according to their password requirements

  8. Fine-Grained Password and Lockout Policy
     Fine-grained password and lockout policies allow multiple password and lockout policies to exist in the same domain.
     [Diagram: one domain policy and three fine-grained policies]
     • Domain Policy: Length 10, Max age 90, Lockout 5 in 30 min, Reset 30 min
     • Administrative accounts: Length 15, Max age 45, Lockout 5 in 60 min, Reset 1 day
     • Finance users: Length 15, Max age 60, Lockout 5 in 30 min, Reset 30 min
     • Service Accounts: Password Never Expires, Length 64, Lockout None

  9. Understand Password Settings Objects
     A PSO has the following settings available:
     • Password policies
     • Account lockout policies
     • PSO Link
     • Precedence
     Considerations when implementing PSOs:
     • The Password Settings Container (PSC) and PSOs are new object classes defined by the AD DS schema
     • Windows Server 2008 domain functional level required
     • PSOs can be created through ADSI Edit or LDIFDE
     • PSOs can only be applied to users or global security groups

  10. Demonstration: Configure Fine-Grained Password Policy In this demonstration, you will see how to configure a fine-grained password policy to enhance the security of accounts in the Domain Admins group

  11. PSO Precedence and Resultant PSO
     • A PSO can be linked to more than one group or user
     • A group or user can have more than one PSO linked to it
     • Only one PSO prevails: the Resultant PSO
       • Precedence: lower value (closer to 1) has higher precedence
       • Global group PSO with the highest precedence prevails
       • Any PSO linked to the user overrides all global group PSOs; the user-linked PSO with the highest precedence prevails
       • msDS-ResultantPSO attribute of the user in Attribute Editor: click the Filter button and ensure Constructed is selected
       • If there are no PSOs, domain account policies apply
     • Best practices
       • Use only group-linked PSOs. Do not link to user objects.
       • Avoid having two PSOs with the same precedence value
       • PSOs cannot be "linked" to an OU: create a shadow group that contains all users in the OU
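An added example, not part of the course deck, covering slides 8 to 11 and the Lab A review questions: it creates the stricter policy for Domain Admins that the slide-10 demonstration describes (values taken from the "Administrative accounts" box on slide 8), links it to the group, reads the resultant PSO for a member, checks for the two conditions the best-practice bullets warn about (duplicate precedence values and user-linked PSOs), and builds a shadow group for an OU. The PSO names, the precedence value, the sample user 'adm.alice' and the Service Accounts OU path are assumptions.

```powershell
# Added example, not part of the course deck: create and link a fine-grained
# password policy, verify the resultant PSO, and run the hygiene checks behind
# the slide's best practices. Names, precedence and the sample user are assumed.
Import-Module ActiveDirectory

New-ADFineGrainedPasswordPolicy -Name 'PSO-DomainAdmins' -Precedence 10 `
    -Description 'Stricter password and lockout policy for Domain Admins' `
    -MinPasswordLength 15 -PasswordHistoryCount 24 -ComplexityEnabled $true `
    -MaxPasswordAge '45.00:00:00' -MinPasswordAge '1.00:00:00' `
    -LockoutThreshold 5 -LockoutObservationWindow '01:00:00' -LockoutDuration '1.00:00:00' `
    -ReversibleEncryptionEnabled $false

# Link to the global security group, never to individual user objects
Add-ADFineGrainedPasswordPolicySubject -Identity 'PSO-DomainAdmins' -Subjects 'Domain Admins'

# Resultant PSO for a member: the constructed msDS-ResultantPSO attribute the slide
# points at, and the cmdlet that resolves the effective policy for you
Get-ADUser -Identity 'adm.alice' -Properties 'msDS-ResultantPSO' |
    Select-Object SamAccountName, 'msDS-ResultantPSO'
Get-ADUserResultantPasswordPolicy -Identity 'adm.alice'

# Check 1: two PSOs with the same precedence are resolved by object GUID, which an
# administrator cannot reason about. Flag duplicates.
Get-ADFineGrainedPasswordPolicy -Filter * |
    Group-Object Precedence | Where-Object { $_.Count -gt 1 } |
    ForEach-Object { Write-Warning "Precedence $($_.Name) shared by: $($_.Group.Name -join ', ')" }

# Check 2: PSOs linked directly to users rather than groups
Get-ADFineGrainedPasswordPolicy -Filter * | ForEach-Object {
    $pso = $_
    Get-ADFineGrainedPasswordPolicySubject -Identity $pso |
        Where-Object { $_.ObjectClass -eq 'user' } |
        ForEach-Object { Write-Warning "$($pso.Name) is linked directly to user $($_.SamAccountName)" }
}

# PSOs cannot be linked to an OU: maintain a shadow group from the OU's members and
# link the PSO to that group (the Service Accounts OU of the lab review question).
# 'PSO-ServiceAccounts' is assumed to have been created like the PSO above.
$ou      = 'OU=Service Accounts,DC=contoso,DC=com'
$shadow  = 'PSO-ServiceAccounts-Shadow'
$members = Get-ADUser -Filter * -SearchBase $ou -SearchScope OneLevel
Add-ADGroupMember -Identity $shadow -Members $members
Add-ADFineGrainedPasswordPolicySubject -Identity 'PSO-ServiceAccounts' -Subjects $shadow
```

The shadow-group step has to be re-run (or scheduled) whenever accounts move in or out of the OU, since group membership is not derived from OU placement.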

  12. Lab A: Configure Password and Account Lockout Policies
     • Exercise 1: Configure the Domain's Password and Lockout Policies
     • Exercise 2: Configure a Fine-Grained Password Policy
     Logon information
     Estimated time: 25 minutes

  13. Lab Scenario • The security team at Contoso, Ltd has tasked you with increasing the security and monitoring of authentication against the enterprise’s AD DS domain. Specifically, you must enforce a specified password policy for all user accounts, and a more stringent password policy for security-sensitive, administrative accounts.

  14. Lab Review
     • What are the best practices for managing PSOs in a domain?
     • How can you define a unique password policy for all of the service accounts in the Service Accounts OU?

  15. Lesson 2: Audit Authentication
     • Account Logon and Logon Events
     • Configure Authentication-Related Audit Policies
     • Scope Audit Policies
     • View Logon Events

  16. Account Logon and Logon Events
     • Account logon events
       • Registered by the system that authenticates the account
       • For domain accounts: domain controllers
       • For local accounts: the local computer
     • Logon events
       • Registered by the machine at which (or to which) a user logged on
       • Interactive logon: the user's system
       • Network logon: the server
     [Diagram: Account Logon Event, Logon Event, Logon Event]

  17. Configure Authentication-Related Audit Policies
     • Computer Configuration > Windows Settings > Security Settings > Local Policies > Audit Policy
     • Windows Server 2008 default is to audit Success events for both account logon and logon events
     • Windows Server 2008 R2 has new and more detailed policies for account logon and logon events
       • Advanced Audit Policies in Windows Server 2008 R2

  18. Scoping Audit Policies
     [Diagram: Default Domain Controllers Policy (Account Logon Events) scoped to Domain Controllers; Custom GPO (Logon Events) scoped to Remote Desktop Servers and HR Clients]

  19. View Logon Events
     • Security log of the system that generated the event
       • The domain controller that authenticated the user: Account logon
       • Note: Not replicated to other domain controllers
       • The system to which the user logged on or connected: Logon
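An added example, not part of the course deck, tying together slides 16 to 19: it enables the advanced audit subcategories that produce account logon and logon events, then reads those events back from the Security log of the machine it runs on and groups the failures by account. Because account logon events are recorded only on the authenticating domain controller and logon events only on the machine logged on to (and neither is replicated), the script is run on the system that generates the event of interest. The event IDs are the standard Windows Server 2008 and later values; the one-day window is an assumption.

```powershell
# Added example, not part of the course deck: enable the relevant audit
# subcategories, then review logon and account logon events from this machine's
# Security log. Run on a DC for account logon events, on the target machine for
# logon events. Requires an elevated prompt for auditpol.

# Logon events (Logon/Logoff category): recorded by the machine the user logged on to
auditpol /set /subcategory:"Logon" /success:enable /failure:enable
# Account logon events (Account Logon category): recorded by the authenticating system
auditpol /set /subcategory:"Credential Validation" /success:enable /failure:enable
auditpol /set /subcategory:"Kerberos Authentication Service" /success:enable /failure:enable
auditpol /get /category:"Logon/Logoff"
auditpol /get /category:"Account Logon"

# 4624/4625: logon success/failure.  4768: Kerberos TGT requested.
# 4771: Kerberos pre-authentication failed.  4776: NTLM credential validation.
$ids = 4624, 4625, 4768, 4771, 4776
$events = Get-WinEvent -ErrorAction SilentlyContinue -FilterHashtable @{
    LogName = 'Security'; Id = $ids; StartTime = (Get-Date).AddDays(-1)
}

# Flatten the EventData fields by name instead of relying on positional indexes,
# which differ between event IDs
$rows = foreach ($e in $events) {
    $data = @{}
    ([xml]$e.ToXml()).Event.EventData.Data | ForEach-Object { $data[$_.Name] = $_.'#text' }
    [pscustomobject]@{
        Time      = $e.TimeCreated
        Id        = $e.Id
        User      = $data['TargetUserName']
        LogonType = $data['LogonType']   # 2 interactive, 3 network, 10 remote interactive (4624/4625 only)
        Source    = $data['IpAddress']   # absent on 4776, which carries Workstation instead
        Status    = $data['Status']      # failure code on 4625/4771/4776; 0x0 on success
    }
}

# Failed attempts per account over the window: compare against the lockout threshold
# to see whether guessing is being throttled
$rows |
    Where-Object { (4625, 4771, 4776 -contains $_.Id) -and $_.Status -and $_.Status -ne '0x0' } |
    Group-Object User | Sort-Object Count -Descending |
    Select-Object Count, Name -First 10
```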

  20. Lab B: Audit Authentication
     • Exercise: Audit Authentication
     Logon information
     Estimated time: 20 minutes

  21. Lab Scenario • The security team at Contoso, Ltd has tasked you with increasing the security and monitoring of authentication against the enterprise’s AD DS domain. Specifically, you need to create an audit trail of logons.

  22. Lab Review • You have been asked to audit attempts to log on to desktops and laptops in the Finance division using local accounts such as Administrator. What type of audit policy do you set, and in what GPO(s)?

  23. Lesson 3: Configure Read-Only Domain Controllers
     • Authentication and Domain Controller Placement in a Branch Office
     • What Are Read-Only Domain Controllers?
     • Prerequisites for Deploying an RODC
     • Installing an RODC
     • Demonstration: Configure a Password Replication Policy
     • Demonstration: Administer RODC Credentials Caching
     • Administrative Role Separation

  24. Authentication and Domain Controller Placement in a Branch Office

  25. What Are Read-Only Domain Controllers?

  26. Prerequisites for Deploying an RODC
     • Ensure the forest functional level is Windows Server 2003 or higher
       • All domain controllers running Windows Server 2003 or later
       • All domains at a functional level of Windows Server 2003 or higher
       • Forest functional level set to Windows Server 2003 or higher
     • If the forest has any domain controllers running Windows Server 2003, run adprep /rodcprep
       • Windows Server 2008 CD: \sources\adprep folder
     • Ensure that there is at least one writeable domain controller running Windows Server 2008

  27. Installing an RODC
     • Install the RODC: Active Directory Domain Services Installation Wizard (dcpromo)
     • Stage a delegated installation of an RODC: Domain Controllers OU

  28. Demonstration: Configure a Password Replication Policy
     In this demonstration, you will see how to:
     • View an RODC's password replication policy
     • Configure the domain-wide password replication policy
       • Use the Allowed RODC Password Replication Group and the Denied RODC Password Replication Group
       • These groups are added to all new RODCs' password replication policies by default
     • Configure an RODC-specific password replication policy

  29. Demonstration: Administer RODC Credentials Caching
     In this demonstration, you will review:
     • Policy Usage Reports
       • Accounts Whose Passwords Are Stored On This Read-Only Domain Controller
       • Accounts That Have Been Authenticated To This Read-Only Domain Controller
     • Resultant Policy
     • Prepopulating credentials in the RODC cache
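An added example, not part of the course deck, covering the two RODC demonstrations above: it shows an RODC's Allowed and Denied lists, populates the Allowed list with one group for the branch's users and one for its computers, prepopulates the cache from a writable domain controller, and then reads the two policy usage reports (accounts whose passwords are stored on the RODC, and accounts that have authenticated through it). The RODC name 'BRANCH1-RODC01', the branch OU path and the group names are assumptions.

```powershell
# Added example, not part of the course deck: manage a branch RODC's password
# replication policy (PRP) and review its cached credentials. The RODC name,
# branch OU and group names are assumptions. Requires the ActiveDirectory module.
Import-Module ActiveDirectory
$rodc = 'BRANCH1-RODC01'

# Current PRP. New RODCs start with the domain-wide Allowed RODC Password
# Replication Group and Denied RODC Password Replication Group; a Denied entry
# always wins over an Allowed one.
Get-ADDomainControllerPasswordReplicationPolicy -Identity $rodc -Allowed
Get-ADDomainControllerPasswordReplicationPolicy -Identity $rodc -Denied

# Allow by group, not by individual account: one group for branch users and one
# for branch computers, filled from the branch OU. Computer accounts must be
# cacheable too, or the RODC cannot authenticate the workstations when the WAN is down.
$branchOU = 'OU=Branch1,DC=contoso,DC=com'
Add-ADGroupMember -Identity 'Branch1-Users'     -Members (Get-ADUser     -Filter * -SearchBase $branchOU)
Add-ADGroupMember -Identity 'Branch1-Computers' -Members (Get-ADComputer -Filter * -SearchBase $branchOU)
Add-ADDomainControllerPasswordReplicationPolicy -Identity $rodc -AllowedList 'Branch1-Users', 'Branch1-Computers'

# Prepopulate the cache from a writable DC so first logons do not depend on the WAN link
$hub = (Get-ADDomainController -Discover -Writable).HostName | Select-Object -First 1
Get-ADGroupMember -Identity 'Branch1-Users' | ForEach-Object {
    Sync-ADObject -Object $_ -Source $hub -Destination $rodc -PasswordOnly
}

# Policy usage reports: what is cached on this RODC, and who authenticated through it.
# If the RODC is ever stolen or compromised, the cached set is the exposure, so review it.
$cached = Get-ADDomainControllerPasswordReplicationPolicyUsage -Identity $rodc -RevealedAccounts
$authed = Get-ADDomainControllerPasswordReplicationPolicyUsage -Identity $rodc -AuthenticatedAccounts
$cached | Select-Object SamAccountName, ObjectClass

# Authenticated but not cached: candidates for the allow list, or an accepted WAN dependence
$cachedDns = $cached | ForEach-Object { $_.DistinguishedName }
$authed | Where-Object { $cachedDns -notcontains $_.DistinguishedName } |
    Select-Object SamAccountName, ObjectClass
```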

  30. Administrative Role Separation
     • Allows performing local administrative tasks on the RODC
     • Each RODC maintains a local Security Account Manager (SAM) database of groups for specific administrative purposes
     • The dsmgmt command allows you to manage the local roles:
       • dsmgmt [Enter]
       • local roles [Enter]
       • ? [Enter] for a list of commands
       • list roles [Enter] for a list of roles
       • add username administrators [Enter]

  31. Lab C: Configure Read-Only Domain Controllers
     • Exercise 1: Install an RODC
     • Exercise 2: Configure Password Replication Policy
     • Exercise 3: Manage Credential Caching
     Logon information
     Estimated time: 20 minutes

  32. Lab Scenario • The security team at Contoso, Ltd has tasked you with increasing the security and monitoring of authentication against the enterprise’s AD DS domain. Specifically, you are to improve the security of domain controllers in branch offices.

  33. Lab Review
     • Why should you ensure that the password replication policy for a branch office RODC has, in its Allow list, the accounts for the computers in the branch office as well as the users?
     • What would be the most manageable way to ensure that computers in a branch are in the Allow list of the RODC's password replication policy?

  34. Module Review and Takeaways
     • Review Questions
     • Common Issues Related to Authentication in an AD DS Domain
     • Real-World Issues and Scenarios
     • Best Practices Related to Authentication in an AD DS Domain
     • Tools
     • Windows Server 2008 R2 Features Introduced in this Module
