Hardening Active Directory: Windows 2000/2003 Network Infrastructure - PowerPoint PPT Presentation


PowerPoint Slideshow about 'Hardening Active Directory: Windows 2000/2003 Network Infrastructure' - Anita


Presentation Transcript
Hardening Active Directory: Windows 2000/2003 Network Infrastructure

Presented by: James Placer

Senior Security Analyst, ISG

James Placer
  • Over 17 years of IT and Security experience.
  • Certifications: Cisco CCSP, CCDP, CCNP; Checkpoint CCSE; NSA InfoSec 4011; Microsoft MCSE 2000. Contributing author to two Cisco certification books.
  • Authored and contributed to numerous trade magazine articles in the security field.
Agenda
  • Current State of Network Security
  • Security Policy Development
  • Security Application
  • Architecture and Security
  • Configuring AD
  • Hardening Servers and Clients
  • Questions
[Chart: "Threat Capabilities: More Dangerous & Easier To Use". Vertical axis: Technical Knowledge Required, from High to Low, plotted against Sophistication of Hacker Tools; horizontal axis: 1980, 1990, 2000. Items plotted on the chart, as listed on the slide: Internet, Worms, Packet Forging/Spoofing, Stealth Diagnostics, DDOS, Sweepers, Back Doors, Sniffers, Exploiting Known Vulnerabilities, Disabling Audits, Self Replicating Code, Password Cracking, Password Guessing.]

2002 FBI Security Survey Results
  • 92% of surveyed companies were hacked in 2002
  • 90% of surveyed companies have firewalls in place
  • 82% of the companies hacked suffered financial losses totaling over $464 million
  • 70% of hacks are internal
[Figure: "Vulnerabilities to Network Attack". Attack paths from the Internet shown: Internal Exploitation, Dial-In Exploitation, External Exploitation. Vulnerability figures shown: 65+% Vulnerable, 75% Vulnerable, 100% Vulnerable, 95+% Vulnerable Externally with Secondary Exploitation.]

Security Policy Development

70% of companies who reported that they were hacked also stated that they lacked a current security policy, and that the lack of a security policy was the primary contributor.

W5
  • WHAT do you need to protect?
  • WHO needs access to it?
  • WHY do they need access?
  • From WHERE do they need access to it?
  • WHEN do they need access?
State and Federal Statutes affecting Security
  • Feingold / California Breach Law
    - Expect a federal statute in eight months
  • Sarbanes Oxley Act
  • Gramm Leach Bliley Act
  • HIPAA
  • FDA 21 CFR 11
  • ISO 17799
Security Policy Application
  • Appropriate Design and Architecture
  • Appropriate Monitoring and Accountability
  • Appropriate Change Management
  • Appropriate Technology
  • Appropriate User Awareness Training
Architecture Is Fundamental to Security
  • Domain Controllers
  • Authentication Servers
  • Web Servers
  • File and Print Servers
  • Bastion Hosts, IAS servers, etc
Ultimate Architecture Goal
  • One Service
  • One System
  • One Appropriately Secured System
  • Practically speaking, this may not be possible
  • More Services lead to More Vulnerabilities
Architecture Steps
  • Define Physical Architecture
  • Define Server Roles
  • Define Server Services
  • Define Security Levels Required
  • Define Physical Security Guidelines
Windows Security
  • Windows 2003 / 2000 is Common Criteria Certified
  • Extreme levels of security are possible but compatibility and performance will be degraded
  • Level of hardening is a business decision based on business requirements.
Securing AD
  • Organizational Unit Design
  • Organizational Unit permissions
  • Inheritance
  • Server Security
  • Network Security
Apply OU Policies
  • 2003 ships with extensive default OU policies
  • Store them on a single Domain Controller
  • Member Servers, Domain Controllers, File Servers, Print Servers
  • Infrastructure, IIS, Bastion, etc.
Secure User Groups
  • Create appropriate User OUs
  • Apply default templates if appropriate
  • Create Custom templates as needed
  • Review Microsoft “Threats and Countermeasures Guide” for appropriate settings
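The three template bullets above can be tried out with the tooling Windows 2000/2003 already ships: a custom security template in the secedit .inf format, compared against the local machine before it is ever applied. The script below is an added example, not material from the deck; every setting value in it is an assumption chosen to match the deck's advice (NTLMv2 only, renamed Administrator, auditing on, anonymous enumeration restricted) and should be reconciled with the Threats and Countermeasures Guide before it becomes part of an OU policy. The NewAdministratorName value is a placeholder.

```powershell
# Added example (not from the deck): write a custom security template and
# compare the local machine against it with secedit /analyze.
$templatePath = Join-Path $env:TEMP 'hardening-baseline.inf'
$dbPath       = Join-Path $env:TEMP 'hardening-baseline.sdb'
$logPath      = Join-Path $env:TEMP 'hardening-analyze.log'

# Single-quoted here-string: nothing inside is expanded, so $CHICAGO$ survives.
# All values are assumptions to be reviewed against your own baseline.
$template = @'
[Unicode]
Unicode=yes
[Version]
signature="$CHICAGO$"
Revision=1
[System Access]
MinimumPasswordLength = 8
PasswordComplexity = 1
LockoutBadCount = 5
; placeholder name: rename the built-in Administrator to your own convention
NewAdministratorName = "RENAMED-ADMIN-PLACEHOLDER"
[Event Audit]
; 0 = none, 1 = success, 2 = failure, 3 = success and failure
AuditLogonEvents = 3
AuditAccountLogon = 3
AuditAccountManage = 3
AuditPolicyChange = 3
AuditObjectAccess = 2
[Registry Values]
; format is path=type,value with 4 = REG_DWORD
; LmCompatibilityLevel 5 = send NTLMv2 only, refuse LM and NTLM
MACHINE\System\CurrentControlSet\Control\Lsa\LmCompatibilityLevel=4,5
MACHINE\System\CurrentControlSet\Control\Lsa\NoLMHash=4,1
MACHINE\System\CurrentControlSet\Control\Lsa\RestrictAnonymous=4,1
'@

# Templates declare Unicode=yes, so write the file as UTF-16.
Set-Content -Path $templatePath -Value $template -Encoding Unicode

# /analyze only compares; nothing on the machine changes. Switch to
# /configure after the mismatches in the log have been reviewed.
& secedit.exe /analyze /db $dbPath /cfg $templatePath /overwrite /log $logPath /quiet

# Report only the settings that differ from the template.
Get-Content $logPath | Select-String -Pattern 'Mismatch'
```

Running the analysis first, and importing it into the Security Configuration and Analysis MMC snap-in with the same .sdb file, gives the "review before apply" step the deck's change-management bullet calls for; the same .inf can later be imported into a Group Policy object for the OU.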
Hardening Servers
  • Windows 2003 / 2000 is Common Criteria Certified
  • Extreme levels of security are possible but compatibility and performance will be degraded
  • Level of hardening is a business decision based on business requirements.
Hardening Servers Cont.
  • Configurations beyond the default hardening settings available in the MMC
  • May involve third party products, e.g. IPS systems
  • Determine what level of service is acceptable
Bastion Hosts
  • Externally accessible servers, e.g. Web, DNS
  • High Attack Probability
  • Must be Tightly Controlled
Bastion Hosts cont.
  • DELETE, not disable, any extra services
  • Use DEPENDS from the resource kit to determine service dependencies
  • Should be one service to one server
  • Not published to or integrated into AD; ideally no internal access
Bastion Hosts cont.
  • Rename all accounts
  • Create a dummy Administrator account with no rights, so that attempts to use it are logged
  • Use EFS if possible
  • Use IP security (IPsec) and log it
  • Enable local logon only
  • Lock down further as appropriate
  • Scan for vulnerabilities regularly, e.g. LANguard, Nessus, Nmap
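Several of the bastion-host bullets on these two slides are checkable from the host itself: extra running services, whether the built-in Administrator (always RID 500) has been renamed, whether a decoy account named Administrator exists and is disabled, and whether the box is domain-joined at all. The read-only audit below is an added example, not code from the deck; the service allow-list in $AllowedServices is a placeholder for a web bastion and must be replaced with the one service the host is meant to run.

```powershell
# Added example (not from the deck): read-only audit of a bastion host
# against the "Bastion Hosts" checklist. $AllowedServices is a placeholder.
function Test-BastionHost {
    param([string[]] $AllowedServices = @('W3SVC', 'Eventlog', 'RpcSs', 'Dnscache'))
    $findings = @()

    # "DELETE any extra services": anything running that is not on the allow-list.
    Get-Service | Where-Object { $_.Status -eq 'Running' -and $AllowedServices -notcontains $_.Name } |
        ForEach-Object { $findings += "Unexpected running service: $($_.Name) ($($_.DisplayName))" }

    # "Rename all accounts": the real built-in Administrator always has RID 500,
    # whatever it is called, so the SID suffix identifies it reliably.
    $local   = Get-WmiObject -Class Win32_UserAccount -Filter 'LocalAccount=True'
    $builtIn = $local | Where-Object { $_.SID -like '*-500' }
    if ($builtIn.Name -eq 'Administrator') {
        $findings += 'Built-in Administrator (RID 500) has not been renamed'
    }

    # "Dummy administrator account ... for logging": a decoy named Administrator
    # should exist, be disabled, and not be a member of Administrators.
    $decoy = $local | Where-Object { $_.Name -eq 'Administrator' -and $_.SID -notlike '*-500' }
    if (-not $decoy)            { $findings += 'No decoy Administrator account present' }
    elseif (-not $decoy.Disabled) { $findings += 'Decoy Administrator account is enabled' }

    $group = [ADSI]"WinNT://$env:COMPUTERNAME/Administrators,group"
    $adminNames = @($group.psbase.Invoke('Members')) |
        ForEach-Object { $_.GetType().InvokeMember('Name', 'GetProperty', $null, $_, $null) }
    if ($adminNames -contains 'Administrator') {
        $findings += 'An account named Administrator is in the local Administrators group'
    }

    # "Not published or integrated into AD": a bastion host should stand alone.
    $cs = Get-WmiObject -Class Win32_ComputerSystem
    if ($cs.PartOfDomain) { $findings += "Host is joined to domain $($cs.Domain)" }

    $findings
}
Test-BastionHost
```

An empty result means every check passed. The service check only reports what is running; the deck's point is that unneeded services should be removed, so a service that is merely stopped still needs a decision.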
Internal Server Hardening
  • Security rests on 6 items:
    1. Secure the system
    2. Secure the database
    3. Secure the replication
    4. Secure the normal access methods
    5. Secure the objects
    6. Audit
  • Scan for changes, e.g. Tripwire
  • Scan for vulnerabilities regularly, e.g. LANguard, Nessus, Nmap, MCC
Internal Server Hardening cont.
  • Use EFS where possible
  • Use XCACLS and MCC Audit to verify file permissions and rights
  • Use the forest root domain controller as the NTP server
  • Use IPsec filtering
  • Tighten the system drive
  • Audit critical operations such as policy data and critical file access
  • Block access to ports that can be used to reach AD if they are not required
Internal Server Hardening cont.
  • Install service packs and hotfixes
  • Remove the OS/2 and POSIX subsystem registry values
  • Delete the associated files
  • Enable DNS scavenging and apply it rigorously
  • Clean up anonymous registry access
  • Tighten the system drive
  • Use NTLM v2 only for authentication
  • Test and retest (Tripwire for the baseline; LANguard, Nmap, Nessus, MBSA, MCC)
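The items on the two "Internal Server Hardening cont." slides that live in the registry or in file ACLs can be verified without changing anything. The script below is an added example, not code from the deck: it reads the standard Windows 2000/2003 locations for the NTLM level, anonymous restrictions, the winreg key that gates remote registry access, the OS/2 and POSIX subsystem values, the root ACL of the system drive, and the installed hotfix list. The expected values are assumptions that match the deck's advice, not settings the deck states.

```powershell
# Added example (not from the deck): read-only audit of registry and ACL
# items from the "Internal Server Hardening" slides. Expected values are
# assumptions aligned with the deck's advice; reconcile with your baseline.
function Test-InternalServerHardening {
    $findings = @()
    $lsa    = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
    $subs   = 'HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager\SubSystems'
    $winreg = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurePipeServers\winreg'

    # "Use NTLM v2 only": level 5 sends NTLMv2 only and refuses LM and NTLM.
    $lsaProps = Get-ItemProperty -Path $lsa
    if ($lsaProps.LmCompatibilityLevel -ne 5) {
        $findings += "LmCompatibilityLevel is '$($lsaProps.LmCompatibilityLevel)', expected 5"
    }

    # "Clean up anonymous registry access": anonymous enumeration restricted ...
    if (-not $lsaProps.RestrictAnonymous) {
        $findings += 'RestrictAnonymous is 0 or missing'
    }
    # ... and the ACL on the winreg key decides who may open the registry remotely.
    if (-not (Test-Path $winreg)) {
        $findings += 'winreg key missing: remote registry access is not restricted by ACL'
    } else {
        $everyone = (Get-Acl -Path $winreg).Access |
            Where-Object { $_.IdentityReference.Value -eq 'Everyone' }
        if ($everyone) { $findings += 'Everyone has an ACE on the winreg key' }
    }

    # "Remove OS/2 and POSIX registry values": the optional subsystems are
    # registered as the Os2 and Posix values under SubSystems.
    $subProps = Get-ItemProperty -Path $subs
    foreach ($name in 'Os2', 'Posix') {
        if ($subProps.PSObject.Properties[$name]) {
            $findings += "$name subsystem value still present under SubSystems"
        }
    }

    # "Tighten the system drive": flag Everyone with Full Control on the root.
    $rootAcl = Get-Acl -Path "$env:SystemDrive\"
    foreach ($ace in $rootAcl.Access) {
        if ($ace.IdentityReference.Value -eq 'Everyone' -and $ace.FileSystemRights -match 'FullControl') {
            $findings += "Everyone has Full Control on $env:SystemDrive\"
        }
    }

    # "Install service packs and hotfixes": summarise what is present so the
    # list can be compared with the vendor's current bulletin set.
    $hotfixes = @(Get-WmiObject -Class Win32_QuickFixEngineering)
    $findings += "Installed hotfixes: $($hotfixes.Count)"

    $findings
}
Test-InternalServerHardening
```

The hotfix line is informational rather than pass/fail: a count cannot say whether the set is current, which is what MBSA on the same slide is for. DNS scavenging and IPsec filters are per-role settings and are left to the DNS and IPsec consoles.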
Client Hardening
  • Eliminate Win 9X from environment
  • Use NTFS / EFS exclusively on hard drives
  • Use NTLM v2 authentication only.
  • Disable file and print sharing
  • Do not allow local administrative rights!
  • Pay attention to remote VPN clients!
  • Scan network frequently
  • Use internal client IPS if available
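Three of the client bullets above can be checked from the workstation: NTFS on every fixed disk, the Server service that provides file and print sharing, and the membership of the local Administrators group. The script is an added example, not code from the deck; $expected is a placeholder allow-list for Administrators membership, and the NTLMv2-only check is the same LmCompatibilityLevel test as on the server, so it is not repeated here.

```powershell
# Added example (not from the deck): read-only checks for the "Client
# Hardening" slide. $expected is a placeholder allow-list.
function Test-ClientHardening {
    $findings = @()

    # "Use NTFS / EFS exclusively on hard drives": DriveType 3 = local fixed disk.
    Get-WmiObject -Class Win32_LogicalDisk -Filter 'DriveType=3' |
        Where-Object { $_.FileSystem -ne 'NTFS' } |
        ForEach-Object { $findings += "$($_.DeviceID) is $($_.FileSystem), not NTFS" }

    # "Disable file and print sharing": the Server service (LanmanServer)
    # is what serves shares; it should be stopped and disabled on clients.
    $srv = Get-WmiObject -Class Win32_Service -Filter "Name='LanmanServer'"
    if ($srv -and ($srv.State -eq 'Running' -or $srv.StartMode -ne 'Disabled')) {
        $findings += "Server service is $($srv.State) (start mode $($srv.StartMode)): file and print sharing available"
    }

    # "Do not allow local administrative rights!": enumerate the local
    # Administrators group through the Win32_GroupUser association and flag
    # any member not on the allow-list (add your renamed admin account to it).
    $expected = @('Domain Admins')   # placeholder allow-list
    $members = Get-WmiObject -Class Win32_GroupUser |
        Where-Object { $_.GroupComponent -match 'Name="Administrators"' } |
        ForEach-Object { if ($_.PartComponent -match 'Name="([^"]+)"') { $matches[1] } }
    foreach ($m in $members) {
        if ($expected -notcontains $m) { $findings += "Unexpected member of local Administrators: $m" }
    }

    $findings
}
Test-ClientHardening
```

Win32_GroupUser enumerates every group on the machine before the filter applies, so on a domain member with many groups it is slow; it is acceptable for a spot check and is the reason the bastion audit above uses ADSI instead. Flagging users, rather than removing them, keeps the script safe to run from a logon script while the VPN and remote clients the slide warns about are still being inventoried.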
Tools and References
  • NSA Server Security Guides

http://nsa2.www.conxion.com/win2k/

  • Microsoft

“Threats and Countermeasures Guide”

“Windows Server 2003 Security Guide”

“Windows 2000 Common Criteria Guide”

Windows 2000 / 2003 resource kit

  • www.Nessus.org - Vulnerability Scanner
Tools and References cont.
  • www.Languard.com - vulnerability and device scanner

  • NMAP
  • Fport from Foundstone.com
  • Tripwire. File integrity checker. Commercial but excellent product
Q&A

Contact Information:

Email: jplacer@goisg.com

Phone: (616) 393 7250