Secure your active directory environment
Secure your Active Directory Environment. Juan Martinez, Information Security Consultant, International Network Services. Agenda: Active Directory design issues, Trust Relationships, Schema Protection, Firewall Considerations, Protecting Service Management, Group Policy Architecture.
Presentation Transcript

Secure your Active Directory Environment

Juan Martinez

Information Security Consultant

International Network Services

Agenda

  • Active Directory design issues

  • Trust Relationships

  • Schema Protection

  • Firewall Considerations

  • Protecting Service Management

  • Group Policy Architecture

  • System Hardening

Security Boundaries

  • Forest – security boundary

  • Domain – boundaries for administration

  • Why is the forest the security boundary?

    • Forest-level service management

    • Implicit transitive trusts between all domains in a forest.

Domain Trust Vulnerability

  • User’s authorization data contains SIDs

Domain Trust Vulnerability

  • Trusting domain doesn’t verify SIDs

Domain Trust Vulnerability

  • Solution: SID Filtering

Design Implications

  • You can’t delete trusts between domains in a forest

  • You can’t implement SID Filtering between domains in a forest

  • Well… You can, but it will break stuff

  • So… a domain can’t be considered a security boundary

  • All Domain Admins must be trusted

DMZ Considerations

  • Preferred: no AD systems in the DMZ

  • Extranet considerations

    • Separate forest to provide isolation

    • Administrators that span forests should have separate accounts for each

Restricting Trust Relationships

  • SID Filtering

    • Enabled by default for external or forest trusts

Restricting Trust Relationships

  • Limit Trust

    • TopLevelExclusion Record

  • Selective Authentication vs. Forest-wide Authentication

    • Selective authentication: access requires the “Allowed to Authenticate” permission on each resource computer

    • Use carefully
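An added example (not from the slides) that audits the trusts a domain holds against the controls described on these two slides. It decodes the trustAttributes bit flags from MS-ADTS rather than relying on the friendlier property names, because the flag meanings are unambiguous: external trusts should have the quarantine (SID filtering) bit set, forest trusts should not have the "treat as external" bit that relaxes filtering, and either kind should use selective authentication where the slide's "use carefully" caveat allows. It assumes the ActiveDirectory RSAT module and read access to the domain's trust objects.

```powershell
# Added example, not from the slides: audit every trust the domain holds and
# flag the ones that lack SID filtering or selective authentication.
# Requires the ActiveDirectory RSAT module and read access to the domain.
Import-Module ActiveDirectory

# trustAttributes bit flags (MS-ADTS); only the ones needed here
$TRUST_ATTRIBUTE_QUARANTINED_DOMAIN = 0x04   # SID filtering enabled on an external trust
$TRUST_ATTRIBUTE_FOREST_TRANSITIVE  = 0x08   # forest trust
$TRUST_ATTRIBUTE_CROSS_ORGANIZATION = 0x10   # selective authentication in effect
$TRUST_ATTRIBUTE_WITHIN_FOREST      = 0x20   # trust between domains of one forest
$TRUST_ATTRIBUTE_TREAT_AS_EXTERNAL  = 0x40   # forest trust with SID history allowed (filtering relaxed)

function Test-Flag([int]$Value, [int]$Flag) { ($Value -band $Flag) -ne 0 }

function Get-TrustAudit {
    # Returns one object per trust; an empty Findings column means nothing to fix.
    foreach ($t in Get-ADTrust -Filter * -Properties TrustAttributes) {
        $attr     = [int]$t.TrustAttributes
        $findings = @()

        if (Test-Flag $attr $TRUST_ATTRIBUTE_WITHIN_FOREST) {
            # Slides: intra-forest trusts cannot be deleted or SID-filtered,
            # so they are reported but nothing on the trust itself is flagged.
            $kind = 'intra-forest'
        }
        elseif (Test-Flag $attr $TRUST_ATTRIBUTE_FOREST_TRANSITIVE) {
            $kind = 'forest'
            # Forest trusts filter SIDs by default; TREAT_AS_EXTERNAL means someone
            # ran "netdom trust ... /enablesidhistory:yes" and relaxed that.
            if (Test-Flag $attr $TRUST_ATTRIBUTE_TREAT_AS_EXTERNAL) {
                $findings += 'SID history allowed across forest trust (SID filtering relaxed)'
            }
            if (-not (Test-Flag $attr $TRUST_ATTRIBUTE_CROSS_ORGANIZATION)) {
                $findings += 'forest-wide authentication (selective authentication not enabled)'
            }
        }
        else {
            $kind = 'external'
            # Remediation on the trusting side:
            #   netdom trust <TrustingDomain> /domain:<TrustedDomain> /quarantine:Yes
            if (-not (Test-Flag $attr $TRUST_ATTRIBUTE_QUARANTINED_DOMAIN)) {
                $findings += 'SID filtering (quarantine) not enabled'
            }
            if (-not (Test-Flag $attr $TRUST_ATTRIBUTE_CROSS_ORGANIZATION)) {
                $findings += 'domain-wide authentication (selective authentication not enabled)'
            }
        }

        [pscustomobject]@{
            Name            = $t.Name
            Direction       = $t.Direction
            Kind            = $kind
            TrustAttributes = ('0x{0:X}' -f $attr)
            Findings        = ($findings -join '; ')
        }
    }
}

Get-TrustAudit | Format-Table -AutoSize
```

Run it from each domain that holds trusts, because the attributes are stored per trusted-domain object and the trusting side is the one whose filtering matters. Enabling selective authentication is a change in behaviour, not just a flag: until "Allowed to Authenticate" is granted on the relevant computer objects, users from the trusted domain will be refused, which is the slide's "use carefully" point.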

Soft Controls

  • Protecting the AD Schema is more about following sound security practices than technical solutions

  • Policy

  • Guidelines

  • Configuration Management

  • Roles / responsibilities

Schema Policy

  • Ownership

    • Management of schema naming prefix

    • Delegating OIDs

    • Configuration Management

      • Define evaluation criteria for proposed schema extensions

      • Provide final approval/disapproval

    • Maintenance and documentation

Soft Controls

  • Guidelines

    • Configuration management evaluation criteria

    • OID Maintenance

    • Documentation

    • Splitting application deployment

    • Schema testing guidelines

  • Access Control

    • Most important – protect Schema Admins group!

Firewall Considerations

  • Firewall the Root domain?

    • No real security gained, just added complexity

  • Firewall the Schema Master?

Firewall Considerations

  • When a firewall exists between Active Directory systems

    • Use IPSEC tunnels

Stronger Password Policies

  • Policy: stronger password requirements for “elevated privilege” accounts

  • Two options:

    • Custom password complexity requirements

    • Store all service management accounts in forest root domain

Stronger Password Policies

  • Controlled OU structure in forest root domain
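An added example (not from the slides) of enforcing the policy stated above, stronger password requirements for elevated-privilege accounts, with a Fine-Grained Password Policy (PSO). That mechanism postdates the two options the slide offers and needs the Windows Server 2008 domain functional level, so it is a swapped-in technique rather than the presenter's; it assumes the ActiveDirectory RSAT module, and the policy name, thresholds and target groups are illustrative values to adjust.

```powershell
# Added example, not from the slides: apply a stronger password policy to
# elevated accounts via a Fine-Grained Password Policy (PSO). Requires the
# Windows Server 2008 domain functional level and the ActiveDirectory module.
Import-Module ActiveDirectory

$psoName = 'PSO-ElevatedAccounts'   # hypothetical name, change to taste

function New-ElevatedPasswordPolicy {
    param(
        [string]$Name = $psoName,
        [string[]]$Subjects = @('Domain Admins', 'Schema Admins', 'Enterprise Admins')
    )
    if (-not (Get-ADFineGrainedPasswordPolicy -Filter "Name -eq '$Name'")) {
        $policy = @{
            Name                        = $Name
            Precedence                  = 10            # lower value wins when several PSOs apply
            ComplexityEnabled           = $true
            MinPasswordLength           = 20            # illustrative threshold
            PasswordHistoryCount        = 24
            MinPasswordAge              = '1.00:00:00'  # 1 day
            MaxPasswordAge              = '60.00:00:00' # 60 days
            LockoutThreshold            = 5
            LockoutObservationWindow    = '00:30:00'
            LockoutDuration             = '00:30:00'
            ReversibleEncryptionEnabled = $false
        }
        New-ADFineGrainedPasswordPolicy @policy
    }
    # Apply to groups rather than individual accounts so membership changes
    # pick the policy up automatically.
    Add-ADFineGrainedPasswordPolicySubject -Identity $Name -Subjects $Subjects
}

function Get-EffectivePasswordPolicy {
    # Shows which policy actually governs an account: a PSO, or the default
    # domain policy when no PSO applies (the result is $null in that case).
    param([Parameter(Mandatory)][string]$SamAccountName)
    $pso = Get-ADUserResultantPasswordPolicy -Identity $SamAccountName
    if ($pso) { "$SamAccountName -> PSO '$($pso.Name)' (min length $($pso.MinPasswordLength))" }
    else      { "$SamAccountName -> default domain password policy" }
}

New-ElevatedPasswordPolicy
Get-ADGroupMember -Identity 'Domain Admins' | ForEach-Object { Get-EffectivePasswordPolicy $_.SamAccountName }
```

The resultant-policy check is the useful part: a PSO that is linked to a group but has a higher precedence value than another PSO, or that is linked to a nested group rather than the account's direct group, silently loses, and only Get-ADUserResultantPasswordPolicy shows what an account is actually held to.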

Gotchas

  • Several issues with using separate domain for service management accounts model

    • Custom Domain Admin type group requires Domain Admin-level permissions

      • Can’t add directly to Domain Admins group

    • Procedures must be followed closely

Best Practices

  • Restrict membership to within forest

  • Separate accounts

  • Cached credentials

  • Default service management accounts

    • Don’t use Account Operators, Server Operators
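An added example (not from the slides) that turns the "protect Schema Admins" point from the Soft Controls slide and the Best Practices items above into a repeatable check: it lists the membership of the forest's service-management groups, flags members that resolve to foreign security principals (membership from outside the forest), warns when Schema Admins is populated outside a schema change window, and warns when the default Account Operators and Server Operators groups are in use. It also reads the local cached-logon count, since "cached credentials" is on the slide. It assumes the ActiveDirectory RSAT module; nested group members are reported as the nested group, not expanded.

```powershell
# Added example, not from the slides: audit service-management group membership.
# Requires the ActiveDirectory RSAT module. Reads the direct 'member' attribute
# so that trusts with unresolvable foreign SIDs do not break the enumeration.
Import-Module ActiveDirectory

$groupsToAudit = @(
    'Enterprise Admins', 'Schema Admins', 'Domain Admins', 'Administrators',
    'Account Operators', 'Server Operators', 'Backup Operators'
)

function Get-PrivilegedGroupAudit {
    param([string[]]$Groups = $groupsToAudit)
    foreach ($g in $Groups) {
        $members  = @((Get-ADGroup -Identity $g -Properties member).member)  # DNs
        $findings = @()

        # Slide: restrict membership to within the forest. A DN under the
        # ForeignSecurityPrincipals container is a SID from a trusted domain/forest.
        $foreign = @($members | Where-Object { $_ -like '*,CN=ForeignSecurityPrincipals,*' })
        if ($foreign.Count -gt 0) { $findings += "$($foreign.Count) member(s) from outside the forest" }

        # Slide: protect Schema Admins. Keep it empty except during a schema change.
        if ($g -eq 'Schema Admins' -and $members.Count -gt 0) { $findings += 'Schema Admins is not empty' }

        # Slide: don't use the default operator groups for service management.
        if ($g -in 'Account Operators', 'Server Operators' -and $members.Count -gt 0) {
            $findings += 'default operator group is in use'
        }

        [pscustomobject]@{
            Group       = $g
            Members     = $members.Count
            MemberNames = (($members | ForEach-Object { ($_ -split ',')[0] -replace '^CN=', '' }) -join ', ')
            Findings    = ($findings -join '; ')
        }
    }
}

function Get-CachedLogonsCount {
    # Slide: cached credentials. Number of domain logons Windows caches locally
    # on this machine; lower it by policy on machines that never log on offline.
    (Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon').CachedLogonsCount
}

Get-PrivilegedGroupAudit | Format-Table -AutoSize
"CachedLogonsCount on this host: $(Get-CachedLogonsCount)"
```

Because the check reads the direct member attribute, a privileged group that contains another group shows one member; run the audit against that nested group too, or it becomes the place where membership grows unnoticed. The Schema Admins rule is deliberately strict: the slide's "most important" item is easiest to enforce when the expected steady state is an empty group, so any member at all is worth a ticket.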

The Problem

  • How do I enforce enterprise-wide security policies?

  • Problem

    • Domains are boundaries for Group Policy

  • Possible solutions

    • Site-level GPOs

    • Non-technical solutions

Disadvantages

  • UGLY!!!

    • Replication issues

    • Performance issues

    • Issues with placement of ROOT DCs

    • Does not apply to Password policies

  • Non-technical solutions can be just as effective

Group Policy Best Practices

  • Local Group Policy vs. Domain Group Policy

  • Use synchronous mode

  • Security Policy Processing

    • Process even if the Group Policy objects have not changed

  • Explore capabilities

    • Extend group policy

Group Policy Best Practices

  • Minimize use of “block policy inheritance” and “Enforce” options

  • Limit number of GPOs

  • Link GPOs as closely as possible

  • Disable user/computer configuration when possible

  • Avoid cross domain linking of GPOs
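An added example (not from the slides) covering both Group Policy Best Practices slides. The first function is a read-only audit of the domain's GPO layout: it counts GPOs, finds GPOs whose user or computer side is enabled but has never been edited (candidates for "disable user/computer configuration"), and walks the domain root and every OU for blocked inheritance, enforced links and links to GPOs that live in another domain. The second function writes the two processing settings from the earlier slide into a named GPO: synchronous foreground processing and security policy processing "even if the Group Policy objects have not changed". It assumes the GroupPolicy and ActiveDirectory RSAT modules and a GPO name supplied by the caller.

```powershell
# Added example, not from the slides: audit GPO layout and set processing options.
# Requires the GroupPolicy and ActiveDirectory RSAT modules.
Import-Module GroupPolicy
Import-Module ActiveDirectory

function Get-GpoLayoutAudit {
    $domain   = (Get-ADDomain).DNSRoot
    $findings = @()

    $gpos = @(Get-GPO -All -Domain $domain)
    $findings += "GPO count: $($gpos.Count) (slide: limit the number of GPOs)"

    # A side whose DSVersion is still 0 has never been edited; disabling it
    # saves processing on every client that applies the GPO.
    foreach ($g in $gpos) {
        if ($g.GpoStatus -in 'AllSettingsEnabled', 'ComputerSettingsDisabled' -and $g.User.DSVersion -eq 0) {
            $findings += "GPO '$($g.DisplayName)': user side enabled but never configured"
        }
        if ($g.GpoStatus -in 'AllSettingsEnabled', 'UserSettingsDisabled' -and $g.Computer.DSVersion -eq 0) {
            $findings += "GPO '$($g.DisplayName)': computer side enabled but never configured"
        }
    }

    # Domain root plus every OU: block inheritance, enforced links, cross-domain links.
    $targets = @((Get-ADDomain).DistinguishedName) +
               @(Get-ADOrganizationalUnit -Filter * | Select-Object -ExpandProperty DistinguishedName)
    foreach ($dn in $targets) {
        $inh = Get-GPInheritance -Target $dn -Domain $domain
        if ($inh.GpoInheritanceBlocked) { $findings += "${dn}: block policy inheritance is set" }
        foreach ($link in $inh.GpoLinks) {
            if ($link.Enforced) { $findings += "${dn}: link to '$($link.DisplayName)' is enforced" }
            if ($link.GpoDomainName -and $link.GpoDomainName -ne $domain) {
                $findings += "${dn}: cross-domain link to '$($link.DisplayName)' in $($link.GpoDomainName)"
            }
        }
    }
    $findings
}

function Set-GpoProcessingHardening {
    # Writes the two slide settings into the named GPO (computer configuration).
    param([Parameter(Mandatory)][string]$GpoName)

    # "Always wait for the network at computer startup and logon" = synchronous mode
    Set-GPRegistryValue -Name $GpoName `
        -Key 'HKLM\SOFTWARE\Policies\Microsoft\Windows NT\CurrentVersion\Winlogon' `
        -ValueName 'SyncForegroundPolicy' -Type DWord -Value 1 | Out-Null

    # Security policy processing: "Process even if the Group Policy objects have
    # not changed" is NoGPOListChanges = 0 under the security client-side
    # extension's GUID key.
    Set-GPRegistryValue -Name $GpoName `
        -Key 'HKLM\SOFTWARE\Policies\Microsoft\Windows\Group Policy\{827D319E-6EAC-11D2-A4EA-00C04F79F83A}' `
        -ValueName 'NoGPOListChanges' -Type DWord -Value 0 | Out-Null
}

Get-GpoLayoutAudit
# Set-GpoProcessingHardening -GpoName 'Domain Controller Baseline'   # hypothetical GPO name
```

The audit reports rather than changes anything, which matters for the "block inheritance" and "Enforce" items: each one is usually there because someone needed it, and the slide's advice is to minimise them, not to delete them blindly. Reprocessing security policy even when nothing changed costs a little at every refresh, but it is what re-applies the settings a local administrator has tampered with, which is why it belongs on the hardening list.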

Adopt a Baseline/Guideline
Hardening Guideline Components

  • Preliminary Security Measures (Done offline)

    • BIOS level protection

    • AV

    • Physical security

    • Patch

    • Verify software, shares, users

    • Patches

Hardening Guideline Components

  • Apply group policy

    • Automatic OU placement (netdom)

  • Manual hardening procedures

    • DS restore mode password

  • Verify functionality and security

  • Back out procedures

  • Known vulnerabilities register

Domain Controllers and DHCP

  • Don’t run DHCP on Domain Controllers if you’re using dynamic updates (DNSUpdateProxy group issue)
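An added example (not from the slides) that detects the configuration the slide warns about. The underlying issue: DNS records registered by a member of the DnsUpdateProxy group are created without a secure owner so that any DHCP server can later update them, and a domain controller in that group registers its own A and SRV records the same way, leaving them writable by any authenticated principal. The check lists every DC, whether it is an authorized DHCP server, and whether it is in DnsUpdateProxy. It assumes the ActiveDirectory and DhcpServer RSAT modules.

```powershell
# Added example, not from the slides: find domain controllers that also run DHCP
# and/or sit in DnsUpdateProxy. Requires the ActiveDirectory and DhcpServer modules.
Import-Module ActiveDirectory
Import-Module DhcpServer

function Get-DcDhcpOverlap {
    $dcs  = @(Get-ADDomainController -Filter * | Select-Object -ExpandProperty HostName)
    # Authorized DHCP servers are registered in the configuration partition.
    $dhcp = @(Get-DhcpServerInDC | Select-Object -ExpandProperty DnsName)

    # Resolve DnsUpdateProxy members (DNs) to host names for comparison.
    $proxyMembers = @()
    $proxyGroup   = Get-ADGroup -Filter "Name -eq 'DnsUpdateProxy'" -Properties member
    if ($proxyGroup) {
        $proxyMembers = @($proxyGroup.member | ForEach-Object {
            (Get-ADObject -Identity $_ -Properties dNSHostName).dNSHostName
        })
    }

    foreach ($dc in $dcs) {
        $runsDhcp = $dhcp -contains $dc
        $inProxy  = $proxyMembers -contains $dc
        [pscustomobject]@{
            DomainController = $dc
            RunsDhcp         = $runsDhcp
            InDnsUpdateProxy = $inProxy
            Finding          = $(if ($runsDhcp -and $inProxy) {
                                     "DC is a DnsUpdateProxy DHCP server: its own DNS records are unsecured"
                                 } elseif ($runsDhcp) {
                                     "DHCP on a DC: move DHCP off the DC or register updates with a dedicated account"
                                 } elseif ($inProxy) {
                                     "DC in DnsUpdateProxy without DHCP: remove it from the group"
                                 } else { '' })
        }
    }
}

Get-DcDhcpOverlap | Format-Table -AutoSize
```

Where DHCP cannot be moved off a DC, the mitigation is to keep the DC out of DnsUpdateProxy and have the DHCP service register records under a dedicated, low-privilege account (Set-DhcpServerDnsCredential) so that the records it creates are owned by that account rather than left unsecured.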

Questions


Juan Martinez –