Secure your active directory environment

Presentation Transcript

Secure your Active Directory Environment

Juan Martinez

Information Security Consultant

International Network Services


Agenda

  • Active Directory design issues

  • Trust Relationships

  • Schema Protection

  • Firewall Considerations

  • Protecting Service Management

  • Group Policy Architecture

  • System Hardening



Security Boundaries

  • Forest – the security boundary

  • Domain – a boundary for administration, not for security

  • Why is the forest the security boundary?

    • Service management (schema, configuration partition, Enterprise Admins) is forest-wide

    • Implicit, non-removable transitive trusts exist between all domains in a forest




Domain Trust Vulnerability

  • A user’s authorization data (the PAC in a Kerberos ticket, the token for NTLM) carries a list of SIDs, including any SIDs stored in the account’s SIDHistory attribute

  • The trusting domain does not verify that those SIDs belong to the trusted domain, so an administrator of the trusted domain can inject the SID of a privileged group in the trusting domain and be treated as a member of it

  • Solution: SID Filtering – the trusting domain discards any SID that is not relative to the trusted domain


Design Implications

  • You can’t delete the trusts between domains in a forest

  • You can’t implement SID Filtering between domains in a forest

  • Well… you can, but it is unsupported and breaks forest operations that depend on cross-domain SIDs

  • So… a domain can’t be considered a security boundary: a Domain Admin of any domain can escalate to the whole forest

  • All Domain Admins in the forest must therefore be trusted


DMZ Considerations

  • Preferred: no AD systems in the DMZ

  • Extranet considerations

    • Separate forest to provide isolation (a separate domain in the internal forest does not)

    • Administrators that span forests should have a separate account in each forest



Restricting Trust Relationships

  • SID Filtering

    • Enabled by default on external trusts (Windows Server 2003 and later) and on forest trusts; verify it has not been switched off to make SIDHistory work after a migration

  • Limit the trust

    • Name suffix routing: TopLevelExclusion records keep selected name suffixes from being routed across a forest trust

  • Selective Authentication vs. Forest-wide Authentication

    • Selective authentication – users from the trusted forest can only authenticate to computers on which they have been granted the “Allowed to Authenticate” permission

    • Use carefully: every resource server the partner needs has to be permissioned explicitly
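The following script is an added example and is not part of the presentation. It lists every trust of the current domain through the ActiveDirectory RSAT module, flags the settings the two slides above discuss (SID filtering on external and forest trusts, forest-wide versus selective authentication), and shows the netdom and dsacls commands that remediate each finding. The domain, computer and group names are placeholders.

```powershell
# Added example, not from the deck: audit trust hardening and show the remediation.
Import-Module ActiveDirectory

function Get-TrustReport {
    Get-ADTrust -Filter * | ForEach-Object {
        [pscustomobject]@{
            Partner                 = $_.Name
            Direction               = $_.Direction           # Inbound, Outbound, BiDirectional
            IntraForest             = $_.IntraForest         # cannot be filtered or deleted
            ForestTrust             = $_.ForestTransitive
            # External trusts: "quarantine" drops every SID not relative to the trusted domain
            SidFilteringQuarantined = $_.SIDFilteringQuarantined
            # Forest trusts: "forest aware" filtering drops SIDs not owned by the trusted forest
            SidFilteringForestAware = $_.SIDFilteringForestAware
            SelectiveAuthentication = $_.SelectiveAuthentication
        }
    }
}

function Test-TrustHardening {
    foreach ($t in Get-TrustReport) {
        if ($t.IntraForest) { continue }   # nothing to tune: the forest is the boundary
        if ($t.ForestTrust -and -not $t.SidFilteringForestAware) {
            Write-Warning "Forest trust with $($t.Partner): SIDHistory from the other forest is honoured"
        }
        if (-not $t.ForestTrust -and -not $t.SidFilteringQuarantined) {
            Write-Warning "External trust with $($t.Partner): SID filtering is disabled"
        }
        if (-not $t.SelectiveAuthentication) {
            Write-Output "Trust with $($t.Partner): forest-wide authentication, every resource is reachable by any trusted user"
        }
    }
}

Test-TrustHardening

# Remediation, run from the trusting domain (corp.example.com and partner.example.net are placeholders):
#   external trust -> re-enable SID filtering
# netdom trust corp.example.com /domain:partner.example.net /quarantine:yes /userD:PARTNER\admin /passwordD:*
#   forest trust  -> stop honouring SIDHistory from the partner forest
# netdom trust corp.example.com /domain:partner.example.net /enablesidhistory:no /userD:PARTNER\admin /passwordD:*
#   switch to selective authentication, then grant "Allowed to Authenticate" per resource computer
# netdom trust corp.example.com /domain:partner.example.net /selectiveauth:yes
# dsacls "CN=APP01,OU=Servers,DC=corp,DC=example,DC=com" /G "PARTNER\App Users:CA;Allowed to Authenticate"
```

The remediation lines are left commented because each one changes the trust immediately; run them one at a time from an account that is an administrator of the trusting domain, and re-run the audit afterwards.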



Soft Controls

  • Protecting the AD Schema is more about following sound security practices than technical solutions

  • Policy

  • Guidelines

  • Configuration Management

  • Roles / responsibilities


Schema Policy

  • Ownership

    • Management of schema naming prefix

    • Delegating OIDs

    • Configuration Management

      • Define evaluation criteria for proposed schema extensions

      • Provide final approval/disapproval

    • Maintenance and documentation


Soft Controls

  • Guidelines

    • Configuration management evaluation criteria

    • OID Maintenance

    • Documentation

    • Splitting application deployment

    • Schema testing guidelines

  • Access Control

    • Most important – protect Schema Admins group!



Firewall Considerations

  • Firewall the Root domain?

    • No real security gained, just added complexity

  • Firewall the Schema Master?



Firewall Considerations

  • When a firewall exists between Active Directory systems

    • Use IPsec between the systems, so the firewall only has to pass IKE and ESP instead of the full LDAP/Kerberos/SMB/RPC port set, including the dynamic RPC range used by replication
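As an added example (not from the presentation), the following connection security rule requires IPsec between two domain controllers that sit on either side of a firewall. It uses Windows Firewall with Advanced Security’s NetSecurity cmdlets, transport mode ESP and the default computer Kerberos authentication; the two addresses are placeholders and the rule has to exist on both DCs (or be deployed through a GPO).

```powershell
# Added example, not from the deck: require IPsec for DC-to-DC traffic across a firewall.
$localDc  = '10.0.1.10'   # placeholder: this DC
$remoteDc = '10.0.2.10'   # placeholder: the DC on the far side of the firewall

New-NetIPsecRule -DisplayName 'DC-to-DC replication (require IPsec)' `
    -LocalAddress $localDc -RemoteAddress $remoteDc `
    -Mode Transport `                      # host-to-host, no tunnel gateway involved
    -InboundSecurity Require `             # drop clear-text traffic in both directions
    -OutboundSecurity Require `
    -Profile Domain

# Check the rule, then (once replication traffic has flowed) the negotiated SAs
Get-NetIPsecRule -DisplayName 'DC-to-DC replication (require IPsec)' |
    Format-List DisplayName, Mode, InboundSecurity, OutboundSecurity, Enabled
Get-NetIPsecMainModeSA | Where-Object RemoteEndpoint -eq $remoteDc | Format-List
```

With the rule in place the firewall between the two DCs needs only UDP 500 and UDP 4500 (IKE/NAT-T) and IP protocol 50 (ESP) between the two addresses; the LDAP, Kerberos, SMB and RPC ports travel inside ESP.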



Stronger Password Policies

  • Policy: stronger password requirements for “elevated privilege” accounts

  • Two options, given that a domain password policy applies to every account in the domain:

    • Custom password complexity requirements (a custom password filter on the DCs)

    • Store all service management accounts in the forest root domain and give that domain the stricter policy


Stronger Password Policies

  • Controlled OU structure in forest root domain
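The two options above reflect a single password policy per domain. Since Windows Server 2008 (domain functional level 2008 or later) fine-grained password policies let one domain carry a stricter policy for the elevated accounts without a separate domain or a custom password filter. The following is an added example, not from the presentation; the policy name, values and account names are placeholders, and it has to run in the forest root domain because Enterprise Admins and Schema Admins exist only there.

```powershell
# Added example, not from the deck: a Password Settings Object for elevated accounts.
Import-Module ActiveDirectory

function New-ElevatedPasswordPolicy {
    param(
        [string]$Name = 'PSO-ServiceManagement',   # placeholder name
        [string[]]$Subjects = @('Domain Admins', 'Enterprise Admins', 'Schema Admins')
    )
    # Lower Precedence wins when several PSOs apply to the same account
    New-ADFineGrainedPasswordPolicy -Name $Name -Precedence 10 `
        -ComplexityEnabled $true -MinPasswordLength 20 -PasswordHistoryCount 24 `
        -MinPasswordAge (New-TimeSpan -Days 1) -MaxPasswordAge (New-TimeSpan -Days 90) `
        -LockoutThreshold 5 -LockoutDuration (New-TimeSpan -Minutes 30) `
        -LockoutObservationWindow (New-TimeSpan -Minutes 30) `
        -ReversibleEncryptionEnabled $false `
        -Description 'Stronger policy for elevated-privilege accounts'

    # PSOs bind to users and global security groups, never to OUs
    Add-ADFineGrainedPasswordPolicySubject -Identity $Name -Subjects $Subjects
    Get-ADFineGrainedPasswordPolicy -Identity $Name
}

# Resultant policy for one account; returns nothing when no PSO matches,
# which means the Default Domain Policy applies
function Get-EffectivePasswordPolicy([string]$SamAccountName) {
    Get-ADUserResultantPasswordPolicy -Identity $SamAccountName
}

New-ElevatedPasswordPolicy
Get-EffectivePasswordPolicy -SamAccountName 'adm-jmartinez'   # placeholder account
```

Because the subjects are groups, an account picks up the policy the moment it is added to Domain Admins; the resultant-policy check is the way to confirm that, since the account’s own properties do not show which PSO won.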




Gotchas

  • Several issues with using a separate domain for the service management accounts model

    • Domain Admins is a global group, so accounts from the root domain can’t be added to it directly; a custom group in the child domain has to be granted Domain Admin-level permissions instead

    • Procedures must be followed closely


Best Practices

  • Restrict privileged group membership to accounts within the forest

  • Separate accounts for administration and day-to-day use

  • Limit cached credentials on the machines administrators log on to

  • Default service management groups

    • Don’t use Account Operators, Server Operators
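The script below is an added example and not part of the presentation. It serves the Schema Admins point in the schema section (“Most important – protect Schema Admins group!”) as well as the best practices above: it reports the membership of the forest-root and per-domain service management groups, flags the groups that should be empty, flags cross-forest principals, and shows how to empty Schema Admins between change windows. It assumes the ActiveDirectory RSAT module and read access to every domain in the forest.

```powershell
# Added example, not from the deck: audit the service management groups.
Import-Module ActiveDirectory

function Get-PrivilegedGroupReport {
    $forest  = Get-ADForest
    $targets = @()
    # Forest-wide groups exist only in the root domain
    foreach ($g in 'Enterprise Admins', 'Schema Admins') {
        $targets += [pscustomobject]@{ Domain = $forest.RootDomain; Group = $g }
    }
    foreach ($d in $forest.Domains) {
        foreach ($g in 'Domain Admins', 'Administrators', 'Account Operators', 'Server Operators') {
            $targets += [pscustomobject]@{ Domain = $d; Group = $g }
        }
    }
    foreach ($t in $targets) {
        try   { $members = Get-ADGroupMember -Identity $t.Group -Server $t.Domain -Recursive }
        catch { $members = Get-ADGroupMember -Identity $t.Group -Server $t.Domain }  # unresolvable FSPs break -Recursive
        foreach ($m in $members) {
            [pscustomobject]@{
                Domain      = $t.Domain
                Group       = $t.Group
                Member      = $m.Name
                ObjectClass = $m.objectClass
                DN          = $m.distinguishedName
            }
        }
    }
}

function Test-PrivilegedGroups {
    $report = Get-PrivilegedGroupReport
    # Empty outside a planned change (Schema Admins) or always (the operator groups)
    $report | Where-Object { $_.Group -in 'Schema Admins', 'Account Operators', 'Server Operators' } |
        ForEach-Object { Write-Warning "$($_.Domain)\$($_.Group) contains $($_.Member) ($($_.ObjectClass))" }
    # Membership stays inside the forest: a foreignSecurityPrincipal is an account from another forest
    $report | Where-Object { $_.ObjectClass -eq 'foreignSecurityPrincipal' } |
        ForEach-Object { Write-Warning "$($_.Domain)\$($_.Group): cross-forest principal $($_.DN)" }
    $report
}

Test-PrivilegedGroups | Format-Table Domain, Group, Member, ObjectClass -AutoSize

# Empty Schema Admins between change windows (remove -WhatIf to apply)
$root = (Get-ADForest).RootDomain
Get-ADGroupMember -Identity 'Schema Admins' -Server $root | ForEach-Object {
    Remove-ADGroupMember -Identity 'Schema Admins' -Members $_ -Server $root -Confirm:$false -WhatIf
}
```

Run it on a schedule and diff the output: a new member of Schema Admins or an operator group outside a change window is exactly the kind of event the soft controls in the schema section are meant to catch.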




The Problem

  • How do I enforce enterprise-wide security policies?

  • Problem

    • Domains are boundaries for Group Policy

  • Possible solutions

    • Site-level GPOs

    • Non-technical solutions



Disadvantages

  • UGLY!!!

    • Replication issues

    • Performance issues

    • Issues with placement of ROOT DCs (a site-linked GPO is stored in the forest root domain, so clients in every site must be able to reach a root DC to read it)

    • Does not apply to password policies (account policies take effect only when linked at the domain level)

  • Non-technical solutions can be just as effective


Group Policy Best Practices

  • Local Group Policy vs. Domain Group Policy

  • Use synchronous mode (“Always wait for the network at computer startup and logon”)

  • Security Policy Processing

    • Process even if the Group Policy objects have not changed, so a setting tampered with locally is re-applied at the next refresh

  • Explore capabilities

    • Extend group policy


Group Policy Best Practices

  • Minimize use of “block policy inheritance” and “Enforce” options

  • Limit the number of GPOs

  • Link GPOs as close as possible to the objects they target

  • Disable user/computer configuration when possible

  • Avoid cross domain linking of GPOs
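The audit below is an added example, not part of the presentation. It walks every OU of the current domain through the GroupPolicy and ActiveDirectory RSAT modules and reports the practices from the two slides above: blocked inheritance and enforced links, cross-domain links, GPOs whose empty user or computer side is still enabled, and whether this host has the synchronous-processing and security-CSE settings applied. The two registry paths are the ones those policies write under HKLM\SOFTWARE\Policies.

```powershell
# Added example, not from the deck: Group Policy hygiene audit for one domain.
Import-Module GroupPolicy
Import-Module ActiveDirectory

function Get-GpoLinkAudit {
    $domain     = (Get-ADDomain).DNSRoot
    $containers = @((Get-ADDomain).DistinguishedName) +
                  (Get-ADOrganizationalUnit -Filter * | Select-Object -ExpandProperty DistinguishedName)
    foreach ($dn in $containers) {
        $inh = Get-GPInheritance -Target $dn
        if ($inh.GpoInheritanceBlocked) { Write-Warning "Inheritance blocked at $dn" }
        foreach ($link in $inh.GpoLinks) {
            if ($link.Enforced) { Write-Warning "Enforced link '$($link.DisplayName)' at $dn" }
            # GPO stored in another domain: fetched from that domain's DCs at every refresh
            if ($link.GpoDomainName -ne $domain) {
                Write-Warning "Cross-domain link '$($link.DisplayName)' from $($link.GpoDomainName) at $dn"
            }
        }
    }
}

function Get-GpoIdleSideCandidates {
    # A user/computer side with no settings is still processed unless it is disabled
    Get-GPO -All | ForEach-Object {
        [xml]$x = Get-GPOReport -Guid $_.Id -ReportType Xml
        $userHasSettings = $null -ne $x.GPO.User.ExtensionData
        $compHasSettings = $null -ne $x.GPO.Computer.ExtensionData
        [pscustomobject]@{
            Name             = $_.DisplayName
            Status           = $_.GpoStatus   # AllSettingsEnabled, UserSettingsDisabled, ...
            UserSideIdle     = (-not $userHasSettings) -and ($_.GpoStatus -in 'AllSettingsEnabled', 'ComputerSettingsDisabled')
            ComputerSideIdle = (-not $compHasSettings) -and ($_.GpoStatus -in 'AllSettingsEnabled', 'UserSettingsDisabled')
        }
    } | Where-Object { $_.UserSideIdle -or $_.ComputerSideIdle }
}

function Test-ClientSideProcessing {
    # "Always wait for the network at computer startup and logon"
    $sync = Get-ItemProperty -Path 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\CurrentVersion\Winlogon' `
                             -Name SyncForegroundPolicy -ErrorAction SilentlyContinue
    # Security CSE: NoGPOListChanges = 0 means "process even if the GPOs have not changed"
    $sec  = Get-ItemProperty -Path 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\Group Policy\{827D319E-6EAC-11D2-A4EA-00C04F79F83A}' `
                             -Name NoGPOListChanges -ErrorAction SilentlyContinue
    [pscustomobject]@{
        AlwaysWaitForNetwork           = ($sync.SyncForegroundPolicy -eq 1)
        SecurityCseProcessesUnchanged  = ($null -ne $sec -and $sec.NoGPOListChanges -eq 0)
    }
}

Get-GpoLinkAudit
Get-GpoIdleSideCandidates | Format-Table -AutoSize
Test-ClientSideProcessing
```

The XML report is the reliable way to tell whether a side carries settings; GpoStatus only says whether the side is enabled, which is why the two are combined.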



Adopt a Baseline/Guideline

  • BASELINE !!


Hardening Guideline Components

  • Preliminary Security Measures (done offline, before the system is connected to the production network)

    • BIOS level protection

    • AV

    • Physical security

    • Patch to the current level

    • Verify installed software, shares, users


Hardening Guideline Components

  • Apply group policy

    • Automatic OU placement at join time (netdom join /OU), so the hardened OU’s GPOs apply from the first boot

  • Manual hardening procedures

    • DS Restore Mode (DSRM) password: unique per DC and stored in the password vault

  • Verify functionality and security

  • Back out procedures

  • Known vulnerabilities register
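The following is an added example, not part of the presentation, covering the two scripted steps in the list above: joining a machine straight into its hardened OU and setting the DSRM password on a domain controller. The domain, OU and account names are placeholders, and the verification step assumes the ActiveDirectory RSAT module is installed on the joined machine.

```powershell
# Added example, not from the deck: OU placement at join time and the DSRM password.

# 1. Join directly into the hardened OU so the baseline GPOs apply at the first domain
#    boot, instead of landing in the default Computers container with no policy.
$domain = 'corp.example.com'                                            # placeholder
$ou     = 'OU=Member Servers,OU=Tier 1,DC=corp,DC=example,DC=com'       # placeholder

netdom join $env:COMPUTERNAME "/domain:$domain" "/OU:$ou" "/userD:CORP\svc-join" /passwordD:* /reboot:10
# PowerShell equivalent:
# Add-Computer -DomainName $domain -OUPath $ou -Credential (Get-Credential 'CORP\svc-join') -Restart

# After the reboot: confirm placement and that the baseline GPOs actually applied
Get-ADComputer -Identity $env:COMPUTERNAME | Select-Object DistinguishedName
gpresult /r /scope:computer

# 2. On a domain controller: set the Directory Services Restore Mode password
#    (the local Administrator password used when the DC boots without AD).
ntdsutil "set dsrm password" "reset password on server null" quit quit
# Windows Server 2008 and later can instead copy the password of a domain account:
# ntdsutil "set dsrm password" "sync from domain account svc-dsrm" quit quit
```

Both ntdsutil forms prompt for or read the password interactively and never take it on the command line, so nothing ends up in the shell history.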


Domain Controllers and DHCP

  • Don’t run DHCP on Domain Controllers if you’re using dynamic DNS updates: a DHCP server is normally put in the DnsUpdateProxy group so that clients can later take over their own records, but a DC in that group also writes its own records (including the SRV records Netlogon registers) without a protecting ACL, so any client can overwrite them
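As an added example (not from the presentation), the script below finds domain controllers that are also authorised DHCP servers and checks whether their computer accounts sit in DnsUpdateProxy, then shows the mitigation when DHCP cannot be moved off the DC. It assumes the ActiveDirectory and DhcpServer RSAT modules; the DC and account names in the mitigation are placeholders.

```powershell
# Added example, not from the deck: DCs running DHCP and the DnsUpdateProxy exposure.
Import-Module ActiveDirectory
Import-Module DhcpServer

function Get-DcDhcpProxyRisk {
    $dcNames   = (Get-ADDomainController -Filter *).Name                  # NetBIOS names
    $dhcpNames = (Get-DhcpServerInDC).DnsName | ForEach-Object { $_.Split('.')[0] }   # authorised DHCP servers
    $proxy     = (Get-ADGroupMember -Identity 'DnsUpdateProxy' | Where-Object objectClass -eq 'computer').Name

    foreach ($dc in $dcNames) {
        if ($dc -in $dhcpNames) {
            [pscustomobject]@{
                DomainController = $dc
                RunsDhcp         = $true
                # In DnsUpdateProxy the DC's own records (A, SRV from Netlogon) are created
                # without a protecting ACL and can be overwritten by any client
                InDnsUpdateProxy = ($dc -in $proxy)
            }
        }
    }
}

Get-DcDhcpProxyRisk | Format-Table -AutoSize

# If DHCP must stay on the DC: keep the DC out of DnsUpdateProxy and let the DHCP
# service register client records with a dedicated low-privilege account instead.
# $cred = Get-Credential 'CORP\svc-dhcp-dns'   # placeholder account
# Set-DhcpServerDnsCredential -ComputerName 'DC01.corp.example.com' -Credential $cred
# Restart-Service -Name DHCPServer
```

With dedicated update credentials the client records are owned by the service account rather than left unsecured, and the DC’s own records keep the ACL Netlogon gives them.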



Questions

Juan Martinez – juan.martinezjr@ins.com

www.ins.com