1 / 30

Module 3

Module 3. Securing AD DS . Module Overview. Securing Domain Controllers Implementing Password and Lockout Policies Implementing Audit Authentication. Lesson 1: Securing Domain Controllers.

tosca
Download Presentation

Module 3

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript

  1. Module 3 Securing AD DS

  2. Module Overview • Securing Domain Controllers Implementing Password and Lockout Policies Implementing Audit Authentication

  3. Lesson 1: Securing Domain Controllers • Domain Controller Security Risks Modifying the Security Settings of Domain Controllers Minimizing the Attack Surface of Domain Controllers Implementing Secure Authentication Securing Physical Access to Domain Controllers What are RODCs? Deploying an RODC Planning and Configuring RODC Credential Caching Demonstration: Configure a Password Replication Policy Administrator Role Separation

  4. Domain Controller Security Risks • Domain controllers are a prime target for attacks and the most important resource to secure • Security risks include: • Network security • Authentication attacks • Elevation of privilege • Denial of Service • Operating system, service, or application attacks • Operational risks • Physical security threats

  5. Modifying the Security Settings of Domain Controllers • Use a GPO to apply the same security settings to all domain controllers • Consider custom GPOs linked to the Domain Controllers OU • Security settings include: • Account policies, such as passwords and account lockout • Local policies, such as auditing, user rights, and security options • Event log configuration • Secure system services • Windows Firewall with Advanced Security • Public key policies • Advanced auditing

  6. Minimizing the Attack Surface of Domain Controllers • To minimize the attack surface on domain controllers, you should: • Establish update management processes • Increase the security of communication protocols: • Secure LDAP • IPsec • SMB signing • Secure the operating system by using: • Baseline security by using SCW • Server Core installation • BitLocker Drive Encryption

  7. Implementing Secure Authentication • Consider the following factors when implementing secure authentication: • Secure user accounts and passwords • Secure groups with elevated permissions • Audit critical object changes • Deploy secure authentication, such as smart cards • Secure network activity • Establish deprovisioning and cleanup processes • Secure client computers

  8. Securing Physical Access to Domain Controllers When securing physical access to your domain controllers, consider the following: • RODCs • BitLocker • Hot-swap disk systems can lead to domain controller theft • Protect virtual disks: virtual machine admins must be highly trusted • Store backups in secure locations

  9. What are RODCs? AD DS AD DS

  10. Deploying an RODC Deploying an RODC: • Prerequisites: • Adprep /rodcprep • Sufficient Windows Server 2008 or newer replication partners for the RODCs • One-step deployment: • Server Manager with Add Roles and Features, then Active Directory Domain Services Configuration Wizard • Windows PowerShell: Install-ADDSDomainController –ReadOnlyReplica • Two-step deployment: pre-staging and delegated promotion: • Create the account: Active Directory Administrative Center or Add-ADDSReadOnlyDomainControllerAccount • Join the RODC as delegated admin: Server Manager or Install-ADDSDomainController -ReadOnlyReplica

  11. Planning and Configuring RODC Credential Caching • A password replication policy determines which users’ credentials are cached on a specific RODC • You can configure these credentials by using: • Domain-wide password replication policy • RODC-specific password replication policy • RODC filtered attribute set

  12. Demonstration: Configure a Password Replication Policy • In this demonstration, you will see how to: • Stage a delegated installation of an RODC • View an RODC’s password replication policy • Configure an RODC-specific password replication policy • Verify the resultant password policy

  13. Administrator Role Separation • Allows performance of local administrative tasks on the RODC for non-domain administrators • Each RODC maintains a local Security Accounts Manager database of groups for specific administrative purposes • Configure the local administrator by: • Adding the user or group when pre-creating or installing the RODC • Adding a user or group on the Managed By tab on the RODC account properties

  14. Lesson 2: Implementing Password and Lockout Policies • Password Policies Account Lockout Policies Demonstration: Configure Domain Account Policies Fine-Grained Password and Lockout Policies Understanding PSOs Demonstration: Configuring a Fine-Grained Password Policy PSO Precedence and Resultant PSO

  15. Password Policies • Set password requirements by using the following settings: • Enforce password history • Maximum password age • Minimum password age • Minimum password length • Password complexity requirements: • Does not contain name or user name • Must have at least six characters • Contains characters from three different groups– uppercase, lowercase, numeric, and special characters

  16. Account Lockout Policies • Account lockout policies define whether accounts should be locked automatically after several failed attempts to log on • To configure these policy settings, you must consider: • Account lockout duration • Account lockout threshold • Reset account lockout counter after • Account lockout policies provide a level of security but also provide an opportunity for DoS attacks

  17. Demonstration: Configure Domain Account Policies • In this demonstration, you will see how to configure: • A domain-based password policy • An account lockout policy

  18. Fine-Grained Password and Lockout Policies • You can use fine-grained password policies to specify multiple password policies within a single domain • Fine-grained password policies: • Apply only to user objects, InetOrgPerson objects, or global security groups • Cannot be applied directly to an OU • Do not interfere with custom password filters that you might use in the same domain

  19. Understanding PSOs Windows Server 2012 provides two tools for configuring PSOs: • Windows PowerShell cmdlets: • New-ADFineGrainedPasswordPolicy • Add-FineGrainedPasswordPolicySubject • Active Directory Administrative Center

  20. Demonstration: Configuring a Fine-Grained Password Policy • In this demonstration, you will see how to configure and apply a fine-grained password policy

  21. PSO Precedence and Resultant PSO • If multiple PSOs apply to a user: • The directly applied PSOs are considered, rather than the PSOs that are applied via group memberships • The PSO with the lowest precedence wins • If two PSOs have the same precedence, the smallest objectGUID wins • To evaluate a user object to see which PSO has been applied, you can use: • msDS-ResultantPSO Active Directory attribute • Active Directory Administrative Center • Extensions • Attribute Editor • Filter: Show constructed attributes

  22. Lesson 3: Implementing Audit Authentication • Account Logon and Logon Events Demonstration: Configuring Authentication-Related Audit Policies Scope Audit Policies Demonstration: Viewing Logon Events

  23. Account Logon and Logon Events AD DS Advanced audit policies provide 53 auditable events: • Account logon events: • Registered by the system that authenticates the account • For domain accounts–domain controllers • For local accounts–local computer • Logon events: • Registered by the machine at or to which (or to which) a user logged on • Interactive logon–user's system • Network logon–server Account Logon Event Logon Event Logon Event

  24. Demonstration: Configuring Authentication-Related Audit Policies • In this demonstration, you will see where the authentication-related audit policies are configured

  25. Scope Audit Policies Default Domain Controllers Policy Account LogonEvents CustomGPO LogonEvents RemoteDesktop Servers DomainControllers HR Clients

  26. Demonstration: Viewing Logon Events • In this demonstration, you will see how to view logon events

  27. Lab: Securing AD DS • Exercise 1: Implementing Security Policies for Accounts, Passwords, and Administrative Groups Exercise 2: Deploying and Configuring an RODC Logon Information: Virtual machines: 10969A-LON-DC1 10969A-LON-DC2 10969A-LON-SVR1 User name: Adatum\Administrator Password: Pa$$w0rd Estimated Time: 45 minutes

  28. Lab Scenario • The security team at A. Datum Corporation has been examining the organization for possible security issues. It has been focusing on AD DS and is particularly concerned with AD DS authentication and branch-office domain controller security. • You have been asked to help improve the security and monitoring of authentication against the enterprise’s AD DS domain. You must enforce a specified password policy for all user accounts, and you must develop a more stringent password policy for security-sensitive administrative accounts. It also is important that you implement an appropriate audit trail to help monitor authentication attempts within AD DS. • The second part of your assignment includes the deployment and configuration of RODCs s to support AD DS authentication within a branch office

  29. Lab Review • In the lab, we configured the password settings for all users within the Default Domain Policy, and we configured the password settings for Administrators within a PSO. What other options were available to accomplish the solution? In the lab, we were using precedence for the administrative PSO with a value of 10. What is the reason for this?

  30. Module Review and Takeaways • Review Questions Tools

More Related