Harness AD

Presentation Transcript

Slide1: 

Harness the Power of Active Directory
Presented by Chris Henley, chenley@microsoft.com, Blogs.TechNet.com/chenley

Active Directory Security: Hacker Goals

- Footprint (gather information about the network)
- Scan (find all available points of entry)
- Enumerate (identify accounts, shares and services on the hosts found)
- Intrude and exploit
- Get the admin account and password!

Source: Hacking Exposed: Network Security Secrets & Solutions, 5th Ed. McClure, Scambray and Kurtz; McGraw-Hill, Emeryville, CA, 2005

Active Directory Security: Securing the Administrator Account

Understanding admin accounts. Any of the following is an admin account, whether or not it is called one:
- The default Administrator account
- Any account to which you directly assign administrative privileges
- Any additional account to which you assign membership in an administrative group (membership in an admin group makes the account an admin account)

Slide5: 

DEMO Protecting the Administrators Account

Slide6: 

Active Directory Security: Securing the Administrator Account: Recommendations

- Be aware of the RID-500 account: the built-in Administrator's SID always ends in -500, so an attacker can locate it by SID no matter what it is named
- Rename the Administrator account
- Change the description on the account (the default "Built-in account for administering the computer/domain" gives the renamed account away)
- Create a decoy account with the old name
- Use the Group Policy Restricted Groups setting to control membership of local Administrators groups and of Active Directory admin groups
http://www.microsoft.com/technet/security/topics/networksecurity/sec_ad_admin_groups.mspx
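The check a practitioner would want after applying these recommendations, as an added example that is not part of the presentation: find the RID-500 account by SID (which is exactly how an attacker defeats the rename), then verify the rename, the description and the decoy. It uses the ActiveDirectory module, which shipped after this talk (Windows Server 2008 R2 and later); the decoy name and the privileged-group pattern are assumptions.

```powershell
# Added example, not from the presentation. Requires the ActiveDirectory module
# (Windows Server 2008 R2+). The decoy name 'Administrator' is an assumption.
Import-Module ActiveDirectory

function Get-Rid500Account {
    # The built-in Administrator's SID is always <domain SID>-500. Renaming changes
    # sAMAccountName but never the SID, so this finds it whatever it is called.
    param([string]$Server = (Get-ADDomain).PDCEmulator)
    $domainSid = (Get-ADDomain -Server $Server).DomainSID.Value
    Get-ADUser -Identity "$domainSid-500" -Server $Server `
        -Properties Description, Enabled, LastLogonDate, MemberOf, PasswordLastSet
}

function Test-AdministratorHardening {
    param([string]$DecoyName = 'Administrator')   # assumed name of the decoy account

    $real     = Get-Rid500Account
    $findings = @()

    if ($real.SamAccountName -eq 'Administrator') {
        $findings += 'RID-500 account still uses the default name Administrator'
    }
    if ($real.Description -like 'Built-in account for administering*') {
        $findings += 'RID-500 account still carries the default description, which reveals it after a rename'
    }

    # The decoy must exist, must not be the real account, and must hold no privileged membership.
    $decoy = Get-ADUser -Filter "SamAccountName -eq '$DecoyName'" -Properties MemberOf, Description
    if (-not $decoy) {
        $findings += "No decoy account named $DecoyName exists"
    } elseif ($decoy.SID.Value -like '*-500') {
        $findings += "$DecoyName is the real RID-500 account, not a decoy"
    } elseif ($decoy.MemberOf -match 'CN=(Domain|Enterprise|Schema) Admins|CN=Administrators,') {
        $findings += "Decoy $DecoyName is a member of a privileged group; it must not be"
    }

    [pscustomobject]@{
        Rid500Name      = $real.SamAccountName
        Rid500Enabled   = $real.Enabled
        Rid500LastLogon = $real.LastLogonDate
        Findings        = $findings
    }
}

Test-AdministratorHardening
```

The `Get-ADUser -Identity "<domain SID>-500"` lookup is the defender's and the attacker's query alike; the rename and decoy buy you a detection opportunity (logons to the decoy are always suspicious), not concealment.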

Slide7: 

Active Directory Security: Securing the Administrative Service Accounts

What about all of those administrative service accounts? The service administrator groups and accounts:
- Enterprise Admins
- Schema Admins
- Administrators
- Domain Admins
- Server Operators
- Account Operators
- Backup Operators
- DS Restore Mode Administrator (the DSRM account; it lives in the DC's local SAM, not in the directory)
- AdminSDHolder (the object whose ACL is stamped onto these protected groups and their members by SDProp, every 60 minutes by default, so per-object permission changes on them do not stick)

Slide8: 

Active Directory Security: Securing the Administrative Service Accounts

What about all of those administrative service accounts? Create controlled subtree OUs.

Slide9: 

Active Directory Security: Securing the Administrative Service Accounts

What about all of those administrative service accounts?
1. Create the OU structure.
2. Set the permissions.
3. Move the service administrator groups.
4. Move the service administrator user accounts.
5. Move the service administrator workstation accounts.
6. Enable auditing on the controlled subtree OUs.

Slide10: 

DEMO Administrative Service Architecture

Slide11: 

Active Directory Security: Securing the Administrative Service Accounts: Recommendations

- Create the OUs
- Assign permissions as directed
- Move the service groups. Don't forget: Administrators, Server Operators, Account Operators and Backup Operators live in the Builtin container and cannot be moved
- Don't forget to include your decoy Admin account
- Auditing, auditing, auditing
Securing Active Directory Administrative Groups and Accounts: http://www.microsoft.com/technet/security/topics/networksecurity/sec_ad_admin_groups.mspx
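The six-step procedure above carried out end to end, as an added example that is not part of the presentation. It uses the ActiveDirectory module (Windows Server 2008 R2 and later), which did not exist when this talk was given; the OU names, the decoy account name and the set of audited rights are assumptions.

```powershell
# Added example, not from the presentation. Requires the ActiveDirectory module.
# OU names, the decoy name and the audited rights are assumptions.
Import-Module ActiveDirectory

$domain    = Get-ADDomain
$domainDn  = $domain.DistinguishedName
$pdc       = $domain.PDCEmulator
$rootName  = 'Service Admins'                 # assumed OU name
$rootDn    = "OU=$rootName,$domainDn"
$decoyName = 'Administrator'                  # assumed decoy sAMAccountName

function New-OuIfMissing([string]$Name, [string]$Parent) {
    $existing = Get-ADOrganizationalUnit -LDAPFilter "(ou=$Name)" -SearchBase $Parent -SearchScope OneLevel -Server $pdc
    if (-not $existing) {
        New-ADOrganizationalUnit -Name $Name -Path $Parent -ProtectedFromAccidentalDeletion $true -Server $pdc
    }
}

# 1. Create the OU structure (idempotent).
New-OuIfMissing $rootName $domainDn
foreach ($sub in 'Groups', 'Users', 'Workstations') { New-OuIfMissing $sub $rootDn }

# 2. Set the permissions: block ACL inheritance at the subtree root so delegations
#    granted higher in the domain (to data administrators) do not reach it.
$acl = Get-Acl -Path "AD:\$rootDn"
$acl.SetAccessRuleProtection($true, $true)   # protected; inherited ACEs copied as explicit ones to prune by hand
Set-Acl -Path "AD:\$rootDn" -AclObject $acl

# 3. Move the service administrator groups. The four Builtin groups cannot leave
#    CN=Builtin, so they are reported and must be secured in place.
$serviceGroups = 'Enterprise Admins', 'Schema Admins', 'Domain Admins',
                 'Administrators', 'Server Operators', 'Account Operators', 'Backup Operators'
$movedGroups = foreach ($name in $serviceGroups) {
    $g = Get-ADGroup -Filter "name -eq '$name'" -Server $pdc   # null in a child domain for forest-root groups
    if (-not $g) { continue }
    if ($g.DistinguishedName -like "*,CN=Builtin,$domainDn") {
        Write-Warning "$name is a Builtin group and cannot be moved"
    } elseif ($g.DistinguishedName -notlike "*,OU=Groups,$rootDn") {
        Move-ADObject -Identity $g -TargetPath "OU=Groups,$rootDn" -Server $pdc
    }
    $g
}

# 4. and 5. Move the member user accounts (plus the decoy) and workstation accounts.
$members = $movedGroups | Get-ADGroupMember -Recursive -Server $pdc | Sort-Object -Unique DistinguishedName
$decoy   = Get-ADUser -Filter "sAMAccountName -eq '$decoyName'" -Server $pdc
foreach ($m in @($members) + @($decoy)) {
    if (-not $m) { continue }
    $target = switch ($m.objectClass) {
        'user'     { "OU=Users,$rootDn" }
        'computer' { "OU=Workstations,$rootDn" }
        default    { $null }                     # nested groups were handled in step 3
    }
    if ($target -and $m.DistinguishedName -notlike "*,$target") {
        Move-ADObject -Identity $m.DistinguishedName -TargetPath $target -Server $pdc
    }
}

# 6. Enable auditing on the controlled subtree: a SACL on the root, inherited by every
#    object below, logging successful and failed changes by anyone. The DC must also
#    have the audit subcategory on:
#    auditpol /set /subcategory:"Directory Service Changes" /success:enable /failure:enable
$everyone = [System.Security.Principal.SecurityIdentifier]'S-1-1-0'
$rights   = [System.DirectoryServices.ActiveDirectoryRights]'CreateChild, DeleteChild, WriteProperty, WriteDacl, WriteOwner, Delete'
$audit    = New-Object System.DirectoryServices.ActiveDirectoryAuditRule(
    $everyone, $rights,
    [System.Security.AccessControl.AuditFlags]'Success, Failure',
    [System.DirectoryServices.ActiveDirectorySecurityInheritance]::All)
$sacl = Get-Acl -Path "AD:\$rootDn" -Audit
$sacl.AddAuditRule($audit)
Set-Acl -Path "AD:\$rootDn" -AclObject $sacl
```

Moving the groups and accounts does not change who can administer them: the Builtin groups and every member of a protected group keep the AdminSDHolder ACL regardless of which OU they sit in, so the OU permissions in step 2 protect the containers and the non-protected objects (workstations, the decoy), while the SACL in step 6 is what tells you when a protected object is touched.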

When is Group Policy Applied?: 

Administrative Template Extension: 

Administrative Template Extension
- Simple way to configure policy
- Largest Group Policy extension
- .ADM files define the user interface shown in the Group Policy editor and the registry values each setting writes

Using ADM Template Extensions: 

Slide16: 

DEMO Reviewing ADM Templates

Custom ADM Templates: 

Custom ADM Templates
- Increase security
- Disable interface options
- Disable confusing items
- Control data
- Configure all settings
- Create unsupported policy (a template can target any registry key; values written outside the four Policies keys are preferences that persist after the GPO is removed)

Registry Policies: 

Registry Policies: the four keys that hold true policy settings. Values under these keys are removed when the GPO that set them no longer applies; values an ADM template writes anywhere else are left behind ("tattooed").
- HKEY_LOCAL_MACHINE\SOFTWARE\Policies
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies
- HKEY_CURRENT_USER\SOFTWARE\Policies
- HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies
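A worked illustration of the two preceding slides (custom ADM templates and the four registry policy keys), as an added example that is not part of the presentation: a small custom .ADM template is parsed and each KEYNAME is classified as a true policy (under one of the four keys) or a tattooing preference, and a second function lists what is currently under the four keys on the local machine. The template text, the "Contoso" category and its value names are constructed for the example.

```powershell
# Added example, not from the presentation. The ADM text below is constructed;
# "Contoso" and its value names are invented.

# The four true-policy roots, relative to the hive chosen by CLASS MACHINE / CLASS USER.
$TruePolicyRoots = @(
    'SOFTWARE\Policies',
    'SOFTWARE\Microsoft\Windows\CurrentVersion\Policies'
)

function Test-AdmTemplate {
    # Walks an ADM template and reports, per KEYNAME, whether the setting is a true
    # policy (cleaned up when the GPO stops applying) or a preference (tattoos).
    param([Parameter(Mandatory)][string]$AdmText)
    $class = $null; $policy = $null
    foreach ($raw in $AdmText -split "`r?`n") {
        $line = $raw.Trim()
        if ($line -match '^CLASS\s+(MACHINE|USER)\b') { $class = $Matches[1]; continue }
        if ($line -match '^POLICY\s+(.+)$')           { $policy = $Matches[1].Trim('"'); continue }
        if ($line -match '^KEYNAME\s+"?([^"]+)"?') {
            $key    = $Matches[1].Trim()
            $isTrue = [bool]($TruePolicyRoots | Where-Object { $key -eq $_ -or $key -like "$_\*" })
            $effect = if ($isTrue) { 'true policy: removed when GPO no longer applies' }
                      else         { 'PREFERENCE: tattoos the registry' }
            [pscustomobject]@{ Class = $class; Policy = $policy; KeyName = $key; TruePolicy = $isTrue; Effect = $effect }
        }
    }
}

function Get-AppliedRegistryPolicies {
    # Enumerates every value under the four policy keys on the local machine; what is
    # here was put there by Group Policy, so it is the live policy state to compare with gpresult.
    foreach ($hive in 'HKLM', 'HKCU') {
        foreach ($root in $TruePolicyRoots) {
            $path = "${hive}:\$root"
            if (-not (Test-Path $path)) { continue }
            foreach ($k in @(Get-Item $path) + @(Get-ChildItem $path -Recurse -ErrorAction SilentlyContinue)) {
                foreach ($v in $k.GetValueNames()) {
                    [pscustomobject]@{ Key = $k.Name; Value = $v; Data = $k.GetValue($v) }
                }
            }
        }
    }
}

# Constructed sample: one supported policy and one "unsupported" preference.
$sampleAdm = @'
CLASS MACHINE
CATEGORY !!Contoso
  POLICY !!DisableUsbStorage
    KEYNAME "SOFTWARE\Policies\Contoso\Desktop"
    EXPLAIN !!DisableUsbStorage_Help
    VALUENAME "DisableUsbStorage"
    VALUEON NUMERIC 1
    VALUEOFF NUMERIC 0
  END POLICY
  POLICY !!LegacyAppSetting
    KEYNAME "SOFTWARE\Contoso\LegacyApp"
    VALUENAME "HideAdvancedTab"
    VALUEON NUMERIC 1
    VALUEOFF NUMERIC 0
  END POLICY
END CATEGORY

[strings]
Contoso="Contoso"
DisableUsbStorage="Disable USB storage"
DisableUsbStorage_Help="Writes a true policy value under HKLM\SOFTWARE\Policies."
LegacyAppSetting="Hide legacy app advanced tab"
'@

Test-AdmTemplate -AdmText $sampleAdm | Format-Table -AutoSize
Get-AppliedRegistryPolicies | Select-Object -First 20
```

The second policy in the sample is what the slide calls "unsupported policy": the Group Policy editor of this era hides such settings unless the "Only show policy settings that can be fully managed" filter is turned off, and unlinking the GPO later leaves `HideAdvancedTab` in place on every machine that ever received it.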

Slide20: 

DEMO Customizing ADM Templates

Software Restriction Policies: 

Software Restriction Policies Application started

Group Policy Software Deployment: 

Exclude Accounts from Group Policy: 

Slide25: 

DEMO Configuring Group Policy ACL’s

Delegating Control of GPOs: 

Delegating Control of GPOs
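The two techniques named by the slides above (excluding accounts from a GPO by ACL, and delegating control of a GPO), as an added example that is not part of the presentation. Exclusion is a Deny ACE for the "Apply Group Policy" extended right on the GPO's container object in AD; delegation is a permission level on the same object. It uses the GroupPolicy and ActiveDirectory modules (Windows Server 2008 R2 and later); the GPO and group names are assumptions.

```powershell
# Added example, not from the presentation. Requires the GroupPolicy and
# ActiveDirectory modules. GPO and group names are assumptions.
Import-Module GroupPolicy
Import-Module ActiveDirectory

# Schema GUID of the Apply-Group-Policy extended right.
$ApplyGroupPolicyGuid = [guid]'edacfd8f-ffb3-11d1-b41d-00a0c968f939'

function Deny-GPApply {
    # Adds a Deny "Apply Group Policy" ACE for a group on the GPO's groupPolicyContainer.
    # Read stays granted, so affected clients still see the GPO and gpresult reports
    # it as "Filtered out (Security)" instead of failing to read it.
    param([Parameter(Mandatory)][string]$GpoName,
          [Parameter(Mandatory)][string]$GroupName)
    $gpo  = Get-GPO -Name $GpoName
    $sid  = (Get-ADGroup -Identity $GroupName).SID
    $path = "AD:\$($gpo.Path)"                 # DN of the GPC object
    $acl  = Get-Acl -Path $path
    $deny = New-Object System.DirectoryServices.ActiveDirectoryAccessRule(
        $sid,
        [System.DirectoryServices.ActiveDirectoryRights]::ExtendedRight,
        [System.Security.AccessControl.AccessControlType]::Deny,
        $ApplyGroupPolicyGuid,
        [System.DirectoryServices.ActiveDirectorySecurityInheritance]::None)
    $acl.AddAccessRule($deny)
    Set-Acl -Path $path -AclObject $acl
}

function Get-GPApplyDenials {
    # Lists who is explicitly denied Apply Group Policy on a GPO (what the GPMC
    # Delegation tab shows under Advanced), for review of accidental exclusions.
    param([Parameter(Mandatory)][string]$GpoName)
    $gpo = Get-GPO -Name $GpoName
    (Get-Acl -Path "AD:\$($gpo.Path)").Access |
        Where-Object { $_.AccessControlType -eq 'Deny' -and $_.ObjectType -eq $ApplyGroupPolicyGuid } |
        Select-Object IdentityReference, ActiveDirectoryRights, IsInherited
}

function Grant-GPEditRights {
    # Delegation: lets a group edit settings (not security or links) of one GPO.
    param([Parameter(Mandatory)][string]$GpoName,
          [Parameter(Mandatory)][string]$GroupName)
    Set-GPPermission -Name $GpoName -TargetName $GroupName -TargetType Group -PermissionLevel GpoEdit
}

# Usage (assumed names): exempt the service administrators from a desktop lockdown
# GPO and let the desktop team edit it.
Deny-GPApply      -GpoName 'Desktop Lockdown' -GroupName 'Service Admins'
Grant-GPEditRights -GpoName 'Desktop Lockdown' -GroupName 'Desktop GPO Editors'
Get-GPApplyDenials -GpoName 'Desktop Lockdown'
```

Set-GPPermission can grant GpoApply, GpoRead, GpoEdit and GpoEditDeleteModifySecurity but cannot express a Deny, which is why the exclusion goes straight onto the AD object. A Deny ACE wins over any Allow the same principal gets through another group, so audit these denials when a GPO unexpectedly fails to apply.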

Security Configuration and Analysis: 

Security Configuration Wizard: 

Security Configuration Wizard: quick start guide at download.microsoft.com/download/f/7/1/f71adf6e-dbab-48a2-9a29-9e481110fd55/SCWQuickStartDoc.doc

Windows Vista Improvements: 

Windows Vista Improvements
- Extended coverage
- Reliable and efficient application of policy
- Ease of use

Group Policy Service: 

Group Policy Service
- Group Policy processing moves out of Winlogon into its own service (gpsvc)
- More efficient
- The service has been hardened

Network Awareness: 

Network Awareness
- Earlier versions detect the network and slow links with ICMP pings ("ping, ping, ping"), which fail when ICMP is blocked
- Vista uses Network Location Awareness (NLA) instead, so policy is applied when the network becomes available, including when connecting over VPN

Group Policy Management Console: 

Events and Logging: 

Slide37: 

DEMO Using Group Policy Features

Administrative Template Files: 

Choosing the Right Settings: 

Choosing the Right Settings. Examples of expanded policy settings:
- BITS Client
- Help
- Disk Failure Diagnostics
- DVD Video Burning
- MMTP
- Network Quarantine
- Security Protection
- Shell Application Management
- UAC

Security Pain Points: 

Security Pain Points
- Spyware and viruses
- Users over-privileged
- Lost productivity
- Administrative cost
- Secure by default

UAC Policy Settings: 

Slide45: 

DEMO Defining UAC Settings with Group Policy

Slide46: 

Longhorn Server Active Directory Sneak Peek
- Restartable Active Directory
- Read-only domain controllers

Slide47: 

Longhorn Server: Introduction to Restartable Active Directory
- Restart Active Directory without rebooting
- Can be done through the command line and MMC
- Can't boot the DC into the stopped mode of Active Directory
- No effect on unrelated services while restarting Active Directory
- Several ways to process logon under stopped mode

Slide48: 

Longhorn Server: Benefits of Restartable Active Directory
- Reduces time for offline operations
- Improves availability for other services on the DC when Active Directory is stopped
- Reduces overall DC servicing requirements with Server Core

Longhorn Server Read Only DC: 

Read-Only DC: how it works (secret caching during first logon)

1) AS_REQ (request for a TGT) is sent to the RODC
2) RODC looks in its database: "I don't have the user's secrets"
3) RODC forwards the request to a Windows Server "Longhorn" hub DC
4) The hub DC authenticates the request
5) The hub DC returns the authentication response and the TGT to the RODC
6) The RODC gives the TGT to the user and queues a replication request for the secrets. Note: at this point the user holds a hub-signed TGT
7) The hub DC checks the Password Replication Policy to see whether the password can be replicated to the RODC
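The step-7 decision seen from the administrator's side, as an added example that is not part of the presentation: read an RODC's Password Replication Policy, list which secrets the hub has actually replicated to it, and flag any service administrator account whose secret is cached on the branch box (a stolen RODC yields exactly those secrets). It uses cmdlets from the ActiveDirectory module of Windows Server 2008 R2 and later, which postdate this talk; the RODC name is an assumption.

```powershell
# Added example, not from the presentation. Requires the ActiveDirectory module
# (Windows Server 2008 R2+). The RODC name passed in is an assumption.
Import-Module ActiveDirectory

function Get-RodcSecretExposure {
    param([Parameter(Mandatory)][string]$Rodc)

    # The policy the hub consults in step 7: who may and may not be cached here.
    $allowed = Get-ADDomainControllerPasswordReplicationPolicy -Identity $Rodc -Allowed
    $denied  = Get-ADDomainControllerPasswordReplicationPolicy -Identity $Rodc -Denied

    # What has actually happened: secrets already replicated to this RODC, and
    # accounts that authenticated through it (cached or forwarded to the hub).
    $revealed      = @(Get-ADDomainControllerPasswordReplicationPolicyUsage -Identity $Rodc -RevealedAccounts)
    $authenticated = @(Get-ADDomainControllerPasswordReplicationPolicyUsage -Identity $Rodc -AuthenticatedAccounts)

    # Service administrator accounts (recursively) whose secrets must never sit on a branch RODC.
    $adminGroups = 'Domain Admins', 'Enterprise Admins', 'Schema Admins', 'Administrators',
                   'Account Operators', 'Server Operators', 'Backup Operators'
    $adminDns = foreach ($g in $adminGroups) {
        Get-ADGroup -Filter "name -eq '$g'" |
            Get-ADGroupMember -Recursive -ErrorAction SilentlyContinue |
            Select-Object -ExpandProperty DistinguishedName
    }
    $cachedAdmins = $revealed | Where-Object { $adminDns -contains $_.DistinguishedName }

    [pscustomobject]@{
        Rodc                   = $Rodc
        AllowedToCache         = $allowed | Select-Object -ExpandProperty Name
        DeniedToCache          = $denied  | Select-Object -ExpandProperty Name
        RevealedCount          = $revealed.Count
        # Users who logged on through this RODC but are still forwarded to the hub every time
        AuthenticatedNotCached = ($authenticated | Where-Object { $_.DistinguishedName -notin $revealed.DistinguishedName }).Name
        # Anything listed here is a finding: a service admin secret on a branch DC
        CachedAdminAccounts    = $cachedAdmins.Name
    }
}

Get-RodcSecretExposure -Rodc 'BRANCH-RODC01'   # assumed RODC name
```

If `CachedAdminAccounts` is non-empty, the fix is to make sure those accounts are in the Denied RODC Password Replication Group (deny wins over allow in the PRP) and then reset their passwords, since the secret already on the RODC is not recalled by a policy change.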

Longhorn Server Read Only DC: 

Longhorn Server Read-Only DC: application compatibility
- Planning to support: ADFS, DNS, DHCP, FRS V1, DFSR (FRS V2), Group Policy, IAS/VPN, DFS, SMS, ADSI queries, MOM
- Best effort: generic LDAP apps which support write referrals and can tolerate write failures if the WAN is offline
- An application guidance whitepaper will be published by Beta 2; it will include a checklist to verify RODC app compatibility

Summary: 

Summary
- Secure administrative accounts
- Use existing features of Group Policy to enhance network control
- Use .ADM files to extend GPO controls
- Anticipate changes in the Windows Vista / Longhorn timeframe
