Harness AD Sharck
Added: June 16, 2007

Presentation Transcript

Slide1: Harness the Power of Active Directory
Presented by Chris Henley
chenley@microsoft.com
Blogs.TechNet.com/chenley

Active Directory Security: Hacker Goals
- Footprint (Gather info about the network)
- Scan (Find all available points of entry)
- Enumerate (Intrusion and Exploitation)
- Get The Admin Account and Password!!!
Hacking Exposed: Network Security Secrets & Solutions, 5th Ed., McClure, Scambray and Kurtz; McGraw Hill, Emeryville, CA, 2005

Active Directory Security: Securing the Administrator Account
Understanding Admin Accounts
- The default administrator account
- Any account to which you directly assign administrative privileges
- Any additional account to which you assign membership in an administrative group
Diagram labels: Admin Groups, Admin Accounts

Slide5: DEMO Protecting the Administrators Account

Slide6: Active Directory Security: Securing the Administrator Account: Recommendations
- Be aware of the 500 SIDs
- Rename Administrators Account
- Change Description on Account
- Create a Decoy
- Use Group Policy Restricted Accounts Setting
- Control Local Admin Accounts and Active Directory Accounts
http://www.microsoft.com/technet/security/topics/networksecurity/sec_ad_admin_groups.mspx

Slide7: Active Directory Security: Securing the Administrative Services Accounts
What about all of those Administrative Service Accounts?
- Enterprise Admins
- Schema Admins
- Administrators
- Domain Admins
- Server Operators
- Account Operators
- Backup Operators
- DS Restore Mode Administrator
- AdminSDHolder
Diagram label: Admin Groups

Slide8: Active Directory Security: Securing the Administrative Services Accounts
What about all of those Administrative Service Accounts?
- Create Controlled Subtree OUs

Slide9: Active Directory Security: Securing the Administrative Services Accounts
What about all of those Administrative Service Accounts?
- Create the OU structure.
- Set the permissions.
- Move service administrator groups.
- Move service administrator user accounts.
- Move service administrator workstation accounts.
- Enable auditing on the controlled subtree OUs.

Slide10: DEMO Administrative Service Architecture

Slide11: Active Directory Security: Securing the Administrative Services Accounts: Recommendations
- Create the OUs
- Assign permissions as directed
- Move the service groups
- Don't forget Administrators, Server Operators, Account Operators, and Backup Operators cannot be moved
- Don't forget to include your decoy Admin Account
- Auditing, Auditing, Auditing
Securing Active Directory Administrative Groups and Accounts: http://www.microsoft.com/technet/security/topics/networksecurity/sec_ad_admin_groups.mspx

When is Group Policy Applied?

Administrative Template Extension:
- Simple way to configure policy
- Largest Group Policy extension
- .ADM files enable user interface

Using ADM Template Extensions

Slide16: DEMO Reviewing ADM Templates

Custom ADM Templates:
- Increase security
- Disable interface options
- Disable confusing items
- Control data
- Configure all settings
- Create unsupported policy

Registry Policies:
- HKEY_LOCAL_MACHINE\SOFTWARE\policies
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies
- HKEY_CURRENT_USER\SOFTWARE\policies
- HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies

Slide20: DEMO Customizing ADM Templates

Software Restriction Policies:
Diagram label: Application started

Group Policy Software Deployment

Exclude Accounts from Group Policy

Slide25: DEMO Configuring Group Policy ACLs

Delegating Control of GPOs

Security Configuration and Analysis

Security Configuration Wizard:
download.microsoft.com/download/f/7/1/f71adf6e-dbab-48a2-9a29-9e481110fd55/SCWQuickStartDoc.doc

Windows Vista Improvements:
- Extended Coverage
- Reliable and Efficient Application of Policy
- Ease of Use

Group Policy Service:
- More efficient
- Service has been hardened
Diagram labels: Group Policy Service, Winlogon

Network Awareness:
Diagram labels: Ping; Connecting over VPN

Group Policy Management Console

Events and Logging

Slide37: DEMO Using Group Policy Features

Administrative Template Files

Choosing the Right Settings:
Examples of Expanded Policy Settings:
- BITS
- Client Help
- Disk Failure Diagnostics
- DVD Video Burning
- MMTP
- Network Quarantine
- Security Protection
- Shell Application Management
- UAC

Security Pain Points:
- Spyware and viruses
- Users over-privileged
- Lost productivity
- Administrative cost
- Secure by default

UAC Policy Settings

Slide45: DEMO Defining UAC Settings with Group Policy

Slide46: Longhorn Server Active Directory Sneak Peek
- Restartable Active Directory
- Read-only domain controllers

Slide47: Longhorn Server Restartable Active Directory
Introduction to Restartable Active Directory
- Restart Active Directory without rebooting
- Can be done through command line and MMC
- Can't boot the DC to stopped mode of Active Directory
- No effect on non-related services while restarting Active Directory
- Several ways to process login under stopped mode

Slide48: Longhorn Server Restartable Active Directory
Benefits of Restartable Active Directory
- Reduces time for offline operations
- Improves availability for other services on DC when Active Directory is stopped
- Reduces overall DC servicing requirements with Server Core

Longhorn Server Read Only DC:
How it works: Secret caching during first logon
1) AS_Req sent to RODC (request for TGT)
2) RODC: Looks in DB: 'I don't have the user's secrets'
3) Forwards Request to Windows Server 'Longhorn' DC
4) Windows Server 'Longhorn' DC authenticates request
5) Returns authentication response and TGT back to the RODC
6) RODC gives TGT to User and Queues a replication request for the secrets
7) Hub DC checks Password Replication Policy to see if Password can be replicated
Note: At this point the user will have a hub signed TGT
Diagram labels: Hub, Windows Server 'Longhorn'

Longhorn Server Read Only DC:
- Planning to Support: ADFS, DNS, DHCP, FRS V1, DFSR (FRS V2), Group Policy, IAS/VPN, DFS, SMS, ADSI queries, MOM
- Best Effort: Generic LDAP apps which support write referrals and can tolerate write failures if WAN is offline.
- Application guidance whitepaper will be published by Beta2
- Will include checklist to verify RODC app compatibility

Summary:
- Secure Administrative Accounts
- Use existing Features of Group Policy to enhance network Control
- Use .Adm Files to extend GPO Controls
- Anticipate changes in Windows Vista/Longhorn Timeframe
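The "Be aware of the 500 SIDs" recommendation from the Securing the Administrator Account slide, as an added example that is not part of the original deck: renaming the built-in Administrator does not change its SID, which always ends in RID 500, so an audit should find the account by SID and then check the rename, description and decoy recommendations. The account records, the domain SID and the function names are constructed for illustration.

```python
import struct

# Description Windows assigns to the built-in Administrator by default.
DEFAULT_DESC = "Built-in account for administering the computer/domain"

def sid_from_bytes(raw):
    """Decode a binary SID (the form of the LDAP objectSid attribute)."""
    if len(raw) < 8 or len(raw) != 8 + 4 * raw[1]:
        raise ValueError("malformed SID")
    authority = int.from_bytes(raw[2:8], "big")         # 48-bit, big-endian
    subs = struct.unpack("<%dI" % raw[1], raw[8:])      # 32-bit, little-endian
    return "S-%d-%d" % (raw[0], authority) + "".join("-%d" % s for s in subs)

def sid_to_bytes(sid):
    """Inverse of sid_from_bytes; used here only to build the sample data."""
    parts = sid.split("-")                              # ["S", rev, authority, sub...]
    subs = [int(p) for p in parts[3:]]
    return (bytes([int(parts[1]), len(subs)]) + int(parts[2]).to_bytes(6, "big")
            + struct.pack("<%dI" % len(subs), *subs))

def audit_builtin_admin(accounts):
    """Check the slide's recommendations against a list of account records."""
    report = {"builtin": None, "renamed": False, "description_changed": False, "decoys": []}
    for acct in accounts:
        sid = sid_from_bytes(acct["objectSid"])
        if sid.startswith("S-1-5-21-") and sid.endswith("-500"):
            report["builtin"] = acct["name"]            # found by SID, not by name
            report["renamed"] = acct["name"].lower() != "administrator"
            report["description_changed"] = acct["description"] != DEFAULT_DESC
        elif acct["name"].lower() == "administrator":
            report["decoys"].append(sid)                # carries the name, not RID 500
    return report

# Constructed sample data: the domain SID and account names are made up.
DOMAIN = "S-1-5-21-1111111111-2222222222-3333333333"
SAMPLE = [
    {"name": "svc-maint", "description": "Maintenance account",
     "objectSid": sid_to_bytes(DOMAIN + "-500")},
    {"name": "Administrator", "description": DEFAULT_DESC,
     "objectSid": sid_to_bytes(DOMAIN + "-1105")},
    {"name": "jdoe", "description": "",
     "objectSid": sid_to_bytes(DOMAIN + "-1106")},
]

if __name__ == "__main__":
    print(audit_builtin_admin(SAMPLE))
```

Logon attempts against any SID listed under `decoys` are the events worth auditing, since no legitimate administrator uses that account.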
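A review aid for the Custom ADM Templates and Registry Policies slides, added here and not part of the original deck: it reads a template's CLASS, CATEGORY, POLICY and KEYNAME lines and reports whether each policy writes under one of the four listed branches. Values written elsewhere behave as preferences and stay in the registry after the GPO stops applying. The sample template and the `review_adm` name are constructed for illustration.

```python
import re

# Branches from the "Registry Policies" slide, relative to the HKLM/HKCU root.
POLICY_BRANCHES = ("software\\policies\\", "software\\microsoft\\windows\\currentversion\\policies\\")
HIVES = {"MACHINE": "HKEY_LOCAL_MACHINE", "USER": "HKEY_CURRENT_USER"}
TOKEN = re.compile(r'^(END\s+\w+|\w+)(?:\s+(?:"([^"]*)"|(\S+)))?', re.I)

def review_adm(text):
    """Return [(policy name, full registry key, in_policy_branch)] for an ADM file."""
    results, hive, category_keys, policy, policy_key = [], "<no CLASS>", [], None, None
    for raw in text.splitlines():
        m = TOKEN.match(raw.strip())
        if not m:                                    # blank line or ';' comment
            continue
        word = " ".join(m.group(1).upper().split())  # normalise "END  POLICY"
        arg = m.group(2) or m.group(3)
        if word == "CLASS":
            hive = HIVES.get((arg or "").upper(), hive)
        elif word == "CATEGORY":
            category_keys.append(None)               # may be filled by a KEYNAME
        elif word == "END CATEGORY" and category_keys:
            category_keys.pop()
        elif word == "POLICY":
            policy, policy_key = arg, None
        elif word == "KEYNAME" and policy is not None:
            policy_key = arg                         # policy-level key wins
        elif word == "KEYNAME" and category_keys:
            category_keys[-1] = arg                  # inherited by nested policies
        elif word == "END POLICY":
            key = policy_key or next((k for k in reversed(category_keys) if k), "")
            ok = (key.lower().strip("\\") + "\\").startswith(POLICY_BRANCHES)
            results.append((policy, hive + "\\" + key, ok))
            policy = None
    return results

# Constructed sample template; the vendor name, keys and values are made up.
SAMPLE_ADM = r'''
CLASS MACHINE
CATEGORY "Example Corp Agent"
  KEYNAME "Software\Policies\ExampleCorp\Agent"
  POLICY "Disable update prompt"
    VALUENAME "NoUpdatePrompt"
  END POLICY
END CATEGORY
CLASS USER
CATEGORY "Example Corp Agent"
  POLICY "Hide settings page"
    KEYNAME "Software\ExampleCorp\Agent"
    VALUENAME "HideSettings"
  END POLICY
END CATEGORY
'''
for name, key, ok in review_adm(SAMPLE_ADM):
    print("policy    " if ok else "PREFERENCE", key, "-", name)
```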