
Secure your Active Directory Environment



  1. Secure your Active Directory Environment Juan Martinez Information Security Consultant International Network Services

  2. Agenda • Active Directory design issues • Trust Relationships • Schema Protection • Firewall Considerations • Protecting Service Management • Group Policy Architecture • System Hardening

  3. Active Directory Design Issues

  4. Security Boundaries • Forest – security boundary • Domain – boundaries for administration • Why is the forest the security boundary? • Forest-level service management • Implicit transitive trusts between all domains in a forest.

  5. Forest-level Service Management

  6. Implicit Transitive Trusts

  7. Domain Trust Vulnerability • A user’s authorization data (the SIDs in the Kerberos PAC or NTLM token, including SIDHistory) is built by the user’s own domain

  8. Domain Trust Vulnerability • Without filtering, the trusting domain accepts those SIDs as-is • An administrator of the trusted domain can therefore add the SID of a privileged group of the trusting domain (e.g. via SIDHistory) and receive its access

  9. Domain Trust Vulnerability • Solution: SID Filtering – the trusting domain discards every SID the trusted domain is not authoritative for

  10. Design Implications • You can’t delete trusts between domains in a forest • You can’t implement SID Filtering between domains in a forest • Well… you can set it, but it breaks forest-wide groups such as Enterprise Admins and any access that relies on SIDHistory • So… a domain can’t be considered a security boundary • All Domain Admins in the forest must be trusted
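Slides 7–10 describe the problem that SID filtering solves without showing the mechanism. The following PowerShell is an added example, not part of the deck: it simulates the quarantine rule a trusting domain applies to the SIDs it receives over an external trust, first with filtering off (the vulnerability) and then with it on. All domain SIDs and RIDs are constructed for illustration; real SID filtering follows the tables in MS-PAC and treats forest trusts and some well-known SIDs differently.

```powershell
# Added example, not from the deck. Simulates the "quarantine" rule of SID
# filtering: a trusting domain keeps only SIDs whose domain part matches the
# domain SID recorded on the trust. All SIDs below are constructed.

function Get-DomainSidOfSid {
    param([Parameter(Mandatory)][string]$Sid)
    $s = New-Object System.Security.Principal.SecurityIdentifier($Sid)
    # AccountDomainSid is $null for non-domain SIDs (S-1-5-32-544, S-1-1-0, ...)
    if ($s.AccountDomainSid) { $s.AccountDomainSid.Value } else { $null }
}

function Invoke-SidFilter {
    # Returns what the trusting domain keeps (Allowed) and discards (Dropped).
    param(
        [Parameter(Mandatory)][string[]]$AuthorizationSids,  # SIDs received from the trusted domain
        [Parameter(Mandatory)][string]$TrustedDomainSid,     # domain SID stored on the trust object
        [switch]$FilteringDisabled                           # behaviour before SID filtering existed
    )
    $allowed = New-Object System.Collections.Generic.List[string]
    $dropped = New-Object System.Collections.Generic.List[string]
    foreach ($sid in $AuthorizationSids) {
        $domain = Get-DomainSidOfSid -Sid $sid
        if ($FilteringDisabled -or ($domain -eq $TrustedDomainSid)) {
            $allowed.Add($sid)
        } else {
            # Any SID not issued by the trusted domain is discarded, including
            # SIDHistory entries that name groups of the trusting forest and
            # BUILTIN SIDs that a trusted domain has no business sending.
            $dropped.Add($sid)
        }
    }
    [pscustomobject]@{ Allowed = $allowed.ToArray(); Dropped = $dropped.ToArray() }
}

# Constructed demo data
$partnerDomainSid = 'S-1-5-21-1111111111-2222222222-3333333333'   # trusted (partner) domain
$ourRootDomainSid = 'S-1-5-21-4444444444-5555555555-6666666666'   # trusting forest root

$token = @(
    "$partnerDomainSid-1105",   # the partner user
    "$partnerDomainSid-513",    # partner Domain Users
    "$ourRootDomainSid-519",    # injected via SIDHistory: OUR Enterprise Admins
    "$ourRootDomainSid-512",    # injected via SIDHistory: OUR Domain Admins
    'S-1-5-32-544'              # BUILTIN\Administrators
)

'--- Trust without SID filtering (the vulnerability on slides 7-8) ---'
(Invoke-SidFilter -AuthorizationSids $token -TrustedDomainSid $partnerDomainSid -FilteringDisabled).Allowed

'--- Same token with quarantine (SID filtering) enabled ---'
$result = Invoke-SidFilter -AuthorizationSids $token -TrustedDomainSid $partnerDomainSid
'Allowed: ' + ($result.Allowed -join ', ')
'Dropped: ' + ($result.Dropped -join ', ')
```

Without filtering, the two injected SIDs (RIDs 519 and 512 of the trusting forest) survive and the partner user is an Enterprise Admin on our side; with quarantine only the two SIDs carrying the partner's domain SID remain. This is also why the trust inside a forest cannot be fixed the same way: intra-forest domains must honor each other's SIDs (Enterprise Admins, SIDHistory after migrations), so every Domain Admin in the forest is effectively a forest admin.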

  11. Design Spec – Empty Root

  12. DMZ Considerations • Preferred –> no AD systems in DMZ • Extranet considerations • Separate forest to provide isolation • Administrators that span forests should have separate accounts for each

  13. Trust Relationships

  14. Restricting Trust Relationships • SID Filtering • Enabled by default for external or forest trusts created on Windows Server 2003 or later; trusts created earlier must be quarantined manually

  15. Restricting Trust Relationships • Limit the trust • Name suffix routing: a TopLevelExclusion record stops a name suffix from being routed over a forest trust • Selective Authentication vs. Forest-wide Authentication • Selective authentication – users from the trusted domain can only authenticate to computers whose object grants them the “Allowed to Authenticate” permission (with forest-wide authentication they are treated as Authenticated Users everywhere) • Use carefully – every resource server needs the permission set explicitly
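As an added example (not from the deck), this PowerShell audits every trust of a domain for the controls on slides 14–15 and prints the netdom command that would tighten each one. It reads the trustAttributes bits directly (values from MS-ADTS 6.1.6.7.9) rather than relying on the cmdlet's derived properties. It assumes the ActiveDirectory RSAT module and read access to the domain; the bit constants and function names are mine.

```powershell
# Added example, not from the deck. Audits trusts for SID filtering and
# selective authentication and prints the netdom remediation for each gap.
Import-Module ActiveDirectory

# trustAttributes bits (MS-ADTS 6.1.6.7.9)
$QUARANTINED_DOMAIN = 0x4    # SID filtering "quarantine" on an external trust (netdom /quarantine:yes)
$FOREST_TRANSITIVE  = 0x8
$CROSS_ORGANIZATION = 0x10   # selective authentication
$WITHIN_FOREST      = 0x20
$TREAT_AS_EXTERNAL  = 0x40   # forest trust relaxed by netdom /enablesidhistory:yes

function Get-TrustFinding {
    param([string]$Domain = (Get-ADDomain).DNSRoot)

    foreach ($t in (Get-ADTrust -Filter * -Server $Domain -Properties *)) {
        $attr  = [int]$t.TrustAttributes
        $notes = @()
        $fixes = @()
        # Filtering and selective auth matter where WE are the trusting side,
        # i.e. the trust is Outbound or BiDirectional from this domain's view.
        $weTrustThem = ($t.Direction -ne 'Inbound')
        $intraForest = [bool]($attr -band $WITHIN_FOREST)

        if ($intraForest) {
            $notes += 'intra-forest: cannot be removed or quarantined (slide 10)'
        }
        elseif ($attr -band $FOREST_TRANSITIVE) {
            if ($attr -band $TREAT_AS_EXTERNAL) {
                $notes += 'forest trust with SID history enabled: filtering relaxed to external-trust rules'
                $fixes += "netdom trust $Domain /domain:$($t.Target) /enablesidhistory:no"
            }
        }
        else {
            if (-not ($attr -band $QUARANTINED_DOMAIN)) {
                $notes += 'external trust without SID filtering (quarantine)'
                $fixes += "netdom trust $Domain /domain:$($t.Target) /quarantine:yes"
            }
        }

        if ($weTrustThem -and -not $intraForest -and -not ($attr -band $CROSS_ORGANIZATION)) {
            $notes += 'forest-wide authentication: every trusted user is Authenticated Users here'
            $fixes += "netdom trust $Domain /domain:$($t.Target) /selectiveauth:yes   # then grant 'Allowed to Authenticate' on each resource computer"
        }

        [pscustomobject]@{
            Trust       = $t.Name
            Direction   = $t.Direction
            Attributes  = ('0x{0:X}' -f $attr)
            Findings    = ($notes -join '; ')
            Remediation = ($fixes -join "`n")
        }
    }
}

Get-TrustFinding | Format-List
```

Run it from each domain that has trusts; a trust shows up on both sides, but the filtering and authentication settings that protect you are the ones on the trusting (outbound) side. Name suffix routing is not exposed by Get-ADTrust; list and toggle it with `netdom trust <trusting> /domain:<trusted> /namesuffixes:<trusted>` and `/togglesuffix`.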

  16. Protect the Schema

  17. Soft Controls • Protecting the AD Schema is more about following sound security practices than technical solutions • Policy • Guidelines • Configuration Management • Roles / responsibilities

  18. Schema Policy • Ownership • Management of schema naming prefix • Delegating OIDs • Configuration Management • Define evaluation criteria for proposed schema extensions • Provide final approval/disapproval • Maintenance and documentation

  19. Soft Controls • Guidelines • Configuration management evaluation criteria • OID Maintenance • Documentation • Splitting application deployment • Schema testing guidelines • Access Control • Most important – protect the Schema Admins group! Keep it empty except while an approved change is being applied

  20. Firewall Considerations

  21. Firewall Considerations • Firewall the Root domain? • No real security gained, just added complexity • Firewall the Schema Master?

  22. Firewall the Schema Master

  23. Firewall Considerations • When a firewall exists between Active Directory systems • Use IPsec between the systems rather than opening the RPC dynamic port range

  24. Protecting Service Management

  25. Stronger Password Policies • Policy: stronger password requirements for “elevated privilege” accounts • The password policy is set once per domain, so two options: • Custom password complexity requirements (password filter) • Store all service management accounts in the forest root domain and give that domain the stronger policy

  26. Stronger Password Policies • Controlled OU structure in forest root domain

  27. Controlled OU Security

  28. Controlled OU Audit Settings

  29. Gotchas • Several issues with the separate-domain model for service management accounts • Domain Admins is a global group, so accounts from the root domain can’t be added to a child domain’s Domain Admins directly • A custom “Domain Admin”-type group must be granted Domain Admin-level permissions instead • Procedures must be followed closely

  30. Best Practices • Restrict membership of administrative groups to accounts within the forest • Separate accounts for administration and daily use • Limit cached credentials on administrative systems • Review the default service management accounts • Don’t use Account Operators, Server Operators
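The checks behind slides 25–30 can be scripted. The following PowerShell is an added example, not part of the deck: for each domain in the forest it summarizes the domain password policy, lists who is in the privileged groups (expanding nested membership server-side with the LDAP_MATCHING_RULE_IN_CHAIN rule), flags Account Operators and Server Operators if they are in use, flags members that come from outside the forest (foreign security principals), and reads the local cached-logon count. It assumes the ActiveDirectory RSAT module; the function names are mine.

```powershell
# Added example, not from the deck. Audits privileged group membership,
# per-domain password policy and cached logons for the whole forest.
Import-Module ActiveDirectory

# LDAP_MATCHING_RULE_IN_CHAIN expands nested membership server-side
$InChain = '1.2.840.113556.1.4.1941'

function Get-PrivilegedGroupReport {
    param([Parameter(Mandatory)][string]$Domain)

    $domainSid = (Get-ADDomain -Server $Domain).DomainSID.Value
    # Well-known RIDs / BUILTIN SIDs; Schema and Enterprise Admins exist only in the root domain
    $targets = [ordered]@{
        'Domain Admins'     = "$domainSid-512"
        'Enterprise Admins' = "$domainSid-519"
        'Schema Admins'     = "$domainSid-518"
        'Administrators'    = 'S-1-5-32-544'
        'Account Operators' = 'S-1-5-32-548'   # should be empty (slide 30)
        'Server Operators'  = 'S-1-5-32-549'   # should be empty (slide 30)
    }

    foreach ($name in $targets.Keys) {
        try { $g = Get-ADGroup -Identity $targets[$name] -Server $Domain -ErrorAction Stop }
        catch { continue }   # e.g. Enterprise Admins queried in a child domain

        $dn      = $g.DistinguishedName
        $users   = @(Get-ADUser -Server $Domain -LDAPFilter "(memberOf:$InChain:=$dn)" -Properties PasswordNeverExpires, PasswordLastSet)
        $foreign = @(Get-ADObject -Server $Domain -LDAPFilter "(&(objectClass=foreignSecurityPrincipal)(memberOf:$InChain:=$dn))")

        $flags = @()
        if (($name -in @('Account Operators', 'Server Operators')) -and ($users.Count + $foreign.Count -gt 0)) {
            $flags += 'operator group in use'
        }
        if ($foreign.Count -gt 0) { $flags += 'members from outside the forest' }
        $neverExpire = @($users | Where-Object PasswordNeverExpires)
        if ($neverExpire.Count -gt 0) { $flags += "$($neverExpire.Count) account(s) with non-expiring password" }

        [pscustomobject]@{
            Domain  = $Domain
            Group   = $name
            Users   = $users.Count
            Foreign = $foreign.Count
            Members = (($users | ForEach-Object SamAccountName) -join ', ')
            Flags   = ($flags -join '; ')
        }
    }
}

function Get-DomainPasswordPolicySummary {
    param([Parameter(Mandatory)][string]$Domain)
    $p = Get-ADDefaultDomainPasswordPolicy -Identity $Domain
    [pscustomobject]@{
        Domain       = $Domain
        MinLength    = $p.MinPasswordLength
        Complexity   = $p.ComplexityEnabled
        MaxAgeDays   = $p.MaxPasswordAge.Days
        LockoutAfter = $p.LockoutThreshold
        History      = $p.PasswordHistoryCount
    }
}

# Number of domain logons cached on this machine (slide 30, "cached credentials")
function Get-CachedLogonsCount {
    (Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon' -Name CachedLogonsCount).CachedLogonsCount
}

foreach ($d in (Get-ADForest).Domains) {
    Get-DomainPasswordPolicySummary -Domain $d | Format-Table -AutoSize
    Get-PrivilegedGroupReport -Domain $d | Format-Table -AutoSize
}
"CachedLogonsCount on this host: $(Get-CachedLogonsCount)"
```

Comparing the root domain's policy row with the child domains' rows shows whether the "service management accounts in the root" model on slides 25–26 actually buys a stronger policy; the Foreign column catches members added from another forest, which slide 30 says to avoid.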

  31. Group Policy Architecture

  32. The Basics

  33. The Problem • How do I enforce enterprise-wide security policies? • Problem • Domains are boundaries for Group Policy • Possible solutions • Site-level GPOs • Non-technical solutions

  34. Site-Level GPOs

  35. Disadvantages • UGLY!!! • Replication issues • Performance issues • Site GPOs are stored in the forest root domain, so every site needs reachable root DCs • Does not apply to password policies – those only take effect from GPOs linked at the domain • Non-technical solutions can be just as effective

  36. Group Policy Best Practices • Local Group Policy vs. Domain Group Policy • Use synchronous (foreground) processing – “Always wait for the network at computer startup and logon” • Security Policy Processing • Process even if the Group Policy objects have not changed, so a locally tampered setting is re-applied • Explore capabilities • Extend group policy

  37. Group Policy Best Practices • Minimize use of “block policy inheritance” and “Enforce” options • Limit number of GPOs • Link GPOs as closely as possible • Disable user/computer configuration when possible • Avoid cross domain linking of GPOs
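Slide 37 lists practices that are easy to state and easy to drift from. The following PowerShell is an added example, not from the deck: it walks the domain root and every OU, reports blocked inheritance, enforced links and cross-domain links, lists GPOs linked nowhere, and flags GPOs whose user or computer half has never been edited (DSVersion 0) but is still enabled. It assumes the GroupPolicy and ActiveDirectory RSAT modules; the function name and the DSVersion heuristic are mine.

```powershell
# Added example, not from the deck. Audits GPO links and GPO status against
# the practices on slide 37.
Import-Module GroupPolicy
Import-Module ActiveDirectory

function Get-GpoLinkFinding {
    param([string]$Domain = (Get-ADDomain).DNSRoot)

    $domainDn   = (Get-ADDomain -Server $Domain).DistinguishedName
    $containers = @($domainDn) + @(Get-ADOrganizationalUnit -Filter * -Server $Domain | ForEach-Object DistinguishedName)
    $linkedIds  = @{}

    foreach ($dn in $containers) {
        $inh = Get-GPInheritance -Target $dn -Domain $Domain
        if ($inh.GpoInheritanceBlocked) {
            [pscustomobject]@{ Scope = $dn; GPO = '-'; Finding = 'Block inheritance set' }
        }
        foreach ($link in $inh.GpoLinks) {
            $linkedIds[$link.GpoId.ToString()] = $true
            if ($link.Enforced) {
                [pscustomobject]@{ Scope = $dn; GPO = $link.DisplayName; Finding = 'Enforced link' }
            }
            if ($link.GpoDomainName -ne $Domain) {
                [pscustomobject]@{ Scope = $dn; GPO = $link.DisplayName; Finding = "Cross-domain link from $($link.GpoDomainName)" }
            }
        }
    }

    foreach ($gpo in Get-GPO -All -Domain $Domain) {
        if (-not $linkedIds.ContainsKey($gpo.Id.ToString())) {
            [pscustomobject]@{ Scope = $Domain; GPO = $gpo.DisplayName; Finding = 'Not linked to the domain or any OU' }
        }
        # DSVersion 0 means that half of the GPO has never been edited (heuristic)
        if ($gpo.User.DSVersion -eq 0 -and ($gpo.GpoStatus -notin @('UserSettingsDisabled', 'AllSettingsDisabled'))) {
            [pscustomobject]@{ Scope = $Domain; GPO = $gpo.DisplayName; Finding = 'User configuration empty but enabled' }
        }
        if ($gpo.Computer.DSVersion -eq 0 -and ($gpo.GpoStatus -notin @('ComputerSettingsDisabled', 'AllSettingsDisabled'))) {
            [pscustomobject]@{ Scope = $Domain; GPO = $gpo.DisplayName; Finding = 'Computer configuration empty but enabled' }
        }
    }
}

"GPOs in domain: $(@(Get-GPO -All).Count)"
@(Get-GpoLinkFinding) | Format-Table -AutoSize
```

Site-linked GPOs (slides 34–35) are not covered by Get-GPInheritance on OUs; pass a site's DN under CN=Sites,CN=Configuration as the target if you use them. Unlinked GPOs are only wasted space, but the enforced and cross-domain findings are the ones that make troubleshooting painful and that slide 37 says to minimize.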

  38. System Hardening

  39. Adopt a Baseline/Guideline • BASELINE !! • BASELINE !! • BASELINE !! • BASELINE !!

  40. Hardening Guideline Components • Preliminary security measures (done offline, before the system is on the network) • BIOS level protection • AV • Physical security • Patches • Verify software, shares, users

  41. Hardening Guideline Components • Apply group policy • Automatic OU placement at join time (netdom join … /OU:) so the right GPOs apply from the first boot • Manual hardening procedures • Set the Directory Services Restore Mode password (ntdsutil “set dsrm password”) • Verify functionality and security • Back-out procedures • Known vulnerabilities register

  42. Domain Controllers and DHCP • Don’t run DHCP on Domain Controllers if you’re using dynamic updates (DnsUpdateProxy group issue) • A DHCP server in DnsUpdateProxy registers DNS records without an owner so clients can take them over later; if that server is a DC, its own records are registered the same way and can be overwritten by any client
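As an added example (not from the deck), this PowerShell finds the combination slide 42 warns about: authorized DHCP servers that are also domain controllers, and whether any of them sits in DnsUpdateProxy. It assumes the ActiveDirectory and DhcpServer RSAT modules and that the group still carries its default name; the function name is mine.

```powershell
# Added example, not from the deck. Flags domain controllers that run DHCP and
# checks DnsUpdateProxy membership for each authorized DHCP server.
Import-Module ActiveDirectory
Import-Module DhcpServer

function Get-DhcpOnDcFinding {
    $dcs = @(Get-ADDomainController -Filter * | ForEach-Object { $_.HostName.ToLower() })
    # DHCP servers authorized in AD (CN=NetServices in the configuration partition)
    $authorized = @(Get-DhcpServerInDC | ForEach-Object { $_.DnsName.ToLower() })
    # Computer objects in DnsUpdateProxy; Name is the short host name
    $proxy = @(Get-ADGroupMember -Identity 'DnsUpdateProxy' -ErrorAction SilentlyContinue | ForEach-Object { $_.Name.ToLower() })

    foreach ($server in $authorized) {
        $isDc    = $server -in $dcs
        $inProxy = ($server.Split('.')[0]) -in $proxy
        if ($isDc -and $inProxy) {
            $finding = 'DC runs DHCP and is in DnsUpdateProxy: its DNS records are registered without an owner; move DHCP to a member server'
        } elseif ($isDc) {
            $finding = 'DC runs DHCP: keep it out of DnsUpdateProxy and plan to move the role'
        } else {
            $finding = 'ok'
        }
        [pscustomobject]@{
            DhcpServer           = $server
            DomainController     = $isDc
            DnsUpdateProxyMember = $inProxy
            Finding              = $finding
        }
    }
}

Get-DhcpOnDcFinding | Format-Table -AutoSize
```

If DHCP cannot be moved off a DC immediately, giving the DHCP service a dedicated low-privilege account for its DNS registrations (Set-DhcpServerDnsCredential) and keeping the DC out of DnsUpdateProxy removes the ownerless-record problem; the deck's recommendation to separate the roles still stands.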

  43. Questions Juan Martinez – juan.martinezjr@ins.com www.ins.com
