Windows 2000 and Active Directory Security Guidelines • Tom Duke, Systems Engineer, RAZOR Team • Mel Pless, Systems Engineer, RAZOR Team
Agenda • Overview • Windows System Hardening Suggestions • Active Directory Security Suggestions • Security Best Practices Guidelines • Reminders • References
Role of Corporate Culture • Paramount to the success of an enterprise security program are the relationships among risk analysis, the organization’s culture, and security policy.
Security is Everyone’s Responsibility • A security policy should communicate to everyone in your organization the simple principle that information is a valuable asset and everyone is responsible for protecting it.
Philosophy of Protection • Security is embedded • Security is logically centralized but distributed globally • Security is applied to multiple layers • Security is an enabler, not a roadblock • External validation of security is required
Security Concepts • Need-to-Protect • Least Privilege • Separation of Duties • Defense in Depth • Role-based Access Control • Identification
Things To Remember • Policies are cross-platform • Implementations are not • Policies must be designed to be implemented • “Nirvana” security policies (ones so strict that nobody can actually comply with them) are not effective • Implementation should include • Ongoing auditing • Enforcement • Non-IT remedies • Leverage solutions to speed the process
System Hardening Intent • Process should result in a server with virtually everything locked down and disabled. • This should provide a secure base upon which to build. • After this procedure is completed, the services this machine is to offer can be selectively enabled.
Recommendations • Updated Patches • Service Packs • Hotfixes • High Encryption Pack • Enable Auditing • Set Password Policy • Account Lockout • User Rights • Event Log • Services • Other Settings
Updates • PATCH, PATCH, PATCH!!!
Implementing an Auditing Policy • Audit settings should be tested to see if: • They capture the expected events • Audit log data can be analyzed and understood • The amount of audit log data is manageable
Windows 2000 Auditing, RAZOR Recommendations • Enable auditing as follows: • Account Logon: Success, Failure • Account Management: Success, Failure • Directory Service Access: Failure • Logon Events: Success, Failure • Object Access: Failure • Policy Change: Success, Failure • Privilege Use: Failure • Process Tracking: no auditing • System Events: Success, Failure
Password Policy, RAZOR Recommendations • Enforce Password History: 7 passwords (or higher) • Maximum Password Age: 42 days (default) • Minimum Password Age: 0 days (default); note that with a minimum age of 0 a user can cycle through 7 changes in one sitting and return to the old password, so raise it to at least 1 day if history enforcement matters • Minimum Password Length: 7 characters • Password Must Meet Complexity Requirements: Enabled
Account Lockout Policy, RAZOR Recommendations • Account Lockout Duration: 10 minutes (or more) • Account Lockout Threshold: 5 invalid logon attempts • Reset account lockout counter after: 10 minutes (Windows requires this to be no longer than the lockout duration)
User Rights, RAZOR Recommendations • Never assign the following user rights to any user or group: • Act as part of the operating system • Create a token object • Create permanent shared objects • Debug programs • Generate security audits • Lock pages in memory • Manage auditing and security log* • Modify firmware environment variables • Replace a process level token • Synchronize directory service data • *The one exception is the dedicated Auditors group described under “Securing the Security Event Log”
User RightsRAZOR Recommendations • Access from the network: • Remove Everyone, User, Power Users, and Backup Operators (if possible) • Bypass traverse checking: • Change Everyone to Authenticated Users • Change system time: • Remove Power Users • Deny access to this computer from network: • Add ANONYMOUS LOGON • Deny logon as a batch job: • Add ANONYMOUS LOGON
User Rights (cont’d.)RAZOR Recommendations • Deny logon as a service: • Add ANONYMOUS LOGON • Deny logon locally: • Add ANONYMOUS LOGON • Log on locally: • Remove Users, Power Users, Guest, TsInternetUser • “EVERYONE” should not be listed in any right at this point
Event Log Settings, RAZOR Recommendations • Set each log to a minimum of 10 MB in size • If events are exported to a central repository, set retention to “Do not overwrite events” so a full log stops recording rather than silently discarding evidence; the central copy is the record • Otherwise, overwrite events as needed
Securing the Security Event Log • The Security Event Log records security events, including failed and unauthorized access attempts • Control over it (in particular the ability to clear it) should be limited • Create an “Auditors” group • Grant it the user right “Manage auditing and security log” • Remove Administrators from that right, so an administrator cannot clear the log without first visibly re-granting the right • This is a separation-of-duties control, not a hard boundary: anyone who can edit the policy can grant the right back
Service SettingsRAZOR Recommendations • All non-essential services should be disabled • Only enable services “as needed”
Other Settings, RAZOR Recommendations • Create a registry key HKLM\SYSTEM\CurrentControlSet\Control\Lsa\NoLmHash (on Windows 2000 SP2 and later the presence of this subkey stops the LM hash from being stored; on Windows XP/2003 and later the equivalent is a DWORD value NoLMHash=1 under the same Lsa key) • Reboot and change all passwords: existing LM hashes are only removed when each password is next changed • Rename the Administrator account • Unbind NetBIOS from TCP/IP on all adapters • Disable “Register this connection’s addresses in DNS” (dynamic DNS registration) • Disable LMHOSTS lookup
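The hardening settings on the preceding slides (auditing, password and lockout policy, user rights including the Auditors group’s hold on “Manage auditing and security log”, event log sizing, legal notice and last-logon display, and NoLmHash), encoded as one secedit security template and applied. This is an added example, not part of the RAZOR deck; the template format is the same .inf that Windows 2000’s secedit consumes, wrapped in PowerShell so it can be driven from a current administrative workstation. Assumed: a group named Auditors already exists, C:\razor is writable, the legal notice text is a placeholder, and the target is a stand-alone or member server (on a domain controller, password and lockout policy come from the Default Domain Policy GPO rather than a local template).

```powershell
# Added example, not from the RAZOR deck. Assumed: group "Auditors" exists,
# C:\razor is writable, stand-alone/member server (not a DC).
$Template = @'
[Unicode]
Unicode=yes
[Version]
signature="$CHICAGO$"
Revision=1

[System Access]
; Password policy: history 7, max age 42 days, min age 0, length 7, complexity on
PasswordHistorySize = 7
MaximumPasswordAge = 42
MinimumPasswordAge = 0
MinimumPasswordLength = 7
PasswordComplexity = 1
; Lockout: 5 bad attempts, locked 10 minutes, counter resets after 10 minutes
LockoutBadCount = 5
LockoutDuration = 10
ResetLockoutCount = 10

[Event Audit]
; 0 = none, 1 = success, 2 = failure, 3 = success and failure
AuditAccountLogon = 3
AuditAccountManage = 3
AuditDSAccess = 2
AuditLogonEvents = 3
AuditObjectAccess = 2
AuditPolicyChange = 3
AuditPrivilegeUse = 2
AuditProcessTracking = 0
AuditSystemEvents = 3

[Event Log]
; Sizes in KB: 10240 KB = the 10 MB minimum. Retention 0 = overwrite as needed;
; set 2 (never overwrite) only when the logs are shipped to a central collector.
MaximumLogSize = 10240
MaximumSecurityLogSize = 10240
MaximumApplicationLogSize = 10240
SecurityLogRetentionPeriod = 0

[Privilege Rights]
; An empty assignment strips every current holder of the right.
SeTcbPrivilege =
SeCreateTokenPrivilege =
SeCreatePermanentPrivilege =
SeDebugPrivilege =
SeAuditPrivilege =
SeLockMemoryPrivilege =
SeSystemEnvironmentPrivilege =
SeAssignPrimaryTokenPrivilege =
SeSyncAgentPrivilege =
; Manage auditing and security log: the Auditors group only, Administrators removed
SeSecurityPrivilege = Auditors
; SIDs: S-1-5-7 ANONYMOUS LOGON, S-1-5-11 Authenticated Users,
; S-1-5-32-544 Administrators, S-1-5-32-551 Backup Operators
SeNetworkLogonRight = *S-1-5-32-544
SeChangeNotifyPrivilege = *S-1-5-11,*S-1-5-32-544,*S-1-5-32-551
SeSystemtimePrivilege = *S-1-5-32-544
SeInteractiveLogonRight = *S-1-5-32-544,*S-1-5-32-551
SeDenyNetworkLogonRight = *S-1-5-7
SeDenyBatchLogonRight = *S-1-5-7
SeDenyServiceLogonRight = *S-1-5-7
SeDenyInteractiveLogonRight = *S-1-5-7

[Registry Values]
; 4 = REG_DWORD, 1 = REG_SZ. Notice text is a placeholder; use your legal department's wording.
MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System\DontDisplayLastUserName=4,1
MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System\LegalNoticeCaption=1,"Authorized Use Only"
MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System\LegalNoticeText=1,"Use of this system is monitored. Disconnect now if you are not authorized."
'@

$Dir = 'C:\razor'
New-Item -ItemType Directory -Path $Dir -Force | Out-Null
$Inf = Join-Path $Dir 'razor.inf'
Set-Content -Path $Inf -Value $Template -Encoding Unicode   # Unicode=yes above, so UTF-16

# Analyze first (differences go to the log), then configure from an elevated shell.
secedit /analyze   /db "$Dir\razor.sdb" /cfg $Inf /log "$Dir\analyze.log"
secedit /configure /db "$Dir\razor.sdb" /cfg $Inf /log "$Dir\configure.log"

# NoLmHash is not a template setting. Windows 2000 SP2+: the presence of a
# *subkey* named NoLmHash under Lsa disables LM hash storage. XP/2003 and
# later: a DWORD *value* NoLMHash=1 under the same key.
$Lsa = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
$Ver = [Environment]::OSVersion.Version
if ($Ver.Major -eq 5 -and $Ver.Minor -eq 0) {
    if (-not (Test-Path "$Lsa\NoLmHash")) { New-Item -Path $Lsa -Name 'NoLmHash' | Out-Null }
} else {
    Set-ItemProperty -Path $Lsa -Name 'NoLMHash' -Value 1 -Type DWord
}
# Stored LM hashes only disappear when each password is next changed:
# reboot, then force a password change for every account.
```

Run the analyze step alone first and read the log; the “Access this computer from the network” and “Log on locally” assignments above are the slides’ strictest reading (Administrators and Backup Operators only) and will cut off ordinary users of a file or print server, which is why the deck qualifies that item with “if possible”.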
Other Items to Consider • Remove unused subsystems • POSIX • OS/2 • Rename Local Machine User Accounts
Best Practices • Patches, patches, patches • The first line of defense is up-to-date patches. Most widely exploited problems already have patches. • Minimal Services • Many widely exploited flaws exist in services that are installed by default but rarely used. Disable all unused services. • Anti-Virus Software • Up-to-date AV software will keep problems from spreading out of control. • Strong Passwords • Password crackers are fast and getting faster. Exploit tools automate logging in to a variety of services using blank or default passwords. Use one-time passwords whenever possible and strong passwords the rest of the time. Users must be educated to understand the risks. • Egress Filtering • Trojans like to “phone home,” as do lots of other malicious programs. Use a web proxy and limit outbound connections strictly.
Security Features in Active Directory • Granular Delegation • Group Policy Objects (GPOs) • ACLs
Opposite of NT • The granularity of authorizations has been greatly extended in Active Directory to cover not only an object but also the individual attributes of an object. • As a result, you can allow a group of administrators to do nothing but reset user passwords. • This granularity works because each ACE in an AD object’s ACL can be scoped to a single attribute, property set or extended right (such as Reset Password) instead of applying to the whole object; permissions are no longer all-or-nothing per object.
Delegation • A preferred way to delegate administrative control over Active Directory objects is to create OUs within a domain and use the Delegation of Control Wizard to assign granular permissions for administrators. • When you’re designing the OU structure for each of your domains, consider only creating OUs when you want to delegate administration.
One Delegation Approach • Create an OU for each logical subdivision of the domain • Create a local group for each subdivision representing the highest level administration in that subdivision • Assign the given group full control over its OU • If the subdivision is allowed to set their membership, place the subdivision’s administrators group into the OU. Otherwise, leave the group outside the OU.
Delegation Best Practices • Create special OUs • Delegate access through groups rather than users • Assign access at the lowest possible level • Avoid granting Full Control over containers • Use group policy to control user rights • Consider separating object-creation tasks from object-management tasks • Delegating the ability to move objects requires Delete permission in the source OU and Create permission in the target OU • Group membership administration is granted in the OU where the group account resides • Remember that object owners, regardless of their explicit access level, can always regain Full Control over the object, because the owner can always rewrite the object’s DACL
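The “reset passwords and nothing else” delegation described above, done with dsacls (shipped in the Windows 2000 Support Tools and built into Windows Server 2008 and later). This is an added example, not the RAZOR deck’s own procedure; the OU OU=Sales,DC=corp,DC=example and the group CORP\Sales-HelpDesk are assumed names. The Full Control line is shown commented out for contrast only.

```powershell
# Added example, not from the RAZOR deck. Assumed names: the Sales OU and
# the CORP\Sales-HelpDesk group; adjust to your directory.
$Ou    = 'OU=Sales,DC=corp,DC=example'
$Group = 'CORP\Sales-HelpDesk'

# What the deck warns against: Full Control (GA) on the whole container,
# inherited by everything beneath it (/I:T). For contrast only, not run.
#   dsacls $Ou /I:T /G "${Group}:GA"

# /I:S = apply to child objects only, so the ACE never lands on the OU itself.
# CA;Reset Password;user = the "Reset Password" control access right, scoped to
# objects of class user. This single ACE is the attribute-level granularity
# the "Opposite of NT" slide describes.
dsacls $Ou /I:S /G "${Group}:CA;Reset Password;user"

# A reset is only complete with "user must change password at next logon",
# which is a write to the pwdLastSet attribute (RP = read property, WP = write property).
dsacls $Ou /I:S /G "${Group}:RPWP;pwdLastSet;user"

# Unlocking a locked-out account is a write to lockoutTime.
dsacls $Ou /I:S /G "${Group}:RPWP;lockoutTime;user"

# Verify: dump the OU's ACL and keep only this group's entries.
dsacls $Ou | Select-String -SimpleMatch $Group

# When the role goes away, /R removes every ACE for the trustee.
#   dsacls $Ou /R $Group
```

Delegating to the group rather than to individual help-desk accounts follows the “delegate access through groups” item above; membership changes in the group then never require touching the OU’s ACL again.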
Group Policy Objects • Group Policy will allow you to uniformly enforce defined security policies throughout your computing infrastructure by creating domain-level GPOs that define the most critical security related settings. These settings will then be enforced on each and every computer in the domain. No longer will security settings have to be managed on individual computers.
Group Policy Object Initialization • Computer-related policy settings are applied when the OS initializes. • User-related policy settings are applied when users log on to their computers. • NOTE: If computer settings and user settings come into conflict, the computer configuration settings override the user configuration settings.
GPO and Access Control • Security templates and GPOs are generally the best approach to implementing a given security policy for a group or category of users.
ACL Inheritance • Explicit ACEs are evaluated before inherited ACEs • Access-denied ACEs are evaluated before access-allowed ACEs
ACL Best Practices • Never assign rights, privileges, or ACLs to an individual computer or user object. Instead, create a security group, assign the appropriate permissions to it, then add computer or user objects to it.
Take-away Note • The most important thing to remember when you’re setting up access control in your Active Directory environment is to give people the minimum number of rights they need to do their jobs.
Best Practice Overview • Secondary Authentication • General Recommendations • Physical Security • Other Considerations
Using Secondary Authentication • No system administrator in your environment should ever again read mail and compose simple documents while running as a member of the Domain Admins group! Use an ordinary account for daily work and a separate administrative account, invoked only for administrative tasks.
Best Practices - General • Use legal notice captions on all machines • Use legal notice text on all machines • Do not display last logon name
Physical Security • Every Windows 2000 DC holds a read/write copy of Active Directory, including every account’s password hashes • NT BDCs held only a read-only copy of the SAM • Physically secure all DCs • Even the ones at remote locations: a DC stolen or booted offline at a branch office exposes every account in the domain • Tools an attacker can use once physical access is gained • L0phtCrack (dump and crack password hashes) • NTFS2DOS (read NTFS volumes from a DOS boot, bypassing all ACLs)
Physical Security • Secure wiring closets • Open network ports open security holes • Sniffers could be placed on the network and capture passwords • Network access opens up a door for finding more access • Open shares • User names • And more
Physical Security Best Practices • Keep servers in a locked room • Disable booting from removable media if the firmware allows it • Remove or restrict access to the removable media drives • Lock the computer case with a key stored safely away from the computer • Set a BIOS password
Other Considerations • Other Microsoft Services • Exchange • DHCP/DNS • IIS • SQL • Desktop Clients • User Community “Buy-In”
Reminder • Security is Everyone’s responsibility • Management • IT Staff • Users
Reminder • Technical support staff should be reminded never to reveal or reset passwords for anyone over the phone • User community education • Password use and “storage” • Social engineering techniques
Importance Of A Strong Password • Estimated time to brute-force a password at 100,000 guesses per second
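The arithmetic behind the slide’s estimate, as an added example that is not part of the RAZOR deck. Brute-forcing a password of length L over an alphabet of A characters means at most A^L candidates, so at R guesses per second the worst case is A^L / R seconds; the 100,000 guesses per second rate is the slide’s assumption and is far below what cracking hardware achieves today. The second part shows why the deck insists on NoLmHash: the LM hash upper-cases the password and hashes it as two independent 7-character halves, so a 14-character password costs at most 2 × 69^7 guesses rather than 94^14. The alphabet sizes (26, 36, 62, 94 and 69) are the example’s own assumptions about which characters are in play.

```powershell
# Added example, not from the RAZOR deck. Alphabet sizes are assumptions:
# 26 = a-z, 36 = a-z0-9, 62 = a-zA-Z0-9, 94 = printable ASCII without space,
# 69 = what survives LM's upper-casing (26 letters, 10 digits, 33 symbols).
function Get-BruteForceSeconds {
    param([int]$AlphabetSize, [int]$Length, [double]$GuessesPerSecond = 100000)
    # Worst case: every candidate in the A^L keyspace is tried once.
    [math]::Pow($AlphabetSize, $Length) / $GuessesPerSecond
}

function Format-Duration([double]$Seconds) {
    if ($Seconds -lt 3600)     { return ('{0:N0} seconds' -f $Seconds) }
    if ($Seconds -lt 86400)    { return ('{0:N1} hours'   -f ($Seconds / 3600)) }
    if ($Seconds -lt 31557600) { return ('{0:N1} days'    -f ($Seconds / 86400)) }
    return ('{0:N1} years' -f ($Seconds / 31557600))
}

$Alphabets = [ordered]@{ 'a-z' = 26; 'a-z0-9' = 36; 'a-zA-Z0-9' = 62; 'printable' = 94 }
foreach ($len in 6, 7, 8, 10) {
    foreach ($name in $Alphabets.Keys) {
        $secs = Get-BruteForceSeconds -AlphabetSize $Alphabets[$name] -Length $len
        '{0,2} chars  {1,-10} {2}' -f $len, $name, (Format-Duration $secs)
    }
}

# LM hash: two 7-character halves, upper-cased, attacked independently.
$lm = 2 * (Get-BruteForceSeconds -AlphabetSize 69 -Length 7)
'LM hash, 14-char password, any case:            ' + (Format-Duration $lm)
# NT hash of the same 14-character mixed-case password: one 94^14 keyspace.
$nt = Get-BruteForceSeconds -AlphabetSize 94 -Length 14
'NT hash, 14-char password, mixed case + symbols: ' + (Format-Duration $nt)
```

At the slide’s rate the 7-character minimum from the password policy holds up only with the full printable alphabet (roughly twenty years) and falls in about a day if users pick lowercase letters only, which is the case for enforcing complexity as well as length; and the LM line shows that without NoLmHash the extra length past 7 characters buys almost nothing.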