Windows 2000 and Active Directory Security Guidelines. Tom Duke, Systems Engineer, RAZOR Team; Mel Pless, Systems Engineer, RAZOR Team.

Presentation Transcript


  1. Windows 2000 and Active Directory Security Guidelines. Tom Duke, Systems Engineer, RAZOR Team; Mel Pless, Systems Engineer, RAZOR Team

  2. Agenda • Overview • Windows System Hardening Suggestions • Active Directory Security Suggestions • Security Best Practices Guidelines • Reminders • References

  3. Role of Corporate Culture • Paramount to the success of an enterprise security program are the relationships among risk analysis, the organization’s culture, and security policy.

  4. Security is Everyone’s Responsibility • A security policy should communicate to everyone in your organization the simple principle that information is a valuable asset and everyone is responsible for protecting it.

  5. Philosophy of Protection • Security is embedded • Security is logically centralized but distributed globally • Security is applied to multiple layers • Security is an enabler, not a roadblock • External validation of security is required

  6. Security Concepts • Need-to-Protect • Least Privilege • Separation of Duties • Defense in Depth • Role-based Access Control • Identification

  7. Things To Remember • Policies are cross-platform • Implementations are not • Policies must be designed to be implemented • Nirvana security policies are not effective • Implementation should include: ongoing auditing, enforcement, non-IT remedies • Leverage solutions to speed the process

  8. Windows 2000 System Hardening Suggestions

  9. System Hardening Intent • Process should result in a server with virtually everything locked down and disabled. • This should provide a secure base upon which to build. • After this procedure is completed, the services this machine is to offer can be selectively enabled.

  10. Recommendations • Updated Patches • Service Packs • Hotfixes • High Encryption Pack • Enable Auditing • Set Password Policy • Account Lockout • User Rights • Event Log • Services • Other Settings

  11. Updates • PATCH, PATCH, PATCH!!!

  12. Implementing an Auditing Policy • Audit settings should be tested to see if: • They capture the expected events • Audit log data can be analyzed and understood • The amount of audit log data is manageable

  13. Windows 2000 Auditing: RAZOR Recommendations • Enable Auditing: • Account Logon: Success, Failure • Account Management: Success, Failure • Directory Service Access: Failure • Logon Events: Success, Failure • Object Access: Failure • Policy Change: Success, Failure • Privilege Use: Failure • Process Tracking • System Event: Success, Failure

  14. Password Policy: RAZOR Recommendations • Enforce Password History: 7 (or higher) • Maximum Password Age: 42 (default) • Minimum Password Age: 0 (default) • Minimum Password Length: 7 • Password Must Meet Complexity Requirements: Enable

  15. Account Lockout Policy: RAZOR Recommendations • Account Lockout Duration: 10 minutes (or more) • Account Lockout Threshold: 5 • Reset account lockout counter after: 10 minutes

  16. User Rights: RAZOR Recommendations • Never assign the following user rights to any user or group: • Act as part of the OS • Create a token object • Create permanent shared objects • Debug programs • Generate security audits • Lock pages in memory • Manage auditing and security log* • Modify firmware environment variables • Replace a process level token • Synchronize directory service data

  17. User Rights: RAZOR Recommendations • Access this computer from the network: • Remove Everyone, Users, Power Users, and Backup Operators (if possible) • Bypass traverse checking: • Change Everyone to Authenticated Users • Change system time: • Remove Power Users • Deny access to this computer from the network: • Add ANONYMOUS LOGON • Deny logon as a batch job: • Add ANONYMOUS LOGON

  18. User Rights (cont’d.): RAZOR Recommendations • Deny logon as a service: • Add ANONYMOUS LOGON • Deny logon locally: • Add ANONYMOUS LOGON • Log on locally: • Remove Users, Power Users, Guest, TsInternetUser • “EVERYONE” should not be listed in any right at this point

  19. Event Log Settings: RAZOR Recommendations • Set each log to a minimum of 10 MB in size • If exporting to a central repository, set to NOT overwrite • Otherwise, overwrite as needed
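The audit, password, lockout and event-log values on slides 13 through 19 are the kind of settings that end up in a security template applied with secedit. The following Python script is an added example, not code from the presentation or the RAZOR team: it renders those recommendations as a template in the INF section/key format that secedit and the Security Configuration Editor read, and checks an exported policy against them. The sample export at the bottom is constructed for illustration (a real `secedit /export` file is UTF-16 and would need decoding to a string first).

```python
"""Render the RAZOR audit/password/lockout/event-log recommendations as a
security template and report where an exported policy deviates from them.
Added example; section and key names follow the secedit INF template format."""
import re

# (INF section, key, comparison, recommended value). The exported value must
# satisfy `exported <op> recommended`. Audit values: 0 = none, 1 = success,
# 2 = failure, 3 = success and failure. MaximumLogSize is in KB.
RAZOR_POLICY = [
    ("System Access", "PasswordHistorySize",   ">=", 7),
    ("System Access", "MaximumPasswordAge",    "<=", 42),
    ("System Access", "MinimumPasswordAge",    "==", 0),      # slide gives the default
    ("System Access", "MinimumPasswordLength", ">=", 7),
    ("System Access", "PasswordComplexity",    "==", 1),
    ("System Access", "LockoutBadCount",       "==", 5),      # 0 would mean "never lock out"
    ("System Access", "ResetLockoutCount",     "==", 10),
    ("System Access", "LockoutDuration",       ">=", 10),
    ("Event Audit",   "AuditAccountLogon",     "==", 3),
    ("Event Audit",   "AuditAccountManage",    "==", 3),
    ("Event Audit",   "AuditDSAccess",         "==", 2),
    ("Event Audit",   "AuditLogonEvents",      "==", 3),
    ("Event Audit",   "AuditObjectAccess",     "==", 2),
    ("Event Audit",   "AuditPolicyChange",     "==", 3),
    ("Event Audit",   "AuditPrivilegeUse",     "==", 2),
    ("Event Audit",   "AuditSystemEvents",     "==", 3),
    ("Security Log",  "MaximumLogSize",        ">=", 10240),  # 10 MB minimum
]

_OPS = {">=": lambda a, b: a >= b, "<=": lambda a, b: a <= b, "==": lambda a, b: a == b}


def render_template(policy=RAZOR_POLICY):
    """Emit the recommendations as INF template text, one section per area."""
    sections = {}
    for section, key, _op, value in policy:
        sections.setdefault(section, []).append(f"{key} = {value}")
    lines = ["[Version]", 'signature="$CHICAGO$"', "Revision=1"]
    for section, entries in sections.items():
        lines.append(f"[{section}]")
        lines.extend(entries)
    return "\n".join(lines) + "\n"


def parse_template(text):
    """Parse INF text (already decoded to str) into {section: {key: value}}."""
    data, section = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):        # skip blanks and comments
            continue
        header = re.fullmatch(r"\[(.+)\]", line)
        if header:
            section = header.group(1)
            data.setdefault(section, {})
            continue
        if "=" in line and section is not None:
            key, _, value = line.partition("=")
            data[section][key.strip()] = value.strip()
    return data


def audit_policy(exported_text, policy=RAZOR_POLICY):
    """Return (section, key, found, expected) for every recommendation the
    exported policy misses; a missing key is reported with found=None."""
    exported = parse_template(exported_text)
    findings = []
    for section, key, op, want in policy:
        raw = exported.get(section, {}).get(key)
        if raw is None:
            findings.append((section, key, None, f"{op} {want}"))
            continue
        try:
            have = int(raw)
        except ValueError:                          # non-numeric value: flag it
            findings.append((section, key, raw, f"{op} {want}"))
            continue
        if not _OPS[op](have, want):
            findings.append((section, key, have, f"{op} {want}"))
    return findings


# Constructed sample export resembling a box left at Windows 2000 defaults.
SAMPLE_EXPORT = """
[Unicode]
Unicode=yes
[System Access]
MinimumPasswordAge = 0
MaximumPasswordAge = 42
MinimumPasswordLength = 0
PasswordComplexity = 0
PasswordHistorySize = 0
LockoutBadCount = 0
[Event Audit]
AuditSystemEvents = 0
AuditLogonEvents = 0
AuditObjectAccess = 0
AuditPrivilegeUse = 0
AuditPolicyChange = 0
AuditAccountManage = 0
AuditProcessTracking = 0
AuditDSAccess = 0
AuditAccountLogon = 0
[Security Log]
MaximumLogSize = 512
"""

if __name__ == "__main__":
    for finding in audit_policy(SAMPLE_EXPORT):
        print("deviation:", finding)
    print(render_template())
```

Running the script against the constructed export lists fifteen deviations: the password and lockout values, every audit category, and the undersized security log. Note that when the lockout threshold is 0 the export carries no `ResetLockoutCount` or `LockoutDuration` keys at all, which is why the checker reports missing keys as findings rather than skipping them.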

  20. Securing the Security Event Log • The Security Event Log records unauthorized access to the system, so control of it should be limited • Create an “Auditors” group • Give it Full Control • Remove all administrators • Grant the “Manage auditing and security log” user right to the Auditors group

  21. Service Settings: RAZOR Recommendations • All non-essential services should be disabled • Only enable services “as needed”

  22. Other Settings: RAZOR Recommendations • Create a registry key HKLM\SYSTEM\CCS\Control\LSA\NoLmHash. • Reboot and change all passwords. • Rename the Administrator account • Unbind NetBIOS from TCP/IP on all adapters • Disable “register this adapter in DDNS” • Disable LMHOSTS lookup

  23. Other Items to Consider • Remove unused subsystems • POSIX • OS/2 • Rename Local Machine User Accounts

  24. Best Practices • Patches, patches, patches • The first line of defense is up-to-date patches. Most widely exploited problems have patches. • Minimal Services • Many widely exploited flaws exist in services that are installed by default but rarely used. Disable all unused services. • Anti-Virus Software • Up-to-date AV software will prevent problems from spreading out of control. • Strong Passwords • Password crackers are fast and getting faster. Exploit tools automate logging in to a variety of services using blank or default passwords. Use a one-time password pad whenever possible and strong passwords the rest of the time. Users must be educated to understand the risks. • Egress Filtering • Trojans like to “phone home,” as do lots of malicious programs. Use a web proxy and limit outbound connections strictly.

  25. Active Directory Security Suggestions

  26. Security Features in Active Directory • Granular Delegation • Group Policy Objects (GPOs) • ACLs

  27. Opposite of NT • The granularity of authorizations has been greatly extended in Active Directory to cover not only an object but also the attributes of an object. • As a result, you can allow a group of administrators to do nothing but reset user passwords. • This granularity works because each attribute of an AD object can have its own ACL; there isn’t just a single ACL for the entire object.

  28. Delegation • A preferred way to delegate administrative control over Active Directory objects is to create OUs within a domain and use the Delegation of Control Wizard to assign granular permissions for administrators. • When you’re designing the OU structure for each of your domains, consider only creating OUs when you want to delegate administration.

  29. One Delegation Approach • Create an OU for each logical subdivision of the domain • Create a local group for each subdivision representing the highest level administration in that subdivision • Assign the given group full control over its OU • If the subdivision is allowed to set their membership, place the subdivision’s administrators group into the OU. Otherwise, leave the group outside the OU.

  30. Delegation Best Practices • Create special OUs • Delegate access through groups rather than users • Assign access at the lowest possible level • Avoid granting Full Control over containers • Use group policy to control user rights • Consider separating object-creation tasks from object-management tasks • Delegating the ability to move objects requires Delete permissions in the source OU and Create permissions in the target OU • Group membership administration is granted in the OU where the group account resides • Remember that object owners, regardless of their explicit access level, can always gain Full Control over the object

  31. Group Policy Objects • Group Policy will allow you to uniformly enforce defined security policies throughout your computing infrastructure by creating domain-level GPOs that define the most critical security related settings. These settings will then be enforced on each and every computer in the domain. No longer will security settings have to be managed on individual computers.

  32. Group Policy Object Initialization • Computer-related policy settings are applied when the OS initializes. • User-related policy settings are applied when users log on to their computers. • NOTE: If computer settings and user settings come into conflict, the computer configuration settings override the user configuration settings.

  33. GPO and Access Control • Security templates and GPOs are generally the best approach to implementing a given security policy for a group or category of users.

  34. ACL Inheritance • Explicit ACEs are evaluated before inherited ACEs • Access-denied ACEs are evaluated before access-allowed ACEs
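The two rules on slide 34 define the order in which Windows walks a DACL: explicit ACEs before inherited ones, and within each of those groups deny before allow. The simulation below is an added example, not code from the presentation; it puts a DACL into that canonical order and runs an access check over it, so you can see why an explicit allow on an object wins over a deny inherited from its container, while an explicit deny beats an explicit allow no matter where it sits in the list. The SIDs and access-mask bits are constructed for illustration, and the check follows the documented model in which a deny ACE only blocks rights that have not already been granted by an earlier ACE.

```python
"""Simulate DACL evaluation order: explicit deny, explicit allow,
inherited deny, inherited allow. Added example with constructed SIDs and
masks; not the presentation's own code."""
from dataclasses import dataclass

# Access-mask bits, constructed for the example. Real object types define
# their own specific rights; only the evaluation order matters here.
READ, WRITE, DELETE = 0x1, 0x2, 0x4


@dataclass(frozen=True)
class Ace:
    allow: bool                # True = access-allowed ACE, False = access-denied ACE
    sid: str                   # trustee the ACE applies to (user or group SID)
    mask: int                  # access bits this ACE grants or denies
    inherited: bool = False    # True if the ACE was inherited from a parent container


def canonical_order(dacl):
    """Return the ACEs in the order the reference monitor evaluates them.
    Sorting on (inherited, allow) puts explicit before inherited and, within
    each group, deny (allow=False) before allow (allow=True)."""
    return sorted(dacl, key=lambda ace: (ace.inherited, ace.allow))


def access_check(dacl, token_sids, requested):
    """Return True if every requested bit is granted to one of the token's SIDs.

    Walks the canonical ACE list. A deny ACE for a token SID that overlaps any
    still-ungranted requested bit denies access outright; an allow ACE
    accumulates granted bits; the check succeeds as soon as the requested
    mask is fully covered. An empty DACL or no matching allow means no access.
    """
    granted = 0
    for ace in canonical_order(dacl):
        if ace.sid not in token_sids:
            continue
        remaining = requested & ~granted
        if not ace.allow:
            if ace.mask & remaining:
                return False
        else:
            granted |= ace.mask & requested
            if granted == requested:
                return True
    return granted == requested


# Constructed SIDs for a user and a group the user belongs to.
USER_SID = "S-1-5-21-1000-2000-3000-1105"
HELPDESK_SID = "S-1-5-21-1000-2000-3000-1200"
TOKEN = {USER_SID, HELPDESK_SID}


def example_dacl():
    """A DACL mixing an inherited deny from the OU with explicit ACEs on the object."""
    return [
        Ace(allow=False, sid=HELPDESK_SID, mask=READ | WRITE, inherited=True),  # inherited deny
        Ace(allow=True,  sid=USER_SID,     mask=READ),                          # explicit allow
        Ace(allow=False, sid=USER_SID,     mask=DELETE),                        # explicit deny
    ]


if __name__ == "__main__":
    dacl = example_dacl()
    print([("inherited" if a.inherited else "explicit", "allow" if a.allow else "deny", a.sid[-4:])
           for a in canonical_order(dacl)])
    print("READ:", access_check(dacl, TOKEN, READ))       # explicit allow beats inherited deny
    print("WRITE:", access_check(dacl, TOKEN, WRITE))     # only the inherited deny covers WRITE
    print("DELETE:", access_check(dacl, TOKEN, DELETE))   # explicit deny
```

The ordering step is what makes the second slide rule bite: because the explicit allow for READ is evaluated before the inherited deny, the user reads the object even though the OU denies READ to the group. This is also why the delegation slides warn about granting Full Control on containers, since an inherited allow is the weakest position in the evaluation order and is easily overridden lower down.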

  35. ACL Best Practices • Never assign rights, privileges, or ACLs to an individual computer or user object. Instead, create a security group, assign the appropriate permissions to it, then add computer or user objects to it.

  36. Take-away Note • The most important thing to remember when you’re setting up access control in your Active Directory environment is to give people the minimum number of rights they need to do their jobs.

  37. Security Best Practices Guidelines

  38. Best Practice Overview • Secondary Authentication • General Recommendations • Physical Security • Other Considerations

  39. Using Secondary Authentication • No system administrators in your environment should ever again read their mail and compose simple documents while running as a member of the Domain Administrators group!

  40. RUN-AS Command

  41. Best Practices - General • Use legal notice captions on all machines • Use legal notice text on all machines • Do not display last logon name

  42. Physical Security • All DCs contain a read/write copy of AD • NT BDCs contained a read-only copy of the SAM • Physically secure all DCs • Even ones at remote locations • Tools to use once physical access is gained • L0phtCrack • NTFS2DOS

  43. Physical Security • Secure wiring closets • Open network ports open security holes • Sniffers could be placed on the network and capture passwords • Network access opens up a door for finding more access • Open shares • User names • ???

  44. Physical Security Best Practices • Keep servers in a locked room • Disable the removable-media boot option if available • Remove or restrict access to the removable media drives • The CPU case should be secured by a key stored safely away from the computer • Implement a system BIOS password

  45. Other Considerations • Other Microsoft Services • Exchange • DHCP/DNS • IIS • SQL • Desktop Clients • User Community “Buy-In”

  46. Reminders

  47. Reminder • Security is Everyone’s responsibility • Management • IT Staff • Users

  48. Reminder • Technical support staff should be reminded never to reveal or reset passwords for anyone over the phone • User community education • Password use and “storage” • Social engineering techniques

  49. Importance Of A Strong Password • Estimated time to brute-force crack a password at 100,000 attempts per second
