Best Practice
Why reinvent the wheel?

Quick AD overview
• Domain controllers
• Member servers
• Client computers
• User accounts
• Group accounts
• OUs
• GPOs

Commonly Leveraged Vulnerabilities
• Most security gaps are unintentional
• Estimated 97% can be fixed or avoided
• Entry point
  • Only need one
• Initial targets
  • Attractive accounts for credential theft

Misconfiguration
• In Active Directory
  • Accounts with elevated privileges
• On Domain Controller (DC)
  • Consider it Critical Infrastructure
• Operating systems
  • Inconsistency

Activities Likely to Increase Compromise
• High privileged accounts are usually the targets
• Not maintaining separate admin credentials
• Logging into unsecure computers
• Browsing the internet
• Same credentials on all local machines
• Improper management
Reduce AD Attack Surface
• Principle of least privilege
  • Users should have the least privileges needed to complete the task.
• Privileged accounts are dangerous accounts
• Model privilege reduction in every area of the network

Reducing Privileges
• The larger the organization, the more complex it is and the more difficult to secure
• Securing local administrator accounts
  • Workstations
  • Member servers
• Securing local privileged accounts in AD
  • Built-in admin accounts
  • Audit changes to these accounts
• Securing Administrator, Domain Admin and Enterprise Admin groups
  • Securing Domain Admins group
  • Securing Administrators groups

Role-Based Access Controls (RBAC)
• Grouping users based on daily tasks and access needs, e.g.:
  • Accounting
  • Marketing
• Controls unnecessary privileges
• Simplest implementation -> roles in AD DS
• Commercial, off-the-shelf (COTS) products available

Privileged Identity/Account Management
• Design, creation and implementation used to manage privileged accounts
• Manually created or third-party software
Robust Authentication Controls
• Exponential growth in credential theft attacks due to widely available tools
• Identify accounts most likely to be targeted
• Do not use single-factor authentication

Secure Administrative Hosts
• Never administer a trusted system from an insecure host.
• Do not rely on single-factor authentication
• Do not ignore physical security
• Even if the organization does not use smart cards, consider using them for privileged accounts

Securing DCs Against Attack
• Same practices already discussed
• Physical security
• Limit RDP
• Patch
• Security Configuration Wizard
• Microsoft Security Compliance Manager
• Block Internet access on DCs
• Perimeter firewall restrictions
• DC firewall

Signs of Compromise
• Windows Audit Policy
• Events to monitor
• AD objects and attributes to monitor
• Classify security events
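An added example, not part of the deck or its sources, that puts the "Reducing Privileges" and "Signs of Compromise" slides into practice: it lists the members of the three privileged groups together with the account settings the deck warns about, then pulls recent group-membership change events from the Security log. It assumes the RSAT ActiveDirectory module, read access to a domain controller's Security log, and the documented property order of events 4728/4732/4756.

```powershell
# Added example (not from the slide deck). Assumes RSAT ActiveDirectory module and
# read access to the Security log on a domain controller.
Import-Module ActiveDirectory

$privilegedGroups = 'Domain Admins', 'Enterprise Admins', 'Administrators'

# 1. Enumerate members recursively (nested groups expanded) and record the settings
#    the deck calls out: smart card use for privileged accounts, stale or never-expiring
#    credentials, and whether the account is still enabled at all.
$findings = foreach ($group in $privilegedGroups) {
    Get-ADGroupMember -Identity $group -Recursive |
        Where-Object objectClass -eq 'user' |
        ForEach-Object {
            $u = Get-ADUser -Identity $_.DistinguishedName -Properties Enabled, PasswordNeverExpires, SmartcardLogonRequired, LastLogonDate, PasswordLastSet
            [pscustomobject]@{
                Group                  = $group
                User                   = $u.SamAccountName
                Enabled                = $u.Enabled
                PasswordNeverExpires   = $u.PasswordNeverExpires
                SmartcardLogonRequired = $u.SmartcardLogonRequired
                PasswordLastSet        = $u.PasswordLastSet
                LastLogonDate          = $u.LastLogonDate
                # Never logged on, or no logon in 90 days: candidate for removal from the group
                Stale                  = (-not $u.LastLogonDate) -or ($u.LastLogonDate -lt (Get-Date).AddDays(-90))
            }
        }
}
$findings | Sort-Object Group, User | Format-Table -AutoSize

# 2. Membership changes in the last 7 days. Event IDs 4728 / 4732 / 4756 are
#    "member added to a security-enabled global / local / universal group".
#    Property order (MemberName, ..., TargetUserName, ..., SubjectUserName) is the
#    documented layout for these events; adjust if your forest differs.
$since = (Get-Date).AddDays(-7)
Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4728, 4732, 4756; StartTime = $since } -ErrorAction SilentlyContinue |
    ForEach-Object {
        [pscustomobject]@{
            Time   = $_.TimeCreated
            Id     = $_.Id
            Group  = $_.Properties[2].Value   # TargetUserName: the group that was modified
            Member = $_.Properties[0].Value   # MemberName: DN of the account added
            Actor  = $_.Properties[6].Value   # SubjectUserName: who made the change
        }
    } |
    Where-Object { $_.Group -in $privilegedGroups } |
    Format-Table -AutoSize
```

Run it on a schedule and diff the output against the previous run; a new member in any of these groups, or an add event whose Actor is not a known administrator, is exactly the kind of change the "Audit changes to these accounts" bullet asks you to catch.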
Planning for Compromise
• “It is generally well-accepted that if an attacker has obtained SYSTEM, Administrator, root, or equivalent access to a computer, regardless of operating system, that computer can no longer be considered trustworthy, no matter how many efforts are made to “clean” the system. Active Directory is no different.”
• Prevention is better than reaction

Sources
• Best Practices for Securing Active Directory. (2013). 314.
• Melber, D. (n.d.). The Administrator Shortcut Guide to Active Directory Security.