Tactic 4: Defend Your Domain Controllers
Zaid Arafeh, Microsoft Services Cybersecurity
Recap • Tactic #3: Defend your Directory
AD Control Categories
• Credentials
• Domain Controller Host
• Active Directory Data
• Security Dependencies
• Active Directory Service
Control on the Host
1. Who can execute commands on a DC?
• Logon rights
• PowerShell Remoting
• Remote access tools
• IPC$ share
• WMI
• Network applications
2. What privileges can they execute with?
• Back up files and directories
• Create a token object
• Debug programs
• Load and unload device drivers
• Restore files and directories
• Modify an object label
• Take ownership of files or other objects
Assign user logon rights and privileges in accordance with the Microsoft baselines.
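As an added example (not part of the deck), this PowerShell check answers the two questions on the "Control on the Host" slide for one DC: it exports the effective User Rights Assignment with secedit and lists which principals hold each of the privileges and logon rights named above, so the result can be compared against the Microsoft baseline. The privilege constants are the standard Windows names; the temporary file path is an assumption.

```powershell
# Added example: audit who holds the DC-relevant privileges and logon rights.
# Run in an elevated PowerShell session on the Domain Controller being reviewed.

# Windows privilege/right constants mapped to the display names used on the slide.
$Watched = [ordered]@{
    SeBackupPrivilege             = 'Back up files and directories'
    SeCreateTokenPrivilege        = 'Create a token object'
    SeDebugPrivilege              = 'Debug programs'
    SeLoadDriverPrivilege         = 'Load and unload device drivers'
    SeRestorePrivilege            = 'Restore files and directories'
    SeRelabelPrivilege            = 'Modify an object label'
    SeTakeOwnershipPrivilege      = 'Take ownership of files or other objects'
    SeInteractiveLogonRight       = 'Allow log on locally'
    SeRemoteInteractiveLogonRight = 'Allow log on through Remote Desktop Services'
    SeNetworkLogonRight           = 'Access this computer from the network'
    SeBatchLogonRight             = 'Log on as a batch job'
    SeServiceLogonRight           = 'Log on as a service'
}

# Export only the User Rights area of the effective local policy (assumed temp path).
$cfg = Join-Path $env:TEMP 'dc-user-rights.inf'
secedit /export /cfg $cfg /areas USER_RIGHTS | Out-Null
$lines = Get-Content $cfg
Remove-Item $cfg

# Parse "[Privilege Rights]" lines of the form: SeDebugPrivilege = *S-1-5-32-544,*S-1-5-...
$rights = @{}
foreach ($l in $lines) {
    if ($l -match '^(Se\w+)\s*=\s*(.*)$') {
        $key = $Matches[1]
        $rights[$key] = @($Matches[2] -split ',' | Where-Object { $_.Trim() })
    }
}

# Resolve "*SID" tokens to account names; SIDs that no longer resolve are flagged for review.
function Resolve-Principal([string]$token) {
    if ($token -notmatch '^\*(S-1-[0-9-]+)$') { return $token }
    try {
        (New-Object System.Security.Principal.SecurityIdentifier $Matches[1]).Translate(
            [System.Security.Principal.NTAccount]).Value
    } catch { "UNRESOLVED:$($Matches[1])" }
}

# One row per watched right: compare AssignedTo against the baseline for DCs.
foreach ($name in $Watched.Keys) {
    $holders = if ($rights.ContainsKey($name)) { @($rights[$name] | ForEach-Object { Resolve-Principal $_ }) } else { @() }
    [pscustomobject]@{
        Right      = $Watched[$name]
        Constant   = $name
        AssignedTo = if ($holders.Count) { $holders -join '; ' } else { '(nobody)' }
    }
}
```

Pipe the output to Format-Table or Export-Csv to keep a record per DC; any UNRESOLVED entry or principal outside the baseline's expected groups is a finding to investigate.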
Establish Baselines
• Use Microsoft policy baselines
  • Microsoft Security Compliance Manager
• Specify allowed applications
  • Keep these to the bare minimum!
• Baseline the OS image
  • Microsoft Deployment Toolkit (MDT)
Host Patching
• Install security updates as soon as possible
• Install all other updates within 90 days
• Keep antimalware up to date
• Patch third-party software
  • After you remove ALL unnecessary software
• Test updates in a lab
  • Develop mitigation plans for updates that can't be installed
• Automate
  • Windows Server Update Services (WSUS)
  • System Center Configuration Manager (SCCM)
Restrict Applications
• AppLocker
  • Note: limitations
  • Implement AppLocker whitelisting
  • Thorough testing in Audit Mode is necessary
  • Review NSA guidance on AppLocker
• Code Integrity (Server 2016 feature)
  • Helps protect against code injection and malware
  • Helps protect against administrators unintentionally running non-permitted code
  • Powerful whitelisting technique for kernel and user mode
  • Can be backed by hardware-level security
  • Test thoroughly and start with unsigned policies
Network Access
• Enable host-based firewall
• Disable Internet access
• Remove unnecessary services (e.g. IIS)
• Restrict RDP access
  • Restrict to the Administrators group using User Rights Assignment
• Defense in depth
Protect Startup Components
• Unified Extensible Firmware Interface (UEFI) Secure Boot
  • Only trusted pre-boot components are allowed
• Early Launch Antimalware (ELAM)
  • Choose an ELAM-compatible AV
• Measured Boot
  • Allows for measuring startup component integrity
Physical Security
• Physical Domain Controllers
  • BitLocker (TPM protection)
  • Physical access control
• Virtual Domain Controllers
  • Hyper-V fabric using Windows Server 2016
  • Supports existing 2012 VMs
• Backups
  • Backups are a security dependency of AD
  • Backups must be protected to the same extent as Domain Controllers
  • Encrypt backups and control their storage and transportation
Mitigates a number of Security Dependencies
Coming up next • Tactic 5: Beware of Security Dependencies
Resources
• Shielded VMs Session Sweet
• Device Guard
• Security Baselines for Win8.1/Server 2012 R2 by Aaron Margosis
• Microsoft Security Compliance Manager
• Microsoft Guidance on running AppLocker (use on DCs)
• NSA Guidance on AppLocker (for other machines)
• User Rights Assignments documentation
• Need help from Microsoft Services Cybersecurity? CyberRFI@microsoft.com