secure your active directory environment id 194

Upload: deepak-churasia

Post on 07-Apr-2018


TRANSCRIPT

  • 8/4/2019 Secure Your Active Directory Environment Id 194

    1/43

    Secure your Active Directory Environment

    Juan Martinez
    Information Security Consultant, International Network Services

  • 2/43

    Agenda

    Active Directory design issues
    Trust Relationships
    Schema Protection
    Firewall Considerations
    Protecting Service Management
    Group Policy Architecture
    System Hardening

  • 3/43

    Active Directory Design Issues

  • 4/43

    Security Boundaries

    Forest: the security boundary
    Domains: boundaries for administration

    Why is the forest the security boundary?
    1. Forest-level service management
    2. Implicit transitive trusts between all domains in a forest

  • 5/43

    Forest-level Service Management

  • 6/43

    Implicit Transitive Trusts

  • 7/43

    Domain Trust Vulnerability

    A user's authorization data contains SIDs

  • 8/43

    Domain Trust Vulnerability

    The trusting domain doesn't verify those SIDs

  • 9/43

    Domain Trust Vulnerability

    Solution: SID Filtering

  • 10/43

    Design Implications

    You can't delete trusts between domains in a forest
    You can't implement SID Filtering between domains in a forest
    (Well, you can, but it will break stuff)
    So a domain can't be considered a security boundary
    All Domain Admins must be trusted

  • 11/43

    Design Spec: Empty Root

  • 12/43

    DMZ Considerations

    Preferred: no AD systems in the DMZ
    Extranet considerations
    Separate forest to provide isolation
    Administrators that span forests should have separate accounts for each forest

  • 13/43

    Trust Relationships

  • 14/43

    Restricting Trust Relationships

    SID Filtering
    Enabled by default for external or forest trusts
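The slides say SID filtering is on by default for external and forest trusts and cannot be used inside a forest. The following PowerShell is an added example (not part of the deck) that decodes the trustAttributes bits of each trust and reports where filtering is weaker than that default. The bit values are the ones documented in MS-ADTS; the sample trust records at the end are constructed so the logic can be checked without a domain, and the netdom lines are the standard remediation syntax, not something the slides show.

```powershell
# Added example (not from the slides): classify each trust by its trustAttributes
# bits and report where SID filtering is weaker than the default.
# Bit values per MS-ADTS trustAttributes (assumed correct here).
Import-Module ActiveDirectory -ErrorAction Stop

$TA_QUARANTINED_DOMAIN = 0x04   # SID filtering ("quarantine") on an external trust
$TA_FOREST_TRANSITIVE  = 0x08   # forest trust
$TA_WITHIN_FOREST      = 0x20   # trust between two domains of the same forest
$TA_TREAT_AS_EXTERNAL  = 0x40   # forest trust filtered only as an external trust would be,
                                # i.e. SID history accepted (set by netdom /EnableSIDHistory:Yes)

function Get-TrustSidFilteringFinding {
    param(
        [Parameter(Mandatory)][string]$TrustName,
        [Parameter(Mandatory)][int]$TrustAttributes,
        [string]$TrustingDomain = $env:USERDNSDOMAIN
    )
    if ($TrustAttributes -band $TA_WITHIN_FOREST) {
        # Slide 10: intra-forest trusts cannot be filtered or removed.
        $kind   = 'Intra-forest'
        $state  = 'cannot be SID-filtered'
        $action = 'None possible: every Domain Admin in the forest must be trusted'
    }
    elseif ($TrustAttributes -band $TA_FOREST_TRANSITIVE) {
        $kind   = 'Forest'
        $ok     = -not ($TrustAttributes -band $TA_TREAT_AS_EXTERNAL)
        $state  = if ($ok) { 'filtered (default)' } else { 'relaxed: SID history accepted' }
        $action = if ($ok) { 'None' } else { "netdom trust $TrustingDomain /domain:$TrustName /enablesidhistory:no" }
    }
    else {
        $kind   = 'External'
        $ok     = [bool]($TrustAttributes -band $TA_QUARANTINED_DOMAIN)
        $state  = if ($ok) { 'quarantined (default)' } else { 'NOT filtered' }
        $action = if ($ok) { 'None' } else { "netdom trust $TrustingDomain /domain:$TrustName /quarantine:yes" }
    }
    [pscustomobject]@{ Trust = $TrustName; Kind = $kind; SidFiltering = $state; Action = $action }
}

# Live run against the domain you are logged on to:
#   Get-ADTrust -Filter * |
#     ForEach-Object { Get-TrustSidFilteringFinding -TrustName $_.Name -TrustAttributes $_.TrustAttributes }

# Constructed sample records (not real trusts) to exercise each branch offline:
$sample = @(
    @{ Name = 'child.corp.example'; Attributes = 0x20 }            # parent/child trust
    @{ Name = 'partner.example';    Attributes = 0x08 }            # forest trust, default filtering
    @{ Name = 'acquired.example';   Attributes = (0x08 -bor 0x40) } # forest trust with SID history enabled
    @{ Name = 'legacy.example';     Attributes = 0x00 }            # external trust with quarantine removed
)
$sample |
    ForEach-Object { Get-TrustSidFilteringFinding -TrustName $_.Name -TrustAttributes $_.Attributes -TrustingDomain 'corp.example' } |
    Format-Table -AutoSize
```

The sample run reports the first trust as unfilterable, the second as compliant, and the last two with the netdom command that restores the default; on a real domain, replace the sample with the commented Get-ADTrust pipeline.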


  • 16/43

    Protect the Schema


  • 18/43

    Schema Policy

    Ownership
      Management of schema naming prefix
      Delegating OIDs
    Configuration Management
      Define evaluation criteria for proposed schema extensions
      Provide final approval/disapproval
      Maintenance and documentation


  • 20/43

    Firewall Considerations

  • 21/43

    Firewall Considerations

    Firewall the Root domain?
      No real security gained, just added complexity
    Firewall the Schema Master?

  • 22/43

    Firewall the Schema Master


  • 24/43

    Protecting Service Management

  • 25/43

    Stronger Password Policies

    Policy: stronger password requirements for elevated privilege accounts
    Two options:
      Custom password complexity requirements
      Store all service management accounts in the forest root domain

  • 26/43

    Stronger Password Policies

    ROOT Domain
    Service Management: Users and Groups
    Controlled OU structure in the forest root domain

  • 27/43

    Controlled OU Security

    Type   Name                                Access                                                Applies To
    Allow  Enterprise Admins                   Full Control                                          This object and all child objects
    Allow  Service Management Owners           Full Control                                          This object and all child objects
    Allow  SYSTEM                              Full Control                                          This object and all child objects
    Allow  \Domain Admins                      List Contents, Read All Properties, Read Permissions  This object and all child objects
    Allow  Pre-Windows 2000 Compatible Access  List Contents, Read All Properties, Read Permissions  This object and all child objects
    Allow  Enterprise Domain Controllers       List Contents, Read All Properties, Read Permissions  This object and all child objects

  • 28/43

    Controlled OU Audit Settings

    Type     Name      Access                                                              Applies To
    Success  Everyone  Write All Properties, Delete, Delete Subtree, Modify Permissions,   This object and all child objects
                       Modify Owner, All Validated Writes, All Extended Rights,
                       Create All Child Objects, Delete All Child Objects
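The two tables above are the whole point of the controlled OU: nobody outside a short list can change it, and every change attempt is audited. As an added example that is not part of the deck, the PowerShell below reads the OU's DACL and SACL and reports anything that deviates from those tables. The OU distinguished name is an assumption; "Service Management Owners" is the group name the table uses. Right names are the System.DirectoryServices.ActiveDirectoryRights equivalents of the GUI labels (Full Control = GenericAll, List Contents = ListChildren, Read All Properties = ReadProperty, Read Permissions = ReadControl, Modify Permissions = WriteDacl, Modify Owner = WriteOwner, All Validated Writes = Self, All Extended Rights = ExtendedRight).

```powershell
# Added example (not from the slides): compare the controlled OU's DACL and SACL
# against the entries in the "Controlled OU Security" and "Audit Settings" tables.
Import-Module ActiveDirectory -ErrorAction Stop

# Expected Allow entries, keyed by account name without the domain prefix.
$ExpectedDacl = @{
    'Enterprise Admins'                  = 'GenericAll'
    'Service Management Owners'          = 'GenericAll'
    'SYSTEM'                             = 'GenericAll'
    'Domain Admins'                      = 'ListChildren, ReadProperty, ReadControl'
    'Pre-Windows 2000 Compatible Access' = 'ListChildren, ReadProperty, ReadControl'
    'Enterprise Domain Controllers'      = 'ListChildren, ReadProperty, ReadControl'
}
# Rights that a Success audit entry for Everyone must cover.
$ExpectedAuditRights = [System.DirectoryServices.ActiveDirectoryRights]'WriteProperty, Delete, DeleteTree, WriteDacl, WriteOwner, Self, ExtendedRight, CreateChild, DeleteChild'

function Test-ControlledOuSecurity {
    param([Parameter(Mandatory)][string]$OrganizationalUnit)

    $acl      = Get-Acl -Path "AD:\$OrganizationalUnit" -Audit   # -Audit needs SeSecurityPrivilege
    $findings = [System.Collections.Generic.List[string]]::new()
    $seen     = @{}

    foreach ($ace in $acl.Access) {
        if ($ace.AccessControlType -eq 'Deny') { continue }      # the table has no Deny rows
        $name = ($ace.IdentityReference.Value -split '\\')[-1]    # strip "DOMAIN\" / "BUILTIN\" / "NT AUTHORITY\"
        if (-not $ExpectedDacl.ContainsKey($name)) {
            $findings.Add("Unexpected principal '$($ace.IdentityReference)' holds $($ace.ActiveDirectoryRights)")
            continue
        }
        $seen[$name] = $true
        $allowed = [System.DirectoryServices.ActiveDirectoryRights]$ExpectedDacl[$name]
        $extra   = [int]$ace.ActiveDirectoryRights -band (-bnot [int]$allowed)
        if ($extra -ne 0) {
            $findings.Add("'$name' holds rights beyond the table: $([System.DirectoryServices.ActiveDirectoryRights]$extra)")
        }
        if ($ace.InheritanceType -ne 'All') {
            $findings.Add("'$name' entry applies to '$($ace.InheritanceType)', not 'This object and all child objects'")
        }
    }
    foreach ($name in $ExpectedDacl.Keys) {
        if (-not $seen.ContainsKey($name)) { $findings.Add("Missing expected entry for '$name'") }
    }

    # SACL: OR together every Success rule for Everyone and check the table's rights are all present.
    $audited = 0
    foreach ($rule in $acl.Audit) {
        if ($rule.IdentityReference.Value -eq 'Everyone' -and
            ($rule.AuditFlags -band [System.Security.AccessControl.AuditFlags]::Success)) {
            $audited = $audited -bor [int]$rule.ActiveDirectoryRights
        }
    }
    $missing = [int]$ExpectedAuditRights -band (-bnot $audited)
    if ($missing -ne 0) {
        $findings.Add("Success auditing for Everyone does not cover: $([System.DirectoryServices.ActiveDirectoryRights]$missing)")
    }
    return $findings
}

# Usage; the OU distinguished name is an assumption for this example.
Test-ControlledOuSecurity -OrganizationalUnit 'OU=Service Management,DC=root,DC=example'
```

An empty result means the OU matches both tables. Property-specific entries (an ACE restricted to one attribute or one object class, which the GUI shows on the same line as a broad right) are reported as inheritance or extra-right findings, so treat the output as a list to reconcile against the tables rather than as pass/fail.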

  • 29/43

    Gotchas

    Several issues with the separate-domain model for service management accounts:
      A custom Domain Admin-type group requires Domain Admin-level permissions
      Can't add directly to the Domain Admins group
      Procedures must be followed closely

  • 30/43

    Best Practices

    Restrict membership to within the forest
    Separate accounts
    Cached credentials
    Default service management accounts
    Don't use Account Operators, Server Operators
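Three of these points can be checked mechanically: whether privileged groups contain principals from outside the forest, whether the Account Operators and Server Operators groups are in use, and how many logons administrative hosts cache. The PowerShell below is an added example, not part of the deck; the group list extends the slide's two operator groups with the usual high-privilege groups, the registry value and its default of 10 are standard Windows, and the host name in the usage line is an assumption.

```powershell
# Added example (not from the slides): membership and cached-credential checks for
# the "Best Practices" slide. Run it in the forest root domain so that
# Enterprise Admins and Schema Admins resolve.
Import-Module ActiveDirectory -ErrorAction Stop

$PrivilegedGroups = 'Enterprise Admins', 'Schema Admins', 'Domain Admins', 'Administrators',
                    'Account Operators', 'Server Operators'
$OperatorGroups   = 'Account Operators', 'Server Operators'

function Get-PrivilegedGroupFinding {
    param([string[]]$Group = $PrivilegedGroups)
    foreach ($g in $Group) {
        # Read the raw member DNs rather than Get-ADGroupMember, which fails on
        # members from other forests that it cannot resolve.
        $members = @((Get-ADGroup -Identity $g -Properties member).member)

        if ($g -in $OperatorGroups -and $members.Count -gt 0) {
            [pscustomobject]@{ Group = $g; Member = ($members -join '; '); Finding = 'Operator group should be empty' }
        }
        foreach ($dn in $members) {
            # Members stored under CN=ForeignSecurityPrincipals are SIDs from outside
            # the forest (well-known SIDs such as Authenticated Users also live there,
            # so review each hit).
            if ($dn -like '*,CN=ForeignSecurityPrincipals,*') {
                [pscustomobject]@{ Group = $g; Member = $dn; Finding = 'Member from outside the forest' }
            }
        }
    }
}

function Get-CachedLogonsCount {
    # Number of domain logons Windows caches locally; default is 10 when the value is absent.
    param([Parameter(Mandatory)][string[]]$ComputerName)
    Invoke-Command -ComputerName $ComputerName -ScriptBlock {
        $key = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'
        $v   = (Get-ItemProperty -Path $key -Name CachedLogonsCount -ErrorAction SilentlyContinue).CachedLogonsCount
        $count = if ($null -eq $v) { '10 (default)' } else { $v }
        [pscustomobject]@{ Host = $env:COMPUTERNAME; CachedLogonsCount = $count }
    }
}

Get-PrivilegedGroupFinding | Format-Table -AutoSize
# Host name is an assumption; pass the machines administrators actually log on to.
Get-CachedLogonsCount -ComputerName 'admin-ws01' | Format-Table -AutoSize
```

Hosts where privileged accounts log on should report 0; anything else means a privileged credential verifier stays on disk after logoff, which is the "cached credentials" concern on the slide.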

  • 31/43

    Group Policy Architecture

  • 32/43

    The Basics

  • 33/43

    The Problem

    How do I enforce enterprise-wide security policies?
    Problem: domains are boundaries for Group Policy
    Possible solutions:
      Site-level GPOs
      Non-technical solutions

  • 34/43

    Site-Level GPOs

  • 35/43

    Disadvantages

    UGLY!!!
    Replication issues
    Performance issues
    Issues with placement of ROOT DCs
    Does not apply to password policies
    Non-technical solutions can be just as effective

  • 36/43

    Group Policy Best Practices

    Local Group Policy vs. Domain Group Policy
    Use synchronous mode
    Security Policy Processing: process even if the Group Policy objects have not changed
    Explore capabilities
    Extend group policy

  • 37/43

    Group Policy Best Practices

    Minimize use of Block Policy Inheritance and Enforce options
    Limit the number of GPOs
    Link GPOs as closely as possible
    Disable user/computer configuration when possible
    Avoid cross-domain linking of GPOs
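Most of the practices on this slide leave a footprint in the directory that can be inventoried. The PowerShell below is an added example, not from the deck: it walks the domain root and every OU, reports Block Inheritance, Enforced links and links to GPOs that live in another domain, and lists GPOs whose user or computer half has never been edited (DSVersion 0) yet is still enabled, which are candidates for "disable user/computer configuration". It needs the RSAT GroupPolicy and ActiveDirectory modules; the domain defaults to the one you are logged on to.

```powershell
# Added example (not from the slides): inventory GPO links and flag the patterns
# the "Group Policy Best Practices" slide warns against.
Import-Module GroupPolicy, ActiveDirectory -ErrorAction Stop

function Get-GpoLinkFinding {
    param([string]$Domain = $env:USERDNSDOMAIN)

    $findings = [System.Collections.Generic.List[object]]::new()
    $domainDn = (Get-ADDomain -Identity $Domain).DistinguishedName
    $targets  = @($domainDn) + @(Get-ADOrganizationalUnit -Filter * -Server $Domain |
                                 Select-Object -ExpandProperty DistinguishedName)

    foreach ($target in $targets) {
        $inh = Get-GPInheritance -Target $target -Domain $Domain
        if ($inh.GpoInheritanceBlocked) {
            $findings.Add([pscustomobject]@{ Target = $target; GPO = ''; Finding = 'Block Inheritance set' })
        }
        foreach ($link in $inh.GpoLinks) {
            if ($link.Enforced) {
                $findings.Add([pscustomobject]@{ Target = $target; GPO = $link.DisplayName; Finding = 'Enforced link' })
            }
            if ($link.GpoDomainName -ne $Domain) {
                $findings.Add([pscustomobject]@{ Target = $target; GPO = $link.DisplayName
                                                 Finding = "Cross-domain link (GPO lives in $($link.GpoDomainName))" })
            }
        }
    }

    # A DSVersion of 0 means that half of the GPO has never been written to; if it is
    # still enabled, every client evaluates an empty section on each refresh.
    foreach ($gpo in Get-GPO -All -Domain $Domain) {
        $status = [string]$gpo.GpoStatus
        if ($gpo.User.DSVersion -eq 0 -and $status -notin 'UserSettingsDisabled', 'AllSettingsDisabled') {
            $findings.Add([pscustomobject]@{ Target = ''; GPO = $gpo.DisplayName; Finding = 'User configuration never edited but enabled' })
        }
        if ($gpo.Computer.DSVersion -eq 0 -and $status -notin 'ComputerSettingsDisabled', 'AllSettingsDisabled') {
            $findings.Add([pscustomobject]@{ Target = ''; GPO = $gpo.DisplayName; Finding = 'Computer configuration never edited but enabled' })
        }
    }
    return $findings
}

Get-GpoLinkFinding | Sort-Object Finding, Target | Format-Table -AutoSize
```

"Limit the number of GPOs" has no finding of its own; compare `(Get-GPO -All).Count` against the number of links the report shows, and a GPO that appears in no link at all is the first candidate for removal.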


  • 39/43

    Adopt a Baseline/Guideline

    BASELINE !! BASELINE !! BASELINE !! BASELINE !!

  • 40/43

    Hardening Guideline Components

    1. Preliminary Security Measures (done offline)
       BIOS-level protection
       AV
       Physical security
       Patch
       Verify software, shares, users
       Patches

  • 41/43

    Hardening Guideline Components

    2. Apply group policy
       Automatic OU placement (netdom)
    3. Manual hardening procedures
       DS restore mode password
    4. Verify functionality and security
    5. Back-out procedures
    6. Known vulnerabilities register

  • 42/43

    Domain Controllers and DHCP

    Don't run DHCP on Domain Controllers if you're using dynamic updates
    (DNSUpdateProxy group issue)

  • 43/43

    Questions

    Juan Martinez
    [email protected]
    http://www.ins.com/