Welcome to the GIG Event (PowerPoint presentation transcript)

MICROSOFT ACTIVE DIRECTORY SERVICES
Presenter: Avinesh, MCP, MCTS
What is ADS?
• Active Directory is a database that keeps track of all the user accounts and passwords in your organization. It allows you to store your user accounts and passwords in one protected location, improving your organization's security.
• Active Directory is subdivided into one or more domains. A domain is a security boundary. Each domain is hosted by a server computer called a domain controller (DC). A domain controller manages all of the user accounts and passwords for a domain.
Active Directory Structure
• Hierarchical
• Base object
(Diagram, labels only: Objects, OU, Domain, Tree, Forest. Objects sit in OUs inside a domain; domains are grouped into a tree; trees form the forest.)
(Diagram: Microsoft unified communications stack. Workloads: E-mail and Calendaring, Instant Messaging (IM), Unified Inbox & Presence, Audio Conferencing, Video Conferencing, Web Conferencing, Telephony, Voice Mail. Each workload is layered over Authentication, Administration, Storage and User Experience. Deployment options: On-Premises, Hybrid, In the Cloud. Panel titles: "Communications Today" and "Future of Communications".)
Domain Controllers on VMs
• How do you back up your domain controllers running on virtual machines?
• Taking a snapshot? What are the side effects?
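One side effect the slide is asking about is USN rollback: reverting a virtualized DC to an earlier snapshot rewinds its update sequence number while replication partners have already consumed the later USNs, so NTDS quarantines the DC. The following check is an added example, not material from the presentation. It reads the two indicators Windows records when that happens; it assumes it runs elevated on the DC itself, on Windows Server 2008 or later, and the virtual-machine detection by model string is a heuristic.

```powershell
# Added example (not from the slides): look for the two indicators Windows
# records after a USN rollback, which is what reverting a virtualized DC to a
# snapshot can cause. Run elevated on the DC.

function Test-DcUsnRollback {
    $findings = @()

    # Indicator 1: NTDS writes "DSA Not Writable" = 4 and stops outbound
    # replication when it detects that its USN counter went backwards.
    $ntdsKey = 'HKLM:\SYSTEM\CurrentControlSet\Services\NTDS\Parameters'
    $dsaNotWritable = (Get-ItemProperty -Path $ntdsKey -ErrorAction SilentlyContinue).'DSA Not Writable'
    if ($dsaNotWritable -eq 4) {
        $findings += 'Registry: "DSA Not Writable" is 4 (USN rollback detected, replication disabled).'
    }

    # Indicator 2: Event ID 2095 in the Directory Service log reports that a
    # replication partner already holds USNs this DC is about to hand out again.
    $events = Get-WinEvent -FilterHashtable @{
        LogName   = 'Directory Service'
        Id        = 2095
        StartTime = (Get-Date).AddDays(-30)
    } -ErrorAction SilentlyContinue
    foreach ($e in $events) {
        $findings += "Event 2095 at $($e.TimeCreated): USN rollback reported by NTDS."
    }

    # Heuristic: is this DC a VM guest at all? (model string check, an assumption)
    $model = (Get-CimInstance -ClassName Win32_ComputerSystem).Model
    $isVirtual = $model -match 'Virtual|VMware|KVM|HVM'

    [pscustomobject]@{
        ComputerName   = $env:COMPUTERNAME
        IsVirtualGuest = $isVirtual
        UsnRollback    = ($findings.Count -gt 0)
        Findings       = $findings
    }
}

Test-DcUsnRollback | Format-List
```

If either indicator is present, the supported recovery is a restore from a proper system-state backup (or demoting and re-promoting the DC), not clearing the registry value; that is why the slide steers away from snapshots as a backup method.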
Active Directory Security Fundamentals
• Forests
• Domains
• Trusts
• Kerberos
• OUs
• Group policy (GPOs)
• ACLs
• Authentication
• Authorization
• Replication
• FSMOs
• Delegation
Securing Active Directory
• Planning
• Creating
• Maintaining
• Best Practices
Planning AD Security
• Considerations upon deployment of AD DCs
  – Datacenter (Microsoft Online Services)
    • Centralized & secure (ADFS and single sign-on)
    • High-end performance (uptime guarantee)
  – Branch offices
    • Lack of IT expertise
    • Slow connectivity to the rest of the organization
Planning AD Security
• Identifying Types of Threats
  – Spoofing
  – Data Tampering
  – Repudiation
  – Information Disclosure
  – Denial of Service
  – Elevation of Privilege
• Identifying Sources of Threats
  – Anonymous Users
  – Authenticated Users
  – Service Administrators
  – Data Administrators
  – Users with Physical Access
Establishing Secure AD Boundaries
• Delegation of Administration
  – Needs to be flexible, limited, secure and dynamic, and must meet the needs of the organization based upon its need for autonomy and isolation
• Forest/Domain Model
• Establish Secure Trusts
Deploying Secure Domain Controllers
• Ensure predictable, repeatable, and secure domain controller deployments.
  – Create a strong administrator password
    • 9 characters, non-dictionary, symbols, etc.
  – Use TCP/IP only, if possible
  – Disable non-essential services
    • IIS, Messenger, SMTP, Telnet, etc.
  – Format partitions with NTFS
  – Install the latest service packs and security updates
  – Prohibit the use of cached credentials when unlocking the DC console
  – Install anti-virus scanning software
  – Maintain secure physical access to domain controllers
Best Practices
• Domain Policies
  – Password Policies
    • History
    • Age
    • Length
    • Complexity
  – Lockout Policy
    • Duration
    • Threshold
    • Reset
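The settings in this list map one-to-one onto the default domain password policy. The script below is an added example, not code from the presentation: it reads the policy with the ActiveDirectory RSAT module, compares each item (history, age, length, complexity, lockout duration, threshold, reset window) with a minimum, and provides a separate function that writes those minimums back. The numeric minimums are example values chosen here, not values from the slide, and the Set- function assumes rights to edit the Default Domain Policy.

```powershell
# Added example (not code from the presentation): check and, on request, enforce
# the default domain password and lockout policy. Thresholds are example values.
Import-Module ActiveDirectory

$minimums = @{
    PasswordHistoryCount     = 24                        # history
    MinPasswordAge           = [timespan]'1.00:00:00'    # age: at least 1 day between changes
    MaxPasswordAge           = [timespan]'90.00:00:00'   # age: expire within 90 days
    MinPasswordLength        = 12                        # length
    ComplexityEnabled        = $true                     # complexity
    LockoutThreshold         = 10                        # lockout threshold (bad attempts)
    LockoutDuration          = [timespan]'00:30:00'      # lockout duration
    LockoutObservationWindow = [timespan]'00:30:00'      # reset counter after
}

function Test-DomainPasswordPolicy {
    param([string]$Domain = (Get-ADDomain).DNSRoot)
    $p = Get-ADDefaultDomainPasswordPolicy -Identity $Domain
    $issues = @()

    if ($p.PasswordHistoryCount -lt $minimums.PasswordHistoryCount) {
        $issues += "History: $($p.PasswordHistoryCount) remembered, want >= $($minimums.PasswordHistoryCount)"
    }
    if ($p.MinPasswordAge -lt $minimums.MinPasswordAge) {
        $issues += "Min age: $($p.MinPasswordAge), want >= $($minimums.MinPasswordAge)"
    }
    # A zero or TimeSpan.MaxValue maximum age means passwords never expire
    if ($p.MaxPasswordAge -eq [timespan]::Zero -or $p.MaxPasswordAge -eq [timespan]::MaxValue -or
        $p.MaxPasswordAge -gt $minimums.MaxPasswordAge) {
        $issues += "Max age: $($p.MaxPasswordAge), want <= $($minimums.MaxPasswordAge) and not 'never'"
    }
    if ($p.MinPasswordLength -lt $minimums.MinPasswordLength) {
        $issues += "Length: $($p.MinPasswordLength), want >= $($minimums.MinPasswordLength)"
    }
    if (-not $p.ComplexityEnabled) { $issues += 'Complexity: disabled' }
    # A threshold of 0 disables lockout entirely
    if ($p.LockoutThreshold -eq 0 -or $p.LockoutThreshold -gt $minimums.LockoutThreshold) {
        $issues += "Lockout threshold: $($p.LockoutThreshold), want 1..$($minimums.LockoutThreshold)"
    }
    if ($p.LockoutDuration -lt $minimums.LockoutDuration) {
        $issues += "Lockout duration: $($p.LockoutDuration), want >= $($minimums.LockoutDuration)"
    }
    if ($p.LockoutObservationWindow -lt $minimums.LockoutObservationWindow) {
        $issues += "Lockout reset window: $($p.LockoutObservationWindow), want >= $($minimums.LockoutObservationWindow)"
    }

    [pscustomobject]@{ Domain = $Domain; Compliant = ($issues.Count -eq 0); Issues = $issues }
}

function Set-DomainPasswordPolicyMinimums {
    param([string]$Domain = (Get-ADDomain).DNSRoot)
    # Writes the minimums into the Default Domain Policy; a deliberate change, so not run automatically
    Set-ADDefaultDomainPasswordPolicy -Identity $Domain `
        -PasswordHistoryCount $minimums.PasswordHistoryCount `
        -MinPasswordAge $minimums.MinPasswordAge `
        -MaxPasswordAge $minimums.MaxPasswordAge `
        -MinPasswordLength $minimums.MinPasswordLength `
        -ComplexityEnabled $minimums.ComplexityEnabled `
        -LockoutThreshold $minimums.LockoutThreshold `
        -LockoutDuration $minimums.LockoutDuration `
        -LockoutObservationWindow $minimums.LockoutObservationWindow
}

Test-DomainPasswordPolicy | Format-List
# After reviewing the report:  Set-DomainPasswordPolicyMinimums; Test-DomainPasswordPolicy
```

Note that this covers only the domain-wide default; fine-grained password policies (PSOs) applied to service admin accounts override it and need their own check.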
Best Practices
• Domain Controller Policies
  – User Rights
    • Log on locally
    • System shutdown
  – Enable Auditing
    • Account logon
    • Account management
    • Directory service access
    • Logon events
    • Policy changes
    • System events
  – Event Logging
    • Security log size set to 128 MB
    • Retention set to overwrite events as needed
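The audit categories and event-log settings above can be applied and verified with two tools that ship with Windows. The script below is an added example, not code from the presentation; it uses auditpol.exe for the six categories (auditpol's "DS Access" is the slide's "Directory Service Access") and wevtutil.exe for the 128 MB / overwrite-as-needed Security log, then reads both back. It assumes it runs elevated on a DC; in a fleet the same settings belong in the Default Domain Controllers Policy so every DC gets them consistently.

```powershell
# Added example (not code from the presentation): set and verify DC audit
# categories and Security-log retention with auditpol.exe and wevtutil.exe.

$auditCategories = @(
    'Account Logon',
    'Account Management',
    'DS Access',          # Directory Service Access
    'Logon/Logoff',       # Logon events
    'Policy Change',
    'System'
)

function Enable-DcAuditPolicy {
    foreach ($category in $auditCategories) {
        # Success and failure for every subcategory in the category
        auditpol.exe /set /category:"$category" /success:enable /failure:enable | Out-Null
        if ($LASTEXITCODE -ne 0) { Write-Warning "auditpol failed for category '$category'" }
    }
}

function Set-SecurityLogRetention {
    param([int]$MaxSizeMB = 128)
    # /ms: maximum size in bytes; /rt:false = do not retain, i.e. overwrite events as needed
    wevtutil.exe sl Security "/ms:$($MaxSizeMB * 1MB)" /rt:false
}

function Get-DcAuditState {
    # /r emits CSV with columns: Machine Name, Policy Target, Subcategory,
    # Subcategory GUID, Inclusion Setting, Exclusion Setting
    $rows = auditpol.exe /get /category:* /r | Where-Object { $_ } | ConvertFrom-Csv
    $log  = Get-WinEvent -ListLog Security
    [pscustomobject]@{
        SubcategoriesNotAudited = @($rows | Where-Object { $_.'Inclusion Setting' -eq 'No Auditing' }).Subcategory
        SecurityLogMaxMB        = [math]::Round($log.MaximumSizeInBytes / 1MB)
        SecurityLogMode         = $log.LogMode   # Circular = overwrite as needed
    }
}

Enable-DcAuditPolicy
Set-SecurityLogRetention -MaxSizeMB 128
Get-DcAuditState | Format-List
```

With overwrite-as-needed retention, 128 MB on a busy DC can hold less than a day of events, so the Security log should also be forwarded to a collector if it is to be useful for investigation.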
Best Practices
• Secure Service Admin Accounts
  – Enterprise Admins
  – Schema Admins
  – Administrators
  – Domain Admins – rename this account
  – Server Operators
  – Account Operators
  – Backup Operators
• Best Practices
  – Rename the administrator account
  – Limit the number of service admin accounts
  – Separate administrator accounts from end-user accounts
Deploy Secure DNS
• Protecting DNS Servers
  – Use Active Directory-integrated DNS zones.
  – Implement secure updates between DNS clients and servers.
  – Protect the DNS cache on domain controllers.
  – Monitor network activity.
  – Close all unused firewall ports.
• Protecting DNS Data
  – Use secure dynamic update.
  – Ensure that third-party DNS servers support secure dynamic update.
  – Ensure that only trusted individuals are granted DNS administrator privileges.
  – Set ACLs on DNS data.
  – Use separate internal and external namespaces.
Maintaining Secure AD Operations
• Maintain Baseline Information
  – Create a baseline database of Active Directory infrastructure information.
    • Audit policies
    • List of GPOs and their assignments
    • List of trusts
    • List of domain controllers and administrative workstations
    • Service administrators
    • Operations masters (FSMO roles)
    • Replication topology
    • Database size (.DIT file)
    • OS version, service packs, hotfixes, anti-virus version
  – Detect and verify infrastructure changes
Maintaining Secure AD Operations
• Monitoring the AD Infrastructure
  – Collect information in real time or at specified time intervals.
    • Security event logs
  – Compare this data with previous data or against a threshold value.
  – Respond to a security alert as directed in your organization's practices.
  – Summarize security monitoring in one or more regularly scheduled reports.
Maintaining Secure AD Operations
• Monitoring the AD Infrastructure
  – Monitoring Forest-level Changes
    • Detect changes in the Active Directory schema.
    • Identify when domain controllers are added or removed.
    • Detect changes in replication topology.
    • Detect changes in LDAP policies.
    • Detect changes in forest-wide operations master roles.
Maintaining Secure AD Operations
• Monitoring Domain-level Changes
  – Detect changes in domain-wide operations master roles.
  – Detect changes in trusts.
  – Detect changes in GPOs for the Domain container and the Domain Controllers OU.
  – Detect changes in GPO assignments for the Domain container and the Domain Controllers OU.
  – Detect changes in the membership of the built-in groups.
  – Detect changes in the audit policy settings for the domain.
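The "Maintain Baseline Information" slide and the two change-detection slides describe one loop: capture a baseline, capture again later, report the difference. The script below is an added example, not code from the presentation, that implements that loop for the items the slides name (schema version, forest and domain FSMO holders, domain controllers, trusts, GPOs and their links on the domain and the Domain Controllers OU, membership of the built-in admin groups, audit policy subcategories, .DIT size). It assumes the ActiveDirectory and GroupPolicy RSAT modules, read access to the domain, and that it runs on a DC so the audit-policy and .DIT checks apply to that DC; the baseline file location is an example choice. Replication topology is left out here and is better read with repadmin /showrepl.

```powershell
# Added example (not code from the presentation): write an AD infrastructure
# baseline to JSON on the first run, report added/removed items on later runs.
Import-Module ActiveDirectory
Import-Module GroupPolicy

$baselinePath = "$env:ProgramData\ad-baseline.json"   # example location, adjust as needed
$builtinAdminGroups = @('Enterprise Admins', 'Schema Admins', 'Administrators',
    'Domain Admins', 'Server Operators', 'Account Operators', 'Backup Operators')

function Get-AdBaseline {
    $forest  = Get-ADForest
    $domain  = Get-ADDomain
    $rootDse = Get-ADRootDSE

    # GPO assignments on the Domain container and the Domain Controllers OU
    $gpoLinks = foreach ($target in @($domain.DistinguishedName, $domain.DomainControllersContainer)) {
        foreach ($link in (Get-GPInheritance -Target $target).GpoLinks) {
            "$target <- $($link.DisplayName) (enabled=$($link.Enabled), enforced=$($link.Enforced))"
        }
    }
    $groupMembers = foreach ($g in $builtinAdminGroups) {
        # Enterprise/Schema Admins exist only in the forest root; skip quietly elsewhere
        Get-ADGroupMember -Identity $g -ErrorAction SilentlyContinue |
            ForEach-Object { "$g <- $($_.distinguishedName)" }
    }
    $ditPath = (Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Services\NTDS\Parameters' -ErrorAction SilentlyContinue).'DSA Database file'
    $ditMB = if ($ditPath -and (Test-Path $ditPath)) { [math]::Round((Get-Item $ditPath).Length / 1MB) } else { -1 }

    @{
        SchemaVersion     = @((Get-ADObject -Identity $rootDse.schemaNamingContext -Properties objectVersion).objectVersion)
        ForestFsmo        = @("Schema=$($forest.SchemaMaster)", "DomainNaming=$($forest.DomainNamingMaster)")
        DomainFsmo        = @("PDC=$($domain.PDCEmulator)", "RID=$($domain.RIDMaster)", "Infrastructure=$($domain.InfrastructureMaster)")
        DomainControllers = @(Get-ADDomainController -Filter * | ForEach-Object { $_.HostName } | Sort-Object)
        Trusts            = @(Get-ADTrust -Filter * | ForEach-Object { "$($_.Name) ($($_.Direction), $($_.TrustType))" } | Sort-Object)
        Gpos              = @(Get-GPO -All | ForEach-Object { "$($_.DisplayName) modified=$($_.ModificationTime.ToString('s'))" } | Sort-Object)
        GpoLinks          = @($gpoLinks | Sort-Object)
        AdminGroupMembers = @($groupMembers | Sort-Object)
        AuditPolicy       = @(auditpol.exe /get /category:* /r | Where-Object { $_ } | ConvertFrom-Csv |
                              ForEach-Object { "$($_.Subcategory)=$($_.'Inclusion Setting')" } | Sort-Object)
        DitSizeMB         = @($ditMB)
    }
}

function Compare-AdBaseline {
    param([Parameter(Mandatory)][string]$Path)
    $old = Get-Content -Path $Path -Raw | ConvertFrom-Json
    $new = Get-AdBaseline
    foreach ($area in ($new.Keys | Sort-Object)) {
        $before = @($old.$area)
        $after  = @($new[$area])
        foreach ($v in $before) { if ($after -notcontains $v)  { [pscustomobject]@{ Area = $area; Change = 'Removed'; Value = $v } } }
        foreach ($v in $after)  { if ($before -notcontains $v) { [pscustomobject]@{ Area = $area; Change = 'Added';   Value = $v } } }
    }
}

if (-not (Test-Path $baselinePath)) {
    Get-AdBaseline | ConvertTo-Json -Depth 3 | Set-Content -Path $baselinePath
    "Baseline written to $baselinePath"
} else {
    $changes = @(Compare-AdBaseline -Path $baselinePath)
    if ($changes.Count -eq 0) { 'No infrastructure changes since baseline.' } else { $changes | Format-Table -AutoSize }
}
```

Every row in the change report should correspond to an approved change ticket; an unexplained FSMO move, new trust, or new member of Domain Admins is exactly the "detect and verify" case the slides describe. Keep the baseline file itself on an admin workstation with restricted ACLs, since it lists your privileged accounts.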
Best Practices: DNS
• Use AD-integrated zones if at all possible
• Use forwarders instead of secondaries
  – Eliminates text-based zone files
• Treat DNS admins as service admins
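The DNS recommendations on the "Deploy Secure DNS" slide and on this one (AD-integrated zones, secure dynamic update, cache protection, forwarders rather than secondaries) can all be read from the DNS server role. The script below is an added example, not code from the presentation: it lists the zones and server settings that fall short, with the cmdlet that fixes each, and provides a separate function that switches AD-integrated zones to secure-only updates. It assumes the DnsServer RSAT module (Windows Server 2012 or later) and DNS administrator rights on the server named in the parameter.

```powershell
# Added example (not code from the presentation): audit a DNS server's zones and
# settings against the slide's recommendations and report a fix per finding.
Import-Module DnsServer

function Get-DnsSecurityFindings {
    param([string]$ComputerName = $env:COMPUTERNAME)
    $findings = @()
    $zones = Get-DnsServerZone -ComputerName $ComputerName | Where-Object { -not $_.IsAutoCreated }

    foreach ($z in $zones) {
        if ($z.ZoneType -eq 'Primary' -and -not $z.IsDsIntegrated) {
            $findings += [pscustomobject]@{ Zone = $z.ZoneName; Issue = 'Primary zone stored in a text file, not AD-integrated'
                Fix = "ConvertTo-DnsServerPrimaryZone -Name '$($z.ZoneName)' -ReplicationScope Domain" }
        }
        if ($z.ZoneType -eq 'Primary' -and $z.DynamicUpdate -ne 'Secure') {
            # 'NonsecureAndSecure' lets any host overwrite records; 'None' breaks DC and client registration
            $findings += [pscustomobject]@{ Zone = $z.ZoneName; Issue = "Dynamic update is '$($z.DynamicUpdate)', not 'Secure'"
                Fix = "Set-DnsServerPrimaryZone -Name '$($z.ZoneName)' -DynamicUpdate Secure" }
        }
        if ($z.ZoneType -eq 'Secondary') {
            $findings += [pscustomobject]@{ Zone = $z.ZoneName; Issue = 'Secondary zone (zone transfer into a text file)'
                Fix = 'Replace with an AD-integrated zone or a conditional forwarder' }
        }
    }

    $cache = Get-DnsServerCache -ComputerName $ComputerName
    if (-not $cache.EnablePollutionProtection) {
        $findings += [pscustomobject]@{ Zone = '(server)'; Issue = 'Cache pollution protection disabled'
            Fix = 'Set-DnsServerCache -PollutionProtection $true' }
    }
    $fwd = Get-DnsServerForwarder -ComputerName $ComputerName
    if (-not $fwd.IPAddress) {
        $findings += [pscustomobject]@{ Zone = '(server)'; Issue = 'No forwarders configured (root hints used directly)'
            Fix = 'Add-DnsServerForwarder -IPAddress <upstream resolver>' }
    }
    $findings
}

function Set-DnsZonesSecureUpdateOnly {
    param([string]$ComputerName = $env:COMPUTERNAME)
    # Secure dynamic update is only available for AD-integrated zones, hence the filter
    Get-DnsServerZone -ComputerName $ComputerName |
        Where-Object { $_.IsDsIntegrated -and -not $_.IsAutoCreated -and $_.DynamicUpdate -ne 'Secure' } |
        ForEach-Object {
            Set-DnsServerPrimaryZone -ComputerName $ComputerName -Name $_.ZoneName -DynamicUpdate Secure
            "Switched $($_.ZoneName) to secure dynamic update"
        }
}

Get-DnsSecurityFindings | Format-Table -AutoSize
# After review:  Set-DnsZonesSecureUpdateOnly
```

Switching a zone to secure-only updates means hosts that are not domain members (printers, appliances) can no longer register themselves; register those records statically or through DHCP before making the change.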
Best Practices: DHCP
• Configure so that:
  – The client updates its A record
  – The DHCP service updates the PTR record
Best Practices: DC Policies
• Enable auditing
• Disable anonymous connections
• Digitally sign client communications
• Disable cached credentials
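The items on this slide and on "Deploying Secure Domain Controllers" (non-essential services, NTFS, cached credentials, anonymous connections, signed communications, anti-virus) are all visible from the DC's own configuration. The script below is an added example, not code from the presentation: a read-only check that lists each item that is not in the expected state. It assumes it runs elevated on the DC, on Windows Server 2012 or later (for Get-Volume), and that the service names for IIS, Messenger, SMTP and Telnet are the ones listed; the list of "non-essential" services is taken from the slide's examples and is an assumption for any given environment.

```powershell
# Added example (not code from the presentation): read-only hardening check of a
# domain controller against the items on the two DC slides.

$nonEssentialServices = @('W3SVC', 'Messenger', 'SMTPSVC', 'TlntSvr')   # IIS, Messenger, SMTP, Telnet

function Get-RegValue {
    param([string]$Path, [string]$Name)
    # Returns $null when the key or value is absent instead of throwing
    try { (Get-ItemProperty -Path $Path -Name $Name -ErrorAction Stop).$Name } catch { $null }
}

function Test-DcHardening {
    $findings = @()

    foreach ($svc in $nonEssentialServices) {
        $s = Get-Service -Name $svc -ErrorAction SilentlyContinue
        if ($s -and $s.StartType -ne 'Disabled') {
            $findings += "Service $svc is installed and not disabled (StartType=$($s.StartType), Status=$($s.Status))."
        }
    }

    # Every fixed volume with a drive letter should be NTFS (ACLs, auditing, encryption)
    Get-Volume | Where-Object { $_.DriveType -eq 'Fixed' -and $_.DriveLetter } | ForEach-Object {
        if ($_.FileSystemType -ne 'NTFS') { $findings += "Volume $($_.DriveLetter): is $($_.FileSystemType), not NTFS." }
    }

    # Cached domain credentials: 0 means none are stored locally
    $cached = Get-RegValue 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon' 'CachedLogonsCount'
    if ($null -eq $cached -or [int]$cached -ne 0) { $findings += "CachedLogonsCount is '$cached' (expected 0 on a DC)." }

    # Anonymous connections (the "Network access: Do not allow anonymous enumeration ..." policies)
    $lsa = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
    if ((Get-RegValue $lsa 'RestrictAnonymous') -ne 1)    { $findings += 'RestrictAnonymous is not 1 (anonymous enumeration of shares allowed).' }
    if ((Get-RegValue $lsa 'RestrictAnonymousSAM') -ne 1) { $findings += 'RestrictAnonymousSAM is not 1 (anonymous enumeration of SAM accounts allowed).' }

    # Digitally signed communications: SMB signing required inbound (server) and outbound (workstation)
    $srv = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters'
    $wks = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanWorkstation\Parameters'
    if ((Get-RegValue $srv 'RequireSecuritySignature') -ne 1) { $findings += 'LanmanServer RequireSecuritySignature is not 1.' }
    if ((Get-RegValue $wks 'RequireSecuritySignature') -ne 1) { $findings += 'LanmanWorkstation RequireSecuritySignature is not 1.' }

    # Anti-virus: Windows Defender exposes its state via Get-MpComputerStatus; other products need their own check
    if (Get-Command Get-MpComputerStatus -ErrorAction SilentlyContinue) {
        $status = Get-MpComputerStatus
        if (-not $status.RealTimeProtectionEnabled) { $findings += 'Windows Defender real-time protection is off.' }
    } else {
        $findings += 'No Windows Defender cmdlets found; verify the installed anti-virus product manually.'
    }

    [pscustomobject]@{
        ComputerName = $env:COMPUTERNAME
        Hardened     = ($findings.Count -eq 0)
        Findings     = $findings
    }
}

Test-DcHardening | Format-List
```

The registry values checked here are the ones the corresponding security-policy settings write; applying them through the Default Domain Controllers Policy rather than editing the registry keeps every DC consistent and keeps the change auditable.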
Best Practices: FSMO Placement
• Implications per role
• Availability
• Survivability
Best Practices: Group Memberships
• Severely limit membership in administrative groups
• Set ACLs on groups so that only service admins can modify service admin groups
• Remove everyone from the Schema Admins group
  – Add someone back in when needed
• Audit changes to service admin groups
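Two of the practices above can be checked directly: that Schema Admins is empty, and that every change to a service admin group is visible in the audit trail. The script below is an added example, not code from the presentation. It reads Schema Admins with the ActiveDirectory module, then reads the Security log for events 4728/4732/4756 (member added to a global/local/universal security group) and 4729/4733/4757 (member removed) and reports the ones that touched a service admin group. It assumes Account Management auditing is enabled (as the earlier auditing slide requires) and that the Security log of the DC named in the parameter is readable by the caller.

```powershell
# Added example (not code from the presentation): verify Schema Admins is empty
# and report recent membership changes to service admin groups from the audit log.
Import-Module ActiveDirectory

$serviceAdminGroups = @('Enterprise Admins', 'Schema Admins', 'Administrators',
    'Domain Admins', 'Server Operators', 'Account Operators', 'Backup Operators')
$memberAddedIds   = 4728, 4732, 4756
$memberRemovedIds = 4729, 4733, 4757

function Test-SchemaAdminsEmpty {
    $members = @(Get-ADGroupMember -Identity 'Schema Admins')
    [pscustomobject]@{
        Group   = 'Schema Admins'
        Empty   = ($members.Count -eq 0)
        Members = $members.SamAccountName
    }
}

function Get-ServiceAdminGroupChanges {
    param([string]$ComputerName = $env:COMPUTERNAME, [int]$Days = 7)
    $filter = @{
        LogName   = 'Security'
        Id        = $memberAddedIds + $memberRemovedIds
        StartTime = (Get-Date).AddDays(-$Days)
    }
    $events = Get-WinEvent -ComputerName $ComputerName -FilterHashtable $filter -ErrorAction SilentlyContinue
    foreach ($e in $events) {
        # EventData order for these IDs: 0 MemberName, 1 MemberSid, 2 TargetUserName (group),
        # 3 TargetDomainName, 4 TargetSid, 5 SubjectUserSid, 6 SubjectUserName, 7 SubjectDomainName
        $p = $e.Properties
        $group = [string]$p[2].Value
        if ($serviceAdminGroups -contains $group) {
            $action = if ($memberAddedIds -contains $e.Id) { 'Added' } else { 'Removed' }
            [pscustomobject]@{
                Time      = $e.TimeCreated
                Action    = $action
                Group     = $group
                Member    = $p[0].Value
                ChangedBy = "$($p[7].Value)\$($p[6].Value)"
                Dc        = $e.MachineName
            }
        }
    }
}

Test-SchemaAdminsEmpty | Format-List
Get-ServiceAdminGroupChanges -Days 7 | Sort-Object Time | Format-Table -AutoSize
```

Group membership changes are logged on the DC that processed the write, so for a complete picture run the second function against every DC (or query the collector the DC logs are forwarded to). Each reported row should match a planned change; an addition made outside a change window, or made by an account that is not itself a service admin, is the condition the ACL recommendation above is meant to prevent.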
Best Practices: Monitoring
• Monitor for any unexpected DC outages
  – Can indicate an attack
• Monitor for unexpected query loads
  – Can indicate a DoS attack
• Monitor for disk space use
  – Can indicate a replicating DoS attack
• Monitor for DNS request traffic
  – Can indicate a DoS attack on DNS
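The "Monitoring the AD Infrastructure" slide describes a loop (collect at an interval, compare with a threshold, respond, summarize) and this slide names the signals worth feeding into it. The script below is an added example, not code from the presentation, that runs one pass of that loop: it counts failed logons, lockouts and Kerberos pre-authentication failures in the Security log over the last interval, samples the NTDS and DNS query-rate performance counters, checks free space on the volume holding the AD database, and prints one row per check with an alert flag. The thresholds are example values (assumptions) to be tuned against a baseline; it assumes it runs elevated on a DC that also hosts the DNS Server role, with English performance-counter names.

```powershell
# Added example (not code from the presentation): one pass of a threshold-based
# DC monitoring loop over Security events, query-rate counters and disk space.

$thresholds = @{
    FailedLogons4625        = 200    # failed logons per interval
    Lockouts4740            = 10     # account lockouts per interval
    KerberosPreAuthFail4771 = 200    # Kerberos pre-authentication failures per interval
    LdapSearchesPerSec      = 2000   # NTDS query load
    DnsQueriesPerSec        = 5000   # DNS query load
    MinFreeDiskPercent      = 15     # on the .DIT volume
}

function New-Check([string]$Name, $Value, $Limit, [bool]$AlertWhenBelow = $false) {
    $alert = if ($AlertWhenBelow) { $Value -lt $Limit } else { $Value -gt $Limit }
    [pscustomobject]@{ Check = $Name; Value = $Value; Threshold = $Limit; Alert = $alert }
}

function Get-SecurityEventCount([int]$Id, [datetime]$Since) {
    # Get-WinEvent reports "no events found" as an error, hence SilentlyContinue and @()
    @(Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = $Id; StartTime = $Since } -ErrorAction SilentlyContinue).Count
}

function Get-CounterValue([string]$Path) {
    $sample = Get-Counter -Counter $Path -ErrorAction SilentlyContinue
    if ($sample) { [math]::Round($sample.CounterSamples[0].CookedValue) } else { $null }
}

function Get-DcMonitorReport {
    param([int]$IntervalMinutes = 15)
    $since = (Get-Date).AddMinutes(-$IntervalMinutes)

    New-Check 'Failed logons (4625)'               (Get-SecurityEventCount 4625 $since) $thresholds.FailedLogons4625
    New-Check 'Account lockouts (4740)'            (Get-SecurityEventCount 4740 $since) $thresholds.Lockouts4740
    New-Check 'Kerberos pre-auth failures (4771)'  (Get-SecurityEventCount 4771 $since) $thresholds.KerberosPreAuthFail4771
    New-Check 'LDAP searches/sec'                  (Get-CounterValue '\NTDS\LDAP Searches/sec') $thresholds.LdapSearchesPerSec
    New-Check 'DNS queries received/sec'           (Get-CounterValue '\DNS\Total Query Received/sec') $thresholds.DnsQueriesPerSec

    # Free space on the volume holding ntds.dit: a replication flood fills this first
    $ditPath = (Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Services\NTDS\Parameters').'DSA Database file'
    $drive = Get-PSDrive -Name ($ditPath.Substring(0, 1))
    $freePercent = [math]::Round(100 * $drive.Free / ($drive.Free + $drive.Used))
    New-Check 'Free disk % on .DIT volume'         $freePercent $thresholds.MinFreeDiskPercent $true
}

$report = @(Get-DcMonitorReport -IntervalMinutes 15)
$report | Format-Table -AutoSize
# "Respond as directed in your organization's practices": here that is a warning; a
# scheduled task would instead hand alerts to the ticketing or SIEM pipeline.
foreach ($alert in ($report | Where-Object Alert)) {
    Write-Warning "$($alert.Check) = $($alert.Value) crossed threshold $($alert.Threshold)"
}
```

Scheduled every 15 minutes and with the rows appended to a file, the same script also produces the "previous data" the slide says to compare against, which is usually a better detector of an abnormal query load than a fixed number: the right threshold for a small branch DC and for a data-center DC differ by orders of magnitude.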
Best Practices: Service Administration
• Create separate admin and user accounts
• Create a separate service admin OU
• Establish secure admin workstations
  – Don't give admin privileges on the workstation
• Use secure updates (NTLM) between admin workstations and DCs
• Use the "log on locally" policy to limit service admin logons to specific admin workstations
Best Practices: Data Administration
• Always use NTFS
• Use encryption where appropriate
Thank You
Q & A?