Windows 2008 Active Directory Branch Office Management (MVP Sampath Perera)
TRANSCRIPT
Windows 2008 Active Directory Branch Office Management
Sampath Perera
[email protected], [email protected]
www.khgeeks.org
Session Objectives & Takeaways
• Session Objectives:
– Identify the key new AD DS features in WS08
– Explain the value of deploying these features
– Demonstrate these features in real-life scenarios
• Key Takeaways:
– Understand when and how to deploy the key new AD DS features
Key Investment areas
• Security
• Manageability
• Branch Office
(Diagram: Hub Site connected to a Branch Office)
Windows 2008 Branch Office Benefits
• Security: BitLocker, Server Core, Read-Only Domain Controller, Admin Role Separation
• Optimization: SYSVOL Replication, DFS Replication, Protocols
• Administration: Print Management Console, PowerShell, WinRS, WinRM, Virtualization, Restartable Active Directory
Branch Office Dilemma
• Small number of employees
• WAN: congested, unreliable
• Security: not sure
• Admin proficiency: generalist
(Diagram: HQ Data Center / Hub Network connected to the Branch Office)
Option 1: Consolidate and remove DCs from the branch
– Branch authentication & authorization fail when the WAN goes down
Option 2: Put a full DC in the branch
– Either give the branch admin privilege or manage remotely
– A compromised branch DC jeopardizes the security of the corporate AD!!!
Branch Office Dilemma
So how can we deploy a Domain Controller in this environment?!
Read-Only Domain Controller
• Admin Role Separation: the RODC server admin does NOT need to be a Domain Admin; prevents a branch admin from accidentally causing harm to the AD; delegated promotion
• Password Replication Policy: policy to configure caching of branch-specific passwords (secrets) on the RODC; policy to filter schema attributes from replicating to the RODC; passwords are not cached by default
• 1-Way Replication: no replication from the RODC to a full DC; an attack on the RODC does not propagate to the AD
RODC – Attacker “experience”
Attacker: Let’s intercept Domain Admin credentials sent to this RODC.
RODC: With Admin role separation, the Domain Admin doesn’t need to log in to me.
Attacker: Let’s steal this RODC.
RODC: By default I do not have any secrets cached. I do not hold any custom app-specific attributes either.
Attacker: Let’s tamper with data on this RODC and use its identity.
RODC: I have a read-only database. Also, no other DC in the enterprise replicates data from me.
Attacker: Damn!
Read-Only Domain Controller – Password Replication Policy
Read-Only Domain Controller – How it works
1. Logon request sent to the RODC
2. RODC looks in its DB: "I don't have the user's secrets"
3. Forwards the request to a full DC
4. Full DC authenticates the user
5. Returns the authentication response and TGT back to the RODC
6. RODC gives the TGT to the user and queues a replication request for the secrets
7. Hub DC checks the Password Replication Policy to see if the password can be replicated
(Diagram: Branch RODC exchanging steps 1-7 with the Hub full DC)
Read-Only Domain Controller – Recommended Deployment Models
• No accounts cached (default)
– Pro: Most secure; still provides fast authentication and policy processing
– Con: No offline access for anyone
• Most accounts cached
– Pro: Ease of password management. Manageability improvements of the RODC, not security.
– Con: More passwords potentially exposed to the RODC
• Few accounts (branch-specific accounts) cached
– Pro: Enables offline access for those who need it, and maximizes security for the others
– Con: Fine-grained administration is a new task
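The logon flow in the "How it works" steps and the effect of the Password Replication Policy on the three deployment models, as an added model written for this page (not code from the talk). ReplicationPolicy, HubDc and Rodc are names assumed for the model, not Windows APIs, and secrets are plain strings only to keep the model short.

```python
# Added example, not from the talk: a small model of the RODC logon flow
# (steps 1-7) and of how the Password Replication Policy decides which secrets
# get cached, which is what the three deployment models vary. Class names are
# assumptions for this model; secrets are plain strings purely for brevity.
from dataclasses import dataclass, field


@dataclass
class ReplicationPolicy:
    """Password Replication Policy: an explicit Deny always wins over Allow."""
    allowed: set = field(default_factory=set)
    denied: set = field(default_factory=set)

    def may_cache(self, user: str) -> bool:
        return user in self.allowed and user not in self.denied


@dataclass
class HubDc:
    """Writable hub DC: holds every secret and enforces the PRP (step 7)."""
    secrets: dict
    policy: ReplicationPolicy

    def authenticate(self, user: str, password: str) -> bool:
        return self.secrets.get(user) == password


@dataclass
class Rodc:
    hub: HubDc
    cache: dict = field(default_factory=dict)   # secrets cached on the RODC
    log: list = field(default_factory=list)

    def logon(self, user: str, password: str, wan_up: bool = True) -> bool:
        if user in self.cache:                    # step 2: secret is local
            self.log.append(f"{user}: authenticated locally")
            return self.cache[user] == password
        if not wan_up:                            # no secret and no hub: fails
            self.log.append(f"{user}: no cached secret and hub unreachable")
            return False
        ok = self.hub.authenticate(user, password)          # steps 3-5
        if ok and self.hub.policy.may_cache(user):          # steps 6-7
            self.cache[user] = self.hub.secrets[user]
            self.log.append(f"{user}: secret replicated to RODC")
        elif ok:
            self.log.append(f"{user}: authenticated by hub, secret not cached")
        return ok
```

With an empty allowed set the model behaves like the default "no accounts cached" deployment: every logon is forwarded and nothing survives a WAN outage.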
Read-Only Domain Controller – Upgrade path from a Windows 2003 Domain
• Deployment steps:
1. ADPREP /ForestPrep
2. ADPREP /DomainPrep
3. Promote a Windows Server 2008 DC
4. Verify Forest Functional Mode is Windows 2003
5. ADPREP /RodcPrep
6. Promote RODC
(Legend: Not RODC specific / RODC-specific task)
Test RODCs for application compatibility in your environment!
Read-Only Domain Controller – Delegated Administrator (“Local Roles”)
• Delegated RODC Promotion
Read-Only Domain Controller – Admin role separation
Branch Office & Replication Optimization
• DFS-R replication provides more robust and detailed replication of SYSVOL contents
– Requires Windows Server 2008 Domain Mode
Key Investment areas: Security, Manageability, Branch Office
Directory Service Auditing – New Directory Service Changes Events
• Event logs tell you exactly:
– Who made a change
– When the change was made
– What object/attribute was changed
– The beginning & end values
• Auditing controlled by:
– Global audit policy
– SACL
– Schema
Directory Service Auditing in Windows Server 2008
Event ID  Event type  Event description
5136      Modify      This event is logged when a successful modification is made to an attribute in the directory.
5137      Create      This event is logged when a new object is created in the directory.
5138      Undelete    This event is logged when an object is undeleted in the directory.
5139      Move        This event is logged when an object is moved within the domain.
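Turning the 5136-5139 events into the who/when/what/before/after view the slide promises, as an added example written for this page (not code from the talk). The pipe-separated record format and the sample records are constructed; real events are XML in the Security log, and a single attribute change produces a 5136 "Value Deleted" and a 5136 "Value Added" event, which is why the parser merges the pair.

```python
# Added example, not from the talk: summarize Directory Service Changes records
# (event IDs 5136-5139) as who/when/what/before/after. The pipe-separated line
# format and the records in SAMPLE are constructed for this example; real events
# are XML in the Security log, logged as a "Value Deleted" / "Value Added" pair.
EVENT_TYPE = {5136: "Modify", 5137: "Create", 5138: "Undelete", 5139: "Move"}

SAMPLE = """\
5136|2008-05-12T09:14:02Z|CORP\\jdoe|CN=Web01,OU=Servers,DC=corp,DC=local|description|Value Deleted|Web server
5136|2008-05-12T09:14:02Z|CORP\\jdoe|CN=Web01,OU=Servers,DC=corp,DC=local|description|Value Added|Retired web server
5137|2008-05-12T09:20:41Z|CORP\\svc-prov|CN=NewUser,OU=Branch,DC=corp,DC=local||-|
5136|2008-05-12T10:02:17Z|CORP\\bsmith|CN=Domain Admins,CN=Users,DC=corp,DC=local|member|Value Added|CN=bsmith,OU=Branch,DC=corp,DC=local
5139|2008-05-12T10:05:00Z|CORP\\jdoe|CN=NewUser,OU=Branch,DC=corp,DC=local||-|OU=Users,DC=corp,DC=local
"""


def parse(text):
    """One record per directory change; a 5136 Deleted/Added pair becomes one record."""
    pending = {}   # (who, object, attribute) -> modify record awaiting its 'Value Added'
    records = []
    for line in text.splitlines():
        eid, when, who, obj, attr, op, value = line.split("|")
        eid = int(eid)
        rec = {"type": EVENT_TYPE[eid], "when": when, "who": who, "object": obj}
        if eid == 5136:
            key = (who, obj, attr)
            if op == "Value Deleted":          # the old value; wait for the new one
                pending[key] = dict(rec, attribute=attr, before=value, after=None)
                continue
            rec = pending.pop(key, dict(rec, attribute=attr, before=None))
            rec["after"] = value
        elif eid == 5139:
            rec["new_parent"] = value
        records.append(rec)
    records.extend(pending.values())          # attribute cleared, nothing added
    return records


def privileged_group_changes(records):
    """Membership changes to any *Admins group: the first thing to alert on."""
    return [r for r in records
            if r["type"] == "Modify" and r.get("attribute") == "member"
            and "Admins" in r["object"]]
```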
Fine-Grained Password Policies – Overview
• Granular administration of password and lockout policies within a domain
• Usage examples:
– Administrators: strict setting (passwords expire every 14 days)
– Service accounts: moderate settings (passwords expire every 31 days, minimum password length 32 characters)
– Average user: “light” setting (passwords expire every 90 days)
Fine-Grained Password Policies – At a glance
• Policies can be applied to:
– Users
– Global security groups
• Does NOT apply to:
– Computer objects
– Organizational Units
• Multiple policies can be associated with a user, but only one applies
Fine-Grained Password Policies – Example
(Diagram: Password Settings Objects PSO 1 and PSO 2, one with Precedence = 10 and one with Precedence = 20, with their "Applies To" links; Resultant PSO = PSO1)
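The rule behind "multiple policies can be associated with a user, but only one applies", as an added model written for this page (not code from the talk). Pso and resultant_pso are names assumed for the model; in AD the precedence is msDS-PasswordSettingsPrecedence, the links are msDS-PSOAppliesTo, and an exact tie is broken by the lowest objectGUID. The three PSOs are constructed data, not the slide's objects.

```python
# Added example, not from the talk: the resultant-PSO rule behind the
# "Resultant PSO = PSO1" slide. Pso and resultant_pso are names assumed for
# this model; in AD the precedence lives in msDS-PasswordSettingsPrecedence,
# the links in msDS-PSOAppliesTo, and an exact tie is broken by the lowest
# objectGUID. The PSOs and "guid-*" values below are constructed data.
from dataclasses import dataclass


@dataclass(frozen=True)
class Pso:
    name: str
    precedence: int          # lower number wins
    guid: str                # tie-breaker, lowest wins
    applies_to: frozenset    # user or global security group names
    max_age_days: int


def resultant_pso(user, groups, psos):
    """PSOs linked to the user directly beat PSOs linked through a group;
    within a tier the lowest precedence wins, then the lowest GUID.
    Returns None when no PSO applies and the Default Domain Policy is used."""
    direct = [p for p in psos if user in p.applies_to]
    via_group = [p for p in psos if p.applies_to & frozenset(groups)]
    for tier in (direct, via_group):
        if tier:
            return min(tier, key=lambda p: (p.precedence, p.guid))
    return None


PSO1 = Pso("PSO1", 10, "guid-a", frozenset({"Branch Admins"}), 14)
PSO2 = Pso("PSO2", 20, "guid-b", frozenset({"Branch Users"}), 90)
SVC = Pso("ServiceAccounts", 30, "guid-c", frozenset({"svc-backup"}), 31)
```

Note that a PSO linked directly to a user wins even when its precedence number is higher than that of a group-linked PSO, which is the case practitioners most often get wrong.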
Key Investment areas: Security, Manageability, Branch Office
Restartable AD DS
• Without a reboot you can now perform offline defragmentation
• DS stopped, similar to a member server:
– NTDS.dit is offline
– Can log on locally with the DSRM password
Manageability Improvements
• Server Core
• Restartable AD DS
– Fewer reboots for servicing
Summary – Key features in Active Directory Domain Services 2008
• Read-Only Domain Controller (RODC)
• Fine-Grained Password Policies
• Enhanced Auditing Capabilities
• Restartable AD DS
• AD DS Database Mounting Tool
• DFS-R SYSVOL Replication