
Welcome to the GIG Event

Welcome to the GIG Event. MICROSOFT ACTIVE DIRECTORY SERVICES. Presenter: Avinesh MCP, MCTS. What is ADS?.





Presentation Transcript


  1. Welcome to the GIG Event

  2. MICROSOFT ACTIVE DIRECTORY SERVICES Presenter: Avinesh MCP, MCTS

  3. What is ADS?
     • Active Directory is a database that keeps track of all the user accounts and passwords in your organization. It allows you to store your user accounts and passwords in one protected location, improving your organization's security.
     • Active Directory is subdivided into one or more domains. A domain is a security boundary. Each domain is hosted by a server computer called a domain controller (DC). A domain controller manages all of the user accounts and passwords for a domain.

  4. Active Directory Structure
     • Hierarchical
     • Base object
     (Diagram: forest, domain tree, domains, OUs and objects)

  5. Communications Today / Future of Communications
     (Diagram: today's separate channels, each with its own user experience, authentication, administration and storage: Instant Messaging (IM), Video Conferencing, Web Conferencing, E-mail and Calendaring, Audio Conferencing, Voice Mail, Telephony. The future: Unified Inbox & Presence over Instant Messaging, Telephony and Voice Mail, Unified Conferencing (Audio, Video, Web) and E-mail and Calendaring, with shared Authentication, Administration, Storage and Compliance. Deployment: On-Premises, Hybrid, In the Cloud.)

  6. Domain Controllers on VMs
     • How do you back up your domain controllers running on virtual machines?
     • Taking a snapshot? What are the side effects?

  7. Active Directory Security Fundamentals
     • Forests
     • Domains
     • Trusts
     • Kerberos
     • OUs
     • Group policy (GPOs)
     • ACLs
     • Authentication
     • Authorization
     • Replication
     • FSMOs
     • Delegation

  8. Securing Active Directory
     • Planning
     • Creating
     • Maintaining
     • Best Practices

  9. Planning AD Security
     • Considerations upon deployment of AD DCs
       • Datacenter (Microsoft Online Services)
         • Centralized & Secure (ADFS and single sign-on)
         • High End Performance (uptime guarantee)
       • Branch Offices
         • Lack of IT Expertise
         • Slow connectivity to rest of organization

  10. Planning AD Security
     • Identifying Types of Threats
       • Spoofing
       • Data Tampering
       • Repudiation
       • Information Disclosure
       • Denial of Service
       • Elevation of Privilege
     • Identifying Sources of Threats
       • Anonymous Users
       • Authenticated Users
       • Service Administrators
       • Data Administrators
       • Users with Physical Access

  11. Establishing Secure AD Boundaries
     • Delegation of Administration
       • Needs to be flexible, limited, secure, dynamic and meet the needs of the organization based upon its need for autonomy and isolation
     • Forest/Domain Model
     • Establish Secure Trusts

  12. Deploying Secure Domain Controllers
     • Ensure predictable, repeatable, and secure domain controller deployments.
     • Create a strong administrator password
       • 9 characters, non-dictionary, symbols, etc.
     • Use TCP/IP only if possible
     • Disable non-essential services
       • IIS, Messenger, SMTP, Telnet, etc.
     • Format partitions with NTFS
     • Install latest service packs and security updates
     • Prohibit the use of cached credentials when unlocking the DC console
     • Install anti-virus scanning software
     • Maintain Secure Physical Access to Domain Controllers

  13. Best Practices
     • Domain Policies
       • Password Policies
         • History
         • Age
         • Length
         • Complexity
       • Lockout Policy
         • Duration
         • Threshold
         • Reset

  14. Best Practices
     • Domain Controller Policies
       • User Rights
         • Log on locally
         • System Shutdown
       • Enable Auditing
         • Account logon
         • Account Management
         • Directory Service Access
         • Logon events
         • Policy changes
         • System events
       • Event Logging
         • Security log size set to 128 MB
         • Retention – set to overwrite events as needed
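The password and lockout settings of slide 13 and the Security log settings of slide 14, checked against a baseline in PowerShell. This is an added example, not the presenter's material: it uses the ActiveDirectory RSAT module and built-in Windows PowerShell cmdlets, and every threshold other than the 9-character minimum (slide 12) and the 128 MB log size (slide 14) is an assumed baseline value.

```powershell
# Added example, not from the presentation: checks a domain against the slide 13
# password/lockout settings and the slide 14 Security log settings.
# Needs the ActiveDirectory RSAT module; run on or against a domain controller.
# Only the 9-character minimum (slide 12) and the 128 MB log (slide 14) come from
# the slides; every other threshold below is an assumed baseline to replace with yours.
Import-Module ActiveDirectory

$Baseline = @{
    PasswordHistoryCount = 24      # assumed
    MaxPasswordAgeDays   = 90      # assumed
    MinPasswordLength    = 9       # slide 12
    LockoutThreshold     = 10      # assumed; a threshold of 0 means lockout is disabled
    LockoutDurationMin   = 30      # assumed
    LockoutResetMin      = 30      # assumed; the "reset account lockout counter after" window
    SecurityLogBytes     = 128MB   # slide 14
}

function Test-DomainPasswordPolicy {
    $p = Get-ADDefaultDomainPasswordPolicy
    # Each property is $true when the live setting meets the baseline
    [PSCustomObject]@{
        History    = $p.PasswordHistoryCount -ge $Baseline.PasswordHistoryCount
        Age        = ($p.MaxPasswordAge.TotalDays -gt 0) -and
                     ($p.MaxPasswordAge.TotalDays -le $Baseline.MaxPasswordAgeDays)
        Length     = $p.MinPasswordLength -ge $Baseline.MinPasswordLength
        Complexity = $p.ComplexityEnabled
        Threshold  = ($p.LockoutThreshold -gt 0) -and ($p.LockoutThreshold -le $Baseline.LockoutThreshold)
        Duration   = $p.LockoutDuration.TotalMinutes -ge $Baseline.LockoutDurationMin
        Reset      = $p.LockoutObservationWindow.TotalMinutes -ge $Baseline.LockoutResetMin
    }
}

function Test-SecurityLogConfig {
    $log = Get-WinEvent -ListLog Security
    [PSCustomObject]@{
        MaximumSizeInBytes = $log.MaximumSizeInBytes
        SizeOk             = $log.MaximumSizeInBytes -ge $Baseline.SecurityLogBytes
        OverwriteAsNeeded  = $log.LogMode -eq 'Circular'   # slide 14 retention setting
    }
}

Test-DomainPasswordPolicy | Format-List
$logCheck = Test-SecurityLogConfig
$logCheck | Format-List
if (-not ($logCheck.SizeOk -and $logCheck.OverwriteAsNeeded)) {
    # Bring the local Security log in line with slide 14 (Windows PowerShell 5.1 cmdlet)
    Limit-EventLog -LogName Security -MaximumSize 128MB -OverflowAction OverwriteAsNeeded
}
```

Run it with an account that can read the domain policy; the log remediation changes only the DC it runs on, so repeat it per domain controller or push the same values through a GPO.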

  15. Best Practices
     • Secure Service Admin Accounts
       • Enterprise Admins
       • Schema Admins
       • Administrators
       • Domain Admins – rename this account
       • Server Operators
       • Account Operators
       • Backup Operators
     • Best Practices
       • Rename the administrator account
       • Limit the number of service admin accounts
       • Separate administrator accounts from end user accounts

  16. Deploy Secure DNS
     • Protecting DNS Servers
       • Use Active Directory–integrated DNS zones.
       • Implement secure updates between DNS clients and servers.
       • Protect the DNS cache on domain controllers.
       • Monitor network activity.
       • Close all unused firewall ports.
     • Protecting DNS Data
       • Use secure dynamic update.
       • Ensure that third-party DNS servers support secure dynamic update.
       • Ensure that only trusted individuals are granted DNS administrator privileges.
       • Set ACLs on DNS data.
       • Use separate internal and external namespaces.

  17. Maintaining Secure AD Operations
     • Maintain Baseline Information
       • Create a baseline database of Active Directory infrastructure information:
         • Audit Policies
         • List of GPOs and their assignments
         • List of Trusts
         • List of Domain Controllers, Administrative workstations
         • Service Administrators
         • Operations Masters (FSMO roles)
         • Replication topology
         • Database size (.DIT file)
         • OS version, Service Packs, Hotfixes, Anti-Virus version
       • Detect and verify infrastructure changes

  18. Maintaining Secure AD Operations
     • Monitoring the AD Infrastructure
       • Collect information in real time or at specified time intervals.
         • Security Event Logs
       • Compare this data with previous data or against a threshold value.
       • Respond to a security alert as directed in your organization’s practices.
       • Summarize security monitoring in one or more regularly scheduled reports.

  19. Maintaining Secure AD Operations
     • Monitoring the AD Infrastructure
       • Monitoring Forest-level Changes
         • Detect changes in the Active Directory schema.
         • Identify when domain controllers are added or removed.
         • Detect changes in replication topology.
         • Detect changes in LDAP policies.
         • Detect changes in forest-wide operations master roles.

  20. Maintaining Secure AD Operations
     • Monitoring Domain-level Changes
       • Detect changes in domain-wide operations master roles.
       • Detect changes in trusts.
       • Detect changes in GPOs for the Domain container and the Domain Controllers OU.
       • Detect changes in GPO assignments for the Domain container and the Domain Controllers OU.
       • Detect changes in the membership of the built-in groups.
       • Detect changes in the audit policy settings for the domain.

  21. Best Practices: DNS
     • Use AD-integrated zones if at all possible
     • Use forwarders instead of secondaries
       • Eliminates text-based zone files
     • Treat DNS admins as service admins

  22. Best Practices: DHCP
     • Configure so that:
       • Client updates A record
       • DHCP service updates PTR record

  23. Best Practices: DC policies
     • Enable auditing
     • Disable anonymous connections
     • Digitally sign client communications
     • Disable cached credentials

  24. Best Practices: FSMO placement
     • Implications per role
       • Availability
       • Survivability

  25. Best Practices: Group Memberships
     • Severely limit membership in administrative groups
     • Set ACLs on groups so that only service admins can modify service admin groups
     • Remove everyone from the Schema Administrators group
       • Add someone back in when needed
     • Audit changes to service admin groups
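A baseline-and-compare script for the service admin groups named on slide 15, covering the baseline of service administrators from slide 17 and the membership change detection of slides 20 and 25. This is an added example, not the presenter's material; it requires the ActiveDirectory RSAT module, and the baseline file path is an assumption.

```powershell
# Added example, not from the presentation: records the membership of the service
# admin groups listed on slide 15 and reports additions/removals on later runs.
# Needs the ActiveDirectory RSAT module; the baseline path below is an assumption.
Import-Module ActiveDirectory

$ServiceAdminGroups = 'Enterprise Admins', 'Schema Admins', 'Administrators',
                      'Domain Admins', 'Server Operators', 'Account Operators', 'Backup Operators'
$BaselinePath = 'C:\ADBaseline\service-admin-groups.json'   # assumed location

function Get-ServiceAdminMembership {
    $result = @{}
    foreach ($g in $ServiceAdminGroups) {
        # -Recursive flattens nested groups so a member added indirectly is also seen.
        # Enterprise/Schema Admins exist only in the forest root domain; missing groups are skipped.
        $members = Get-ADGroupMember -Identity $g -Recursive -ErrorAction SilentlyContinue |
                   Select-Object -ExpandProperty distinguishedName | Sort-Object
        $result[$g] = @($members | Where-Object { $_ })   # always a (possibly empty) array
    }
    return $result
}

function Compare-ServiceAdminMembership {
    param([hashtable]$Baseline, [hashtable]$Current)
    foreach ($g in $ServiceAdminGroups) {
        $old = @($Baseline[$g]); $new = @($Current[$g])
        foreach ($dn in @($new | Where-Object { $_ -notin $old })) {
            [PSCustomObject]@{ Group = $g; Change = 'Added'; Member = $dn }
        }
        foreach ($dn in @($old | Where-Object { $_ -notin $new })) {
            [PSCustomObject]@{ Group = $g; Change = 'Removed'; Member = $dn }
        }
    }
}

$current = Get-ServiceAdminMembership
if (-not (Test-Path $BaselinePath)) {
    New-Item -ItemType Directory -Path (Split-Path $BaselinePath) -Force | Out-Null
    $current | ConvertTo-Json | Set-Content -Path $BaselinePath
    "Baseline written to $BaselinePath"
} else {
    # ConvertFrom-Json yields a PSCustomObject; rebuild a hashtable keyed by group name
    $saved = Get-Content -Path $BaselinePath -Raw | ConvertFrom-Json
    $baseline = @{}
    foreach ($g in $ServiceAdminGroups) { $baseline[$g] = @($saved.$g | Where-Object { $_ }) }
    $changes = @(Compare-ServiceAdminMembership -Baseline $baseline -Current $current)
    if ($changes.Count -gt 0) { $changes | Format-Table -AutoSize }
    else { 'No service admin group membership changes since baseline' }
}
```

Schedule the script on an administrative workstation and store the baseline file where only service admins can write to it; a reported change that no change ticket explains is the alert slide 25 asks you to audit for.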

  26. Best Practices: Monitoring
     • Monitor for any unexpected DC outages
       • Can indicate an attack
     • Monitor for unexpected query loads
       • Can indicate a DoS attack
     • Monitor for disk space use
       • Can indicate a replicating DoS attack
     • Monitor for DNS request traffic
       • Can indicate a DoS attack on DNS

  27. Best Practices: Service Administration
     • Create separate admin and user accounts
     • Create a separate service admin OU
     • Establish secure admin workstations
       • Don’t give admin privileges on the workstation
     • Use secure updates (NTLM) between admin workstations and DCs
     • Use the “logon locally” policy to limit service admin logons to specific admin workstations

  28. Best Practices: Data Administration
     • Always use NTFS
     • Use encryption where appropriate

  29. Thank You. Q and A?
