1 / 16

Best Practice

Best Practice. Why reinvent the wheel?. Domain controllers Member servers Client computers User accounts Group accounts OUs GPOs. Quick AD overview. Most security gaps are unintentional Estimated 97% can be fixed or avoided Entry point Only need one Initial targets

ivie
Télécharger la présentation

Best Practice

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript

  1. Best Practice Why reinvent the wheel?

  2. Domain controllers • Member servers • Client computers • User accounts • Group accounts • OUs • GPOs Quick AD overview

  3. Most security gaps are unintentional • Estimated 97% can be fixed or avoided • Entry point • Only need one • Initial targets • Attractive accounts for credential theft Commonly Leveraged Vulnerabilities

  4. In Active Directory • Accounts with elevated privileges • On Domain Controller (DC) • Consider it Critical Infrastructure • Operating systems • Inconsistency Misconfiguration

  5. High privileged accounts are usually the targets • Not maintaining separate admin credentials • Logging into unsecure computers • Browsing the internet • Same credentials on all local machines • Improper management Activities Likely to Increase Compromise

  6. Principal of least privilege • Users should have least privileges needed to complete the task. • Privileged accounts are dangerous accounts • Model privilege reduction in every area of the network Reduce AD Attack Surface

  7. Larger the organization, the more complex, the more difficult to secure • Securing local administrator accounts • workstations • member servers • Securing local privileged accounts in AD • Built-in admin accounts • Audit changes to this account • Securing Administrator, Domain Admin and Enterprise Admin groups • Securing Domain Admins Group • Securing Administrators Groups Reducing Privileges

  8. Grouping user based on daily tasks and access needs, ex: • Accounting • Marketing • Controls unnecessary privileges • Simplest implementation -> roles in AD DS • Commercial, off-the-shelf (COTF) available Role-Based Access Controls (RBAC)

  9. Design, creation and implementation used to managed privileged accounts • Manually created or third-party software Privileged Identity/Account Management

  10. Exponential growth in credential theft attacks due to widely available tools • Identify accounts most likely to be targeted • Do not use single factor authentication Robust Authentication Controls

  11. Never administer a trusted system from an insecure host. • Do not rely on single authentication • Do not ignore physical security • Even if organization does not use smart cards consider using it for privileged accounts Secure Administrative Hosts

  12. Same practices already discussed • Physical security • Limit RDP • Patch • Security configuration wizard • Microsoft Security Compliance Manager • Block Internet access on DC • Perimeter firewall restrictions • DC firewall Security DC Against Attack

  13. Windows Audit Policy • Events to monitor • AD objects and attributes to monitor • Classify security events Signs of Compromise

  14. “It is generally well-accepted that if an attacker has obtained SYSTEM, Administrator, root, or equivalent access to a computer, regardless of operating system, that computer can no longer be considered trustworthy, no matter how many efforts are made to “clean” the system. Active Directory is no different. “ • Prevention is better than reaction Planning for Compromise

  15. Best Practices for Securing Active Directory. (2013). 314. • Melber, D. (n.d.). The Administrator Shortcut Guide to Active Directory Security. Sources

More Related