
Presentation Transcript


  1. Windows 2000 & Active Directory Security Best Practices & Using Tools to Help Audit. Taha Raja, Senior Systems Engineer

  2. Agenda • Overview • Windows System Hardening Suggestions • Active Directory Security Suggestions • Security Best Practices Guidelines • Reminders • References

  3. Role of Corporate Culture • Paramount to the success of an enterprise security program are the relationships among risk analysis, the organization’s culture, and security policy.

  4. Security is Everyone’s Responsibility • A security policy should communicate to everyone in your organization the simple principle that information is a valuable asset and everyone is responsible for protecting it.

  5. Things To Remember • Policies are cross-platform • Implementations are not • Policies must be designed to be implemented • "Nirvana" security policies (ideals that nobody can actually implement) are not effective • Implementation should include ongoing auditing, enforcement, and non-IT remedies • Leverage tools and solutions to speed up the process

  6. Windows NT/2000 System Hardening Suggestions

  7. System Hardening Intent • Process should result in a server with virtually everything locked down and disabled. • This should provide a secure base upon which to build. • After this procedure is completed, the services this machine is to offer can be selectively enabled.

  8. Recommendations • Updated Patches • Service Packs • Hotfixes • High Encryption Pack • Enable Auditing • Set Password policy • Account Lockout • User Rights • Event Log • Services • Other Settings

  9. Windows 2000 Auditing (RAZOR Recommendations) • Enable auditing for: • Account logon: Success, Failure • Account management: Success, Failure • Directory service access: Failure • Logon events: Success, Failure • Object access: Failure • Policy change: Success, Failure • Privilege use: Failure • Process tracking: Failure • System events: Success, Failure

  10. Password Policy (RAZOR Recommendations) • Enforce Password History: 7 (or higher) • Maximum Password Age: 42 days (default) • Minimum Password Age: 0 days (default; note that 0 lets a user change the password repeatedly in one sitting to cycle past the history list, so 1 day or more is stronger) • Minimum Password Length: 7 • Password Must Meet Complexity Requirements: Enabled

  11. Account Lockout Policy (RAZOR Recommendations) • Account Lockout Duration: 10 minutes (or more) • Account Lockout Threshold: 5 invalid logon attempts • Reset account lockout counter after: 10 minutes

  12. User Rights (RAZOR Recommendations) • Never assign the following user rights to any user or group: • Act as part of the operating system • Create a token object • Create permanent shared objects • Debug programs • Generate security audits • Lock pages in memory • Manage auditing and security log* • Modify firmware environment variables • Replace a process level token • Synchronize directory service data • *Except for the Auditors group described under Securing the Security Event Log (slide 16)

  13. User Rights (RAZOR Recommendations) • Access this computer from the network: • Remove Everyone, Users, Power Users, and Backup Operators (if possible) • Bypass traverse checking: • Change Everyone to Authenticated Users • Change the system time: • Remove Power Users • Deny access to this computer from the network: • Add ANONYMOUS LOGON • Deny logon as a batch job: • Add ANONYMOUS LOGON

  14. User Rights (cont'd.) (RAZOR Recommendations) • Deny logon as a service: • Add ANONYMOUS LOGON • Deny logon locally: • Add ANONYMOUS LOGON • Log on locally: • Remove Users • Remove Power Users • Remove Guest • Remove TsInternetUser • "EVERYONE" should not be listed in any right at this point
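The following PowerShell script is an added example for slides 9 through 14; it is not part of the presentation and not a BindView tool. It parses the output of `secedit /export /cfg` (the same security-template format Windows 2000 uses) and reports every audit, password, lockout and user-rights setting that falls short of the RAZOR recommendations above. The INF text embedded in the script is a constructed, deliberately non-compliant sample so the script runs offline; the key names, the 1/2/3 audit encoding and the `*S-1-...` SIDs are the standard security-template conventions, and the well-known SIDs for Everyone, ANONYMOUS LOGON, Authenticated Users, Users, Power Users and Backup Operators are the documented ones.

```powershell
# Added example, not from the original presentation: check a secedit export
# against the RAZOR recommendations on slides 9-14. On the host under review,
# create the export with:  secedit /export /cfg C:\baseline.inf
# $InfText is a constructed, deliberately non-compliant sample so the script
# runs offline; replace it with (Get-Content C:\baseline.inf -Raw).
$InfText = @'
[System Access]
MinimumPasswordAge = 0
MaximumPasswordAge = 42
MinimumPasswordLength = 6
PasswordComplexity = 0
PasswordHistorySize = 7
LockoutBadCount = 0
[Event Audit]
AuditSystemEvents = 3
AuditLogonEvents = 3
AuditObjectAccess = 2
AuditPrivilegeUse = 0
AuditPolicyChange = 3
AuditAccountManage = 3
AuditProcessTracking = 2
AuditDSAccess = 2
AuditAccountLogon = 3
[Privilege Rights]
SeNetworkLogonRight = *S-1-1-0,*S-1-5-32-544,*S-1-5-32-545
SeInteractiveLogonRight = *S-1-5-32-544,*S-1-5-32-545
SeChangeNotifyPrivilege = *S-1-1-0
SeDebugPrivilege = *S-1-5-32-544
SeSystemtimePrivilege = *S-1-5-32-544,*S-1-5-32-547
SeDenyNetworkLogonRight = *S-1-5-7
'@

function ConvertFrom-SeceditInf {
    # Parse "[Section]" / "Key = Value" lines into nested hashtables.
    param([string]$Text)
    $sections = @{}; $current = $null
    foreach ($raw in $Text -split "`r?`n") {
        $line = $raw.Trim()
        if ($line -eq '' -or $line.StartsWith(';')) { continue }
        if ($line -match '^\[(.+)\]$') { $current = $Matches[1]; $sections[$current] = @{}; continue }
        if ($current -and $line -match '^([^=]+?)\s*=\s*(.*)$') { $sections[$current][$Matches[1]] = $Matches[2].Trim('"') }
    }
    foreach ($s in 'Event Audit', 'System Access', 'Privilege Rights') { if (-not $sections.ContainsKey($s)) { $sections[$s] = @{} } }
    $sections
}

function Get-Holders([hashtable]$Rights, [string]$Name) {
    # Holders of a right are written as comma-separated *SID strings.
    if ($Rights.ContainsKey($Name)) { @($Rights[$Name] -split ',' | ForEach-Object { $_.Trim() }) } else { @() }
}

function Test-RazorBaseline([hashtable]$Inf) {
    $f = New-Object 'System.Collections.Generic.List[string]'
    $audit = $Inf['Event Audit']; $access = $Inf['System Access']; $rights = $Inf['Privilege Rights']
    # Slide 9. secedit encodes audit settings as 1 = success, 2 = failure, 3 = both.
    $auditWant = @{ AuditAccountLogon = 3; AuditAccountManage = 3; AuditDSAccess = 2; AuditLogonEvents = 3; AuditObjectAccess = 2
                    AuditPolicyChange = 3; AuditPrivilegeUse = 2; AuditProcessTracking = 2; AuditSystemEvents = 3 }
    foreach ($k in $auditWant.Keys) {
        $have = if ($audit.ContainsKey($k)) { [int]$audit[$k] } else { 0 }
        if (($have -band $auditWant[$k]) -ne $auditWant[$k]) { $f.Add("Audit: $k is $have, want at least $($auditWant[$k])") }
    }
    # Slides 10-11. Bounds on the policy values (ages in days, lockout values in minutes).
    $policyWant = @{ PasswordHistorySize = @{ Min = 7 }; MaximumPasswordAge = @{ Min = 1; Max = 42 }; MinimumPasswordLength = @{ Min = 7 }
                     PasswordComplexity = @{ Min = 1 }; LockoutBadCount = @{ Min = 1; Max = 5 }; LockoutDuration = @{ Min = 10 }; ResetLockoutCount = @{ Min = 10 } }
    foreach ($k in $policyWant.Keys) {
        $w = $policyWant[$k]
        $have = if ($access.ContainsKey($k)) { [int]$access[$k] } else { 0 }
        if ($k -eq 'LockoutDuration' -and $have -eq -1) { continue }   # -1 = locked until an administrator unlocks
        if (($null -ne $w.Min -and $have -lt $w.Min) -or ($null -ne $w.Max -and $have -gt $w.Max)) { $f.Add("Policy: $k is $have, want $($w.Min)..$($w.Max)") }
    }
    # Slides 12-14. Well-known SIDs and the privilege constants behind the right names.
    $sid = @{ Everyone = '*S-1-1-0'; Anonymous = '*S-1-5-7'; AuthUsers = '*S-1-5-11'; Users = '*S-1-5-32-545'; PowerUsers = '*S-1-5-32-547'; BackupOps = '*S-1-5-32-551' }
    # SeSecurityPrivilege (manage auditing and security log) is omitted: slide 16 assigns it to an Auditors group.
    $never = @('SeTcbPrivilege', 'SeCreateTokenPrivilege', 'SeCreatePermanentPrivilege', 'SeDebugPrivilege', 'SeAuditPrivilege',
               'SeLockMemoryPrivilege', 'SeSystemEnvironmentPrivilege', 'SeAssignPrimaryTokenPrivilege', 'SeSyncAgentPrivilege')
    foreach ($p in $never) { $h = Get-Holders $rights $p; if ($h.Count -gt 0) { $f.Add("Right: $p is assigned to $($h -join ', ')") } }
    $forbid = @{ SeNetworkLogonRight = 'Everyone', 'Users', 'PowerUsers', 'BackupOps'; SeSystemtimePrivilege = 'PowerUsers'; SeInteractiveLogonRight = 'Users', 'PowerUsers' }
    foreach ($r in $forbid.Keys) { $h = Get-Holders $rights $r; foreach ($n in $forbid[$r]) { if ($h -contains $sid[$n]) { $f.Add("Right: $r should not include $n") } } }
    foreach ($r in 'SeDenyNetworkLogonRight', 'SeDenyBatchLogonRight', 'SeDenyServiceLogonRight', 'SeDenyInteractiveLogonRight') {
        if ((Get-Holders $rights $r) -notcontains $sid.Anonymous) { $f.Add("Right: $r should include ANONYMOUS LOGON") }
    }
    if ((Get-Holders $rights 'SeChangeNotifyPrivilege') -notcontains $sid.AuthUsers) { $f.Add('Right: SeChangeNotifyPrivilege (bypass traverse checking) should be held by Authenticated Users') }
    foreach ($r in $rights.Keys) { if ((Get-Holders $rights $r) -contains $sid.Everyone) { $f.Add("Right: $r still lists Everyone") } }
    $f
}

$findings = @(Test-RazorBaseline (ConvertFrom-SeceditInf $InfText))
if ($findings.Count -eq 0) { 'Baseline meets the RAZOR recommendations' } else { $findings | ForEach-Object { Write-Warning $_ } }
```

Two design points: the audit check uses a bitwise test so that auditing more than recommended (Success and Failure where only Failure is required) is not flagged, and the user-rights check works on SIDs rather than names so it is independent of the export language and of renamed built-in groups. Guest and TsInternetUser are not checked because they are domain- or machine-relative accounts without a fixed SID; look for them by name in the `SeInteractiveLogonRight` line of the export.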

  15. Event Log Settings (RAZOR Recommendations) • Set each log to a minimum of 10 MB in size • If exporting to a central repository, set the retention to "Do not overwrite events" • Otherwise, overwrite events as needed

  16. Securing the Security Event Log • The Security event log records audited events, including unauthorized access attempts, so control over it should be tightly limited • Create an "Auditors" group • Give it Full Control of the log • Remove all administrators • Grant the group the user right "Manage auditing and security log"

  17. Best Practices • Patches, patches, patches • The first line of defense is up-to-date patches. Most widely exploited problems already have patches available. • Minimal Services • Many widely exploited flaws exist in services that are installed by default but rarely used. Disable all unused services. • Anti-Virus Software • Up-to-date AV software keeps an outbreak from spreading out of control. • Strong Passwords • Password crackers are fast and getting faster, and exploit tools automate logging in to a variety of services with blank or default passwords. Use one-time passwords whenever possible and strong passwords the rest of the time. Users must be educated to understand the risks. • Egress Filtering • Trojans like to "phone home," as do lots of other malicious programs. Use a web proxy and limit outbound connections strictly.

  18. Active Directory Security Suggestions

  19. Security Features in Active Directory • Granular Delegation • Group Policy Objects (GPOs) • ACLs

  20. Opposite of NT • The granularity of authorizations has been greatly extended in Win2K to cover not only an object but also the attributes of an object. • As a result, you can allow a group of administrators to do nothing but reset user passwords. • This granularity works because the ACEs in an AD object's ACL can be scoped to individual attributes (and to control-access rights such as Reset Password) instead of only to the object as a whole; each object still has a single security descriptor, but access to it is no longer all-or-nothing.

  21. Delegation • The preferred way to delegate administrative control over Active Directory objects is to create OUs within a domain and use the Delegation of Control Wizard to assign granular permissions to the delegated administrators. • When you design the OU structure for each of your domains, consider creating OUs only where you want to delegate administration.
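As an added example for slides 20 and 21 (not from the presentation), this is the Delegation of Control Wizard's "Reset user passwords and force password change at next logon" task expressed with `dsacls`, which makes the grant scriptable and leaves a reviewable record. The OU and group names are assumptions; `dsacls` ships with the Windows 2000 Support Tools and with RSAT on later versions.

```powershell
# Added example, not from the original presentation: the Delegation of Control
# wizard's "Reset user passwords and force password change at next logon"
# task, expressed with dsacls so it can be scripted, reviewed and repeated.
$Ou    = 'OU=Helpdesk Managed Users,DC=example,DC=com'   # assumed OU
$Group = 'EXAMPLE\Helpdesk'                              # assumed group

# Control-access right "Reset Password" on user objects below the OU.
# /I:S = inherit to sub-objects only; the OU object itself gets nothing.
dsacls $Ou /I:S /G "${Group}:CA;Reset Password;user"

# Read/write the pwdLastSet attribute on the same objects; setting it to 0
# is what "user must change password at next logon" does.
dsacls $Ou /I:S /G "${Group}:RPWP;pwdLastSet;user"

# Review what the group holds below this OU. Anything beyond these two
# entries means the delegation has been widened since it was granted.
dsacls $Ou | Select-String -SimpleMatch $Group
```

The two grants are exactly the attribute-level and control-access-right ACEs that slide 20 describes: the helpdesk group gets no write access to any other attribute of the user objects and nothing at all on the OU itself. Re-running the last line periodically is a cheap way to audit that a delegation has not drifted.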

  22. Group Policy Objects • Group Policy will allow you to uniformly enforce defined security policies throughout your computing infrastructure by creating domain-level GPOs that define the most critical security related settings. These settings will then be enforced on each and every computer in the domain. No longer will security settings have to be managed on individual computers.

  23. Group Policy Object Initialization • Computer-related policy settings are applied when the OS initializes (and are refreshed periodically in the background afterwards). • User-related policy settings are applied when users log on to their computers. • NOTE: If computer settings and user settings come into conflict, the computer configuration settings override the user configuration settings.

  24. Take-away Note • The most important thing to remember when you’re setting up access control in your Win2K environment is to give people the minimum number of rights they need to do their jobs.

  25. Security Best Practices Guidelines

  26. Best Practice Overview • Secondary Authentication • General Recommendations • Physical Security • Other Considerations

  27. Using Secondary Authentication • No system administrator in your environment should ever again read mail or compose simple documents while running as a member of the Domain Admins group. Give each administrator a second, unprivileged account for daily work and use the privileged account only for administrative tasks (for example via Run As).

  28. Best Practices - General • Use a legal notice caption on all machines • Use legal notice text on all machines • Do not display the last logon name
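As an added example for slide 22 and slide 28 (not from the presentation), the script below creates one domain-level GPO that carries the three "general" settings and links it at the domain root, which is the "define it once, enforce it everywhere" model slide 22 describes. It needs the GroupPolicy PowerShell module (RSAT or a domain controller); the GPO name, domain DN and banner text are assumptions.

```powershell
# Added example, not from the original presentation: a single domain-level
# GPO carrying the slide-28 settings, created and linked as slide 22 describes.
Import-Module GroupPolicy

$GpoName   = 'Logon Banner and Last User'     # assumed
$DomainDn  = 'DC=example,DC=com'              # assumed
$PolicyKey = 'HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System'
$Caption   = 'Authorized use only'
$Text      = 'This system is for authorized users only. Use is monitored and recorded.'

if (-not (Get-GPO -Name $GpoName -ErrorAction SilentlyContinue)) {
    New-GPO -Name $GpoName -Comment 'Legal notice caption/text; hide last logon name' | Out-Null
}

# These are the registry values behind the matching Security Options entries
# (Interactive logon: message title/text, Do not display last user name).
Set-GPRegistryValue -Name $GpoName -Key $PolicyKey -ValueName 'LegalNoticeCaption'      -Type String -Value $Caption | Out-Null
Set-GPRegistryValue -Name $GpoName -Key $PolicyKey -ValueName 'LegalNoticeText'         -Type String -Value $Text    | Out-Null
Set-GPRegistryValue -Name $GpoName -Key $PolicyKey -ValueName 'DontDisplayLastUserName' -Type DWord  -Value 1        | Out-Null

# Link at the domain root and enforce it so no OU can block inheritance.
$linked = (Get-GPInheritance -Target $DomainDn).GpoLinks | Where-Object { $_.DisplayName -eq $GpoName }
if (-not $linked) { New-GPLink -Name $GpoName -Target $DomainDn -Enforced Yes | Out-Null }

# Read the values back from the GPO itself rather than from one machine.
foreach ($v in 'LegalNoticeCaption', 'LegalNoticeText', 'DontDisplayLastUserName') {
    Get-GPRegistryValue -Name $GpoName -Key $PolicyKey -ValueName $v | Select-Object ValueName, Value
}
```

On Windows 2000 the same three settings are normally set under Security Settings, Local Policies, Security Options in the GPO editor; the script writes them as registry policy instead, which lands in the same `Policies\System` key that Winlogon reads. Because the link is enforced, an OU administrator cannot block it, which is the point of putting the most critical settings at domain level. Confirm on a client after `secedit /refreshpolicy machine_policy` (Windows 2000) or `gpupdate` that the banner appears and the last user name is blank.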

  29. Physical Security Best Practices • Keep servers in a locked room • Disable booting from removable media if the option is available • Remove or restrict access to the removable media drives • The CPU case should be secured with a lock, with the key stored safely away from the computer • Set a system BIOS password

  30. Reminders

  31. Reminder • Security is Everyone’s responsibility • Management • IT Staff • Users

  32. Reminder • Technical support staff should be reminded never to reveal or reset passwords for anyone over the phone • User community education • Password use and “storage” • Social engineering techniques

  33. Importance Of A Strong Password • Estimated time to brute-force a password at 100,000 guesses per second (the table from the slide is not reproduced in this transcript)
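Because the slide's table is missing from the transcript, the following added example (not from the presentation) recomputes the estimate at the slide's rate of 100,000 guesses per second for several character sets and lengths. It adds one row the slide's length-based view hides: Windows 2000 stores the LM hash by default (unless disabled with the NoLMHash setting), and LM upper-cases the password and splits it into two independent 7-character halves, so a 14-character password costs an attacker no more than two 7-character ones. The character-set sizes are standard printable-ASCII counts; everything else is arithmetic.

```powershell
# Added example, not from the original presentation: exhaustive-search time at
# 100,000 guesses/second, plus the LM-hash ceiling that length alone ignores.
function Format-Duration([double]$Seconds) {
    if ($Seconds -lt 3600)           { return ('{0:N0} seconds' -f $Seconds) }
    if ($Seconds -lt 86400)          { return ('{0:N1} hours'   -f ($Seconds / 3600)) }
    if ($Seconds -lt 86400 * 365.25) { return ('{0:N1} days'    -f ($Seconds / 86400)) }
    return ('{0:N0} years' -f ($Seconds / (86400 * 365.25)))
}

function Get-BruteForceEstimate {
    param([string]$Charset, [int]$CharsetSize, [int]$Length, [double]$GuessesPerSecond = 100000)
    $keyspace = [math]::Pow($CharsetSize, $Length)
    [pscustomobject]@{
        Charset   = $Charset
        Length    = $Length
        Keyspace  = ('{0:E2}' -f $keyspace)
        WorstCase = Format-Duration ($keyspace / $GuessesPerSecond)       # every guess tried
        Average   = Format-Duration ($keyspace / $GuessesPerSecond / 2)   # expected hit halfway
    }
}

$rows = foreach ($len in 6, 7, 8, 10, 14) {
    Get-BruteForceEstimate 'lowercase a-z'         26 $len
    Get-BruteForceEstimate 'letters + digits'      62 $len
    Get-BruteForceEstimate 'all printable ASCII'   95 $len
}
# LM hash: upper-cased, two 7-character halves cracked independently, so the
# attacker faces 69 symbols (95 printable minus 26 lowercase) at length 7 at most.
$rows += Get-BruteForceEstimate 'LM hash half (upper + digits + symbols)' 69 7
$rows | Format-Table -AutoSize
```

Read the table with the slide's own caveat in mind: 100,000 guesses per second was a 2001 figure, and password crackers are "fast and getting faster", so treat the years column as an upper bound rather than a guarantee. The LM row is the practical reason the 7-character minimum on slide 10 is a floor, not a target: with LM hashes present, an 8-character password leaves a one-character second half that falls instantly.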

  34. References

  35. Links • razor.bindview.com • www.gartner.com • www.bindview.com/ebook • www.microsoft.com/security • www.nipc.gov • www.sans.org • nsa1.www.conxion.com

  36. BindView Products bv-Admin Product Suite bv-Control Product Suite Microsoft Windows (NT, 2000 and Active Directory) Microsoft Exchange Novell Netware Migrate for Windows 2000 Migrate for Novell NDS Mobile Password Self Service Microsoft Active Directory Microsoft Windows (NT/2000) Microsoft Exchange Microsoft SQL Server Internet Security UNIX Novell Netware Novell NDS eDirectory OS/400 SAP NETinventory Security Advisor

  37. Windows 2000 & Active Directory Security Best Practices & Using Tools to Help Audit. Taha Raja, Senior Systems Engineer, Traja@bindview.com. Copy of presentation at: www.isaca-la.org
