University of Tulsa - Center for Information Security

NSA Guide to Securing Microsoft Windows 2000 Active Directory
Ch 1-5

October 23, 2002
Bryan Carter, Buddy Carter, Ryan Blanton

• Ch. 1: Active Directory Overview
• Ch. 2: Domain Name System
• Ch. 3: Active Directory Installation
• Ch. 4: Domains and Organizational Units
• Ch. 5: Trees and Forests

Chapter 1: Active Directory Overview

Active Directory Overview

• Discusses the approach of the Active Directory mini-guide
• Provides some topology considerations

Active Directory Overview

• Simple definition: a hierarchical namespace of objects that is tightly integrated with the Domain Name System (DNS)
• AD is the directory service used by Windows 2000 domain controllers
• AD uses DNS naming for its domains

Active Directory Overview

• Dependent upon DNS to act as a locator service
• Includes:
  - an information source
  - services making that information available to users
• Holds information on objects stored in the underlying domains, trees, and forests
• Provides security mechanisms against unauthorized access to directory objects

Active Directory Overview

• The guide is intended to highlight AD security capabilities and issues
• Provides security configuration guidance and recommendations
• Intended to provide tools to improve security configurations
• Does not include specific design or integration policies
  - for these issues, see the NSA Guide to Securing Windows 2000

Active Directory Overview

• Different approach than the other guides
• Recommendations are somewhat more flexible
• Does not provide discrete settings that implement a predictable security configuration outcome
• Intended to inform and aid administrators in arriving at their own policy implementations

Chapter 2: Domain Name System

DNS Outline

• Overview
• Active Directory Integrated Zones
• Active Directory DNS Interface
• Chapter Security Summary

DNS - Overview

• Provides:
  - guidance about the Domain Name System (DNS) as it relates to Active Directory
  - information about Active Directory DNS security functionality
• Bugs and incompatibilities are pointed out

DNS - Overview

• AD uses DNS for:
  1. Name resolution
  2. Locating services
  3. Establishing the domain namespace for the AD hierarchy
• DNS should be the first concept designed, since DNS affects the design of the organizational layout (including forests, trees, domains, and sites)

DNS - Overview

• DNS design should not be taken lightly: AD does not currently allow the naming convention to be changed without completely reinstalling AD for all affected domains
• Any additional DNS guidance not pertaining to AD can be found in the Guide to Securing Windows 2000 DNS

Active Directory Integrated Zones

• Overview
• DNS server properties tab
• Dynamic zone updates

AD Integrated Zones

• When DNS is integrated into AD, the DNS zone benefits from AD's native multi-master replication:
  - an update for the zone is received by any domain controller running DNS
  - that DC writes the update to AD, which replicates it to all other DCs
  - every DC that is also a DNS server hosting that AD-integrated zone, anywhere in the network, receives the updated information
• Active Directory integrated zones allow access control over who can update DNS and provide better replication and fault tolerance capability

AD Integrated Zones

• With AD integrated zones, the DNS server properties interface can be used to manage Access Control Lists (ACLs)
  - ACL: a list of which groups and users can access and modify a specified zone or resource record
• This is done from the DNS server properties tab

AD Integrated Zones - DNS Server Properties Tab

AD Integrated Zones - DNS Server Properties Tab

• Can be used to:
  - link users and designated DNS administrators groups
  - configure permissions
• Groups and users can then be placed into a designated Organizational Unit (OU) or other container so that the appropriate Group Policy Object (GPO) can be applied

AD Integrated Zones - Dynamic Zone Updates

• Updates are carried within the AD replication scheme
• Avoids the traditional DNS master server becoming a single point of failure
• When a new zone is added to an AD domain, it is replicated and synchronized to new domain controllers automatically

Active Directory DNS Interface

• The Active Directory DNS interface allows:
  - administrators to specify the servers allowed to participate in zone transfers
  - logging and monitoring of certain events
• Captured DNS audit events are viewable from the "DNS Server" log in the Event Viewer
• Enabling only secure dynamic updates at a server means every update to that server must be authenticated: the client signs the update with its Kerberos credentials (GSS-TSIG) and the server checks the zone or record ACL before applying it. The update is not encrypted on the wire; the protection is that unauthenticated hosts cannot register or overwrite records

Static Service Locations

• Overview
  – Problem
  – Solution

Static Service Locations

• AD service location records (SRV records) are static: once registered, a record stays in DNS until it is explicitly removed or scavenged, and DNS itself does not check whether the service is still running
• Problem:
  – when service records remain in DNS after a service has been removed or has become unstable, servers and clients will continue to believe that the service is still available

Static Service Locations

• Solution:
  – Microsoft provides a proprietary aging/scavenging solution that makes use of a previously unused DNS extension
  – This allows servers to age out and remove old DNS service records (default is 7 days)
  – This presents another problem: services will appear available to servers and clients until they have been scavenged (this may also affect locating new services)

Static Service Locations

• Another problem is that non-Windows 2000 DNS servers do not have the ability to age or scavenge old service records
• This issue must be considered when deciding if or how to implement DNS on a non-Windows 2000 DNS server or in a mixed DNS server environment

Chapter Security Summary

• Recommendations
• Good Practices

Chapter Security Summary: Recommendations

• Implement Active Directory integrated zones
• Use or create Active Directory DNS administrators groups and users to manage DNS
• Link only the designated DNS administrators groups and users, and configure permissions through the DNS server properties security tab
• Place the DNS administrators groups and users into a designated OU and apply the appropriate Group Policy
• See the Guide to Securing Windows 2000 DNS

Chapter Security Summary: Good Practices

• Configure support for dynamic updates and incremental zone transfer
• Enable secure dynamic updates for the zone
• Routinely check the currency of service records and manually scavenge as needed
• Make use of the Windows 2000 DNS installation wizard when creating zones
• Become familiar with and test issues regarding interoperating with non-Windows 2000 DNS servers, such as service record aging and scavenging, and version stability

Chapter Security Summary: Good Practices

• Create an enterprise DNS audit policy; use the Active Directory DNS interface to log and monitor DNS events
• Use more than one DNS server to host each zone (for fault tolerance)
• DNS servers should be local, not across a site connection (such as a WAN or slow-speed link)
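The following script is an added example and is not part of the slides or of the NSA guide. It audits a DNS server against the three settings this chapter keeps returning to (AD-integrated zones, secure-only dynamic updates, aging/scavenging of stale service records) and corrects them. It uses the DnsServer PowerShell module, so it runs against a current Windows DNS server rather than Windows 2000, where the same settings were reached through the DNS MMC or dnscmd.exe. The server name and the 14-day staleness cutoff are assumptions for illustration.

```powershell
# Added example, not from the slides. Assumes the DnsServer module (RSAT) and an
# account that administers the DNS server. $Server is an assumed name.
$Server = 'dc1.corp.example'

# Forward primary zones only; the auto-created and reverse zones are out of scope here.
$zones = Get-DnsServerZone -ComputerName $Server |
    Where-Object { $_.ZoneType -eq 'Primary' -and -not $_.IsAutoCreated -and -not $_.IsReverseLookupZone }

$findings = foreach ($z in $zones) {
    [pscustomobject]@{
        Zone          = $z.ZoneName
        ADIntegrated  = $z.IsDsIntegrated
        DynamicUpdate = $z.DynamicUpdate      # None, NonsecureAndSecure or Secure
        Aging         = (Get-DnsServerZoneAging -Name $z.ZoneName -ComputerName $Server).AgingEnabled
    }
}
$findings | Format-Table -AutoSize

foreach ($f in $findings) {
    if (-not $f.ADIntegrated) {
        # Store the zone in Active Directory: multi-master replication and the per-zone
        # and per-record ACLs the chapter describes exist only for AD-integrated zones.
        ConvertTo-DnsServerPrimaryZone -Name $f.Zone -ReplicationScope Domain -ComputerName $Server -Force
    }
    if ($f.DynamicUpdate -ne 'Secure') {
        # "Secure only" is accepted only on AD-integrated zones. Each update is then signed
        # by the client (GSS-TSIG with Kerberos) and checked against the ACL, so one host
        # cannot overwrite another host's A or SRV record. NonsecureAndSecure accepts
        # anonymous updates from anyone who can reach the server.
        Set-DnsServerPrimaryZone -Name $f.Zone -DynamicUpdate Secure -ComputerName $Server
    }
    if (-not $f.Aging) {
        # Aging: each dynamically registered record carries a timestamp; a record not
        # refreshed within NoRefresh + Refresh (7 + 7 days, the defaults) becomes eligible
        # for scavenging.
        Set-DnsServerZoneAging -Name $f.Zone -Aging $true -NoRefreshInterval 7.00:00:00 `
            -RefreshInterval 7.00:00:00 -ComputerName $Server
    }
}
# Aging on a zone deletes nothing by itself; the server must also run the scavenger.
Set-DnsServerScavenging -ScavengingState $true -ScavengingInterval 7.00:00:00 -ComputerName $Server

# The "Static Service Locations" problem: SRV records whose last refresh is older than the
# aging window still advertise a service that may be gone. Static records have no timestamp
# and are skipped.
$cutoff = (Get-Date).AddDays(-14)
foreach ($f in $findings) {
    Get-DnsServerResourceRecord -ZoneName $f.Zone -RRType Srv -ComputerName $Server |
        Where-Object { $_.Timestamp -and $_.Timestamp -lt $cutoff } |
        Select-Object @{n='Zone';e={$f.Zone}}, HostName, Timestamp,
                      @{n='Target';e={$_.RecordData.DomainName}}
}
```

Run the audit part first and review the table before letting the corrective cmdlets run: converting a file-backed zone to AD-integrated and switching to secure-only updates will stop registrations from any non-domain hosts that were relying on unauthenticated updates.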

Chapter 3: Active Directory Installation
Ryan Blanton

Installation

• Active Directory Installation Wizard
  - DCPROMO.EXE (command prompt)
  - Start, Administrative Tools, Configure Your Server
• Installation Wizard functions
  - add a domain controller to an existing domain
  - create the first domain controller of a new domain
  - create a new child domain
  - create a new domain tree
  - install a DNS server with a default configuration
  - create the database and database log files
  - create the shared system volume
  - remove Active Directory services from a domain controller

Installation

• Active Directory domain, organizational unit, and site topologies should be carefully considered before installation
• DNS services should be installed and configured prior to Active Directory installation, unless the default Active Directory Installation Wizard DNS configuration is acceptable

Default Permissions

• Two options for permission preferences:
  1. permissions compatible with pre-Windows 2000 servers
  2. permissions compatible only with Windows 2000 servers
• The built-in Pre-Windows 2000 Compatible Access group is added to Access Control Lists and user rights throughout Active Directory and the domain controller

Default Permissions

• Pre-Windows 2000 option:
  – permissions compatible with pre-Windows 2000 based servers are selected
  – the Everyone group is nested in the Pre-Windows 2000 Compatible Access group
  – allows anonymous users read access to information in the domain
  – allows anonymous connections to the server
• Windows 2000 servers only option:
  – the Everyone group is not nested

Default Permissions

• Adding/deleting the Everyone group:

    net localgroup "Pre-Windows 2000 Compatible Access" everyone /add
    net localgroup "Pre-Windows 2000 Compatible Access" everyone /delete
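As an added example that is not from the slides, the check a practitioner wants before and after the net localgroup commands above: which principals in Pre-Windows 2000 Compatible Access grant unauthenticated read access to the directory, and their removal. It uses the ActiveDirectory module on a current domain controller (the net localgroup form on the slide still works on a DC). Windows 2000 put Everyone in the group when the compatible option was chosen; later Windows versions add Authenticated Users instead, which grants nothing to anonymous callers and is left alone here.

```powershell
# Added example, not from the slides. Assumes the ActiveDirectory module and an account
# that can modify the built-in group.
Import-Module ActiveDirectory

$group = 'Pre-Windows 2000 Compatible Access'
# Well-known SIDs that represent unauthenticated callers.
$anonymousSids = @{
    'S-1-1-0' = 'Everyone'
    'S-1-5-7' = 'Anonymous Logon'
}

function Get-AnonymousCompatibleAccessMember {
    # Read the member DNs directly. Well-known SIDs are represented as foreign security
    # principals, CN=<SID>,CN=ForeignSecurityPrincipals,<domain>, so the SID can be taken
    # from the DN without resolving the object.
    $members = (Get-ADGroup -Identity $group -Properties member).member
    foreach ($dn in $members) {
        if ($dn -match '^CN=(S-1-[0-9-]+),CN=ForeignSecurityPrincipals,' -and
            $anonymousSids.ContainsKey($Matches[1])) {
            [pscustomobject]@{ Name = $anonymousSids[$Matches[1]]; SID = $Matches[1]; DN = $dn }
        }
    }
}

$found = Get-AnonymousCompatibleAccessMember
if (-not $found) {
    "$group contains no anonymous principals."
} else {
    $found | Format-Table -AutoSize
    # Removing these breaks only clients that still depend on anonymous directory reads
    # (Windows NT 4 backup domain controllers, NT 4 RAS servers); confirm none remain first.
    foreach ($m in $found) {
        Remove-ADGroupMember -Identity $group -Members $m.DN -Confirm:$false
    }
}
```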

Directory Services Restore Mode

• During installation, the Directory Services Restore Mode Administrator password is supplied
• Used to restore the Active Directory database from a backup, and protects access to the Active Directory database file stored on the server (ntds.dit)
• The Restore Mode Administrator password is stored in the server's local Security Accounts Manager (SAM) data store, not in Active Directory
• The password must be protected

Recommendations

• Set permissions compatible only with Windows 2000 servers if possible
  – choose the "permissions compatible only with Windows 2000 servers" option
• Use robust password guidelines when setting the Directory Services Restore Mode Administrator's password
  – consider using SYSKEY for additional security

Chapter 4: Domains and Organizational Units
Buddy Carter

Overview

• Domain Basics
• Domain Administrators
• Group Policy Objects
• Default Users and Computers
• Hiding Active Directory Objects in OUs
• Summary

Background of Active Directory

• Hierarchical structure
• Domains are the fundamental container objects in Active Directory
• Organizational Units (OUs) are created to further organize objects
• Security concerns specifically related to domains and OUs

Domain Basics

• Overview
  - Domain and Active Directory characteristics
  - Permissions
  - Domain and OU structure
  - OU characteristics
  - Active Directory Installation Wizard

Domain Basics

• Domain and Active Directory characteristics
  - Domains maintain backward compatibility with Windows NT domains, and their names must match DNS names
  - Active Directory domains represent a security boundary or partition, because of how permissions and authority are scoped

Domain Basics

• Permissions
  - Permissions and authority do not flow in or out of a domain
  - Therefore a domain creates a security boundary in Active Directory
  - Permissions and authority can flow in and out of sites and OUs
  - Caveat: later Microsoft guidance treats the forest, not the domain, as the security boundary, because all domains in a forest trust one another transitively and a domain administrator in any one domain can affect the whole forest

Domain Basics (Domain and OU Structure)

Domain Basics

• OU characteristics
  - Typically created within the domain to further organize and contain individual resource objects (leaf objects): users, computers, shared folders
  - The primary container object used to delegate authority and link GPOs
  - The other container objects used to delegate authority and link GPOs are domains and sites

Domain Basics

• Active Directory Installation Wizard
  - Used when creating a new child domain
  - What the AD Installation Wizard does:
    - creates a new domain
    - promotes the computer to a domain controller of the new domain
    - establishes a two-way trust relationship with the parent domain
    - replicates the schema and configuration directory partitions

Domain Administrators

• Overview
  - Default settings
  - Control
  - Domain Administrators group
  - Delegating administration within a domain

Domain Administrators

• Default settings
  - By default, the domain administrators are the members of the Domain Admins group and the built-in Administrator account
  - Within the domain, domain administrators have full control
  - They have the right to take ownership of any object in the domain

Domain Administrators

• Control
  - Domain administrators can gain full control over any object in the domain, regardless of the permissions set on that object
  - There is no way to prevent a domain admin or administrator from taking ownership (control) of an OU anywhere in the domain
  - NOTE: the Active Directory interface suggests that blocking or denying permissions is effective in keeping out any group or user, including domain administrators. This is misleading: a deny ACE stops the access it names, but the right to take ownership lets a domain administrator replace the ACL and regain access

Domain Administrators

• Domain Administrators group
  - Membership of the Domain Admins group should be kept small and controlled
  - Members should not be placed in OUs to manage sub-domain elements of the directory tree
  - Delegate administration within a domain instead

Domain Administrators

• Delegating administration within a domain (example)
  - Create an OU for each logical subdivision of the domain
  - Create a local group for each subdivision representing the highest level of administration in that subdivision
  - Assign the given group full control over its OU
  - If the subdivision is allowed to set its own membership, place the subdivision's administrators group into the OU; otherwise, leave the group outside the OU
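The delegation pattern on this slide, carried out for one subdivision, together with the membership check the "Domain Administrators group" slide calls for. This is an added example, not code from the slides or the NSA guide. It needs the ActiveDirectory module, whose AD: drive lets Get-Acl and Set-Acl operate on directory objects. The subdivision name, the group name and the membership threshold are assumptions for illustration.

```powershell
# Added example, not from the slides. Assumes the ActiveDirectory module and a
# Domain Admins account. Names below are illustrative.
Import-Module ActiveDirectory

$domainDn = (Get-ADDomain).DistinguishedName
$division = 'Engineering'
$ouDn     = "OU=$division,$domainDn"
$adminGrp = "$division-OU-Admins"

# 1. One OU per logical subdivision of the domain.
New-ADOrganizationalUnit -Name $division -Path $domainDn

# 2. A domain local group for the subdivision's highest-level administrators. It is created
#    in the Users container, i.e. OUTSIDE the OU, so the subdivision cannot change its own
#    membership. Create it under $ouDn instead if the subdivision may manage membership.
New-ADGroup -Name $adminGrp -GroupScope DomainLocal -GroupCategory Security -Path "CN=Users,$domainDn"

# 3. Full control over the OU and everything created beneath it.
$sid = (Get-ADGroup -Identity $adminGrp).SID
$acl = Get-Acl -Path "AD:\$ouDn"
$ace = New-Object System.DirectoryServices.ActiveDirectoryAccessRule(
    $sid,
    [System.DirectoryServices.ActiveDirectoryRights]::GenericAll,
    [System.Security.AccessControl.AccessControlType]::Allow,
    [System.DirectoryServices.ActiveDirectorySecurityInheritance]::All)
$acl.AddAccessRule($ace)
Set-Acl -Path "AD:\$ouDn" -AclObject $acl

# Verify. Domain Admins keep their entry whatever is delegated: no ACE on an OU keeps a
# domain administrator out, because they can always take ownership (the "Control" slide).
(Get-Acl -Path "AD:\$ouDn").Access |
    Where-Object { $_.IdentityReference.Value -match "$adminGrp|Domain Admins" } |
    Select-Object IdentityReference, ActiveDirectoryRights, AccessControlType, InheritanceType

# Domain Admins itself should stay small. -Recursive expands nested groups, which is where
# membership quietly grows; the threshold of 5 is an assumption.
$da = Get-ADGroupMember -Identity 'Domain Admins' -Recursive
"Domain Admins effective members: $($da.Count)"
$da | Select-Object Name, objectClass, distinguishedName
if ($da.Count -gt 5) { Write-Warning 'Domain Admins membership exceeds the assumed threshold of 5; review it.' }
```

GenericAll on the OU with inheritance All is what "full control over its OU" means in ACL terms; it does not grant anything outside the OU, which is the point of the pattern. Because the group lives in CN=Users rather than in the OU, the delegated administrators can manage every object in their OU but cannot add themselves or others to the group that grants that control.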

Group Policy Objects

• Overview
  - Access Control List (ACL)
  - GPO properties
  - Inheritance

Group Policy Objects

• Access Control List (ACL)
  - A default ACL is applied when an object is created in the directory
  - Beyond the default permissions in the ACLs, security management for Active Directory user and computer objects is largely performed with GPOs

Group Policy Objects

• GPO properties
  - Performs security management for the user and computer objects in the domain, OU, and site container objects to which the GPO is linked (applied)
  - Guidance for Group Policy can be found in the Guide to Securing Microsoft Windows 2000 Group Policy mini-guide
  - By default, GPOs are inherited

Group Policy Objects

• Inheritance
  - Flows from site to domain to OU
    Ex) Child OUs inherit GPOs from parent OUs
  - There is no GPO inheritance hierarchy for domains like there is for OUs: a child domain does not inherit the GPOs linked to its parent domain

Group Policy Objects (GPO Inheritance)

Default Users and Computers

• Overview
  - Default objects
  - Default users and computers folders

Default Users and Computers

• Default objects
  - Several default objects are created when Active Directory is installed on the first domain controller in a new domain
  - These include the following containers: Builtin, Computers, Users

Default Users and Computers

• Default users and computers folders
  - Should only be used, if needed, while initially planning and creating a manageable OU structure
  - User and computer objects should be relocated to an OU within the target structure as soon as possible; the default Users and Computers containers are not OUs, so GPOs cannot be linked to them

Hiding Active Directory Objects in OUs

• Overview
  - Hiding objects
  - Analyzing hidden OUs
  - Regaining control of hidden objects

Hiding Active Directory Objects in OUs

• Hiding objects
  - OUs can be created to hide objects
  - Blocking the "List Contents" permission on an OU makes the OU and its contents invisible to the affected users
  - Only users who can modify the ACL on an OU can hide objects in this way
  - Can help with implementing policies and objectives
  - Problem: it can be used as a "backdoor": create a privileged user and place that user in a hidden OU container

Hiding Active Directory Objects in OUs

• Analyzing hidden OUs
  - When an administrator attempts to view a hidden OU, it appears as an object without an icon
  - When the object's security tab is selected, the security information is unavailable
  - These are indications to administrators that an OU has been created to hide Active Directory objects
  - The administrator can take steps to regain control of a hidden object if the activity is suspicious

Hiding Active Directory Objects in OUs

• Regaining control of hidden objects
  1) Open another object to which the administrator has privilege
  2) View the security settings of the other object
  3) Return to the security tab of the hidden object
  4) The security settings will now be visible and can be managed by the administrator
  5) The administrator can grant other objects rights to this OU
  6) The administrator can reset inherited permissions
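The three hiding slides describe a manual inspection in the MMC. As an added example that is not from the slides or the guide, the following script does the same sweep across the whole domain: it finds OUs hidden by a deny on List Contents, lists privileged accounts parked inside them (the backdoor the slides warn about), and removes the explicit deny ACEs. It requires the ActiveDirectory module and should run as a domain administrator; if a deny ACE also blocks reading the security descriptor, take ownership first with dsacls "<OU DN>" /takeownership, which the "Control" slide notes no ACL can prevent.

```powershell
# Added example, not from the slides. Assumes the ActiveDirectory module and a
# Domain Admins account.
Import-Module ActiveDirectory

function Find-HiddenOU {
    param([string]$SearchBase = (Get-ADDomain).DistinguishedName)
    # "List Contents" in the MMC is the ListChildren right in the ACE.
    $listChildren = [int][System.DirectoryServices.ActiveDirectoryRights]::ListChildren
    foreach ($ou in Get-ADOrganizationalUnit -Filter * -SearchBase $SearchBase) {
        $acl = Get-Acl -Path "AD:\$($ou.DistinguishedName)"
        foreach ($ace in $acl.Access) {
            if ($ace.AccessControlType -eq 'Deny' -and
                (([int]$ace.ActiveDirectoryRights) -band $listChildren) -ne 0) {
                [pscustomobject]@{
                    OU        = $ou.DistinguishedName
                    DeniedTo  = $ace.IdentityReference.Value
                    Rights    = $ace.ActiveDirectoryRights
                    Inherited = $ace.IsInherited
                    Owner     = $acl.Owner   # who set this up, unless ownership was changed
                }
            }
        }
    }
}

$hidden = Find-HiddenOU
$hidden | Format-Table -AutoSize

# What lives inside: any account with adminCount set or a membership in one of the
# admin groups, sitting in a hidden container, deserves an explanation.
foreach ($ouDn in ($hidden.OU | Sort-Object -Unique)) {
    Get-ADUser -Filter * -SearchBase $ouDn -Properties memberOf, adminCount |
        Where-Object { $_.adminCount -eq 1 -or ($_.memberOf -match 'CN=(Domain|Enterprise|Schema) Admins,') } |
        Select-Object @{n='HiddenOU';e={$ouDn}}, SamAccountName, DistinguishedName
}

# Regain control: strip the explicit deny ACEs. An inherited deny must be removed on the
# parent it came from, so only non-inherited findings are handled here.
foreach ($h in ($hidden | Where-Object { -not $_.Inherited })) {
    $acl = Get-Acl -Path "AD:\$($h.OU)"
    $acl.Access |
        Where-Object { $_.AccessControlType -eq 'Deny' -and
                       $_.IdentityReference.Value -eq $h.DeniedTo -and -not $_.IsInherited } |
        ForEach-Object { [void]$acl.RemoveAccessRule($_) }
    Set-Acl -Path "AD:\$($h.OU)" -AclObject $acl
}
```

Keep the findings table before the removal loop runs: the Owner column and the DeniedTo column are the evidence of who hid what from whom, and a deny on List Contents is occasionally legitimate (the slides' "policies and objectives" case), so the removal step is for the suspicious cases, not a blanket cleanup.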


Domain Controller Security

• Overview
– Physical Security
– SYSKEY Information
– SYSKEY Concerns
– Fault Tolerance


Domain Controller Security

• Physical Security
– Having fewer copies of domain controller information physically accessible to unsupervised people reduces the risk of unauthorized access
– Recommended to put domain controllers in a locked room to be kept physically secure
– Physical access could allow an intruder to get copies of encrypted password data to use for an off-line attack


Domain Controller Security

• SYSKEY Information
– Provides additional security
– Described by Microsoft: http://support.microsoft.com/support/kb/articles/q143/4/75.asp
– Uses its own key that must be protected.


Domain Controller Security

• SYSKEY Concerns
– A floppy containing the binary key could be used to bypass SYSKEY
– Unattended system restart could require the SYSKEY material to be stored on the local hard drive, thus reducing the level of security
– Forgetting a password
– Could affect repair options for system recovery
– Different options for storage of SYSKEY startup keys


Domain Controller Security

(SYSKEY Password Storage)


Domain Controller Security

• Fault Tolerance
– When Active Directory is first installed on the first domain controller, at least one additional domain controller should be installed
– Prevents loss of the database if the first server crashes


Summary

• Recommendations
– Create separate domains as needed to partition or compartment portions of Active Directory requiring different security or administrative policies
– Physically secure domain controllers
– As soon as possible, move default user and computer objects into OUs within the target OU structures


Summary

• Good Practices
– Membership of the domain administrators group should be kept small and controlled
– Members of the domain administrators group generally should not be placed in OUs to manage sub-domain elements of the directory tree
– Take steps to ensure that unauthorized hidden OU objects do not exist within the directory structure
– Use SYSKEY to augment the physical protection of domain controllers
– At least one sub-domain or replica domain controller should be installed shortly after the first domain controller is installed to prevent loss of the database if the first server crashes


Chapter 5: Trees and Forests

Ryan Blanton


Definitions

• Tree: collection of domains, connected by trust relationships, which share a contiguous DNS namespace

• Forest: collection of domains, connected by trust relationships, whose DNS namespace is not contiguous


Definitions

• All domains in trees or forests have:
– Global Catalog: holds a copy of every object in Active Directory, but with a limited number of each object’s attributes (stores only attributes most frequently used in search operations and user logon, and attributes required to locate a full replica of the object)
– Schema: defines classes and attributes of objects that can be created in the Active Directory DB
– Configuration: naming context that is replicated to every domain controller in the forest


Design Considerations

• First domain created is root domain controller, tree root domain, and forest root domain

• First domain controller stores the Global Catalog, Schema, and Configuration

• In the forest root domain, two predefined security groups are created to manage forests:
1. Enterprise Admins: group authorized to make changes to the entire forest in Active Directory (e.g. adding child domains)
2. Schema Admins: group authorized to make schema changes in Active Directory


Design Considerations

• DNS, tree, and forest implementation hinges on first domain created

• Sub-domains and trees to be included in a forest must be linked with the first domain as Active Directory configurations are installed

• An established domain or tree cannot later join a forest

• Non-transitive trust relationships can be provided to established domains, trees, or forests, but a two-way transitive trust relationship is not available if the domain or tree is not installed into the forest root domain


Design Considerations

• After the first domain is created, later Active Directory installations within the forest can accomplish:
– create a replica within a domain
– create a sub-domain that extends the namespace
– create a sub-domain with a non-contiguous namespace

• Active Directory exchanges copies of the Global Catalog, Schema, and Configuration among domain controllers when subsequent domain controllers are installed

• Within a domain, large portions of the DBs are exchanged
• Between domains, only changes or updates are exchanged


Design Considerations

• Advantages of Single Domain Architecture
– simplifies system management
– easier to manage and trace Active Directory object access control and Group Policy inheritance (security benefit)
– domain administrators have complete control over the entire system (security benefit)

• Advantages of Multiple Domain Architecture
– multiple domains can reduce replication traffic
– might be easier to implement distinct security settings by using separate domains (security benefit)
– might aid in transition from Windows NT domains to Windows 2000 domains
– separate domains may be required to block administrative authority from one part of the system to another (security benefit)


Active Directory Trusts

• As each domain controller is installed into a forest, a two-way, transitive trust between the forest root or parent domain and the new domain is created

• Since the trust is transitive, the trust relationship is extended to all domains connected together with a transitive trust

• Transitive trusts are distinguished as either parent-child trusts or trusts between tree roots


Active Directory Trusts

• Forest Trust Relationships


Active Directory Trusts

• Non-Transitive Trust: a one-way trust that can be created between domains where a transitive trust relationship does not or cannot exist

• Only necessary trusts should be created
• Some situations:
– between a Windows 2000 domain and a Windows NT domain
– between two Windows 2000 domains in separate forests

• Non-transitive trusts are manually created (refer to guide)

• Can be created in both directions to provide for transitive trust


Active Directory Trusts

• Trusts between multiple forests
– possible to link multiple forests with non-transitive trust relationships
– reasons: merging systems, merging companies

• Currently no “good” forest merge capability, so system decision makers are faced with choices:
– maintain separate forests
– manually recreate and copy objects from one forest to another


Active Directory Trusts

• Consequences of multiple forests
– multiple schemas (maintaining consistency difficult and costly)
– multiple configuration containers (maintaining consistency difficult)
– explicit trusts between individual domains must be established and maintained
– explicit queries must be made for resources outside the forest
– replication of information between forests will be manual
– users logging on to computers in forests outside their own must use the default (full domain path) User Principal Name (UPN) when logging in
– accounts not easily moved between forests; account moves must use cloning or a bulk import utility


Recommendations

• Do a significant amount of planning before creating DNS namespace, trees, and forests because many aspects of these structures cannot be later modified

• Maintain separate domains as needed to block administrative authority from one part of a system to another

• Bulk imported accounts should be inactive; a secure method to create or change the account as each account is activated must be devised


Questions?