Welcome to the GIG Event

Welcome to the GIG Event. MICROSOFT ACTIVE DIRECTORY SERVICES. Presenter: Avinesh, MCP, MCTS


Page 1

Welcome to the GIG Event

Page 2

MICROSOFT ACTIVE DIRECTORY SERVICES

Presenter: Avinesh, MCP, MCTS

Page 3

What is ADS?

• Active Directory is a database that keeps track of all the user accounts and passwords in your organization. It allows you to store your user accounts and passwords in one protected location, improving your organization's security.

• Active Directory is subdivided into one or more domains. A domain is a security boundary. Each domain is hosted by a server computer called a domain controller (DC). A domain controller manages all of the user accounts and passwords for a domain.

Page 4

Active Directory Structure

• Hierarchical
• Base object

[Diagram: Objects sit inside OUs, OUs nest within a Domain, several Domains form a Tree, and Trees together form the Forest.]

Page 5

[Diagram: "Communications Today" versus "Future of Communications". Workloads shown: E-mail and Calendaring, Instant Messaging (IM), Telephony and Voice Mail, Unified Conferencing (Audio, Video, Web), Unified Inbox & Presence. Each workload stacks on the same four layers: Authentication, Administration, Storage, User Experience. Deployment options: On-Premises, Hybrid, In the Cloud.]

Page 6

Domain Controllers on VMs

• How do you back up your domain controllers running on virtual machines?
  – Taking a snapshot? What are the side effects?
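The snapshot question is where many virtual-DC incidents start: a DC restored from a hypervisor snapshot reuses update sequence numbers (USNs) it has already handed out, and its replication partners stop accepting changes from it (USN rollback). As an added example that is not part of the deck, the following PowerShell takes a supported system state backup with wbadmin and checks the two indicators Windows records when it detects a rollback. It assumes it runs elevated on the DC with the Windows Server Backup feature installed; E: is a placeholder backup target.

```powershell
# Added example (not from the slides). Assumes: elevated session on the DC,
# Windows Server Backup installed, E: is a placeholder backup volume.

function Invoke-DcSystemStateBackup {
    param([string]$Target = 'E:')   # placeholder backup target
    # A system state backup is DC-aware (it records the backup in the directory);
    # a hypervisor snapshot is not, which is why restoring one causes USN rollback.
    & wbadmin start systemstatebackup "-backupTarget:$Target" -quiet
}

function Test-UsnRollback {
    # NTDS sets "Dsa Not Writable" = 4 and pauses replication when it detects USN rollback.
    $ntds = Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Services\NTDS\Parameters'
    $dsaNotWritable = $ntds.'Dsa Not Writable'

    # Directory Service log events 2095 and 2103 describe the rollback condition.
    $events = Get-WinEvent -FilterHashtable @{
        LogName = 'Directory Service'; Id = 2095, 2103
    } -MaxEvents 10 -ErrorAction SilentlyContinue

    [pscustomobject]@{
        DsaNotWritable = $dsaNotWritable
        RollbackEvents = @($events).Count
        Suspected      = ($dsaNotWritable -eq 4) -or (@($events).Count -gt 0)
    }
}

Invoke-DcSystemStateBackup -Target 'E:'
Test-UsnRollback | Format-List
```

From Windows Server 2012 onward a virtual DC also carries a VM-Generation ID, which lets it notice that it was reverted to a snapshot and reset its invocation ID; DCs on earlier releases have no such protection, so a restore there must come from a system state backup.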

Page 7

Active Directory Security Fundamentals

• Forests
• Domains
• Trusts
• Kerberos
• OUs
• Group Policy (GPOs)
• ACLs
• Authentication
• Authorization
• Replication
• FSMOs
• Delegation

Page 8

Securing Active Directory

• Planning
• Creating
• Maintaining
• Best Practices

Page 9

Planning AD Security

• Considerations upon deployment of AD DCs
  – Datacenter (Microsoft Online Services)
    • Centralized & secure (ADFS and single sign-on)
    • High-end performance (uptime guarantee)
  – Branch offices
    • Lack of IT expertise
    • Slow connectivity to the rest of the organization

Page 10

Planning AD Security

• Identifying types of threats
  – Spoofing
  – Data tampering
  – Repudiation
  – Information disclosure
  – Denial of service
  – Elevation of privilege
• Identifying sources of threats
  – Anonymous users
  – Authenticated users
  – Service administrators
  – Data administrators
  – Users with physical access

Page 11

Establishing Secure AD Boundaries

• Delegation of administration
  – Needs to be flexible, limited, secure, dynamic, and meet the needs of the organization based upon its need for autonomy and isolation
• Forest/domain model
• Establish secure trusts

Page 12

Deploying Secure Domain Controllers

• Ensure predictable, repeatable, and secure domain controller deployments.
  – Create a strong administrator password
    • 9 characters, non-dictionary, symbols, etc.
  – Use TCP/IP only if possible
  – Disable non-essential services
    • IIS, Messenger, SMTP, Telnet, etc.
  – Format partitions with NTFS
  – Install latest service packs and security updates
  – Prohibit the use of cached credentials when unlocking the DC console
  – Install anti-virus scanning software
  – Maintain secure physical access to domain controllers
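A deployment checklist is only repeatable if it can be verified after the fact. As an added example that is not part of the deck, this PowerShell reads the state of several items from the list above on the local DC (non-essential services, NTFS volumes, cached logons, patch age, anti-virus status) and reports findings without changing anything. It assumes an elevated session on the DC and the default Windows service names for IIS (W3SVC), SMTP (SMTPSVC) and Telnet (TlntSvr); the 60-day patch-age limit is an illustrative value.

```powershell
# Added example (not from the slides): read-only hardening check for a DC.
# Assumes an elevated session; service names are Windows defaults; 60 days is illustrative.

function Test-DcHardening {
    $findings = New-Object System.Collections.Generic.List[string]

    # Non-essential services: flag any that exist and are not disabled.
    foreach ($svc in 'W3SVC', 'SMTPSVC', 'TlntSvr', 'Messenger') {
        $s = Get-Service -Name $svc -ErrorAction SilentlyContinue
        if ($s -and $s.StartType -ne 'Disabled') {
            $findings.Add("Service $svc is present and its start type is $($s.StartType)")
        }
    }

    # Every fixed volume should be NTFS.
    Get-Volume | Where-Object { $_.DriveType -eq 'Fixed' -and $_.FileSystem -ne 'NTFS' } |
        ForEach-Object { $findings.Add("Volume $($_.DriveLetter) is $($_.FileSystem), not NTFS") }

    # Cached credentials: CachedLogonsCount should be 0 on a domain controller.
    $wl = Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'
    if ([int]$wl.CachedLogonsCount -ne 0) {
        $findings.Add("CachedLogonsCount is $($wl.CachedLogonsCount); expected 0")
    }

    # Patch level: the most recent hotfix should not be older than the chosen window.
    $lastFix = Get-HotFix | Where-Object InstalledOn | Sort-Object InstalledOn -Descending | Select-Object -First 1
    if ($lastFix -and $lastFix.InstalledOn -lt (Get-Date).AddDays(-60)) {
        $findings.Add("Last hotfix $($lastFix.HotFixID) was installed on $($lastFix.InstalledOn.ToShortDateString())")
    }

    # Anti-virus: report Defender real-time protection where the cmdlet exists.
    if (Get-Command Get-MpComputerStatus -ErrorAction SilentlyContinue) {
        if (-not (Get-MpComputerStatus).RealTimeProtectionEnabled) {
            $findings.Add('Real-time anti-virus protection is off')
        }
    }

    if ($findings.Count -eq 0) { 'No findings' } else { $findings }
}

Test-DcHardening
```

Run it after each build and keep the output with the deployment record; a non-empty result is a deviation from the checklist, not necessarily a compromise.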

Page 13

Best Practices

• Domain policies
  – Password policy
    • History
    • Age
    • Length
    • Complexity
  – Lockout policy
    • Duration
    • Threshold
    • Reset
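The seven settings on this slide map one-to-one onto the default domain password policy object. As an added example that is not part of the deck, the following PowerShell compares the current policy with a required set of values and shows how the same table is applied. It assumes the ActiveDirectory module is available; the target values are illustrative choices for this example, not numbers from the deck.

```powershell
# Added example (not from the slides). Assumes the ActiveDirectory module.
# Target values below are illustrative; keys are Set-ADDefaultDomainPasswordPolicy parameter names.
Import-Module ActiveDirectory

$required = @{
    PasswordHistoryCount     = 24                            # History
    MinPasswordAge           = [timespan]::FromDays(1)       # Age (lower bound)
    MaxPasswordAge           = [timespan]::FromDays(90)      # Age (upper bound)
    MinPasswordLength        = 14                            # Length
    ComplexityEnabled        = $true                         # Complexity
    LockoutDuration          = [timespan]::FromMinutes(30)   # Duration
    LockoutThreshold         = 10                            # Threshold
    LockoutObservationWindow = [timespan]::FromMinutes(30)   # Reset counter after
}

function Compare-DomainPasswordPolicy {
    $policy = Get-ADDefaultDomainPasswordPolicy
    foreach ($name in $required.Keys) {
        $actual = $policy.$name
        $want   = $required[$name]
        $ok = switch ($name) {
            'MaxPasswordAge'    { $actual -gt [timespan]::Zero -and $actual -le $want }  # zero = never expires
            'LockoutThreshold'  { $actual -gt 0 -and $actual -le $want }                  # zero = no lockout
            'ComplexityEnabled' { $actual -eq $want }
            default             { $actual -ge $want }
        }
        [pscustomobject]@{ Setting = $name; Actual = $actual; Required = $want; Compliant = [bool]$ok }
    }
}

function Set-RequiredDomainPasswordPolicy {
    # Splatting the table applies all eight settings to the domain in one call.
    Set-ADDefaultDomainPasswordPolicy -Identity (Get-ADDomain).DistinguishedName @required
}

Compare-DomainPasswordPolicy | Format-Table -AutoSize
```

Keep the observation window no longer than the lockout duration (AD rejects the reverse), and remember that fine-grained password policies applied to specific groups override whatever this default object says.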

Page 14

Best Practices

• Domain controller policies
  – User rights
    • Log on locally
    • System shutdown
  – Enable auditing
    • Account logon
    • Account management
    • Directory service access
    • Logon events
    • Policy changes
    • System events
  – Event logging
    • Security log size set to 128 MB
    • Retention set to overwrite events as needed
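The audit categories and the log-retention values above can be applied and verified from the DC itself. As an added example that is not part of the deck, this PowerShell enables success and failure auditing for the six categories listed, sets the Security log to 128 MB with overwrite-as-needed retention, and reads the effective audit policy back as objects. It assumes an elevated session on the DC, the English built-in auditpol category names (the slide's "Directory Service Access" is the "DS Access" category), and Windows PowerShell for Limit-EventLog.

```powershell
# Added example (not from the slides). Assumes an elevated session on the DC,
# English auditpol category names, and Windows PowerShell (Limit-EventLog).

$auditCategories = @(
    'Account Logon', 'Account Management', 'DS Access',
    'Logon/Logoff', 'Policy Change', 'System'
)

function Enable-DcAuditing {
    foreach ($cat in $auditCategories) {
        # Success and failure for each category the slide lists.
        & auditpol.exe /set /category:"$cat" /success:enable /failure:enable | Out-Null
    }
}

function Set-SecurityLogRetention {
    # 128 MB maximum size; overwrite the oldest events when the log is full.
    Limit-EventLog -LogName Security -MaximumSize 128MB -OverflowAction OverwriteAsNeeded
}

function Get-DcAuditState {
    # auditpol /r emits CSV; convert it so the result can be filtered and compared.
    & auditpol.exe /get /category:* /r | ConvertFrom-Csv |
        Select-Object Subcategory, 'Inclusion Setting'
}

Enable-DcAuditing
Set-SecurityLogRetention
Get-DcAuditState | Format-Table -AutoSize
```

In practice these settings belong in the Default Domain Controllers Policy GPO rather than in a script run on each DC, so that every DC converges on the same values; the script is useful for confirming that the GPO actually took effect.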

Page 15

Best Practices

• Secure service admin accounts
  – Enterprise Admins
  – Schema Admins
  – Administrators
  – Domain Admins (rename this account)
  – Server Operators
  – Account Operators
  – Backup Operators
• Best practices
  – Rename the administrator account
  – Limit the number of service admin accounts
  – Separate administrator accounts from end-user accounts

Page 16

Deploy Secure DNS

• Protecting DNS servers
  – Use Active Directory–integrated DNS zones.
  – Implement secure updates between DNS clients and servers.
  – Protect the DNS cache on domain controllers.
  – Monitor network activity.
  – Close all unused firewall ports.
• Protecting DNS data
  – Use secure dynamic update.
  – Ensure that third-party DNS servers support secure dynamic update.
  – Ensure that only trusted individuals are granted DNS administrator privileges.
  – Set ACLs on DNS data.
  – Use separate internal and external namespaces.

Page 17

Maintaining Secure AD Operations

• Maintain baseline information
  – Create a baseline database of Active Directory infrastructure information.
    • Audit policies
    • List of GPOs and their assignments
    • List of trusts
    • List of domain controllers and administrative workstations
    • Service administrators
    • Operations masters (FSMO roles)
    • Replication topology
    • Database size (.DIT file)
    • OS version, service packs, hotfixes, anti-virus version
  – Detect and verify infrastructure changes

Page 18

Maintaining Secure AD Operations

• Monitoring the AD infrastructure
  – Collect information in real time or at specified time intervals.
    • Security event logs
  – Compare this data with previous data or against a threshold value.
  – Respond to a security alert as directed in your organization’s practices.
  – Summarize security monitoring in one or more regularly scheduled reports.

Page 19

Maintaining Secure AD Operations

• Monitoring the AD infrastructure
  – Monitoring forest-level changes
    • Detect changes in the Active Directory schema.
    • Identify when domain controllers are added or removed.
    • Detect changes in replication topology.
    • Detect changes in LDAP policies.
    • Detect changes in forest-wide operations master roles.

Page 20

Maintaining Secure AD Operations

• Monitoring domain-level changes
  – Detect changes in domain-wide operations master roles.
  – Detect changes in trusts.
  – Detect changes in GPOs for the Domain container and the Domain Controllers OU.
  – Detect changes in GPO assignments for the Domain container and the Domain Controllers OU.
  – Detect changes in the membership of the built-in groups.
  – Detect changes in the audit policy settings for the domain.
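The baseline described on slide 17 and the forest- and domain-level change detection on slides 19 and 20 are two halves of one mechanism: capture the inventory as data, then diff a fresh capture against the stored copy. As an added example that is not part of the deck, the following PowerShell captures schema version, operations masters, domain controllers, replication connections, trusts, GPOs and their links on the domain head and the Domain Controllers OU, service admin membership, DIT size, OS version and hotfixes as a JSON snapshot, and reports every added or removed item against a previous snapshot. It assumes the ActiveDirectory and GroupPolicy modules on a DC; the baseline path is a placeholder.

```powershell
# Added example (not from the slides). Assumes the ActiveDirectory and GroupPolicy
# modules on a DC; the JSON path passed in is a placeholder.
Import-Module ActiveDirectory, GroupPolicy

function Get-AdBaseline {
    # Every value is an array of strings so two captures can be compared item by item.
    $forest = Get-ADForest
    $domain = Get-ADDomain
    $ntds   = Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Services\NTDS\Parameters' -ErrorAction SilentlyContinue

    # GPO assignments: the gPLink attribute of the domain head and the Domain Controllers OU.
    $gpoLinks = foreach ($dn in $domain.DistinguishedName, $domain.DomainControllersContainer) {
        "$dn|$((Get-ADObject -Identity $dn -Properties gPLink).gPLink)"
    }
    # Service administrators: recursive membership of the groups that matter most.
    $admins = foreach ($g in 'Enterprise Admins', 'Schema Admins', 'Domain Admins', 'Administrators') {
        Get-ADGroupMember -Identity $g -Recursive -ErrorAction SilentlyContinue |
            ForEach-Object { "$g|$($_.SamAccountName)" }
    }

    [ordered]@{
        Captured          = @((Get-Date).ToString('o'))
        SchemaVersion     = @((Get-ADObject -Identity (Get-ADRootDSE).schemaNamingContext -Properties objectVersion).objectVersion)
        OperationsMasters = @("Schema=$($forest.SchemaMaster)", "DomainNaming=$($forest.DomainNamingMaster)",
                              "PDC=$($domain.PDCEmulator)", "RID=$($domain.RIDMaster)", "Infrastructure=$($domain.InfrastructureMaster)")
        DomainControllers = @(Get-ADDomainController -Filter * | ForEach-Object { "$($_.HostName)|$($_.OperatingSystem)|$($_.Site)" } | Sort-Object)
        Replication       = @(Get-ADReplicationConnection -Filter * | ForEach-Object { "$($_.ReplicateFromDirectoryServer) -> $($_.ReplicateToDirectoryServer)" } | Sort-Object)
        Trusts            = @(Get-ADTrust -Filter * | ForEach-Object { "$($_.Name)|$($_.Direction)|$($_.TrustType)" } | Sort-Object)
        GPOs              = @(Get-GPO -All | ForEach-Object { "$($_.DisplayName)|$($_.Id)|$($_.ModificationTime.ToString('o'))" } | Sort-Object)
        GpoLinks          = @($gpoLinks)
        ServiceAdmins     = @($admins | Sort-Object)
        DitSizeMB         = @(if ($ntds) { [math]::Round((Get-Item $ntds.'DSA Database file').Length / 1MB) })
        OsVersion         = @((Get-CimInstance Win32_OperatingSystem).Version)
        Hotfixes          = @(Get-HotFix | ForEach-Object { $_.HotFixID } | Sort-Object)
    }
}

function Save-AdBaseline {
    param([Parameter(Mandatory)][string]$Path)
    Get-AdBaseline | ConvertTo-Json -Depth 3 | Set-Content -Path $Path
}

function Compare-AdBaseline {
    # Emits one row per item that appeared or disappeared since the stored baseline.
    param([Parameter(Mandatory)][string]$Path)
    $old = Get-Content -Path $Path -Raw | ConvertFrom-Json
    $new = Get-AdBaseline
    foreach ($key in $new.Keys) {
        if ($key -eq 'Captured') { continue }
        $before = @($old.$key)
        $after  = @($new[$key])
        foreach ($v in $after)  { if ($before -notcontains $v) { [pscustomobject]@{ Item = $key; Change = 'Added';   Value = $v } } }
        foreach ($v in $before) { if ($after  -notcontains $v) { [pscustomobject]@{ Item = $key; Change = 'Removed'; Value = $v } } }
    }
}

# Usage: Save-AdBaseline -Path 'C:\Baseline\ad-baseline.json'   (placeholder path)
#        Compare-AdBaseline -Path 'C:\Baseline\ad-baseline.json' | Format-Table -AutoSize
```

A changed GPO modification time, a new entry in OperationsMasters or a new name under ServiceAdmins is exactly the kind of item slides 19 and 20 ask you to detect; an unexplained entry should be matched against change records before the baseline is re-saved. Audit policy settings and LDAP policies are not captured here and would need their own fields.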

Page 21

Best Practices: DNS

• Use AD-integrated zones if at all possible
• Use forwarders instead of secondaries
  – Eliminates text-based zone files
• Treat DNS admins as service admins
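Slide 16 and this slide make the same three configuration points: zones stored in the directory rather than in zone files, secure dynamic update only, and a protected cache on the DCs. As an added example that is not part of the deck, the following PowerShell reports each zone against those points (flagging secondary zones as candidates for replacement by forwarders), converts a file-backed primary zone to AD-integrated storage with secure updates, and enables cache locking. It assumes the DnsServer module on the DC and targets the local server.

```powershell
# Added example (not from the slides). Assumes the DnsServer module; targets the local DNS server.
Import-Module DnsServer

function Get-DnsZoneSecurityReport {
    Get-DnsServerZone | Where-Object { -not $_.IsAutoCreated } | ForEach-Object {
        $z = $_
        $finding = if ($z.ZoneType -eq 'Secondary') { 'Secondary zone: consider a forwarder instead' }
                   elseif ($z.ZoneType -eq 'Primary' -and -not $z.IsDsIntegrated) { 'File-backed primary: convert to AD-integrated' }
                   elseif ($z.ZoneType -eq 'Primary' -and $z.DynamicUpdate -ne 'Secure') { 'Dynamic update is not Secure' }
                   else { '' }
        [pscustomobject]@{
            Zone          = $z.ZoneName
            Type          = $z.ZoneType
            ADIntegrated  = $z.IsDsIntegrated
            DynamicUpdate = $z.DynamicUpdate
            Finding       = $finding
        }
    }
}

function Set-SecureZone {
    param([Parameter(Mandatory)][string]$ZoneName)
    $zone = Get-DnsServerZone -Name $ZoneName
    if ($zone.ZoneType -eq 'Primary' -and -not $zone.IsDsIntegrated) {
        # Move the zone out of its text file and into the directory, replicated domain-wide.
        ConvertTo-DnsServerPrimaryZone -Name $ZoneName -ReplicationScope Domain -Force
    }
    # Only authenticated, ACL-checked clients may update records.
    Set-DnsServerPrimaryZone -Name $ZoneName -DynamicUpdate Secure
}

function Protect-DnsCache {
    # Cache locking at 100% prevents cached records from being overwritten before their TTL expires.
    Set-DnsServerCache -LockingPercent 100
}

Get-DnsZoneSecurityReport | Format-Table -AutoSize
Get-DnsServerForwarder | Select-Object IPAddress, UseRootHint
```

Secure dynamic update is only meaningful on AD-integrated zones, which is why the conversion comes first; a zone left as NonsecureAndSecure lets any host on the network overwrite another host's records.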

Page 22

Best Practices: DHCP

• Configure so that:
  – The client updates its A record
  – The DHCP service updates the PTR record

Page 23

Best Practices: DC Policies

• Enable auditing
• Disable anonymous connections
• Digitally sign client communications
• Disable cached credentials

Page 24

Best Practices: FSMO Placement

• Implications per role
• Availability
• Survivability

Page 25

Best Practices: Group Memberships

• Severely limit membership in administrative groups
• Set ACLs on groups so that only service admins can modify service admin groups
• Remove everyone from the Schema Administrators group
  – Add someone back in when needed
• Audit changes to service admin groups
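Slide 15 names the service admin groups and this slide says what to check about them: small membership, an empty Schema Admins group, and an ACL that lets only service admins change the membership. As an added example that is not part of the deck, the following PowerShell lists recursive membership of those groups, verifies that the built-in Administrator (always RID 500) has been renamed as slide 15 recommends, and shows which principals hold write access to the member attribute of a given group. It assumes the ActiveDirectory module on a domain-joined machine.

```powershell
# Added example (not from the slides). Assumes the ActiveDirectory module.
Import-Module ActiveDirectory

$serviceAdminGroups = 'Enterprise Admins', 'Schema Admins', 'Administrators', 'Domain Admins',
                      'Server Operators', 'Account Operators', 'Backup Operators'

function Get-ServiceAdminMembership {
    foreach ($g in $serviceAdminGroups) {
        # Enterprise/Schema Admins exist only in the forest root; errors are suppressed elsewhere.
        $members = @(Get-ADGroupMember -Identity $g -Recursive -ErrorAction SilentlyContinue)
        [pscustomobject]@{
            Group   = $g
            Count   = $members.Count
            Members = (@($members.SamAccountName) | Sort-Object) -join ', '
            # Schema Admins should be empty between schema changes.
            Flag    = ($g -eq 'Schema Admins' -and $members.Count -gt 0)
        }
    }
}

function Test-BuiltinAdministratorRenamed {
    # The built-in Administrator keeps RID 500 whatever it is called, so look it up by SID.
    $domainSid = (Get-ADDomain).DomainSID.Value
    $admin = Get-ADUser -Identity "$domainSid-500"
    [pscustomobject]@{
        SamAccountName = $admin.SamAccountName
        Renamed        = ($admin.SamAccountName -ne 'Administrator')
    }
}

function Get-GroupMemberWriteAccess {
    # Who can change the 'member' attribute (or everything) on a service admin group?
    param([Parameter(Mandatory)][string]$GroupName)
    $memberAttrGuid = [guid]'bf9679c0-0de6-11d0-a285-00aa003049e2'   # schemaIDGUID of 'member'
    $dn  = (Get-ADGroup -Identity $GroupName).DistinguishedName
    $acl = Get-Acl -Path "AD:\$dn"
    $acl.Access | Where-Object {
        $_.AccessControlType -eq 'Allow' -and
        $_.ActiveDirectoryRights -match 'WriteProperty|GenericWrite|GenericAll|WriteDacl|WriteOwner' -and
        ($_.ObjectType -eq [guid]::Empty -or $_.ObjectType -eq $memberAttrGuid)
    } | Select-Object IdentityReference, ActiveDirectoryRights, IsInherited
}

Get-ServiceAdminMembership | Format-Table -AutoSize
Test-BuiltinAdministratorRenamed
Get-GroupMemberWriteAccess -GroupName 'Domain Admins' | Format-Table -AutoSize
```

Any IdentityReference in the last report that is not itself a service admin group (or the AdminSDHolder-protected defaults) is a path by which a data administrator could make themselves a service administrator, which is the condition the second bullet above is meant to rule out.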

Page 26

Best Practices: Monitoring

• Monitor for any unexpected DC outages
  – Can indicate an attack
• Monitor for unexpected query loads
  – Can indicate a DoS attack
• Monitor for disk space use
  – Can indicate a replicating DoS attack
• Monitor for DNS request traffic
  – Can indicate a DoS attack on DNS
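Slide 18 gives the loop (collect at intervals, compare with previous data or a threshold, alert, report) and this slide names the signals. As an added example that is not part of the deck, the following PowerShell performs one pass of that loop on a DC: it counts failed logons and security-group membership changes in the Security log since the previous run, checks that every DC answers LDAP, measures free space on the volume holding the DIT, and derives a DNS query rate from the server's cumulative counter. It assumes the ActiveDirectory and DnsServer modules on the DC; the thresholds and the state-file path are illustrative, and the counter path QueryStatistics.TotalQueries on the Get-DnsServerStatistics output is an assumption.

```powershell
# Added example (not from the slides). Assumes the ActiveDirectory and DnsServer modules on a DC.
# Thresholds and the state path are illustrative; the DNS counter property path is an assumption.
Import-Module ActiveDirectory

$thresholds = @{
    FailedLogonsPerInterval = 200
    MinFreeDiskPercent      = 15
    MaxDnsQueriesPerSecond  = 5000
}

function Get-SecurityLogCounts {
    param([Parameter(Mandatory)][datetime]$Since)
    # 4625 = failed logon; 4728/4732/4756 = member added to a security-enabled group.
    $events = Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4625, 4728, 4732, 4756; StartTime = $Since } -ErrorAction SilentlyContinue
    foreach ($grp in ($events | Group-Object Id)) { [pscustomobject]@{ Id = [int]$grp.Name; Count = $grp.Count } }
}

function Test-DomainControllers {
    foreach ($dc in Get-ADDomainController -Filter *) {
        $up = Test-NetConnection -ComputerName $dc.HostName -Port 389 -InformationLevel Quiet -WarningAction SilentlyContinue
        [pscustomobject]@{ DC = $dc.HostName; LdapReachable = [bool]$up }
    }
}

function Get-DirectoryVolumeFreePercent {
    $dit  = (Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Services\NTDS\Parameters').'DSA Database file'
    $disk = Get-CimInstance Win32_LogicalDisk -Filter "DeviceID='$(Split-Path -Qualifier $dit)'"
    [math]::Round(100 * $disk.FreeSpace / $disk.Size, 1)
}

function Invoke-MonitoringPass {
    param([string]$StatePath = "$env:ProgramData\ad-monitor-state.json")   # placeholder
    $state  = if (Test-Path $StatePath) { Get-Content $StatePath -Raw | ConvertFrom-Json } else { $null }
    $since  = if ($state) { [datetime]$state.LastRun } else { (Get-Date).AddHours(-1) }
    $now    = Get-Date
    $alerts = New-Object System.Collections.Generic.List[string]

    # Security log: threshold for failed logons, any occurrence for group changes.
    $counts = Get-SecurityLogCounts -Since $since
    $failed = [int](($counts | Where-Object Id -eq 4625 | Measure-Object -Property Count -Sum).Sum)
    if ($failed -gt $thresholds.FailedLogonsPerInterval) { $alerts.Add("Failed logons since ${since}: $failed") }
    foreach ($c in ($counts | Where-Object Id -ne 4625)) { $alerts.Add("Group membership change event $($c.Id) seen $($c.Count) time(s)") }

    # DC outages.
    foreach ($dc in Test-DomainControllers) { if (-not $dc.LdapReachable) { $alerts.Add("DC $($dc.DC) is not answering LDAP") } }

    # Disk space on the directory volume.
    $free = Get-DirectoryVolumeFreePercent
    if ($free -lt $thresholds.MinFreeDiskPercent) { $alerts.Add("Directory volume free space is $free%") }

    # DNS request rate from the cumulative counter, compared with the previous run.
    $total = (Get-DnsServerStatistics -ErrorAction SilentlyContinue).QueryStatistics.TotalQueries
    if ($state -and $total -and $state.DnsTotalQueries) {
        $qps = ($total - $state.DnsTotalQueries) / [math]::Max(($now - $since).TotalSeconds, 1)
        if ($qps -gt $thresholds.MaxDnsQueriesPerSecond) { $alerts.Add("DNS query rate $([math]::Round($qps)) q/s") }
    }

    @{ LastRun = $now.ToString('o'); DnsTotalQueries = $total } | ConvertTo-Json | Set-Content -Path $StatePath
    [pscustomobject]@{ Since = $since; Until = $now; Alerts = $alerts.ToArray() }
}

Invoke-MonitoringPass | Format-List
```

Scheduled every few minutes, the Alerts array is the input to the response step on slide 18, and the per-run objects accumulated over a week are the material for its scheduled report. The DNS counter resets when the DNS service restarts, so a negative delta should be treated as "no data", not as a drop in load.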

Page 27

Best Practices: Service Administration

• Create separate admin and user accounts
• Create a separate service admin OU
• Establish secure admin workstations
  – Don’t give admin privileges on the workstation
• Use secure updates (NTLM) between admin workstations and DCs
• Use the “log on locally” policy to limit service admin logons to specific admin workstations

Page 28

Best Practices: Data Administration

• Always use NTFS
• Use encryption where appropriate

Page 29

Thank You

Q and A?