Best Practices for Securing Active Directory - PowerPoint PPT Presentation

Slides: 41
Provided by: DavePe

Transcript and Presenter's Notes

1
Best Practices for Securing Active Directory
Dana J. Willis, Security Engineer, NetIQ Corporation
dana.willis_at_netiq.com
2
Securing Active Directory Agenda
  • Planning
  • Creating
    • Establish Secure AD Boundaries
    • Deploy Secure Domain Controllers
    • Establish Secure Domain and DC Policies
    • Establish Secure Administrative Practices
    • Secure DNS
  • Maintaining
    • Maintain Secure Domain Controller Operations
    • Staying Current with Service Packs and Security
      Hotfixes
    • Monitor the AD Infrastructure
  • Best Practices Summary
  • AD Security Solutions to Invest In

3
Active Directory Security Fundamentals
  • Forests
  • Domains
  • Trusts
  • Kerberos
  • OUs
  • Group policy (GPOs)
  • Configuration NC
  • Schema NC
  • ACLs
  • Authentication
  • Authorization
  • Replication
  • FSMOs
  • Delegation

4
Planning AD Security
  • Considerations upon deployment of AD DCs
    • Datacenter
      • Centralized, Secure
      • High-End Performance
    • Branch Offices
      • Lack of IT Expertise
      • Slow connectivity to rest of organization

5
Planning AD Security
  • Identifying Types of Threats
    • Spoofing
    • Data Tampering
    • Repudiation
    • Information Disclosure
    • Denial of Service
    • Elevation of Privilege
    • Social Engineering
  • Identifying Sources of Threats
    • Anonymous Users
    • Authenticated Users
    • Service Administrators
    • Data Administrators
    • Users with Physical Access

6
Establishing Secure AD Boundaries
  • Delegation of Administration
    • Needs to be flexible, limited, secure, and dynamic,
      and meet the needs of the organization based upon
      its need for autonomy and isolation
  • Forest/Domain Model
  • Establish Secure Trusts

7
Deploying Secure Domain Controllers
  • Establish secure domain controller build
    practices
    • Limit physical access to trusted personnel
      • Restricted access area
    • Build automated process for installation of DCs
      • SYSPREP, RIS, Unattended Setup

8
Deploying Secure Domain Controllers
  • Ensure predictable, repeatable, and secure domain
    controller deployments.
  • Create strong administrator password
    • 9 characters, non-dictionary, symbols, etc.
  • Use TCP/IP only if possible
  • Disable non-essential services
    • IIS, Messenger, SMTP, Telnet, etc.
  • Format partitions with NTFS
  • Install latest service packs and security updates
  • Prohibit the use of cached credentials when
    unlocking the DC console
  • Install anti-virus scanning software
  • Maintain Secure Physical Access to Domain
    Controllers

9
Establish Secure Domain and Domain Controller
Policy Settings
  • Domain Policies
    • Password Policies
      • History
      • Age
      • Length
      • Complexity
    • Lockout Policy
      • Duration
      • Threshold
      • Reset

10
Establish Secure Domain and Domain Controller
Policy Settings
  • Domain Controller Policies
    • User Rights
      • Log on locally
      • System Shutdown
    • Enable Auditing
      • Account logon
      • Account Management
      • Directory Service Access
      • Logon events
      • Policy changes
      • System events
    • Event Logging
      • Security log size set to 128 MB
      • Retention set to overwrite events as needed
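
The following PowerShell is an added example, not part of the presentation: a read-only compliance check of one domain controller against the policy items on slides 9 and 10 (password history, age, length and complexity; lockout duration, threshold and reset window; auditing of the six listed categories; a 128 MB Security log that overwrites as needed). It assumes the ActiveDirectory module (RSAT or Windows Server), a local auditpol.exe, and it maps the slide's legacy audit categories onto the subcategories that carry them today. Every numeric target other than the 128 MB log size is an assumed placeholder to replace with your own domain standard.

```powershell
# Added example, not from the presentation: read-only check of one domain
# controller against the policy items on slides 9 and 10. Assumes the
# ActiveDirectory module and a local auditpol.exe; run it on each DC, or
# inside a remoting session to it.
Import-Module ActiveDirectory

# Targets. Only the 128 MB Security log size and "overwrite as needed" come
# from the slides; the other numbers are assumed placeholders.
$Target = @{
    MinPasswordLength    = 9       # assumption
    PasswordHistoryCount = 24      # assumption
    MaxPasswordAgeDays   = 90      # assumption
    LockoutThreshold     = 5       # assumption
    LockoutDurationMin   = 30      # assumption
    LockoutWindowMin     = 30      # assumption
    SecurityLogBytes     = 128MB   # slide 10
}

# Slide 10's legacy audit categories, expressed as the subcategories that
# carry them today (auditpol /get /category:* /r reports per subcategory).
$RequiredSubcategories = @(
    'Credential Validation'                                   # Account logon
    'User Account Management', 'Security Group Management'    # Account management
    'Directory Service Access', 'Directory Service Changes'   # Directory service access
    'Logon', 'Logoff', 'Account Lockout'                      # Logon events
    'Audit Policy Change', 'Authentication Policy Change'     # Policy changes
    'Security State Change', 'System Integrity'               # System events
)

function Test-PasswordAndLockoutPolicy {
    $p = Get-ADDefaultDomainPasswordPolicy
    $f = @()
    if ($p.MinPasswordLength -lt $Target.MinPasswordLength)       { $f += "Minimum password length is $($p.MinPasswordLength)" }
    if ($p.PasswordHistoryCount -lt $Target.PasswordHistoryCount) { $f += "Password history is $($p.PasswordHistoryCount) passwords" }
    if (-not $p.ComplexityEnabled)                                { $f += 'Password complexity is disabled' }
    # A zero maximum age means passwords never expire
    if ($p.MaxPasswordAge -eq [TimeSpan]::Zero -or $p.MaxPasswordAge.TotalDays -gt $Target.MaxPasswordAgeDays) {
        $f += "Maximum password age is $($p.MaxPasswordAge.TotalDays) days"
    }
    # A zero threshold disables lockout entirely
    if ($p.LockoutThreshold -eq 0 -or $p.LockoutThreshold -gt $Target.LockoutThreshold) {
        $f += "Lockout threshold is $($p.LockoutThreshold) attempts"
    }
    # A zero duration means "locked until an administrator unlocks", which is stricter, so it is not flagged
    if ($p.LockoutDuration -ne [TimeSpan]::Zero -and $p.LockoutDuration.TotalMinutes -lt $Target.LockoutDurationMin) {
        $f += "Lockout duration is $($p.LockoutDuration.TotalMinutes) minutes"
    }
    if ($p.LockoutObservationWindow.TotalMinutes -lt $Target.LockoutWindowMin) {
        $f += "Lockout reset window is $($p.LockoutObservationWindow.TotalMinutes) minutes"
    }
    return $f
}

function Test-AuditPolicy {
    # /r makes auditpol emit CSV; drop any blank lines before parsing
    $rows = auditpol /get /category:* /r | Where-Object { $_ -match ',' } | ConvertFrom-Csv
    $f = @()
    foreach ($name in $RequiredSubcategories) {
        $row = $rows | Where-Object { $_.Subcategory -eq $name }
        if (-not $row -or $row.'Inclusion Setting' -eq 'No Auditing') { $f += "Auditing is not enabled for '$name'" }
    }
    return $f
}

function Test-SecurityLog {
    $log = Get-WinEvent -ListLog Security
    $f = @()
    if ($log.MaximumSizeInBytes -lt $Target.SecurityLogBytes) {
        $f += "Security log maximum size is $([math]::Round($log.MaximumSizeInBytes / 1MB)) MB"
    }
    if ($log.LogMode -ne 'Circular') {   # Circular is "overwrite events as needed"
        $f += "Security log retention is '$($log.LogMode)', not overwrite-as-needed"
    }
    return $f
}

$findings = @(Test-PasswordAndLockoutPolicy) + @(Test-AuditPolicy) + @(Test-SecurityLog)
if ($findings.Count -eq 0) { "$env:COMPUTERNAME: all checks passed" }
else { $findings | ForEach-Object { "$env:COMPUTERNAME: $_" } }
```

The script only reads; the settings themselves belong in the Default Domain Policy and Default Domain Controllers Policy GPOs so that every DC receives them, and this check is what confirms a DC actually has them.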

11
Establishing Secure Administrative Practice
  • Secure Service Admin Accounts
    • Enterprise Admins
    • Schema Admins
    • Administrators
    • Domain Admins (rename this account)
    • Server Operators
    • Account Operators
    • Backup Operators
  • Best Practices
    • Rename the administrator account
    • Limit the number of service admin accounts
    • Separate administrator accounts from end-user accounts
    • Use a delegation solution from a 3rd party

12
Deploy Secure DNS
  • Protecting DNS Servers
    • Use Active Directory-integrated DNS zones.
    • Implement IPSec between DNS clients and servers.
    • Protect the DNS cache on domain controllers.
    • Monitor network activity.
    • Close all unused firewall ports.
  • Protecting DNS Data
    • Use secure dynamic update.
    • Ensure that third-party DNS servers support
      secure dynamic update.
    • Ensure that only trusted individuals are granted
      DNS administrator privileges.
    • Set ACLs on DNS data.
    • Use separate internal and external namespaces.

13
Maintaining Secure AD Operations
  • Domain Controller and Administrative Workstation
    Security
    • DC backup and restore.
      • Limit backup services and media to a secure
        location.
      • Develop a secure remote backup process.
      • Ensure backup media is available when needed.
    • DC and administrative workstation hardware
      retirement.
    • DC and administrative workstation virus scans
      • Obtain regular virus signature updates.

14
Maintaining Secure AD Operations
  • Stay Current with Security Hotfixes and Service
    Packs
    • Select a Security Update Strategy
    • Select Notification, Deployment, and Auditing
      Methods
      • Microsoft Security Notification Service
        Newsletter
      • Windows Update Service
      • Software Update Services

15
Maintaining Secure AD Operations
  • Deploying Security Hotfixes and Service Packs
    • Obtain notification and download the most current
      updates
      • Windows Update and SUS
    • Evaluate the threat
    • Arrange to install
    • Test the updates on Domain Controllers in a test
      lab
    • Distribute and deploy to the production environment
      • Windows Update and SUS

16
Maintaining Secure AD Operations
  • Maintain Baseline Information
    • Create a baseline database of Active Directory
      infrastructure information.
      • Audit Policies
      • List of GPOs and their assignments
      • List of Trusts
      • List of Domain Controllers, Administrative
        workstations
      • Service Administrators
      • Operations Masters (FSMO roles)
      • Replication topology
      • Database size (.DIT file)
      • OS version, Service Packs, Hotfixes, Anti-Virus
        version
    • Detect and verify infrastructure changes
    • Update Baseline information

17
Maintaining Secure AD Operations
  • Monitoring the AD Infrastructure
    • Collect information in real time or at specified
      time intervals.
      • Security Event Logs
    • Compare this data with previous data or against a
      threshold value.
    • Respond to a security alert as directed in your
      organization's practices.
    • Summarize security monitoring in one or more
      regularly scheduled reports.

18
Maintaining Secure AD Operations
  • Monitoring the AD Infrastructure
    • Monitoring Forest-level Changes
      • Detect changes in the Active Directory schema.
      • Identify when domain controllers are added or
        removed.
      • Detect changes in replication topology.
      • Detect changes in LDAP policies.
      • Detect changes in dSHeuristics.
      • Detect changes in forest-wide operations master
        roles.

19
Maintaining Secure AD Operations
  • Monitoring Domain-level Changes
    • Detect changes in domain-wide operations master
      roles.
    • Detect changes in trusts.
    • Detect changes in AdminSDHolder.
    • Detect changes in GPOs for the Domain container
      and the Domain Controllers OU.
    • Detect changes in GPO assignments for the Domain
      container and the Domain Controllers OU.
    • Detect changes in the membership of the built-in
      groups.
    • Detect changes in the audit policy settings for
      the domain.

20
Maintaining Secure AD Operations
  • Monitoring Service Admin and Admin Workstation
    Changes
    • Detect changes in service administrator accounts.
    • Detect changes in GPOs for the Service
      Administrators controlled subtree.
    • Detect changes in GPO assignments for the Service
      Administrators controlled subtree.
  • Monitoring for Disk Space Consumed by Active
    Directory Objects
    • Monitor for an inordinately large number of
      normal-sized objects.
    • Monitor for a limited number of extraordinarily
      large objects.
  • Monitoring Domain Controller Availability
    • Monitor domain controllers for active status.
    • Monitor domain controllers for restarts.
  • Monitoring Changes in Domain Controller
    Performance Counters
    • Detect changes in domain controller system
      resources.
    • Detect changes in LDAP responsiveness.
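
The following PowerShell is an added example, not part of the presentation or of any NetIQ product: it implements the baseline-and-detect cycle of slides 16, 18, 19 and 20 for the items those slides name (operations master roles, schema version, dSHeuristics, LDAP policy limits, domain controllers, trusts, site links, GPO links on the domain head and the Domain Controllers OU, the AdminSDHolder DACL, and membership of the built-in and service admin groups). It flattens each item to a string, stores the snapshot as JSON at an assumed path, and on the next run reports every item whose value differs. It assumes the ActiveDirectory module and read access to the configuration partition.

```powershell
# Added example, not from the presentation: snapshot the forest- and
# domain-level items slides 16, 18, 19 and 20 say to baseline, save the
# snapshot, and report what changed since the previous run.
# Assumes the ActiveDirectory module; $BaselinePath is an assumed location.
Import-Module ActiveDirectory
$BaselinePath = 'C:\ADBaseline\baseline.json'   # assumption

function Get-ADSecurityBaseline {
    $root   = Get-ADRootDSE
    $forest = Get-ADForest
    $domain = Get-ADDomain
    $cfg    = $root.configurationNamingContext
    $b = [ordered]@{}

    # Operations master roles, forest-wide (slide 18) and domain-wide (slide 19)
    $b['FSMO.SchemaMaster']         = $forest.SchemaMaster
    $b['FSMO.DomainNamingMaster']   = $forest.DomainNamingMaster
    $b['FSMO.PDCEmulator']          = $domain.PDCEmulator
    $b['FSMO.RIDMaster']            = $domain.RIDMaster
    $b['FSMO.InfrastructureMaster'] = $domain.InfrastructureMaster

    # Schema version, dSHeuristics and the default LDAP query policy limits
    $b['Schema.objectVersion'] = (Get-ADObject $root.schemaNamingContext -Properties objectVersion).objectVersion
    $ds = Get-ADObject "CN=Directory Service,CN=Windows NT,CN=Services,$cfg" -Properties dSHeuristics
    $b['Config.dSHeuristics'] = [string]$ds.dSHeuristics
    $qp = Get-ADObject "CN=Default Query Policy,CN=Query-Policies,CN=Directory Service,CN=Windows NT,CN=Services,$cfg" -Properties lDAPAdminLimits
    $b['Config.lDAPAdminLimits'] = (@($qp.lDAPAdminLimits) | Sort-Object) -join ';'

    # Domain controllers, trusts and replication topology (site links)
    $b['DomainControllers'] = ((Get-ADDomainController -Filter *).HostName | Sort-Object) -join ';'
    $b['Trusts'] = (Get-ADTrust -Filter * | ForEach-Object { "$($_.Name):$($_.Direction):quarantined=$($_.SIDFilteringQuarantined)" } | Sort-Object) -join ';'
    $b['SiteLinks'] = (Get-ADReplicationSiteLink -Filter * |
        ForEach-Object { "$($_.Name)=" + ((@($_.SitesIncluded) | Sort-Object) -join ',') } | Sort-Object) -join ';'

    # GPO links on the domain head and the Domain Controllers OU, and AdminSDHolder's DACL
    foreach ($dn in $domain.DistinguishedName, "OU=Domain Controllers,$($domain.DistinguishedName)") {
        $b["gPLink.$dn"] = [string](Get-ADObject $dn -Properties gPLink).gPLink
    }
    $b['AdminSDHolder.SDDL'] = (Get-Acl "AD:\CN=AdminSDHolder,CN=System,$($domain.DistinguishedName)").Sddl

    # Built-in and service admin group membership (slide 11's list)
    foreach ($g in 'Enterprise Admins','Schema Admins','Domain Admins','Administrators','Account Operators','Server Operators','Backup Operators') {
        # Enterprise Admins and Schema Admins exist only in the forest root domain
        $members = Get-ADGroupMember $g -ErrorAction SilentlyContinue | Select-Object -ExpandProperty distinguishedName
        $b["Group.$g"] = (@($members) | Sort-Object) -join ';'
    }
    return $b
}

function Compare-ADSecurityBaseline {
    param([System.Collections.IDictionary]$Current, [string]$Path)
    if (-not (Test-Path $Path)) { return @() }
    $prev = @{}
    (Get-Content $Path -Raw | ConvertFrom-Json).PSObject.Properties | ForEach-Object { $prev[$_.Name] = [string]$_.Value }
    $changes = @()
    foreach ($k in (@($prev.Keys) + @($Current.Keys) | Sort-Object -Unique)) {
        $old = [string]$prev[$k]; $new = [string]$Current[$k]
        if ($old -ne $new) { $changes += [pscustomobject]@{ Item = $k; Before = $old; After = $new } }
    }
    return $changes
}

$current = Get-ADSecurityBaseline
$changes = Compare-ADSecurityBaseline -Current $current -Path $BaselinePath
if ($changes) { $changes | Format-Table -Wrap } else { 'No changes since the last baseline (or no prior baseline)' }

# Slide 16's last step: update the baseline once the changes have been verified
New-Item -ItemType Directory -Force (Split-Path $BaselinePath) | Out-Null
$current | ConvertTo-Json | Set-Content $BaselinePath
```

Run it on a schedule from an administrative workstation; in practice the final write should be gated on someone reviewing the reported changes, otherwise an unexpected change becomes the new baseline. Database size, OS version and hotfix level from slide 16 are per-DC facts and are better collected on each DC than in this domain-wide snapshot.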

21
Best Practices Summary
Maintaining Secure Active Directory Operations
22
Best Practices IP Infrastructure
  • Virtual Private Network
    • Private rather than public
  • Firewalls
  • IPSec
    • Protect DC communications
  • DMZ
    • Protected private assets
  • Intrusion detection system (IDS)

23
Best Practices DNS
  • Use AD-integrated zones if at all possible
    • Secure dynamic updates
    • ACLs on resource records
    • Improved replication
      • Application partitions in WS2K3
  • Use forwarders instead of secondaries
    • Eliminates text-based zone files
  • Treat DNS admins as service admins
  • Create a split DNS namespace
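
The following PowerShell is an added example, not part of the presentation: it audits a Windows DNS server against the DNS items on slides 12 and 23 (AD-integrated zones, secure dynamic update only, application-partition replication rather than the legacy domain-partition storage, forwarders instead of secondaries, and DNS administrators reviewed like service admins). It assumes the DnsServer and ActiveDirectory modules (Windows Server 2012 or later) and reports findings with the remediation cmdlet rather than changing anything itself.

```powershell
# Added example, not from the presentation: audit a Windows DNS server against
# the DNS items on slides 12 and 23. Assumes the DnsServer and ActiveDirectory
# modules; $ComputerName defaults to the local server.
Import-Module DnsServer
Import-Module ActiveDirectory

function Test-DnsZoneHardening {
    param([string]$ComputerName = $env:COMPUTERNAME)
    $findings = @()
    $zones = Get-DnsServerZone -ComputerName $ComputerName

    foreach ($z in ($zones | Where-Object { $_.ZoneType -eq 'Primary' -and -not $_.IsAutoCreated })) {
        if (-not $z.IsDsIntegrated) {
            # A file-backed zone lives in a text zone file and is replicated by zone transfer
            $findings += "$($z.ZoneName): file-backed primary zone; convert with Set-DnsServerPrimaryZone -Name '$($z.ZoneName)' -ReplicationScope Domain"
        }
        elseif ($z.ReplicationScope -eq 'Legacy') {
            # Stored in the domain partition (pre-WS2K3 style) rather than an application partition
            $findings += "$($z.ZoneName): legacy replication scope; move with Set-DnsServerPrimaryZone -Name '$($z.ZoneName)' -ReplicationScope Domain"
        }
        if ($z.DynamicUpdate -ne 'Secure') {
            # NonsecureAndSecure lets any host overwrite a record; None stops DCs registering SRV records
            $findings += "$($z.ZoneName): dynamic update is '$($z.DynamicUpdate)'; set with Set-DnsServerPrimaryZone -Name '$($z.ZoneName)' -DynamicUpdate Secure"
        }
    }

    # Slide 23 prefers forwarders to secondaries
    foreach ($s in ($zones | Where-Object { $_.ZoneType -eq 'Secondary' })) {
        $findings += "$($s.ZoneName): secondary zone; prefer a conditional forwarder or stub zone"
    }
    $fwd = Get-DnsServerForwarder -ComputerName $ComputerName
    if (-not $fwd.IPAddress) { $findings += 'No forwarders configured; external resolution falls back to root hints' }
    return $findings
}

function Get-DnsAdministrators {
    # Slide 23: treat DNS admins as service admins, so list them for the same review
    Get-ADGroupMember 'DnsAdmins' -Recursive | Select-Object Name, objectClass, distinguishedName
}

$f = @(Test-DnsZoneHardening)
if ($f.Count -eq 0) { 'DNS zone checks passed' } else { $f }
'DnsAdmins membership:'
Get-DnsAdministrators | Format-Table -AutoSize
```

A primary zone that intentionally holds only static records may legitimately use a dynamic update setting of None; review those findings rather than applying the suggested cmdlet blindly.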

24
Best Practices DHCP
  • Configure so that
    • Client updates A record
    • DHCP service updates PTR record
  • Don't run DHCP on a DC
    • If necessary, use a service account

25
Best Practices Building DCs
  • Build DCs in a controlled environment
  • Put DIT, SYSVOL, logs on a separate device
  • Create a reserve disk space file
  • Enable DNS
  • Disable all unnecessary services
    • IIS
    • DHCP
  • Change FS ACLs to Administrator

26
Best Practices Physical Security
  • Data center
    • Access list
    • Cleared personnel
    • Segregated equipment rack
    • Tamper-proof cages
  • Domain controllers
    • Highly restricted
  • Cabling
    • Concrete-hardened

27
Best Practices DC policies
  • Enable auditing
  • Disable anonymous connections
  • Digitally sign client communications
  • Disable cached credentials
  • See Best Practice Guide

28
Best Practices Domain Policies
  • Consider the impact
    • Test
    • Controlled application
    • Part of CCB process
  • Password policies
  • Account lockout
  • Kerberos

29
Best Practices FSMO placement
  • Implications per role
    • Availability
    • Survivability

30
Best Practices Creating Trusts
  • Consider operational security of the other forest
    • Admin membership
  • sIDHistory and SID filtering
    • Use NETDOM to enable SID filtering
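
The following PowerShell is an added example, not part of the presentation: it lists every trust of the current domain, reports whether SID filtering is in force on each, and for the ones where it is not prints the NETDOM command the slide refers to. It assumes the ActiveDirectory module, read access to the domain's trustedDomain objects, and that `SIDFilteringQuarantined` (external trusts) and `SIDFilteringForestAware` (forest trusts, True once SID history has been allowed with `/enablesidhistory:yes`) reflect the trust attributes as the ADTrust object exposes them; the `<admin>` in the printed command is a placeholder.

```powershell
# Added example, not from the presentation: report SID filtering state for
# every trust of the current domain and print the NETDOM remediation
# command where it is not in force. Assumes the ActiveDirectory module.
Import-Module ActiveDirectory

function Get-TrustSidFilteringReport {
    $local = (Get-ADDomain).DNSRoot
    foreach ($t in Get-ADTrust -Filter *) {
        $state  = 'OK'
        $advice = ''
        $type   = if ($t.ForestTransitive) { 'Forest' } else { [string]$t.TrustType }

        if ($t.IntraForest) {
            $state = 'n/a (intra-forest)'   # SID filtering does not apply to trusts inside one forest
        }
        elseif ($t.ForestTransitive) {
            # Forest trusts filter SIDs by default; SIDFilteringForestAware reports True once
            # SID history has been allowed across the trust, which relaxes that filtering.
            if ($t.SIDFilteringForestAware) {
                $state  = 'REVIEW: SID history allowed across forest trust'
                $advice = "netdom trust $local /domain:$($t.Target) /enablesidhistory:no /userD:<admin> /passwordD:*"
            }
        }
        elseif (-not $t.SIDFilteringQuarantined) {
            # External trust without quarantine: SIDs from the other domain are not filtered
            $state  = 'FAIL: SID filtering (quarantine) off on external trust'
            $advice = "netdom trust $local /domain:$($t.Target) /quarantine:yes /userD:<admin> /passwordD:*"
        }

        [pscustomobject]@{
            Trust       = $t.Target
            Direction   = $t.Direction
            Type        = $type
            Selective   = $t.SelectiveAuthentication
            State       = $state
            Remediation = $advice
        }
    }
}

Get-TrustSidFilteringReport | Format-Table -AutoSize -Wrap
```

The `/quarantine` and `/enablesidhistory` switches are applied on the trusting side of a trust, so for a bidirectional trust the report should be run, and the command applied, in both domains. Selective authentication is shown alongside because the slide's "consider operational security of the other forest" is usually addressed with both controls together.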

31
Best PracticesGroup Memberships
  • Severely limit membership in administrative
    groups
  • Set ACLs on groups so that only service admins
    can modify service admin groups
  • Remove everyone from the Schema Administrators
    group
  • Add someone back in when needed
  • Audit changes to service admin groups
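
The following PowerShell is an added example, not part of the presentation: it checks the second item on this slide by reading the DACL of each service admin group (the list from slide 11) and reporting every allow ACE that gives a principal outside the service admin set the ability to change the group, either broadly (GenericAll, GenericWrite, WriteDacl, WriteOwner) or by writing the `member` attribute. It assumes the ActiveDirectory module with its `AD:` drive; the trusted-principal list is an assumption to adjust for your domain.

```powershell
# Added example, not from the presentation: report ACEs on the service admin
# groups that let principals outside the service admin set modify the group.
# Assumes the ActiveDirectory module and its AD: drive.
Import-Module ActiveDirectory

$domainNetbios = (Get-ADDomain).NetBIOSName
$TrustedPrincipals = @(
    'NT AUTHORITY\SYSTEM', 'BUILTIN\Administrators',
    "$domainNetbios\Domain Admins", "$domainNetbios\Enterprise Admins"
)   # assumption: the service admin set for this domain
$ServiceAdminGroups = 'Enterprise Admins', 'Schema Admins', 'Domain Admins', 'Administrators',
                      'Account Operators', 'Server Operators', 'Backup Operators'
$MemberAttributeGuid = [guid]'bf9679c0-0de6-11d0-a285-00aa003049e2'   # schemaIDGUID of the "member" attribute
$BroadWriteRights = 'GenericAll', 'GenericWrite', 'WriteDacl', 'WriteOwner'

function Get-ServiceAdminGroupAclFindings {
    foreach ($name in $ServiceAdminGroups) {
        $g = Get-ADGroup -Identity $name -ErrorAction SilentlyContinue
        if (-not $g) { continue }    # Enterprise/Schema Admins exist only in the forest root domain
        $acl = Get-Acl -Path "AD:\$($g.DistinguishedName)"
        foreach ($ace in $acl.Access) {
            if ($ace.AccessControlType -ne 'Allow') { continue }
            if ($TrustedPrincipals -contains $ace.IdentityReference.Value) { continue }

            $rights = $ace.ActiveDirectoryRights.ToString() -split ',\s*'
            $broad  = $rights | Where-Object { $BroadWriteRights -contains $_ }
            # WriteProperty matters when it covers all attributes (empty GUID) or "member" specifically
            $member = ($rights -contains 'WriteProperty') -and
                      ($ace.ObjectType -eq [guid]::Empty -or $ace.ObjectType -eq $MemberAttributeGuid)

            if ($broad -or $member) {
                [pscustomobject]@{
                    Group     = $name
                    Principal = $ace.IdentityReference.Value
                    Rights    = $ace.ActiveDirectoryRights
                    Inherited = $ace.IsInherited
                    Owner     = $acl.Owner
                }
            }
        }
    }
}

$findings = @(Get-ServiceAdminGroupAclFindings)
if ($findings.Count -eq 0) { 'No non-service-admin principals can modify the service admin groups' }
else { $findings | Format-Table -AutoSize }
```

These groups are protected by AdminSDHolder (slide 19 lists it among the things to watch), which periodically reapplies its own DACL to them; a finding that reappears after being removed from a group therefore usually has to be corrected on the AdminSDHolder object rather than on the group.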

32
Best Practices Vetting Administrators
  • Security clearance
  • Appropriate levels of training and expertise
    • Organization-specific training
      • CONOPS (Concept of Operations)
      • Policies and procedures
      • Implementation guides

33
Best Practices AD Configuration Changes
  • Formalized change management
    • CCB
    • Regression testing
    • Limited pilot
    • Operational implementation
  • Schema changes
  • DCPROMO
  • Replication topology
  • Group policies

34
Best Practices Monitoring
  • Monitor for any unexpected DC outages
    • Can indicate an attack
  • Monitor for unexpected query loads
    • Can indicate a DoS attack
  • Monitor for disk space use
    • Can indicate a replicating DoS attack
  • Monitor for DNS request traffic
    • Can indicate a DoS attack on DNS
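
The following PowerShell is an added example, not part of the presentation: it carries out the interval-sample, compare-to-threshold, alert cycle of slide 17 for the four signals on this slide (DC availability via a recent-restart check, LDAP query load, free space on the volume holding the DIT, and DNS query rate). It assumes it runs locally on a DC that also hosts DNS (the DNS counter set is absent otherwise) and that the NTDS service's registered database path identifies the DIT volume; every threshold is an assumed placeholder to replace with values taken from your own baseline.

```powershell
# Added example, not from the presentation: sample DC load and disk counters
# at an interval, compare averages against thresholds (slides 17 and 34) and
# note a recent restart. Assumes a DC that also runs DNS; all thresholds are
# assumed placeholders.
$Thresholds = @{
    '\NTDS\LDAP Searches/sec'             = 500    # assumption: unexpected query load
    '\NTDS\LDAP Client Sessions'          = 2000   # assumption
    '\DNS\Total Query Received/sec'       = 2000   # assumption: DNS request flood
    '\Processor(_Total)\% Processor Time' = 85     # assumption
}
$MinFreeDiskPercent = 20    # assumption: a replicating DoS shows up as the DIT volume filling
$RestartWindowHours = 24    # assumption: an unexplained restart inside this window is an alert

function Get-DitVolume {
    # NTDS records the DIT location at promotion time
    $dit = (Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Services\NTDS\Parameters').'DSA Database file'
    return (Split-Path $dit -Qualifier)   # e.g. "D:"
}

function Invoke-DcLoadCheck {
    param([int]$IntervalSeconds = 5, [int]$Samples = 6)
    $alerts = @()
    $vol    = Get-DitVolume
    $diskCounter = "\LogicalDisk($vol)\% Free Space"
    $paths  = @($Thresholds.Keys) + $diskCounter

    # Collect $Samples readings of every counter, $IntervalSeconds apart, and average them
    $sets = Get-Counter -Counter $paths -SampleInterval $IntervalSeconds -MaxSamples $Samples
    $avg = @{}
    foreach ($s in $sets.CounterSamples) {
        # Sample paths come back as \\host\object\counter in lower case; keyed as-is here
        $avg[$s.Path] += $s.CookedValue / $Samples
    }

    foreach ($key in $Thresholds.Keys) {
        # -like is case-insensitive, so the host-qualified sample path matches the short name
        $match = $avg.Keys | Where-Object { $_ -like "*$key" } | Select-Object -First 1
        if ($match -and $avg[$match] -gt $Thresholds[$key]) {
            $alerts += "$key averaged $([math]::Round($avg[$match], 1)) over $($Samples * $IntervalSeconds)s (threshold $($Thresholds[$key]))"
        }
    }

    $disk = $avg.Keys | Where-Object { $_ -like "*$diskCounter" } | Select-Object -First 1
    if ($disk -and $avg[$disk] -lt $MinFreeDiskPercent) {
        $alerts += "Free space on DIT volume $vol is $([math]::Round($avg[$disk], 1))% (minimum $MinFreeDiskPercent%)"
    }

    # Availability: a boot time inside the window means the DC restarted recently
    $boot = (Get-CimInstance Win32_OperatingSystem).LastBootUpTime
    if (((Get-Date) - $boot) -lt [TimeSpan]::FromHours($RestartWindowHours)) {
        $alerts += "Domain controller restarted at $boot"
    }
    return $alerts
}

$alerts = @(Invoke-DcLoadCheck)
if ($alerts.Count -eq 0) { "$env:COMPUTERNAME: within thresholds" }
else { $alerts | ForEach-Object { "$env:COMPUTERNAME: ALERT $_" } }
```

Run it from a scheduled task and forward the alert lines to whatever the organization's practices route security alerts to; the thresholds should come from the counter values recorded in the baseline of slide 16, since a query rate that is alarming on a branch-office DC may be routine in the datacenter.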

35
Best Practices Service Administration
  • Create separate admin and user accounts
  • Create a separate service admin OU
  • Establish secure admin workstations
    • Don't give admin privileges on the workstation
    • Use IPSec between admin workstations and DCs
    • Use the "log on locally" policy to limit service
      admin logons to specific admin workstations

36
Best Practices Data Administration
  • Always use NTFS
  • Use encryption where appropriate
  • Follow MSFT best practices for use of groups

37
Best Practices Backup and Restore
  • Secure backup handling and storage
  • Treat backup admins as service admins

38
Best Practices What to do in case of AD Attack
  • Response plan
    • Have one!
    • Notify ACERT or network security for your
      organization
    • Understand the nature and scope of the attack
      (know before you go)
      • Determine nature and scope of attack
      • Evaluate and test common scenarios
    • Follow CONOPS for restore
  • Recovery
    • Have a forest recovery plan (see MSFT whitepaper)
    • Authoritative restore issues

39
AD Security Solutions to Invest In
  • Policy, Awareness, and Compliance
    • Formal, well-documented policies serve as the
      foundation of a security strategy
    • Measuring users' understanding is vital
  • Administration and Identity Management
    • Securely granting users access to do their job
    • Enabling self-service
    • Knowing who can do what to whom or to which resource
  • Real-Time Monitoring (HIDS, NIDS, HIPS)
    • Reduce exposure time
    • Correlation
    • Incident Management
  • Audit and Vulnerability Assessment
    • Continuing the process of baselining your
      environment and staying aware of changes

40
Questions?