DESIGNING ACTIVE DIRECTORY SECURITY

1
DESIGNING ACTIVE DIRECTORY SECURITY

• Chapter 5

2
AUTHENTICATION PROTOCOLS

• LAN Manager (LM)
• NT LAN Manager (NTLM) v1
• NTLM v2
• Kerberos

3
PASSWORD SECURITY

• Password dictionaries simplify the cracking of
  common passwords
• Use strong passwords or passphrases
• Protect against password resets
• Implement physical security
• Require Multifactor authentication
• Use Encrypting File System (EFS)
• Do not enable account lockout policy

4
PASSWORD RESET TOOL SCREENSHOT
5
DESIGNING MULTIFACTOR AUTHENTICATION

• Requires two of the following
• Something you have
• Something you know
• Something you are
• Reduces the risk of
• Sharing passwords
• Stealing passwords
• Abusing cracked passwords

6
DESIGNING ACTIVE DIRECTORY FORESTS

• Assess the need for isolation
• Identify the forest model
• Identify the domain model
• Select the forest root domain
• Harden trust security

7
ASSESS THE NEED FOR ISOLATION

• Gather isolation requirements for
• Organizational structure
• Operational requirements
• Legal requirements
• Determine the risk posed by rogue administrators
• Determine the need to limit the scope of a
  break-in

8
ASSESS THE NEED FOR ISOLATION (CONT.)

• Creating multiple forests requires you to
• Establish forest trusts
• Enable cross-forest DNS
• Synchronize sites and subnets
• Synchronize printer locations
• Integrate multiple Microsoft Exchange Server
  computers

9
IDENTIFY THE FOREST MODEL

• Single-forest model
• Organizational forest model
• Resource forest model
• Restricted access forest model

10
ORGANIZATIONAL FOREST MODEL
11
RESOURCE FOREST MODEL
12
RESTRICTED ACCESS FOREST MODEL
13
IDENTIFY THE DOMAIN MODEL

• Use the smallest number of domains possible
• Domains do not form security boundaries
• Create separate domains for which you need
  different password polices
• If you do not trust the other domain
  administrators in your forest, create a separate
  forest

14
MULTIPLE DOMAIN ILLUSTRATION
15
IDENTIFY THE FOREST ROOT DOMAIN

• Not a concern with the single domain model
• Use a dedicated forest root domain if
• Required to separate forest and domain
  administrators
• No domain must appear subordinate to another
• Otherwise, make a regional domain the forest root
  domain

16
HARDEN TRUST SECURITY

• Use Kerberos version 5 protocol for trust
  authentication whenever possible
• Enable Security Identifier (SID) filtering on
  trusts
• Use the most limited trust possible
• Disable the domain info record
• Restrict authentication across external trusts

17
SUPPORTING EARLIER VERSIONS OF WINDOWS

• You might have to weaken Windows Server 2003
  Active Directory security if
• Using Windows NT 4.0 Remote Access Service (RAS)
• Windows NT 4.0 computers browse shared folders
• Users browse shared folders or domain users
  across a one-way cross-forest trust
• Early Windows clients require it to change Active
  Directory password

18
INTEROPERATING WITH UNIX

• Most UNIX/Linux clients can join domains
• Non-Active Directory Kerberos domains require
  Realm external trusts
• Use account mappings for Kerberos principals from
  trusted realms

19
SUMMARY

• Early versions of Windows might require
  less-secure authentication settings and
  permissions
• Use strong passwords and multifactor
  authentication to reduce the risk of password
  cracking
• Use physical security and EFS to reduce the risk
  of password resets
• Create separate forest when groups need isolation
• Create separate domains when groups need
  different password policies