Securing Your Active Directory
Chapters
Roberta Bragg
MCSE, CISSP, Author, Columnist,
Speaker, Consultant
1. Perform a Self-Audit
2. Know and Use Security Tools and Techniques
3. Monitor Active Directory Operations
4. Leverage People and Processes
5. Active Directory Security Maintenance
Sponsored by:
CONTENTS
INTRODUCTION 5
WHO SHOULD READ THIS BOOK 6
CHAPTER 1: PERFORM A SELF-AUDIT 7
FIRST, LOOK IN THE MIRROR 8
YOU CAN CHANGE THINGS, SHOULD YOU? 10
PERFORM THE AUDIT 12
STEP 1: DOCUMENT YOUR INFRASTRUCTURE 12
STEP 2: CHECK PHYSICAL SECURITY FOR DOMAIN CONTROLLERS 13
STEP 3: CHECK ACTIVE DIRECTORY HEALTH 15
  Check Connectivity 15
  Evaluate DNS Operation 16
  Evaluate DNS Security 16
  Evaluate Time Services Operation 17
  Evaluate AD Replication 18
  Evaluate FRS Replication 18
STEP 4: EVALUATE AD INFRASTRUCTURE DESIGN 19
  Examine Security Boundaries 19
STEP 5: EXAMINE NETWORK INFRASTRUCTURE DESIGN AND DEFENSE 21
  Review Network Design 21
  Review Intrusion Detection and Response 22
STEP 6: EXAMINE ADMINISTRATIVE ROLES AND STRUCTURES 22
  Review Default Administrative Groups 22
  Evaluate Delegated Permissions on AD Objects 24
  Evaluate Group Policy Administration 26
  Secure Administrative Workstations 26
  Secure Administrative Access 27
  Evaluate the Security of Administrative Communications between Workstations and DCs 28
  Evaluate Administrative Practices 28
  Evaluate Management of Administrative Tools 30
STEP 7: EXAMINE GROUP POLICY DETAILS 30
  Check GPO Files and AD Records 32
  Evaluate Policy Application 33
STEP 8: REVIEW TECHNICAL CONTROLS 33
  Evaluate the Domain Security Policy 33
  Evaluate the DC Security Policy 35
  Review Audit Policy 35
  Review User Rights on DCs 36
  Evaluate Security Options 37
  Evaluate Services 38
  Evaluate Event Log Settings 39
  Evaluate EFS 39
STEP 9: EVALUATE FILE AND REGISTRY PERMISSIONS ON DCS 40
STEP 10: REVIEW PROTECTION FOR AD COMMUNICATIONS 41
STEP 11: REVIEW MAINTENANCE PROCEDURES 42
  Review Logging Configuration and Management 42
  Review Change Management Procedures 43
  Review Security Patch Processing 44
INTRODUCTION
Active Directory (AD) is the backbone of a Windows Server 2003 or Windows 2000 Server domain infrastructure, providing a channel for security implementation and maintenance in the forest. Secure AD and you have advanced the protection of all forest elements. Ignoring AD security can put your entire infrastructure at risk.
Securing AD, however, is not a trivial task. Many Windows security subsystems are integrated with it, and many of them can be used to secure it. The account database, the Kerberos authentication protocol, password policy, the definition of user rights and system controls, and the assignment of object permissions are all contained in or managed with AD. You must also consider the distribution of its elements and the nature of the people who interact with it. AD is not an entity that can be localized on a single machine; it spans multiple computers and networks. It presents a broad attack surface, and many threats must be evaluated. There are literally hundreds of steps that should at least be considered when designing, implementing, and maintaining AD security. This e-book can help you with that task.
It consists of five lessons:
Chapter 1: Perform a Self-Audit. A checklist to assist in determining current Active Directory security status.
Chapter 2: Know and Use Security Tools and Techniques. How-tos with an emphasis on securing Active Directory.
Chapter 3: Monitor Active Directory Operations. How to monitor and improve Active Directory health.
Chapter 4: Leverage People and Processes. Training, awareness, security policy, accountability, physical security, and business continuity.
Chapter 5: Active Directory Security Maintenance. Auditing and monitoring, policy and process reviews.
Note
Part of the review looks for any evidence of fraud. If insiders are
used, they may be the perpetrators or blinded by their
relationships with the people whose systems they are auditing,
and therefore gloss over any evidence of a crime.
However, if you are the one responsible in these areas, you must determine whether the problem requires immediate attention. If the DNS issue you discover is preventing all Group Policy processing, then stop auditing and start fixing. If a specific GPO is not being applied and that GPO is the domain GPO, stop auditing and find the problem. If your settings are out of compliance and you know that bringing them into compliance causes no operational problems, you may want to correct them.
If the issues are less important (for example, you don't know what a malfunctioning GPO does), I'd continue the audit and make a list of things to do. If your network and AD operations are well run to begin with, you're probably not going to turn up horrendous operational problems during the audit. The audit is not meant to discover or troubleshoot operational issues, but instead to identify whether security is being done as it should and where it might be improved.
Step 2:
Check Physical Security for Domain Controllers
Questions to answer relative to your environment:
Does a specific process for physical access and console access exist?
Standard procedures can prevent attacks because everyone is
alert to abnormal behavior. Standard procedures should also
specify who, and exactly how, DCs are managed, ensuring the
greatest security.
Check Connectivity
DCs must connect to replication partners to update account information and changes to security settings. Clients, including computers used to administer DCs, must also have connectivity to apply security changes. If security changes can't replicate, security can't be enforced. Netdiag can test DC/DNS connectivity, and DNSLint can test connectivity between replication partners.
Are directory service and file replication event logs scanned for
errors?
Windows event logs should be periodically scanned for connectivity
errors.
Evaluate AD Replication
If AD replication is not working correctly, Group Policy information
will not be transferred between DCs.
Financial institutions
Extranets
Step 5:
Examine Network Infrastructure Design and Defense
AD does not function in isolation. Though the forest provides a security boundary, all its components sit on networks and use network infrastructure for communication. A properly protected network increases AD security. A full review of network infrastructure security is beyond the scope of a self-audit, but some major issues should be reviewed.
Step 6:
Examine Administrative Roles and Structures
Reviewing the administrative structure of the forest and domain is
important because it can strengthen or weaken your ability to secure
AD. Just as it is not necessary to provide every user administrative rights
on his desktop computer or in the domain, it is not necessary to make
all IT administrators all-powerful in the forest or even in the domain.
BIOS password
Are there any GPO inconsistencies between the file system and AD?
GPOtool can be used to check consistency of GPOs between the
file system and AD in Windows 2000 Server and Windows
Server 2003 domains. It compares version numbers between
SYSVOL and AD and looks for other indicators.
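The version comparison GPOtool performs can be reproduced offline. The following is an added example, not code from the e-book or from GPOtool: it splits a GPO version into its computer and user halves (low and high 16 bits of the 32-bit value), reads the Version line from a gpt.ini, and reports which half of SYSVOL disagrees with the AD versionNumber attribute. The AD value and gpt.ini text are constructed inputs standing in for real reads.

```python
"""Added example (not from the e-book or GPOtool): compare a GPO's AD
versionNumber with the Version entry in its SYSVOL gpt.ini and say which
half (computer or user settings) is out of sync."""
import re


def split_gpo_version(version: int) -> tuple:
    """A GPO version is a 32-bit value: low 16 bits are the computer
    settings version, high 16 bits the user settings version."""
    return version & 0xFFFF, (version >> 16) & 0xFFFF


def parse_gpt_ini(text: str) -> int:
    """Return the Version= value from a gpt.ini file's text."""
    match = re.search(r"^\s*Version\s*=\s*(\d+)\s*$", text,
                      re.MULTILINE | re.IGNORECASE)
    if match is None:
        raise ValueError("gpt.ini has no Version entry")
    return int(match.group(1))


def check_gpo_consistency(ad_version: int, gpt_ini_text: str) -> dict:
    """Compare the AD and SYSVOL versions of one GPO and report per half."""
    sysvol_version = parse_gpt_ini(gpt_ini_text)
    ad_comp, ad_user = split_gpo_version(ad_version)
    sv_comp, sv_user = split_gpo_version(sysvol_version)
    return {
        "ad_version": ad_version,
        "sysvol_version": sysvol_version,
        "computer_in_sync": ad_comp == sv_comp,
        "user_in_sync": ad_user == sv_user,
        "consistent": ad_version == sysvol_version,
    }


if __name__ == "__main__":
    # Constructed sample: AD holds user=3/computer=5, but SYSVOL still has
    # user=2/computer=5, so only the user half is stale.
    ad_value = (3 << 16) | 5
    gpt_ini = "[General]\r\nVersion=%d\r\n" % ((2 << 16) | 5)
    print(check_gpo_consistency(ad_value, gpt_ini))
```

A mismatch that persists beyond the replication interval points at FRS or AD replication trouble for that GPO rather than a transient edit.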
Appmgmts.dll
Dskquota.dll
Fdeploy.dll
Gptext.dll
Scecli.dll
Userenv.dll
Securing Your Active Directory. Chapter 1 - Perform a Self-Audit
GPMC
Evaluate Services
Every service that runs on the DC may reduce its security because it
increases the attack surface.
Evaluate EFS
Is EFS disabled in the domain if not managed?
EFS is a powerful file encryption system, but should not be
enabled unless properly managed. It should not be used to
encrypt system files.
Step 9:
Evaluate File and Registry Permissions on DCs
File and registry permissions strengthen or weaken security. Most
security settings created in the GUI are echoed in the registry. If
permissions are weak, registry settings can be manually hacked and
security compromised. The interaction between Group Policy and
the registry is complex; Group Policy refresh may override manual
registry configurations, but the system may already be compromised.
Are account logon and logon events audited for success and failure?
It is critical to monitor logon events for evidence of possible
attacks and account compromise.
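Monitoring logon events means more than enabling the audit category; someone or something has to read the resulting records. The following is an added example, not code from the e-book, that scans Security log records in the Windows 2000/2003 format for the patterns an auditor would want flagged: a burst of failed logons for one account, an account lockout, and a success that follows a burst of failures. The records are constructed samples, and the field layout, threshold and window are assumptions.

```python
"""Added example, not from the e-book: scan constructed Windows 2000/2003-
style Security log records for logon attack patterns. Event IDs used:
528/540 successful logon, 529 bad password or unknown user, 539 account
locked out, 675 Kerberos pre-authentication failure."""
from collections import defaultdict
from datetime import datetime, timedelta

FAILURE_IDS = {529, 675}
SUCCESS_IDS = {528, 540}


def find_suspicious_logons(records, threshold=5, window=timedelta(minutes=10)):
    """records: (timestamp 'YYYY-MM-DD HH:MM:SS', event id, account, source).
    Flags a burst of failures per account inside the window, a lockout, and
    a success that follows a burst (possible compromise after guessing)."""
    failures = defaultdict(list)  # account -> failure timestamps in window
    findings = []
    for ts_str, event_id, account, source in sorted(records):
        ts = datetime.strptime(ts_str, "%Y-%m-%d %H:%M:%S")
        recent = [t for t in failures[account] if ts - t <= window]
        if event_id in FAILURE_IDS:
            recent.append(ts)
            if len(recent) == threshold:  # report once when the burst appears
                findings.append(("failure_burst", account, source, ts_str))
        elif event_id == 539:
            findings.append(("lockout", account, source, ts_str))
        elif event_id in SUCCESS_IDS and len(recent) >= threshold:
            findings.append(("success_after_burst", account, source, ts_str))
            recent = []  # burst has been reported; start counting afresh
        failures[account] = recent
    return findings


# Constructed sample log: five failures for jsmith then a success, one
# mistyped password by mjones, and a lockout for svc_backup. Not real data.
SAMPLE_RECORDS = [
    ("2004-03-01 08:00:01", 529, "jsmith", "WS17"),
    ("2004-03-01 08:00:11", 529, "jsmith", "WS17"),
    ("2004-03-01 08:00:21", 529, "jsmith", "WS17"),
    ("2004-03-01 08:00:31", 675, "jsmith", "WS17"),
    ("2004-03-01 08:00:41", 529, "jsmith", "WS17"),
    ("2004-03-01 08:01:00", 528, "jsmith", "WS17"),
    ("2004-03-01 08:30:00", 529, "mjones", "WS02"),
    ("2004-03-01 09:10:00", 539, "svc_backup", "WS09"),
]

if __name__ == "__main__":
    for finding in find_suspicious_logons(SAMPLE_RECORDS):
        print(finding)
```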
Are new DCs patched when built to ensure that they are brought
online as fully patched machines?
A new installation presents an easy target to malicious software.
Installation routines can be modified to include application of
the latest service packs and security patches.
Are users provided copies of the acceptable use and other security
policies and given opportunity to study and ask questions about
them?
Understanding does not guarantee compliance, but it does enable
it. It also has the benefit that users understand the penalties for
non-compliance; that may help enhance compliance.
Are DCs only used for AD? In other words, no server or user
applications should co-exist on the DC.
Every piece of code introduced onto a DC can weaken its
security. These applications may require access and
configuration changes that weaken security, and they expose the
DC to compromise if they have vulnerabilities.
SUMMARY
This chapter provides a set of questions that should be asked as part of a self-audit of AD security. Some readers may need more details and background in order to put it to use. Others may want to use it as the basis for developing their own comprehensive security review plans. Following this summary, there is a checklist created from the steps reviewed in this chapter. It may be helpful for you to use this checklist as a guide in completing the self-audit.
Future chapters of this e-book will delve further into these topics. Although this document can serve as a starting point, reading the lessons cannot serve as your sole effort. You must put your new knowledge into practice; once that's done, the next step is to constantly update those practices. Knowledge of how to protect systems changes rapidly, just like the knowledge of those who try to destroy them. I look forward to your comments, questions, additions, and suggestions on how I can make this e-book even more useful to you in succeeding chapters.
SELF-AUDIT CHECKLIST
Item | Comments
1) Documentation of AD infrastructure
2) Physical security for DCs
3) Active Directory health
  a) Connectivity
  b) DNS operation
  c) DNS security
  d) Time services operation
  e) AD replication
  f) FRS replication
4) AD infrastructure design (security boundaries)
5) Network infrastructure design and defense
  a) Network design
  b) Intrusion detection and response
6) Administrative roles and structures
  a) Default administrative groups
  b) Delegated permissions on AD objects
  c) Group Policy administration
  d) Administrative workstations
  e) Administrative access
  f) Administrative communications between workstations and DCs
  g) Administrative practices
  h) Management of administrative tools
7) Group Policy details
  a) GPO files and AD records
  b) Policy application
8) Technical controls
  a) Domain security policy
  b) DC security policy
  c) Audit policy
  d) User rights on DCs
  e) Security options
  f) Services
  g) Event log settings
  h) EFS
9) File and registry permissions on DCs
10) Protection for AD communications
11) Maintenance procedures
  a) Logging configuration and management
  b) Change management procedures
  c) Security patch processing
  a) Security policy
  b)
  c)
  d)
Quest Software
Windows Management
6500 Emerald Parkway
Suite 400
Columbus, OH 43016
USA
Phone: 614-336-9223
1-800-263-0036