Hardening Windows Server Security
#39 SysAdmin Magazine August 2018
Hackers, Go Away! 5 Ways to Protect Windows Server User Accounts

Credentials are the keys to an account. By harvesting … laterally and escalate their privileges to steal your data. Windows Server 2016 has several features for minimizing the chance that attackers will be able to harvest …

… in the “Protected Users” group helps you protect against compromise of their credentials by disabling authentication options that are less secure. For example, Windows does not cache the credentials of members of this group locally, so they are never left on workstations. … are members of this group cannot:
- Use Windows Digest
- Use NTLM
- Use Kerberos long-term keys
- Use NT LAN Manager (NTLM) for authentication
- Use DES for Kerberos pre-authentication
- Use RC4 cipher suites for Kerberos pre-authentication

Using Account Preferences
- Logon Hours — Enables you to specify when users can use an account.
- … computers the account can sign in to.
- … don’t configure this option for privileged accounts.
- Smart card is required for interactive logon — Requires a smart card to be presented for the account to sign in.
- Account is sensitive and cannot be delegated — Ensures that trusted applications cannot forward the account’s credentials to other services or computers on the network.
- This account supports Kerberos AES 128-bit encryption — Allows Kerberos AES 128-bit encryption.
- This account supports Kerberos AES 256-bit encryption — Allows Kerberos AES 256-bit encryption.
- Account expires — Enables you to specify an end date for the account.

… assigns it a password. AD manages these passwords and updates them automatically every 30 days.

To manage the permissions of computer accounts and control which Group Policies are applied to them, you can add them to groups and move them to different OUs. You can also disable and reset computer accounts:
- Disabling a computer account means that the computer cannot connect to the domain anymore. If you delete a computer account and the computer is still operational, you’ll need to rejoin the computer to the domain if you want it to regain domain membership.
- Resetting a computer account removes the connection between the computer and the domain.

There are three types of built-in service accounts:
- Local system — The NT AUTHORITY\SYSTEM account has privileges equivalent to the local Administrators group on the computer.
- Local service — The NT AUTHORITY\LocalService account has privileges equivalent to the local Users group on the computer.
- Network service — The NT AUTHORITY\NetworkService account has privileges equivalent to the local Users group on the computer.

To protect these accounts, ensure a sysadmin updates their passwords on a regular basis. This is a manual process if you use native tools.
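As an added example that is not part of the magazine or of any Netwrix tool, the following PowerShell script applies the account protections listed above to one privileged account: Protected Users membership, the “Account” tab options (no delegation, smart card required, AES-only Kerberos, account expiry), the “Log On To” workstation list and Logon Hours. It goes slightly beyond the list by also reporting the two kinds of risky accounts an administrator should review afterwards (enabled accounts whose password never expires, and accounts inactive for a chosen number of days). It assumes the ActiveDirectory RSAT module is installed; the account name, workstation names and review window are constructed placeholders.

```powershell
# Added example (not from the magazine). Assumes the ActiveDirectory RSAT module;
# the account, workstation names and review window are constructed placeholders.
Import-Module ActiveDirectory

$Account    = 'adm-jdoe'        # constructed: a privileged admin account
$AdminHosts = 'PAW01,PAW02'     # constructed: the only workstations it may sign in from

function New-LogonHours {
    # Builds the 21-byte AD logonHours value: 168 bits, one per hour of the week,
    # starting Sunday 00:00 UTC; bit 0 of byte 0 is the first hour.
    param([int[]]$Days = @(1..5), [int]$StartHour = 8, [int]$EndHour = 18)
    $hours = New-Object byte[] 21
    foreach ($day in $Days) {
        for ($h = $StartHour; $h -lt $EndHour; $h++) {
            $bit = $day * 24 + $h
            $idx = [int][math]::Floor($bit / 8)
            $hours[$idx] = [byte]($hours[$idx] -bor (1 -shl ($bit % 8)))
        }
    }
    return ,$hours
}

function Protect-PrivilegedAccount {
    param([string]$Identity, [string]$LogonWorkstations, [int]$ValidForMonths = 6)

    # Protected Users: no NTLM, Digest, DES/RC4 Kerberos and no cached credentials
    Add-ADGroupMember -Identity 'Protected Users' -Members $Identity

    # The "Account" tab options described in the text
    Set-ADUser -Identity $Identity `
        -AccountNotDelegated $true `
        -SmartcardLogonRequired $true `
        -KerberosEncryptionType AES128,AES256 `
        -LogonWorkstations $LogonWorkstations `
        -AccountExpirationDate (Get-Date).AddMonths($ValidForMonths)

    # "Logon Hours": weekdays 08:00-18:00 UTC only
    Set-ADUser -Identity $Identity -Replace @{ logonHours = (New-LogonHours) }
}

function Get-RiskyAccounts {
    param([int]$InactiveDays = 90)
    # Enabled accounts whose password never expires
    $fixed = Get-ADUser -Filter 'PasswordNeverExpires -eq $true -and Enabled -eq $true' -Properties PasswordLastSet |
        Select-Object SamAccountName, @{ n = 'Issue'; e = { 'PasswordNeverExpires' } }, PasswordLastSet
    # Enabled accounts that have not signed in for $InactiveDays days
    $inactive = Search-ADAccount -AccountInactive -TimeSpan ([TimeSpan]::FromDays($InactiveDays)) -UsersOnly |
        Where-Object Enabled |
        Select-Object SamAccountName, @{ n = 'Issue'; e = { 'Inactive' } }, LastLogonDate
    @($fixed) + @($inactive)
}

Protect-PrivilegedAccount -Identity $Account -LogonWorkstations $AdminHosts
Get-RiskyAccounts | Format-Table -AutoSize
```

The logonHours helper is the part most often done by hand in the GUI; building the bit mask in code makes the allowed window reviewable and repeatable across accounts.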
Using Windows Defender Credential Guard

Windows Defender Credential Guard is a new technology in Windows 10 and Windows Server 2016 that helps to protect credentials from attackers who try to harvest them by using malware. Windows Defender Credential Guard uses virtualization-based security that allows you to isolate secrets, such as cached credentials, so that only privileged software can access them.

In virtualization-based security, the specific processes that use credentials or data, and the memory associated with those processes, run in a separate operating system parallel with, but independent of, the host operating system. This virtual operating system protects processes …

You can manage Windows Defender Credential Guard using Group Policy, Windows Management … Windows Defender Credential Guard does not allow the use of:
- Unconstrained Kerberos delegation
- NT LAN Manager version 1 (NTLMv1)
- Microsoft Challenge Handshake Authentication Protocol (MS-CHAPv2)
- Digest
- Credential Security Support Provider (CredSSP)
- Kerberos DES encryption

Using the Active Directory …

… for the following types of accounts:
- User accounts whose passwords never expire — You should avoid configuring accounts with fixed passwords because they are less secure than accounts with passwords that users have to update periodically.
- Inactive user accounts — Inactive user accounts usually belong to a person who has left the organization. The Active Directory Administrative Center console enables you to find accounts that haven’t signed in for a specified number of days. Deleting or disabling these user accounts prevents them from … can use some or all of them.
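As an added example (not from the magazine), this PowerShell script does the three things an administrator wants before and after turning on Windows Defender Credential Guard: check whether virtualization-based security and Credential Guard are configured and running, enable Credential Guard through the documented registry values (the same settings the Group Policy applies), and list the domain computers still trusted for unconstrained delegation, since that is one of the mechanisms Credential Guard stops. It assumes an elevated session on a Windows Server 2016 host and, for the last function, the ActiveDirectory RSAT module.

```powershell
# Added example (not from the magazine). Runs elevated on a Windows Server 2016 host;
# the registry locations and values are the documented Credential Guard settings.
function Get-CredentialGuardState {
    # Win32_DeviceGuard reports virtualization-based security (VBS) status.
    # In SecurityServicesConfigured/Running, 1 = Credential Guard, 2 = HVCI.
    $dg = Get-CimInstance -Namespace 'root\Microsoft\Windows\DeviceGuard' -ClassName Win32_DeviceGuard
    $vbs = switch ([int]$dg.VirtualizationBasedSecurityStatus) {
        0 { 'Disabled' }
        1 { 'Enabled but not running' }
        2 { 'Running' }
        default { "Unknown ($_)" }
    }
    [pscustomobject]@{
        VbsStatus                 = $vbs
        CredentialGuardConfigured = [bool]($dg.SecurityServicesConfigured -contains 1)
        CredentialGuardRunning    = [bool]($dg.SecurityServicesRunning -contains 1)
    }
}

function Enable-CredentialGuard {
    # Equivalent of the "Turn On Virtualization Based Security" Group Policy with
    # Credential Guard enabled. Secure Boot is required; DMA protection
    # (RequirePlatformSecurityFeatures = 3) is optional and hardware dependent.
    param([switch]$UefiLock)   # with the UEFI lock the setting cannot be removed remotely
    $dgKey  = 'HKLM:\SYSTEM\CurrentControlSet\Control\DeviceGuard'
    $lsaKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
    New-Item -Path $dgKey -Force | Out-Null
    Set-ItemProperty -Path $dgKey  -Name EnableVirtualizationBasedSecurity -Value 1 -Type DWord
    Set-ItemProperty -Path $dgKey  -Name RequirePlatformSecurityFeatures   -Value 1 -Type DWord
    # LsaCfgFlags: 1 = enabled with UEFI lock, 2 = enabled without lock
    $flags = if ($UefiLock) { 1 } else { 2 }
    Set-ItemProperty -Path $lsaKey -Name LsaCfgFlags -Value $flags -Type DWord
    Write-Output 'Credential Guard configured; a restart is required before it runs.'
}

function Get-UnconstrainedDelegationComputers {
    # Credential Guard blocks unconstrained delegation; computers still trusted for it
    # (domain controllers excluded, primary group 516) are worth reviewing before rollout.
    Get-ADComputer -Filter 'TrustedForDelegation -eq $true -and PrimaryGroupID -ne 516' `
        -Properties TrustedForDelegation |
        Select-Object Name, DNSHostName
}

Get-CredentialGuardState
```

Run Get-CredentialGuardState once before and once after the reboot that follows Enable-CredentialGuard; CredentialGuardRunning is the value that should change.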
Features in Windows Server …

Administrator accounts work differently in virtualized environments than they do in physical ones. In particular, … have limited or isolated rights. In contrast, in a virtual …

Windows Server 2016 … protect hosts and their VMs from malicious software that might be inside them. Because a VM is just a file, you need to protect it from attacks from the storage system or network while it is being backed up.

Host Guardian Service

Windows Server 2016 … Service (HGS) that can manage and run shielded virtual machines (VMs). HGS is the centerpiece of the guarded fabric solution that provides the Attestation Service and Key Protection Service (KPS) that enable Hyper-V to run shielded VMs. A Hyper-V host becomes a guarded host as soon as the Attestation Service affirmatively validates its identity and configuration. KPS provides the transport key that is needed to unlock and run shielded VMs.

HGS supports two different attestation modes for a guarded fabric:
- … protection, but also requires more configuration steps. The host’s hardware and firmware must include TPM …
- … encrypted.

Guarded fabrics can run three types of VMs:
- An encryption-supported VM whose protections can …

Shielded VMs

To help protect a fabric against compromise, Windows Server 2016 with Hyper-V introduced shielded virtual machines. A shielded VM is a generation 2 VM that has a virtual TPM, is encrypted by using BitLocker Drive Encryption, and can run only on healthy and approved … Here are three examples that illustrate how shielded VMs help protect against attacks:
- A malicious employee who attempts to move a shielded VM to an untrusted host will discover that the new host will not be recognized. Trusted hosts are added to HGS by means of identifiers unique to their TPMs and are protected even if they are moved to another HGS.
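As an added example (not from the magazine), this PowerShell script is the check a Hyper-V administrator runs on a host to confirm the two things described above: that the host has been attested by HGS and is therefore a guarded host, and which VMs actually carry the three properties that make a VM shielded (generation 2, virtual TPM, shielding enabled). It assumes the HgsClient and Hyper-V modules that ship with Windows Server 2016; no VM or host names are hard-coded.

```powershell
# Added example (not from the magazine). Run on a Hyper-V host; assumes the HgsClient
# and Hyper-V PowerShell modules from Windows Server 2016.
function Test-GuardedHost {
    # Get-HgsClientConfiguration reports the attestation mode, the HGS URLs and
    # whether the Attestation Service has validated this host.
    $cfg = Get-HgsClientConfiguration
    [pscustomobject]@{
        Mode                = $cfg.Mode                   # Local or HostGuardianService
        AttestationServer   = $cfg.AttestationServerUrl
        KeyProtectionServer = $cfg.KeyProtectionServerUrl
        IsHostGuarded       = $cfg.IsHostGuarded
        AttestationStatus   = $cfg.AttestationStatus      # e.g. Passed, NotConfigured, Expired
    }
}

function Get-VmShieldingReport {
    # Get-VMSecurity exposes the per-VM security settings: virtual TPM, shielding,
    # and encryption of saved state and live-migration traffic.
    foreach ($vm in Get-VM) {
        $sec = Get-VMSecurity -VM $vm
        [pscustomobject]@{
            Name                       = $vm.Name
            Generation                 = $vm.Generation
            TpmEnabled                 = $sec.TpmEnabled
            Shielded                   = $sec.Shielded
            EncryptedStateAndMigration = $sec.EncryptStateAndVmMigrationTraffic
            # "Shielded VM" in the sense used above: gen 2 + vTPM + shielding on
            FullyShielded              = ($vm.Generation -eq 2 -and $sec.TpmEnabled -and $sec.Shielded)
        }
    }
}

Test-GuardedHost
Get-VmShieldingReport | Format-Table -AutoSize
```

A VM that shows TpmEnabled but not Shielded is the "encryption-supported" kind mentioned above: its disks are encrypted, but the fabric administrator can still change its protections.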
… Windows Server

Continuously auditing the activity in your network is one of the most critical security best practices, since it helps you notice potentially malicious activity early enough to take action and prevent data breaches, system downtime and compliance failures. Here are the top ways to audit activity in Windows Server 2016.

Event logs record the activity on a particular computer. When you configure auditing properly, almost all events that have security significance are logged. This makes event logs the first thing to look at during IT security … Configure the event log size to the maximum (4GB) … you can look at older event logs to find out exactly …

Event Log Forwarding

You should also move event logs off your computers regularly, because attackers often scrub event logs to escape detection. Windows Server’s event log forwarding feature enables you to automatically forward event logs from all your computers to a designated machine (the … an event subscription on the event collector computer without defining the source computers. Then you use Group Policy to control which source computers forward events to the event collector. … to create an event subscription that specifies the source …
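As an added example (not from the magazine), this PowerShell script sets up the source-initiated forwarding described above end to end: the collector side (Windows Event Collector service, a larger ForwardedEvents log, a subscription that names no source computers), the source side (the Subscription Manager value that the "Configure target Subscription Manager" Group Policy writes, WinRM, and read access to the Security log for the forwarder), and a final check that events are arriving. The collector host name, subscription name and log size are constructed placeholders.

```powershell
# Added example (not from the magazine). Collector host name, subscription name and
# log size are constructed placeholders; run each section elevated on the named role.

# --- On the collector --------------------------------------------------------------
wecutil qc /q                                     # start/configure the Windows Event Collector service
wevtutil sl ForwardedEvents /ms:4294967296        # 4 GB ForwardedEvents log, as large as the text recommends

$subscriptionXml = @"
<Subscription xmlns="http://schemas.microsoft.com/2004/06/wecutil">
  <SubscriptionId>Security-AllDomainComputers</SubscriptionId>
  <SubscriptionType>SourceInitiated</SubscriptionType>
  <Description>Security log from every domain-joined computer</Description>
  <Enabled>true</Enabled>
  <Uri>http://schemas.microsoft.com/wbem/wsman/1/windows/EventLog</Uri>
  <ConfigurationMode>MinLatency</ConfigurationMode>
  <Query><![CDATA[
    <QueryList>
      <Query Id="0" Path="Security">
        <Select Path="Security">*</Select>
      </Query>
    </QueryList>
  ]]></Query>
  <ReadExistingEvents>false</ReadExistingEvents>
  <TransportName>HTTP</TransportName>
  <ContentFormat>RenderedText</ContentFormat>
  <Locale Language="en-US"/>
  <LogFile>ForwardedEvents</LogFile>
  <!-- SDDL: Domain Computers (DC) and Domain Controllers (DD) may forward; no sources are listed here -->
  <AllowedSourceDomainComputers>O:NSG:NSD:(A;;GA;;;DC)(A;;GA;;;DD)</AllowedSourceDomainComputers>
</Subscription>
"@
$xmlPath = Join-Path $env:TEMP 'security-subscription.xml'
Set-Content -Path $xmlPath -Value $subscriptionXml -Encoding ASCII
wecutil cs $xmlPath                               # create the subscription from the file

# --- On each source computer (normally applied by Group Policy) --------------------
$collector = 'collector.example.local'            # constructed host name
$sm = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\EventLog\EventForwarding\SubscriptionManager'
New-Item -Path $sm -Force | Out-Null
# Same value the "Configure target Subscription Manager" policy writes
Set-ItemProperty -Path $sm -Name '1' -Value "Server=http://${collector}:5985/wsman/SubscriptionManager/WEC,Refresh=60"
winrm quickconfig -quiet                          # WinRM listener the forwarder uses
# The forwarder runs as NETWORK SERVICE, which needs read access to the Security log
Add-LocalGroupMember -Group 'Event Log Readers' -Member 'NT AUTHORITY\NETWORK SERVICE'
gpupdate /force

# --- Back on the collector: confirm which machines are reporting --------------------
function Get-ForwardedEventSummary {
    Get-WinEvent -LogName ForwardedEvents -MaxEvents 500 -ErrorAction SilentlyContinue |
        Group-Object MachineName, Id |
        Sort-Object Count -Descending |
        Select-Object Count, Name
}
Get-ForwardedEventSummary
```

Because the subscription lists no sources, adding or removing a computer from forwarding is purely a Group Policy scoping decision on the source side, which is the point the text makes.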
Auditing and Advanced Auditing

Auditing policies enable you to record a variety of activities to the Windows security log. You then can examine these auditing logs to identify issues that need further investigation. Auditing successful activities provides documentation of changes so you can troubleshoot which changes led to a failure or a breach. Logging failed attempts can spot malicious hackers or unauthorized users attempting to access enterprise resources.

Your auditing policy specifies the categories of security-related events that you want to audit. Here are the basic …
- Audit account logon events — Creates an event when …
- Audit account management — Audits events such as …
- Audit directory service access — Audits events that are specified in the system access control list, such as permissions.
- Audit logon events — Creates an event when a user logs on to a computer interactively (locally) or over the network (remotely).
- Audit object access — Audits access to objects such as files, folders, registry keys and printers that have their own SACLs.
- Audit policy change — Audits changes to user rights assignment policies, audit policies and trust policies.
… audit successful attempts, failed attempts or both. … security logs.

Advanced Audit Policy

Since Windows Server 2008 R2, administrators can audit more specific events using advanced audit policy settings in the following categories:
- Account Logon — These settings control auditing of the validation of credentials and other Kerberos-specific authentication and ticket operation events.
- Account Management — These policy settings are related to the modification of user accounts, computer accounts and groups, and the logging of password change events.
- … creation and termination events, and remote procedure … handle duplication and indirect object access.
- … to track access to AD, AD changes and replication.
- Object Access — These settings cover access to AD, the registry, applications and file storage.
- Policy Change — These settings control tracking of changes to policy settings.
- Privilege Use — These settings determine whether to audit privilege use attempts within the Windows environment.

By default, when an audit policy is implemented on a Windows-based computer, that computer automatically saves all events generated by the audit policy to its local … from servers running Windows Server to a centralized location in order to simplify security auditing and log analysis — Audit Collection Services (ACS). ACS is an agent-based utility that aggregates the logs into a Microsoft SQL Server database.

Windows PowerShell also offers a detailed script tracing feature that makes it possible to enable detailed tracking and analysis of the use of Windows PowerShell scripting on a system. If you enable detailed script tracing, Windows PowerShell logs all script blocks to the Event Tracing for Windows (ETW) event log in the “Microsoft-Windows-PowerShell/Operational” path. … PowerShell is disabled. You can enable it by setting the … visibility into what’s going on in your Windows Server …
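As an added example (not from the magazine), this PowerShell script turns the two preceding passages into a working configuration: it enables the advanced audit policy subcategories that correspond to the categories listed above with the built-in auditpol tool, makes the advanced settings override the legacy categories, enables PowerShell script block logging through the same registry value the Group Policy sets, and then reads event 4104 from the “Microsoft-Windows-PowerShell/Operational” log to surface script blocks worth a closer look. It assumes an elevated session on the server being audited; the subcategory selection, lookback window and search pattern are constructed choices.

```powershell
# Added example (not from the magazine). Runs elevated on the server being audited;
# the subcategory list, the lookback window and the search pattern are constructed choices.

$Subcategories = @(
    'Credential Validation', 'Kerberos Authentication Service', 'Kerberos Service Ticket Operations', # Account Logon
    'User Account Management', 'Security Group Management', 'Computer Account Management',           # Account Management
    'Process Creation',                                                                               # Detailed Tracking
    'Directory Service Access', 'Directory Service Changes',                                          # DS Access
    'Logon', 'Logoff', 'Special Logon',                                                                # Logon/Logoff
    'File System', 'Registry', 'Handle Manipulation',                                                  # Object Access
    'Audit Policy Change', 'Authentication Policy Change',                                             # Policy Change
    'Sensitive Privilege Use'                                                                          # Privilege Use
)

function Enable-AdvancedAuditPolicy {
    # auditpol.exe is the built-in tool for the advanced (subcategory) audit policy.
    foreach ($sub in $Subcategories) {
        auditpol /set /subcategory:"$sub" /success:enable /failure:enable | Out-Null
    }
    # Make the advanced settings override the nine legacy categories
    Set-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa' `
        -Name SCENoApplyLegacyAuditPolicy -Value 1 -Type DWord
    auditpol /get /category:*    # show the resulting policy
}

function Enable-ScriptBlockLogging {
    # Same value as the "Turn on PowerShell Script Block Logging" Group Policy
    $key = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\PowerShell\ScriptBlockLogging'
    New-Item -Path $key -Force | Out-Null
    Set-ItemProperty -Path $key -Name EnableScriptBlockLogging -Value 1 -Type DWord
}

function Get-SuspiciousScriptBlocks {
    # Event 4104 carries the script text in Properties[2]; the pattern picks out
    # download-and-execute style blocks so a reviewer can triage them.
    param([int]$Hours = 24,
          [string]$Pattern = 'DownloadString|FromBase64String|Invoke-Expression|-EncodedCommand')
    Get-WinEvent -FilterHashtable @{
        LogName   = 'Microsoft-Windows-PowerShell/Operational'
        Id        = 4104
        StartTime = (Get-Date).AddHours(-$Hours)
    } -ErrorAction SilentlyContinue |
    ForEach-Object {
        $text = [string]$_.Properties[2].Value
        if ($text -match $Pattern) {
            [pscustomobject]@{
                Time    = $_.TimeCreated
                User    = $_.UserId
                Snippet = $text.Substring(0, [math]::Min(160, $text.Length))
            }
        }
    }
}

Enable-AdvancedAuditPolicy
Enable-ScriptBlockLogging
Get-SuspiciousScriptBlocks | Format-Table -AutoSize -Wrap
```

Script block logging records the de-obfuscated code PowerShell actually compiles, which is why the 4104 text, not the command line, is the field worth matching on.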
Analyzing Security Dependencies … Model
Security Expert, IT consultant

Ensuring that systems are patched and that defense-in-depth security protections are working effectively top the list of concerns for IT departments. But despite these efforts, security breaches are still on the rise because operational issues are commonly ignored. … means groups like Domain Administrators, BUILT-IN\Administrators, and Enterprise Administrators should only be populated when an approved change is being applied to Active Directory. But the reality is that many organizations issue IT staff with accounts that are … other privileged AD groups.

In this blog post, we’ll talk about a tiered administration model which ESAE is based on to smarter restructure … organization.

But failing to grant privileges just before access is required, and for a limited time, isn’t the only mistake … which they use for everyday tasks like browsing the Internet and reading email, with domain admin rights, then the clean source principle has been broken because the security of users’ accounts relies on the security of the devices they log in to.

Compromised devices put the accounts of users that log … the aim of getting access to privileged Active Directory accounts. Once a hacker has access to a domain-joined device, credentials can be harvested to get access to …
“Hackers often target user workstations with the aim of getting access to privileged …”

Because security dependencies can endanger the … only to log in to domain controllers or devices that are configured to the same level of trust as domain controllers. To achieve this goal, set up PCs that are specially configured for the purposes of managing domain controllers. Jump servers also break the clean source principle because they are dependent on the security of the device from where remote desktop … If budgets are tight or you don’t want to deploy devices … option is to configure IT staffers’ PCs to the same level as your domain controllers and deploy guest virtual machines (VMs) on the PCs. The VMs can be used … perform everyday computing tasks. But deploying VMs for managing domain controllers breaks the clean source principle because the security of the VMs is dependent on the host.

According to the ESAE … As part of the Active Directory Enhanced Security Administrative Environment (ESAE) model or the so-called Red Forest in Active Directory, Microsoft recommends using tiered administration to create zones that separate administration of high-risk end-user devices and critical business systems. AD objects, … the highest level of trust, and tier 2 the lowest.

Domain administrator accounts, privileged AD groups, domain controllers, and domains that have direct or indirect administrative control of the AD forest, should be categorized as tier 0. These objects can manage assets across all three tiers but can only log in interactively to tier 0 assets, which again means that domain administrators should never log in interactively … host sensitive business data, and accounts used … objects. Tier 1 user accounts can access and manage tier 1 objects. Tier 1 user accounts can access tier 0 objects using the network logon type but cannot log in to tier 0 devices interactively. They can manage tier 1 and tier 2 objects but can only log in interactively to tier 1 devices.
[Figure: Privileged Access Management, Tier 0; Forest/Domain Admins, Admin Workstation, Domain Controllers; Same Tier Logon vs. Higher Tier Logon]

Organizations need to be much more stringent with how …
Tool of the Month: Netwrix Auditor

The free edition of Netwrix Auditor for Windows Server delivers visibility into what’s happening in your Windows-based server infrastructure. It tracks changes to your Windows Server configuration, such as the installation of software and hardware, and changes to services, network settings and scheduled tasks.

[Sample report screenshot: Added 1, Removed 1, Modified 1; Modified, Local Audit Policy, Local Audit Policies\Object Access\File System, ws1, 4/17/2017 4:37:32 AM, Failure audit disabled]
How-to for IT Pro

… export:

```powershell
# The beginning of this command (the cmdlet and the start of its -Filter argument)
# is missing from the extracted page; what survives is shown as printed.
…calAccount='True'" |
    Select PSComputername, Name, Status, Disabled, AccountType, Lockout, PasswordRequired,
    PasswordChangeable, SID | Export-Csv C:\data\local_users.csv -NoTypeInformation
```

3. Open the file produced by the script in MS Excel.
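As an added example (not from the magazine’s how-to), here is a complete version of that export. It assumes the cut-off cmdlet was a WMI/CIM query for Win32_UserAccount with -Filter "LocalAccount='True'" and uses Get-CimInstance, which returns the same PSComputerName, Name, Status, Disabled, AccountType, Lockout, PasswordRequired, PasswordChangeable and SID columns; the computer names and output path are constructed placeholders. It also returns the enabled accounts that need no password or cannot change it, which is what one would look for in the spreadsheet afterwards.

```powershell
# Added example (not from the magazine). Assumes the cut-off cmdlet was a CIM/WMI query
# for Win32_UserAccount; computer names and the output path are constructed placeholders.
function Export-LocalUsers {
    param(
        [string[]]$ComputerName = @($env:COMPUTERNAME),
        [string]$Path = 'C:\data\local_users.csv'
    )
    New-Item -ItemType Directory -Path (Split-Path $Path) -Force | Out-Null

    $users = foreach ($computer in $ComputerName) {
        try {
            Get-CimInstance -ClassName Win32_UserAccount -Filter "LocalAccount='True'" `
                -ComputerName $computer -ErrorAction Stop |
                Select-Object PSComputerName, Name, Status, Disabled, AccountType, Lockout,
                              PasswordRequired, PasswordChangeable, SID
        } catch {
            Write-Warning "Could not query ${computer}: $($_.Exception.Message)"
        }
    }

    $users | Export-Csv -Path $Path -NoTypeInformation

    # Enabled local accounts that need no password, or whose password cannot be
    # changed, are the rows worth a second look in the exported sheet
    $users | Where-Object { -not $_.Disabled -and (-not $_.PasswordRequired -or -not $_.PasswordChangeable) }
}

Export-LocalUsers -ComputerName 'ws1', 'srv1' | Format-Table -AutoSize
```

Remote queries go over WinRM; a computer that cannot be reached is reported with a warning rather than aborting the whole export.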
[Recorded Webinar]
- User right assignments
- Logon right changes
- Any attempt to logon as local Administrator
- Local account authentication policy changes
- Local group membership changes
- Firewall policy change
- New software installed
- Local user account changes
- New device attached

Corporate Headquarters: 300 Spectrum Center Drive, Suite 200, Irvine, CA 92618
Phone: 1-949-407-5125; Toll-free: 888-638-9749; EMEA: +44 (0) 203-318-02

Copyright © Netwrix Corporation. All rights reserved. Netwrix is a trademark of Netwrix Corporation and/or one or more of its subsidiaries and may be registered in the U.S. Patent and Trademark Office and in other countries. All other trademarks and registered trademarks are the property of their respective owners.