Presentation is loading. Please wait.

Presentation is loading. Please wait.

Hardening Active Directory Windows 2000/20003 Network Infrastructure Presented by: James Placer Senior Security Analyst, ISG.

Published byBrendon McLean Modified over 9 years ago

Similar presentations

Presentation on theme: "Hardening Active Directory Windows 2000/20003 Network Infrastructure Presented by: James Placer Senior Security Analyst, ISG."— Presentation transcript:

1 Hardening Active Directory Windows 2000/20003 Network Infrastructure Presented by: James Placer Senior Security Analyst, ISG

2 James Placer Over 17 years of IT and Security experience. Certifications: Cisco CCSP, CCDP, CCNP Checkpoint CCSE, NSA InfoSec 4011, Microsoft MCSE 2000 and is a contributing author to two Cisco certification books. Authored and contributed to numerous trade magazine articles in the security field.

3 Agenda Current State of Network Security Security Policy Development Security Application Architecture and Security Configuring AD Hardening Servers and Clients Questions

4 Cert Coordination Center Statistics

5 Threat Capabilities: More Dangerous & Easier To Use Sophistication of Hacker Tools Packet Forging/ Spoofing 19901980 Password Guessing Self Replicating Code Password Cracking Exploiting Known Vulnerabilities Disabling Audits Back Doors Sweepers Sniffers Stealth Diagnostics Technical Knowledge Required High Low 2000 DDOS Internet Worms

6 2002 FBI Security Survey Results 92% of surveyed companies were hacked in 2002 90% of surveyed companies have firewalls in place 82% of the companies hacked suffered financial losses totaling over $464 million 70% of hacks are internal

7 External Exploitation External Exploitation 75% Vulnerable (95+% Vulnerable Externally with Secondary Exploitation) 75% Vulnerable (95+% Vulnerable Externally with Secondary Exploitation) Internet Vulnerabilities to Network Attack 100% Vulnerable Internal Exploitation Internal Exploitation Dial-In Exploitation Dial-In Exploitation 65+% Vulnerable

8 Security Policy Development 70% of companies who reported that they were hacked also stated that they lacked a current security policy, and that the lack of a security policy was the primary contributor.

9 W5 WHAT do you need to protect? WHO needs access to it? WHY do they need access? From WHERE do they need access to it? WHEN do they need access?

10 State and Federal Statutes affecting Security Feingold / California Break Law - Expect federal statute in eight months Sarbanes Oxley Act Gramm Leach Bliley Act HIPAA FDA 21CFR11 ISO 17999

11 Security is a process not a Product or a Reaction!

12 Security Policy Application Appropriate Design and Architecture Appropriate Monitoring and Accountability Appropriate Change Management Appropriate Technology Appropriate User Awareness Training

13 Architecture Is Fundamental to Security Domain Controllers Authentication Servers Web Servers File and Print Servers Bastion Hosts, IAS servers, etc

14 Ultimate Architecture Goal One Service One System One Appropriately Secured System Practically speaking. May not be possible More Services lead to More Vulnerabilities

15 Architecture Steps Define Physical Architecture Define Server Roles Define Server Services Define Security Levels Required Define Physical Security Guidelines

16 Determine Appropriate Security Level

17 Windows Security Windows 2003 / 2000 is Common Criteria Certified Extreme levels of security are possible but compatibility and performance will be degraded Level of Hardening is a business decision based or business requirements.

18 Securing AD Organizational Unit Design Organizational Unit permissions Inheritance Server Security Network Security

19 Windows Policy Precedent

20 Define OU’s for all Functional Server Groups Include Administration and Infrastructure

21 Apply OU Policies 2003 ships with extensive default OU policies. Store on single Domain Controller Member Servers, Domain Controllers, File Servers, print Servers Infrastructure, IIS, Bastion, Etc

22 Secure User Groups Create appropriate User OU’s Apply default templates if appropriate Create Custom templates as needed Review Microsoft “Threats and Countermeasures Guide” for appropriate settings

23 Hardening Servers Windows 2003 / 2000 is Common Criteria Certified Extreme levels of security are possible but compatibility and performance will be degraded Level of Hardening is a business decision based or business requirements.

24 Hardening Servers Cont. Configurations beyond the default hardening settings in the MMC settings May involve third party products, ie IPS systems. Determine what level of service is acceptable.

25 Bastion Hosts Externally accessible Servers, IE Web, DNS High Attack Probability Must be Tightly Controlled

26 Bastion Hosts cont. DELETE, not disable, any extra services Use DEPENDS from the resource kit to determine dependencies Should be one service to one server Not published or integrated into AD, No internal access ideally.

27 Bastion Hosts cont. Rename all accounts Create dummy administrator account with no rights for logging USE EFS if possible Use IP security and log. Enable local logon only. Lock down further as appropriate. Scan for vulnerabilities regularly, ie.Languard, Nessus, NMAP

28 Internal Server Hardening Security rests on 6 items 1.Secure the system 2. Secure the database 3. Securing the replication 4. Securing normal access methods 5. Securing the objects 6. Audit Scan for changes. ie. Tripwire Scan for vulnerabilities regularly, ie.Languard, Nessus, NMAP, MCC

29 Internal Server Hardening cont. USE EFS WHERE POSSIBLE USE XCACLES and MCC Audit TO VERIFY FILE PERMISSIONS AND RIGHTS Use root forest controller as NTP server Use Ipsec filtering Tighten the system drive Audit the critical operations such as policy data and critical file access Block access to ports that can be used to access the AD if not required.

30 Internal Server Hardening cont. Install service packs and hotfixes Remove OS2 and Posix registry values Delete associated files Enable DNS scavenging and do it rigorously Clean up anonymous registry access Tighten the system drive Use NTLM v2 only for authentication Test and retest ( Tripwire for baseline, languard, nmap, nessus, MBSA, MCC).

31 Client Hardening Eliminate Win 9X from environment Use NTFS / EFS exclusively on hard drives Use NTLM v2 authentication only. Disable file and print sharing Do not allow local administrative rights! Pay attention to remote VPN clients! Scan network frequently Use internal client IPS if available

32 Tools and References NSA Server Security Guides http://nsa2.www.conxion.com/win2k/ Microsoft “Threats and Countermeasures Guide” “Windows Server 2003 Security Guide” “ Windows 2000 Common Criteria Guide” Windows 2000 / 2003 resource kit www.Nessus.org Vulnerability Scanner www.Nessus.org

33 Tools and References cont. www.Languard.com vulnerabiltiy and device scanner. NMAP Fport from Foundstone.com Tripwire. File integrity checker. Commercial but excellent product

34 Q&A Contact Information: Email: jplacer@goisg.com Phone: (616) 393 7250

Download ppt "Hardening Active Directory Windows 2000/20003 Network Infrastructure Presented by: James Placer Senior Security Analyst, ISG."

Similar presentations

Planning and Administering Windows Server® 2008 Servers

Planning and Administering Windows Server® 2008 Servers
Security Features in Microsoft® Windows® XP James Noyce, Senior Consultant Security Solutions Team, Business Critical Services Microsoft Security Solutions,

Security Features in Microsoft® Windows® XP James Noyce, Senior Consultant Security Solutions Team, Business Critical Services Microsoft Security Solutions,
File Server Organization and Best Practices IT Partners June, 02, 2010.

File Server Organization and Best Practices IT Partners June, 02, 2010.
Module 6: Configuring Windows XP Professional to Operate in a Microsoft Network.

Module 6: Configuring Windows XP Professional to Operate in a Microsoft Network.
Module 10: Troubleshooting Network Access. Overview Troubleshooting Network Access Resources Troubleshooting LAN Authentication Troubleshooting Remote.

Module 10: Troubleshooting Network Access. Overview Troubleshooting Network Access Resources Troubleshooting LAN Authentication Troubleshooting Remote.
1 Objectives Configure Network Access Services in Windows Server 2008 RADIUS 1.

1 Objectives Configure Network Access Services in Windows Server 2008 RADIUS 1.
1 Telstra in Confidence Managing Security for our Mobile Technology.

1 Telstra in Confidence Managing Security for our Mobile Technology.
70-293: MCSE Guide to Planning a Microsoft Windows Server 2003 Network, Enhanced Chapter 13: Planning Server and Network Security.

70-293: MCSE Guide to Planning a Microsoft Windows Server 2003 Network, Enhanced Chapter 13: Planning Server and Network Security.
Chapter 7 HARDENING SERVERS.

Chapter 7 HARDENING SERVERS.
Microsoft Security Resources. URL’s for this talk All URL’s mentioned in this talk can be found here: All URL’s mentioned in this talk can be found here:

Microsoft Security Resources. URL’s for this talk All URL’s mentioned in this talk can be found here: All URL’s mentioned in this talk can be found here:
Windows 2003 SP1 Member Server in ASU Active Directory WNUG/CCC February 2, 2006 Sharon Bushart CLAS Information Technology.

Windows 2003 SP1 Member Server in ASU Active Directory WNUG/CCC February 2, 2006 Sharon Bushart CLAS Information Technology.
Implementing Server Security on Windows 2000 and Windows Server 2003 Steve Lamb Technical Security Advisor

Implementing Server Security on Windows 2000 and Windows Server 2003 Steve Lamb Technical Security Advisor
Lesson 9-Securing a Network. Overview Identifying threats to the network security. Planning a secure network.

Lesson 9-Securing a Network. Overview Identifying threats to the network security. Planning a secure network.
100% Security “ The only system which is truly secure is one which is switched off and unplugged, locked in a titanium lined safe, buried in a concrete.

100% Security “ The only system which is truly secure is one which is switched off and unplugged, locked in a titanium lined safe, buried in a concrete.
Firewall 2 * Essential Network Security Book Slides. IT352 | Network Security |Najwa AlGhamdi 1.

Firewall 2 * Essential Network Security Book Slides. IT352 | Network Security |Najwa AlGhamdi 1.
Installing and Configuring a Secure Web Server COEN 351 David Papay.

Installing and Configuring a Secure Web Server COEN 351 David Papay.
Module 8: Implementing Administrative Templates and Audit Policy.

Module 8: Implementing Administrative Templates and Audit Policy.
70-291: MCSE Guide to Managing a Microsoft Windows Server 2003 Network Chapter 10: Remote Access.

70-291: MCSE Guide to Managing a Microsoft Windows Server 2003 Network Chapter 10: Remote Access.
Course 6421A Module 7: Installing, Configuring, and Troubleshooting the Network Policy Server Role Service Presentation: 60 minutes Lab: 60 minutes Module.

Course 6421A Module 7: Installing, Configuring, and Troubleshooting the Network Policy Server Role Service Presentation: 60 minutes Lab: 60 minutes Module.
Principles of Computer Security: CompTIA Security + ® and Beyond, Second Edition © 2010 Baselines Chapter 14.

Principles of Computer Security: CompTIA Security + ® and Beyond, Second Edition © 2010 Baselines Chapter 14.

Similar presentations

Ads by Google