Presentation is loading. Please wait.

Presentation is loading. Please wait.

{ Best Practice Why reinvent the wheel?.   Domain controllers   Member servers   Client computers   User accounts   Group accounts   OUs 

Similar presentations

Presentation on theme: "{ Best Practice Why reinvent the wheel?.   Domain controllers   Member servers   Client computers   User accounts   Group accounts   OUs "— Presentation transcript:

1 { Best Practice Why reinvent the wheel?

2   Domain controllers   Member servers   Client computers   User accounts   Group accounts   OUs   GPOs Quick AD overview

3  Most security gaps are unintentional  Estimated 97% can be fixed or avoided  Entry point  Only need one  Initial targets  Attractive accounts for credential theft Commonly Leveraged Vulnerabilities

4  In Active Directory  Accounts with elevated privileges  On Domain Controller (DC)  Consider it Critical Infrastructure  Operating systems  Inconsistency Misconfiguration

5  High privileged accounts are usually the targets  Not maintaining separate admin credentials  Logging into unsecure computers  Browsing the internet  Same credentials on all local machines  Improper management Activities Likely to Increase Compromise

6  Principal of least privilege  Users should have least privileges needed to complete the task.  Privileged accounts are dangerous accounts  Model privilege reduction in every area of the network Reduce AD Attack Surface

7  Larger the organization, the more complex, the more difficult to secure  Securing local administrator accounts  workstations  member servers  Securing local privileged accounts in AD  Built-in admin accounts  Audit changes to this account  Securing Administrator, Domain Admin and Enterprise Admin groups  Securing Domain Admins Group  Securing Administrators Groups Reducing Privileges

8  Grouping user based on daily tasks and access needs, ex:  Accounting  Marketing  Controls unnecessary privileges  Simplest implementation -> roles in AD DS  Commercial, off-the-shelf (COTF) available Role-Based Access Controls (RBAC)

9   Design, creation and implementation used to managed privileged accounts  Manually created or third-party software Privileged Identity/Account Management

10  Exponential growth in credential theft attacks due to widely available tools  Identify accounts most likely to be targeted  Do not use single factor authentication Robust Authentication Controls

11  Never administer a trusted system from an insecure host.  Do not rely on single authentication  Do not ignore physical security  Even if organization does not use smart cards consider using it for privileged accounts Secure Administrative Hosts

12  Same practices already discussed  Physical security  Limit RDP  Patch  Security configuration wizard  Microsoft Security Compliance Manager  Block Internet access on DC  Perimeter firewall restrictions  DC firewall Security DC Against Attack

13  Windows Audit Policy  Events to monitor  AD objects and attributes to monitor  Classify security events Signs of Compromise

14   “It is generally well-accepted that if an attacker has obtained SYSTEM, Administrator, root, or equivalent access to a computer, regardless of operating system, that computer can no longer be considered trustworthy, no matter how many efforts are made to “clean” the system. Active Directory is no different. “   Prevention is better than reaction Planning for Compromise

15 Best Practice Tactical or Strategic Preventative or Detective 1Patch applications.TacticalPreventative 2Patch operating systems.TacticalPreventative 3 Deploy and promptly update antivirus and antimalware software across all systems and monitor for attempts to remove or disable it. TacticalBoth 4 Monitor sensitive Active Directory objects for modification attempts and Windows for events that may indicate attempted compromise. TacticalDetective 5Protect and monitor accounts for users who have access to sensitive dataTacticalBoth 6Prevent powerful accounts from being used on unauthorized systems.TacticalPreventative 7Eliminate permanent membership in highly privileged groups.TacticalPreventative 8 Implement controls to grant temporary membership in privileged groups when needed. TacticalPreventative 9Implement secure administrative hosts.TacticalPreventative 10 Use application whitelisting on domain controllers, administrative hosts, and other sensitive systems. TacticalPreventative 11Identify critical assets, and prioritize their security and monitoring.TacticalBoth 12 Implement least-privilege, role-based access controls for administration of the directory, its supporting infrastructure, and domain-joined systems. StrategicPreventative 13Isolate legacy systems and applications.TacticalPreventative 14Decommission legacy systems and applications.StrategicPreventative 15Implement secure development lifecycle programs for custom applications.StrategicPreventative 16 Implement configuration management, review compliance regularly, and evaluate settings with each new hardware or software version. StrategicPreventative 17 Migrate critical assets to pristine forests with stringent security and monitoring requirements. StrategicBoth 18Simplify security for end users.StrategicPreventative 19Use host-based firewalls to control and secure communications.TacticalPreventative 20Patch devices.TacticalPreventative 21Implement business-centric lifecycle management for IT assets.StrategicN/A 22Create or update incident recovery plans.StrategicN/A

16   Best Practices for Securing Active Directory. (2013). 314.   Melber, D. (n.d.). The Administrator Shortcut Guide to Active Directory Security. Sources

Download ppt "{ Best Practice Why reinvent the wheel?.   Domain controllers   Member servers   Client computers   User accounts   Group accounts   OUs "

Similar presentations

Ads by Google