Best Practice: Why reinvent the wheel?

Presentation transcript:

Best Practice: Why reinvent the wheel?

Quick AD overview
- Domain controllers
- Member servers
- Client computers
- User accounts
- Group accounts
- OUs
- GPOs

Commonly Leveraged Vulnerabilities
- Most security gaps are unintentional
- An estimated 97% can be fixed or avoided
- Entry point
  - The attacker only needs one
- Initial targets
  - Attractive accounts for credential theft

Misconfiguration
- In Active Directory
  - Accounts with elevated privileges
- On Domain Controllers (DCs)
  - Consider them critical infrastructure
- Operating systems
  - Inconsistency

Activities Likely to Increase Compromise
- Highly privileged accounts are usually the targets
- Not maintaining separate admin credentials
- Logging into insecure computers
- Browsing the internet
- Same credentials on all local machines
- Improper management

Reduce AD Attack Surface
- Principle of least privilege: users should have the least privileges needed to complete the task
- Privileged accounts are dangerous accounts
- Model privilege reduction in every area of the network

Reducing Privileges
- The larger the organization, the more complex it is and the more difficult to secure
- Securing local administrator accounts
  - Workstations
  - Member servers
- Securing local privileged accounts in AD
  - Built-in admin accounts
  - Audit changes to these accounts
- Securing the Administrators, Domain Admins and Enterprise Admins groups
  - Securing the Domain Admins group
  - Securing the Administrators groups
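The slide's inventory of privileged groups and built-in admin accounts can be pulled from the directory in a few lines. The script below is an added example, not part of the presentation or of any Microsoft sample: it lists every user who is a direct or nested member of the groups the slide names, with the properties that make a permanent or stale membership stand out, and then reports on the built-in Administrator account, located by its well-known RID 500 so a rename does not hide it. It assumes the ActiveDirectory PowerShell module (RSAT) and read access to the domain.

```powershell
# Added example, not from the presentation: inventory the highly privileged
# groups the slide names and the built-in Administrator account (RID 500),
# so permanent memberships and a never-rotated admin password stand out.
# Assumes the ActiveDirectory module (RSAT) and domain read access.
Import-Module ActiveDirectory

$domain = Get-ADDomain
# RID 500 is always the built-in Administrator, whatever it has been renamed to.
$builtinAdminSid = "$($domain.DomainSID.Value)-500"

# Enterprise Admins and Schema Admins exist only in the forest root domain,
# so a failed lookup for them is expected in a child domain and is skipped.
$privilegedGroups = 'Administrators', 'Domain Admins', 'Enterprise Admins', 'Schema Admins'

$report = foreach ($groupName in $privilegedGroups) {
    $group = Get-ADGroup -Identity $groupName -ErrorAction SilentlyContinue
    if (-not $group) { continue }

    # -Recursive flattens nested groups so indirect members are not missed.
    $members = Get-ADGroupMember -Identity $group -Recursive |
        Where-Object { $_.objectClass -eq 'user' }

    foreach ($member in $members) {
        $user = Get-ADUser -Identity $member.distinguishedName `
            -Properties Enabled, PasswordLastSet, PasswordNeverExpires, LastLogonDate
        $pwdAge = if ($user.PasswordLastSet) {
            (New-TimeSpan -Start $user.PasswordLastSet -End (Get-Date)).Days
        } else { $null }

        [pscustomobject]@{
            Group                = $groupName
            Account              = $user.SamAccountName
            Enabled              = $user.Enabled
            PasswordAgeDays      = $pwdAge
            PasswordNeverExpires = $user.PasswordNeverExpires
            LastLogon            = $user.LastLogonDate
        }
    }
}

# Every row is a permanent membership, which the deck wants reduced to a minimum.
$report | Sort-Object Group, Account | Format-Table -AutoSize

# Built-in Administrator: the slide says to secure it and audit changes to it.
$admin = Get-ADUser -Identity $builtinAdminSid `
    -Properties Enabled, PasswordLastSet, LastLogonDate, whenChanged
$adminPwdAge = if ($admin.PasswordLastSet) {
    (New-TimeSpan -Start $admin.PasswordLastSet -End (Get-Date)).Days
} else { $null }

[pscustomobject]@{
    Account         = $admin.SamAccountName   # current name; the SID is what identifies it
    Enabled         = $admin.Enabled
    PasswordAgeDays = $adminPwdAge
    LastLogon       = $admin.LastLogonDate
    LastChanged     = $admin.whenChanged
} | Format-List
```

Run it from a workstation with RSAT as an ordinary domain user; it only reads. Rows with PasswordNeverExpires set, or a LastLogon months old, are the ones to question first, and any membership that cannot be justified is a candidate for removal under the "eliminate permanent membership" practice later in the deck.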

Role-Based Access Controls (RBAC)
- Group users based on daily tasks and access needs, e.g. Accounting, Marketing
- Controls unnecessary privileges
- Simplest implementation: roles in AD DS
- Commercial off-the-shelf (COTS) products available

Privileged Identity/Account Management
- Design, creation and implementation used to manage privileged accounts
- Manually created or third-party software

Robust Authentication Controls
- Exponential growth in credential theft attacks due to widely available tools
- Identify accounts most likely to be targeted
- Do not use single-factor authentication

Secure Administrative Hosts
- Never administer a trusted system from an insecure host
- Do not rely on a single authentication factor
- Do not ignore physical security
- Even if the organization does not use smart cards, consider using them for privileged accounts

Securing DCs Against Attack
- Same practices already discussed
- Physical security
- Limit RDP
- Patch
- Security Configuration Wizard
- Microsoft Security Compliance Manager
- Block Internet access on DCs
- Perimeter firewall restrictions
- DC firewall
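Two of the slide's items, limiting RDP and blocking Internet access from the DC, map directly onto the DC firewall. The script below is an added example, not part of the presentation: it shows the weak default scope of the Remote Desktop rules, narrows them to the administrative hosts, and adds an outbound block for web traffic from the DC itself. The address range in $AdminHosts is a constructed placeholder; substitute the addresses of your secure administrative hosts. It assumes the NetSecurity cmdlets that ship with Windows Server 2012 and later and an elevated prompt on the DC.

```powershell
# Added example, not from the presentation: apply the "Limit RDP" and
# "Block Internet access on DCs" items with the Windows Firewall cmdlets.
# Run elevated on the domain controller. Assumes the built-in NetSecurity module.

# Constructed placeholder: the subnet of the secure administrative hosts.
$AdminHosts = '10.0.10.0/24'

# Weak default: the Remote Desktop rule group accepts connections from any address.
Write-Host 'Current RDP remote-address scope:'
Get-NetFirewallRule -DisplayGroup 'Remote Desktop' |
    Get-NetFirewallAddressFilter |
    Select-Object -ExpandProperty RemoteAddress      # typically 'Any'

# Corrected: keep the same rules but scope them to the administrative hosts only,
# which is the "never administer a trusted system from an insecure host" principle
# enforced at the network layer.
Get-NetFirewallRule -DisplayGroup 'Remote Desktop' |
    Set-NetFirewallRule -RemoteAddress $AdminHosts -Enabled True

# Block Internet access from the DC: no outbound HTTP/HTTPS from the DC itself.
# Block rules win over allow rules in Windows Firewall, so if an internal proxy
# or update server on these ports must stay reachable, scope this rule with
# -RemoteAddress to the Internet-facing ranges instead of leaving it unscoped.
New-NetFirewallRule -DisplayName 'DC: block outbound web' `
    -Direction Outbound -Protocol TCP -RemotePort 80, 443 `
    -Action Block -Profile Domain

# Verify both changes.
Get-NetFirewallRule -DisplayGroup 'Remote Desktop' |
    Get-NetFirewallAddressFilter |
    Select-Object -ExpandProperty RemoteAddress      # now the admin subnet
Get-NetFirewallRule -DisplayName 'DC: block outbound web' |
    Get-NetFirewallPortFilter
```

Apply the same settings through a GPO linked to the Domain Controllers OU once they have been tested on one DC, so every DC gets them and a local change is reverted at the next policy refresh.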

Signs of Compromise
- Windows Audit Policy
- Events to monitor
- AD objects and attributes to monitor
- Classify security events
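The four bullets above are a procedure: enable the audit policy, choose events, watch the sensitive objects, classify what comes back. The script below is an added example, not part of the presentation, that walks through it for one case, membership changes to privileged groups. It enables the audit subcategories that generate those events, reads the last 24 hours of them from the Security log, and classifies each as critical or informational depending on whether the target group is one of the highly privileged groups named earlier in the deck. It assumes an elevated prompt on a domain controller; the event IDs 4728, 4732 and 4756 are the standard Windows "member added to security-enabled group" events.

```powershell
# Added example, not from the presentation: enable the audit subcategories
# that log group-membership changes, pull those events, and classify them.
# Assumes it runs elevated on a domain controller.

# 1. Windows Audit Policy: Security Group Management produces 4728/4732/4756,
#    User Account Management produces account creation and enable/disable events.
auditpol /set /subcategory:"Security Group Management" /success:enable /failure:enable
auditpol /set /subcategory:"User Account Management"   /success:enable /failure:enable

# 2. Events to monitor: member added to a global / domain-local / universal security group.
$eventIds = 4728, 4732, 4756

# 3. AD objects to monitor: the groups the deck treats as highly privileged.
$highValueGroups = 'Administrators', 'Domain Admins', 'Enterprise Admins', 'Schema Admins'

$events = Get-WinEvent -FilterHashtable @{
    LogName   = 'Security'
    Id        = $eventIds
    StartTime = (Get-Date).AddHours(-24)
} -ErrorAction SilentlyContinue

# Pull a named field out of the event's EventData, which is more robust than
# relying on the positional order of $event.Properties.
function Get-EventField {
    param($Event, [string]$Name)
    $xml = [xml]$Event.ToXml()
    ($xml.Event.EventData.Data | Where-Object { $_.Name -eq $Name }).'#text'
}

# 4. Classify security events: a change to a highly privileged group is critical,
#    any other group change is recorded as informational.
$findings = foreach ($e in $events) {
    $group  = Get-EventField -Event $e -Name 'TargetUserName'
    $member = Get-EventField -Event $e -Name 'MemberName'      # DN of the added account
    $actor  = Get-EventField -Event $e -Name 'SubjectUserName' # who made the change
    $severity = if ($highValueGroups -contains $group) { 'CRITICAL' } else { 'Info' }

    [pscustomobject]@{
        Time     = $e.TimeCreated
        EventId  = $e.Id
        Severity = $severity
        Group    = $group
        Member   = $member
        By       = $actor
    }
}

$findings | Sort-Object Severity, Time | Format-Table -AutoSize
```

Forward the same events to a central collector rather than reading them on each DC; a 24-hour window read locally is enough to validate the audit policy but not to detect a change an attacker then removes from the local log.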

Planning for Compromise
- "It is generally well-accepted that if an attacker has obtained SYSTEM, Administrator, root, or equivalent access to a computer, regardless of operating system, that computer can no longer be considered trustworthy, no matter how many efforts are made to 'clean' the system. Active Directory is no different."
- Prevention is better than reaction

| # | Best Practice | Tactical or Strategic | Preventative or Detective |
|---|---------------|-----------------------|---------------------------|
| 1 | Patch applications. | Tactical | Preventative |
| 2 | Patch operating systems. | Tactical | Preventative |
| 3 | Deploy and promptly update antivirus and antimalware software across all systems and monitor for attempts to remove or disable it. | Tactical | Both |
| 4 | Monitor sensitive Active Directory objects for modification attempts and Windows for events that may indicate attempted compromise. | Tactical | Detective |
| 5 | Protect and monitor accounts for users who have access to sensitive data. | Tactical | Both |
| 6 | Prevent powerful accounts from being used on unauthorized systems. | Tactical | Preventative |
| 7 | Eliminate permanent membership in highly privileged groups. | Tactical | Preventative |
| 8 | Implement controls to grant temporary membership in privileged groups when needed. | Tactical | Preventative |
| 9 | Implement secure administrative hosts. | Tactical | Preventative |
| 10 | Use application whitelisting on domain controllers, administrative hosts, and other sensitive systems. | Tactical | Preventative |
| 11 | Identify critical assets, and prioritize their security and monitoring. | Tactical | Both |
| 12 | Implement least-privilege, role-based access controls for administration of the directory, its supporting infrastructure, and domain-joined systems. | Strategic | Preventative |
| 13 | Isolate legacy systems and applications. | Tactical | Preventative |
| 14 | Decommission legacy systems and applications. | Strategic | Preventative |
| 15 | Implement secure development lifecycle programs for custom applications. | Strategic | Preventative |
| 16 | Implement configuration management, review compliance regularly, and evaluate settings with each new hardware or software version. | Strategic | Preventative |
| 17 | Migrate critical assets to pristine forests with stringent security and monitoring requirements. | Strategic | Both |
| 18 | Simplify security for end users. | Strategic | Preventative |
| 19 | Use host-based firewalls to control and secure communications. | Tactical | Preventative |
| 20 | Patch devices. | Tactical | Preventative |
| 21 | Implement business-centric lifecycle management for IT assets. | Strategic | N/A |
| 22 | Create or update incident recovery plans. | Strategic | N/A |

Sources
- Microsoft. (2013). Best Practices for Securing Active Directory.
- Melber, D. (n.d.). The Administrator Shortcut Guide to Active Directory Security.