1. Ing. Ondřej Ševeček MCSM:Directory | MVP:Enterprise Security | Certified Ethical Hacker | MCSE:SharePoint ondrej@sevecek.com | www.sevecek.com Passwords everywhere aka why use smart cards instead

2. Agenda  Why are workstations doomed  Why not type strong accounts' passwords on insecure computers  Why use separate administrative accounts and thus limit attack surface  Why use smart cards instead of passwords wherever possible

3. Separate administrators (basic physical security principle) PC ForestA DomainB DC SRV ForestA DomainA DC1 SRV NTB ForestA DomainA DC2

4. Separate administrators (better physical security principle) PC open- space ForestA DomainB DC ForestA DomainA DC1 SRV in datacente r NTB no BitLocker ForestA DomainA DC2 PC in-office SRV in branche1 SRV in branche2 NTB with BitLocker

5. NTB no BitLocker NTB with BitLocker Separate administrators (server role principle) PC open- space ForestA DomainB DC ForestA DomainA DC1 SRV FS ForestA DomainA DC2 PC in-office SRV SQL SRV Web SRV Share Point SRV Exchange SRV RDP SRV Remote Access

6. Symantec Backup SQL Share Point Farm Intranet Share Point Farm Intranet Separate administrators (application principle) ForestA DomainB DC ForestA DomainA DC1 ForestA DomainA DC2 DPM Backup SQL Share Point Farm Intranet SRV Exchange SQL Share Point Farm Intranet Share Point Farm Intranet DPM Backup SQL Share Point Farm Extranet RDP farm AD FS NPS RADIUS RDP Gateway SRV FS

7. Kurzy Počítačové školy Gopas na www.gopas.cz GOC169 - Auditing ISO/IEC 2700x GOC170 - AD Monitoring with SCOM and ACS GOC171 - Active Directory Troubleshooting GOC172 - Kerberos Troubleshooting GOC173 - Enterprise PKI GOC174 - SharePoint Architecture and Troubleshooting GOC175 - Advanced Security Získejte tričko TechEd 2014 za vyplněný hodnotící dotazník. Počítačová škola Gopas – Vaše IT škola života