Best Practice - Southern Oregon University


Best Practice
- Why reinvent the wheel?

Quick AD overview
- Domain controllers
- Member servers
- Client computers
- User accounts
- Group accounts
- OUs
- GPOs

Commonly Leveraged Vulnerabilities
- Most security gaps are unintentional
- An estimated 97% of breaches could have been avoided or fixed with simple or intermediate controls
- Entry point: the attacker only needs one
- Initial targets: accounts that are attractive for credential theft

In Active Directory
- Accounts with elevated privileges
- Inconsistency
- Misconfiguration

On the Domain Controller (DC)
- Consider it critical infrastructure
- Operating systems (patch level and supported versions)

Activities Likely to Increase Compromise
- High-privileged accounts are usually the targets
- Not maintaining separate admin credentials
- Logging in to insecure computers with privileged credentials
- Browsing the Internet while logged in with privileged credentials
- Same local administrator credentials on all machines
- Improper management

Reduce AD Attack Surface
- Principle of least privilege
  - Users should have the least privileges needed to complete the task
  - Privileged accounts are dangerous accounts
- Model privilege reduction in every area of the network


Reducing Privileges
- The larger the organization, the more complex it is and the more difficult it is to secure
- Securing local administrator accounts
  - Workstations
  - Member servers
  - Built-in Administrator accounts
  - Audit changes to these accounts
  - Give each machine a unique local administrator password (Microsoft LAPS does this) so one stolen hash does not open every host
- Securing local privileged accounts in AD
- Securing the Administrators, Domain Admins and Enterprise Admins groups
  - Securing the Domain Admins group
  - Securing the Administrators groups
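The following PowerShell report is an added example, not part of the original slides or of the cited Microsoft guidance. It enumerates the effective (nested) membership of the groups named above and flags the conditions the deck warns about. It assumes the ActiveDirectory RSAT module on an administrative host and a domain at the Windows Server 2012 R2 functional level or later (for the Protected Users group); the 90-day staleness threshold is also an assumption.

```powershell
# Added example, not from the slides or the cited guidance: report the
# effective (nested) membership of the highest-privilege groups and flag the
# conditions the deck warns about. Assumes the ActiveDirectory RSAT module
# on an administrative host; the 90-day staleness threshold is an assumption.
Import-Module ActiveDirectory

# Groups named on the slide, plus Schema Admins, which is equally powerful.
$PrivilegedGroups = 'Administrators', 'Domain Admins', 'Enterprise Admins', 'Schema Admins'
$StaleDays        = 90

function Get-PrivilegedMemberReport {
    param(
        [string[]]$Groups = $PrivilegedGroups,
        [int]$StaleAfterDays = $StaleDays
    )
    # Protected Users exists from the 2012 R2 domain functional level onward.
    $protectedUsersDn = (Get-ADGroup -Identity 'Protected Users').DistinguishedName
    $staleBefore      = (Get-Date).AddDays(-$StaleAfterDays)

    foreach ($groupName in $Groups) {
        # Enterprise Admins and Schema Admins exist only in the forest root domain.
        $group = Get-ADGroup -Identity $groupName -ErrorAction SilentlyContinue
        if (-not $group) { continue }

        # -Recursive expands nested groups to leaf objects: the view an attacker sees.
        foreach ($m in Get-ADGroupMember -Identity $group -Recursive) {
            $findings = [System.Collections.Generic.List[string]]::new()

            if ($m.objectClass -ne 'user') {
                # Computers, managed service accounts or foreign principals in an
                # admin group are findings in their own right.
                $findings.Add("non-user object ($($m.objectClass))")
                [pscustomobject]@{ Group = $groupName; Member = $m.SamAccountName; LastLogon = $null; Findings = $findings -join '; ' }
                continue
            }

            $u = Get-ADUser -Identity $m.DistinguishedName -Properties Enabled, LastLogonDate, PasswordNeverExpires, SmartcardLogonRequired, MemberOf

            if (-not $u.Enabled)                { $findings.Add('disabled but still a member') }
            if ($u.PasswordNeverExpires)        { $findings.Add('password never expires') }
            if (-not $u.SmartcardLogonRequired) { $findings.Add('smart card not required') }
            if ($u.MemberOf -notcontains $protectedUsersDn) { $findings.Add('not in Protected Users') }
            if ($u.Enabled -and (-not $u.LastLogonDate -or $u.LastLogonDate -lt $staleBefore)) {
                $findings.Add("no logon in $StaleAfterDays days")
            }
            # A clean account is still a permanent member, which item 7 of the
            # best-practice table says should not exist; it needs a justification.
            $text = if ($findings.Count) { $findings -join '; ' } else { 'permanent member: justify or remove' }

            [pscustomobject]@{ Group = $groupName; Member = $u.SamAccountName; LastLogon = $u.LastLogonDate; Findings = $text }
        }
    }
}

# Usage: every row is something to remove, time-limit or document.
Get-PrivilegedMemberReport | Sort-Object Group, Member | Format-Table -AutoSize
```

Get-ADGroupMember -Recursive stops at the default query limit on very large groups and returns foreign security principals without a SamAccountName; both show up as rows to investigate rather than being silently skipped.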

Role-Based Access Controls (RBAC)
- Group users based on daily tasks and access needs, e.g.:
  - Accounting
  - Marketing
- Controls unnecessary privileges
- Simplest implementation: roles as groups in AD DS
- Commercial, off-the-shelf (COTS) products are available


Privileged Identity/Account Management
- Design, creation and implementation of the processes used to manage privileged accounts
- Manually created or third-party software
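The built-in way to do privileged account management without third-party software is time-limited group membership, which is what table items 7 and 8 below ask for. The script is an added example, not from the slides: it uses the Privileged Access Management optional feature of Windows Server 2016 or later forests. The user, group and log path are placeholders.

```powershell
# Added example, not from the slides. Time-limited elevation into a
# privileged group using the Privileged Access Management optional feature
# (Windows Server 2016 forest functional level or later). User, group and
# log path are placeholders.
Import-Module ActiveDirectory

function Enable-PamFeature {
    # One-way, forest-wide switch: once enabled it cannot be turned off, so check first.
    $pam = Get-ADOptionalFeature -Identity 'Privileged Access Management Feature'
    if ($pam.EnabledScopes.Count -eq 0) {
        Enable-ADOptionalFeature -Identity $pam -Scope ForestOrConfigurationSet `
            -Target (Get-ADForest).Name -Confirm:$false
    }
}

function Grant-TemporaryMembership {
    param(
        [Parameter(Mandatory)][string]$User,
        [Parameter(Mandatory)][string]$Group,
        [timespan]$Duration = (New-TimeSpan -Hours 2),
        [Parameter(Mandatory)][string]$Justification,
        [string]$LogPath = 'C:\Admin\jit-grants.log'   # assumption
    )
    # The membership link carries a TTL and the DC removes it when the TTL
    # expires, so there is no cleanup job to forget. Kerberos tickets issued
    # while the link is active are capped to the remaining TTL as well.
    Add-ADGroupMember -Identity $Group -Members $User -MemberTimeToLive $Duration

    # Keep a business record beside the technical one (events 4728/4756 on the DC).
    "$(Get-Date -Format o) $env:USERNAME granted $User -> '$Group' for $Duration : $Justification" |
        Add-Content -Path $LogPath
}

function Get-MembershipTtl {
    param([Parameter(Mandatory)][string]$Group)
    # With -ShowMemberTimeToLive, timed links come back as '<TTL=seconds>,<DN>'.
    (Get-ADGroup -Identity $Group -Properties member -ShowMemberTimeToLive).member |
        ForEach-Object {
            if ($_ -match '^<TTL=(\d+)>,(.+)$') {
                [pscustomobject]@{ Member = $matches[2]; SecondsLeft = [int]$matches[1]; Permanent = $false }
            } else {
                [pscustomobject]@{ Member = $_; SecondsLeft = $null; Permanent = $true }
            }
        }
}

# Usage (placeholders): elevate for one change window, then list whatever is
# still a permanent member; the goal is an empty list.
Enable-PamFeature
Grant-TemporaryMembership -User 'jdoe-adm' -Group 'Domain Admins' `
    -Duration (New-TimeSpan -Hours 1) -Justification 'CHG-1234 DC patching'
Get-MembershipTtl -Group 'Domain Admins' | Where-Object Permanent | Format-Table -AutoSize
```

The grant itself needs the right to modify the group, so this script runs from an account that is itself carefully controlled; the point is that the day-to-day admin account is not a standing member.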



Robust Authentication Controls
- Exponential growth in credential theft attacks due to widely available tools
- Identify the accounts most likely to be targeted
- Do not use single-factor authentication for them




Secure Administrative Hosts
- Never administer a trusted system from an insecure host
- Do not rely on a single authentication factor
- Do not ignore physical security
- Even if the organization does not use smart cards, consider requiring them for privileged accounts
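The two slides above (robust authentication and secure administrative hosts) translate into a handful of account attributes. The script is an added example, not from the slides: it applies them to one privileged account and reports whether they stuck. The account and workstation names are placeholders.

```powershell
# Added example, not from the slides. Enforces strong authentication and
# use-from-secure-hosts-only on a privileged account. Host and account names
# are placeholders; assumes the ActiveDirectory RSAT module.
Import-Module ActiveDirectory

$AdminHosts = 'PAW01', 'PAW02'   # assumption: the dedicated secure administrative workstations

function Protect-PrivilegedAccount {
    param(
        [Parameter(Mandatory)][string]$SamAccountName,
        [string[]]$AllowedWorkstations = $AdminHosts
    )
    # SmartcardLogonRequired: password logon is refused and the DC replaces the
    # stored hash with a random one. AccountNotDelegated ("account is sensitive
    # and cannot be delegated") stops Kerberos delegation of this identity.
    # LogonWorkstations limits interactive logon to the listed NetBIOS names
    # (comma-separated, 64 entries max); it does not limit network logons.
    Set-ADUser -Identity $SamAccountName `
        -SmartcardLogonRequired $true `
        -AccountNotDelegated $true `
        -LogonWorkstations ($AllowedWorkstations -join ',')

    # Protected Users (2012 R2+): no NTLM, Digest or CredSSP; Kerberos without
    # DES/RC4; no delegation; no cached credentials; 4-hour TGT lifetime.
    # Only for human admin accounts, never for service or computer accounts,
    # and anything that still relies on NTLM to reach them will break.
    Add-ADGroupMember -Identity 'Protected Users' -Members $SamAccountName
}

function Test-PrivilegedAccount {
    param([Parameter(Mandatory)][string]$SamAccountName)
    $u = Get-ADUser -Identity $SamAccountName -Properties SmartcardLogonRequired, AccountNotDelegated, LogonWorkstations, MemberOf
    $inProtected = $u.MemberOf -contains (Get-ADGroup -Identity 'Protected Users').DistinguishedName
    [pscustomobject]@{
        Account           = $u.SamAccountName
        SmartCard         = $u.SmartcardLogonRequired
        NotDelegated      = $u.AccountNotDelegated
        LogonWorkstations = $u.LogonWorkstations
        ProtectedUsers    = $inProtected
        Compliant         = ($u.SmartcardLogonRequired -and $u.AccountNotDelegated -and $inProtected -and [bool]$u.LogonWorkstations)
    }
}

# Usage (placeholder account): harden, then verify.
Protect-PrivilegedAccount -SamAccountName 'jdoe-adm'
Test-PrivilegedAccount    -SamAccountName 'jdoe-adm'
```

Apply this to a test account first: the Protected Users restrictions in particular surface every place an administrative tool still authenticates with NTLM.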

Securing DCs Against Attack
- Same practices already discussed
- Physical security
- Limit RDP
- Patch
- Security Configuration Wizard (removed in Windows Server 2016; use security baselines instead)
- Microsoft Security Compliance Manager (superseded by the Microsoft Security Compliance Toolkit)
- Block Internet access on DCs
- Perimeter firewall restrictions
- DC host firewall
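"Limit RDP", "Block Internet access on DCs" and "DC host firewall" are three firewall rules. The script is an added example, not from the slides; the address ranges are placeholders, and it assumes it runs on the DC itself (the same rules can be carried in a GPO linked to the Domain Controllers OU).

```powershell
# Added example, not from the slides: host firewall policy for a domain
# controller. Address ranges are placeholders. Run on each DC, or carry the
# same rules in a GPO linked to the Domain Controllers OU.
$AdminHostNet = '10.10.50.0/24'                 # assumption: secure administrative host subnet
$InternalNets = '10.0.0.0/8', '172.16.0.0/12'   # assumption: corporate ranges (other DCs, DNS, WSUS, SIEM)

function Add-FirewallRuleOnce {
    # New-NetFirewallRule happily creates duplicates; keep the policy idempotent.
    param([string]$Name, [hashtable]$Rule)
    if (-not (Get-NetFirewallRule -DisplayName $Name -ErrorAction SilentlyContinue)) {
        New-NetFirewallRule -DisplayName $Name @Rule | Out-Null
    }
}

function Set-DcFirewallPolicy {
    param([string]$AdminHosts = $AdminHostNet, [string[]]$Internal = $InternalNets)

    # Limit RDP: disable the broad built-in "Remote Desktop" allow rules and
    # permit TCP 3389 only from the secure administrative hosts.
    Get-NetFirewallRule -DisplayGroup 'Remote Desktop' -ErrorAction SilentlyContinue | Disable-NetFirewallRule
    Add-FirewallRuleOnce 'DC: RDP from secure admin hosts only' @{
        Direction = 'Inbound'; Protocol = 'TCP'; LocalPort = 3389
        RemoteAddress = $AdminHosts; Action = 'Allow'; Profile = 'Domain'
    }

    # Block Internet access: outbound becomes default-deny, with one allow rule
    # for internal ranges so replication, DNS, WSUS and log forwarding keep
    # working. Inbound AD service rules are untouched. If the PDC emulator
    # syncs time from an external NTP source it needs its own outbound UDP/123 rule.
    Set-NetFirewallProfile -Profile Domain, Private, Public -DefaultOutboundAction Block
    Add-FirewallRuleOnce 'DC: outbound to internal networks' @{
        Direction = 'Outbound'; RemoteAddress = $Internal; Action = 'Allow'
    }
}

function Test-DcFirewallPolicy {
    # Returns the facts an auditor would check instead of printing them.
    $rdp = Get-NetFirewallRule -DisplayName 'DC: RDP from secure admin hosts only' -ErrorAction SilentlyContinue
    [pscustomobject]@{
        OutboundDefaultBlock = ((Get-NetFirewallProfile -Profile Domain).DefaultOutboundAction -eq 'Block')
        RdpRestricted        = ([bool]$rdp -and (($rdp | Get-NetFirewallAddressFilter).RemoteAddress -ne 'Any'))
        BuiltInRdpDisabled   = -not (Get-NetFirewallRule -DisplayGroup 'Remote Desktop' -ErrorAction SilentlyContinue | Where-Object Enabled -eq 'True')
    }
}

Set-DcFirewallPolicy
Test-DcFirewallPolicy
```

Stage this on one DC first and confirm replication and DNS still work before rolling it out; a Group Policy that manages firewall settings will also override anything set locally here.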




Signs of Compromise
- Windows audit policy
- Events to monitor
- AD objects and attributes to monitor
- Classify security events
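The four bullets above, as an added example that is not from the slides: enable the audit subcategories that produce the relevant events, collect them from the Security log, and classify them. It assumes it runs on a domain controller (group and account management events are written there); the group list, event set and severity ranking are illustrative assumptions.

```powershell
# Added example, not from the slides: audit policy for the events that reveal
# privilege abuse, plus a collector that classifies them. Run on a domain
# controller. Group list, event set and severity ranking are assumptions.

# Audit subcategories that feed the event IDs watched below.
$Subcategories = @(
    'Security Group Management'   # 4728/4732/4756: member added to global/local/universal group
    'User Account Management'     # 4720 created, 4724 password reset, 4738 changed
    'Directory Service Changes'   # 5136: AD object modified; also needs a SACL on the object
    'Special Logon'               # 4672: admin-equivalent privileges assigned at logon
    'Logon'                       # 4624/4625: high volume, forward to a SIEM rather than read by hand
)
function Set-PrivilegeAuditPolicy {
    foreach ($s in $Subcategories) {
        auditpol /set /subcategory:"$s" /success:enable /failure:enable | Out-Null
    }
}

$Watched = @{
    4728 = 'member added to global group'
    4732 = 'member added to local group'
    4756 = 'member added to universal group'
    4720 = 'user account created'
    4724 = 'password reset by another account'
    4672 = 'special privileges assigned at logon'
}
$CriticalGroups = 'Domain Admins', 'Enterprise Admins', 'Schema Admins', 'Administrators'
$GroupAddIds    = 4728, 4732, 4756
$Rank           = @{ Critical = 0; High = 1; Medium = 2; Review = 3; Info = 4 }

function Get-PrivilegeEvent {
    param([datetime]$Since = (Get-Date).AddHours(-24))
    $filter = @{ LogName = 'Security'; Id = [int[]]$Watched.Keys; StartTime = $Since }
    foreach ($e in Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue) {
        # Read EventData fields by name; positional Properties[] indexes differ per event ID.
        $data = @{}
        foreach ($d in ([xml]$e.ToXml()).Event.EventData.Data) {
            if ($d.Name) { $data[$d.Name] = $d.'#text' }
        }
        $subject = $data['SubjectUserName']
        $target  = $data['TargetUserName']

        # Machine accounts end in '$'; 4672 for them and for SYSTEM is routine.
        $severity = if ($e.Id -in $GroupAddIds -and $target -in $CriticalGroups) { 'Critical' }
                    elseif ($e.Id -in $GroupAddIds) { 'High' }
                    elseif ($e.Id -in @(4720, 4724)) { 'Medium' }
                    elseif ($e.Id -eq 4672 -and $subject -ne 'SYSTEM' -and $subject -notlike '*$') { 'Review' }
                    else { 'Info' }

        [pscustomobject]@{
            Time     = $e.TimeCreated
            Id       = $e.Id
            What     = $Watched[$e.Id]
            Subject  = $subject                 # who performed the action
            Target   = $target                  # group or account acted on
            Member   = $data['MemberName']      # DN of the added member (group events only)
            Severity = $severity
        }
    }
}

# Usage: enable auditing once, then review the last 24 hours, worst first.
Set-PrivilegeAuditPolicy
Get-PrivilegeEvent | Sort-Object { $Rank[$_.Severity] }, Time | Format-Table -AutoSize
```

A Critical row that does not line up with a planned, time-limited grant is the signal the slide is after. Object-level changes (5136) only appear once the objects to watch, for example the AdminSDHolder container and the privileged groups themselves, carry an auditing SACL.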


Planning for Compromise
"It is generally well-accepted that if an attacker has obtained SYSTEM, Administrator, root, or equivalent access to a computer, regardless of operating system, that computer can no longer be considered trustworthy, no matter how many efforts are made to “clean” the system. Active Directory is no different."
- Prevention is better than reaction

Best Practice

Best Practice | Tactical or Strategic | Preventative or Detective
1. Patch applications. | Tactical | Preventative
2. Patch operating systems. | Tactical | Preventative
3. Deploy and promptly update antivirus and antimalware software across all systems and monitor for attempts to remove or disable it. | Tactical | Both
4. Monitor sensitive Active Directory objects for modification attempts and Windows for events that may indicate attempted compromise. | Tactical | Detective
5. Protect and monitor accounts for users who have access to sensitive data. | Tactical | Both
6. Prevent powerful accounts from being used on unauthorized systems. | Tactical | Preventative
7. Eliminate permanent membership in highly privileged groups. | Tactical | Preventative
8. Implement controls to grant temporary membership in privileged groups when needed. | Tactical | Preventative
9. Implement secure administrative hosts. | Tactical | Preventative
10. Use application whitelisting on domain controllers, administrative hosts, and other sensitive systems. | Tactical | Preventative
11. Identify critical assets, and prioritize their security and monitoring. | Tactical | Both
12. Implement least-privilege, role-based access controls for administration of the directory, its supporting infrastructure, and domain-joined systems. | Strategic | Preventative
13. Isolate legacy systems and applications. | Tactical | Preventative
14. Decommission legacy systems and applications. | Strategic | Preventative
15. Implement secure development lifecycle programs for custom applications. | Strategic | Preventative
16. Implement configuration management, review compliance regularly, and evaluate settings with each new hardware or software version. | Strategic | Preventative
17. Migrate critical assets to pristine forests with stringent security and monitoring requirements. | Strategic | Both
18. Simplify security for end users. | Strategic | Preventative
19. Use host-based firewalls to control and secure communications. | Tactical | Preventative
20. Patch devices. | Tactical | Preventative
21. Implement business-centric lifecycle management for IT assets. | Strategic | N/A
22. Create or update incident recovery plans. | Strategic | N/A


Sources
Microsoft. (2013). Best Practices for Securing Active Directory. 314.
Melber, D. (n.d.). The Administrator Shortcut Guide to Active Directory Security.