Title of Presentation


Efi Bregman, Principal Consultant, Microsoft Consulting Services Israel

Session Objectives and Takeaways

Session Objectives:
    Identify the key new AD DS features in WS08
    Explain the value of deploying these features
    Demonstrate these features in real-life scenarios
Key Takeaways:
    Understand when and how to deploy the key new AD DS features

Key Investment areas

Branch Office, Security, Manageability


Windows 2008 Branch Office Benefits

Security: BitLocker, Server Core, Read-Only Domain Controller, Admin Role Separation
Optimization: SysVol Replication (DFS Replication), Protocols
Administration: Print Management Console; PowerShell, WinRS, WinRM; Virtualization; Restartable Active Directory
(Diagram: Hub Site connected to the Branch Office)

Branch Office Dilemma

HQ Data Center / Hub Network, connected over the WAN to the Branch Office:
    Small number of employees
    WAN: congested, unreliable
    Security: not sure
    Admin proficiency: generalist

Branch Office Dilemma

HQ Data Center / Hub Network, connected over the WAN to the Branch Office:
    Branch authentication & authorization fails when the WAN goes down
    A branch DC being compromised jeopardizes the security of the corporate AD!!!

So how can we deploy a Domain Controller in this environment?!

Read-Only Domain Controller

Admin Role Separation
    RODC Server Admin does NOT need to be a Domain Admin
    Prevents the Branch Admin from accidentally causing harm to the AD
    Delegated promotion
1-Way Replication
    No replication from RODC to Full DC
    An attack on the RODC does not propagate to the AD
Passwords not cached by default
    Policy to configure caching of branch-specific passwords (secrets) on the RODC
    Policy to filter schema attributes from replicating to the RODC

RODC – Attacker “experience”

(Cartoon slide: an attacker who has taken over the branch RODC tries to tamper with directory data and is stopped by the read-only database. Speech bubbles: “Let’s tamper data” … “Damn! I have a Read-Only” … “With Admin role” … “enterprise replicates log-in to me.”)

Read-Only Domain Controller

How it works?

(Diagram: Attacker and RODC in the Branch; Full DC in the HUB. The numbers in the diagram mark the steps below.)
    1. Logon request sent to RODC
    2. RODC looks in its DB: "I don't have the user's secrets"
    3. Forwards request to Full DC
    4. Full DC authenticates user
    5. Returns authentication response and TGT back to the RODC
    6. RODC gives TGT to user and queues a replication request for the secrets
    7. Hub DC checks Password Replication Policy to see if the password can be replicated

Read-Only Domain Controller

Recommended Deployment Models

No accounts cached (default)
    Pro: Most secure; still provides fast authentication and policy processing
    Con: No offline access for anyone

Most accounts cached
    Pro: Ease of password management; a manageability improvement of the RODC, not a security one
    Con: More passwords potentially exposed to the RODC

Few accounts (branch-specific accounts) cached
    Pro: Enables offline access for those who need it and maximizes security for the others
    Con: Fine-grained administration is a new task
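The three deployment models above are, in practice, three shapes of the RODC's Password Replication Policy (PRP), which is also what step 7 of the logon flow consults. The following PowerShell is an added example, not part of the presentation: it shows how to inspect and set the PRP for each model, how to see which secrets an RODC actually holds, and what a defender does with that list if the RODC is lost. It assumes the ActiveDirectory PowerShell module (shipped with Windows Server 2008 R2 / RSAT, not with the 2008 RTM build the deck describes); the RODC name BRANCH-RODC01, the group Branch01-Users and the user placeholders are assumptions.

```powershell
# Added example (not from the presentation). Assumes the ActiveDirectory module
# (Windows Server 2008 R2 / RSAT). BRANCH-RODC01 and Branch01-Users are placeholders.
Import-Module ActiveDirectory
Add-Type -AssemblyName System.Web   # for Membership.GeneratePassword below

$rodc = 'BRANCH-RODC01'

# Model 1, "no accounts cached" (the default): the Allowed list contains only the
# built-in "Allowed RODC Password Replication Group", which is empty out of the box.
Get-ADDomainControllerPasswordReplicationPolicy -Identity $rodc -Allowed |
    Select-Object Name, DistinguishedName

# The Denied list (Domain Admins, Account Operators, ... via the built-in
# "Denied RODC Password Replication Group") always wins over Allowed, so
# privileged secrets never land on the branch DC whatever is allowed below.
Get-ADDomainControllerPasswordReplicationPolicy -Identity $rodc -Denied |
    Select-Object Name

# Model 3, "few accounts cached": allow only the branch-specific mirror group.
Add-ADDomainControllerPasswordReplicationPolicy -Identity $rodc -AllowedList 'Branch01-Users'

# Model 2, "most accounts cached": allowing Domain Users is the broad option the
# deck rates as a manageability gain, not a security gain. Left commented out.
# Add-ADDomainControllerPasswordReplicationPolicy -Identity $rodc -AllowedList 'Domain Users'

# Verification: which secrets are really stored on the RODC (revealed), and who has
# authenticated through it. Review both regularly; the first list is the exposure.
$revealed = Get-ADDomainControllerPasswordReplicationPolicyUsage -Identity $rodc -RevealedAccounts
$revealed | Select-Object SamAccountName, ObjectClass | Format-Table -AutoSize

Get-ADDomainControllerPasswordReplicationPolicyUsage -Identity $rodc -AuthenticatedAccounts |
    Select-Object SamAccountName | Format-Table -AutoSize

# Response drill: if the RODC is stolen or compromised, only the revealed secrets
# need resetting; the full DCs are untouched because replication is one-way.
# -WhatIf previews the resets; remove it when actually responding.
foreach ($acct in ($revealed | Where-Object { $_.ObjectClass -eq 'user' })) {
    $newPassword = ConvertTo-SecureString `
        ([System.Web.Security.Membership]::GeneratePassword(24, 4)) -AsPlainText -Force
    Set-ADAccountPassword -Identity $acct.DistinguishedName -Reset -NewPassword $newPassword -WhatIf
    Set-ADUser -Identity $acct.DistinguishedName -ChangePasswordAtLogon $true -WhatIf
}
```

Deleting the RODC's computer account in Active Directory Users and Computers offers the same "reset all revealed passwords" choice interactively; the scripted loop is useful when the list has to be reviewed or recorded first.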

Read-Only Domain Controller

Upgrade path from a Windows 2003 Domain. Deployment steps:
    Not RODC specific:
        1. ADPREP /ForestPrep
        2. ADPREP /DomainPrep
    RODC specific tasks:
        3. Promote a Windows Server 2008 DC
        4. Verify Forest Functional Mode is Windows 2003
        5. ADPREP /RodcPrep
        6. Promote RODC

Test RODCs for application compatibility in your environment

Read-Only Domain Controller

Delegated Administrator (“Local Roles”)
Delegated RODC Promotion:
    Pre-create RODC account
    Specify RODC parameters
    Attach machine to RODC slot

Read-Only Domain Controller

Install-from-media Promotion
    NTDSUtil > IFM
    During creation of the RODC IFM: “secrets” are removed, and the DIT is defragged to remove free space

Branch Office & Replication Optimization

DFS-R replication provides more robust and detailed replication of SYSVOL contents. Requires Windows Server 2008 Domain Mode.

Key Investment areas

Branch Office, Security, Manageability

Directory Service Auditing

New Directory Service Changes events. Event logs tell you exactly:
    Who made a change
    When the change was made
    What object/attribute was changed
    The beginning & end (old and new) values

Auditing controlled by: Global audit policy, SACL, Schema

Event ID   Event type   Event description
5136       Modify       This event is logged when a successful modification is made to an attribute in the directory.
5137       Create       This event is logged when a new object is created in the directory.
5138       Undelete     This event is logged when an object is undeleted in the directory.
5139       Move         This event is logged when an object is moved within the domain.
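To turn the four events into the who / when / what / old-and-new-value view the slide promises, the structured fields in each event's XML have to be read out; a 5136 modify is in fact logged as two events (old value deleted, new value added) sharing one correlation id. The PowerShell below is an added example, not part of the presentation: it pulls events 5136-5139 from a DC's Security log, flattens the fields, and applies a simple watch-list filter. It assumes the "Directory Service Changes" subcategory is enabled (auditpol) and a SACL exists on the audited objects; the DC name DC01 and the watch-list attributes are assumptions.

```powershell
# Added example (not from the presentation). Requires auditing enabled, e.g.
#   auditpol /set /subcategory:"Directory Service Changes" /success:enable
# plus a SACL on the objects. DC01 is a placeholder.
$dc    = 'DC01'
$since = (Get-Date).AddDays(-1)

# OperationType in a 5136 event is a message-table reference, not plain text.
$opNames    = @{ '%%14674' = 'Value Added'; '%%14675' = 'Value Deleted' }
$eventNames = @{ 5136 = 'Modify'; 5137 = 'Create'; 5138 = 'Undelete'; 5139 = 'Move' }

$events = Get-WinEvent -ComputerName $dc -FilterHashtable @{
    LogName   = 'Security'
    Id        = 5136, 5137, 5138, 5139
    StartTime = $since
} -ErrorAction SilentlyContinue   # Get-WinEvent errors when nothing matches

$rows = foreach ($e in $events) {
    # Every field the slide lists lives in EventData as <Data Name="...">.
    $xml = [xml]$e.ToXml()
    $d = @{}
    foreach ($node in $xml.Event.EventData.Data) { $d[$node.Name] = $node.'#text' }

    # 5139 (Move) reports OldObjectDN/NewObjectDN instead of ObjectDN.
    $objectDN = if ($d.ContainsKey('ObjectDN')) { $d['ObjectDN'] } else { $d['NewObjectDN'] }

    [pscustomobject]@{
        When        = $e.TimeCreated                        # when
        Event       = $eventNames[$e.Id]
        Who         = "$($d['SubjectDomainName'])\$($d['SubjectUserName'])"   # who
        Object      = $objectDN                             # what object
        Class       = $d['ObjectClass']
        Attribute   = $d['AttributeLDAPDisplayName']        # what attribute (5136 only)
        Operation   = $opNames[$d['OperationType']]         # Value Deleted = old, Value Added = new
        Value       = $d['AttributeValue']
        Correlation = $d['OpCorrelationID']                 # pairs the old/new halves of one change
    }
}

# Old and new values of one modification sit next to each other once sorted by
# correlation id, which is how the "beginning & end values" are recovered.
$rows | Sort-Object When, Correlation |
    Format-Table When, Event, Who, Object, Attribute, Operation, Value -AutoSize

# Detection-flavoured filter: attributes whose change is usually worth an alert.
$watch = 'member', 'adminCount', 'userAccountControl', 'servicePrincipalName', 'msDS-AllowedToDelegateTo'
$rows | Where-Object { $watch -contains $_.Attribute } |
    Format-Table When, Who, Object, Attribute, Operation, Value -AutoSize
```

Note that auditing is not free: a SACL that audits every attribute on every object produces a pair of 5136 events per modified attribute, so scope the SACL to the containers and attributes you intend to watch.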

Fine-Grained Password Policies

Overview: Granular administration of password and lockout policies within a domain
Usage examples:
    Administrators: strict setting (passwords expire every 14 days)
    Service accounts: moderate settings (passwords expire every 31 days, minimum password length 32 characters)
    Average user: “light” setting (passwords expire every 90 days)

Fine-Grained Password Policies

At a glance
    Policies can be applied to: Users, Global security groups
    Does NOT apply to: Computer objects, Organizational Units
    Multiple policies can be associated with a user, but only one applies

Fine-Grained Password Policies

Example: a user is in scope of two Password Settings Objects. PSO 1 (Precedence = 10) applies to the user, and PSO 2 (Precedence = 20) also applies to the user. Resultant PSO = PSO1 in both cases: the PSO with the lower precedence value wins.

Fine-Grained Password Policies

Design Step-by-Step. Requires Windows Server 2008 Domain Functional Mode.
    1. Create mirror groups for different sets of users
    2. Create PSOs for different password policies
    3. Apply PSOs to users/groups
    4. Delegate administration of mirror groups

Fine-Grained Password Policies

Administration: the feature itself can be delegated. By default, only Domain Admins can:
    Create and read PSOs
    Apply a PSO to a group or user

Operation to be delegated        Associated permissions
Create and delete PSOs           On the PSC: Create all child objects, Delete all child objects
Applying PSOs to users/groups    On the PSO: Write
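The design steps, the three usage-example tiers, the precedence rule and the delegation table above fit into one short script. The PowerShell below is an added example, not part of the presentation: it creates the mirror groups, one PSO per tier with the expiry values from the usage-examples slide, links each PSO to its group, checks the resultant PSO for a user, and grants the two delegations from the table with dsacls. It assumes the ActiveDirectory module (Windows Server 2008 R2 / RSAT) and a domain already at the Windows Server 2008 functional level; group, PSO and user names, the lockout values, and every minimum length other than the 32 characters the slide gives for service accounts are my choices.

```powershell
# Added example (not from the presentation). Assumes the ActiveDirectory module
# and Windows Server 2008 domain functional level. All names are placeholders.
Import-Module ActiveDirectory

$domain   = Get-ADDomain
$domainDN = $domain.DistinguishedName
$netbios  = $domain.NetBIOSName
$pscDN    = "CN=Password Settings Container,CN=System,$domainDN"

# Step 1: mirror groups. PSOs apply to users and global security groups only,
# never to OUs, so each policy tier gets a group that mirrors the OU population.
foreach ($g in 'PSO-Admins', 'PSO-ServiceAccounts', 'PSO-Users') {
    if (-not (Get-ADGroup -Filter "Name -eq '$g'")) {
        New-ADGroup -Name $g -GroupScope Global -GroupCategory Security -Path "CN=Users,$domainDN"
    }
}

# Step 2: one PSO per tier, expiry taken from the usage-examples slide. The
# lowest precedence value wins when a user falls under several PSOs, so the
# strictest tier gets the lowest number. (Min lengths other than 32 are assumed.)
$tiers = @(
    @{ Name = 'PSO-Admins';          Precedence = 10; MaxAge = '14.00:00:00'; MinLen = 15 }
    @{ Name = 'PSO-ServiceAccounts'; Precedence = 20; MaxAge = '31.00:00:00'; MinLen = 32 }
    @{ Name = 'PSO-Users';           Precedence = 30; MaxAge = '90.00:00:00'; MinLen = 10 }
)
foreach ($t in $tiers) {
    New-ADFineGrainedPasswordPolicy -Name $t.Name -Precedence $t.Precedence `
        -MaxPasswordAge $t.MaxAge -MinPasswordAge '1.00:00:00' `
        -MinPasswordLength $t.MinLen -PasswordHistoryCount 24 `
        -ComplexityEnabled $true -ReversibleEncryptionEnabled $false `
        -LockoutThreshold 10 -LockoutDuration '0.00:30:00' -LockoutObservationWindow '0.00:30:00'

    # Step 3: apply the PSO to its mirror group (PSO and group share a name here).
    Add-ADFineGrainedPasswordPolicySubject -Identity $t.Name -Subjects $t.Name
}

# Precedence check: an account that is a member of both PSO-Admins (10) and
# PSO-Users (30) resolves to PSO-Admins, the "Resultant PSO = PSO1" case.
Get-ADUserResultantPasswordPolicy -Identity 'jdoe' |
    Select-Object Name, Precedence, MaxPasswordAge, MinPasswordLength

# Step 4: delegation, straight from the table.
#   Create/delete PSOs  = Create child (CC) + Delete child (DC) of class
#                         msDS-PasswordSettings on the Password Settings Container.
#   Apply a PSO         = Write on that PSO object (generic write, GW).
dsacls $pscDN /G "$netbios\PSO-Operators:CCDC;msDS-PasswordSettings"
dsacls "CN=PSO-Users,$pscDN" /G "$netbios\HelpDesk:GW"

# Delegating the mirror groups themselves (who may add/remove members) is the
# usual last step; a plain Write on the group's member attribute does it.
dsacls "CN=PSO-Users,CN=Users,$domainDN" /G "$netbios\HelpDesk:WP;member"
```

Because only one PSO ever applies, keep precedence values spaced apart (10, 20, 30 above) so a new tier can be slotted in later without renumbering, and remember that a PSO applied to a user directly outranks any PSO the user inherits through a group.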

Key Investment areas

Branch Office, Security, Manageability

Restartable AD DS

Without a reboot you can now perform offline defragmentation
DS stopped, similar to a member server: NTDS.dit is offline
Can log on locally with the DSRM password
Restartable AD DS and Server Core: fewer reboots for servicing
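The offline defragmentation the slide refers to is the concrete case where restartable AD DS saves a reboot into Directory Services Restore Mode. The PowerShell below is an added example, not part of the presentation: it stops the NTDS service, compacts the database to a scratch directory with ntdsutil, swaps the compacted file in after an integrity check, and restarts the service. It assumes an elevated session on the domain controller itself and the default NTDS path; the scratch directory is a placeholder.

```powershell
# Added example (not from the presentation). Run elevated on the DC. Paths are
# placeholders; C:\Windows\NTDS is the default database location.
$ntdsDir    = 'C:\Windows\NTDS'
$compactDir = 'C:\NTDS-Compact'

# Stopping NTDS also stops its dependents (KDC, Netlogon, DFSR/FRS, DNS, ISM),
# which is what -Force acknowledges. While it is down the box behaves like a
# member server: logons are served by other DCs, or locally with the DSRM password.
Stop-Service -Name NTDS -Force
if ((Get-Service -Name NTDS).Status -ne 'Stopped') { throw 'NTDS did not stop' }

New-Item -ItemType Directory -Path $compactDir -Force | Out-Null

# Offline defrag writes a new, compacted copy of ntds.dit into $compactDir.
ntdsutil "activate instance ntds" files "compact to $compactDir" quit quit

if (Test-Path "$compactDir\ntds.dit") {
    # Keep the old file until the new one has passed an integrity check.
    Copy-Item "$ntdsDir\ntds.dit" "$ntdsDir\ntds.dit.bak" -Force
    Copy-Item "$compactDir\ntds.dit" "$ntdsDir\ntds.dit" -Force
    # The log files belong to the old database and must go with it.
    Remove-Item "$ntdsDir\*.log"
    ntdsutil "activate instance ntds" files integrity quit quit
}
else {
    Write-Warning 'Compaction produced no ntds.dit; keeping the existing database.'
}

# Bring the directory service (and its dependents) back without a reboot.
Start-Service -Name NTDS
Get-Service -Name NTDS, KDC, Netlogon | Select-Object Name, Status
```

If the integrity check reports a problem, restore ntds.dit.bak over ntds.dit before starting the service; the service start itself rebuilds the transaction logs.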

Database Mounting Tool

Backup/Recovery: allows the administrator to choose the best backup

NTDSUTIL.EXE: takes VSS snapshots of the Directory Service
DSAMAIN.EXE: exposes snapshots as LDAP servers
LDP.EXE or Active Directory Users & Computers: views read-only Directory Service data

Best Practice: schedule NTDSUtil.exe to take regular snapshots of AD DS
Note: the tool is not used for restoring objects
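The three tools above form one workflow: snapshot, mount, expose, query, unmount. The PowerShell below is an added example, not part of the presentation: it takes and mounts a snapshot with ntdsutil, serves it with dsamain on an alternate LDAP port, compares a group's membership then and now (the "choose the best backup" question, and a handy forensic check), tears the snapshot down, and schedules the daily snapshot the slide recommends. It assumes an elevated session on the DC and the ActiveDirectory module for the query step; the snapshot mount path, the port and the script path are placeholders, and the mount path must be copied from ntdsutil's own output.

```powershell
# Added example (not from the presentation). Run elevated on the DC.

# 1. Take a VSS snapshot of the directory service.
ntdsutil snapshot "activate instance ntds" create quit quit

# 2. List snapshots (numbered) and mount the newest; ntdsutil prints the mount
#    path, which looks like C:\$SNAP_200801151305_VOLUMEC$\ .
ntdsutil snapshot "list all" "mount 1" quit quit
$mount = 'C:\$SNAP_200801151305_VOLUMEC$'   # placeholder: copy from the output above

# 3. Expose the mounted DIT as a separate, read-only LDAP server. Any free port
#    works as long as it does not collide with 389/636/3268/3269.
$port = 51389
Start-Process -FilePath dsamain -ArgumentList "/dbpath `"$mount\Windows\NTDS\ntds.dit`" /ldapport $port"
Start-Sleep -Seconds 5

# 4. Query the snapshot like any DC: LDP.EXE, ADUC "Change Domain Controller"
#    to localhost:51389, or the AD module's -Server parameter. Comparing a
#    sensitive group then and now shows exactly what changed in between.
Import-Module ActiveDirectory
$then = Get-ADGroup -Identity 'Domain Admins' -Properties member -Server "localhost:$port"
$now  = Get-ADGroup -Identity 'Domain Admins' -Properties member
Compare-Object @($then.member) @($now.member) |
    Select-Object @{n='Member';e={$_.InputObject}},
                  @{n='State';e={ if ($_.SideIndicator -eq '=>') { 'added since snapshot' } else { 'removed since snapshot' } }}

# The tool is a viewer only: to put a value back, copy it out of the snapshot
# and write it to the live directory (or use an authoritative restore).

# 5. Tear down: stop dsamain, then unmount the snapshot.
Stop-Process -Name dsamain -ErrorAction SilentlyContinue
ntdsutil snapshot "list all" "unmount 1" quit quit

# 6. Best practice from the slide: a scheduled daily snapshot. A .cmd wrapper
#    avoids quoting trouble between schtasks and ntdsutil.
$scriptPath = 'C:\Scripts\ad-snapshot.cmd'   # placeholder
New-Item -ItemType Directory -Path (Split-Path $scriptPath) -Force | Out-Null
Set-Content -Path $scriptPath -Value 'ntdsutil snapshot "activate instance ntds" create quit quit'
schtasks /Create /SC DAILY /ST 06:00 /RU SYSTEM /TN "AD DS snapshot" /TR $scriptPath /F
```

Mounted snapshots contain every secret the live database does, so protect the snapshot files and the dsamain port exactly as you would the DC itself, and unmount as soon as the comparison is done.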

Group Policy Enhancements

Over 700 new settings: power options, removable media, Windows Firewall configuration, printer management …
Transition to ADMX files
Additional management features:
    Add comments to individual GPOs and settings
    Search and filter on settings and comments
    Create Starter GPOs for easier reuse

Summary – Key features in Active Directory Domain Services 2008

    Read Only Domain Controller
    Fine Grained Password Policies
    Enhanced Auditing Capabilities
    Restartable AD DS
    AD DS Database Mounting Tool
    DFS-R Sysvol Replication

Resources

Read Only Domain Controller http://technet2.microsoft.com/windowsserver2008/en/library/ea8d253e-0646-490c-93d3-b78c5e1d9db71033.mspx

Fine Grained Password Policies http://technet2.microsoft.com/windowsserver2008/en/library/056a73ef-5c9e-44d7-acc1-4f0bade6cd751033.mspx

Restartable AD DS http://technet2.microsoft.com/windowsserver2008/en/library/caa05f49-210f-4f4c-b33f-c8ad50a687101033.mspx

Enhanced Auditing Capabilities http://technet2.microsoft.com/windowsserver2008/en/library/ad35ab51-2e85-41e9-91f7-ccedf2fc98241033.mspx

http://technet2.microsoft.com/windowsserver2008/en/library/a9c25483-89e2-4202-881c-ea8e02b4b2a51033.mspx

AD DS Database Mounting Tool (“SnapView”) http://technet2.microsoft.com/windowsserver2008/en/library/4503d762-0adf-494f-a08b-cf502ecb76021033.mspx?mfr=true

© 2007 Microsoft Corporation. All rights reserved. Microsoft, Windows, Windows Vista and other product names are or may be registered trademarks and/or trademarks in the U.S. and/or other countries.

The information herein is for informational purposes only and represents the current view of Microsoft Corporation as of the date of this presentation. Because Microsoft must respond to changing market conditions, it should not be interpreted to be a commitment on the part of Microsoft, and Microsoft cannot guarantee the accuracy of any information provided after the date of this presentation. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION.