Microsoft Official Course ® Module 3 Securing AD DS Module Overview • Securing Domain Controllers • Implementing Password and Lockout Policies • Implementing Audit Authentication Lesson 1: Securing Domain Controllers • Domain Controller Security Risks • Modifying the Security Settings of Domain Controllers • Minimizing the Attack Surface of Domain Controllers • Implementing Secure Authentication • Securing Physical Access to Domain Controllers • What are RODCs? • Deploying an RODC • Planning and Configuring RODC Credential Caching • Demonstration: Configure a Password Replication Policy • Administrator Role Separation Domain Controller Security Risks Domain controllers are a prime target for attacks and the most important resource to secure • Security risks include: • Network security • Authentication attacks • Elevation of privilege • Denial of Service • Operating system, service, or application attacks • Operational risks • Physical security threats Modifying the Security Settings of Domain Controllers • Use a GPO to apply the same security settings to all domain controllers • Consider custom GPOs linked to the Domain Controllers OU • Security settings include: • Account policies, such as passwords and account lockout • Local policies, such as auditing, user rights, and security options • Event log configuration • Secure system services • Windows Firewall with Advanced Security • Public key policies • Advanced auditing Minimizing the Attack Surface of Domain Controllers To minimize the attack surface on domain controllers, you should: • Establish update management processes • Increase the security of communication protocols: • Secure LDAP • IPsec • SMB signing • Secure the operating system by using: • Baseline security by using SCW • Server Core installation • BitLocker Drive Encryption Implementing Secure Authentication Consider the following factors when implementing secure authentication: • Secure user accounts and passwords • Secure groups with elevated permissions • Audit critical object changes • Deploy secure authentication, such as smart cards • Secure network activity • Establish deprovisioning and cleanup processes • Secure client computers Securing Physical Access to Domain Controllers When securing physical access to your domain controllers, consider the following: • RODCs • BitLocker • Hot-swap disk systems can lead to domain controller theft • Protect virtual disks: virtual machine admins must be highly trusted • Store backups in secure locations What are RODCs? Data center • Writable Windows Server 2008 domain controller • Password replication policy: Branch office • RODC: • All objects • Subset of attributes • No secrets • Specifies which user and computer passwords can be cached by the • Not writable RODC • Users sign on: • RODC forwards authentication • Password is cached: • If password replication policy allows • Has a local administrators group AD DS AD DS Deploying an RODC Deploying an RODC: • Prerequisites: • Adprep /rodcprep • Sufficient Windows Server 2008 or newer replication partners for the RODCs • One-step deployment: Server Manager with Add Roles and Features, then Active Directory Domain Services Configuration Wizard • Windows PowerShell: Install-ADDSDomainController – ReadOnlyReplica • • Two-step deployment: pre-staging and delegated promotion: • Create the account: Active Directory Administrative Center or Add-ADDSReadOnlyDomainControllerAccount • Join the RODC as delegated admin: Server Manager or Install-ADDSDomainController -ReadOnlyReplica Planning and Configuring RODC Credential Caching A password replication policy determines which users’ credentials are cached on a specific RODC • You can configure these credentials by using: • Domain-wide password replication policy • RODC-specific password replication policy • RODC filtered attribute set Demonstration: Configure a Password Replication Policy • In this demonstration, you will see how to: • Stage a delegated installation of an RODC • View an RODC’s password replication policy • Configure an RODC-specific password replication policy • Verify the resultant password policy Administrator Role Separation • Allows performance of local administrative tasks on the RODC for non-domain administrators • Each RODC maintains a local Security Accounts Manager database of groups for specific administrative purposes • Configure the local administrator by: • Adding the user or group when pre-creating or installing the RODC • Adding a user or group on the Managed By tab on the RODC account properties Lesson 2: Implementing Password and Lockout Policies • Password Policies • Account Lockout Policies • Demonstration: Configure Domain Account Policies • Fine-Grained Password and Lockout Policies • Understanding PSOs • Demonstration: Configuring a Fine-Grained Password Policy • PSO Precedence and Resultant PSO Password Policies • Set password requirements by using the following settings: • Enforce password history • Maximum password age • Minimum password age • Minimum password length • Password complexity requirements: • Does not contain name or user name • Must have at least six characters • Contains characters from three different groups– uppercase, lowercase, numeric, and special characters Account Lockout Policies • Account lockout policies define whether accounts should be locked automatically after several failed attempts to log on • To configure these policy settings, you must consider: • Account lockout duration • Account lockout threshold • Reset account lockout counter after • Account lockout policies provide a level of security but also provide an opportunity for DoS attacks Demonstration: Configure Domain Account Policies • In this demonstration, you will see how to configure: A domain-based password policy • An account lockout policy • Fine-Grained Password and Lockout Policies • You can use fine-grained password policies to specify multiple password policies within a single domain • Fine-grained password policies: Apply only to user objects, InetOrgPerson objects, or global security groups • Cannot be applied directly to an OU • Do not interfere with custom password filters that you might use in the same domain • Understanding PSOs Windows Server 2012 provides two tools for configuring PSOs: • Windows PowerShell cmdlets: • New-ADFineGrainedPasswordPolicy • Add-FineGrainedPasswordPolicySubject • Active Directory Administrative Center Demonstration: Configuring a Fine-Grained Password Policy • In this demonstration, you will see how to configure and apply a fine-grained password policy PSO Precedence and Resultant PSO If multiple PSOs apply to a user: • The directly applied PSOs are considered, rather than the PSOs that are applied via group memberships • The PSO with the lowest precedence wins • If two PSOs have the same precedence, the smallest objectGUID wins To evaluate a user object to see which PSO has been applied, you can use: • msDS-ResultantPSO Active Directory attribute • Active Directory Administrative Center • Extensions • Attribute Editor • Filter: Show constructed attributes Lesson 3: Implementing Audit Authentication • Account Logon and Logon Events • Demonstration: Configuring Authentication- Related Audit Policies • Scope Audit Policies • Demonstration: Viewing Logon Events Account Logon and Logon Events Advanced audit policies provide 53 auditable events: AD DS Account Logon Event • Account logon events: • Registered by the system that authenticates the account • For domain accounts–domain controllers • For local accounts–local computer Logon Event • Logon events: • Registered by the machine at or to which (or to which) a user logged on • Interactive logon–user's system • Network logon–server Logon Event Demonstration: Configuring AuthenticationRelated Audit Policies • In this demonstration, you will see where the authentication-related audit policies are configured Scope Audit Policies Default Domain Controllers Policy Custom GPO Logon Events Account Logon Events Domain Controllers Remote Desktop Servers HR Clients Demonstration: Viewing Logon Events • In this demonstration, you will see how to view logon events Lab: Securing AD DS • Exercise 1: Implementing Security Policies for Accounts, Passwords, and Administrative Groups • Exercise 2: Deploying and Configuring an RODC Logon Information: Virtual machines: User name: Password: 10969A-LON-DC1 10969A-LON-DC2 10969A-LON-SVR1 Adatum\Administrator Pa$$w0rd Estimated Time: 45 minutes Lab Scenario The security team at A. Datum Corporation has been examining the organization for possible security issues. It has been focusing on AD DS and is particularly concerned with AD DS authentication and branch-office domain controller security. You have been asked to help improve the security and monitoring of authentication against the enterprise’s AD DS domain. You must enforce a specified password policy for all user accounts, and you must develop a more stringent password policy for security-sensitive administrative accounts. It also is important that you implement an appropriate audit trail to help monitor authentication attempts within AD DS. The second part of your assignment includes the deployment and configuration of RODCs s to support AD DS authentication within a branch office Lab Review • In the lab, we configured the password settings for all users within the Default Domain Policy, and we configured the password settings for Administrators within a PSO. What other options were available to accomplish the solution? • In the lab, we were using precedence for the administrative PSO with a value of 10. What is the reason for this? Module Review and Takeaways • Review Questions • Tools