Module 3 - ICTSHOP

Microsoft Official Course®
Module 3
Securing AD DS
Module Overview
• Securing Domain Controllers
• Implementing Password and Lockout Policies
• Implementing Audit Authentication
Lesson 1: Securing Domain Controllers
• Domain Controller Security Risks
• Modifying the Security Settings of Domain Controllers
• Minimizing the Attack Surface of Domain Controllers
• Implementing Secure Authentication
• Securing Physical Access to Domain Controllers
• What are RODCs?
• Deploying an RODC
• Planning and Configuring RODC Credential Caching
• Demonstration: Configure a Password Replication Policy
• Administrator Role Separation
Domain Controller Security Risks
Domain controllers are a prime target for attacks
and the most important resource to secure
• Security risks include:
• Network security
• Authentication attacks
• Elevation of privilege
• Denial of Service
• Operating system, service, or application attacks
• Operational risks
• Physical security threats
Modifying the Security Settings of Domain Controllers
• Use a GPO to apply the same security settings to all domain
controllers
• Consider custom GPOs linked to the Domain Controllers OU
• Security settings include:
• Account policies, such as passwords and account lockout
• Local policies, such as auditing, user rights, and security options
• Event log configuration
• Secure system services
• Windows Firewall with Advanced Security
• Public key policies
• Advanced auditing
Minimizing the Attack Surface of Domain Controllers
To minimize the attack surface on domain
controllers, you should:
• Establish update management processes
• Increase the security of communication protocols:
• Secure LDAP
• IPsec
• SMB signing
• Secure the operating system by using:
• Baseline security by using SCW
• Server Core installation
• BitLocker Drive Encryption
Implementing Secure Authentication
Consider the following factors when implementing
secure authentication:
• Secure user accounts and passwords
• Secure groups with elevated permissions
• Audit critical object changes
• Deploy secure authentication, such as smart cards
• Secure network activity
• Establish deprovisioning and cleanup processes
• Secure client computers
Securing Physical Access to Domain Controllers
When securing physical access to your domain
controllers, consider the following:
• RODCs
• BitLocker
• Hot-swap disk systems can lead to domain controller
theft
• Protect virtual disks: virtual machine admins must be
highly trusted
• Store backups in secure locations
What are RODCs?
Data center:
• Writable Windows Server 2008 domain controller
• Password replication policy: specifies which user and computer passwords can be cached by the RODC
Branch office:
• RODC:
• All objects
• Subset of attributes
• No secrets
• Not writable
• Users sign on:
• RODC forwards authentication
• Password is cached if the password replication policy allows
• Has a local administrators group
Deploying an RODC
Deploying an RODC:
• Prerequisites:
• Adprep /rodcprep
• Sufficient Windows Server 2008 or newer replication partners for the RODCs
• One-step deployment:
• Server Manager with Add Roles and Features, then Active Directory Domain Services Configuration Wizard
• Windows PowerShell: Install-ADDSDomainController -ReadOnlyReplica
• Two-step deployment: pre-staging and delegated promotion:
• Create the account: Active Directory Administrative Center or Add-ADDSReadOnlyDomainControllerAccount
• Join the RODC as delegated admin: Server Manager or Install-ADDSDomainController -ReadOnlyReplica
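The two-step deployment above, written out as an added PowerShell example (this is not the course's lab script): a domain admin pre-stages the RODC account and delegates its promotion, then the delegated admin promotes the branch server into that account without needing Domain Admin credentials on the branch machine. The domain name Adatum.com, the RODC name LON-RODC1, the site Branch1 and the group Adatum\BranchAdmins are assumptions. -UseExistingAccount is the Install-ADDSDomainController parameter for promoting into a pre-staged account; the slide's one-step -ReadOnlyReplica form is shown commented out for comparison.

```powershell
# Added example, not from the course. Assumed names: domain Adatum.com,
# RODC account LON-RODC1, site Branch1, delegated admins Adatum\BranchAdmins.

# --- Step 1: run as a Domain Admin on a writable DC (or an RSAT workstation) ---
Import-Module ADDSDeployment
Add-ADDSReadOnlyDomainControllerAccount `
    -DomainControllerAccountName 'LON-RODC1' `
    -DomainName 'Adatum.com' `
    -SiteName 'Branch1' `
    -DelegatedAdministratorAccountName 'Adatum\BranchAdmins' `
    -InstallDns:$true

# The delegated group is recorded in the managedBy attribute of the staged
# account; this is the same value the Managed By tab of the RODC account shows.
(Get-ADComputer -Identity 'LON-RODC1' -Properties managedBy).managedBy

# --- Step 2: run on the branch server as a member of Adatum\BranchAdmins ---
# The delegated admin must be a local administrator on this server, but does
# not need Domain Admin rights.
Install-WindowsFeature -Name AD-Domain-Services -IncludeManagementTools
Import-Module ADDSDeployment
Install-ADDSDomainController `
    -DomainName 'Adatum.com' `
    -UseExistingAccount `
    -Credential (Get-Credential -Message 'Delegated branch admin') `
    -SafeModeAdministratorPassword (Read-Host -AsSecureString -Prompt 'DSRM password') `
    -Force

# --- One-step alternative (run as a Domain Admin on the branch server) ---
# Install-ADDSDomainController -DomainName 'Adatum.com' -ReadOnlyReplica `
#     -SiteName 'Branch1' -Credential (Get-Credential) `
#     -SafeModeAdministratorPassword (Read-Host -AsSecureString -Prompt 'DSRM password')

# --- Verify from any DC once the new RODC has rebooted ---
Get-ADDomainController -Identity 'LON-RODC1' |
    Select-Object Name, IsReadOnly, Site, IsGlobalCatalog
```

The split matters for the physical-security point made earlier in the module: the person racking the branch server never handles Domain Admin credentials, and the DSRM password entered in step 2 is local to the RODC.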
Planning and Configuring RODC Credential Caching
A password replication policy determines which
users’ credentials are cached on a specific RODC
• You can configure these credentials by using:
• Domain-wide password replication policy
• RODC-specific password replication policy
• RODC filtered attribute set
Demonstration: Configure a Password Replication Policy
• In this demonstration, you will see how to:
• Stage a delegated installation of an RODC
• View an RODC’s password replication policy
• Configure an RODC-specific password replication policy
• Verify the resultant password policy
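Viewing, configuring and checking a password replication policy from PowerShell, as an added example rather than the course demonstration. It assumes an RODC named LON-RODC1 and the groups 'Branch1 Users' and 'Branch1 Computers' already exist. Test-RodcPasswordCaching is an illustrative helper written for this example, not a built-in cmdlet; it reproduces the resultant-policy rule (deny wins over allow, and an account on neither list is not cached) by expanding both lists to their leaf members.

```powershell
# Added example, not from the course. Assumed names: RODC LON-RODC1,
# groups 'Branch1 Users' and 'Branch1 Computers'.
Import-Module ActiveDirectory
$rodc = 'LON-RODC1'

# View the RODC-specific policy as it stands (the Allowed and Denied lists)
Get-ADDomainControllerPasswordReplicationPolicy -Identity $rodc -Allowed | Select-Object Name, objectClass
Get-ADDomainControllerPasswordReplicationPolicy -Identity $rodc -Denied  | Select-Object Name, objectClass

# Allow caching only for branch users and their computers. Privileged groups are
# already covered by the domain-wide Denied RODC Password Replication Group;
# listing them here as well keeps the intent explicit on this RODC.
Add-ADDomainControllerPasswordReplicationPolicy -Identity $rodc -AllowedList 'Branch1 Users', 'Branch1 Computers'
Add-ADDomainControllerPasswordReplicationPolicy -Identity $rodc -DeniedList 'Domain Admins', 'Enterprise Admins', 'Schema Admins'

# Illustrative helper (not a built-in cmdlet): what the resultant policy says for
# one account. Deny takes precedence over Allow; an account on neither list is not cached.
function Test-RodcPasswordCaching {
    param([Parameter(Mandatory)][string]$Rodc, [Parameter(Mandatory)][string]$Account)

    # Expand any groups on a list to the distinguished names of their leaf members
    function Expand-List($principals) {
        foreach ($p in $principals) {
            if ($p.objectClass -eq 'group') {
                (Get-ADGroupMember -Identity $p.DistinguishedName -Recursive).DistinguishedName
            } else {
                $p.DistinguishedName
            }
        }
    }
    $dn      = (Get-ADObject -Filter "sAMAccountName -eq '$Account'").DistinguishedName
    $denied  = Expand-List (Get-ADDomainControllerPasswordReplicationPolicy -Identity $Rodc -Denied)
    $allowed = Expand-List (Get-ADDomainControllerPasswordReplicationPolicy -Identity $Rodc -Allowed)

    if     ($denied  -contains $dn) { 'Deny (explicitly denied)' }
    elseif ($allowed -contains $dn) { 'Allow' }
    else                            { 'Deny (not on the allowed list)' }
}
# Administrator is a member of Domain Admins, which is on the denied list
Test-RodcPasswordCaching -Rodc $rodc -Account 'Administrator'
# A branch user is allowed only if a group on the allowed list contains them
Test-RodcPasswordCaching -Rodc $rodc -Account 'Dan'

# Verify what has actually happened on the RODC: which secrets are stored there,
# and which accounts have authenticated through it (candidates for the allow list)
Get-ADDomainControllerPasswordReplicationPolicyUsage -Identity $rodc -RevealedAccounts      | Select-Object Name, objectClass
Get-ADDomainControllerPasswordReplicationPolicyUsage -Identity $rodc -AuthenticatedAccounts | Select-Object Name, objectClass
```

The RevealedAccounts list is the one to review after a branch-office incident: it is the set of credentials that an attacker with the RODC's disks could have obtained, and the set whose passwords would need resetting.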
Administrator Role Separation
• Allows performance of local administrative tasks
on the RODC for non-domain administrators
• Each RODC maintains a local Security Accounts
Manager database of groups for specific
administrative purposes
• Configure the local administrator by:
• Adding the user or group when pre-creating or
installing the RODC
• Adding a user or group on the Managed By tab on the
RODC account properties
Lesson 2: Implementing Password and Lockout Policies
• Password Policies
• Account Lockout Policies
• Demonstration: Configure Domain Account Policies
• Fine-Grained Password and Lockout Policies
• Understanding PSOs
• Demonstration: Configuring a Fine-Grained Password Policy
• PSO Precedence and Resultant PSO
Password Policies
• Set password requirements by using the following settings:
• Enforce password history
• Maximum password age
• Minimum password age
• Minimum password length
• Password complexity requirements:
• Does not contain name or user name
• Must have at least six characters
• Contains characters from three different groups: uppercase, lowercase, numeric, and special characters
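The three complexity rules above, implemented as an added PowerShell function (not part of the course) for checking a candidate password offline before it is set, for example when a service account password is generated by a script. It follows the rules exactly as the slide states them; the built-in Windows filter additionally splits the display name into tokens of three or more characters and recognises a fifth group (letters outside A-Z and a-z), so treat this as an approximation. Test-PasswordComplexity and the sample inputs are constructed for the example.

```powershell
# Added example, not from the course. Checks a candidate password against the
# three rules on the slide. Approximation: the real Windows filter also tokenises
# the display name and counts other Unicode letters as a fifth character group.
function Test-PasswordComplexity {
    param(
        [Parameter(Mandatory)][string]$Password,
        [string]$SamAccountName = '',
        [string]$DisplayName = ''
    )
    $reasons = New-Object System.Collections.Generic.List[string]

    # Rule 1: must not contain the user name or parts of the user's name (case-insensitive)
    if ($SamAccountName.Length -ge 3 -and
        $Password.IndexOf($SamAccountName, [StringComparison]::OrdinalIgnoreCase) -ge 0) {
        $reasons.Add('contains the user name')
    }
    foreach ($part in ($DisplayName -split '[ ,.\-_#\t]+' | Where-Object { $_.Length -ge 3 })) {
        if ($Password.IndexOf($part, [StringComparison]::OrdinalIgnoreCase) -ge 0) {
            $reasons.Add("contains name part '$part'")
        }
    }

    # Rule 2: minimum length of six characters
    if ($Password.Length -lt 6) { $reasons.Add('shorter than six characters') }

    # Rule 3: characters from at least three of the four groups
    $groups = 0
    if ($Password -cmatch '[A-Z]')        { $groups++ }   # uppercase
    if ($Password -cmatch '[a-z]')        { $groups++ }   # lowercase
    if ($Password -match  '[0-9]')        { $groups++ }   # numeric
    if ($Password -match  '[^A-Za-z0-9]') { $groups++ }   # special
    if ($groups -lt 3) { $reasons.Add("uses only $groups of the four character groups") }

    [pscustomobject]@{
        Compliant = ($reasons.Count -eq 0)
        Reasons   = ($reasons -join '; ')
    }
}

# Constructed sample inputs
Test-PasswordComplexity -Password 'Pa$$w0rd'  -SamAccountName 'Administrator' -DisplayName 'Administrator'
Test-PasswordComplexity -Password 'adatum123' -SamAccountName 'adatum'        -DisplayName 'Adatum Corp'
Test-PasswordComplexity -Password 'Sm1th!'    -SamAccountName 'jsmith'        -DisplayName 'John Smith'
```

The second sample fails on two counts (it contains the user name and uses only two groups), while the third passes the rules as written even though it is only six characters long, which is why the slide's next settings (minimum length, history, age) matter as much as complexity.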
Account Lockout Policies
• Account lockout policies define whether accounts should be locked automatically after several failed attempts to log on
• To configure these policy settings, you must consider:
• Account lockout duration
• Account lockout threshold
• Reset account lockout counter after
• Account lockout policies provide a level of security but also provide an opportunity for DoS attacks
Demonstration: Configure Domain Account Policies
• In this demonstration, you will see how to configure:
• A domain-based password policy
• An account lockout policy
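Configuring the domain-wide password and lockout settings from PowerShell, as an added example rather than the course demonstration (the domain name Adatum.com and the chosen values are assumptions). Set-ADDefaultDomainPasswordPolicy writes the domain's settings directly; where the Default Domain Policy GPO defines these values, as in the lab, the GPO is the authoritative place, because Group Policy reapplies its settings, so change them there instead and use the cmdlets to read back the result.

```powershell
# Added example, not from the course. Assumed domain: Adatum.com.
Import-Module ActiveDirectory
$domain = 'Adatum.com'

# Record the current settings before changing anything
Get-ADDefaultDomainPasswordPolicy -Identity $domain |
    Format-List MinPasswordLength, ComplexityEnabled, PasswordHistoryCount, MaxPasswordAge, MinPasswordAge,
                LockoutThreshold, LockoutDuration, LockoutObservationWindow

# Password settings: history, maximum/minimum age, length, complexity.
# Lockout settings: threshold, duration, and the window after which the
# bad-password counter resets. The observation window may not exceed the
# lockout duration. A threshold of 0 means accounts never lock; a low threshold
# with a long duration makes the DoS the slide mentions easy, so keep the
# threshold moderate and the duration short.
Set-ADDefaultDomainPasswordPolicy -Identity $domain `
    -PasswordHistoryCount 24 `
    -MaxPasswordAge (New-TimeSpan -Days 42) `
    -MinPasswordAge (New-TimeSpan -Days 1) `
    -MinPasswordLength 10 `
    -ComplexityEnabled $true `
    -ReversibleEncryptionEnabled $false `
    -LockoutThreshold 10 `
    -LockoutDuration (New-TimeSpan -Minutes 30) `
    -LockoutObservationWindow (New-TimeSpan -Minutes 30)

# Verify that the change took effect
Get-ADDefaultDomainPasswordPolicy -Identity $domain |
    Format-List MinPasswordLength, ComplexityEnabled, PasswordHistoryCount, MaxPasswordAge, MinPasswordAge,
                LockoutThreshold, LockoutDuration, LockoutObservationWindow

# Operational check that belongs with any lockout policy: which accounts are
# locked out right now? A sudden cluster of lockouts is the symptom of the
# lockout-based DoS described on the previous slide.
Search-ADAccount -LockedOut | Select-Object Name, SamAccountName, LastLogonDate
```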
Fine-Grained Password and Lockout Policies
• You can use fine-grained password policies to specify multiple password policies within a single domain
• Fine-grained password policies:
• Apply only to user objects, InetOrgPerson objects, or global security groups
• Cannot be applied directly to an OU
• Do not interfere with custom password filters that you might use in the same domain
Understanding PSOs
Windows Server 2012 provides two tools for configuring PSOs:
• Windows PowerShell cmdlets:
• New-ADFineGrainedPasswordPolicy
• Add-ADFineGrainedPasswordPolicySubject
• Active Directory Administrative Center
Demonstration: Configuring a Fine-Grained Password Policy
• In this demonstration, you will see how to configure and apply a fine-grained password policy
PSO Precedence and Resultant PSO
If multiple PSOs apply to a user:
• The directly applied PSOs are considered, rather than the PSOs that are
applied via group memberships
• The PSO with the lowest precedence wins
• If two PSOs have the same precedence, the smallest objectGUID wins
To evaluate a user object to see which PSO has
been applied, you can use:
• msDS-ResultantPSO Active Directory attribute
• Active Directory Administrative Center
• Extensions
• Attribute Editor
• Filter: Show constructed attributes
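Creating and applying two PSOs and then reading back the resultant PSO for a user, as an added example that covers both the PSO cmdlets and the precedence rules above (it is not the course demonstration). The PSO names, their values and the group 'ServiceAccounts' are assumptions; 'Domain Admins' is the built-in group. Get-ADUserResultantPasswordPolicy and the constructed msDS-ResultantPSO attribute are the two PowerShell-side ways to see which PSO wins.

```powershell
# Added example, not from the course. PSO names, values and the group
# 'ServiceAccounts' are assumptions.
Import-Module ActiveDirectory

# Stricter policy for administrators. Precedence 10: the lowest precedence
# value wins when more than one PSO applies to the same user.
New-ADFineGrainedPasswordPolicy -Name 'AdminPSO' -Precedence 10 `
    -MinPasswordLength 15 -ComplexityEnabled $true -PasswordHistoryCount 24 `
    -MaxPasswordAge (New-TimeSpan -Days 30) -MinPasswordAge (New-TimeSpan -Days 1) `
    -LockoutThreshold 5 -LockoutDuration (New-TimeSpan -Minutes 30) `
    -LockoutObservationWindow (New-TimeSpan -Minutes 30) -ReversibleEncryptionEnabled $false
# Subjects must be users, InetOrgPerson objects or global security groups, never OUs
Add-ADFineGrainedPasswordPolicySubject -Identity 'AdminPSO' -Subjects 'Domain Admins'

# A second PSO for service accounts at precedence 20: long passwords, long
# rotation, and no lockout (threshold 0) so that they cannot be locked out by
# a burst of bad attempts against a shared service identity.
New-ADFineGrainedPasswordPolicy -Name 'ServiceAccountPSO' -Precedence 20 `
    -MinPasswordLength 25 -ComplexityEnabled $true -PasswordHistoryCount 3 `
    -MaxPasswordAge (New-TimeSpan -Days 365) -MinPasswordAge (New-TimeSpan -Days 1) `
    -LockoutThreshold 0 -LockoutDuration (New-TimeSpan -Minutes 30) `
    -LockoutObservationWindow (New-TimeSpan -Minutes 30) -ReversibleEncryptionEnabled $false
Add-ADFineGrainedPasswordPolicySubject -Identity 'ServiceAccountPSO' -Subjects 'ServiceAccounts'

# Which PSOs exist, in the order they are considered
Get-ADFineGrainedPasswordPolicy -Filter * | Sort-Object Precedence |
    Select-Object Name, Precedence, ObjectGUID

# Resultant policy for one user. An account that is in both groups gets AdminPSO
# (10 beats 20); a PSO linked directly to the user object would beat both, and a
# tie on precedence is broken by the smallest objectGUID.
Get-ADUserResultantPasswordPolicy -Identity 'Administrator' |
    Select-Object Name, Precedence, MinPasswordLength, LockoutThreshold

# The same answer from the constructed attribute named on the slide. Constructed
# attributes are not returned by default, so ask for it explicitly.
(Get-ADUser -Identity 'Administrator' -Properties 'msDS-ResultantPSO').'msDS-ResultantPSO'

# PSOs linked directly to the user (as opposed to through group membership)
(Get-ADUser -Identity 'Administrator' -Properties 'msDS-PSOApplied').'msDS-PSOApplied'
```

If Get-ADUserResultantPasswordPolicy returns nothing for a user, no PSO applies and the domain default policy is in force; that is the case to check for administrative accounts that were added to a custom admin group instead of Domain Admins.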
Lesson 3: Implementing Audit Authentication
• Account Logon and Logon Events
• Demonstration: Configuring Authentication-Related Audit Policies
• Scope Audit Policies
• Demonstration: Viewing Logon Events
Account Logon and Logon Events
Advanced audit policies provide 53 auditable events:
• Account logon events:
• Registered by the system that authenticates the account
• For domain accounts: domain controllers
• For local accounts: local computer
• Logon events:
• Registered by the machine at which (or to which) a user logged on
• Interactive logon: user's system
• Network logon: server
[Diagram: Account Logon Event registered at AD DS; Logon Event registered at the client and at the server]
Demonstration: Configuring Authentication-Related Audit Policies
• In this demonstration, you will see where the authentication-related audit policies are configured
Scope Audit Policies
[Diagram: GPOs (Default Domain Controllers Policy, Custom GPO) scoping audit settings (Account Logon Events, Logon Events) to Domain Controllers, Remote Desktop Servers, and HR Clients]
Demonstration: Viewing Logon Events
• In this demonstration, you will see how to view
logon events
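Reading the two kinds of events from a domain controller's Security log, as an added example (not the course demonstration). The event IDs are the standard Windows Security log IDs: 4768, 4771 and 4776 are account logon events (Kerberos TGT requested, Kerberos pre-authentication failed, NTLM credential validation) and 4624/4625 are logon success and failure events. It assumes it is run on a DC where the Account Logon and Logon/Logoff subcategories have been enabled through the audit policy GPO; the 24-hour window and the ConvertTo-EventData helper are constructed for this example.

```powershell
# Added example, not from the course. Run on a domain controller (or point
# Get-WinEvent -ComputerName at one). The 24-hour window is a constructed choice.

# 1. Which subcategories are effective on this host (set by GPO, read back locally)
auditpol /get /category:"Account Logon"
auditpol /get /category:"Logon/Logoff"

$since = (Get-Date).AddHours(-24)

# 2. Account logon events: registered on the DC that authenticated the domain account.
#    4768 Kerberos TGT requested, 4771 Kerberos pre-authentication failed, 4776 NTLM validation
$accountLogon = Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4768, 4771, 4776; StartTime = $since } `
                             -ErrorAction SilentlyContinue
$accountLogon | Group-Object Id | Select-Object Count, Name

# 3. Logon events: registered on the machine logged on to (here the DC itself).
#    4624 success, 4625 failure
$logon = Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4624, 4625; StartTime = $since } `
                      -ErrorAction SilentlyContinue

# Helper (constructed for this example): flatten the EventData block into a hashtable
function ConvertTo-EventData($record) {
    $data = @{}
    foreach ($node in ([xml]$record.ToXml()).Event.EventData.Data) { $data[$node.Name] = $node.'#text' }
    $data
}

# 4. Failed logons by account and source. Repeated failures from one source against
#    many accounts, or against one account at a rate near the lockout threshold,
#    are the pattern the account lockout slide warns about.
$logon | Where-Object Id -eq 4625 | ForEach-Object {
    $d = ConvertTo-EventData $_
    [pscustomobject]@{
        Time      = $_.TimeCreated
        Account   = "$($d['TargetDomainName'])\$($d['TargetUserName'])"
        Source    = $d['IpAddress']
        LogonType = $d['LogonType']
        Status    = $d['Status']   # 0xC000006D bad user name or password, 0xC0000234 account locked out
    }
} | Group-Object Account, Source | Sort-Object Count -Descending |
    Select-Object Count, Name -First 10

# 5. Kerberos pre-authentication failures (4771) tell the same story at the
#    account-logon level, and are the DC-side record even when the logon
#    event itself was written on a member server.
$accountLogon | Where-Object Id -eq 4771 | ForEach-Object {
    $d = ConvertTo-EventData $_
    [pscustomobject]@{ Time = $_.TimeCreated; Account = $d['TargetUserName']; Source = $d['IpAddress']; Status = $d['Status'] }
} | Group-Object Account | Sort-Object Count -Descending | Select-Object Count, Name -First 10
```

The distinction the lesson draws shows up directly in where you have to look: a failed network logon to a file server is a 4625 on that server but a 4771 or 4776 on the domain controller, so a DC-only collection sees account logon events for the whole domain but logon events only for the DCs themselves.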
Lab: Securing AD DS
• Exercise 1: Implementing Security Policies for Accounts, Passwords, and Administrative Groups
• Exercise 2: Deploying and Configuring an RODC
Logon Information:
Virtual machines: 10969A-LON-DC1, 10969A-LON-DC2, 10969A-LON-SVR1
User name: Adatum\Administrator
Password: Pa$$w0rd
Estimated Time: 45 minutes
Lab Scenario
The security team at A. Datum Corporation has been examining the organization for possible security issues. It has been focusing on AD DS and is particularly concerned with AD DS authentication and branch-office domain controller security.
You have been asked to help improve the security and monitoring of authentication against the enterprise's AD DS domain. You must enforce a specified password policy for all user accounts, and you must develop a more stringent password policy for security-sensitive administrative accounts. It also is important that you implement an appropriate audit trail to help monitor authentication attempts within AD DS.
The second part of your assignment includes the deployment and configuration of RODCs to support AD DS authentication within a branch office.
Lab Review
• In the lab, we configured the password settings for
all users within the Default Domain Policy, and we
configured the password settings for
Administrators within a PSO. What other options
were available to accomplish the solution?
• In the lab, we were using precedence for the
administrative PSO with a value of 10. What is the
reason for this?
Module Review and Takeaways
• Review Questions
• Tools