Professional Documents
Culture Documents
Agenda
Active Directory design issues Trust Relationships Schema Protection Firewall Considerations Protecting Service Management Group Policy Architecture System Hardening
Security Boundaries
Forest security boundary Domain boundaries for administration Why is the forest the security boundary?
1. Forest-level service management 2. Implicit transitive trusts between all domains in a forest.
Design Implications
You cant delete trusts between domains in a forest You cant implement SID Filtering between domains in a forest Well You can, but it will break stuff So a domain cant be considered a security boundary All Domain Admins must be trusted
DMZ Considerations
Preferred > no AD systems in DMZ Extranet considerations
Separate forest to provide isolation Administrators that span forests should have separate accounts for each
Trust Relationships
Soft Controls
Protecting the AD Schema is more about following sound security practices than technical solutions Policy Guidelines Configuration Management Roles / responsibilities
Schema Policy
Ownership
Management of schema naming prefix Delegating OIDs Configuration Management
Define evaluation criteria for proposed schema extensions Provide final approval/disapproval
Soft Controls
Guidelines
Configuration management evaluation criteria OID Maintenance Documentation Splitting application deployment Schema testing guidelines
Access Control
Most important protect Schema Admins group!
Firewall Considerations
Firewall Considerations
Firewall the Root domain?
No real security gained, just added complexity
Firewall Considerations
When a firewall exists between Active Directory systems
Use IPSEC tunnels
Controlled OU Security
Type Name Access Applies To
Allow Allow
Enterprise Admins
Full Control
This object and all child objects This object and all child objects This object and all child objects This object and all child objects This object and all child objects This object and all child objects
Service Management Owners - <domain- Full Control name> SYSTEM <domain-name>\Domain Admins Full Control List Contents Read All Properties Read Permissions List Contents Read All Properties Read Permissions List Contents Read All Properties Read Permissions
Allow Allow
Allow
Allow
Success
Everyone
Write All Properties Delete Delete Subtree Modify Permissions Modify Owner All Validated Writes All Extended Rights Create All Child Objects Delete All Child Objects
Gotchas
Several issues with using separate domain for service management accounts model
Custom Domain Admin type group requires Domain Admin-level permissions
Cant add directly to Domain Admins group
Best Practices
Restrict membership to within forest Separate accounts Cached credentials Default service management accounts
Dont use Account Operators, Server Operators
The Basics
The Problem
How do I enforce enterprise-wide security policies? Problem
Domains are boundaries for Group Policy
Possible solutions
Site-level GPOs Non-technical solutions
Site-Level GPOs
Disadvantages
UGLY!!!
Replication issues Performance issues Issues with placement of ROOT DCs Does not apply to Password policies
Explore capabilities
Extend group policy
System Hardening
Adopt a Baseline/Guideline
BASELINE !! BASELINE !! BASELINE !! BASELINE !!
2. Manual hardening procedures 2. Verify functionality and security 3. Back out procedures 4. Known vulnerabilities register
Questions
Juan Martinez juan.martinezjr@ins.com www.ins.com