Active Directory Security Best Practices - TROOPERS18
Agenda
Who We Are
Intro
Mistake No. 1: Lack of AD Governance
The Problem: Lack of AD Governance
https://www.microsoft.com/mspress/books/sampchap/3173.aspx
The Solution: Dedicated AD Governance
Mistake No. 2: Admins (and Service Accounts) Logging on Everywhere
The Problem: Admins Logging on Everywhere…
[Diagram: admin accounts labelled Org., Prov1, Prov2 and Prov3 logging on to systems all over the environment]
Result of Mistake 2…
Access: Users and Workstations
Power: Domain Controllers
Data: Servers and Applications
This slide is from: Mark Simos, Nicholas DiCola; “TWC: Pass-the-Hash and Credential Theft Mitigation Architectures“
The Solution: Implement Administrative Tiers
Tier 0: Domain Controllers; Special Tier 0 Systems (Patch, AV, Mgmt); Workstations. Admins: Domain Admin, Enterprise & Domain Admins, BUILTIN\Administrators (General: Tier 0 Admins)
Tier 1: Application Servers; Tier 1 Mgmt Systems; Workstations. Admins: Server/App Admin, Server Admins, Server Services, Application Admins (General: Tier 1 Admins)
Tier 2: Internet Connected Workstations of Standard Users. Admins: Workstation Admins (Tier 2 Admins)
Tier 3: Standard Users
Tier Model Principles
Classify: Every single security principal, system, or application has to be classified as belonging to only one tier.
Restrict Logons: Security principals of a higher tier must never log on to a resource on a lower tier (implement logon restrictions).
Restrict Control: Security principals of a lower tier must never control resources of a higher tier (implement control restrictions).
Control Restrictions vs. Logon Restrictions
Implementation Guidelines
Summary
Mistake No. 3: Using “Dirty Sources”
The Problem: Security Dependencies
[Diagram: two security dependencies. Installation Media -> Infect Media -> Compromise Vector -> OS or Application Install; User Workstation -> Infect Workstation -> Compromise Vector -> Administration Task]
The Solution: Clean Source Principle
[Diagram: control relationship between a Subject and an Object]
Clean Source Principle: Installation
Clean Source Principle: Administration
Clean Source Principle: PAWs
[Diagram: PAW, PAW, User VM]
Clean Source Principle: ESAE/PRIV Forest
[Diagram: ESAE Forest and PRIV Forest next to the Production Forest, which holds Tier 0, Tier 1, Tier 2 and Standard Users]
Exemplary Secure Administration Environment Models
[Diagram: three models, each with a Global Resource Forest, Account Forest(s) and a trust for the identities of Shared Services: (1) Tier 0 managed via PAWs; (2) Tier 0 managed via a Local ESAE Forest; (3) Tier 0 managed via a Global ESAE Forest]
Exemplary ESAE Forest Implementation
[Diagram: ESAE Forest (AD(s), Firewall, DNS) managing Tier 0, Tier 1 and Tier 2 of the production environment across the App, OS, HW and NW layers. Components shown include AD, PKI, WSUS, Hyper-V, AV/Monitor/Vulnerability, PAM, Shares, Jump, Vault, Storage, Firewall, Switches, VPN, Hardware Management, Hypervisor, OS (DCs/Member), Exchange, Content Management, Identity & Access Management, Web Apps, DBs, Virtual Clients and Hardware Clients. PAWs: physically in Tier 2, logically in Tier 0.]
Mistake No. 4: (AD) Borders Not Under Control
The Problem: AD Borders Neither Well-defined Nor Controlled: Trusts
Too many trusts…
Trusts are too open…
[Diagram: Authentication Requests (with Domain- and Forest-wide Authentication) flowing from the Trusted Forest to the Trusting Forest; Authenticated Users; all requests coming over the trust are authenticated and routed by DC1]
The Problem: AD Borders Neither Well-defined Nor Controlled: DMZ
The Solution: AD Border & Trust Management
http://www.domainer.com.au/a-question-of-trust-2/
Trusts
DMZ AD
Mistake No. 5: Best Practices Lost in Time
The Problem: Basics Are Overlooked
The Solution: Do the Basics
AdminSDHolder Object
Mistake No. 6: Too Many and Too Privileged Service Accounts
The Problem: Overabundance of Service Accounts
The Solution: Service Account Housekeeping
Mistake No. 7: Too Many Admins
The Problem: Over-privileged Accounts
The Solution: Remove Privileges
Mistake No. 8: Using Bad Passwords
The Problem: Bad Policies & User Awareness
Example I: Really?
Example II: Better?
The Solution: Update Password Policies
Recommended Password Requirements
Type | Min Age | Max Age | Min Length | History | Complexity Requirements | Lockout Threshold
Mistake No. 9: Running Outdated Operating Systems
The Problem: Outdated Operating Systems
The Solution: Use Modern Operating System Versions
The Solution: Use Modern Operating System Features
Mistake No. 10: Vulnerable Systems and Applications Everywhere
The Problem: Insufficient Patch Management
The Solution: Patch and Vulnerability Management
Mistake No. 11: No Active Directory-Specific Security Logging & Monitoring
The Problem: No AD-Specific Security Logging & Monitoring
The Solution: AD-Specific Security Logging & Monitoring
Thank you for your time!
Additional Material & Information
Control/Logon Restrictions Example 1 for Admin Tiers
[Diagram: a Tier 1 Admin accessing a Tier 0 File Share]
A Tier 1 admin must access a Tier 0 file share to store certain files.
As required by his role, the Tier 1 admin can log on to a higher-tier resource to access a share and store files (well-defined and strictly monitored).
As the user is a Tier 1 admin, he cannot control the file share system / the resource (he can only access a share with limited NTFS permissions).
Note: A similar scenario is the access to the Netlogon share.
Control/Logon Restrictions Example 2 for Admin Tiers
[Diagram: a Tier 0 Admin logging on to a Tier 0 DC and controlling Tier 1]
The Tier 0 admin manages the identity store (the Active Directory database). He can define the group membership of Tier 0, Tier 1 (and Tier 2) accounts, and he can define security settings for Tier 0 and Tier 1 servers (and even Tier 2 computers) in GPOs.
Therefore, the Tier 0 admin must access dsa.msc and gpmc.msc on a DC (where he logs on).
Thus, as required by his role, the Tier 0 admin can control lower-tier resources, but he never logs on to a lower-tier system.
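The three tier principles (Classify, Restrict Logons, Restrict Control) and the two examples above, applied as an added check (not from the slides) over constructed logon records and control relationships; the account names, host names, tier tables and the "key=value" log format are assumptions:

```python
"""Tier-model check over constructed logon records and control relationships.
Principles from the slides: Classify (every principal and system belongs to
exactly one tier), Restrict Logons (a higher-tier principal never logs on to a
lower-tier system) and Restrict Control (a lower-tier principal never controls a
higher-tier resource). Example 1 (Tier 1 admin reads a Tier 0 share over the
network) and Example 2 (Tier 0 admin controls lower tiers from a DC) are the two
permitted cases. All account, host and log values are constructed (hypothetical)."""
from dataclasses import dataclass
from typing import Optional

# Constructed classification tables (hypothetical names).
PRINCIPAL_TIER = {"CORP\\t0-admin": 0, "CORP\\t1-srvadmin": 1, "CORP\\t2-wsadmin": 2}
SYSTEM_TIER = {"DC01": 0, "FS-T0": 0, "APP01": 1, "WS-ALICE": 2}
# Windows logon type 3 is a network logon (e.g. SMB share access); types such as
# 2 (Interactive) or 10 (RemoteInteractive) leave reusable credentials on the host.
NETWORK_LOGON = 3

@dataclass
class Logon:
    account: str
    host: str
    logon_type: int

@dataclass
class Control:
    subject: str  # security principal exercising control
    obj: str      # system or AD object being controlled
    right: str    # e.g. "GenericAll", "WriteDacl", "GPO-link"

def tier_of(name: str, table: dict) -> int:
    """Classify principle: an unclassified name is itself a finding."""
    if name not in table:
        raise KeyError(f"unclassified: {name}")
    return table[name]

def check_logon(ev: Logon) -> Optional[str]:
    """Restrict Logons. Returns None when compliant, else a finding string."""
    p, s = tier_of(ev.account, PRINCIPAL_TIER), tier_of(ev.host, SYSTEM_TIER)
    if p < s:  # higher-tier credential exposed on a lower-tier system
        return (f"VIOLATION logon: tier {p} {ev.account} logged on to tier {s} "
                f"{ev.host} (logon type {ev.logon_type})")
    if p > s and ev.logon_type == NETWORK_LOGON:
        # Example 1: permitted when well-defined and strictly monitored.
        return f"MONITOR: tier {p} {ev.account} accessed tier {s} {ev.host} over the network"
    if p > s:  # lower-tier account with a session on a higher-tier host
        return f"REVIEW: tier {p} {ev.account} has an interactive session on tier {s} {ev.host}"
    return None

def check_control(rel: Control) -> Optional[str]:
    """Restrict Control. Example 2 (Tier 0 controlling lower tiers) is compliant."""
    p, s = tier_of(rel.subject, PRINCIPAL_TIER), tier_of(rel.obj, SYSTEM_TIER)
    if p > s:
        return f"VIOLATION control: tier {p} {rel.subject} holds {rel.right} on tier {s} {rel.obj}"
    return None

def parse_logon_line(line: str) -> Logon:
    """Parse a constructed 'key=value' logon record (see SAMPLE_LOG)."""
    kv = dict(part.split("=", 1) for part in line.split())
    return Logon(kv["Account"], kv["Host"], int(kv["LogonType"]))

# Constructed sample data.
SAMPLE_LOG = [
    "EventID=4624 Account=CORP\\t1-srvadmin Host=FS-T0 LogonType=3",  # Example 1
    "EventID=4624 Account=CORP\\t0-admin Host=DC01 LogonType=2",       # Example 2
    "EventID=4624 Account=CORP\\t0-admin Host=WS-ALICE LogonType=10",  # Mistake 2
    "EventID=4624 Account=CORP\\svc-backup Host=APP01 LogonType=3",    # never classified
]
SAMPLE_CONTROL = [
    Control("CORP\\t0-admin", "APP01", "GPO-link"),     # Example 2: compliant
    Control("CORP\\t2-wsadmin", "DC01", "GenericAll"),  # lower tier controls Tier 0
]

def audit(log_lines=SAMPLE_LOG, controls=SAMPLE_CONTROL) -> list:
    """Return all findings in input order; an empty list means the model holds."""
    findings = []
    for item in [parse_logon_line(l) for l in log_lines] + list(controls):
        try:
            check = check_logon if isinstance(item, Logon) else check_control
            findings.append(check(item))
        except KeyError as e:  # Classify principle violated
            findings.append(f"VIOLATION classify: {e.args[0]}")
    return [f for f in findings if f]
```

Running `audit()` on the sample data yields one MONITOR entry for Example 1, a logon violation for the Tier 0 admin on a Tier 2 workstation, a classify violation for the unclassified service account, and a control violation for the Tier 2 admin holding rights on the DC.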
The Problem: AD Borders Neither Well-defined Nor Controlled: AD Extension Into the Cloud
Azure (Cloud)