IT Management, Simplified - ManageEngine
Real-time IT management solutions for the new speed of business

About Your Speaker
Derek Melber, MCSE & MVP (Active Directory and GP)
• www.manageengine.com resources
  • ManageEngine “Active Directory” Blog
  • Security Hardening Website
• Other useful resources
  • Twitter: @derekmelber
  • www.windowsecurity.com
  • www.derekmelber.com
  • Group Policy Resource Kit – MSPress

Agenda
• Password Policy
• Authentication Protocols
• Anonymous Authentication

Password Policy

Password Policy Defined
• Default Domain Policy contains default Password Policy
  • Password Policy
  • Account Lockout Policy
  • Kerberos Policy
• Password Policy for domain users must be in GPO linked to domain
• Can only be one Password Policy per domain using GP
• Password Policy in GPO linked to OU only affects local users

Reporting on Current Password Policy
• GPO reports fail to give current Password Policy
• Tools to report on current Password Policy
  • Secpol.msc
  • GPMC – Group Policy Results
  • Dumpsec (portion)
  • Net accounts (portion)
  • ADManager Plus

Configuring Appropriate Password Policy
• Need to defend against attacks
  • Dictionary
  • Brute force
  • Rainbow table
• Length is most important factor for secure password!
• Ideally password length should be over 20 characters
• Use passphrases to help generate long passwords

More Than One Password Policy For the Domain?
• Fine Grained Password Policies
  • Windows Server 2008 and greater
  • Configure using ADSIEdit
  • Still limited to options contained in GP

Reporting Fine Grained Password Policy
• Tools
  • Manually using ADSIEdit
  • PowerShell
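
The two reporting slides above (current Password Policy and Fine Grained Password Policy) can be covered by one PowerShell report that reads the policy in effect from Active Directory instead of from a GPO report. This is an added example, not part of the original deck; the function names and the 15-character floor are assumptions made here, and the cmdlets come from the ActiveDirectory module.

```powershell
# Added example. Requires the ActiveDirectory module (RSAT) on a domain-joined host.
Import-Module ActiveDirectory

# Assumption: 15 is the floor, taken from the deck's "above 14 characters" guidance.
$MinLengthFloor = 15

function ConvertTo-PolicyRow {
    param($Policy, [string]$Source, [string]$Name, $Precedence, [string]$AppliesTo)
    [pscustomobject]@{
        Source           = $Source
        Name             = $Name
        Precedence       = $Precedence
        MinLength        = $Policy.MinPasswordLength
        BelowFloor       = $Policy.MinPasswordLength -lt $MinLengthFloor
        Complexity       = $Policy.ComplexityEnabled
        MaxAgeDays       = $Policy.MaxPasswordAge.Days
        History          = $Policy.PasswordHistoryCount
        LockoutThreshold = $Policy.LockoutThreshold
        ReversibleEnc    = $Policy.ReversibleEncryptionEnabled
        AppliesTo        = $AppliesTo
    }
}

function Get-PasswordPolicyReport {
    # Domain-wide policy as stored on the domain object, not as written in a GPO.
    $domain = Get-ADDefaultDomainPasswordPolicy
    ConvertTo-PolicyRow -Policy $domain -Source 'Domain' -Name $domain.DistinguishedName `
        -Precedence $null -AppliesTo 'Users with no PSO applied'

    # Password Settings Objects; the lowest Precedence value wins when several apply.
    Get-ADFineGrainedPasswordPolicy -Filter * | Sort-Object Precedence | ForEach-Object {
        ConvertTo-PolicyRow -Policy $_ -Source 'PSO' -Name $_.Name `
            -Precedence $_.Precedence -AppliesTo ($_.AppliesTo -join '; ')
    }
}

Get-PasswordPolicyReport | Format-List
```

Rows with BelowFloor set to True are the policies that still permit passwords of 14 characters or fewer.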

Monitoring Password Policy Changes
• ADMP
  • Report
    • Advanced GPO Reports – Password Policy Changes
  • Alert
    • GPO Alert
    • Specify associated GPOs from current Password Policy GPOs

Monitoring Fine Grained Password Policy Changes
• ADMP
  • Report
    • Profile Based Reports – Advanced AD Object Audit – Password Settings Object Changes
  • Alert
    • Password Settings Object Changes Report

Authentication Protocols

Available Authentication Protocols
• Kerberos
  • Mutual authentication
  • Domain controllers authenticate using Kerberos Distribution Centers
  • No portion of the password is ever transmitted over the network
  • Attackers are prevented from capturing and replaying packets
• NTLMv2
  • Mutual authentication
  • No portion of the password is ever transmitted over the network
  • Allowed 128 character length passwords

Available Authentication Protocols
• NTLM
  • Introduced with Windows 3.1
  • Same as LM
• LM
  • First introduced in Windows 3.11
  • Only upper case alphas supported
  • Character set is limited to 142 characters
  • Maximum length of password is 14 characters
  • Algorithm breaks password into two 7 character chunks
  • Algorithm uses a cryptographic one-way function

LANManager Authentication Protocols
• Allow LM Authentications
  • Configured using Group Policy
  • Registry modification
    • LMCompatibilityLevel
  • Only “Refuse LM” options are secure

LANManager Authentication Protocols
• Storage of LM Hashes
  • Configured using Group Policy

NTLM Authentication Protocol Controls
• Updated for Windows 7/Windows Server 2008 R2

Restricting LM Authentication Protocol
• Deny 100% with Group Policy
  • Causes issues with user accounts that require LM/NTLM
  • Typically include legacy services
• Deny all but services and service accounts
  • Enforce minimum password length for domain users to above 14 characters
  • Allow service accounts to use password less than 14 characters

Reporting LM Authentication Protocol
• Tools
  • Regedit (manually on each and every computer)
  • Secpol.msc

Monitoring Use of LM Authentication Protocol
• Tools
  • Group Policy w/ Event Viewer (NTLM Log)
  • ADAP (Report and Alert)
  • Event Log Analyzer
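
A way to find which accounts and hosts still authenticate with LM or NTLMv1 before "Refuse LM" is enforced. This is an added example, not part of the original deck: it reads logon event 4624 from the Security log rather than the NTLM operational log the slide names, and the function name and 24-hour window are assumptions made here.

```powershell
# Added example. Run where logon auditing is enabled (a member server or domain controller).
function Get-LegacyNtlmLogon {
    param([int]$Hours = 24)

    $filter = @{ LogName = 'Security'; Id = 4624; StartTime = (Get-Date).AddHours(-$Hours) }
    Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue | ForEach-Object {
        # Turn the event's EventData name/value pairs into a lookup table.
        $data = @{}
        foreach ($d in ([xml]$_.ToXml()).Event.EventData.Data) { $data[$d.Name] = $d.'#text' }

        # LmPackageName is "NTLM V2" for NTLMv2 logons; anything else under the
        # NTLM package means the older LM or NTLMv1 variants were negotiated.
        if ($data['AuthenticationPackageName'] -eq 'NTLM' -and
            $data['LmPackageName'] -ne 'NTLM V2') {
            [pscustomobject]@{
                Time        = $_.TimeCreated
                User        = '{0}\{1}' -f $data['TargetDomainName'], $data['TargetUserName']
                Workstation = $data['WorkstationName']
                SourceIp    = $data['IpAddress']
                LogonType   = $data['LogonType']
                Package     = $data['LmPackageName']
            }
        }
    }
}

# Summarise by account and source so legacy services stand out from one-off logons.
Get-LegacyNtlmLogon -Hours 24 |
    Group-Object User, Workstation, Package |
    Sort-Object Count -Descending |
    Select-Object Count, Name
```

The accounts that appear here are the candidates for the "deny all but services and service accounts" approach on the earlier slide.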

Anonymous Authentication

Anonymous Authentication Basics
• Designed to allow computer to computer communication
• IPC$ share on each computer is communication gateway
  • Net use \\computername\ipc$ "" /user:""
• Anonymous connections allow for “null user” access
  • Object properties
  • List shares

Anonymous Authentication Controls
• Anonymous access is controlled using Group Policy

Reporting on Anonymous Authentication
• Tools
  • Manually using Regedit
  • Secpol.msc
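
Both "Reporting LM Authentication Protocol" and "Reporting on Anonymous Authentication" come down to reading registry values by hand, so one script can report them together. This is an added example, not part of the original deck: only LMCompatibilityLevel is named on the slides, and the other value names are the registry values behind the corresponding Group Policy security options, chosen here as an assumption about which settings the deck means.

```powershell
# Added example. Run locally on the Windows host being checked.
$Lsa    = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
$Server = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters'

# Each check: where the value lives, and a test that the configured value is restrictive.
$Checks = @(
    @{ Path = $Lsa;    Name = 'LmCompatibilityLevel'
       Ok = { $args[0] -ge 4 }; Note = 'Levels 4 and 5 are the "Refuse LM" options' }
    @{ Path = $Lsa;    Name = 'NoLMHash'
       Ok = { $args[0] -eq 1 }; Note = '1 = do not store LM hash on next password change' }
    @{ Path = $Lsa;    Name = 'RestrictAnonymousSAM'
       Ok = { $args[0] -eq 1 }; Note = '1 = no anonymous enumeration of SAM accounts' }
    @{ Path = $Lsa;    Name = 'RestrictAnonymous'
       Ok = { $args[0] -ge 1 }; Note = '1 = no anonymous enumeration of accounts and shares' }
    @{ Path = $Lsa;    Name = 'EveryoneIncludesAnonymous'
       Ok = { $args[0] -eq 0 }; Note = '0 = Everyone permissions exclude anonymous users' }
    @{ Path = $Server; Name = 'RestrictNullSessAccess'
       Ok = { $args[0] -eq 1 }; Note = '1 = null sessions limited to listed pipes and shares' }
)

function Get-LegacyAuthSettings {
    foreach ($c in $Checks) {
        # A missing value means the setting was never configured on this host.
        $value = (Get-ItemProperty -Path $c.Path -Name $c.Name -ErrorAction SilentlyContinue).($c.Name)
        [pscustomobject]@{
            Setting = $c.Name
            Value   = if ($null -eq $value) { '(not set, OS default applies)' } else { $value }
            Status  = if ($null -eq $value) { 'Review' }
                      elseif (& $c.Ok $value) { 'OK' }
                      else { 'Weak' }
            Note    = $c.Note
        }
    }
}

Get-LegacyAuthSettings | Format-Table -AutoSize -Wrap
```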

Summary
• Password Policy
• Authentication Protocols
• Anonymous Authentication

Thank you!