07/06/13 Module 10: Improving the Security of Authentication in an AD DS Domain
https://skillpipe.courseware-marketplace.com/reader/Print/be1aba64-6bbe-4ff5-82e5-4d7e5b9d8ee0?ChapterNumber=12&FontSize=3&FontType=segoe 1/90
Module 10: Improving the Security of Authentication in an AD DS Domain
Contents:
Lesson 1: Configure Password and Lockout Policies
Lab A: Configure Password and Account Lockout Policies
Lesson 2: Audit Authentication
Lab B: Audit Authentication
Lesson 3: Configure Read-Only Domain Controllers
Lab C: Configure Read-Only Domain Controllers
Module Overview
When users log on to an Active Directory domain, they enter their user name and password. Then, the client computer uses those credentials to authenticate the users' identities against their Active Directory accounts. In Module 3, you learned how to create and manage user accounts and their properties, including passwords. In this module, you will explore the domain-side components of authentication, including the policies that specify password requirements and the auditing of authentication-related activities. You will also discover two features introduced by Windows Server 2008 that can significantly improve the security of authentication in an Active Directory Domain Services (AD DS) domain: password settings objects (better known as fine-grained password policy) and read-only domain controllers (RODCs).
Objectives
After completing this module, you will be able to:
Configure password and account lockout policies.
Configure auditing of authentication-related activity.
Configure RODCs.
Lesson 1: Configure Password and Lockout Policies
By default, in a Windows Server 2008 or Windows Server 2008 R2 domain, users need to change their password every 42 days, and a password must be at least seven characters long and meet complexity requirements, including the use of three of four character types: uppercase, lowercase, numeric, and nonalphanumeric. Typically, in an Active Directory domain, administrators and users first encounter three password policies: maximum password age, password length, and password complexity. Rarely do these default settings align precisely with an organization's password security requirements. Your organization might require passwords to be changed more or less frequently, or to be longer. In this lesson, you will learn to implement your enterprise's password and lockout policies by modifying the Default Domain Policy Group Policy object (GPO).
As you know, there are exceptions to every rule, and you may require exceptions to your password policies. To enhance your domain's security, you can place more restrictive password requirements on accounts assigned to administrators, on accounts used by services such as Microsoft SQL Server, or on a backup utility. In earlier versions of Windows, this was not possible: a single password policy applied to all accounts in the domain. In this lesson, you will learn to configure fine-grained password policies. This is a new feature in Windows Server 2008 that allows you to assign different password policies to users and groups in your domain.
Objectives
After completing this lesson, you will be able to:
Understand password and account lockout policies.
Implement your domain password and account lockout policy.
Configure and assign fine-grained password policies.
Understand Password Policies
Your domain's password policy is configured by a GPO scoped to the domain. Within the GPO, in the Group Policy console tree, expand Computer Configuration, Policies, Windows Settings, Security Settings, and then Account Policies. In the Account Policies node, access the Password Policy node to configure the policy settings that determine password requirements. The Password Policy node is shown in the following screenshot.
You can understand the effect of the policies by considering the life cycle of a user password. A user needs to change the password within the number of days specified by the Maximum Password Age policy setting. When the user enters a new password, the length of the new password will be compared with the number of characters in the Minimum Password Length policy.
If the Password Must Meet Complexity Requirements policy is enabled, the password must contain at least three of the following four character types:
Uppercase: A to Z
Lowercase: a to z
Numeric: 0 to 9
Nonalphanumeric symbols: !, #, %, or &
If the new password meets requirements, Active Directory puts the password through a mathematical algorithm that produces a representation of the password called the hash code. The hash code is unique: no two different passwords can create the same hash code. The algorithm used to create the hash code is called a one-way function. You cannot put the hash code through a reverse function to derive the password. The fact that it is a hash code, and not the password itself, that is stored in Active Directory helps increase the user accounts' security.
Occasionally, some applications require the ability to read a user's password. This is not possible because, by default, only the hash code is stored in Active Directory. To support such applications, you can enable the Store Passwords Using Reversible Encryption policy setting. This policy setting is not enabled by default. If you enable the policy, user passwords are stored in an encrypted form that can be decrypted by the application. Reversible encryption significantly reduces a domain's security, so it is disabled by default, and you should strive to eliminate applications that require direct access to passwords.
Additionally, Active Directory can check the cache of the user's previous hash codes to ensure that the new password is not the same as the user's previous passwords. The number of previous passwords against which a new password is evaluated is determined by the Enforce Password History policy. By default, Windows maintains the previous 24 hash codes, which means that a user cannot use the last 24 passwords when entering a new one.
If a user is determined to reuse the same password when the password expiration period occurs, the user could simply change the password 25 times to work around the password history. To prevent that from happening, the Minimum Password Age policy specifies an amount of time that must pass between password changes. By default, it is one day. Therefore, the determined user would have to change the password once per day for 25 days to reuse a password. This serves as an effective deterrent of such behavior.
These policy settings (history, minimum age, and maximum age) affect only a user who changes the password. The settings do not affect an administrator who uses the Reset Password command to change another user's password.
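The password life cycle described above, modelled as an added example (this is not code from the course): minimum length, the three-of-four complexity rule, Enforce Password History and Minimum Password Age are applied in turn to a candidate password and the violations are reported. SHA-256 is used here only as a stand-in for the one-way function Active Directory actually applies; the policy values, the sample history and the candidate passwords are constructed for the illustration, and Windows PowerShell 3.0 or later is assumed.

```powershell
# Added example, not from the course. Models the Password Policy checks:
# Minimum password length, complexity (three of four character types),
# Enforce password history, Minimum password age. SHA-256 stands in for
# AD's own one-way function; only hashes, never passwords, are kept for history.
$Policy = @{
    MinimumPasswordLength  = 7      # Windows Server 2008 default
    ComplexityEnabled      = $true
    PasswordHistoryLength  = 24     # default: last 24 hash codes remembered
    MinimumPasswordAgeDays = 1      # default: one day between changes
}

function Get-PasswordHash {
    param([Parameter(Mandatory=$true)][string]$Password)
    $sha   = [System.Security.Cryptography.SHA256]::Create()
    $bytes = [System.Text.Encoding]::UTF8.GetBytes($Password)
    ($sha.ComputeHash($bytes) | ForEach-Object { $_.ToString('x2') }) -join ''
}

function Test-PasswordComplexity {
    # At least three of: uppercase, lowercase, numeric, nonalphanumeric.
    param([Parameter(Mandatory=$true)][string]$Password)
    $classes = 0
    if ($Password -cmatch '[A-Z]')        { $classes++ }
    if ($Password -cmatch '[a-z]')        { $classes++ }
    if ($Password -match  '[0-9]')        { $classes++ }
    if ($Password -match  '[^A-Za-z0-9]') { $classes++ }
    return ($classes -ge 3)
}

function Test-PasswordChange {
    # Returns the list of policy violations; an empty list means the change is accepted.
    param(
        [Parameter(Mandatory=$true)][string]$NewPassword,
        [Parameter(Mandatory=$true)][AllowEmptyCollection()][string[]]$PreviousHashes,  # newest first
        [Parameter(Mandatory=$true)][datetime]$LastSet,
        [Parameter(Mandatory=$true)][datetime]$Now,
        [Parameter(Mandatory=$true)][hashtable]$Policy
    )
    $violations = @()
    if (($Now - $LastSet).TotalDays -lt $Policy.MinimumPasswordAgeDays) {
        $violations += 'minimum password age not reached'
    }
    if ($NewPassword.Length -lt $Policy.MinimumPasswordLength) {
        $violations += "shorter than $($Policy.MinimumPasswordLength) characters"
    }
    if ($Policy.ComplexityEnabled -and -not (Test-PasswordComplexity $NewPassword)) {
        $violations += 'fewer than three of the four character types'
    }
    # Only the most recent N hashes count, exactly as Enforce Password History does.
    $remembered = @($PreviousHashes | Select-Object -First $Policy.PasswordHistoryLength)
    if ($remembered -contains (Get-PasswordHash $NewPassword)) {
        $violations += "matches one of the last $($Policy.PasswordHistoryLength) passwords"
    }
    return ,$violations
}

# Constructed sample: the user set 'Spring2013!' two days ago and tries four new values.
$history = @('Spring2013!', 'Winter2012!') | ForEach-Object { Get-PasswordHash $_ }
$lastSet = (Get-Date).AddDays(-2)
foreach ($candidate in 'abc1!', 'alllowercase', 'Spring2013!', 'Autumn2013#Rain') {
    $result = Test-PasswordChange -NewPassword $candidate -PreviousHashes $history `
                                  -LastSet $lastSet -Now (Get-Date) -Policy $Policy
    if ($result.Count -eq 0) { "$($candidate): accepted" }
    else                     { "$($candidate): rejected ($($result -join '; '))" }
}
```

The first candidate fails on length, the second on complexity, the third on history, and only the last is accepted; moving `$lastSet` to within the last 24 hours makes every candidate fail on minimum age as well, which is the deterrent the text describes.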
Understand Account Lockout Policies
An intruder can gain access to the resources in your domain by determining a valid user name and password. User names are relatively easy to identify, because most organizations create user names from an employee's email address, initials, combinations of first and last names, or employee IDs. After a user name is known, the intruder must determine the correct password. This can be done by guessing, or by repeatedly logging on with combinations of characters or words until the logon is successful.
This type of attack, called brute force, can be thwarted by limiting the number of incorrect logons that are allowed. That is what account lockout policies achieve. Account lockout policies are located in the node of the GPO directly below the Password Policy. The Account Lockout Policy node is shown in the following screenshot.
There are three settings related to account lockout. The Account Lockout Threshold setting determines the number of invalid logon attempts permitted within a time specified by the Reset account lockout counter after policy. If an attack results in more unsuccessful logons within that time frame, the user account is locked out. When an account is locked out, Active Directory denies logon to that account, even if the correct password is specified. The account will remain locked out for the period of time specified in the Account lockout duration setting. If you set this to a value of 0, only the administrator can manually unlock a locked user account by using the Active Directory Users and Computers console.
Note: Although account lockout policies can be useful in preventing brute force attacks, some organizations choose not to define account lockout policies, because they can actually create denial-of-service scenarios. If a hacker performs a brute force attack against an account used by a service (your SQL servers, for example) and the account is locked, eventually the service will fail. Many organizations choose to use auditing, intrusion detection, and other monitoring approaches to mitigate brute force attacks.
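The interaction of the three lockout settings, as an added example (not code from the course): a timeline of failed logons is run through the counter logic so that the effect of the observation window, the threshold and the duration can be read off line by line. The policy values and the timestamps are constructed for the illustration, and Windows PowerShell 3.0 or later is assumed.

```powershell
# Added example, not from the course. Models how Account lockout threshold,
# Reset account lockout counter after (the observation window) and Account
# lockout duration interact for one account. The bad-password counter restarts
# when a failure arrives more than one window after the previous failure;
# reaching the threshold locks the account for the duration (0 = until an
# administrator unlocks it).
$Lockout = @{
    Threshold                = 5     # Account lockout threshold
    ObservationWindowMinutes = 30    # Reset account lockout counter after
    DurationMinutes          = 30    # Account lockout duration (0 = manual unlock only)
}

function Get-LockoutTimeline {
    param(
        [Parameter(Mandatory=$true)][datetime[]]$FailedAttempts,  # ascending order
        [Parameter(Mandatory=$true)][hashtable]$Policy
    )
    $badCount = 0
    $lastBad  = $null
    $lockedAt = $null
    foreach ($t in $FailedAttempts) {
        if ($lockedAt -ne $null) {
            # Still inside the lockout duration: the logon is refused whatever the password.
            if ($Policy.DurationMinutes -eq 0 -or $t -lt $lockedAt.AddMinutes($Policy.DurationMinutes)) {
                [pscustomobject]@{ Time = $t; BadCount = $badCount; State = 'locked (attempt refused)' }
                continue
            }
            $lockedAt = $null; $badCount = 0   # duration elapsed: automatic unlock
        }
        if ($lastBad -ne $null -and ($t - $lastBad).TotalMinutes -gt $Policy.ObservationWindowMinutes) {
            $badCount = 0                      # window expired: counter resets
        }
        $badCount++
        $lastBad = $t
        $state = 'counting'
        if ($badCount -ge $Policy.Threshold) { $lockedAt = $t; $state = 'LOCKED OUT' }
        [pscustomobject]@{ Time = $t; BadCount = $badCount; State = $state }
    }
}

# Constructed sample: four guesses spaced wider than the window never trip the
# threshold; a burst of five inside one window does, and the account stays locked
# for 30 minutes before the next failure starts a fresh count.
$base = Get-Date '2013-06-07 08:00'
$attempts = @(
    $base, $base.AddMinutes(40), $base.AddMinutes(80), $base.AddMinutes(120)
    $base.AddMinutes(200), $base.AddMinutes(201), $base.AddMinutes(202)
    $base.AddMinutes(203), $base.AddMinutes(204)
    $base.AddMinutes(210), $base.AddMinutes(240)
)
Get-LockoutTimeline -FailedAttempts $attempts -Policy $Lockout | Format-Table -AutoSize
```

Setting `DurationMinutes` to 0 keeps the account in the `locked` state for the rest of the timeline, which is the denial-of-service outcome the note warns about for service accounts.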
Configure the Domain Password and Lockout Policy
Active Directory supports one set of password and lockout policies for a domain. These policies are configured in a GPO that is scoped to the domain. A new domain contains a GPO called the Default Domain Policy that is linked to the domain and that includes the default policy settings for password, account lockout, and Kerberos policies. You can change the settings by editing the Default Domain Policy GPO.
The best practice is to edit the Default Domain Policy GPO to specify the password policy settings for your organization. You should also use the Default Domain Policy GPO to specify account lockout policies and Kerberos policies. Do not use the Default Domain Policy GPO to deploy any other custom policy settings. In other words, the Default Domain Policy GPO only defines the password, account lockout, and Kerberos policies for the domain. Additionally, do not define password, account lockout, or Kerberos policies for the domain in any other GPO.
The password settings configured in the Default Domain Policy affect all user accounts in the domain. The settings can be overridden, however, by the password-related properties of the individual user accounts. On the Account tab of a user's Properties dialog box, you can specify settings such as Password Never Expires or Store Passwords Using Reversible Encryption. For example, if five users have an application that requires direct access to their passwords, you can configure the accounts for those users to store their passwords by using reversible encryption.
Demonstration: Configure Domain Account Policies
In this demonstration, you see how to configure the domain account policies to meet the following requirements for passwords:
A minimum of eight characters long.
Comply with Windows default complexity requirements.
Users must change their password every 90 days.
Users cannot change their own password more than once a week.
A user cannot reuse a password within a year.
Demonstration Steps
1. In the Group Policy Management console, in the console tree, expand Forest: contoso.com, Domains, and contoso.com.
2. Right-click Default Domain Policy underneath the domain, contoso.com, and then click Edit.
3. In the Group Policy Management Editor console tree, expand Computer Configuration, Policies, Windows Settings, Security Settings, and Account Policies, and then click Password Policy.
4. Double-click the following policy settings in the console details pane and configure the settings as indicated:
Enforce password history: 53 passwords remembered
Maximum password age: 90 days
Minimum password age: 7 days
Minimum password length: 8 characters
Password must meet complexity requirements: Enabled
5. Close the Group Policy Management Editor window.
6. Close the Group Policy Management window.
Fine-Grained Password and Lockout Policy
In the Windows Server 2003 Active Directory environment, it was not possible to have more than one password and account lockout policy per domain. Because of this limitation in the earlier Windows Server versions, you had to create more than one domain in the Active Directory forest for different password requirements in a single organization. For example, consider a scenario where you want your administrators to have passwords with a minimum length of 14 characters and other users to have at least 7 or more characters. The only way to accomplish this is to move administrators (or users) to another domain. In such scenarios, administrators usually create two domains, such as contoso.com and users.contoso.com. However, it can cause additional maintenance and administrative cost to support two domain structures. You can solve this problem by using Windows Server 2008. You can override the domain password and lockout policy by using a new feature of Windows Server 2008 called fine-grained password and lockout policy, often shortened to simply fine-grained password policy. A fine-grained password policy allows you to configure a policy that applies to one or more groups or users in your domain. However, you cannot apply this functionality by using Group Policy. You can apply it only by defining a new type of object and some additional attributes to user and group objects.
A fine-grained password policy is a highly anticipated addition to Active Directory. There are several scenarios for which a fine-grained password policy can be used to increase your domain security.
Accounts used by administrators are delegated privileges to modify objects in Active Directory. Therefore, if an intruder compromises an administrator's account, more damage can be done to the domain than could be done with the account of a standard user. Therefore, consider implementing stricter password requirements for administrative accounts. For example, you might require a greater password length and more frequent password changes.
Another type of account that requires special treatment in a domain is an account used by services such as SQL Server. A service performs its tasks with credentials that must be authenticated with a user name and password, just like those of a human user. However, most services are not capable of changing their own password, so administrators configure service accounts with the Password Never Expires option enabled. When an account's password will not be changed, you should ensure that the password is difficult to compromise. You can use fine-grained password policies to specify an extremely long minimum password length.
Understand Password Settings Objects
The settings managed by fine-grained password policy are identical to those in the Password Policy and Account Lockout Policy nodes of a GPO. However, fine-grained password policies are neither implemented as part of Group Policy nor are they applied as part of a GPO. Instead, there is a separate class of object in Active Directory that maintains the settings for fine-grained password policy: the Password Settings Object (PSO).
Most Active Directory objects can be managed with user-friendly graphical user interface (GUI) tools, such as the Active Directory Users and Computers snap-in. You manage PSOs, however, with low-level tools, including Active Directory Service Interfaces Editor (ADSI Edit).
You can create one or more PSOs in your domain. Each PSO contains a complete set of password and lockout policy settings. A PSO is applied by linking the PSO to one or more global security groups or users. Actually, by linking a PSO to a user or a group, you're modifying an attribute called msDS-PSOApplied, which is empty by default. This approach now treats password and account lockout settings not as domain-wide requirements, but as attributes of a specific user or group. For example, to configure a strict password policy for administrative accounts, create a global security group, add the service user accounts as members, and link a PSO to the group. Applying fine-grained password policies to a group in this manner is more manageable than applying the policies to each individual user account. If you create a new service account, you simply add it to the group, and the account becomes managed by the PSO.
To use a fine-grained password policy, your domain must be at the Windows Server 2008 domain functional level, which means that all of your domain controllers in the domain are running Windows Server 2008, and the domain functional level has been raised to Windows Server 2008.
To confirm and modify the domain functional level:
1. Open Active Directory Domains and Trusts.
2. In the console tree, expand Active Directory Domains and Trusts, and then expand the tree until you can see the domain.
3. Right-click the domain, and then click Raise domain functional level.
Demonstration: Configure Fine-Grained Password Policy
In this demonstration, you will see how to configure a fine-grained password policy to enhance the security of accounts in the Domain Admins group.
Demonstration Steps
1. Verify that the domain functional level is Windows Server 2008.
2. Run the ADSI Edit utility on a domain controller.
3. Create a new PSO, named MyDomainAdminsPSO, in DC=Contoso > DC=com > CN=System > CN=Password Settings Container, with the following settings:
Password stored with reversible encryption: False
Password history: Enabled
Password complexity requirement: Enabled
Minimum password age: 1 day
Maximum password age: 45 days
Account lockout threshold: 5
Account lockout duration: 1 day
Account lockout counter reset: 1 hour
4. Assign the new PSO to the Domain Admins group.
PSO Precedence and Resultant PSO
A PSO can be linked to more than one group or user, an individual group or user can have more than one PSO linked to it, and a user can belong to multiple groups. So, which fine-grained password and lockout policy settings apply to a user? One and only one PSO determines the password and lockout settings for a user; it is called the resultant PSO. Each PSO has an attribute that determines the PSO's precedence. The precedence value is any number greater than 0, where the number 1 indicates the highest precedence. If multiple PSOs apply to a user, the PSO with the highest precedence takes effect. The rules that determine precedence are as follows:
If multiple PSOs apply to groups to which the user belongs, the PSO with the highest precedence wins.
If one or more PSOs are linked directly to the user, PSOs linked to groups are ignored, regardless of their precedence. The user-linked PSO with the highest precedence wins.
If one or more PSOs have the same precedence value, Active Directory must choose. It picks the PSO with the lowest globally unique identifier (GUID). GUIDs are like serial numbers for Active Directory objects: no two objects have the same GUID. GUIDs have no particular meaning (they are just identifiers), so picking the PSO with the lowest GUID is, in effect, an arbitrary decision. You should configure PSOs with unique, specific precedence values so that you avoid this scenario.
These rules determine the resultant PSO. Active Directory exposes the resultant PSO in a user object attribute, msDS-ResultantPSO, so you can readily identify the PSO that will affect a user. PSOs contain all password and lockout settings, so there is no inheritance or merging of settings. The resultant PSO is the authoritative PSO.
To view the msDS-ResultantPSO attribute of a user:
1. Ensure that Advanced Features is enabled on the View menu.
2. Open the properties of the user account.
3. Click the Attribute Editor tab.
4. Click Filter and ensure that Constructed is selected.
5. Locate the msDS-ResultantPSO attribute.
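The three precedence rules, written out as a function and applied to constructed in-memory PSO records so that the outcome can be checked by hand (an added example, not code from the course; the PSO names, GUIDs and distinguished names below are made up for the illustration, and Windows PowerShell 3.0 or later is assumed). In a real domain the same answer is read from msDS-ResultantPSO, or with Get-ADUserResultantPasswordPolicy from the Active Directory module.

```powershell
# Added example, not from the course. Resolves the resultant PSO for a user from
# constructed PSO records using the precedence rules: user-linked PSOs beat
# group-linked ones; lower precedence number wins; equal precedence is broken
# by the lowest GUID (the arbitrary outcome the text tells you to avoid).
function Resolve-ResultantPso {
    param(
        [Parameter(Mandatory=$true)][string]$UserDn,
        [Parameter(Mandatory=$true)][string[]]$UserGroupDns,  # DNs of the user's groups
        [Parameter(Mandatory=$true)][object[]]$Psos           # Name, Precedence, ObjectGuid, AppliesTo
    )
    # Rule: PSOs linked directly to the user are considered first, and alone.
    $candidates = @($Psos | Where-Object { $_.AppliesTo -contains $UserDn })
    if ($candidates.Count -eq 0) {
        # Otherwise every PSO linked to any group the user belongs to is a candidate.
        $candidates = @($Psos | Where-Object {
            $pso = $_
            @($UserGroupDns | Where-Object { $pso.AppliesTo -contains $_ }).Count -gt 0
        })
    }
    if ($candidates.Count -eq 0) { return $null }   # no PSO: the domain policy applies
    # Lowest precedence number = highest precedence; ties fall to the lowest GUID.
    return ($candidates | Sort-Object Precedence, ObjectGuid | Select-Object -First 1)
}

# Constructed sample data (names, GUIDs and DNs are made up for this illustration).
$psos = @(
    [pscustomobject]@{ Name='ServiceAccountsPSO'; Precedence=10; ObjectGuid=[guid]'22222222-0000-0000-0000-000000000002'; AppliesTo=@('CN=Service Accounts,OU=Groups,DC=contoso,DC=com') }
    [pscustomobject]@{ Name='MyDomainAdminsPSO';  Precedence=1;  ObjectGuid=[guid]'33333333-0000-0000-0000-000000000003'; AppliesTo=@('CN=Domain Admins,CN=Users,DC=contoso,DC=com') }
    [pscustomobject]@{ Name='HelpDeskPSO';        Precedence=1;  ObjectGuid=[guid]'11111111-0000-0000-0000-000000000001'; AppliesTo=@('CN=Help Desk,OU=Groups,DC=contoso,DC=com') }
    [pscustomobject]@{ Name='PatExceptionPSO';    Precedence=50; ObjectGuid=[guid]'44444444-0000-0000-0000-000000000004'; AppliesTo=@('CN=Pat Coleman (Admin),OU=Admins,DC=contoso,DC=com') }
)
$groups = @('CN=Domain Admins,CN=Users,DC=contoso,DC=com', 'CN=Help Desk,OU=Groups,DC=contoso,DC=com')

# Member of both groups, nothing linked directly: two PSOs share precedence 1, so the
# lower GUID (HelpDeskPSO) wins rather than the intended MyDomainAdminsPSO.
(Resolve-ResultantPso -UserDn 'CN=Some Admin,OU=Admins,DC=contoso,DC=com' -UserGroupDns $groups -Psos $psos).Name

# Same groups, but a PSO linked directly to the user: it wins despite precedence 50.
(Resolve-ResultantPso -UserDn 'CN=Pat Coleman (Admin),OU=Admins,DC=contoso,DC=com' -UserGroupDns $groups -Psos $psos).Name
```

Giving MyDomainAdminsPSO and HelpDeskPSO distinct precedence values removes the GUID tie-break from the first call, which is the configuration practice the text recommends.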
PSOs, OUs, and Shadow Groups
PSOs can be linked to global security groups or users. PSOs cannot be linked to organizational units (OUs). If you want to apply password and lockout policies to users in an OU, you must create a global security group that includes all of the users in the OU. This type of group is called a shadow group: its membership shadows, or mimics, the membership of an OU.
Note: There is no graphical tool in Windows Server 2008 to create shadow groups. However, you can create and manage them by using a very simple script that will run periodically. This script should enumerate user objects in the desired OU and put them in a group.
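The periodic shadow-group script the note describes, as an added example written with the Active Directory module (Windows Server 2008 R2 or later); it is not code from the course. It both adds users who have arrived in the OU and removes users who have left it, so the group keeps tracking the OU. The OU and group names are assumptions (the Service Accounts OU is the one named in the lab review question); the group must already exist as a global security group.

```powershell
# Added example, not from the course. Keeps a global security group's user
# membership identical to the set of user objects in one OU, so a PSO linked
# to the group effectively applies to the OU. Schedule it (Task Scheduler)
# to run periodically, as the note suggests.
Import-Module ActiveDirectory

function Sync-ShadowGroup {
    param(
        [Parameter(Mandatory=$true)][string]$OuDn,        # OU whose users the group mirrors
        [Parameter(Mandatory=$true)][string]$GroupName    # existing global security group
    )
    # Users currently in the OU (direct children; use -SearchScope Subtree for nested OUs).
    $ouUsers = @(Get-ADUser -Filter * -SearchBase $OuDn -SearchScope OneLevel |
                 Select-Object -ExpandProperty DistinguishedName)
    # User members currently in the group (groups nested in it are left alone).
    $members = @(Get-ADGroupMember -Identity $GroupName |
                 Where-Object { $_.objectClass -eq 'user' } |
                 Select-Object -ExpandProperty distinguishedName)

    $toAdd    = @($ouUsers | Where-Object { $members -notcontains $_ })
    $toRemove = @($members | Where-Object { $ouUsers -notcontains $_ })

    if ($toAdd.Count    -gt 0) { Add-ADGroupMember    -Identity $GroupName -Members $toAdd }
    if ($toRemove.Count -gt 0) { Remove-ADGroupMember -Identity $GroupName -Members $toRemove -Confirm:$false }

    [pscustomobject]@{ Group = $GroupName; Added = $toAdd.Count; Removed = $toRemove.Count }
}

# Assumed names: the OU from the lab review question and a shadow group created for it.
Sync-ShadowGroup -OuDn 'OU=Service Accounts,DC=contoso,DC=com' -GroupName 'Service Accounts Shadow'
```

Removal matters as much as addition: an account moved out of the OU would otherwise keep the OU's password policy until someone noticed.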
Lab A: Configure Password and Account Lockout Policies
Lab Setup
For this lab, you will use the available virtual machine environment. Before you begin the lab, you must complete the following steps:
1. On the host computer, click Start, point to Administrative Tools, and then click Hyper-V Manager.
2. In Hyper-V Manager, click 6425C-NYC-DC1, and in the Actions pane, click Start.
3. In the Actions pane, click Connect. Wait until the virtual machine starts.
4. Log on by using the following credentials:
User name: Pat.Coleman
Password: Pa$$w0rd
Domain: Contoso
Lab Scenario
The security team at Contoso, Ltd has tasked you with increasing the security and monitoring of authentication against the enterprise's AD DS domain. Specifically, you must enforce a specified password policy for all user accounts, and a more stringent password policy for security-sensitive, administrative accounts.
Exercise 1: Configure the Domain's Password and Lockout Policies
In this exercise, you will modify the Default Domain Policy GPO to implement a password and lockout policy for users in the contoso.com domain.
The main tasks for this exercise are as follows:
1. Configure the domain account policies.
Task: Configure the domain account policies.
1. Run Group Policy Management as an administrator, with the user name Pat.Coleman_Admin and the password Pa$$w0rd.
2. Edit the Default Domain Policy GPO.
3. Configure the following password policy settings. Leave other settings at their default values.
Maximum password age: 90 days
Minimum password length: 10 characters
4. Configure the following account lockout policy setting. Leave other settings at their default values.
Account lockout threshold: 5 invalid logon attempts.
5. Close Group Policy Management Editor and Group Policy Management.
Results: In this exercise, you configured new settings for the domain account policies.
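A check that the Exercise 1 settings are actually in force, as an added example (not part of the lab): the effective domain password and lockout policy is read back with the Active Directory module and compared with what the exercise specifies. It assumes Windows Server 2008 R2 or later, Windows PowerShell 3.0 or later, and a session running as Pat.Coleman_Admin as in the lab; the same check covers the demonstration earlier in the lesson by swapping in its values.

```powershell
# Added example, not part of the lab. Verifies the domain account policy after
# the Default Domain Policy GPO has been edited and refreshed on the domain
# controller. Get-ADDefaultDomainPasswordPolicy reads the effective values
# from the domain head, which is where the GPO writes them.
Import-Module ActiveDirectory

function Test-DomainAccountPolicy {
    param(
        [Parameter(Mandatory=$true)][string]$Domain,
        [Parameter(Mandatory=$true)][hashtable]$Expected   # property name -> expected value
    )
    $actual = Get-ADDefaultDomainPasswordPolicy -Identity $Domain
    foreach ($name in $Expected.Keys) {
        [pscustomobject]@{
            Setting  = $name
            Expected = $Expected[$name]
            Actual   = $actual.$name
            Matches  = ($actual.$name -eq $Expected[$name])
        }
    }
}

# Values from Exercise 1. The demonstration's values (53 remembered, 90 and 7 days,
# 8 characters) would be checked the same way through PasswordHistoryCount,
# MaxPasswordAge, MinPasswordAge and MinPasswordLength.
$expected = @{
    MaxPasswordAge    = New-TimeSpan -Days 90
    MinPasswordLength = 10
    LockoutThreshold  = 5
}

$report = Test-DomainAccountPolicy -Domain 'contoso.com' -Expected $expected
$report | Format-Table -AutoSize
if ($report | Where-Object { -not $_.Matches }) {
    Write-Warning 'Domain account policy differs from the lab specification; run gpupdate /force on the domain controller and check again.'
}
```

The legacy `net accounts /domain` command prints the same effective values (minimum and maximum password age, minimum length, history length, and the three lockout settings) and is a quick second opinion on a domain controller that lacks the module.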
Exercise 2: Configure Fine-Grained Password Policy
In this exercise, you will create a PSO that applies a restrictive, fine-grained password policy to user accounts in the Domain Admins group. You will identify the PSO that controls the password and lockout policies for an individual user. Finally, you will delete the PSO that you created.
The main tasks for this exercise are as follows:
1. Create a PSO.
2. Link a PSO to a group.
3. Identify the resultant PSO for a user.
4. Delete a PSO.
Task 1: Create a PSO.
1. Click Start, point to Administrative Tools, right-click ADSI Edit, and click Run as administrator.
2. Click Use another account.
3. In the User name box, type Pat.Coleman_Admin.
4. In the Password box, type Pa$$w0rd, and then press Enter. The ADSI Edit console opens.
5. Right-click ADSI Edit and click Connect To.
6. Accept all defaults. Click OK.
7. Click Default Naming Context in the console tree.
8. Expand Default Naming Context and click DC=contoso,DC=com.
9. Expand DC=contoso,DC=com and click CN=System.
10. Expand CN=System and click CN=Password Settings Container.
All PSOs are created and stored in the Password Settings Container (PSC).
11. Right-click CN=Password Settings Container and choose New, Object. The Create Object dialog box appears.
It prompts you to select the type of object to create. There is only one choice: msDS-PasswordSettings, the technical name for the object class referred to as a PSO.
12. Click Next. You are then prompted for the value for each attribute of a PSO. The attributes are similar to those found in the domain account policies.
13. Configure each attribute as indicated below. Click Next after each attribute.
cn: MyDomainAdminsPSO. This is the friendly name of the PSO.
msDS-PasswordSettingsPrecedence: 1. This PSO has the highest possible precedence.
msDS-PasswordReversibleEncryptionEnabled: False. The password is not stored by using reversible encryption.
msDS-PasswordHistoryLength: 30. The user cannot reuse any of the last 30 passwords.
msDS-PasswordComplexityEnabled: True. Password complexity rules are enforced.
msDS-MinimumPasswordLength: 15. Passwords must be at least 15 characters long.
msDS-MinimumPasswordAge: 1:00:00:00. A user cannot change the password within one day of a previous change. The format is d:hh:mm:ss (days, hours, minutes, seconds).
msDS-MaximumPasswordAge: 45:00:00:00. The password must be changed every 45 days.
msDS-LockoutThreshold: 5. Five invalid logons within the time frame specified by the next attribute will result in account lockout.
msDS-LockoutObservationWindow: 0:01:00:00. Five invalid logons (specified by the previous attribute) within one hour will result in account lockout.
msDS-LockoutDuration: 1:00:00:00. An account, if locked out, will remain locked for one day, or until it is unlocked manually. A value of zero will result in the account remaining locked out until an administrator unlocks it.
14. Click Finish.
15. Close ADSI Edit.
Task 2: Link a PSO to a group.
1. Run Active Directory Users and Computers with administrative credentials. Use the account Pat.Coleman_Admin with the password Pa$$w0rd.
2. In the console tree, expand the System container.
If you do not see the System container, click the View menu of the MMC console, and ensure that Advanced Features is selected.
3. In the console tree, click the Password Settings Container.
4. Right-click MyDomainAdminsPSO, and then click Attribute Editor.
5. In the Attributes list, click msDS-PSOAppliesTo, and then click Edit.
The Multi-valued Distinguished Name With Security Principal Editor dialog box appears.
6. Click Add Windows Account.
The Select Users, Computers, or Groups dialog box appears.
7. Type Domain Admins, and then press Enter.
8. Click OK two times to close the open dialog boxes.
Task 3: Identify the Resultant PSO for a user.
1. Run Active Directory Users and Computers as an administrator with the user name Pat.Coleman_Admin and the password Pa$$w0rd.
2. Open Attribute Editor in the Properties dialog box for the account Pat.Coleman_Admin.
3. Click Filter and ensure that Constructed is selected.
The attribute you will locate in the next step is a constructed attribute, meaning that the resultant PSO is not a hard-coded attribute of a user; rather, it is calculated by examining the PSOs linked to a user in real time.
Question: What is the resultant PSO for Pat Coleman (Administrator)?
Task 4: Delete a PSO.
1. With Advanced Features enabled on the View menu of Active Directory Users and Computers, open the System container and the Password Settings Container.
2. Delete the MyDomainAdminsPSO, which you created.
Results: In this exercise, you created a PSO, applied it to Domain Admins and confirmed its application, and then deleted the PSO.
Note: Do not shut down the virtual machine after you finish this lab because the settings you have configured here will be used in subsequent labs in this module.
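The four tasks of Exercise 2, and the earlier fine-grained password policy demonstration, carried out with the Active Directory module instead of ADSI Edit, as an added example that is not part of the lab. The attribute values are those listed in Task 1; the cmdlets create the object in CN=Password Settings Container,CN=System,DC=contoso,DC=com exactly as ADSI Edit does. It assumes Windows Server 2008 R2 or later, a session running as Pat.Coleman_Admin, and a domain at the Windows Server 2008 functional level.

```powershell
# Added example, not part of the lab. Create, link, verify and delete the
# MyDomainAdminsPSO fine-grained password policy with the AD module cmdlets.
Import-Module ActiveDirectory

# Task 1: create the PSO. The cmdlet takes TimeSpans where ADSI Edit took d:hh:mm:ss.
$psoSettings = @{
    Name                        = 'MyDomainAdminsPSO'
    Precedence                  = 1
    ReversibleEncryptionEnabled = $false
    PasswordHistoryCount        = 30
    ComplexityEnabled           = $true
    MinPasswordLength           = 15
    MinPasswordAge              = New-TimeSpan -Days 1     # 1:00:00:00 in ADSI Edit
    MaxPasswordAge              = New-TimeSpan -Days 45    # 45:00:00:00
    LockoutThreshold            = 5
    LockoutObservationWindow    = New-TimeSpan -Hours 1    # 0:01:00:00
    LockoutDuration             = New-TimeSpan -Days 1     # 1:00:00:00
}
New-ADFineGrainedPasswordPolicy @psoSettings

# Task 2: link the PSO to the group (this populates msDS-PSOAppliesTo).
Add-ADFineGrainedPasswordPolicySubject -Identity 'MyDomainAdminsPSO' -Subjects 'Domain Admins'

# Task 3: the resultant PSO for a user, i.e. what msDS-ResultantPSO reports.
function Get-ResultantPsoName {
    param([Parameter(Mandatory=$true)][string]$SamAccountName)
    $pso = Get-ADUserResultantPasswordPolicy -Identity $SamAccountName
    if ($pso) { $pso.Name } else { '(none: the domain account policy applies)' }
}
Get-ResultantPsoName -SamAccountName 'Pat.Coleman_Admin'   # expected: MyDomainAdminsPSO
Get-ResultantPsoName -SamAccountName 'Pat.Coleman'         # not a Domain Admin: no PSO

# Task 4: delete the PSO (clearing accidental-deletion protection first, in case it was set).
Set-ADFineGrainedPasswordPolicy -Identity 'MyDomainAdminsPSO' -ProtectedFromAccidentalDeletion $false
Remove-ADFineGrainedPasswordPolicy -Identity 'MyDomainAdminsPSO' -Confirm:$false
```

Get-ADFineGrainedPasswordPolicySubject -Identity 'MyDomainAdminsPSO' lists everything the PSO is linked to, which is a quicker review of msDS-PSOAppliesTo than the Attribute Editor dialog used in Task 2.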
Lab Review Questions
Question: What are the best practices for managing PSOs in a domain?
Question: How can you define a unique password policy for all the service accounts in the Service Accounts OU?
Lesson 2: Audit Authentication
Windows Server 2008 allows you to audit the logon activity of users in a domain. By auditing successful logons, you can look for instances in which an account is used at unusual times or in unexpected locations, which may indicate that an intruder is logging on to the account. Auditing failed logons can reveal attempts by intruders to compromise an account. In this lesson, you will learn to configure auditing of logon authentication.
Objectives
After completing this lesson, you will be able to:
Configure auditing of authentication-related activity.
Distinguish between account logon and logon events.
Identify authentication-related events in the Security log.
Account Logon and Logon Events
This lesson examines two specific policy settings, Audit Account Logon Events and Audit Logon Events. You need to understand the difference between these two similarly named policy settings.
When a user logs on to any computer in the domain by using a domain user account, a domain controller authenticates the attempt to log on to the domain account. This generates an account logon event on the domain controller.
Thecomputertowhichtheuserlogsonforexample,theuserslaptopgeneratesalogonevent.Thecomputerdidnotauthenticatetheuseragainsttheaccountitpassedtheaccounttoadomaincontrollerforvalidation.Thecomputerdid,however,allowtheusertologoninteractivelytothecomputer.
Therefore,theeventisalogonevent.
Whentheuserconnectstoafolderonaserverinthedomain,thatserverauthorizestheuserforatypeoflogoncalledanetworklogon.Again,theserverdoesnotauthenticatetheuseritreliesontheticketgiventotheuserbythedomaincontroller.But,theconnectionbytheusergeneratesalogoneventontheserver.
Note: The content in the following section is specific to Windows Server 2008 R2.
Advanced Audit Policies
In Windows Server 2008 R2, the Advanced Audit Policy configuration includes new categories in Group Policy for auditing logon and account logon events. You learned about these advanced audit policies in Module 9. This provides administrators with much more granular and detailed control over the logon process, and with information about very specific events that happen during the logon or logoff process.
For an account logon event, you can now define four different settings for audit:
Credential Validation. Audit events generated by validation tests on user account logon credentials.
Kerberos Service Ticket Operations. Audit events generated by Kerberos service ticket requests.
Other Account Logon Events. Audit events generated by responses to credential requests submitted for a user account logon that are not credential validation or Kerberos tickets.
Kerberos Authentication Service. Audit events generated by Kerberos authentication ticket-granting ticket (TGT) requests.
You can audit the following logon and logoff events:
Logon. Audit events generated by user account logon attempts on a computer.
Logoff. Audit events generated by closing a logon session. These events occur on the computer that was accessed. For an interactive logon, the security audit event is generated on the computer that the user account logged on to.
Account Lockout. Audit events generated by a failed attempt to log on to an account that is locked out.
IPsec Main Mode. Audit events generated by Internet Key Exchange protocol (IKE) and Authenticated Internet Protocol (AuthIP) during Main Mode negotiations.
IPsec Quick Mode. Audit events generated by IKE and AuthIP during Quick Mode negotiations.
IPsec Extended Mode. Audit events generated by IKE and AuthIP during Extended Mode negotiations.
Special Logon. Audit events generated by special logons.
Other Logon/Logoff Events. Audit other events related to logon and logoff that are not included in the Logon/Logoff category.
Network Policy Server. Audit events generated by RADIUS (IAS) and Network Access Protection (NAP) user access requests. These requests can be Grant, Deny, Discard, Quarantine, Lock, and Unlock.
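The subcategories listed above can be set and inspected from the command line as well as through Group Policy. The following script is an added example and is not part of the course material: it uses auditpol.exe on a Windows Server 2008 R2 server to enable success and failure auditing for the four Account Logon subcategories and for the Logon, Logoff, Account Lockout and Special Logon subcategories, then reads the effective settings back as a table. The subcategory and category names are the ones the text lists; the choice of which Logon/Logoff subcategories to enable is an assumption for the example.

```powershell
# Added example (not from the course): configure and verify Windows Server 2008 R2 advanced
# audit subcategories for account logon and logon/logoff events with auditpol.exe.
# Run from an elevated PowerShell prompt on the server whose local policy you are setting.

# Account Logon subcategories: these events are generated on the domain controller that
# validates the account, so this part matters on DCs.
$accountLogon = @(
    'Credential Validation',
    'Kerberos Service Ticket Operations',
    'Other Account Logon Events',
    'Kerberos Authentication Service'
)

# Logon/Logoff subcategories: these events are generated on the computer the user logs on
# to or connects to. Only the four most commonly wanted ones are enabled here (assumption).
$logonLogoff = @(
    'Logon',
    'Logoff',
    'Account Lockout',
    'Special Logon'
)

foreach ($sub in ($accountLogon + $logonLogoff)) {
    # Enable both success and failure auditing for each subcategory.
    & auditpol.exe /set /subcategory:"$sub" /success:enable /failure:enable | Out-Null
    if ($LASTEXITCODE -ne 0) {
        Write-Warning "auditpol failed for subcategory '$sub' (exit code $LASTEXITCODE)"
    }
}

# Read back the effective settings for the two categories. The /r switch makes auditpol
# emit CSV (Machine Name, Policy Target, Subcategory, Subcategory GUID, Inclusion Setting,
# Exclusion Setting); blank lines are dropped before ConvertFrom-Csv builds objects.
$effective = & auditpol.exe /get /category:"Account Logon,Logon/Logoff" /r |
    Where-Object { $_ -match '\S' } |
    ConvertFrom-Csv

$effective | Select-Object Subcategory, 'Inclusion Setting' | Format-Table -AutoSize
```

In production the same subcategories belong in a GPO under Advanced Audit Policy Configuration, scoped as the Scope Audit Policies section below describes; a GPO that defines these subcategories overwrites the local auditpol settings at the next Group Policy refresh. auditpol /get remains the quickest way to confirm what is actually in effect on one server after that refresh.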
Configure Authentication-Related Audit Policies
Account logon and logon events can be audited by Windows Server 2008. The settings that manage auditing are located in a GPO in the Computer Configuration > Policies > Windows Settings > Security Settings > Local Policies > Audit Policy node. The Audit Policy node and the two settings are shown in the following screenshot.
In Windows Server 2008 R2, you can configure additional audit policies in the Advanced Audit Policy Configuration node, as shown in the following screenshot:
To configure an audit policy, both basic and advanced, double-click the policy. Its properties dialog box then appears. The Audit Account Logon Events Properties dialog box is shown in the following screenshot. The policy setting can be configured to one of the following four states:
Not Defined: If the Define These Policy Settings check box is cleared, the policy setting is not defined. In this case, the server will audit the event based on its default settings or on the settings specified in another GPO.
Defined for no auditing: If the Define These Policy Settings check box is selected, but the Success and Failure check boxes are cleared, the server will not audit the event.
Audit successful events: If the Define These Policy Settings check box is selected, and the Success check box is selected, the server will log successful events in its Security log.
Audit failed events: If the Define These Policy Settings check box is selected, and the Failure check box is selected, the server will log unsuccessful events in its Security log.
A server's audit behavior is determined by whichever of these four settings is applied as the resultant set of policy (RSoP).
In Windows Server 2008, the default setting is to audit successful account logon events and successful logon events. So, both types of events are, if successful, entered in the server's Security log. If you want to audit failures or to turn off auditing, you will need to define the appropriate setting in the audit policy.
Scope Audit Policies
As with all policy settings, you should be careful to scope settings so that they affect the correct systems. For example, if you want to audit attempts by users to connect to remote desktop servers in your enterprise, you can configure logon event auditing in a GPO linked to the OU that contains your remote desktop servers. If, on the other hand, you want to audit logons by users to desktops in your human resources department, you can configure logon event auditing in a GPO linked to the OU containing human resources computer objects. Remember that domain users logging on to a client computer or connecting to a server will generate a logon event, not an account logon event, on that system.
Only domain controllers generate account logon events for domain users. Remember that an account logon event occurs on the domain controller that authenticates a domain user, regardless of where that user logs on. If you want to audit logons to domain accounts, you should scope account logon event auditing to affect only domain controllers. In fact, the Default Domain Controllers GPO that is created when you install your first domain controller is an ideal GPO in which to configure account logon audit policies.
View Logon Events
Account logon and logon events, if audited, appear in the Security log of the system that generated the event. An example is shown in the following screenshot.
So, if you are auditing logons to computers in the human resources department, the events are entered in each computer's Security log. Similarly, if you are auditing unsuccessful account logons to identify potential intrusion attempts, the events are entered in each domain controller's Security log. This means, by default, you will need to examine the Security logs of all domain controllers to get a complete picture of account logon events in your domain.
As you can imagine, in a complex environment with multiple domain controllers and many users, auditing account logons or logons can generate a tremendous number of events. If there are too many events, it can be difficult to identify problematic events worthy of closer investigation. You should balance the amount of logging you perform with the security requirements of your business and the resources you have available to analyze logged events.
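Because account logon events land on whichever domain controller handled the authentication, a domain-wide view has to be assembled from every DC's Security log. The script below is an added example, not part of the course: it enumerates the domain's DCs with the Active Directory module (Windows Server 2008 R2), collects the failed account logon events from each one for the last 24 hours, and groups them by target account and source so that repeated failures against one account stand out from the background noise the text warns about. The Event IDs used (4771, Kerberos pre-authentication failed; 4776, NTLM credential validation) and the Audit Failure keyword value are the real Windows Server 2008 values; the 24-hour window and the threshold of 10 failures are arbitrary assumptions to tune for your environment. Reading a remote Security log requires the Remote Event Log Management firewall exception on each DC and an account with read access to that log.

```powershell
# Added example (not from the course): summarize failed account logon events from every
# domain controller's Security log, so that a domain-wide picture emerges from per-DC logs.
# Requires the Active Directory module (Windows Server 2008 R2) and remote event log access.
Import-Module ActiveDirectory

$since = (Get-Date).AddHours(-24)   # assumption: look back one day

# Event IDs Windows Server 2008 uses for failed account logons on a DC:
#   4771 = Kerberos pre-authentication failed
#   4776 = NTLM credential validation (logged on success too; the Audit Failure keyword
#          restricts the query to failures)
$filter = @{
    LogName   = 'Security'
    Id        = 4771, 4776
    Keywords  = 0x10000000000000    # Audit Failure keyword bit
    StartTime = $since
}

$events = foreach ($dc in Get-ADDomainController -Filter *) {
    try {
        Get-WinEvent -ComputerName $dc.HostName -FilterHashtable $filter -ErrorAction Stop |
            ForEach-Object {
                # Read the named EventData fields from the event XML instead of parsing
                # the rendered message text, which is locale dependent.
                $xml  = [xml]$_.ToXml()
                $data = @{}
                foreach ($d in $xml.Event.EventData.Data) { $data[$d.Name] = $d.'#text' }

                # 4771 reports the client IP address; 4776 reports the workstation name.
                $source = if ($data['IpAddress']) { $data['IpAddress'] } else { $data['Workstation'] }

                New-Object PSObject -Property @{
                    DomainController = $dc.HostName
                    TimeCreated      = $_.TimeCreated
                    EventId          = $_.Id
                    Account          = $data['TargetUserName']
                    Source           = $source
                }
            }
    } catch {
        # An unreachable DC leaves a hole in the picture; report it rather than hide it.
        Write-Warning "Could not read the Security log on $($dc.HostName): $_"
    }
}

# Accounts with many failures from one source in the window deserve a closer look.
# The threshold of 10 is an arbitrary starting point.
$events |
    Group-Object Account, Source |
    Where-Object { $_.Count -ge 10 } |
    Sort-Object Count -Descending |
    Select-Object Count,
        @{ n = 'Account'; e = { $_.Group[0].Account } },
        @{ n = 'Source';  e = { $_.Group[0].Source } },
        @{ n = 'DCs';     e = { ($_.Group | ForEach-Object { $_.DomainController } | Sort-Object -Unique) -join ',' } } |
    Format-Table -AutoSize
```

The DCs column shows how the same account's failures can be spread across several domain controllers, which is exactly why a single DC's log is not enough. The same pattern, pointed at member servers with the Logon/Logoff event IDs, gives the per-computer view of logon events described in the Scope Audit Policies section.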
Lab B: Audit Authentication
The virtual machines should already be started and available after completing Lab A. However, if they are not, you should complete Lab A before continuing. You will be unable to complete Lab B successfully unless you have completed Lab A.
1. Start 6425C-NYC-DC1.
2. Log on to NYC-DC1 as Pat.Coleman, with the password Pa$$w0rd.
3. Open Windows Explorer and then browse to D:\Labfiles\Lab10b.
4. Run Lab10b_Setup.bat with administrative credentials. Use the account Pat.Coleman_Admin, with the password Pa$$w0rd.
5. The lab setup script runs. When it is complete, press any key to continue.
6. Close the Windows Explorer window, Lab10b.
Lab Scenario
The security team at Contoso, Ltd has tasked you with increasing the security and monitoring of authentication against the enterprise's AD DS domain. Specifically, you need to create an audit trail of logons.
Exercise: Audit Authentication
In this exercise, you will use Group Policy to enable auditing of both successful and unsuccessful logon activity by users in the contoso.com domain. You will then generate logon events and view the resulting entries in the event logs.
The main tasks for this exercise are as follows:
1. Configure auditing of account logon events.
2. Configure auditing of logon events.
3. Force a Group Policy refresh.
4. Generate account logon events.
5. Examine account logon events.
6. Examine logon events.
Task 1: Configure auditing of account logon events.
1. Run Group Policy Management as an administrator, with the user name Pat.Coleman_Admin and the password Pa$$w0rd.
2. Modify the Default Domain Controllers Policy GPO to enable auditing events for both successful and failed account logon events.
3. Close Group Policy Management Editor.
Task 2: Configure auditing of logon events.
1. Create a Group Policy Object (GPO) linked to the Servers\Important Project OU. Name the GPO Server Lockdown Policy.
2. Modify the Server Lockdown Policy to enable auditing events for both successful and failed logon events.
3. Close Group Policy Management Editor and Group Policy Management.
Task 3: Force a Group Policy refresh.
1. Start 6425C-NYC-SVR1. As the computer starts, it will apply the changes you made to Group Policy.
2. On NYC-DC1, run the Command Prompt as an administrator, with the user name Pat.Coleman_Admin and the password Pa$$w0rd, and then run the command gpupdate.exe /force. Close the command prompt.
Task 4: Generate account logon events.
1. Log on to NYC-SVR1 as Pat.Coleman, but enter an incorrect password. The following message appears: The user name or password is incorrect.
2. After you have been denied logon, log on again with the correct password, Pa$$w0rd.
Task 5: Examine account logon events.
1. On NYC-DC1, run Event Viewer as an administrator, with the user name Pat.Coleman_Admin and the password Pa$$w0rd.
2. Identify the failed and successful events in the Security log.
Question: Which Event ID is associated with the account logon failure events? (Hint: Look for the earliest of a series of failure events at the time you logged on incorrectly to NYC-SVR1.)
Question: Which Event ID is associated with the successful account logon? (Hint: Look for the earliest of a series of events at the time you logged on incorrectly to NYC-SVR1.)
Task 6: Examine logon events.
1. On NYC-SVR1, run Event Viewer as an administrator, with the user name Pat.Coleman_Admin and the password Pa$$w0rd.
2. Identify the failed and successful events in the Security log.
Question: Which Event ID is associated with the logon failure events? (Hint: Look for the earliest of a series of failure events at the time you logged on incorrectly to NYC-SVR1.)
Question: Which Event ID is associated with the successful logon? (Hint: Look for the earliest of a series of events at the time you logged on incorrectly to NYC-SVR1.)
Results: In this exercise, you established and reviewed auditing for successful and failed logons to the domain and to servers in the Important Project OU.
Note: Do not shut down the virtual machine after you finish this lab because the settings you have configured here will be used in subsequent labs in this module.
Lab Review Questions
Question: You have been asked to audit attempts to log on to desktops and laptops in the Finance division by using local accounts such as Administrator. What type of audit policy do you set, and in what GPO(s)?
Lesson 3: Configure Read-Only Domain Controllers
Branch offices present a unique challenge to an enterprise's information technology (IT) staff: If a branch office is separated from the hub site by a wide area network (WAN) link, should you place a domain controller in the branch office? In previous versions of Windows, the answer to this question was not simple. Windows Server 2008, however, introduces a new type of domain controller, the RODC, that makes the question easier to answer. In this lesson, you will explore the issues related to branch office authentication and domain controller placement, and you will learn how to implement and support a branch office RODC.
Objectives
After completing this lesson, you will be able to:
Identify the business requirements for RODCs.
Install an RODC.
Configure password replication policy.
Configure RODC credentials caching.
Monitor the caching of credentials on an RODC.
Authentication and Domain Controller Placement in a Branch Office
Consider a scenario in which an enterprise is characterized by a hub site and several branch offices. The branch offices connect to the hub site over WAN links that may be congested, expensive, slow, or unreliable. Users in the branch office must be authenticated by Active Directory to access resources in the domain. Should a domain controller be placed in the branch office?
In branch office scenarios, many of the IT services are centralized in the hub site, which is carefully maintained by the IT staff. In larger organizations, the hub site may include a robust data center. Branch offices, however, are often smaller sites in which no data center exists. In fact, many branch offices have no significant IT presence other than a handful of servers. There may be no physically secure facility to house branch office servers. There may be few, if any, local IT staff to support the servers.
If a domain controller is not placed in the branch office, authentication and service ticket activities will be directed to the hub site over the WAN link. Authentication occurs when users first log on to their computers in the morning. Service tickets are a component of the Kerberos authentication mechanism used by Windows Server 2008 domains. You can think of a service ticket as a key issued by the domain controller to a user. The key allows the user to connect to a service, such as the File and Print service, on a file server. When a user first tries to access a specific service, the user's client requests what is called a service ticket from the domain controller. Because users typically connect to multiple services during a workday, service ticket activity happens regularly. Authentication and service ticket activity over the WAN link between a branch office and a hub site can result in slow or unreliable performance.
If a domain controller is placed in the branch office, authentication is much more efficient, but there are several potentially significant risks. A domain controller maintains a copy of all attributes of all objects in its domain, including secrets such as information related to user passwords. If a domain controller is accessed or stolen, it becomes possible for a determined expert to identify valid user names and passwords, at which point the entire domain is compromised. You must at least reset the passwords of every user account in the domain. Because the security of servers at branch offices is often less than ideal, a branch office domain controller poses a considerable security risk.
A second concern is that changes to the Active Directory database on a branch office domain controller replicate to the hub site and to all other DCs in the environment.
Therefore, corruption to the branch office domain controller poses a risk to the integrity of the enterprise directory service. For example, if a branch office administrator performs a restore of the domain controller from an outdated backup, there can be significant repercussions for the entire domain.
The third concern relates to administration. A branch office domain controller may require maintenance such as a new device driver. To perform maintenance on a standard domain controller, you must log on as a member of the Administrators group on the domain controller, which means you are effectively an administrator of the domain. It may not be appropriate to grant that level of capability to a support team at a branch office.
What Are Read-Only Domain Controllers?
The security, directory service integrity, and administration concerns left many enterprises with a difficult choice to make. Windows Server 2008 introduces the RODC, which is designed specifically to address the branch office scenario. An RODC is a domain controller, typically placed in the branch office, which maintains a copy of all objects in the domain and all attributes except for secrets such as password-related properties. If you do not configure caching, when a user in the branch office logs on, the RODC receives the request and forwards it to a domain controller in the hub site for authentication.
You can configure a password replication policy for the RODC that specifies user accounts the RODC is allowed to cache. If the user logging on is included in the password replication policy, the RODC caches that user's credentials, so the next time authentication is requested, the RODC can perform the task locally. As users who are included in the password replication policy log on, the RODC builds its cache of credentials so that it can perform authentication locally for those users. Usually, you will add users located in the same physical site as an RODC to the password replication policy.
Because the RODC maintains only a subset of user credentials, if the RODC is compromised or stolen, the effect of the security exposure is limited. Only the user accounts that had been cached on the RODC must have their passwords changed. The RODC replicates changes to Active Directory from domain controllers in the hub site. Replication is one way. No changes to the RODC are replicated to any other domain controller. This eliminates the exposure of the directory service to corruption due to changes made to a compromised branch office domain controller. Finally, RODCs have the equivalent of a local Administrators group. You can give one or more local support personnel the ability to fully maintain an RODC without granting them the equivalent rights of Domain Admins.
Prerequisites for Deploying an RODC
To deploy an RODC, you first must perform some preparation steps. The high-level steps to install an RODC are as follows:
1. Ensure that the forest functional level is Windows Server 2003 or later.
2. If the forest has any domain controllers running Windows Server 2003, run adprep /rodcprep.
3. Ensure there is at least one writable domain controller running Windows Server 2008 or Windows Server 2008 R2.
4. Install the RODC.
Each of these steps is detailed in the following sections.
Verifying and Configuring Forest Functional Level of Windows Server 2003 or Later
Functional levels enable features unique to specific versions of Windows, and are therefore dependent on the versions of Windows running on domain controllers. If all domain controllers are Windows Server 2003 or later, the domain functional level can be set to Windows Server 2003. If all domains are at the Windows Server 2003 domain functional level, the forest functional level can be set to Windows Server 2003. Domain and forest functional levels are discussed in detail in another module.
RODCs require that the forest functional level is Windows Server 2003 or later so that linked-value replication (LVR) is available. This provides a higher level of replication consistency. The domain functional level must be Windows Server 2003 or later so that Kerberos constrained delegation is available. This means all domain controllers in the entire forest must be running Windows Server 2003 or later.
Constrained delegation supports security calls that must be impersonated under the context of the caller. Delegation makes it possible for applications and services to authenticate to a remote resource on behalf of a user. Because delegation provides powerful capabilities, typically only domain controllers are enabled for it. For RODCs, applications and services must be able to delegate, but only constrained delegation is allowed because it prevents the target from impersonating again and making another hop. The user or computer must be cacheable at the RODC for constrained delegation to work. This restriction places limits on how a rogue RODC may be able to abuse cached credentials.
To determine the functional level of your forest:
1. Open Active Directory Domains and Trusts.
2. Right-click the name of the forest, and then click Properties.
3. Verify the forest functional level, as shown below. Any user can verify the forest functional level in this way. No special administrative credentials are required to view the forest functional level.
If the forest functional level is not at least Windows Server 2003, examine the properties of each domain to identify any domains for which the domain functional level is not at least Windows Server 2003. If you find such a domain, ensure that all domain controllers in the domain are running Windows Server 2003. Then, in Active Directory Domains and Trusts, right-click the domain and click Raise Domain Functional Level. After you have raised each domain functional level to at least Windows Server 2003, right-click the root node of the Active Directory Domains And Trusts snap-in and click Raise Forest Functional Level. In the Select An Available Forest Functional Level drop-down list, click Windows Server 2003, and click Raise. You must be an administrator of a domain to raise the domain's functional level. To raise the forest functional level, you must be either a member of the Domain Admins group in the forest root domain or a member of the Enterprise Admins group.
Running ADPrep /RODCPrep
If you are upgrading an existing forest to include domain controllers running Windows Server 2008, you must run adprep /rodcprep. This command configures permissions so that RODCs are able to replicate DNS application directory partitions. DNS application directory partitions are discussed in another module. If you are creating a new Active Directory forest, and it will have only domain controllers running Windows Server 2008, you do not need to run adprep /rodcprep.
The command is found in the \sources\adprep folder of the Windows Server 2008 installation DVD. Copy the folder to the domain controller acting as the schema master. The schema master role is discussed in another module. Log on to the schema master as a member of the Enterprise Admins group, open a command prompt, change directories to the adprep folder, and type adprep /rodcprep.
Before running adprep /rodcprep, you must run adprep /forestprep and adprep /domainprep. See Module 15 for more information about preparing a Windows Server 2003 domain and forest for the first Windows Server 2008 domain controller.
Placing a Writable Windows Server 2008 Domain Controller
An RODC must replicate domain updates from a writable domain controller running Windows Server 2008 or Windows Server 2008 R2. It is critical that an RODC is able to establish a replication connection with a writable Windows Server 2008 domain controller. Ideally, the writable Windows Server 2008 domain controller should be in the closest site, that is, the hub site. If you want the RODC to act as a DNS server, the writable Windows Server 2008 domain controller must also host the DNS domain zone.
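The first three preparation steps (functional levels, the need for adprep /rodcprep, and a writable Windows Server 2008 replication partner) can all be checked before anyone touches the branch server. The following function is an added example, not course material: it queries the forest with the Active Directory module shipped in Windows Server 2008 R2 and reports on each prerequisite without changing anything. It treats only the two pre-2003 functional levels as failing, so it keeps working as newer levels appear, and it names the schema master because that is where adprep /rodcprep has to run. It cannot tell whether adprep /rodcprep has already been run; it only reports whether Windows Server 2003 domain controllers still exist.

```powershell
# Added example (not from the course): report on the RODC prerequisites described above.
# Read-only: queries AD DS with the Active Directory module (Windows Server 2008 R2).
Import-Module ActiveDirectory

function Test-RodcPrerequisites {
    $forest = Get-ADForest

    # Step 1: forest functional level must be Windows Server 2003 or later (for linked-value
    # replication). Only the two pre-2003 modes fail, so newer modes pass automatically.
    $forestLevelOk = ('Windows2000Forest', 'Windows2003InterimForest') -notcontains [string]$forest.ForestMode

    # Every domain must also be at Windows Server 2003 domain functional level or later
    # (for Kerberos constrained delegation).
    $domainReport = foreach ($name in $forest.Domains) {
        $domain = Get-ADDomain -Identity $name
        New-Object PSObject -Property @{
            Domain  = $name
            Mode    = [string]$domain.DomainMode
            LevelOk = ('Windows2000Domain', 'Windows2003InterimDomain') -notcontains [string]$domain.DomainMode
        }
    }

    # Collect every DC in the forest once; steps 2 and 3 both need the list.
    $allDCs = foreach ($name in $forest.Domains) { Get-ADDomainController -Filter * -Server $name }

    # Step 2: adprep /rodcprep is required when any DC still runs Windows Server 2003.
    $legacyDCs = @($allDCs | Where-Object { $_.OperatingSystem -like '*2003*' })

    # Step 3: an RODC replicates only from a writable Windows Server 2008 / 2008 R2 DC.
    $writable2008 = @($allDCs | Where-Object { -not $_.IsReadOnly -and $_.OperatingSystem -like '*2008*' })

    New-Object PSObject -Property @{
        Forest           = $forest.Name
        ForestMode       = [string]$forest.ForestMode
        ForestLevelOk    = $forestLevelOk
        Domains          = $domainReport
        SchemaMaster     = $forest.SchemaMaster          # run adprep /rodcprep here if required
        RodcPrepRequired = $legacyDCs.Count -gt 0        # cannot tell whether it was already run
        LegacyDCs        = $legacyDCs | ForEach-Object { $_.HostName }
        Writable2008DCs  = $writable2008 | ForEach-Object { $_.HostName }
        # Functional levels and a replication partner are the parts this script can verify.
        LevelsAndPartnerOk = $forestLevelOk -and
                             -not ($domainReport | Where-Object { -not $_.LevelOk }) -and
                             $writable2008.Count -gt 0
    }
}

Test-RodcPrerequisites | Format-List
```

Run it as any domain user; reading functional levels and domain controller attributes needs no administrative rights, which matches the note above that any user can view the forest functional level.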
Installing an RODC
After completing the preparatory steps, you can install an RODC. An RODC can be either a full or Server Core installation of Windows Server 2008. With a full installation of Windows Server 2008, you can use the Active Directory Domain Services Installation Wizard to create an RODC. Simply click Read-only Domain Controller (RODC) on the Additional Domain Controller Options page of the wizard, as shown in the following screenshot.
Alternatively, you can use the dcpromo.exe command with the /unattend switch to create the RODC. On a Server Core installation of Windows Server 2008, you must use the dcpromo.exe /unattend command.
You can complete the installation of an RODC in two stages, each performed by a different individual. The first stage of the installation, which requires Domain Admin credentials, creates an account for the RODC in AD DS. The second stage of the installation attaches the actual server that will be the RODC in a remote location, such as a branch office, to the account that was previously created for it. You can delegate the ability to attach the server to a non-administrative group or user.
During this first stage, the Active Directory Domain Services Installation Wizard records all data about the RODC that will be stored in the distributed Active Directory database, such as its domain controller account name and the site in which it will be placed. This stage must be performed by a member of the Domain Admins group.
The administrator who creates the RODC account can also specify at that time which users or groups can complete the next stage of the installation. The next stage of the installation can be performed in the branch office by any user or group who was delegated the right to complete the installation when the account was created. This stage does not require any membership in built-in groups, such as the Domain Admins group. If the user who creates the RODC account does not specify any delegate to complete the installation and administer the RODC, only a member of the Domain Admins or Enterprise Admins groups can complete the installation.
You can perform a staged installation of an RODC by using several approaches. You can pre-create an RODC account by using the Active Directory Users and Computers console, which is appropriate for a smaller number of accounts. You can also use the dcpromo command-line utility with appropriate switches, or you can use the answer file to perform an unattended installation of an RODC.
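The two stages described above map onto two dcpromo.exe /unattend runs. The script below is an added example and is not part of the course: stage one, run by a member of Domain Admins on a domain-joined server, pre-creates the RODC account and names the branch group that may finish the job; stage two, run on the branch server itself by a member of that group, attaches the server to the account. The domain (contoso.com), server and group names (BRANCH-RODC01, Branch-Site, CONTOSO\Branch-Admins, CONTOSO\Branch-Users, DC01.contoso.com, branch.admin) are assumptions for illustration. The [DCInstall] keys follow the Windows Server 2008 dcpromo unattend reference as I know it; confirm them with dcpromo /?:Promotion on your own build before use. Credentials are prompted for with Password=* rather than stored in the file, and the only secret written to disk (the DSRM password) is removed with the file immediately after dcpromo returns.

```powershell
# Added example (not from the course): staged RODC installation with dcpromo.exe /unattend.
# All server, site, group and account names below are assumptions; verify the [DCInstall]
# keys with dcpromo /?:Promotion on your build before running either stage.

# ---- Stage 1: run on a domain-joined server by a member of Domain Admins. ----
# Pre-creates the RODC computer account in AD DS with its site, the delegated group that may
# complete stage 2, and a per-RODC Allowed List entry. Password=* prompts for the credential.
$stage1 = @'
[DCInstall]
CreateDCAccount=Yes
ReplicaOrNewDomain=ReadOnlyReplica
ReplicaDomainDNSName=contoso.com
DCAccountName=BRANCH-RODC01
SiteName=Branch-Site
InstallDNS=Yes
ConfirmGc=Yes
DelegatedAdmin=CONTOSO\Branch-Admins
PasswordReplicationAllowed=CONTOSO\Branch-Users
UserDomain=contoso.com
UserName=Pat.Coleman_Admin
Password=*
'@
$stage1Path = Join-Path $env:TEMP 'rodc-stage1.txt'
$stage1 | Set-Content -Path $stage1Path -Encoding ASCII
& dcpromo.exe /unattend:"$stage1Path"
Remove-Item $stage1Path

# ---- Stage 2: run on the branch server by a member of the delegated group. ----
# UseExistingAccount=Attach binds this server to the pre-created account; no Domain Admin
# rights are needed. SafeModeAdminPassword is the Directory Services Restore Mode password
# for the new RODC and is read here rather than typed into the script.
$dsrm  = Read-Host -AsSecureString 'DSRM (Directory Services Restore Mode) password'
$bstr  = [Runtime.InteropServices.Marshal]::SecureStringToBSTR($dsrm)
$plain = [Runtime.InteropServices.Marshal]::PtrToStringBSTR($bstr)
[Runtime.InteropServices.Marshal]::ZeroFreeBSTR($bstr)

$stage2 = @"
[DCInstall]
UseExistingAccount=Attach
ReplicaDomainDNSName=contoso.com
ReplicationSourceDC=DC01.contoso.com
DatabasePath=C:\Windows\NTDS
LogPath=C:\Windows\NTDS
SYSVOLPath=C:\Windows\SYSVOL
SafeModeAdminPassword=$plain
UserDomain=contoso.com
UserName=branch.admin
Password=*
RebootOnCompletion=No
"@
$stage2Path = Join-Path $env:TEMP 'rodc-stage2.txt'
$stage2 | Set-Content -Path $stage2Path -Encoding ASCII
& dcpromo.exe /unattend:"$stage2Path"
# The answer file held the DSRM password in clear text: delete it before rebooting.
Remove-Item $stage2Path -Force
Remove-Variable plain
Restart-Computer
```

ReplicationSourceDC points the new RODC at the writable Windows Server 2008 domain controller in the hub site, which is the replication partner the previous section says is critical; leaving it out lets dcpromo pick one. Splitting the work this way is what keeps Domain Admin credentials out of the branch office entirely.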
Demonstration: Configure a Password Replication Policy
A password replication policy determines which users' credentials can be cached on a specific RODC. If a password replication policy allows an RODC to cache a user's credentials, the authentication and service ticket activities of that user can be processed by the RODC. If a user's credentials cannot be cached on the RODC, the authentication and service ticket activities are referred by the RODC to a writable domain controller. To access the password replication policy, open the properties of the domain controller in the Domain Controllers OU and then click the Password Replication Policy tab. The password replication policy of an RODC is determined by two multivalued attributes of the RODC's computer account. These attributes are commonly known as the Allowed List and the Denied List. If a user's account is on the Allowed List, the user's credentials are cached. You can include groups on the Allowed List, in which case all users who belong to the group can have their credentials cached on the RODC. If the user is both on the Allowed List and the Denied List, the user's credentials will not be cached; the Denied List takes precedence.
Configure Domain-Wide Password Replication Policy
To facilitate the management of password replication policy, Windows Server 2008 creates two domain local security groups in the Users container of Active Directory. The first one, named Allowed RODC Password Replication Group, is added to the Allowed List of each new RODC. By default, the group has no members. Therefore, by default, a new RODC will not cache any user's credentials. If there are users whose credentials you want to be cached by all domain RODCs, add those users to the Allowed RODC Password Replication Group.
The second group is named Denied RODC Password Replication Group. It is added to the Denied List of each new RODC. If there are users whose credentials you want to ensure are never cached by domain RODCs, add those users to the Denied RODC Password Replication Group. By default, this group contains security-sensitive accounts that are members of groups including Domain Admins, Enterprise Admins, and Group Policy Creator Owners.
Note: Remember that it is not only users who generate authentication and service ticket activity. Computers in a branch office also require such activity. To improve performance of systems in a branch office, allow the branch RODC to cache computer credentials as well.
Configure RODC-Specific Password Replication Policy
The two groups described in the previous section provide a method to manage password replication policy on all RODCs. However, to best support a branch office scenario, you need to allow the RODC in each branch office to cache credentials of users in that specific location. Therefore, you need to configure the Allowed List and the Denied List of each RODC.
To configure any RODC's password replication policy, open the properties of the RODC's computer account in the Domain Controllers OU. On the Password Replication Policy tab, shown in the following screenshot, you can view the current password replication policy settings and add or remove users or groups from the password replication policy.
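The same Allowed List and Denied List can be read and edited from PowerShell, and the precedence rule from the previous section (Denied wins over Allowed, and group membership counts) can be applied ahead of time to predict whether a given account will be cached. The script below is an added example, not course material. It uses the Active Directory module cmdlets of Windows Server 2008 R2 against BRANCHDC01, the RODC named in the demonstration; the group Branch-Users is an assumed branch-specific group, and Test-RodcCaching is a helper written for this example, not a built-in cmdlet. Nested group membership is resolved with the LDAP_MATCHING_RULE_IN_CHAIN matching rule, which assumes the account's distinguished name contains no characters that need LDAP filter escaping.

```powershell
# Added example (not from the course): view and change an RODC's password replication policy,
# and predict whether a given account's credentials would be cached under the precedence rule.
# Requires the Active Directory module (Windows Server 2008 R2). Names are assumptions.
Import-Module ActiveDirectory

$rodc = 'BRANCHDC01'   # the RODC computer account used in the demonstration

# Show both lists that make up the policy (the two multivalued attributes of the account).
Get-ADDomainControllerPasswordReplicationPolicy -Identity $rodc -Allowed |
    Select-Object @{ n = 'List'; e = { 'Allowed' } }, Name, ObjectClass
Get-ADDomainControllerPasswordReplicationPolicy -Identity $rodc -Denied |
    Select-Object @{ n = 'List'; e = { 'Denied' } }, Name, ObjectClass

# Allow this branch's own users and computers to be cached on this RODC only. Branch-Users is
# an assumed group; per the note above, the branch computer accounts belong in it as well.
Add-ADDomainControllerPasswordReplicationPolicy -Identity $rodc -AllowedList 'Branch-Users'

function Test-RodcCaching {
    param(
        [string]$Rodc,
        [string]$Account   # sAMAccountName; computer accounts end in '$', e.g. 'BRANCH-PC01$'
    )

    $principal = Get-ADObject -LDAPFilter "(sAMAccountName=$Account)"
    if (-not $principal) { throw "Account '$Account' not found" }

    # The account itself plus every group it belongs to, directly or through nesting.
    # 1.2.840.113556.1.4.1941 is LDAP_MATCHING_RULE_IN_CHAIN (transitive membership).
    $groups = Get-ADGroup -LDAPFilter "(member:1.2.840.113556.1.4.1941:=$($principal.DistinguishedName))"
    $identities = @($principal.DistinguishedName) + @($groups | ForEach-Object { $_.DistinguishedName })

    $allowed = @(Get-ADDomainControllerPasswordReplicationPolicy -Identity $Rodc -Allowed |
                 ForEach-Object { $_.DistinguishedName })
    $denied  = @(Get-ADDomainControllerPasswordReplicationPolicy -Identity $Rodc -Denied |
                 ForEach-Object { $_.DistinguishedName })

    $onAllowed = @($identities | Where-Object { $allowed -contains $_ }).Count -gt 0
    $onDenied  = @($identities | Where-Object { $denied  -contains $_ }).Count -gt 0

    # Denied takes precedence over Allowed, exactly as the text describes.
    New-Object PSObject -Property @{
        Account   = $Account
        OnAllowed = $onAllowed
        OnDenied  = $onDenied
        Cacheable = $onAllowed -and -not $onDenied
    }
}

# A branch user (assumed to be in Branch-Users) and a privileged account: the second one is
# blocked through the default Denied RODC Password Replication Group membership.
Test-RodcCaching -Rodc $rodc -Account 'Pat.Coleman'
Test-RodcCaching -Rodc $rodc -Account 'Pat.Coleman_Admin'
```

Running Test-RodcCaching before a branch user calls the help desk is cheaper than discovering the gap from the Policy Usage tab afterwards; the outcome for an account that sits in both lists is always Cacheable = False, which is the behaviour to confirm whenever a branch group is nested inside a broader one.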
1. Run Active Directory Users and Computers with administrative credentials. Use the account Pat.Coleman_Admin with the password Pa$$w0rd.
2. In the Domain Controllers OU, open the properties of BRANCHDC01.
3. Click the Password Replication Policy tab and view the default policy.
4. Close the BRANCHDC01 properties.
5. In the Active Directory Users and Computers console tree, click the Users container.
6. Double-click Allowed RODC Password Replication Group. Go to the Members tab and examine the default membership of Allowed RODC Password Replication Group.
7. Click OK.
8. Double-click Denied RODC Password Replication Group and go to the Members tab.
9. Click Cancel to close the Denied RODC Password Replication Group properties.
Demonstration: Administer RODC Credentials Caching
In this demonstration, you will see how to administer RODC credentials caching.
When you click the Advanced button on the Password Replication Policy tab of an RODC, an Advanced Password Replication Policy dialog box appears. An example is shown in the following screenshot.
The drop-down list at the top of the Policy Usage tab allows you to select one of two reports for the RODC:
Accounts whose passwords are stored on this Read-Only Domain Controller: Display the list of user and computer credentials that are currently cached on the RODC. Use this list to determine whether credentials that are not required are being cached on the RODC, and modify the password replication policy accordingly. This is also the list of accounts whose passwords must be reset if the RODC is stolen or compromised.
Accounts that have been authenticated to this Read-Only Domain Controller: Display the list of user and computer credentials that have been referred to a writable domain controller for authentication or service ticket processing. Use this list to identify users or computers that are attempting to authenticate with the RODC. If any of these accounts are not being cached, consider adding them to the password replication policy.
In the same dialog box, the Resultant Policy tab allows you to evaluate the effective caching policy for an individual user or computer. Click the Add button to select a user or computer account for evaluation.
You can also use the Advanced Password Replication Policy dialog box to prepopulate credentials in the RODC cache. If a user or computer is on the Allow list of an RODC, the account credentials can be cached on the RODC, but will not be cached until an authentication or service ticket event causes the RODC to replicate the credentials from a writable domain controller. By prepopulating credentials in the RODC cache, for users and computers in the branch office for example, you can ensure that authentication and service ticket activity will be processed locally by the RODC even when the user or computer is authenticating for the first time. To prepopulate credentials, click Prepopulate Passwords and select the appropriate users and computers.
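The two Policy Usage reports, the resultant policy check and prepopulation, scripted with the ActiveDirectory module and repadmin as an added example that is not from the course. It also adds the check a practitioner wants here: that nothing privileged is among the cached secrets. This is the same inspection Lab C, Exercise 3 performs in the dialog box. BRANCHDC01 comes from Lab C; the hub DC name NYC-DC1.contoso.com and the list of privileged groups are assumptions.

```powershell
# Added example: audit what BRANCHDC01 has cached, find accounts it forwarded, check the
# resultant policy for them, and prepopulate those the policy already allows.
Import-Module ActiveDirectory

$rodc  = 'BRANCHDC01'             # branch RODC (Lab C)
$hubDc = 'NYC-DC1.contoso.com'    # assumed: writable DC the RODC replicates from
$privilegedGroups = 'Domain Admins', 'Enterprise Admins', 'Schema Admins', 'Administrators'

# Report 1: secrets physically stored on the RODC. If the branch server or its disk is
# compromised, every account in this list needs a password reset.
$revealed = @(Get-ADDomainControllerPasswordReplicationPolicyUsage -Identity $rodc -RevealedAccounts)

# Report 2: accounts the RODC authenticated by forwarding to a writable DC.
$authenticated = @(Get-ADDomainControllerPasswordReplicationPolicyUsage -Identity $rodc -AuthenticatedAccounts)

$revealedDns = $revealed | ForEach-Object { $_.DistinguishedName }

# Check 1: nothing privileged may be cached. A hit means the Denied List was weakened.
$privilegedDns = $privilegedGroups |
    ForEach-Object { Get-ADGroupMember -Identity $_ -Recursive } |
    ForEach-Object { $_.DistinguishedName } | Sort-Object -Unique
$leaked = $revealed | Where-Object { $privilegedDns -contains $_.DistinguishedName }
if ($leaked) {
    Write-Warning ("Privileged secrets cached on {0}: {1}" -f $rodc, (($leaked | ForEach-Object { $_.Name }) -join ', '))
}

# Check 2: accounts that authenticate at the branch but are not cached. Those the
# resultant policy already allows only need prepopulating; the rest need a policy change.
$notCached = $authenticated | Where-Object { $revealedDns -notcontains $_.DistinguishedName }
$toPrepopulate = @()
foreach ($acct in $notCached) {
    $result = Get-ADAccountResultantPasswordReplicationPolicy -Identity $acct -DomainController $rodc
    "{0,-40} {1}" -f $acct.Name, $result
    if ("$result" -eq 'Allow') { $toPrepopulate += $acct.DistinguishedName }
}

# Prepopulate: repadmin /rodcpwdrepl <RODC> <hub DC> <account DN> ... pulls the secrets
# to the RODC now, so the first branch logon is served locally. It fails for an account
# the policy denies, which is the behaviour you want.
if ($toPrepopulate) {
    & repadmin.exe /rodcpwdrepl $rodc $hubDc $toPrepopulate
}
```

Run the script from a writable domain controller or an RSAT workstation; the RODC itself cannot write the policy. Schedule the first check as a recurring job: the cached-secrets list is the blast radius of a stolen branch server, and it should never contain a member of a privileged group.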
Demonstration Steps:
1. On NYC-DC1, in the Active Directory Users and Computers console tree, click the Domain Controllers OU and open the properties of BRANCHDC01.
2. Click Password Replication Policy.
3. Click Advanced.
The Advanced Password Replication Policy for BRANCHDC01 dialog box appears.
The Policy Usage tab displays accounts whose passwords are stored on this Read-Only Domain Controller.
4. From the drop-down list, select Accounts Whose Passwords Are Stored On This Read-Only Domain Controller.
5. From the drop-down list, select Accounts that have been authenticated to this Read-only Domain Controller.
6. Click the Resultant Policy tab, and then click Add.
The Select Users or Computers dialog box appears.
7. Type Chris.Gallagher, and then press Enter.
8. Click Policy Usage.
9. Click Prepopulate Passwords.
The Select Users or Computers dialog box appears.
10. Type the name of the account you want to prepopulate (for example, type Chris.Gallagher), and then click OK.
11. Click Yes to confirm that you want to send the credentials to the RODC.
The following message appears: Passwords for all accounts were successfully prepopulated.
Administrative Role Separation
RODCs in branch offices may require maintenance such as an updated device driver. Additionally, small branch offices may combine the RODC role with the file server role on a single system, in which case it will be important to be able to back up the system. RODCs support local administration through a feature called administrative role separation. This feature specifies that any domain user or security group can be delegated to be the local administrator of an RODC without granting that user or group rights for the domain or other domain controllers. Therefore, a delegated administrator can log on to an RODC to perform maintenance work, such as upgrading a driver, on the server. But the delegated administrator cannot log on to any other domain controller or perform any other administrative task in the domain.
Each RODC maintains a local database of groups for specific administrative purposes. You can add a domain user account to these local roles to allow support of a specific RODC.
You can configure administrative role separation by using the dsmgmt.exe command. To add a user to the Administrators role on an RODC, follow these steps:
1. Open a command prompt on the RODC.
2. Type dsmgmt, and then press Enter.
3. Type local roles, and then press Enter.
At the local roles prompt, you can type ? and press Enter for a list of commands. You can also type list roles and press Enter for a list of local roles.
4. Type add username administrators, where username is the pre-Windows 2000 logon name of a domain user, and then press Enter.
You can repeat this process to add other users to the various local roles on an RODC.
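The same delegation as a script, plus the verification that makes role separation meaningful, as an added example that is not from the course. dsmgmt takes its menu commands as quoted arguments, so the interactive steps above collapse to one line. The delegate name Aaron.Painter_Admin and the NetBIOS domain CONTOSO come from Lab C; the show role subcommand is the one listed under local roles (type ? at that prompt on your build to confirm it), and the list of privileged groups in the second part is an assumption.

```powershell
# Part 1: run in an elevated prompt on the RODC itself (dsmgmt ships with AD DS).
$delegate = 'CONTOSO\Aaron.Painter_Admin'   # pre-Windows 2000 logon name of the branch technician

# Add the account to the RODC's local Administrators role, then list the role.
& dsmgmt.exe 'local roles' "add $delegate administrators" quit quit
& dsmgmt.exe 'local roles' 'show role administrators' quit quit

# Part 2: run from NYC-DC1 or an RSAT workstation. Role separation only holds if the
# delegate is local to this RODC and nothing more, so confirm the account sits in no
# domain-wide privileged group. (Assumed group list; extend it to match your domain.)
Import-Module ActiveDirectory
$sam = ($delegate -split '\\')[-1]
$privileged = 'Domain Admins', 'Enterprise Admins', 'Schema Admins', 'Administrators',
              'Account Operators', 'Server Operators', 'Backup Operators'
$hits = foreach ($g in $privileged) {
    if (Get-ADGroupMember -Identity $g -Recursive | Where-Object { $_.SamAccountName -eq $sam }) { $g }
}
if ($hits) {
    Write-Warning "$sam is a member of privileged group(s): $($hits -join ', ')"
} else {
    "$sam holds the RODC Administrators role only; no domain-wide privileged membership."
}
```

On Windows Server 2008 R2 the local roles menu is also available in ntdsutil, and the user or group named on the RODC account's Managed By tab (the managedBy attribute, set by the delegation page when the account is prestaged) receives the Administrators role on that RODC as well. When you audit who can administer a branch RODC, check both the dsmgmt role list and managedBy.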
Lab C: Configure Read-Only Domain Controllers
Lab Setup
For this lab, you will use the available virtual machine environment. Before you begin the lab, you must complete the following steps:
1. On the host computer, click Start, point to Administrative Tools, and then click Hyper-V Manager.
2. In Hyper-V Manager, click 6425C-NYC-DC1, and in the Actions pane, click Start.
3. In the Actions pane, click Connect. Wait until the virtual machine starts.
4. Log on by using the following credentials:
User name: Pat.Coleman
Password: Pa$$w0rd
Domain: Contoso
5. Open Windows Explorer and then browse to D:\Labfiles\Lab10c.
6. Run Lab10c_Setup.bat with administrative credentials. Use the account Pat.Coleman_Admin, with the password Pa$$w0rd.
7. The lab setup script runs. When it is complete, press any key to continue.
8. Close the Windows Explorer window, Lab10c.
Lab Scenario
The security team at Contoso, Ltd has tasked you with increasing the security and monitoring of authentication against the enterprise's AD DS domain. Specifically, you are to improve the security of domain controllers in branch offices.
Exercise 1: Install an RODC
In this exercise, you will configure the server BRANCHDC01 as an RODC in the distant branch office. To avoid travel costs, you decide to do the conversion remotely with the assistance of Aaron Painter, the desktop support technician and only IT staff member at the branch. Aaron Painter has already installed a Windows Server 2008 computer named BRANCHDC01 as a server in a workgroup. You will stage a delegated installation of an RODC so that Aaron Painter can complete the installation.
The main tasks for this exercise are as follows:
1. Stage a delegated installation of an RODC.
2. Run the Active Directory Domain Services Installation Wizard on a workgroup server.
Task 1: Stage a delegated installation of an RODC.
1. Run Active Directory Users and Computers as an administrator, with the user name Pat.Coleman_Admin and the password Pa$$w0rd.
2. Right-click the Domain Controllers OU, and then click Pre-create Read-only Domain Controller account.
3. Step through the Active Directory Domain Services Installation Wizard, accepting all defaults. Use the computer name BRANCHDC01 and, on the Delegation of RODC Installation and Administration page, delegate installation to Aaron.Painter_Admin.
Note: When the wizard is complete, the server appears in the Domain Controllers OU with the DC Type column showing Unoccupied DC Account (Read-only, GC).
Task 2: Run the Active Directory Domain Services Installation Wizard on a workgroup server.
1. Start 6425C-BRANCHDC01.
2. Log on to BRANCHDC01 as Administrator with the password Pa$$w0rd.
3. Click Start, and then click Run.
4. Type dcpromo, and then press Enter.
A window appears that informs you that the AD DS binaries are being installed. When installation is completed, the Active Directory Domain Services Installation Wizard appears.
5. Click Next.
6. On the Operating System Compatibility page, click Next.
7. On the Choose A Deployment Configuration page, click the Existing forest option, click Add a domain controller to an existing domain, and then click Next.
8. On the Network Credentials page, type contoso.com.
9. Click the Set button.
A Windows Security dialog box appears.
10. In the User Name box, type Aaron.Painter_Admin.
11. In the Password box, type Pa$$w0rd, and then press Enter.
12. Click Next.
13. On the Select a Domain page, select contoso.com, and then click Next.
A message appears to inform you that your credentials do not belong to the Domain Admins or Enterprise Admins groups. Because you have prestaged and delegated administration of the RODC, you can proceed with the delegated credentials.
14. Click Yes.
A message appears to inform you that the account for BRANCHDC01 has been prestaged in Active Directory as an RODC.
15. Click OK.
16. On the Location For Database, Log Files, and SYSVOL page, click Next.
17. On the Directory Services Restore Mode Administrator Password page, type Pa$$w0rd12345 in the Password and Confirm Password boxes, and then click Next.
In a production environment, you should assign a complex and secure password to the Directory Services Restore Mode Administrator account. It is a local credential that remains valid when the directory is offline, so it must be stored and rotated like any other privileged secret.
Also, note that we modified the minimum password length in Lab A and as such need to meet the new minimum password length requirements.
18. On the Summary page, click Next.
19. In the progress window, select the Reboot On Completion check box. Active Directory Domain Services is installed on BRANCHDC01, and the server reboots.
Results: In this exercise, you created a new RODC named BRANCHDC01 in the contoso.com domain.
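The delegated attach from Task 2 run non-interactively, as an added example that is not from the lab. A dcpromo answer file lets the branch technician join the workgroup server to the prestaged RODC account without the wizard, which is the form you hand to someone who must do the step over a remote session; the point of the delegation is unchanged, the account used is Aaron.Painter_Admin, not a Domain Admin. The [DCInstall] keys are those documented for dcpromo /unattend on Windows Server 2008 and 2008 R2; the answer file path is an assumption, and the exit-code handling follows the documented convention that low codes are success variants and codes from 11 upward are failures (check %SystemRoot%\debug\dcpromo.log when in doubt).

```powershell
# Added example: attach BRANCHDC01 to its prestaged RODC account with a dcpromo answer
# file instead of the wizard. Run elevated on the workgroup server as the local Administrator.
$answerFile = 'C:\Temp\rodc-attach.txt'     # assumed path; removed again below
$delegate   = 'Aaron.Painter_Admin'         # delegated RODC installer and admin (Lab C)

# Collect both secrets at run time so they never live in a script or a checked-in file.
$cred = Get-Credential "contoso\$delegate"
$dsrm = Read-Host 'DSRM password (must satisfy the domain password policy)' -AsSecureString
$dsrmPlain = [Runtime.InteropServices.Marshal]::PtrToStringAuto(
    [Runtime.InteropServices.Marshal]::SecureStringToBSTR($dsrm))

$answer = @"
[DCInstall]
ReplicaOrNewDomain=ReadOnlyReplica
ReplicaDomainDNSName=contoso.com
UseExistingAccount=Attach
UserDomain=contoso.com
UserName=$($cred.UserName)
Password=$($cred.GetNetworkCredential().Password)
DatabasePath="C:\Windows\NTDS"
LogPath="C:\Windows\NTDS"
SYSVOLPath="C:\Windows\SYSVOL"
SafeModeAdminPassword=$dsrmPlain
RebootOnCompletion=No
"@

try {
    New-Item -ItemType Directory -Path (Split-Path $answerFile) -Force | Out-Null
    Set-Content -Path $answerFile -Value $answer -Encoding ASCII
    $p = Start-Process -FilePath "$env:SystemRoot\System32\dcpromo.exe" `
                       -ArgumentList "/unattend:$answerFile" -Wait -PassThru
    # dcpromo's success variants are small positive codes; 11 and above are failures.
    if ($p.ExitCode -gt 10) { throw "dcpromo failed with exit code $($p.ExitCode); see %SystemRoot%\debug\dcpromo.log" }
}
finally {
    # The answer file carried two passwords; remove it even if dcpromo failed.
    Remove-Item -Path $answerFile -Force -ErrorAction SilentlyContinue
}

# Reboot only after the answer file is gone.
Restart-Computer -Force
```

RebootOnCompletion is set to No deliberately: with Yes, dcpromo restarts the server before the finally block runs and the answer file, passwords included, would survive on disk until the next logon. The prestaging step itself stays a one-time task for a domain administrator on NYC-DC1, which is what keeps Domain Admin credentials off the branch server.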
Exercise 2: Configure Password Replication Policy
In this exercise, you will configure a domain-wide password replication policy and the password replication policy specific to BRANCHDC01.
The main tasks for this exercise are as follows:
1. Configure domain-wide password replication policy.
2. Create a group to manage password replication to the branch office RODC.
3. Configure password replication policy for the branch office RODC.
4. Evaluate resultant password replication policy.
Task 1: Configure domain-wide password replication policy.
Who are the default members of the Allowed RODC Password Replication Group?
Who are the default members of the Denied RODC Password Replication Group?
Add the DNSAdmins group as a member of the Denied RODC Password Replication Group.
Examine the password replication policy for BRANCHDC01.
What are the password replication policies for the Allowed RODC Password Replication Group and for the Denied RODC Password Replication Group?
Task 2: Create a group to manage password replication to the branch office RODC.
1. In the Groups\Role OU, create a new global security group called BranchOfficeUsers.
2. Add the following users to the BranchOfficeUsers group:
Anav.Silverman
Chris.Gallagher
Christa.Geller
Daniel.Roth
Task 3: Configure password replication policy for the branch office RODC.
Configure BRANCHDC01 so that it caches passwords for users in the BranchOfficeUsers group.
Task 4: Evaluate resultant password replication policy.
Open the Resultant Policy for BRANCHDC01's password replication policy.
Question: What is the resultant policy for Chris.Gallagher?
Results: In this exercise, you configured the domain-wide password replication policy to prevent the replication of passwords of members of DNSAdmins to RODCs. You also configured the password replication policy for BRANCHDC01 to allow replication of passwords of members of BranchOfficeUsers.
Exercise 3: Manage Credential Caching
In this exercise, you will monitor credential caching.
The main tasks for this exercise are as follows:
1. Monitor credential caching.
2. Prepopulate credential caching.
Task 1: Monitor credential caching.
1. Log on to BRANCHDC01 as Chris.Gallagher with the password Pa$$w0rd, and then log off.
2. Log on to BRANCHDC01 as Mike.Danseglio with the password Pa$$w0rd, and then log off.
The contoso.com domain used in this course includes a Group Policy object (named 6425C) that allows users to log on to domain controllers. In a production environment, it is not recommended to give users the right to log on to domain controllers.
3. On NYC-DC1, in Active Directory Users and Computers, examine the password replication policy for BRANCHDC01.
Question: Which users' passwords are currently cached on BRANCHDC01?
Question: Which users have been authenticated by BRANCHDC01?
Task 2: Prepopulate credential caching.
In the password replication policy for BRANCHDC01, prepopulate the password for Christa Geller.
Results: In this exercise, you identified the accounts that have been cached on BRANCHDC01, or have been forwarded to another domain controller for authentication. You also prepopulated the cached credentials for Christa Geller.
Lab Review Questions
Question: Why should you ensure that the password replication policy for a branch office RODC has, in its Allow list, the accounts for the computers in the branch office as well as the users?
Question: What would be the most manageable way to ensure that computers in a branch are in the Allow list of the RODC's password replication policy?
To prepare for the next module
When you finish the lab, revert the virtual machines to their initial state. To do this, complete the following steps:
1. On the host computer, start Hyper-V Manager.
2. Right-click 6425C-NYC-DC1 in the Virtual Machines list, and then click Revert.
3. In the Revert Virtual Machine dialog box, click Revert.
4. Repeat these steps for 6425C-NYC-SVR1 and 6425C-BRANCHDC01.
Module Review and Takeaways
Review Questions
Question: In your organization, a number of users deal with confidential files on a regular basis. You need to ensure that all these users have strict account policies enforced. The user accounts are scattered across multiple OUs. How would you accomplish this with the least administrative effort?
Question: Where should you define the default password and account lockout policies for user accounts in the domain?
Question: What would be the disadvantage of auditing all successful and failed logons on all machines in your domain?
Question: What are the advantages and disadvantages of prepopulating the credentials for all users and computers in a branch office to that branch's RODC?
Common Issues Related to Authentication in Active Directory
Issue | Troubleshooting tip
User is not forced to change the password even if that setting is configured in Default Domain Policy. | User or group does not have the right PSO applied.
You cannot deploy an RODC. |
Real World Issues and Scenarios
You must ensure that all users change their password every 30 days. Company procedures specify that if a user's password will expire while the user is out of the office, the user may change the password prior to departure. You must account for a user who is out of the office for up to two weeks. Additionally, you must ensure that a user cannot reuse a password within a one-year time period. How would you configure account policies to accomplish this?
Best Practices Related to Authentication in an AD DS Domain
Use the Default Domain Policy GPO to specify general password and account lockout policies that will apply to most users.
Use fine-grained password policy to specify stricter password and account lockout policies for specific users and groups, such as those with administrative privileges.
Do not enable all options for auditing, because you will generate a large volume of security log events that will be hard to search. Use advanced audit policy to get more granular control over what is audited.
Deploy RODCs in sites where physical security is an issue, and keep privileged accounts on the Denied List so that a stolen RODC yields no domain-wide secrets.
Tools
Tool | Used for | Where to find it
Group Policy Management console | Editing and managing Group Policy objects | Administrative Tools
ADSI Edit | Creating Password Settings Objects | Administrative Tools
Dcpromo | Creating and managing domain controllers | Command-line utility
Windows Server 2008 R2 Features Introduced in this Module
Feature | Description
Advanced Audit Policies | New settings in Group Policy objects for more detailed auditing of various system events