Focus on Microsoft
[Q] Beef Up Active Directory Jun 09 2005 12:33AM
Howard Sheen (flee74 gmail com) (2 replies)
RunAs Jun 12 2005 09:54AM
martin (gremagehan web de)
Re: [Q] Beef Up Active Directory Jun 09 2005 02:55PM
Danny (nocmonkey gmail com)
On 6/8/05, Howard Sheen <flee74 (at) gmail (dot) com [email concealed]> wrote:
>
> Hi!
> First post to the list. :)
>
> Now, I'm trying to find some solutions to beef up my Active Directory
> environment.

[...]

> But, I think there is something in need, like controlling peripheral
> devices such as removable storage, NIC, and CD-RW.

Go to www.bink.nu, and search for a new GPO ADM file that was just
released, or download it directly: http://bink.nu/files/drmadm.zip

> In addition, as you know, Domain Administrators' rights are so strong
> and I think those accounts should be managed carefully
> with some powerful authenticating method like OTP, Smartcard, Dongle
> Key..whatever.

RunAs is a powerful tool for eliminating administrator account overuse.

> I found some, commercial, solutions for above requirements and in the
> progress of testing
>
> Device Lock from SmartLine : http://www.protect-me.com/dl/
> Advanced authentication from Protocom :
> http://www.protocom.com/html/securelogin_advanced_authentication.html
>
> What I want to know is
> 1. Any other solutions for these requirements???
> 2. Any BP(Best Practice) for beefing up AD ??
> 3. Anything I need to consider more ???

From an MS AD security Chat:

Proactive Measure #1 Establish Secure Boundaries

In Active Directory, the forest is the security boundary
To establish secure boundaries carefully design your Active Directory
logical structure:
Identify all Active Directory deployment participants (business units
/ entities)
Assess organizational, operational & legal requirements of all participants
For each requirement, determine autonomy and isolation needs
Assess level of trust that you can bestow in your service
administrators (forest owners and domain owners). Use "Designing the
Active Directory Logical Structure" document to design your Active
Directory logical structure
Document location: http://go.microsoft.com/fwlink/?LinkId=4723

Proactive measure #2 Establish Secure Collaboration

Establish secure collaboration with other forests
Create a forest trust relationship only when all forest and all domain
administrators are trusted individuals

Do not include users from other forests in any group that:

1) is responsible for service management
2) can manage membership of service administrator groups
3) has admin control over computers that store protected data or
4) has access to protected data / is responsible for management of
users/groups that have acce

Establish secure collaboration with external domains

Consider risk of using SID History & impact of enabling SID filtering
and remember, SID History is only meant to be an interim state of a
user object to preserve access during migration

Proactive Measure #3 Deploy DCs Securely

Establish secure DC build practices and as far as possible, automate
the build process
Build your DCs in a secure environment, limit physical access to DCs
to trusted personnel only, Promote and operate new DCs in a restricted
access area.
Ensure predictable, repeatable & secure DC deployments by Installing
Windows Server 2003 with latest service packs & hot-fixes, creating
strong password for the Administrator account on DCs, running
virus-scanning software on the server
|Virus scanning recommendations on DCs: MS KB Article ID 822158

Proactive Measure #4

Physically secure every Domain Controller in your organization
Secure DCs against physical access
Prevent DCs from booting into alternate OS
Protect DCs on restart by using SYSKEY
Secure all backup media against physical access
Enhance network infrastructure security
Secure the remote restart of domain controllers

#5 Strengthen Policy Settings:

Increase domain security by establishing: Password policy, Account
lockout policy and Kerberos policy settings

#6 Establish Secure Administrative Practices

Make only the most highly trustworthy personnel Service Admins,
Perform rigorous background checks and require high security
clearance, Minimize total number of Service Admins to a bare minimum,
Delegate data administration to data admins

Establish & enforce an admin code of ethics & policies that clearly
state consequences of abuse of admin power

#7 Secure Service Administrator Accounts and Workstations

Secure Service Administrator accounts: Limit exposure of Service Admin
accounts, Hide Service Admin group memberships, Only assign
trustworthy personnel from within the forest, Control administrative
logons by requiring smart cards and sharing logons for

Secure Service Administrator workstations: Restrict service admin
logon to admin workstations, Prohibit use of cached credentials in
unlocking administrative workstations, Avoid running applications in
Service Admin contexts, Run antivirus software on adm

#8 Delegate Administrative Authority Securely

Delegate administrative authority based on principle of least
privilege Use administrative roles to delegate admin authority
Additionally, Restrict Group Policy mgmt to highly trusted individuals
Delegate group creation ability to trusted individuals

Understand ramifications of creator-owner concept Ensure that Service
Administrators own partition roots

Read "Best Practices Guide to Delegating Administration in Active
Directory" whitepaper .
http://www.microsoft.com/downloads/details.aspx?FamilyID=631747a3-79e1-48fa-9730-dae7c0a1d6d3&DisplayLang=en

#9 Secure your DNS Infrastructure

Using Active Directory-integrated DNS is highly recommended Implements
secure dynamic update Integrated Windows Security protection In
Windows Server 2003, offers quotas to limit number of DNS resource
records that can be registered

#10 Restrict Anonymous Access

Ability to restrict anonymous access is dependent on existing need to
allow anonymous access Some traditional services & programs rely on
Anonymous access to DCs Applications and services running on machines
in System security context on NT 4.0 machines,

Determine whether any applications require anonymous access to Active
Directory data If possible, eliminate requirement for anonymous Active
Directory Access Proceed to restrict anonymous access to Active
Directory data only after eliminating all requirements

...D
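Measure #5 above says to strengthen the domain Password, Account Lockout and Kerberos policy settings but gives no way to check what is actually in force. The following is an added example, not code from the mailing list post or from Microsoft: it parses the INI-style file that `secedit /export /cfg policy.inf` writes on a domain controller and reports every setting that falls below a threshold. The thresholds, the two sample exports and the function names (`parse_policy`, `audit_policy`) are constructed for illustration and are not Microsoft's recommended values.

```python
"""Audit a secedit security-template export for weak domain policy settings."""
import configparser
from typing import Callable, Dict, List, Tuple

# Constructed sample of a weak export (section and key names follow secedit's
# real layout; the values are illustrative, not a captured production policy).
WEAK_EXPORT = """\
[Unicode]
Unicode=yes
[System Access]
MinimumPasswordAge = 0
MaximumPasswordAge = 42
MinimumPasswordLength = 0
PasswordComplexity = 0
PasswordHistorySize = 0
LockoutBadCount = 0
[Kerberos Policy]
MaxTicketAge = 10
MaxRenewAge = 7
MaxServiceAge = 600
MaxClockSkew = 5
TicketValidateClient = 1
[Version]
signature="$CHICAGO$"
Revision=1
"""

# Constructed sample of the same export after the policy has been tightened.
HARDENED_EXPORT = """\
[Unicode]
Unicode=yes
[System Access]
MinimumPasswordAge = 1
MaximumPasswordAge = 90
MinimumPasswordLength = 12
PasswordComplexity = 1
PasswordHistorySize = 24
LockoutBadCount = 10
ResetLockoutCount = 30
LockoutDuration = 30
[Kerberos Policy]
MaxTicketAge = 10
MaxRenewAge = 7
MaxServiceAge = 600
MaxClockSkew = 5
TicketValidateClient = 1
[Version]
signature="$CHICAGO$"
Revision=1
"""


def parse_policy(text: str) -> Dict[str, Dict[str, str]]:
    """Parse a secedit INF export into {section: {key: value}}, keeping key case.

    A real export on disk is UTF-16; read it with open(path, encoding="utf-16")
    before passing the text in here.
    """
    cp = configparser.ConfigParser(interpolation=None)
    cp.optionxform = str  # secedit keys are CamelCase; do not lowercase them
    cp.read_string(text)
    return {section: dict(cp[section]) for section in cp.sections()}


# (section, key, check, expectation). Thresholds are constructed illustrations
# of measure #5; adjust them to your own domain policy.
RULES: List[Tuple[str, str, Callable[[int], bool], str]] = [
    ("System Access", "MinimumPasswordLength", lambda v: v >= 8, "at least 8 characters"),
    ("System Access", "PasswordComplexity", lambda v: v == 1, "1 (complexity enabled)"),
    ("System Access", "PasswordHistorySize", lambda v: v >= 12, "at least 12 remembered"),
    ("System Access", "MinimumPasswordAge", lambda v: v >= 1, "at least 1 day (blocks cycling history)"),
    ("System Access", "MaximumPasswordAge", lambda v: 1 <= v <= 90, "between 1 and 90 days"),
    ("System Access", "LockoutBadCount", lambda v: 1 <= v <= 10, "between 1 and 10 failed logons"),
    ("Kerberos Policy", "TicketValidateClient", lambda v: v == 1, "1 (enforce logon restrictions)"),
    ("Kerberos Policy", "MaxClockSkew", lambda v: v <= 5, "at most 5 minutes"),
    ("Kerberos Policy", "MaxTicketAge", lambda v: 1 <= v <= 10, "between 1 and 10 hours"),
    ("Kerberos Policy", "MaxServiceAge", lambda v: 10 <= v <= 600, "between 10 and 600 minutes"),
]


def _int_or_none(raw: str):
    try:
        return int(raw)
    except ValueError:
        return None


def audit_policy(text: str) -> List[str]:
    """Return one finding per setting that is missing, malformed or below threshold."""
    policy = parse_policy(text)
    findings: List[str] = []
    for section, key, check, want in RULES:
        raw = policy.get(section, {}).get(key)
        if raw is None:
            findings.append(f"{section}/{key}: not set (expected {want})")
            continue
        value = _int_or_none(raw)
        if value is None:
            findings.append(f"{section}/{key}={raw!r}: not an integer (expected {want})")
        elif not check(value):
            findings.append(f"{section}/{key}={value}: expected {want}")
    # Lockout duration/reset keys only appear once LockoutBadCount is non-zero,
    # so check them conditionally. -1 for LockoutDuration means "until an
    # administrator unlocks", which is acceptable here.
    access = policy.get("System Access", {})
    if (_int_or_none(access.get("LockoutBadCount", "0")) or 0) > 0:
        for key in ("LockoutDuration", "ResetLockoutCount"):
            value = _int_or_none(access.get(key, ""))
            if value is None or (value != -1 and value < 15):
                findings.append(f"System Access/{key}: expected -1 or at least 15 minutes")
    return findings


if __name__ == "__main__":
    for label, export in (("weak", WEAK_EXPORT), ("hardened", HARDENED_EXPORT)):
        print(f"{label}: {len(audit_policy(export))} finding(s)")
        for line in audit_policy(export):
            print("  ", line)
```

Run it against a real export by reading the `.inf` file (UTF-16) and passing its contents to `audit_policy`; the weak sample produces five findings (password length, complexity, history, minimum age and lockout count) and the hardened one produces none. The Kerberos rules are the settings the post lists under measure #5; the SID-filtering and anonymous-access items elsewhere in the post are registry and trust settings and are not covered by a security template export.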

Copyright 2009, SecurityFocus