Windows 2000 & Active Directory Security Best Practices & Using Tools to Help Audit
Taha Raja, Senior Systems Engineer
(PowerPoint presentation transcript)
Agenda
• Overview
• Windows System Hardening Suggestions
• Active Directory Security Suggestions
• Security Best Practices Guidelines
• Reminders
• References
Role of Corporate Culture
Paramount to the success of an enterprise security program are the relationships among risk analysis, the organization's culture, and security policy.
Security is Everyone’s Responsibility
A security policy should communicate to everyone in your organization the simple principle that information is a valuable asset and everyone is responsible for protecting it.
Things To Remember
• Policies are cross-platform; implementations are not
• Policies must be designed to be implemented; "nirvana" security policies are not effective
• Implementation should include ongoing auditing, enforcement, and non-IT remedies
• Leverage solutions to speed the process
BindView Corporation
Windows NT/2000 System Hardening Suggestions
System Hardening Intent
• The process should result in a server with virtually everything locked down and disabled.
• This provides a secure base upon which to build.
• After this procedure is completed, the services this machine is to offer can be selectively enabled.
Recommendations
• Updated patches: service packs, hotfixes, High Encryption Pack
• Enable auditing
• Set password policy
• Account lockout
• User rights
• Event log
• Services
• Other settings
Windows 2000 Auditing: RAZOR Recommendations
Enable auditing for:
• Account logon: Success, Failure
• Account management: Success, Failure
• Directory service access: Failure
• Logon events: Success, Failure
• Object access: Failure
• Policy change: Success, Failure
• Privilege use: Failure
• Process tracking: Failure
• System event: Success, Failure
Password Policy: RAZOR Recommendations
• Enforce password history: 7 (or higher)
• Maximum password age: 42 days (default)
• Minimum password age: 0 (default)
• Minimum password length: 7
• Password must meet complexity requirements: Enabled
Note that with a minimum password age of 0 a user can cycle through seven throwaway passwords in one sitting and return to the original one, which defeats the history setting; a minimum age of one day or more closes that gap.
Account Lockout Policy: RAZOR Recommendations
• Account lockout duration: 10 minutes (or more)
• Account lockout threshold: 5 invalid logon attempts
• Reset account lockout counter after: 10 minutes
Lockout slows online guessing, but it also lets anyone who knows account names lock users out deliberately, so keep the duration short enough that the help desk is not swamped by a flood of failed logons.
User Rights: RAZOR Recommendations
Never assign the following user rights to any user or group:
• Act as part of the operating system
• Create a token object
• Create permanent shared objects
• Debug programs
• Generate security audits
• Lock pages in memory
• Manage auditing and security log (* the one exception is the Auditors group described under "Securing the Security Event Log")
• Modify firmware environment variables
• Replace a process level token
• Synchronize directory service data
User Rights: RAZOR Recommendations (cont'd)
• Access this computer from the network: remove Everyone, Users, Power Users, and Backup Operators (if possible)
• Bypass traverse checking: change Everyone to Authenticated Users
• Change the system time: remove Power Users
• Deny access to this computer from the network: add ANONYMOUS LOGON
• Deny logon as a batch job: add ANONYMOUS LOGON
• Deny logon as a service: add ANONYMOUS LOGON
• Deny logon locally: add ANONYMOUS LOGON
• Log on locally: remove Users, Power Users, Guest, and TsInternetUser
• "Everyone" should not be listed in any right at this point
Removing Users from "Access this computer from the network" means no ordinary user can reach the machine's shares or services; that is the intended locked-down base, and the groups a server's enabled services need are added back selectively afterwards. Do not apply this list unchanged to a domain controller, which must accept network logons from the domain's users.
Event Log Settings: RAZOR Recommendations
• Set each log to a minimum of 10 MB in size
• If events are exported to a central repository, set the log to not overwrite events, so nothing is lost before it is collected
• Otherwise, overwrite events as needed
A log set to "do not overwrite" stops recording once it is full, so the collector must drain it faster than it fills, and the size should be chosen with that in mind.
Securing the Security Event Log
The security event log records unauthorized access to the system, so control over it should be limited:
• Create an "Auditors" group
• Give it Full Control of the log and remove all administrators
• Grant it the user right "Manage auditing and security log"
This separates the duty of reviewing the log from the duty of administering the machine. It does not defend against a malicious administrator, who can grant the right back to Administrators; it makes that act visible (audit of policy change) rather than impossible.
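The RAZOR settings above (audit policy, password and lockout policy, user rights, event log sizes, and the Auditors group) can all be expressed in one Windows 2000 security template and applied with secedit.exe, the security configuration tool that shipped with Windows 2000. The script below is an added example, not code from the presentation or from BindView: it writes the template and runs secedit first in analyze mode (reports differences, changes nothing) and then in configure mode. PowerShell postdates Windows 2000; on a Windows 2000 host the same template would be applied from cmd.exe with the two secedit lines at the bottom. It assumes a local group named Auditors already exists and that C:\Harden is writable; neither is stated on the page.

```powershell
# Added example, not from the presentation. Applies the RAZOR baseline with secedit.exe.
# Assumptions: a local group "Auditors" exists; C:\Harden is writable; run as Administrator.

$TemplatePath = 'C:\Harden\razor-baseline.inf'
$DatabasePath = 'C:\Harden\razor-baseline.sdb'
$LogPath      = 'C:\Harden\razor-baseline.log'

# Single-quoted here-string: nothing inside is interpolated, so "$CHICAGO$" survives intact.
$Template = @'
[Unicode]
Unicode=yes

[System Access]
; Password policy (RAZOR values from the slides)
PasswordHistorySize = 7
MaximumPasswordAge = 42
MinimumPasswordAge = 0
MinimumPasswordLength = 7
PasswordComplexity = 1
; Account lockout policy
LockoutBadCount = 5
LockoutDuration = 10
ResetLockoutCount = 10

[Event Audit]
; 0 = no auditing, 1 = success, 2 = failure, 3 = success and failure
AuditAccountLogon = 3
AuditAccountManage = 3
AuditDSAccess = 2
AuditLogonEvents = 3
AuditObjectAccess = 2
AuditPolicyChange = 3
AuditPrivilegeUse = 2
AuditProcessTracking = 2
AuditSystemEvents = 3

[Event Log]
; Sizes are in KB (10240 = 10 MB). Retention 0 = overwrite as needed,
; 2 = do not overwrite (use 2 only when a collector exports the logs centrally).
MaximumLogSize = 10240
MaximumSecurityLogSize = 10240
MaximumSystemLogSize = 10240
AuditLogRetentionPeriod = 0
SecurityLogRetentionPeriod = 0
SystemLogRetentionPeriod = 0
RestrictGuestAccess = 1

[Privilege Rights]
; An empty value assigns the right to nobody ("never assign" list from the slides).
SeTcbPrivilege =
SeCreateTokenPrivilege =
SeCreatePermanentPrivilege =
SeDebugPrivilege =
SeAuditPrivilege =
SeLockMemoryPrivilege =
SeSystemEnvironmentPrivilege =
SeAssignPrimaryTokenPrivilege =
SeSyncAgentPrivilege =
; Manage auditing and security log: only the Auditors group (assumed to exist)
SeSecurityPrivilege = Auditors
; Access this computer from the network: Administrators (S-1-5-32-544) only, as the locked-down base
SeNetworkLogonRight = *S-1-5-32-544
; Bypass traverse checking: Authenticated Users (S-1-5-11) in place of Everyone; other defaults kept
SeChangeNotifyPrivilege = *S-1-5-11,*S-1-5-32-544,*S-1-5-32-545,*S-1-5-32-547,*S-1-5-32-551
; Change the system time: Power Users removed
SeSystemtimePrivilege = *S-1-5-32-544
; Deny rights for ANONYMOUS LOGON (S-1-5-7)
SeDenyNetworkLogonRight = *S-1-5-7
SeDenyBatchLogonRight = *S-1-5-7
SeDenyServiceLogonRight = *S-1-5-7
SeDenyInteractiveLogonRight = *S-1-5-7
; Log on locally: Users, Power Users, Guest and TsInternetUser removed
SeInteractiveLogonRight = *S-1-5-32-544

[Version]
signature="$CHICAGO$"
Revision=1
'@

New-Item -ItemType Directory -Path (Split-Path $TemplatePath) -Force | Out-Null
# secedit expects Unicode (UTF-16LE) templates, matching the [Unicode] header above.
Set-Content -Path $TemplatePath -Value $Template -Encoding Unicode

# 1. Analyze: import the template into the database and log every setting that differs.
& secedit.exe /analyze /db $DatabasePath /cfg $TemplatePath /log $LogPath /quiet
Get-Content $LogPath | Select-String -Pattern 'Mismatch|Not Configured'

# 2. Configure: apply the sections used above (policy, audit, event log, user rights).
& secedit.exe /configure /db $DatabasePath /cfg $TemplatePath /overwrite /areas SECURITYPOLICY USER_RIGHTS /log $LogPath /quiet
```

Run the analyze step on its own first and read the log; once the template has been applied, the same analyze command is the audit that shows drift from the baseline. Do not apply this template to a domain controller: it removes Authenticated Users from network logon, which domain logons depend on, and it strips Administrators of the right to manage the security log, which is only safe once the Auditors group is staffed.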
Best Practices
• Patches, patches, patches: the first line of defense is up-to-date patches. Most widely exploited problems have patches.
• Minimal services: many widely exploited flaws exist in services that are installed by default but rarely used. Disable all unused services.
• Anti-virus software: up-to-date AV software will prevent problems from spreading out of control.
• Strong passwords: password crackers are fast and getting faster. Exploit tools automate logging in to a variety of services that use blank or default passwords. Use a one-time password pad whenever possible and strong passwords the rest of the time. Users must be educated to understand the risks.
• Egress filtering: Trojans like to "phone home," as do lots of malicious programs. Use a web proxy and limit outbound connections strictly.
Active Directory Security Suggestions
Security Features in Active Directory
•Granular Delegation
•Group Policy Objects (GPOs)
•ACLs
Opposite of NT
The granularity of authorizations has been greatly extended in Win2K to cover not only an object but also the attributes of an object.
• As a result, you can allow a group of administrators to do nothing but reset user passwords.
This granularity works because each attribute of an AD object can carry its own access control entries; there isn't just a single all-or-nothing ACL for the entire object.
Delegation
• The preferred way to delegate administrative control over Active Directory objects is to create OUs within a domain and use the Delegation of Control Wizard to assign granular permissions to the delegated administrators.
• When you design the OU structure for each of your domains, consider creating OUs only where you want to delegate administration (or, equally, apply a distinct Group Policy); an OU that exists for no such reason is just administrative overhead.
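The "reset passwords and nothing else" delegation described above is what the Delegation of Control Wizard produces when you pick the task "Reset user passwords and force password change at next logon": two attribute-level ACEs on the OU, inherited by user objects only. The script below is an added example (not from the presentation) that writes the same two ACEs with the .NET System.DirectoryServices classes and reads them back for auditing. The OU "OU=Staff,DC=corp,DC=example" and the group "CORP\Helpdesk" are placeholders; the GUIDs are the fixed schema identifiers for the user class, the pwdLastSet attribute and the "Reset Password" (User-Force-Change-Password) control access right.

```powershell
# Added example, not from the presentation. Delegates password reset on one OU.
# Assumptions: OU and group below exist; caller may modify the OU's security descriptor.

Add-Type -AssemblyName System.DirectoryServices

# Schema GUIDs (the same in every forest):
$UserClassGuid  = [Guid]'bf967aba-0de6-11d0-a285-00aa003049e2'  # object class: user
$ResetPwRight   = [Guid]'00299570-246d-11d0-a768-00aa006e0529'  # control access right: User-Force-Change-Password
$PwdLastSetAttr = [Guid]'bf967a0a-0de6-11d0-a285-00aa003049e2'  # attribute: pwdLastSet

function Grant-PasswordResetDelegation {
    param(
        [Parameter(Mandatory)] [string] $OuDn,      # e.g. 'OU=Staff,DC=corp,DC=example'
        [Parameter(Mandatory)] [string] $Delegate   # e.g. 'CORP\Helpdesk'
    )
    $ou  = [ADSI]"LDAP://$OuDn"
    $sid = (New-Object System.Security.Principal.NTAccount($Delegate)).Translate(
               [System.Security.Principal.SecurityIdentifier])
    $inherit = [System.DirectoryServices.ActiveDirectorySecurityInheritance]::Descendents
    $allow   = [System.Security.AccessControl.AccessControlType]::Allow

    # ACE 1: the extended right "Reset Password", applying to user objects below the OU only.
    $resetRule = New-Object -TypeName System.DirectoryServices.ActiveDirectoryAccessRule -ArgumentList @(
        $sid, [System.DirectoryServices.ActiveDirectoryRights]::ExtendedRight,
        $allow, $ResetPwRight, $inherit, $UserClassGuid)

    # ACE 2: write access to the single attribute pwdLastSet, so the helpdesk can set
    # "user must change password at next logon". No other attribute is touched.
    $pwdRule = New-Object -TypeName System.DirectoryServices.ActiveDirectoryAccessRule -ArgumentList @(
        $sid, [System.DirectoryServices.ActiveDirectoryRights]::WriteProperty,
        $allow, $PwdLastSetAttr, $inherit, $UserClassGuid)

    $ou.ObjectSecurity.AddAccessRule($resetRule)
    $ou.ObjectSecurity.AddAccessRule($pwdRule)
    $ou.CommitChanges()
}

function Get-PasswordResetDelegation {
    # Audit helper: list every ACE on the OU that names the delegate.
    param(
        [Parameter(Mandatory)] [string] $OuDn,
        [Parameter(Mandatory)] [string] $Delegate
    )
    $ou = [ADSI]"LDAP://$OuDn"
    $ou.ObjectSecurity.GetAccessRules($true, $true, [System.Security.Principal.NTAccount]) |
        Where-Object { $_.IdentityReference.Value -eq $Delegate } |
        Select-Object IdentityReference, AccessControlType, ActiveDirectoryRights,
                      ObjectType, InheritedObjectType, InheritanceType
}

Grant-PasswordResetDelegation -OuDn 'OU=Staff,DC=corp,DC=example' -Delegate 'CORP\Helpdesk'
Get-PasswordResetDelegation   -OuDn 'OU=Staff,DC=corp,DC=example' -Delegate 'CORP\Helpdesk'
```

The read-back is the useful half for an auditor: the ObjectType column should show only the two GUIDs above, and InheritedObjectType should be the user class GUID. A delegate whose ACE shows GenericAll, or an empty ObjectType with WriteProperty, has been given far more than password reset.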
Group Policy Objects
Group Policy lets you uniformly enforce defined security policies throughout your computing infrastructure: create domain-level GPOs that define the most critical security-related settings, and those settings are enforced on every computer in the domain. Security settings no longer have to be managed on individual computers.
Group Policy Object Initialization
• Computer-related policy settings are applied when the OS initializes.
• User-related policy settings are applied when users log on to their computers.
NOTE: If computer settings and user settings come into conflict, the computer configuration settings override the user configuration settings.
Take-away Note
The most important thing to remember when you set up access control in your Win2K environment is to give people the minimum number of rights they need to do their jobs.
Security Best Practices Guidelines
Best Practice Overview
•Secondary Authentication
•General Recommendations
•Physical Security
•Other Considerations
Using Secondary Authentication
No system administrator in your environment should ever again read mail and compose simple documents while running as a member of the Domain Admins group! Give each administrator a second, privileged account that is used only for administrative work, and have them do everything else from an ordinary user account.
Best Practices - General
•Use legal notice captions on all machines
•Use legal notice text on all machines
•Do not display last logon name
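"Using Tools to Help Audit" is the other half of the title, so here is an added example (not from the presentation or from BindView's products) that checks a host against the RAZOR policy values from the hardening section and the three Winlogon settings just listed. secedit /export dumps the effective local policy as a template; the script parses that file and reports every setting that misses the recommendation, then reads the legal-notice and last-logon values from the registry. The expected values are the ones on the slides; the path C:\Harden is an assumption.

```powershell
# Added example, not from the presentation. Audits a host against the RAZOR baseline.
# Assumptions: run as Administrator; C:\Harden is writable.

function ConvertFrom-SecurityTemplate {
    # Parse a secedit .inf file into @{ Section = @{ Key = Value } }.
    param([Parameter(Mandatory)] [string] $Path)
    $result  = @{}
    $section = $null
    foreach ($raw in Get-Content -Path $Path) {
        $line = $raw.Trim()
        if ($line -eq '' -or $line.StartsWith(';')) { continue }
        if ($line -match '^\[(.+)\]$') {
            $section = $Matches[1]
            if (-not $result.ContainsKey($section)) { $result[$section] = @{} }
            continue
        }
        if ($section -and $line -match '^([^=]+?)\s*=\s*(.*)$') {
            $result[$section][$Matches[1]] = $Matches[2]
        }
    }
    return $result
}

# What the slides recommend.
$ExpectedSystemAccess = @{
    PasswordHistorySize = 7;  MaximumPasswordAge = 42; MinimumPasswordLength = 7; PasswordComplexity = 1
    LockoutBadCount = 5;      LockoutDuration = 10;    ResetLockoutCount = 10
}
$ExpectedEventAudit = @{   # 1 = success, 2 = failure, 3 = both
    AuditAccountLogon = 3; AuditAccountManage = 3;  AuditDSAccess = 2;        AuditLogonEvents = 3
    AuditObjectAccess = 2; AuditPolicyChange = 3;   AuditPrivilegeUse = 2;    AuditProcessTracking = 2
    AuditSystemEvents = 3
}
# The slides say "or higher" / "or more" for these, so a larger value passes.
$AtLeast = 'PasswordHistorySize', 'MinimumPasswordLength', 'LockoutDuration'

function Test-LocalPolicyBaseline {
    param([string] $ExportPath = 'C:\Harden\effective.inf')
    New-Item -ItemType Directory -Path (Split-Path $ExportPath) -Force | Out-Null
    & secedit.exe /export /cfg $ExportPath /quiet | Out-Null
    $policy   = ConvertFrom-SecurityTemplate -Path $ExportPath
    $findings = @()
    $checks = @(@{ Section = 'System Access'; Expected = $ExpectedSystemAccess },
                @{ Section = 'Event Audit';   Expected = $ExpectedEventAudit })
    foreach ($check in $checks) {
        foreach ($key in $check.Expected.Keys) {
            $expected = [int]$check.Expected[$key]
            $actual   = $policy[$check.Section][$key]      # $null when the setting is absent
            $ok = if ($null -eq $actual)                       { $false }
                  elseif ($key -eq 'LockoutDuration' -and [int]$actual -eq 0) { $true }  # 0 = locked until an admin unlocks (stricter)
                  elseif ($AtLeast -contains $key)             { [int]$actual -ge $expected }
                  else                                         { [int]$actual -eq $expected }
            if (-not $ok) {
                $findings += [pscustomobject]@{ Setting = "$($check.Section)\$key"; Expected = $expected; Actual = $actual }
            }
        }
    }
    return $findings
}

function Test-WinlogonBaseline {
    # Legal notice caption and text must be set; the last logon name must not be displayed.
    $wl = Get-ItemProperty -Path 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'
    $findings = @()
    foreach ($name in 'LegalNoticeCaption', 'LegalNoticeText') {
        if ([string]::IsNullOrWhiteSpace($wl.$name)) {
            $findings += [pscustomobject]@{ Setting = "Winlogon\$name"; Expected = '<non-empty>'; Actual = $wl.$name }
        }
    }
    # Windows 2000 stores DontDisplayLastUserName as REG_SZ "1"; later versions use REG_DWORD 1.
    if ("$($wl.DontDisplayLastUserName)" -ne '1') {
        $findings += [pscustomobject]@{ Setting = 'Winlogon\DontDisplayLastUserName'; Expected = 1; Actual = $wl.DontDisplayLastUserName }
    }
    return $findings
}

$all = @(Test-LocalPolicyBaseline) + @(Test-WinlogonBaseline)
if ($all.Count -eq 0) { 'Host matches the baseline.' } else { $all | Format-Table -AutoSize }
```

The export reflects the effective local policy, so on a domain member it already includes whatever the domain GPOs pushed down; a mismatch therefore means the GPO is wrong or not applying, not merely that the local template was never run.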
Physical Security Best Practices
• Keep servers in a locked room
• Disable the removable-media boot option if available
• Remove or restrict access to the removable media drives
• The computer case should be secured with a key stored safely away from the computer
• Implement a system BIOS password
Reminders
Reminder
Security is everyone's responsibility:
• Management
• IT staff
• Users
Reminder
• Technical support staff should be reminded never to reveal or reset passwords for anyone over the phone
• User community education: password use and "storage", social engineering techniques
Importance Of A Strong Password
Estimated time to brute-force a password at 100,000 guesses per second (the table itself did not survive the transcript)
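The slide's table is missing from the transcript, so the following added example (not from the presentation) recomputes it. It assumes exactly what the slide states, an attacker trying every combination at 100,000 guesses per second, and reports the worst-case time to exhaust the keyspace. The character-set sizes are the usual ones (26 lowercase, 52 mixed case, 62 alphanumeric, 95 printable ASCII) and are the only assumption beyond the slide.

```powershell
# Added example, not from the presentation. Worst-case brute-force time per length and charset.

$GuessesPerSecond = 100000   # rate stated on the slide

function Format-Duration {
    param([double] $Seconds)
    if ($Seconds -lt 60)       { return ('{0:N0} seconds' -f $Seconds) }
    if ($Seconds -lt 3600)     { return ('{0:N1} minutes' -f ($Seconds / 60)) }
    if ($Seconds -lt 86400)    { return ('{0:N1} hours'   -f ($Seconds / 3600)) }
    if ($Seconds -lt 31557600) { return ('{0:N1} days'    -f ($Seconds / 86400)) }
    return ('{0:N1} years' -f ($Seconds / 31557600))
}

function Get-BruteForceTime {
    # Keyspace = CharsetSize ^ Length; worst case is the whole keyspace at $Rate guesses/s.
    param([int] $Length, [int] $CharsetSize, [double] $Rate = $GuessesPerSecond)
    $keyspace = [Math]::Pow($CharsetSize, $Length)
    return [pscustomobject]@{
        Length   = $Length
        Charset  = $CharsetSize
        Keyspace = $keyspace
        Seconds  = $keyspace / $Rate
        Time     = Format-Duration -Seconds ($keyspace / $Rate)
    }
}

$Charsets = [ordered]@{ 'a-z' = 26; 'a-zA-Z' = 52; 'a-zA-Z0-9' = 62; 'printable ASCII' = 95 }
foreach ($len in 5..8) {
    foreach ($name in $Charsets.Keys) {
        $row = Get-BruteForceTime -Length $len -CharsetSize $Charsets[$name]
        '{0,2} chars, {1,-16}: {2}' -f $row.Length, $name, $row.Time
    }
}
```

Seven lowercase letters fall in under a day at this rate, while seven characters drawn from the full printable set take tens of years; that difference is the whole argument for the "7 characters plus complexity" policy, and the rate figure should be revised upward each time the table is reused.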
References
Links
razor.bindview.com
www.gartner.com
www.bindview.com/ebook
www.microsoft.com/security
www.nipc.gov
www.sans.org
nsa1.www.conxion.com
BindView Products
• Microsoft Active Directory
• Microsoft Windows (NT/2000)
• Microsoft Exchange
• Microsoft SQL Server
• Internet Security
• UNIX
• Novell NetWare
• Novell NDS eDirectory
• OS/400
• SAP
• NETinventory
• Security Advisor
• Microsoft Windows (NT, 2000 and Active Directory)
• Microsoft Exchange
• Novell NetWare
• Migrate for Windows 2000
• Migrate for Novell NDS
• Mobile
• Password Self Service
• bv-Admin Product Suite
• bv-Control Product Suite
[email protected]
Copy of presentation at: www.isaca-la.org