Windows 2000 & Active Directory Security Best Practices & Using Tools to Help Audit. Taha Raja, Senior Systems Engineer. Agenda: Overview; Windows System Hardening Suggestions; Active Directory Security Suggestions; Security Best Practices Guidelines; Reminders; References. PowerPoint (PPT) presentation.

TRANSCRIPT

Page 1: Taha Raja Senior Systems Engineer

Page 2

Taha Raja, Senior Systems Engineer

Windows 2000 & Active Directory Security Best Practices & Using Tools to Help Audit

Page 3

Agenda

• Overview
• Windows System Hardening Suggestions
• Active Directory Security Suggestions
• Security Best Practices Guidelines
• Reminders
• References

Page 4

Role of Corporate Culture

Paramount to the success of an enterprise security program are the relationships among risk analysis, the organization’s culture, and security policy.

Page 5

Security is Everyone’s Responsibility

A security policy should communicate to everyone in your organization the simple principle that information is a valuable asset and everyone is responsible for protecting it.

Page 6

Things To Remember

• Policies are cross-platform; implementations are not
• Policies must be designed to be implemented; “nirvana” security policies are not effective
• Implementation should include ongoing auditing, enforcement, and non-IT remedies
• Leverage solutions to speed the process

Page 7

BindView Corporation

Windows NT/2000 System Hardening Suggestions

Page 8

System Hardening Intent

• Process should result in a server with virtually everything locked down and disabled.

• This should provide a secure base upon which to build.

• After this procedure is completed, the services this machine is to offer can be selectively enabled.

Page 9

Recommendations

• Updated Patches
  • Service Packs
  • Hotfixes
  • High Encryption Pack
• Enable Auditing
• Set Password Policy
• Account Lockout
• User Rights
• Event Log
• Services
• Other Settings

Page 10

Windows 2000 Auditing: RAZOR Recommendations

Enable Auditing:

Account Logon              Success, Failure
Account Management         Success, Failure
Directory Service Access   Failure
Logon Events               Success, Failure
Object Access              Failure
Policy Change              Success, Failure
Privilege Use              Failure
Process Tracking           Failure
System Event               Success, Failure

Page 11

Password Policy: RAZOR Recommendations

• Enforce Password History: 7 (or higher)
• Maximum Password Age: 42 (default)
• Minimum Password Age: 0 (default)
• Minimum Password Length: 7
• Password Must Meet Complexity Requirements: Enable

Page 12

Account Lockout PolicyRAZOR Recommendations

• Account Lockout Duration: 10 minutes (or more)

• Account Lockout Threshold: 5

• Reset account lockout counter after: 10 min
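The audit, password and lockout values on pages 10 to 12 can be checked mechanically. As an added example that is not part of the presentation, the Python below reads a security template in the format written by `secedit /export /cfg <file>.inf` (the INF key names and the 1 = success, 2 = failure, 3 = both audit encoding are the template format's own) and reports every setting below the RAZOR bar; the sample template is constructed.

```python
import configparser
# Constructed sample of a template in "secedit /export /cfg <file>.inf" format
# (not from the slides); real exports are UTF-16, so open them with encoding="utf-16".
SAMPLE_INF = """\
[System Access]
MinimumPasswordAge = 0
MaximumPasswordAge = 42
MinimumPasswordLength = 6
PasswordComplexity = 0
PasswordHistorySize = 7
LockoutBadCount = 5
ResetLockoutCount = 30
LockoutDuration = 30
[Event Audit]
AuditSystemEvents = 3
AuditLogonEvents = 3
AuditObjectAccess = 0
AuditPrivilegeUse = 2
AuditPolicyChange = 3
AuditAccountManage = 3
AuditProcessTracking = 2
AuditDSAccess = 2
AuditAccountLogon = 1
"""
# RAZOR values from pages 11-12 as (minimum, maximum) bounds; None = unbounded.
SYSTEM_ACCESS = {"PasswordHistorySize": (7, None), "MaximumPasswordAge": (1, 42),
                 "MinimumPasswordAge": (0, None), "MinimumPasswordLength": (7, None),
                 "PasswordComplexity": (1, 1), "LockoutBadCount": (1, 5),
                 "LockoutDuration": (10, None), "ResetLockoutCount": (10, None)}
# Page 10 audit categories; secedit encodes 1 = success, 2 = failure, 3 = both.
EVENT_AUDIT = {"AuditAccountLogon": 3, "AuditAccountManage": 3, "AuditDSAccess": 2,
               "AuditLogonEvents": 3, "AuditObjectAccess": 2, "AuditPolicyChange": 3,
               "AuditPrivilegeUse": 2, "AuditProcessTracking": 2, "AuditSystemEvents": 3}

def audit_template(inf_text):
    """Return (section, key, actual, expected) for every setting below the RAZOR bar."""
    cfg = configparser.ConfigParser(interpolation=None)
    cfg.optionxform = str                        # secedit keys are case-sensitive names
    cfg.read_string(inf_text)
    findings = []
    for key, (lo, hi) in SYSTEM_ACCESS.items():
        val = cfg.getint("System Access", key, fallback=-1)   # -1: key absent
        if val < lo or (hi is not None and val > hi):
            findings.append(("System Access", key, val, (lo, hi)))
    for key, want in EVENT_AUDIT.items():
        val = cfg.getint("Event Audit", key, fallback=0)      # absent = not audited
        if (val & want) != want:  # failure-only is met by "both"; "both" needs both bits
            findings.append(("Event Audit", key, val, want))
    return findings
```

Run against the sample, it reports the short minimum length, disabled complexity, missing object-access failure auditing and success-only account-logon auditing.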

Page 13

User Rights: RAZOR Recommendations

Never assign the following user rights to any user or group:

• Act as part of the OS
• Create a token object
• Create permanent shared objects
• Debug programs
• Generate security audits
• Lock pages in memory
• Manage auditing and security log*
• Modify firmware environment variables
• Replace a process level token
• Synchronize directory service data

Page 14

User Rights: RAZOR Recommendations

• Access this computer from the network: remove Everyone, Users, Power Users, and Backup Operators (if possible)
• Bypass traverse checking: change Everyone to Authenticated Users
• Change system time: remove Power Users
• Deny access to this computer from the network: add ANONYMOUS LOGON
• Deny logon as a batch job: add ANONYMOUS LOGON

Page 15

User Rights (cont’d.): RAZOR Recommendations

• Deny logon as a service: add ANONYMOUS LOGON
• Deny logon locally: add ANONYMOUS LOGON
• Log on locally: remove Users, Power Users, Guest, and TsInternetUser
• “EVERYONE” should not be listed in any right at this point
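A companion check for the [Privilege Rights] section of the same secedit template, added here and not part of the presentation: it flags EVERYONE in any right (page 15), any holder of the never-assign rights from page 13, the removals from pages 14 and 15, and ANONYMOUS LOGON missing from the deny rights. The well-known SIDs (S-1-1-0 Everyone, S-1-5-7 ANONYMOUS LOGON, S-1-5-11 Authenticated Users, BUILTIN groups S-1-5-32-5xx) are assumed; the Guest account's SID is domain-specific, so it is not checked, and the sample section is constructed.

```python
import configparser
# Constructed [Privilege Rights] section in "secedit /export /cfg <file>.inf"
# format (not from the slides): SIDs prefixed with "*" or plain account names.
SAMPLE_INF = """\
[Privilege Rights]
SeNetworkLogonRight = *S-1-1-0,*S-1-5-32-544,*S-1-5-32-545
SeInteractiveLogonRight = *S-1-5-32-544,*S-1-5-32-547,TsInternetUser
SeDenyNetworkLogonRight = *S-1-5-7
SeDenyServiceLogonRight =
SeDenyInteractiveLogonRight = *S-1-5-7
SeChangeNotifyPrivilege = *S-1-1-0
SeSystemtimePrivilege = *S-1-5-32-544,*S-1-5-32-547
SeDebugPrivilege = *S-1-5-32-544
"""
EVERYONE, AUTH_USERS, ANONYMOUS = "S-1-1-0", "S-1-5-11", "S-1-5-7"
USERS, POWER_USERS, BACKUP_OPS = "S-1-5-32-545", "S-1-5-32-547", "S-1-5-32-551"
# Page 13: rights nobody should hold. SeSecurityPrivilege ("Manage auditing and
# security log") is left out because page 17 grants it to an Auditors group.
NEVER_ASSIGN = {"SeTcbPrivilege", "SeCreateTokenPrivilege", "SeCreatePermanentPrivilege",
                "SeDebugPrivilege", "SeAuditPrivilege", "SeLockMemoryPrivilege",
                "SeSystemEnvironmentPrivilege", "SeAssignPrimaryTokenPrivilege", "SeSyncAgentPrivilege"}
# Pages 14-15: principals to remove from, or add to, particular rights.
MUST_NOT_HOLD = {"SeNetworkLogonRight": {EVERYONE, USERS, POWER_USERS, BACKUP_OPS},
                 "SeChangeNotifyPrivilege": {EVERYONE},
                 "SeSystemtimePrivilege": {POWER_USERS},
                 "SeInteractiveLogonRight": {USERS, POWER_USERS, "TsInternetUser"}}
MUST_HOLD = {"SeChangeNotifyPrivilege": {AUTH_USERS}, **{f"SeDeny{d}LogonRight": {ANONYMOUS}
             for d in ("Network", "Batch", "Service", "Interactive")}}

def parse_rights(inf_text):
    # Map each right to the set of principals holding it (empty value = nobody).
    cfg = configparser.ConfigParser(interpolation=None, allow_no_value=True)
    cfg.optionxform = str                         # keep the SeXxx names' case
    cfg.read_string(inf_text)
    return {right: {p.strip().lstrip("*") for p in (value or "").split(",") if p.strip()}
            for right, value in cfg.items("Privilege Rights")}

def check_user_rights(inf_text):
    # Returns (right, "remove"|"add", principal) tuples; [] means compliant.
    rights = parse_rights(inf_text)
    findings = []
    for right, holders in rights.items():
        banned = MUST_NOT_HOLD.get(right, set()) | {EVERYONE}   # page 15: EVERYONE nowhere
        if right in NEVER_ASSIGN:                               # page 13: nobody at all
            banned = holders
        for p in sorted(banned & holders):
            findings.append((right, "remove", p))
    for right, required in MUST_HOLD.items():                   # deny rights need ANONYMOUS
        for p in sorted(required - rights.get(right, set())):
            findings.append((right, "add", p))
    return findings
```

A deny right that is absent from the export is treated as empty, so a missing "Deny logon as a batch job" entry is reported as an ANONYMOUS LOGON gap rather than silently passing.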

Page 16

Event Log Settings: RAZOR Recommendations

• Set each log to a minimum of 10MB in size

• If exporting to a central repository, set to NOT overwrite

• Otherwise, overwrite as needed

Page 17

Securing the Security Event Log

Security Event Log
• Records unauthorized access to the system
• Control should be limited

Create an “Auditors” group
• Give Full Control
• Remove all administrators
• Grant the user right “Manage auditing and security log”

Page 18

Best Practices

Patches, patches, patches
• The first line of defense is up-to-date patches. Most widely exploited problems have patches.

Minimal Services
• Many widely exploited flaws exist in services that are installed by default but rarely used. Disable all unused services.

Anti-Virus Software
• Up-to-date AV software will prevent problems from spreading out of control.

Strong Passwords
• Password crackers are fast and getting faster. Exploit tools automate logging in to a variety of services using blank or default passwords. Use a one-time password pad whenever possible and strong passwords the rest of the time. Users must be educated to understand the risks.

Egress Filtering
• Trojans like to “phone home,” as do lots of malicious programs. Use a web proxy and limit outbound connections strictly.

Page 19

BindView Corporation

Active Directory Security Suggestions

Page 20

Security Features in Active Directory

• Granular Delegation
• Group Policy Objects (GPOs)
• ACLs

Page 21

Opposite of NT

The granularity of authorizations has been greatly extended in Win2K to cover not only an object but also the attributes of an object.

• As a result, you can allow a group of administrators to do nothing but reset user passwords.

This granularity works because each attribute of an AD object can have its own ACL; there isn’t just a single ACL for the entire object.

Page 22

Delegation

• A preferred way to delegate administrative control over Active Directory objects is to create OUs within a domain and use the Delegation of Control Wizard to assign granular permissions for administrators.

• When you’re designing the OU structure for each of your domains, consider only creating OUs when you want to delegate administration.

Page 23

Group Policy Objects

Group Policy will allow you to uniformly enforce defined security policies throughout your computing infrastructure by creating domain-level GPOs that define the most critical security-related settings. These settings will then be enforced on each and every computer in the domain. No longer will security settings have to be managed on individual computers.

Page 24

Group Policy Object Initialization

• Computer-related policy settings are applied when the OS initializes.

• User-related policy settings are applied when users log on to their computers.

NOTE: If computer settings and user settings come into conflict, the computer configuration settings override the user configuration settings.

Page 25

Take-away Note

The most important thing to remember when you’re setting up access control in your Win2K environment is to give people the minimum number of rights they need to do their jobs.

Page 26

BindView Corporation

Security Best Practices Guidelines

Page 27

Best Practice Overview

• Secondary Authentication
• General Recommendations
• Physical Security
• Other Considerations

Page 28

Using Secondary Authentication

No system administrators in your environment should ever again read their mail and compose simple documents while running as a member of the Domain Administrators group!

Page 29

Best Practices - General

• Use legal notice captions on all machines
• Use legal notice text on all machines
• Do not display last logon name

Page 30

Physical Security Best Practices

• Keep servers in a locked room

• Disable the removable media based boot option if available

• Remove or restrict access to the removable media drives

• The CPU case should be secured by a key stored safely away from the computer

• Implement a system BIOS password

Page 31

BindView Corporation

Reminders

Page 32

Reminder

Security is Everyone’s responsibility

• Management
• IT Staff
• Users

Page 33

Reminder

• Technical support staff should be reminded never to reveal or reset passwords for anyone over the phone
• User community education
  • Password use and “storage”
  • Social engineering techniques

Page 34

Importance Of A Strong Password

[Table] Estimated time to brute force password crack at 100,000 per second
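The table itself did not survive the transcript. The arithmetic behind it, as an added example that is not from the slide, at the slide's rate of 100,000 guesses per second: worst-case exhaustive search tries every string of the given length over the character set, so the time is (set size)^length divided by the rate. The character-set sizes and lengths are chosen here.

```python
# Worst-case exhaustive-search time for a password of a given length drawn from
# a character set of a given size, at the rate quoted on the slide. The rows are
# computed here, not copied from the missing table.
RATE = 100_000                                  # guesses per second, from the slide
CHARSETS = {"digits": 10, "lowercase": 26, "mixed case": 52,
            "mixed case + digits": 62, "all printable ASCII": 94}

def crack_seconds(charset_size, length, rate=RATE):
    """Seconds to try every password of exactly `length` characters."""
    return charset_size ** length / rate

def human(seconds):
    """Round a duration to the largest convenient unit."""
    for unit, size in (("years", 365 * 86400), ("days", 86400),
                       ("hours", 3600), ("minutes", 60)):
        if seconds >= size:
            return f"{seconds / size:,.1f} {unit}"
    return f"{seconds:,.1f} seconds"

def table(lengths=(4, 6, 7, 8, 10)):
    """One row per character set: (name, [time at each length])."""
    return [(name, [human(crack_seconds(size, n)) for n in lengths])
            for name, size in CHARSETS.items()]

if __name__ == "__main__":
    print(f"{'character set':22}", "  ".join(f"{n:>14}" for n in (4, 6, 7, 8, 10)))
    for name, cells in table():
        print(f"{name:22}", "  ".join(f"{c:>14}" for c in cells))
```

The jump from a seven-character lowercase password (under a day) to eight mixed characters (thousands of years) is the point of the slide; a faster cracker scales every cell down by the same factor.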

Page 35

BindView Corporation

References

Page 36

Links

razor.bindview.com

www.gartner.com

www.bindview.com/ebook

www.microsoft.com/security

www.nipc.gov

www.sans.org

nsa1.www.conxion.com

Page 37

BindView Products

bv-Control Product Suite
• Microsoft Active Directory
• Microsoft Windows (NT/2000)
• Microsoft Exchange
• Microsoft SQL Server
• Internet Security
• UNIX
• Novell Netware
• Novell NDS eDirectory
• OS/400
• SAP
• NETinventory
• Security Advisor

bv-Admin Product Suite
• Microsoft Windows (NT, 2000 and Active Directory)
• Microsoft Exchange
• Novell Netware
• Migrate for Windows 2000
• Migrate for Novell NDS
• Mobile
• Password Self Service

Page 38

[email protected] of Presentation at: www.isaca-la.org

Taha Raja, Senior Systems Engineer

Windows 2000 & Active Directory Security Best Practices & Using Tools to Help Audit

Page 39