Microsoft® Official Course

Module 3

Securing AD DS

Module Overview

Securing Domain Controllers

Implementing Password and Lockout Policies• Implementing Audit Authentication

Lesson 1: Securing Domain Controllers

Domain Controller Security Risks

Modifying the Security Settings of Domain Controllers

Minimizing the Attack Surface of Domain Controllers

Implementing Secure Authentication

Securing Physical Access to Domain Controllers

What are RODCs?

Deploying an RODC

Planning and Configuring RODC Credential Caching

Demonstration: Configure a Password Replication Policy• Administrator Role Separation

Domain Controller Security Risks

Domain controllers are a prime target for attacks and the most important resource to secure• Security risks include:

•Network security

• Authentication attacks

• Elevation of privilege

•Denial of Service

•Operating system, service, or application attacks

•Operational risks

• Physical security threats

Modifying the Security Settings of Domain Controllers

• Use a GPO to apply the same security settings to all domain controllers

• Consider custom GPOs linked to the Domain Controllers OU

• Security settings include:• Account policies, such as passwords and account lockout

• Local policies, such as auditing, user rights, and security options

• Event log configuration

• Secure system services

• Windows Firewall with Advanced Security

• Public key policies

• Advanced auditing

Minimizing the Attack Surface of Domain Controllers

To minimize the attack surface on domain controllers, you should:• Establish update management processes

• Increase the security of communication protocols:• Secure LDAP

• IPsec

• SMB signing

• Secure the operating system by using:• Baseline security by using SCW

• Server Core installation

• BitLocker Drive Encryption

Implementing Secure Authentication

Consider the following factors when implementing secure authentication: • Secure user accounts and passwords

• Secure groups with elevated permissions

• Audit critical object changes

• Deploy secure authentication, such as smart cards

• Secure network activity

• Establish deprovisioning and cleanup processes

• Secure client computers

Securing Physical Access to Domain Controllers

When securing physical access to your domain controllers, consider the following:• RODCs• BitLocker• Hot-swap disk systems can lead to domain controller theft• Protect virtual disks: virtual machine admins must be highly trusted• Store backups in secure locations

What are RODCs?

Data center Branch office

• Writable Windows Server 2008 domain controller

• Password replication policy:• Specifies which user and

computer passwords can be cached by the RODC

• RODC:• All objects

• Subset of attributes

• No secrets

• Not writable

• Users sign on:• RODC forwards authentication

• Password is cached:• If password replication policy

allows

• Has a local administrators group

AD DS AD DS

Deploying an RODC

Deploying an RODC:• Prerequisites:

• Adprep /rodcprep• Sufficient Windows Server 2008 or newer replication partners for the

RODCs

• One-step deployment:• Server Manager with Add Roles and Features, then Active

Directory Domain Services Configuration Wizard• Windows PowerShell: Install-ADDSDomainController –

ReadOnlyReplica

• Two-step deployment: pre-staging and delegated promotion:• Create the account: Active Directory Administrative Center or

Add-ADDSReadOnlyDomainControllerAccount• Join the RODC as delegated admin: Server Manager or

Install-ADDSDomainController -ReadOnlyReplica

Planning and Configuring RODC Credential Caching

A password replication policy determines which users’ credentials are cached on a specific RODC• You can configure these credentials by using:

•Domain-wide password replication policy

• RODC-specific password replication policy

• RODC filtered attribute set

Demonstration: Configure a Password Replication Policy

• In this demonstration, you will see how to:• Stage a delegated installation of an RODC• View an RODC’s password replication policy• Configure an RODC-specific password replication policy• Verify the resultant password policy

Administrator Role Separation

•Allows performance of local administrative tasks on the RODC for non-domain administrators•Each RODC maintains a local Security Accounts Manager database of groups for specific administrative purposes•Configure the local administrator by:• Adding the user or group when pre-creating or installing the RODC

• Adding a user or group on the Managed By tab on the RODC account properties

Lesson 2: Implementing Password and Lockout Policies

Password Policies

Account Lockout Policies

Demonstration: Configure Domain Account Policies

Fine-Grained Password and Lockout Policies

Understanding PSOs

Demonstration: Configuring a Fine-Grained Password Policy•PSO Precedence and Resultant PSO

Password Policies

•Set password requirements by using the following settings:• Enforce password history• Maximum password age • Minimum password age• Minimum password length• Password complexity requirements:• Does not contain name or user name

• Must have at least six characters

• Contains characters from three different groups– uppercase, lowercase, numeric, and special characters

Account Lockout Policies

•Account lockout policies define whether accounts should be locked automatically after several failed attempts to log on•To configure these policy settings, you must consider:• Account lockout duration• Account lockout threshold• Reset account lockout counter after

•Account lockout policies provide a level of security but also provide an opportunity for DoS attacks

Demonstration: Configure Domain Account Policies

• In this demonstration, you will see how to configure:• A domain-based password policy• An account lockout policy

Fine-Grained Password and Lockout Policies

•You can use fine-grained password policies to specify multiple password policies within a single domain• Fine-grained password policies:• Apply only to user objects, InetOrgPerson objects, or global security groups• Cannot be applied directly to an OU • Do not interfere with custom password filters that you might use in the same domain

Understanding PSOs

Windows Server 2012 provides two tools for configuring PSOs:•Windows PowerShell cmdlets:• New-ADFineGrainedPasswordPolicy• Add-FineGrainedPasswordPolicySubject

•Active Directory Administrative Center

Demonstration: Configuring a Fine-Grained Password Policy

• In this demonstration, you will see how to configure and apply a fine-grained password policy

PSO Precedence and Resultant PSO

If multiple PSOs apply to a user:• The directly applied PSOs are considered, rather than the PSOs that

are applied via group memberships

• The PSO with the lowest precedence wins

• If two PSOs have the same precedence, the smallest objectGUID wins

To evaluate a user object to see which PSO has been applied, you can use:• msDS-ResultantPSO Active Directory attribute

• Active Directory Administrative Center

• Extensions

• Attribute Editor

• Filter: Show constructed attributes

Lesson 3: Implementing Audit Authentication

Account Logon and Logon Events

Demonstration: Configuring Authentication-Related Audit Policies

Scope Audit Policies•Demonstration: Viewing Logon Events

Account Logon and Logon Events

Advanced audit policies provide 53 auditable events:• Account logon events:

• Registered by the system that authenticates the account

• For domain accounts–domain controllers

• For local accounts–local computer

• Logon events:• Registered by the machine at or

to which (or to which) a user logged on

• Interactive logon–user's system• Network logon–server

Logon Event

Account Logon Event

Logon Event

AD DS

Demonstration: Configuring Authentication-Related Audit Policies

• In this demonstration, you will see where the authentication-related audit policies are configured

Scope Audit Policies

DomainControllers

RemoteDesktopServers

HR Clients

CustomGPO

LogonEvents

Default Domain

Controllers Policy

AccountLogonEvents

Demonstration: Viewing Logon Events

• In this demonstration, you will see how to view logon events

Lab: Securing AD DS

Exercise 1: Implementing Security Policies for Accounts, Passwords, and Administrative Groups•Exercise 2: Deploying and Configuring an RODCLogon Information:

Virtual machines: 10969A-LON-DC110969A-LON-DC210969A-LON-SVR1

User name: Adatum\AdministratorPassword: Pa$$w0rd

Estimated Time: 45 minutes

Lab Scenario

The security team at A. Datum Corporation has been examining the organization for possible security issues. It has been focusing on AD DS and is particularly concerned with AD DS authentication and branch-office domain controller security.

You have been asked to help improve the security and monitoring of authentication against the enterprise’s AD DS domain. You must enforce a specified password policy for all user accounts, and you must develop a more stringent password policy for security-sensitive administrative accounts. It also is important that you implement an appropriate audit trail to help monitor authentication attempts within AD DS.

The second part of your assignment includes the deployment and configuration of RODCs s to support AD DS authentication within a branch office

Lab Review

In the lab, we configured the password settings for all users within the Default Domain Policy, and we configured the password settings for Administrators within a PSO. What other options were available to accomplish the solution?• In the lab, we were using precedence for the administrative PSO with a value of 10. What is the reason for this?

Module Review and Takeaways

Review Questions•Tools