Best Practices for Securing Active Directory

Microsoft IT Information Security and Risk Management
Published: April, 2013
For the latest information, please see http://aka.ms/bpsad

Contents (page numbers refer to the original 314-page document)

Foreword (p. 5)
Acknowledgements (p. 6)
Executive Summary (p. 7)
Introduction (p. 14)
  Account and Group Naming Conventions (p. 15)
  About this Document (p. 16)
    Microsoft IT and ISRM (p. 16)
    Active Directory Security Assessments (p. 16)
    Content Origin and Organization (p. 16)
Avenues to Compromise (p. 21)
  Initial Breach Targets (p. 23)
    Gaps in Antivirus and Antimalware Deployments (p. 23)
    Incomplete Patching (p. 24)
    Outdated Applications and Operating Systems (p. 25)
    Misconfiguration (p. 26)
    Lack of Secure Application Development Practices (p. 30)
  Attractive Accounts for Credential Theft (p. 33)
    Activities that Increase the Likelihood of Compromise (p. 34)
    Privilege Elevation and Propagation (p. 37)
Reducing the Active Directory Attack Surface (p. 39)
  Privileged Accounts and Groups in Active Directory (p. 40)
    Built-in Privileged Accounts and Groups (p. 40)
  Implementing Least-Privilege Administrative Models (p. 45)
    The Privilege Problem (p. 46)
    Reducing Privilege (p. 48)
  Implementing Secure Administrative Hosts (p. 66)
    Principles for Creating Secure Administrative Hosts (p. 66)
    Sample Approaches to Implementing Secure Administrative Hosts (p. 70)
  Securing Domain Controllers Against Attack (p. 75)
    Physical Security for Domain Controllers (p. 75)
    Domain Controller Operating Systems (p. 77)
    Secure Configuration of Domain Controllers (p. 77)
Monitoring Active Directory for Signs of Compromise (p. 80)
  Windows Audit Policy (p. 81)
    Windows Audit Categories (p. 81)
    Auditing Subcategories Descriptions (p. 85)
    Configuring Windows Audit Policy (p. 92)
    Enforcing Traditional Auditing or Advanced Auditing (p. 96)
  Audit Policy Recommendations (p. 98)
    Recommended Audit Policies by Operating System (p. 99)
    Events to Monitor (p. 109)
    Active Directory Objects and Attributes to Monitor (p. 110)
    Additional Information for Monitoring Active Directory Domain Services (p. 111)
    General List of Security Event ID Recommendation Criticalities (p. 111)
Planning for Compromise (p. 113)
  Rethinking the Approach (p. 115)
    Identifying Principles for Segregating and Securing Critical Assets (p. 117)
    Defining a Limited, Risk-Based Migration Plan (p. 118)
    Leveraging “Nonmigratory” Migrations (p. 118)
    Implementing Creative Destruction (p. 120)
    Isolating Legacy Systems and Applications (p. 120)
    Simplifying Security for End Users (p. 121)
  Maintaining a More Secure Environment (p. 123)
    Creating Business-Centric Security Practices for Active Directory (p. 123)
Summary of Best Practices (p. 127)
Appendices (p. 130)
  Appendix A: Patch and Vulnerability Management Software (p. 132)
  Appendix B: Privileged Accounts and Groups in Active Directory (p. 133)
    Rights, Privileges, and Permissions in Active Directory (p. 133)
    Built-in Privileged Accounts and Groups (p. 137)
  Appendix C: Protected Accounts and Groups in Active Directory (p. 160)
    Protected Groups (p. 160)
  Appendix D: Securing Built-In Administrator Accounts in Active Directory (p. 170)
  Appendix E: Securing Enterprise Admins Groups in Active Directory (p. 185)
  Appendix F: Securing Domain Admins Groups in Active Directory (p. 197)
  Appendix G: Securing Administrators Groups in Active Directory (p. 208)
  Appendix H: Securing Local Administrator Accounts and Groups (p. 220)
  Appendix I: Creating Management Accounts for Protected Accounts and Groups in Active Directory (p. 229)
    Creating Management Accounts for Protected Accounts and Groups in Active Directory (p. 229)
  Appendix J: Third-Party RBAC Vendors (p. 260)
    The Dot Net Factory (p. 260)
    IBM (p. 261)
    Oracle (p. 262)
    Centrify (p. 263)
  Appendix K: Third-Party PIM Vendors (p. 264)
    Cyber-Ark (p. 264)
    Quest (p. 266)
    Lieberman Software (p. 266)
    Novell (p. 268)
    CA (p. 269)
  Appendix L: Events to Monitor (p. 271)
  Appendix M: Document Links and Recommended Reading (p. 301)
    Document Links (p. 301)
    Recommended Reading (p. 312)
