Auditing Security and Controls of Windows Active Directory Domains




by Derek Melber
1st edition. Published by The Institute of Internal Auditors. ISBN 978 0 89413 563 7.

About the author: Derek Melber, MCSE, CISM, is one of the leading technical instructors, authors, and consultants in the nation, with an innate understanding of how to decipher, organize, and communicate complex issues. He holds a master's degree from the University of Kansas.

CHAPTER 1: AUDITING WINDOWS 2000/2003

Introduction

Most companies run a domain, which controls the lifeblood of the company's network, security, and resources. The domain consists of domain controllers, member servers, and client computers. The domain also works with other essential devices, such as routers, hubs, switches, and firewalls.

It is important to understand that the domain model changed dramatically from Windows NT 4.0 to Windows 2000 and Server 2003. Windows NT used a domain model that relied on a Security Accounts Manager (SAM) database held on the primary domain controller. Windows 2000 and Server 2003 rely on Active Directory. In almost every instance, the Active Directory model is much better than the SAM foundation.

In this handbook, we will not be focusing on the member servers and client computers. Instead, we will focus on the domain controllers and the domain infrastructure itself. If you have never audited a Windows Active Directory domain, or have only audited one a couple of times, this handbook is ideal for you. I find that many auditors still think about Windows domains the way they did in Windows NT, not like an Active Directory domain. For those of you who have audited numerous Active Directory domains (I have only met about two in a thousand auditors), this handbook is also ideal for you. It will expand your knowledge and push the limits of what your audit program includes, and there will be at least five control points that you don't currently check.

We will dive directly into the domain controllers and the domain itself, exposing all of the nooks and crannies that need to be audited. Domain controllers are similar to member servers, but have different control points due to their function in a domain. So, if you have read any books on member servers, this book will focus on different information.

I feel that if the security control points, the scope of domain controllers, the scope of domains, and the target goals are understood, then the audit will go smoother and faster. This book will solve all of those issues for you.

We will start by discussing some terminology that can help you gather more information and perform better interviews. Being able to talk the talk with the IT and security administrators can go a long way. The terminology will also help in the evaluation and analysis of the audit data that is provided. Wading through the sea of three- and four-letter acronyms can be a full-time job. Understanding what each term means and how the audit fits into the terminology can help make your audit more efficient.

Next, we pinpoint where each control point resides for a server. Many of the control points for servers overlap those for clients, but the configuration and focus of a control point might differ from that of a client. Each control point is presented in the same structure:

- What is the control point?
- Why is the control point important?
- Which computers should be examined to audit the control point?
- Which control point details should be audited?
- How will the control point be audited?
- Example control point report.

After the control points, we will discuss how to structure the audit with regard to the aspects of the domain. Scoping which computers should be audited can be highly beneficial, and I will illustrate some different tactics for the sampling procedure that might streamline the selection and evaluation process. Finally, I will lay out a detailed audit plan that lets you put the knowledge you have learned into action. With this structure, you will have all of the information required to perform a successful and efficient audit of the servers on the network.

Essential Windows Network and Security Concepts and Tools

You can see something ten times and still not remember what it is. However, when you are taught, you will remember it. My goal is to teach you some quick and easy ways to remember what each technology does for a Windows environment.

Windows Terminology Defined

We will first start off with some basic Windows terminology. Some of these terms also apply to other operating systems, but they are key to Windows.

Workgroup: A group of networked computers where each computer authenticates access to the resources stored on it using the user and group accounts in its own local SAM. The administration model is decentralized.

Domain: A group of networked computers where dedicated servers (called domain controllers) authenticate access to resources stored on servers and clients using the Active Directory database. The administration model is centralized.

SAM: Security Accounts Manager. The SAM is used in two different areas. First, it is the Windows NT domain database, held on the primary domain controller, that contains the user, group, and computer accounts for the domain. Second, every Windows NT, 2000, XP, and 2003 computer has a local SAM, which contains its local user and group accounts.

Active Directory: The dynamic, replicated database that contains the user, group, and computer accounts (and other objects) for the domain.

Domain Controller: A server that holds a copy of the Active Directory database. The primary functions of these servers are to authenticate user logons and to deploy security settings using Group Policy.

LDAP: Lightweight Directory Access Protocol. The protocol used to read from and write to the Active Directory database.

DNS: Domain Name System. The locator service for all Active Directory computers and Active Directory-based services. When a computer needs to find another computer on the network, it uses DNS to resolve the name to an IP address; domain controllers and their services are located through the SRV records that Active Directory registers in DNS.

ACL: Access Control List. The general term for the list of users and groups that have permission to access a resource.

DACL: Discretionary Access Control List. The formal term for the list of users and groups, and the access each is allowed or denied, on a resource. When people say "the ACL on a file," they usually mean the DACL.

SACL: System Access Control List. The list of users and groups whose access attempts on the resource will generate audit records (success, failure, or both). A SACL only produces events if object access (or directory service access) auditing is also turned on in the audit policy.

Privileges: Also known as User Rights. User rights are assigned per computer and determine which users can perform administrative and privileged tasks on that computer, such as backing up files, debugging programs, or logging on locally.

Shared Folder: A folder that is made available to other computers on the network. In the interface the folder is shown with a small hand under it.

Baselines, Security Templates, and Windows Baseline Tools

A security baseline is typically defined as a set of security settings for computers that meets the minimum requirements of the organization. The baseline can be self-made or based on a standard from Microsoft or from other vendors that produce baseline configurations. If the baseline is detailed enough, it might become the company security policy. There can be baseline configurations for different types of computers on the network. Typical baselines exist for the following types of computers:

- Domain Controllers
- File Servers
- IAS Servers
- IIS Servers
- Infrastructure Servers
- Member Servers
- Print Servers
- Clients
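As an added example of what checking a computer against such a baseline looks like in practice (example code written for this page, not the book's own material and not a Microsoft tool), the Python script below compares two security templates in the INI-style INF format that Windows security templates use, which is also what `secedit /export /cfg <file>` writes for the computer being audited. Both templates are constructed samples: the domain SID ending in -1105 is invented, S-1-5-32-544 is the well-known Administrators group, and the section and key names are the real ones used in the [System Access], [Event Audit], and [Privilege Rights] sections of a template.

```python
"""Compare a host's exported security settings against a baseline template.
Added example, not from the book: both inputs use the INI-style INF format of
Windows security templates (what `secedit /export /cfg <file>` writes).
"""
import configparser

# Constructed sample: effective settings of a member server as secedit would
# export them (only the sections this example compares are included). The
# S-1-5-21-...-1105 SID is invented; S-1-5-32-544 is the Administrators group.
CURRENT_INF = """\
[System Access]
MinimumPasswordLength = 6
PasswordComplexity = 0
LockoutBadCount = 0
[Event Audit]
AuditLogonEvents = 1
AuditAccountLogon = 0
AuditPolicyChange = 0
[Privilege Rights]
SeDebugPrivilege = *S-1-5-32-544,*S-1-5-21-1004336348-1177238915-682003330-1105
SeRemoteShutdownPrivilege = *S-1-5-32-544
"""

# Constructed sample: the organisation's minimum baseline for member servers.
BASELINE_INF = """\
[System Access]
MinimumPasswordLength = 8
PasswordComplexity = 1
LockoutBadCount = 5
[Event Audit]
AuditLogonEvents = 3
AuditAccountLogon = 3
AuditPolicyChange = 3
[Privilege Rights]
SeDebugPrivilege = *S-1-5-32-544
SeRemoteShutdownPrivilege = *S-1-5-32-544
"""

# [System Access] keys where a larger value is stricter; any other numeric key
# in that section must match the baseline exactly.
AT_LEAST = {"MinimumPasswordLength", "PasswordHistorySize", "MinimumPasswordAge",
            "LockoutDuration", "ResetLockoutCount"}


def parse_template(text):
    """Parse security-template INF text; keys stay case-sensitive so that
    privilege names such as SeDebugPrivilege are matched by exact name."""
    cp = configparser.ConfigParser(interpolation=None, strict=False, delimiters=("=",))
    cp.optionxform = str
    cp.read_string(text)
    return cp


def parse_sids(value):
    """'*S-1-5-32-544,*S-1-5-21-...' -> {'S-1-5-32-544', 'S-1-5-21-...'}"""
    return {s.strip().lstrip("*") for s in value.split(",") if s.strip()}


def compare_templates(current_text, baseline_text):
    """Return one finding dict (section, setting, current, required) for each
    setting where the current host falls short of the baseline."""
    cur, base = parse_template(current_text), parse_template(baseline_text)
    findings = []

    def report(section, setting, current, required):
        findings.append({"section": section, "setting": setting,
                         "current": current, "required": required})

    # Account and lockout policy: numeric settings compared by strictness.
    for key, want in base.items("System Access"):
        have = cur.get("System Access", key, fallback=None)
        if have is None:
            report("System Access", key, "<not set>", want)
            continue
        if not (want.lstrip("-").isdigit() and have.lstrip("-").isdigit()):
            ok = have == want            # string settings, e.g. NewAdministratorName
        else:
            w, h = int(want), int(have)
            if key == "LockoutBadCount":  # 0 disables lockout; N = lock at N bad tries
                ok = w == 0 or 0 < h <= w
            elif key in AT_LEAST:
                ok = h >= w
            else:
                ok = h == w
        if not ok:
            report("System Access", key, have, want)

    # Audit policy: bitmask (1 = success, 2 = failure, 3 = both). Everything
    # the baseline audits must also be audited on the host.
    for key, want in base.items("Event Audit"):
        have = int(cur.get("Event Audit", key, fallback="0"))
        if (have & int(want)) != int(want):
            report("Event Audit", key, str(have), want)

    # User rights: no account beyond the baseline's holders may hold the right.
    for key, want in base.items("Privilege Rights"):
        extra = parse_sids(cur.get("Privilege Rights", key, fallback="")) - parse_sids(want)
        if extra:
            report("Privilege Rights", key, ",".join(sorted(extra)), want)

    return findings


if __name__ == "__main__":
    for f in compare_templates(CURRENT_INF, BASELINE_INF):
        print(f"[{f['section']}] {f['setting']}: current={f['current']} required={f['required']}")
```

secedit writes its export as UTF-16, so open a real export with encoding="utf-16" before passing the text in. Only the three sections above are compared; [Registry Values], [Restricted Groups], and the permission sections need their own rules. secedit /analyze performs the same comparison natively against its database; the value of a script like this is that the result is a plain list you can keep as evidence or diff across many hosts.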

Each type of computer can be broken down into different categories, depending on the security needs of the organization. These baselines are typically documented and deployed using security templates. A security template is a plain-text file, normally with an .inf extension, whose sections map onto the areas of a computer's security policy: account and password policy, audit policy, user rights assignment, security options, event log settings, restricted groups, system services, and registry and file system permissions. Because the files are small and text-based, they are very easy to move around and to compare.

The security templates are deployed to computers in several ways:

- Manually: This process is cumbersome and not done very often. It requires that each computer be visited and the security template be applied one computer at a time.
- Automated script: This is often the solution for environments that don't rely on Active Directory but still need the Windows computers to meet a minimum baseline.
- Group Policy Objects: This is the most common scenario for deploying security templates. A template can be imported into a GPO for consistent and targeted application to computers.

The tools used to deploy security baselines using security templates include the following:

- Secedit command: The built-in command-line and scripting method for applying a security template to a computer (secedit /configure), comparing a computer against a template (secedit /analyze), and exporting the computer's current settings as a template (secedit /export).
- Security Templates snap-in: Used in conjunction with the MMC (see below). It allows easy creation and management of security templates.
- Security Configuration and Analysis snap-in: Used in conjunction with the MMC (see below). It compares a single computer's current settings against a template (analysis) and can then apply the template to that computer (configuration). The analysis view is the one to ask for during an audit: it shows each setting with the template value and the computer's actual value side by side.
- Group Policy Objects: GPOs are a function of an Active Directory enterprise and support the importing of security templates and their settings. GPOs provide an efficient method for configuring multiple computers with the same security template.

Essential Tools of the Trade

There are some tools that are essential for establishing security, performing audits on Windows environments, and keeping up to date with other resources.
There are also some Web sites that are important to visit often, since they are constantly changing and updating materials.

Administrative Tools: These tools are the tool belt for the administrator. They include management of Active Directory, DNS, GPOs, Event Viewer, and remote computers. The tools come standard with a domain controller, but member servers and clients need adminpak.msi installed to get all of the Active Directory and service management tools.

TIP: If the computer you are auditing is not meant to be used by administrators, it should not have adminpak.msi or the administrator tools installed on it. Finding them on an ordinary workstation or application server is worth noting in the audit.

Microsoft Management Console (MMC): This is not really a tool in the sense that you can use the MMC itself to perform a task. Rather, the MMC is a shell to which snap-ins are added; the snap-ins are the actual tools. Type mmc in the Start > Run box to launch it.

Computer Management: This is one of the Administrative Tools and is also a snap-in. It is mentioned separately because of the power it provides to auditors and security administrators alike. The tool can list shares, services, the local SAM (local users and groups), and Event Viewer information for any computer in the domain, provided you have administrative rights on that computer.

Microsoft Baseline Security Analyzer (MBSA): A free tool from Microsoft that you can download and use to analyze key security settings on any computer. The tool can be downloaded from www.microsoft.com/mbsa. It is designed to analyze and report on the most important aspects of a computer's security; key configurations such as the file system, blank passwords, update levels, and shares are just some of the settings MBSA can check.

DumpSec: When it comes to other tools useful for auditing Windows, one stands out from the others. DumpSec is one of the best tools for gathering this information: it dumps users, groups, permissions, user rights, shares, and services into a plain-text or tab-separated report that can be kept as audit evidence. The tool is free and can be downloaded from www.somarsoft.com. It can be used locally or remotely, as long as you have administrative privilege on the target computer. The current version at the time of writing is v2.8.2.

Resource Kit: This is not a default tool, but a suite of tools from Microsoft. Documentation also comes along with the kit, but the tools are essential for auditors. To download the tools for free, you can go to this link: http://www.microsoft.com/downloads/details.aspx?familyid=9d467a69-57ff-4ae7-96eeb18c4790cffd&displaylang=en (Sorry for the lengthy string, but this is the only link where I can find the tools.)

TechNet: TechNet is not a tool in the sense of a typical application; it is the end-all, de facto documentation that Microsoft produces. It is worth its weight in gold and maybe diamonds. A subscription consists of a new CD/DVD every month that contains the latest knowledge-base articles, Q articles, white papers, and other documentation produced by Microsoft. TechNet covers all applications and operating systems, all of them! You can get it for $349 a year at www.technet.com.

Key Web Sites

As a trainer, speaker, author, and consultant, I feel that education is key! Here are some Web sites that are constantly being updated with new articles and information regarding Windows auditing and security.

- www.auditingwindows.com
- www.theiia.org
- www.itaudit.org
- www.isaca.org
- www.microsoft.com/security/guide
- www.windowsecurity.com

Additional Tools

I am a huge proponent of free tools. In this book, you will only be introduced to tools that don't cost anything. I know full well that auditors must work with a small budget, if they are afforded a budget for tools at all. However, I can't discount the amazing tools that are out on the market for auditing Windows. These tools provide reporting, summarizing, and querying that surpass the free tools. If you are working too hard with the free tools and need some help optimizing and making your audit more efficient, check out some of these companies and their tools.

- GFI LanGuard: A suite of tools that help track, report on, and protect the network. www.gfi.com
- NetPro ChangeAuditor: Tracks any change that occurs to Active Directory or related services. www.netpro.com
- BindView Vulnerability Management: Helps proactively audit the key security settings on the Windows network. www.bindview.com
- Symantec Enterprise Security Manager: Provides integrated auditing and security management for Windows and many other platforms. www.symantec.com
- SystemTools Hyena: An excellent reporting tool for users, groups, resources, and much more. www.systemtools.com
- Aelita InTrust: Provides consolidation, reporting, and analysis of audit information. http://www.quest.com/