ADVANCED WINDOWS SECURITY


Ondřej Ševeček, GOPAS a.s.
MCM: Directory Services
MVP: Enterprise Security
ondrej@sevecek.com
www.sevecek.com

Outline
- Recap of basic security principles
- Local and Active Directory user accounts
- Authentication, NTLM and Kerberos
- Forests and trusts
- Group scopes and group types
- NTFS, registry, share and LDAP permissions
- Windows Firewall
- Security hardening with Group Policy
- BitLocker and EFS
- IPSec, 802.1x and TLS/SSL

Prerequisites
- Good Windows Server 2008 and Windows 7 administration
- Good Active Directory administration
- Good knowledge of TCP/IPv4 and DNS
- Basic understanding of all technologies that will be discussed: this is an advanced course

Organization
- 5 days, 9:00-16:00
- Lunch 12:00-13:00
- No smoking
- Refreshments

Advanced Windows Security: SCENARIO

Scenario
- Training provider GOPAS a.s.
- Company divided into two separate branches, Gopas and Elearning: separate employees, shared resources in the Gopas domain
- The company later merges with another company which provides adrenalin sports training and events: sharp-bikes.com
- We are building a brand new infrastructure based on Windows Server 20xy and Windows z, with security in mind!

[Scenario diagram: GPS-DC with the WFE, CA, DATA, VPN and NPS servers and the GPS-WKS workstation in the GPS domain (users Kamil and Judit); ELRN-DC in elearning.local (ELEARNING) with user Jan.]

[Scenario diagram: BIKES-DC in the separate forest ad.sharp-bikes.com (BIKES) with user Tana, next to the GPS and ELEARNING domains above; each of the three domain controllers, BIKES-DC, GPS-DC and ELRN-DC, also runs DNS.]

Domain and Forest Functionality Levels
(DFL = domain functional level, FFL = forest functional level)

  Functionality                                    Level
  Universal Groups                                 FFL 2000 Native
  Kerberos Constrained Delegation                  DFL 2003
  lastLogonTimestamp                               DFL 2003
  Redirect default Computer and User containers    DFL 2003
  Selective Authentication                         FFL 2003
  Forest trusts                                    FFL 2003
  Kerberos uses AES instead of RC4/DES             DFL 2008
  Granular Password Policies                       DFL 2008
  Kerberos claims                                  DFL 2012

Advanced Windows Security: BUILDING BASIC DOMAIN ENVIRONMENT

Lab: Gopas Root Domain
- Install a new domain on GPS-DC
  - select advanced mode DCPROMO installation
  - domain name FQDN:
  - domain name NetBIOS: GPS
  - domain/forest functional level: 2008 R2
- Create basic OU structure in the domain
  - OU=Company
  - OU=People
  - OU=Service
  - OU=Computers
  - OU=Groups
- In OU=Service create the group Admin Accounts
- In OU=Groups create the following groups
  - Employees
  - Contractors
- In OU=Service create a user account
  - name: domain-admin
  - member of: Admin Accounts, Domain Admins, Enterprise Admins
  - options: Password never expires
- Disable the built-in Administrator account
- Create user accounts in OU=People
  - users: Kamil, Helena, Jan; member of: Domain Users, Employees
  - user: Jitka; member of: Domain Users, Contractors

[Lab Result: OU=Service (screenshot)]
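The same lab done from PowerShell on GPS-DC, as an added example that is not part of the course material. It assumes the ActiveDirectory module and a forest FQDN of gopas.cz (the UPN suffix the labs use; the lab itself leaves the FQDN blank), and locates the built-in Administrator by its well-known RID rather than by name.

```powershell
# Added example, not part of the course material: provisions the Gopas root domain lab
# objects with the ActiveDirectory module on GPS-DC. The forest FQDN is assumed to be
# gopas.cz (the UPN suffix used in the labs); the lab itself leaves the FQDN blank.
Import-Module ActiveDirectory
$domain    = Get-ADDomain
$domainDn  = $domain.DistinguishedName         # e.g. DC=gopas,DC=cz
$upnSuffix = 'gopas.cz'                        # assumption, see above

# 1. OU structure
foreach ($ou in 'Company','People','Service','Computers','Groups') {
    New-ADOrganizationalUnit -Name $ou -Path $domainDn -ProtectedFromAccidentalDeletion $true
}

# 2. Groups: Admin Accounts in OU=Service, Employees and Contractors in OU=Groups
New-ADGroup -Name 'Admin Accounts' -GroupScope Global -Path "OU=Service,$domainDn"
foreach ($g in 'Employees','Contractors') {
    New-ADGroup -Name $g -GroupScope Global -Path "OU=Groups,$domainDn"
}

# 3. Dedicated admin account; the password is read interactively, never stored in the script
$adminPwd = Read-Host -AsSecureString -Prompt 'Password for domain-admin'
New-ADUser -Name 'domain-admin' -SamAccountName 'domain-admin' -Path "OU=Service,$domainDn" `
    -AccountPassword $adminPwd -Enabled $true -PasswordNeverExpires $true
foreach ($g in 'Admin Accounts','Domain Admins','Enterprise Admins') {
    Add-ADGroupMember -Identity $g -Members 'domain-admin'
}

# 4. Ordinary users. Domain Users is the primary group of every new user, so only the
#    role group (Employees or Contractors) has to be added explicitly.
$people = @{ Kamil = 'Employees'; Helena = 'Employees'; Jan = 'Employees'; Jitka = 'Contractors' }
foreach ($name in $people.Keys) {
    $sam = $name.ToLower()
    $initPwd = Read-Host -AsSecureString -Prompt "Initial password for $name"
    New-ADUser -Name $name -SamAccountName $sam -UserPrincipalName "$sam@$upnSuffix" `
        -Path "OU=People,$domainDn" -AccountPassword $initPwd -Enabled $true -ChangePasswordAtLogon $true
    Add-ADGroupMember -Identity $people[$name] -Members $sam
}

# 5. Disable the built-in Administrator. It is found by its well-known RID 500, which
#    still works after the account has been renamed.
Disable-ADAccount -Identity (Get-ADUser -Identity "$($domain.DomainSID.Value)-500")

# 6. Confirm the functional levels chosen during DCPROMO (lab: 2008 R2)
(Get-ADForest).ForestMode
$domain.DomainMode
```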

[Lab Result: OU=People (screenshot)]

Lab: Elearning Domain
- Install a new domain into the same forest on ELRN-DC
  - select advanced mode DCPROMO installation
  - forest:
  - domain name FQDN: elearning.local
  - domain name NetBIOS: elearning
  - install DNS server on ELRN-DC: yes
  - install Global Catalog (GC): no
- Configure DNS on ELRN-DC to forward to GPS-DC
  - Conditional forwarder:
  - Forwarder IP address: 10.10.0.11
  - Store in AD: yes
- Configure DNS on GPS-DC to forward to ELRN-DC
  - Conditional forwarder: elearning.local
  - Forwarder IP address: 10.10.0.12
  - Store in AD: yes
- Restart GPS-DC first and wait until it starts, then restart ELRN-DC
- Create basic OU structure in the elearning.local domain
  - OU=Learning
- Create a user and a group in OU=Employees
  - group: Employees
  - users: Jan; member of: Domain Users, Employees
- Rename builtin-admin to learning-admin
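The conditional forwarders from this lab, plus the DC-locator check that the trust lab later repeats with NSLOOKUP, as an added example that is not part of the course material. It assumes the DnsServer and ActiveDirectory modules (Windows Server 2012 or later) and a GPS forest name of gopas.cz; the same cmdlet creates the forwarders towards BIKES-DC later on.

```powershell
# Added example, not part of the course material: the conditional forwarders from the lab,
# created with the DnsServer module and stored in AD with domain replication scope
# ("Store in AD: yes"), followed by the DC-locator check that the trust lab repeats with
# NSLOOKUP. The GPS forest name gopas.cz is an assumption.

# On ELRN-DC: send queries for the GPS forest to GPS-DC (10.10.0.11)
Add-DnsServerConditionalForwarderZone -Name 'gopas.cz' -MasterServers 10.10.0.11 -ReplicationScope 'Domain'

# On GPS-DC: send queries for elearning.local to ELRN-DC (10.10.0.12)
Add-DnsServerConditionalForwarderZone -Name 'elearning.local' -MasterServers 10.10.0.12 -ReplicationScope 'Domain'

# A forwarder proves little until the other forest's DC locator records resolve; this is
# what "set q=srv" in NSLOOKUP tests by hand. Returns $true when at least one DC is advertised.
function Test-DcLocatorRecord {
    param([Parameter(Mandatory)][string]$DomainFqdn)
    try {
        $srv = @(Resolve-DnsName -Name "_ldap._tcp.dc._msdcs.$DomainFqdn" -Type SRV -DnsOnly -ErrorAction Stop |
                 Where-Object { $_.Type -eq 'SRV' })
        foreach ($r in $srv) { Write-Host ("{0}: DC {1} port {2}" -f $DomainFqdn, $r.NameTarget, $r.Port) }
        return ($srv.Count -gt 0)
    } catch {
        Write-Warning "No DC locator record for ${DomainFqdn}: $($_.Exception.Message)"
        return $false
    }
}

# Run on both DCs after the restarts; each side must see the other forest's DCs
Test-DcLocatorRecord -DomainFqdn 'gopas.cz'
Test-DcLocatorRecord -DomainFqdn 'elearning.local'
```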

[DNS Forwarders Result (screenshot)]

Basic domain security
- Pre-Windows 2000 Compatible Access group
  - can read anything in AD
  - should be empty
- Add Workstations to Domain user right
  - should be revoked
  - only administrators should be able to create and connect computers, or authorize other users to do the same

[Add Workstations to Domain (screenshot)]

[Authorizing Workstations (screenshot)]

Lab: Basic Domain Security
- Empty the Pre-Windows 2000 Compatible Access group in the domain
- Create a new GPO for the domain
  - name: Security: Add Workstation to Domain
  - link to:
  - enforced: Yes
  - setting: empty the Add Workstations to Domain user right

Lab: Connect Computer Securely
- Create a new GPS-WKS computer object in OU=Computers
  - computer name: GPS-WKS
  - who can connect to domain: Kamil
- Log on to GPS-WKS as builtin-admin
- Connect GPS-WKS to the domain
  - domain name:
  - user name: kamil@gopas.cz
- Make Kamil a member of the local Administrators group
- Verify that Kamil and Jitka can log on to GPS-WKS
- Verify that Kamil is a member of the local Administrators group and that Jitka is not
  - use the WHOAMI /ALL tool
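The two labs above done and verified from PowerShell, as an added example that is not part of the course material. It assumes the ActiveDirectory module on GPS-DC; the Add Workstations to Domain user right has no AD cmdlet and stays in the lab's GPO, the "who can connect" delegation is left to the lab's GUI step and only read back, and the last function, run on the workstation, reports whether the caller's token holds BUILTIN\Administrators, which the lab requires for Kamil and not for Jitka.

```powershell
# Added example, not part of the course material: the Basic Domain Security and Connect
# Computer Securely labs done and verified with the ActiveDirectory module on GPS-DC.
Import-Module ActiveDirectory
$domainDn = (Get-ADDomain).DistinguishedName

# 1. Pre-Windows 2000 Compatible Access can read the whole directory. Report the current
#    members and clear the attribute; clearing works even for well-known principals such
#    as Authenticated Users, which Get-ADGroupMember cannot always resolve.
$legacy = Get-ADGroup -Identity 'Pre-Windows 2000 Compatible Access' -Properties member
if ($legacy.member.Count -gt 0) {
    Write-Warning ("Pre-Windows 2000 Compatible Access still contains:`n" + ($legacy.member -join "`n"))
    Set-ADGroup -Identity $legacy -Clear 'member'
}

# 2. Pre-create the workstation account so that an administrator, not the joining user,
#    decides which computers exist in the domain.
New-ADComputer -Name 'GPS-WKS' -Path "OU=Computers,$domainDn" -Enabled $true

# 3. Read back what the lab's "who can connect to domain: Kamil" granted on the object;
#    the right to join is nothing more than an ACL on this computer account.
$wks = Get-ADComputer -Identity 'GPS-WKS'
(Get-Acl -Path "AD:\$($wks.DistinguishedName)").Access |
    Where-Object { $_.IdentityReference -like '*\kamil' } |
    Select-Object IdentityReference, ActiveDirectoryRights, ObjectType

# 4. On GPS-WKS after the join: confirm who really holds local Administrators.
#    WHOAMI /GROUPS lists the caller's token; BUILTIN\Administrators is always
#    S-1-5-32-544, so test the SID rather than the localisable group name.
function Test-LocalAdminToken {
    $groups = whoami /groups /fo csv | ConvertFrom-Csv
    return [bool]($groups | Where-Object { $_.SID -eq 'S-1-5-32-544' })
}
Test-LocalAdminToken
```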

[Lab Result: Local Admins (screenshot)]

Lab: Verify Access
- Verify that users can log on to the GPS-WKS workstation
  - kamil@gopas.cz (Employee)
  - jitka@gopas.cz (Contractor)
  - helena@gopas.cz (Employee)
  - jan@gopas.cz (Employee)
  - ELEARNING\jan

[Current State diagram: GPS-DC (GPS) with domain-admin, Kamil (Employee), Helena (Employee), Jan (Employee), Jitka (Contractor) and the GPS-WKS workstation running Windows 8.1; ELRN-DC (elearning.local, ELEARNING) with learning-admin and Jan (Employees).]

Lab: Partner company
- Install a separate new domain and forest on BIKES-DC
  - domain/forest name FQDN: ad.sharp-bikes.com
  - domain name NetBIOS: bikes
  - domain/forest functional level: 2008 R2
- Create basic OU structure in the BIKES domain
  - OU=Adrenalin
- Create a single user and a group in OU=Adrenalin
  - group: Bikers
  - user: Tana; member of: Domain Users, Bikers
- Rename the builtin-admin to bikes-admin

[Current Stage diagram: BIKES-DC in ad.sharp-bikes.com (BIKES) with Tana; GPS-DC with WFE, CA, DATA, VPN and NPS (GPS) with Kamil and Judit; ELRN-DC in elearning.local (ELEARNING) with Jan.]

Advanced Windows Security: TRUSTS

What is a Trust
- If I trust some domain, I believe that their users are secure enough to access my resources
- Bank: if I trust a bank, I may store some money in their safes
- GOPAS will trust BIKES
  - Users from BIKES will be able to access GOPAS servers and workstations
  - Not the opposite: users from GOPAS will not be able to access BIKES resources

[GOPAS Trusts BIKES diagram: GPS (WFE, DATA) is the trusting domain, i.e. the resource domain, with an outgoing trust "GPS trusts BIKES"; ad.sharp-bikes.com (BIKES, user Tana) is the trusted domain, i.e. the account domain, with an incoming trust.]

Trust Basics
- Both forests must be able to resolve DNS names of each other
- Forest trust
  - Kerberos authentication enabled
- External trust
  - NTLM authentication only; Kerberos not possible
- Selective Authentication
  - Users from a trusted domain can authenticate only against specific resources from the trusting domain

Who can Create Trusts
- Forest trust
  - Domain Admins from the forest root domain; does NOT require Enterprise Admins
- External trust
  - Domain Admins from the domain in question

Lab: Trust
- Cross-forward between the DNS servers
  - GPS-DC forwards to BIKES-DC
  - BIKES-DC forwards to GPS-DC
  - Define conditional forwarders only
- Verify DNS resolution by using NSLOOKUP from both servers
  - SET Q=SRV
  - _LDAP._TCP.DC._MSDCS.
  - _LDAP._TCP.DC._MSDCS.ad.sharp-bikes.com
- Create a one-way non-selective forest trust between the two forests
  - GPS trusts BIKES

Lab: Verify Access
- Verify that users can log on to the GPS-WKS workstation
  - kamil@gopas.cz (Employee)
  - judit@gopas.cz (Contractor)
  - helena@gopas.cz (Employee)
  - ELEARNING\jan
  - BIKES\tana (account from the BIKES domain)
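A check of the trust created in this lab against the Trust Basics slide (GPS trusts BIKES one way, forest trust so Kerberos works, non-selective), as an added example that is not part of the course material. The trust itself is still created in the GUI as the lab describes; the script assumes the ActiveDirectory module on GPS-DC and a GPS forest name of gopas.cz.

```powershell
# Added example, not part of the course material: verifies the lab trust from the trusting
# side (GPS-DC) with the ActiveDirectory module. Expected state: GPS trusts BIKES
# (outgoing from GPS only), forest trust, non-selective. gopas.cz is an assumption.
Import-Module ActiveDirectory

function Test-LabTrust {
    param([string]$TrustedForest = 'ad.sharp-bikes.com')

    # The trustedDomain object is read on the trusting side (GPS), so Direction is
    # expressed from GPS's point of view: Outbound means "GPS trusts the target"
    $t = Get-ADTrust -Filter "Target -eq '$TrustedForest'" -ErrorAction SilentlyContinue
    if (-not $t) { Write-Warning "No trust with $TrustedForest exists"; return $false }

    $ok = $true
    # One-way only: BIKES users may reach GPS resources, GPS users must not reach BIKES
    if ($t.Direction -ne 'Outbound') {
        Write-Warning "Direction is $($t.Direction), expected Outbound"; $ok = $false
    }
    # Forest (transitive) trust, not external: an external trust is NTLM only
    if (-not $t.ForestTransitive) {
        Write-Warning 'Trust is external; Kerberos across the forests is not possible'; $ok = $false
    }
    # The lab asks for a non-selective trust; with selective authentication BIKES users
    # would also need the Allowed to Authenticate permission on each GPS server they use
    if ($t.SelectiveAuthentication) {
        Write-Warning 'Selective authentication is enabled'; $ok = $false
    }
    return $ok
}

Test-LabTrust

# The same check with the built-in tool; unlike Get-ADTrust it also exercises the
# trust secure channel between the two forests
netdom trust gopas.cz /d:ad.sharp-bikes.com /verify
```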

Advanced Windows Security: CONCLUSION

[Conclusion diagram: GPS-DC (GPS) with domain-admin, Kamil (Employee), Helena (Employee), Jan (Employee), Judit (Contractor); ELRN-DC (elearning.local, ELEARNING) with learning-admin and Jan (Employees); BIKES-DC (ad.sharp-bikes.com, BIKES) with bikes-admin and Tana (Bikers).]