Ondřej Ševeček
GOPAS a.s.
MCM: Directory Services
MVP: Enterprise Security
ondrej@sevecek.com
www.sevecek.com

ADVANCED WINDOWS SECURITY

Outline
- Recap of basic security principles
- Local and Active Directory user accounts
- Authentication, NTLM and Kerberos
- Forests and trusts
- Group scopes and group types
- NTFS, registry, share and LDAP permissions
- Windows Firewall
- Security hardening with Group Policy
- BitLocker and EFS
- IPSec, 802.1x and TLS/SSL
Prerequisites
- Good Windows Server 2008 and Windows 7 administration
- Good Active Directory administration
- Good knowledge of TCP/IPv4 and DNS
- Basic understanding of all technologies that will be discussed; this is an advanced course

Organization
- 5 days, 9:00 - 16:00
- Lunch 12:00 - 13:00
- No smoking
- Refreshments
Advanced Windows Security: SCENARIO

Scenario
- Training provider GOPAS a.s.
- Company divided into two separate branches: Gopas and Elearning
  - separate employees, shared resources in the Gopas domain
- The company later merges with another company, which provides adrenalin sports training and events: sharp-bikes.com
- We are building a brand new infrastructure based on Windows Server 20xy and Windows z with security in mind!
Scenario (three diagrams, building up the environment step by step)
- GPS forest: GPS-DC (domain controller, DNS), GPS-WKS workstation, servers WFE, CA, DATA, VPN, NPS; users Kamil and Judit
- ELEARNING: elearning.local, ELRN-DC (domain controller, DNS); user Jan
- BIKES: ad.sharp-bikes.com, BIKES-DC (domain controller, DNS); user Tana
Domain and Forest Functionality Levels

Functionality                                     Required DFL/FFL
Universal groups                                  DFL 2000 Native
Kerberos constrained delegation                   DFL 2003
lastLogonTimestamp                                DFL 2003
Redirect default Computer and User containers     DFL 2003
Selective Authentication                          FFL 2003
Forest trusts                                     FFL 2003
Kerberos uses AES instead of RC4/DES              DFL 2008
Granular (fine-grained) password policies         DFL 2008
Kerberos claims                                   DFL 2012

(Universal security groups depend on the domain functional level: "2000 Native" is a domain level, there is no such forest level.)

Advanced Windows Security: BUILDING BASIC DOMAIN ENVIRONMENT
Lab: Gopas Root Domain...
- Install a new domain on GPS-DC
  - select advanced mode DCPROMO installation
  - domain name FQDN:
  - domain name NetBIOS: GPS
  - domain/forest functional level: 2008 R2

Lab: ...Gopas Root Domain...
- Create basic OU structure in the domain
  - OU=Company
  - OU=People
  - OU=Service
  - OU=Computers
  - OU=Groups
- In OU=Service create group Admin Accounts
- In OU=Groups create the following groups
  - Employees
  - Contractors
Lab: ...Gopas Root Domain
- In OU=Service create user account
  - name: domain-admin
  - member of: Admin Accounts, Domain Admins, Enterprise Admins
  - options: Password never expires
- Disable the built-in Administrator account
- Create user accounts in OU=People
  - users: Kamil, Helena, Jan
    - member of: Domain Users, Employees
  - user: Jitka
    - member of: Domain Users, Contractors

Lab Result: OU=Service (screenshot)
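The two "Gopas Root Domain" lab slides above are a GUI procedure; the following script is an added example (not part of the course slides) that performs the same steps with the ActiveDirectory module on GPS-DC after the forest has been installed. It assumes the domain DNS name is whatever Get-ADDomain returns (the slide leaves the FQDN blank) and uses a prompted placeholder as the initial password for every account; the OU list is created flat, exactly as listed, with no nesting implied.

```powershell
# Added example, not from the course slides: objects of the "Gopas Root Domain" lab.
# Assumptions: run on GPS-DC as a Domain Admin after DCPROMO; domain DNS name taken from
# Get-ADDomain; one prompted initial password reused for all new accounts.
Import-Module ActiveDirectory

$domain    = Get-ADDomain
$domainDN  = $domain.DistinguishedName
$upnSuffix = $domain.DNSRoot
$initialPassword = Read-Host -AsSecureString 'Initial password for the new accounts'

# OU structure (flat list from the slide), protected from accidental deletion
foreach ($ou in 'Company', 'People', 'Service', 'Computers', 'Groups') {
    if (-not (Get-ADOrganizationalUnit -Filter "Name -eq '$ou'" -SearchBase $domainDN -SearchScope OneLevel)) {
        New-ADOrganizationalUnit -Name $ou -Path $domainDN -ProtectedFromAccidentalDeletion $true
    }
}

# Groups: Admin Accounts in OU=Service, Employees and Contractors in OU=Groups
New-ADGroup -Name 'Admin Accounts' -GroupScope Global -GroupCategory Security -Path "OU=Service,$domainDN"
foreach ($g in 'Employees', 'Contractors') {
    New-ADGroup -Name $g -GroupScope Global -GroupCategory Security -Path "OU=Groups,$domainDN"
}

# Dedicated administrative account; "Password never expires" is the slide's option
New-ADUser -Name 'domain-admin' -SamAccountName 'domain-admin' `
    -UserPrincipalName "domain-admin@$upnSuffix" -Path "OU=Service,$domainDN" `
    -AccountPassword $initialPassword -PasswordNeverExpires $true -Enabled $true
foreach ($g in 'Admin Accounts', 'Domain Admins', 'Enterprise Admins') {
    Add-ADGroupMember -Identity $g -Members 'domain-admin'
}

# Regular users in OU=People. Domain Users is the primary group, so only the role group is added.
$people = @{ Kamil = 'Employees'; Helena = 'Employees'; Jan = 'Employees'; Jitka = 'Contractors' }
foreach ($name in $people.Keys) {
    $sam = $name.ToLower()
    New-ADUser -Name $name -SamAccountName $sam -UserPrincipalName "$sam@$upnSuffix" `
        -Path "OU=People,$domainDN" -AccountPassword $initialPassword `
        -ChangePasswordAtLogon $true -Enabled $true
    Add-ADGroupMember -Identity $people[$name] -Members $sam
}

# Disable the built-in Administrator. Find it by its well-known RID 500, never by name,
# and do this only after domain-admin has been verified to log on.
$builtinAdmin = Get-ADUser -Identity "$($domain.DomainSID.Value)-500"
Disable-ADAccount -Identity $builtinAdmin

# Review what was built
Get-ADGroupMember -Identity 'Admin Accounts' | Select-Object Name, SamAccountName
Get-ADUser -Filter * -SearchBase "OU=People,$domainDN" -Properties MemberOf |
    Select-Object Name, Enabled,
        @{ n = 'Groups'; e = { ($_.MemberOf | ForEach-Object { ($_ -split ',')[0] -replace '^CN=' }) -join ', ' } }
```

Two points worth checking after running it: the disabled built-in Administrator is still usable in Directory Services Restore Mode, so the DSRM password deserves the same care as domain-admin's; and since the account is identified by RID 500, the script keeps working after a later rename such as the learning-admin and bikes-admin renames in the following labs.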
Lab Result: OU=People (screenshot)

Lab: Elearning Domain...
- Install a new domain into the same forest on ELRN-DC
  - select advanced mode DCPROMO installation
  - forest:
  - domain name FQDN: elearning.local
  - domain name NetBIOS: elearning
  - install DNS server on ELRN-DC: yes
  - install Global Catalog (GC): no
Lab: ...Elearning Domain...
- Configure DNS on ELRN-DC to forward to GPS-DC
  - Conditional forwarder:
  - Forwarder IP address: 10.10.0.11
  - Store in AD: yes
- Configure DNS on GPS-DC to forward to ELRN-DC
  - Conditional forwarder: elearning.local
  - Forwarder IP address: 10.10.0.12
  - Store in AD: yes
- Restart GPS-DC first, wait until it starts
- Then restart ELRN-DC

Lab: ...Elearning Domain
- Create basic OU structure in the elearning.local domain
  - OU=Learning
- Create a user and a group in OU=Employees
  - group: Employees
  - user: Jan
    - member of: Domain Users, Employees
- Rename the built-in Administrator to learning-admin
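The "Elearning Domain" slides describe a second tree in the same forest plus cross-forwarding DNS. As an added example (not from the course slides), the script below does the same with the ADDSDeployment, DnsServer and ActiveDirectory modules of Windows Server 2012 R2. It assumes $RootFqdn holds the GPS forest root DNS name, which the slides leave blank, that 10.10.0.11 is GPS-DC and 10.10.0.12 is ELRN-DC as shown on the slide, and, because the slide names both OU=Learning and OU=Employees, it places the group and user in OU=Learning, the only OU the lab creates.

```powershell
# Added example, not from the course slides: the "Elearning Domain" lab in PowerShell.
# Assumptions: $RootFqdn = GPS forest root DNS name (blank on the slide); GPS-DC is
# 10.10.0.11 and ELRN-DC is 10.10.0.12; ELRN-DC already has the AD DS role installed.

# Step 1, on ELRN-DC: elearning.local as a new domain tree in the existing forest.
# Mirrors the advanced-mode DCPROMO choices: DNS yes, Global Catalog no, DFL 2008 R2.
function Install-ElearningTreeDomain {
    param([Parameter(Mandatory)][string]$RootFqdn)
    Import-Module ADDSDeployment
    Install-ADDSDomain -Credential (Get-Credential 'GPS\domain-admin') `
        -DomainType TreeDomain -ParentDomainName $RootFqdn `
        -NewDomainName 'elearning.local' -NewDomainNetbiosName 'ELEARNING' `
        -DomainMode Win2008R2 -InstallDns -NoGlobalCatalog `
        -SafeModeAdministratorPassword (Read-Host -AsSecureString 'DSRM password for ELRN-DC')
}

# Step 2, from GPS-DC: AD-integrated conditional forwarders, each DNS server pointing at
# the other DC. "Store in AD: yes" with the GUI default scope = all DNS servers in the
# domain, which keeps each forwarder out of the forest that is authoritative for the zone.
function Add-CrossForwarders {
    param([Parameter(Mandatory)][string]$RootFqdn)
    Import-Module DnsServer
    Add-DnsServerConditionalForwarderZone -ComputerName 'ELRN-DC' -Name $RootFqdn `
        -MasterServers 10.10.0.11 -ReplicationScope Domain
    Add-DnsServerConditionalForwarderZone -ComputerName 'GPS-DC' -Name 'elearning.local' `
        -MasterServers 10.10.0.12 -ReplicationScope Domain
    # verify: both zones must show ZoneType "Forwarder"
    Get-DnsServerZone -ComputerName 'ELRN-DC' -Name $RootFqdn
    Get-DnsServerZone -ComputerName 'GPS-DC'  -Name 'elearning.local'
}

# Step 3, in elearning.local: OU, group, user, and the rename of the built-in Administrator
function New-ElearningObjects {
    Import-Module ActiveDirectory
    $d   = Get-ADDomain -Identity 'elearning.local'
    $dc  = $d.PDCEmulator
    $ou  = "OU=Learning,$($d.DistinguishedName)"
    New-ADOrganizationalUnit -Name 'Learning' -Path $d.DistinguishedName -Server $dc
    New-ADGroup -Name 'Employees' -GroupScope Global -GroupCategory Security -Path $ou -Server $dc
    New-ADUser -Name 'Jan' -SamAccountName 'jan' -UserPrincipalName 'jan@elearning.local' -Path $ou `
        -AccountPassword (Read-Host -AsSecureString 'Initial password for ELEARNING\jan') `
        -ChangePasswordAtLogon $true -Enabled $true -Server $dc
    Add-ADGroupMember -Identity 'Employees' -Members 'jan' -Server $dc
    # Locate the built-in Administrator by RID 500 and rename both the object and its logon name
    $admin = Get-ADUser -Identity "$($d.DomainSID.Value)-500" -Server $dc
    Rename-ADObject -Identity $admin -NewName 'learning-admin' -Server $dc
    Set-ADUser -Identity $admin -SamAccountName 'learning-admin' -Server $dc
}

# Run order: Install-ElearningTreeDomain on ELRN-DC (it reboots); then from GPS-DC
# Add-CrossForwarders and New-ElearningObjects; finally restart GPS-DC first, ELRN-DC second.
```

Renaming the built-in Administrator hides nothing from an attacker who enumerates by SID (RID 500 is always the same), so treat the rename as housekeeping, not as a control; the effective protections are the strong password, the disabled state where the lab calls for it, and the dedicated administrative accounts.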
DNS Forwarders Result (screenshot)

Basic domain security
- Pre-Windows 2000 Compatible Access group
  - members can read most objects in AD; the default member Authenticated Users gives every domain account that visibility
  - should be empty
- Add Workstations to Domain user right
  - should be revoked (by default it lets any authenticated user join up to 10 computers)
  - only administrators should be able to create and connect computers, or authorize other users to do the same
Add Workstations to Domain (screenshot)

Authorizing Workstations (screenshot)
Lab: Basic Domain Security
- Empty the Pre-Windows 2000 Compatible Access group in the domain
- Create new GPO for the domain
  - name: Security: Add Workstation to Domain
  - link to:
  - enforced: Yes
  - setting: empty Add Workstation to Domain user right

Lab: Connect Computer Securely
- Create new GPS-WKS computer object in OU=Computers
  - computer name: GPS-WKS
  - who can connect to domain: Kamil
- Log on to GPS-WKS as builtin-admin
- Connect GPS-WKS to the domain
  - domain name:
  - user name: kamil@gopas.cz
- Make Kamil member of the local Administrators group
- Verify that Kamil and Jitka can log on to GPS-WKS
- Verify that Kamil is a member of the local Administrators group and that Jitka is not
  - use the WHOAMI /ALL tool
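The "Basic domain security" slide and the two labs above describe, in GUI terms, emptying the legacy group, revoking the join right, and letting exactly one user join one pre-staged computer. The script below is an added example (not from the course slides) that does the same with PowerShell. Steps 1 to 3 run on GPS-DC as domain-admin, step 4 on GPS-WKS as the local builtin-admin. It assumes the domain DNS name, blank on the slide, is gopas.cz (the UPN suffix the slide uses for kamil@gopas.cz), and the schema GUIDs it grants are the well-known Active Directory rights a principal needs to join a pre-staged computer account.

```powershell
# Added example, not from the course slides: "Basic Domain Security" and "Connect Computer
# Securely" in PowerShell. Assumptions: domain DNS name gopas.cz (from the lab UPN suffix);
# the GUIDs below are the standard schema rights needed to join a pre-staged computer.
Import-Module ActiveDirectory
$domain = Get-ADDomain

# --- Step 1: empty Pre-Windows 2000 Compatible Access. Clear the attribute instead of
# enumerating: Get-ADGroupMember fails on the foreign security principal that is the
# group's default member (Authenticated Users, S-1-5-11). ---
$legacy = Get-ADGroup -Identity 'Pre-Windows 2000 Compatible Access' -Properties member
Write-Host "Removing from Pre-Windows 2000 Compatible Access: $($legacy.member -join '; ')"
Set-ADGroup -Identity $legacy -Clear member

# --- Step 2: the GPO that empties "Add workstations to domain" is built in the GPMC (no
# cmdlet writes user-rights assignments); verify the effective setting on the DC. ---
gpupdate /target:computer /force | Out-Null
$inf = Join-Path $env:TEMP 'user-rights.inf'
secedit /export /cfg $inf /areas USER_RIGHTS | Out-Null
$m = Select-String -Path $inf -Pattern '^SeMachineAccountPrivilege\s*=\s*(.*)$'
$granted = if ($m) { $m.Matches[0].Groups[1].Value.Trim() } else { '' }
if ($granted) { Write-Warning "Add workstations to domain still granted to: $granted (*S-1-5-11 = Authenticated Users)" }
else          { Write-Host 'Add workstations to domain: nobody. Joins now require create/write rights on the computer object.' }

# --- Step 3: pre-stage GPS-WKS in OU=Computers and delegate the join to Kamil only ---
$wksPath = "OU=Computers,$($domain.DistinguishedName)"
New-ADComputer -Name 'GPS-WKS' -SamAccountName 'GPS-WKS' -Path $wksPath -Enabled $true
$wks   = Get-ADComputer -Identity 'GPS-WKS'
$kamil = (Get-ADUser -Identity 'kamil').SID
$acl   = Get-Acl -Path "AD:\$($wks.DistinguishedName)"
# Rights a joiner needs on an existing computer object: Reset Password (extended right),
# validated writes to dNSHostName and servicePrincipalName, write to Account Restrictions
$rules = @(
    @{ Right = 'ExtendedRight'; Guid = '00299570-246d-11d0-a768-00aa006e0529' }  # Reset Password
    @{ Right = 'Self';          Guid = '72e39547-7b18-11d1-adef-00c04fd8d5cd' }  # Validated write to DNS host name
    @{ Right = 'Self';          Guid = 'f3a64788-5306-11d1-a9c5-0000f80367c1' }  # Validated write to SPN
    @{ Right = 'WriteProperty'; Guid = '4c164200-20c0-11d0-a768-00aa006e0529' }  # Account Restrictions property set
)
foreach ($r in $rules) {
    $acl.AddAccessRule((New-Object System.DirectoryServices.ActiveDirectoryAccessRule(
        $kamil, [System.DirectoryServices.ActiveDirectoryRights]$r.Right,
        [System.Security.AccessControl.AccessControlType]::Allow, [guid]$r.Guid)))
}
Set-Acl -Path "AD:\$($wks.DistinguishedName)" -AclObject $acl
(Get-Acl -Path "AD:\$($wks.DistinguishedName)").Access |
    Where-Object { $_.IdentityReference -like '*kamil' } |
    Select-Object ActiveDirectoryRights, ObjectType

# --- Step 4, on GPS-WKS as the local builtin-admin ---
function Join-GpsWks {
    # The credential is deliberately Kamil's (an ordinary user), not an administrator's.
    param([string]$DomainFqdn = 'gopas.cz')   # assumption: DNS name equals the lab UPN suffix
    Add-Computer -DomainName $DomainFqdn -Credential (Get-Credential 'kamil@gopas.cz') -Restart
}
function Grant-LocalAdminAndCheck {
    # After the reboot, still as builtin-admin. Windows 8.1 has no Add-LocalGroupMember.
    net localgroup Administrators 'GPS\kamil' /add
    # Then log on as kamil and as jitka in turn; BUILTIN\Administrators (S-1-5-32-544)
    # must appear only in Kamil's token.
    whoami /groups | findstr /i 'S-1-5-32-544'
}
```

Two caveats the GUI hides. First, the slide's "enforced: Yes" matters: the Default Domain Controllers Policy, linked at the Domain Controllers OU, grants SeMachineAccountPrivilege to Authenticated Users, and an OU-linked GPO normally wins over a domain-linked one; only the Enforced flag makes the domain-level revocation stick on the DCs. Second, if Kamil's join fails with access denied even though the ACL looks right, read C:\Windows\debug\NetSetup.LOG on the workstation, which names the attribute the join could not write.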
Lab Result: Local Admins (screenshot)

Lab: Verify Access
- Verify that users can log on to the GPS-WKS workstation
  - kamil@gopas.cz (Employee)
  - jitka@gopas.cz (Contractor)
  - helena@gopas.cz (Employee)
  - jan@gopas.cz (Employee)
  - ELEARNING\jan
Current State (diagram)
- GPS-DC (GPS): domain-admin; Kamil (Employee), Helena (Employee), Jan (Employee), Jitka (Contractor); GPS-WKS (Windows 8.1)
- ELRN-DC, elearning.local (ELEARNING): learning-admin; Jan (Employees)

Lab: Partner company
- Install a separate new domain and forest on BIKES-DC
  - domain/forest name FQDN: ad.sharp-bikes.com
  - domain name NetBIOS: bikes
  - domain/forest functional level: 2008 R2
- Create basic OU structure in the BIKES domain
  - OU=Adrenalin
- Create a single user and a group in OU=Adrenalin
  - group: Bikers
  - user: Tana
    - member of: Domain Users, Bikers
- Rename the built-in Administrator to bikes-admin
Current Stage (diagram)
- BIKES-DC, ad.sharp-bikes.com (BIKES): Tana
- GPS: WFE, CA, DATA, VPN, NPS; Kamil, Judit, Jan
- elearning.local (ELEARNING)

Advanced Windows Security: TRUSTS
What is a Trust
- If I trust some domain, I believe that their users are secure enough to access my resources
  - Bank: if I trust a bank, I may store some money in their safes
- GOPAS will trust BIKES
  - users from BIKES will be able to access GOPAS servers and workstations
  - not the opposite: users from GOPAS will not be able to access BIKES resources

GOPAS Trusts Bikes (diagram)
- Trusting domain = resource domain: GPS (WFE, DATA); from the GPS side this is an outgoing trust, "GPS trusts BIKES"
- Trusted domain = account domain: ad.sharp-bikes.com (BIKES), Tana; from the BIKES side the same trust is incoming
Trust Basics
- Both forests must be able to resolve each other's DNS names
- Forest trust
  - Kerberos authentication enabled
- External trust
  - NTLM authentication only; Kerberos not possible
- Selective Authentication
  - users from the trusted domain can authenticate only against specific resources in the trusting domain (those computers on which they are granted the Allowed to Authenticate permission)

Who can Create Trusts
- Forest trust
  - Domain Admins of the forest root domain; Enterprise Admins membership is NOT required
- External trust
  - Domain Admins of the domain in question
Lab: Trust
- Cross-forward between the DNS servers
  - GPS-DC forwards to BIKES-DC
  - BIKES-DC forwards to GPS-DC
  - define conditional forwarders only
- Verify DNS resolution by using NSLOOKUP from both servers
  - SET Q=SRV
  - _LDAP._TCP.DC._MSDCS.
  - _LDAP._TCP.DC._MSDCS.ad.sharp-bikes.com
- Create a one-way, non-selective forest trust between the two forests
  - GPS trusts BIKES

Lab: Verify Access
- Verify that users can log on to the GPS-WKS workstation
  - kamil@gopas.cz (Employee)
  - judit@gopas.cz (Contractor)
  - helena@gopas.cz (Employee)
  - ELEARNING\jan
  - BIKES\tana (account from the BIKES domain)
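The "Trust Basics" and "Lab: Trust" slides above give the DNS prerequisite, the NSLOOKUP check, and the trust to create. As an added example (not from the course slides), the script below runs the same sequence on GPS-DC as domain-admin: conditional forwarder, DC-locator SRV lookups in both directions, a one-way outgoing forest trust created through the .NET System.DirectoryServices.ActiveDirectory API (the ActiveDirectory module can only read trusts), and a verification. It assumes $RootFqdn is the GPS forest root DNS name the slide leaves blank and $BikesDcIp is the address of BIKES-DC, which the slide does not give.

```powershell
# Added example, not from the course slides: the "Trust" lab from the GPS side.
# Assumptions: $RootFqdn = GPS forest root DNS name (blank on the slide);
# $BikesDcIp = address of BIKES-DC (not on the slide); run on GPS-DC as domain-admin.
param(
    [Parameter(Mandatory)][string]$RootFqdn,
    [Parameter(Mandatory)][ipaddress]$BikesDcIp
)
Import-Module DnsServer, ActiveDirectory
$bikes = 'ad.sharp-bikes.com'

# --- Step 1: conditional forwarder only (no stub or secondary zone), stored in AD ---
Add-DnsServerConditionalForwarderZone -Name $bikes -MasterServers $BikesDcIp -ReplicationScope Forest
# The BIKES administrators create the mirror image on BIKES-DC:
#   Add-DnsServerConditionalForwarderZone -Name <GPS root FQDN> -MasterServers 10.10.0.11 -ReplicationScope Forest

# --- Step 2: equivalent of "nslookup, SET Q=SRV, _ldap._tcp.dc._msdcs.<domain>" for both forests ---
function Test-DcLocator {
    param([Parameter(Mandatory)][string]$Domain)
    $srv = Resolve-DnsName -Name "_ldap._tcp.dc._msdcs.$Domain" -Type SRV -ErrorAction Stop |
           Where-Object { $_.Type -eq 'SRV' }
    if (-not $srv) { throw "No DC locator SRV records for $Domain; the trust wizard would fail here." }
    $srv | Select-Object Name, NameTarget, Port, Priority, Weight
}
Test-DcLocator -Domain $RootFqdn
Test-DcLocator -Domain $bikes

# --- Step 3: one-way, non-selective forest trust: GPS (trusting) trusts BIKES (trusted) ---
# Forest.CreateTrustRelationship needs credentials valid in the other forest to write its
# half of the trusted-domain object; only Domain Admins of the root domain are needed here.
$bikesCred    = Get-Credential -UserName 'BIKES\bikes-admin' -Message 'BIKES root domain admin'
$ctx          = New-Object System.DirectoryServices.ActiveDirectory.DirectoryContext(
                    [System.DirectoryServices.ActiveDirectory.DirectoryContextType]::Forest,
                    $bikes, $bikesCred.UserName, $bikesCred.GetNetworkCredential().Password)
$remoteForest = [System.DirectoryServices.ActiveDirectory.Forest]::GetForest($ctx)
$localForest  = [System.DirectoryServices.ActiveDirectory.Forest]::GetCurrentForest()
# Outbound = outgoing trust from our side: BIKES accounts usable on GPS resources, not the reverse
$localForest.CreateTrustRelationship($remoteForest,
    [System.DirectoryServices.ActiveDirectory.TrustDirection]::Outbound)

# --- Step 4: verify the trusted-domain object and the secure channel ---
Get-ADTrust -Filter "Target -eq '$bikes'" |
    Select-Object Name, Direction, ForestTransitive, SelectiveAuthentication,
                  SIDFilteringForestAware, UsesAESKeys
nltest /domain_trusts /all_trusts
nltest "/sc_verify:$bikes"
```

Expected verification output is Direction Outbound, ForestTransitive True and SelectiveAuthentication False, matching "one-way, non-selective forest trust". If the lab is later tightened to selective authentication, the same API does it with $localForest.SetSelectiveAuthenticationStatus($remoteForest, $true); from then on BIKES\tana can log on to GPS-WKS only after being granted Allowed to Authenticate on that computer object, which is the property the Trust Basics slide describes.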
Advanced Windows Security: CONCLUSION

Conclusion (diagram)
- GPS-DC, GPS: domain-admin; Kamil (Employee), Helena (Employee), Jan (Employee), Judit (Contractor)
- ELRN-DC, elearning.local (ELEARNING): learning-admin; Jan (Employees)
- BIKES-DC, ad.sharp-bikes.com (BIKES): bikes-admin; Tana (Bikers)