ADVANCED WINDOWS SECURITY

ADVANCED WINDOWS SECURITY

Ondřej Ševeček | GOPAS a.s. |

MCM: Directory Services | MVP: Enterprise Security | [email protected] | www.sevecek.com |

Outline



Recap of basic security principles



Local and Active Directory user accounts



Authentication, NTLM and Kerberos



Forests and trusts



Group scopes and group types



NTFS, registry, share and LDAP permissions



Windows Firewall



Security hardening with Group Policy



BitLocker and EFS

Prerequisites



Good Windows Server 2008 and Windows 7

administration



Good Active Directory administration



Good knowledge of TCP/IPv4 and DNS



Basic understanding of all technologies that

will be discussed

 this is an advanced course

Organization



5 days



9:00 – 16:00



Lunch 12:00-13:00



No smoking



Refreshments

SCENARIO

Advanced Windows Security

Scenario



Traning provider GOPAS a.s.



Company devided into two separate branches

 Gopas and Elearning

 separate employees, shared resources in Gopas domain



The company later merges with another

company which provides adrenalin sports

training and events

 sharp-bikes.com



We are building a brand new infrastructure based

on Windows Server 20xy and Windows z

Scenario

gopas.virtual gopas.virtual (GPS) Kamil DATA Judit WFE CA VPN NPS GPS-WKS GPS-DC

Scenario

gopas.virtual gopas.virtual (GPS) elearning.local (ELEARNING) Kamil DATA Judit Jan WFE CA VPN NPS DC-GPS ELRN-DC WKS

Scenario

gopas.virtual gopas.virtual (GPS) elearning.local (ELEARNING) ad.sharp-bikes.com ad.sharp-bikes.com (BIKES) Kamil DATA _Judit Jan WFE CA VPN NPS Tana BIKES-DC WKS

Scenario

gopas.virtual gopas.virtual (GPS) elearning.local (ELEARNING) ad.sharp-bikes.com ad.sharp-bikes.com (BIKES) DNS GPS-DC BIKES-DC DNS DNS ELRN-DC

Domain and Forest Functionality

Levels

Functionality DFL/FFL Level

Universal Groups FFL 2000 Native

Kerberos Constrained Delegation DFL 2003

lastLogonTimestamp DFL 2003

Redirect default Computer and User containers DFL 2003

Selective Authentication FFL 2003

Forest trusts FFL 2003

Kerberos uses AES instead of RC4/DES DFL 2008

Granular Password Policies DFL 2008

Kerberos claims DFL 2012

BUILDING BASIC DOMAIN

ENVIRONMENT

Lab

: Gopas Root Domain ...



Install a new domain on GPS-DC

 select advanced mode DCPROMO installation

 domain name FQDN: gopas.virtual

 domain name NetBIOS: GPS

 domain/forest functional level: 2008 R2

Lab

: ... Gopas Root Domain ...



Create basic OU structure in gopas.virtual

domain

 OU=Company  OU=People  OU=Service  OU=Computers  OU=Groups



In OU=Service create group

 Admin Accounts



In OU=Groups create the following groups

 Employees

Lab

: ... Gopas Root Domain



In OU=Service create user account

 name: domain-admin

 member of: Admin Accounts, Domain Admins, Enterprise Admins

 options: Password never expires



Disable built-in Administrator account



Create user accounts in OU=People

 users: Kamil, Helena, Jan

 member of: Domain Users, Employees

 user: Jitka

 member of: Domain Users, Contractors

Lab Result

: OU=People

Lab

: Elearning Domain ...



Install a new domain into the same forest on

ELRN-DC

 select advanced mode DCPROMO installation

 forest: gopas.virtual

 domain name FQDN: elearning.local

 domain name NetBIOS: elearning

 install DNS server on ELRN-DC: yes

Lab

: ... Elearning Domain ...

 Configure DNS on ELRN-DC to forward to GPS-DC

 Conditional forwarder: gopas.virtual

 Forwarder IP address: 10.10.0.11

 Store in AD: yes

 Configure DNS on GPS-DC to forward to ELRN-DC

 _{Conditional forwarder: elearning.local}  Forwarder IP address: 10.10.0.12

 Store in AD: yes

 Restart GPS-DC first, wait until it starts

 Then restart ELRN-DC

Lab

: ... Elearning Domain



Create basic OU structure in elearning.local

domain

 OU=Learning



Create a user and a group in OU=Employees

 group: Employees

 users: Jan

 members of: Domain Users, Employees

DNS Forwarders Result

Basic domain security



Pre-Windows 2000 Compatible Access group

 can read anything in AD

 should be empty



Add Workstation to Domain user right

 should be revoked

 only administrators should be able to create and connect computers, or authorize other users to do the same

Add Workstations to Domain

Lab

: Basic Domain Security



Empty the Pre-Windows 2000 Compatible

Access group in gopas.virtual domain



Create new GPO for gopas.virtual domain:

 name: Security: Add Workstation to Domain

 link to: gopas.virtual

 enforced: Yes

 setting: empty Add Workstation to Domain user right

Lab

: Connect Computer Securelly

 Create new GPS-WKS computer object in OU=Computers  computer name: GPS-WKS

 who can connect to domain: Kamil

 Log on to GPS-WKS as builtin-admin

 Connect GPS-WKS to domain  domain name: gopas.virtual

 user name: [email protected]

 Make Kamil member of local Administrators group

 Verify that Kamil and Jitka can log on to GPS-WKS

 Verify that Kamil is member of local Administrators group and that Jitka is not

Lab Result

: Local Admins

Lab

: Verify Access



Verify that users can log on to GPS-WKS

workstation

 [email protected] (Employee)  [email protected] (Contractor)  [email protected] (Employee)  [email protected] (Employee)  ELEARNING\jan

Current State

gopas.virtual GPS-DC ELRN-DC gopas.virtual GPS elearning.local ELEARNING domain-admin learning-admin Kamil – Employee Helena – Employee Jan – Employee Jitka – Contractor Jan - Employees GPS-WKS Windows 8.1

Lab

: Partner company

 Install a separate new domain and forest on BIKES-DC  domain/forest name FQDN: ad.sharp-bikes.com

 domain name NetBIOS: bikes

 domain/forest functional level: 2008 R2

 Create basic OU structure in the BIKES domain  OU=Adrenalin

 Create a single user and a group in the OU=Adrenalin  group: Bikers

 user: Tana

 member of: Domain Users, Bikers

Current Stage

gopas.virtual gopas.virtual (GPS) elearning.local (ELEARNING) ad.sharp-bikes.com ad.sharp-bikes.com (BIKES) Kamil DATA _Judit Jan WFE CA VPN NPS Tana BIKES-DC

TRUSTS

What is a Trust



If I trust some domain, I believe that their

users are secure enough to access my

resources

 Bank – if I trust bank, I may store some money at their safes



GOPAS will trust BIKES

 Users from BIKES will be able to access GOPAS servers and workstations

 Not the opposite – users from GOPAS will not be able to access BIKES resources

GOPAS Trusts Bikes

ad.sharp-bikes.com (BIKES) gopas.virtual (GPS) DATA WFE Tana Trusting domain Trusted domain Resource domain Account domain Outgoing trust Incoming trust GPS trusts BIKES

Trust Basics



Both forests must be able to resolve DNS names

of each other



Forest trust

 Kerberos authentication enabled



External trust

 NTLM authentication only

 Kerberos not possible



Selective Authentication

 Users from a trusted domain can authenticate only against specific resources from the trusting domain

Who can Create Trusts



Forest trust

 Domain Admins from forest root domain

 do NOT require Enterprise Admins



External trust

Lab

: Trust



Cross-forward between the DNS servers

 GPS-DC forwards to BIKES-DC

 BIKES-DC forwards to GPS-DC

 Define conditional forwarders only



Verify DNS resolution by using NSLOOKUP

 from both servers

 SET Q=SRV

_LDAP._TCP.DC._MSDCS.gopas.virtual _LDAP._TCP.DC._MSDCS.ad.sharp-bikes.com



Create one-way non-selective forest trust

between the two forests

 GPS trusts BIKES

Lab

: Verify Access



Verify that users can log on to GPS-WKS

workstation

 [email protected] (Employee)

 [email protected] (Contractor)

 [email protected] (Employee)

 ELEARNING\jan

CONCLUSION

Advanced Windows Security

Conclusion

gopas.virtual ad.sharp-bikes.com GPS-DC ELRN-DC BIKES-DC gopas.virtual GPS elearning.local ELEARNING ad.sharp-bikes.com BIKES

domain-admin learning-admin bikes-admin Kamil – Employee

Helena – Employee Jan – Employee Judit – Contractor