Introduction to Active Directory Security
Welcome and Introduction
- Michał Sajdak opens the session, introducing himself and the main trainer, Robert Przybylski.
- Tomek Turba is also introduced; he supports the security of the transmission during the training.
- Michał expresses gratitude for attendees' participation and wishes everyone a fruitful training session.
Trainer Background
- Robert Przybylski introduces himself, mentioning his role as a Security Architect and Cloud Architect.
- He shares his experience with Active Directory (AD), starting 12 years ago, emphasizing automation in repetitive tasks.
- Robert discusses his journey into cloud technologies, particularly Microsoft Azure, focusing on identity infrastructure.
Experience and Expertise
- He highlights his expertise in security measures related to AD and cloud environments, including Network Security and Identity Security.
- Robert mentions being part of Poland's representation in cybersecurity exercises, where he was responsible for identity protection.
- He notes his credentials as a certified Microsoft trainer specializing in security.
Training Agenda Overview
Key Topics to be Covered
- The session will cover foundational concepts of Active Directory within a 30-minute overview.
- A discussion of the baseline settings recommended by Microsoft will follow the introduction.
Practical Applications
- A segment will focus on creating an Active Directory dump for configuration analysis and future planning improvements.
Q&A Session
- A Q&A segment is planned towards the end of the training to address participant questions.
- Break times are scheduled throughout the session to allow participants to refresh.
Authentication vs. Authorization
Understanding Authentication
- Robert begins discussing authentication (the process of confirming identity), using an analogy involving office access control.
Authentication and Authorization Processes
Understanding User Authentication
- The receptionist must verify the user's identity before allowing access, highlighting the importance of authentication in security protocols.
- Two options for authentication are presented: bribery (not feasible) or providing identification documents to gain entry.
Distinction Between Authentication and Authorization
- After successful authentication, users undergo an authorization process to access specific resources, emphasizing the sequential nature of these processes.
- Clarification is made regarding the common confusion between "authentication" and "authorization," with a note on avoiding incorrect terminology.
Historical Context of Domain Management
- A brief history is provided about user accounts prior to domain implementation, illustrating how domains emerged around 2000 with Windows 2000 Server.
- Domains serve as a central management system for identities and resources, contrasting them with workgroups where permissions are stored locally.
Structure of Domains
- The concept of a domain triangle is introduced, representing various objects like computers and users within a centralized database for information exchange.
- Users can log into multiple computers within the same domain using one account, facilitating resource access across networks.
Trust Relationships Among Domains
- Explanation of root domains and child domains illustrates hierarchical relationships in DNS structures; not all domains require subdomains.
- Trust relationships between parent and child domains are essential for maintaining security and functionality across different levels.
Centralized Management Benefits
- Centralized databases in domains allow for streamlined management of policies (GPO), reducing redundancy compared to local policy installations in workgroups.
- Emphasis on the advantages of centralized logging and auditing capabilities that enhance security monitoring across environments.
Conclusion on Domain vs. Workgroup Dynamics
- The key difference between domains and workgroups lies in centralized versus local storage of permissions, impacting overall network management efficiency.
- Centralized control allows for easier application of settings across multiple objects without limitations inherent in workgroup configurations.
What Are Domain Controllers and Their Roles?
Understanding Objects in Active Directory
- The discussion begins with the definition of objects within a network, emphasizing users, computers, groups, contacts, printers, and shared folders.
- It is highlighted that there is no distinct "server object"; instead, all servers are treated as computer objects.
Key Components of Windows Server
- A Windows server must have Active Directory Domain Services (AD DS) installed to function properly; DNS role installation is recommended but optional.
- Some organizations prefer to host DNS on separate devices from different manufacturers for various reasons.
FSMO Roles Explained
- The speaker introduces Flexible Single Master Operations (FSMO) roles: the two roles that are unique per forest are the Schema Master and the Domain Naming Master.
- The Schema Master ensures consistency across the forest by preventing conflicts during updates to directory schema.
Importance of Domain Controllers
- The first domain controller created in a lab environment will automatically install all necessary FSMO roles.
- Subsequent domain controllers added later will not take over these roles unless explicitly transferred.
Unique Domain Roles
- There are three unique domain roles: PDC Emulator (for password synchronization), RID Master (manages pools of RIDs), and Infrastructure Master (resolves names and GUID issues).
- If a domain controller with the Infrastructure Master role fails, group names may appear incorrectly formatted.
Global Catalog Functionality
- The Global Catalog should be present on every domain controller except for the Infrastructure Master to facilitate efficient object searches within Active Directory.
Hierarchical Structure of FSMO Roles
- A diagram illustrates how FSMO roles are assigned at different levels within a forest; the Schema Master and Domain Naming Master are forest-wide roles held by a domain controller in the forest root domain.
Child Domains Considerations
- In child domains, only three FSMO roles exist: PDC Emulator, RID Master, and Infrastructure Master. This distinction is crucial for understanding their functionality in hierarchical structures.
Questions and Domain Controller Capabilities
Addressing User Queries
- The speaker invites questions from the audience, indicating a willingness to engage after the demo.
- Acknowledges that a link will be available post-transmission and mentions that the session is being recorded for later access on YouTube.
Domain Controller Limitations
- Clarifies that one domain controller can only serve one domain unless configured with trusts to other domains.
- Discusses virtualization as a solution, where multiple virtual machines can host different domains on a single physical server.
Active Directory Groups Overview
Types of Groups in Active Directory
- Introduces two main types of groups: distribution groups for communication and security groups for user permissions.
Security Group Types
- Explains Global groups, which contain users from a single domain (marked in purple for clarity).
- Describes Domain Local groups (marked in orange), which can contain users or other groups and are used to assign permissions on resources.
Universal Groups Functionality
- Defines Universal groups used to grant access to resources across different domains, allowing flexibility in resource management.
Special Identity Groups
- Mentions Special identity groups like "Authenticated Users," which do not have fixed membership but allow authenticated users access to network resources.
Service Accounts and Backup Strategies
Understanding Service Accounts
- Highlights common misconceptions about service accounts being just regular user accounts with long passwords; emphasizes their importance in system operations.
Managed Service Accounts (MSA)
- Introduces Managed Service Accounts as specialized accounts designed for running services without needing manual password management.
Backup Considerations
- Stresses that snapshots are not backups; proper backup strategies must be implemented using Windows Server backup tools or third-party solutions.
Understanding Managed Service Accounts and Domain Controller Replication
Managed Service Accounts (MSA) and Group Managed Service Accounts (gMSA)
- MSA allows administrators to manage services or scheduled tasks in the context of a service account without needing to know the password.
- gMSA was introduced for scenarios involving multiple servers, such as SQL Server or SharePoint farms, allowing for better management across clusters.
- Configuration of gMSA includes specifying which servers can use the account, with no need to provide passwords as they are managed in the background.
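An added example (not the trainer's script) of the gMSA setup described above: one group of hosts allowed to retrieve the password, one account, and a scheduled task that runs as that account. The server names APP01/APP02, the account name svc-report, the domain lab.local and the OU path are assumptions for a lab.

```powershell
# Added example (not from the training): provision a gMSA for a scheduled task
# on two application servers. Hosts, account name, domain and OU are assumptions.
Import-Module ActiveDirectory

# 1. The KDS root key exists once per forest. Normally it becomes usable only
#    10 hours after creation (replication safety); backdating EffectiveTime is
#    a lab-only shortcut, never do it in production.
if (-not (Get-KdsRootKey)) {
    Add-KdsRootKey -EffectiveTime ((Get-Date).AddHours(-10))
}

# 2. A group of the hosts allowed to retrieve the password. Managing a group
#    instead of listing hosts on the account keeps later changes auditable.
$hostGroup = 'gMSA-svc-report-Hosts'
if (-not (Get-ADGroup -Filter "Name -eq '$hostGroup'")) {
    New-ADGroup -Name $hostGroup -GroupScope Global -GroupCategory Security `
        -Path 'OU=ServiceAccounts,DC=lab,DC=local'
}
Add-ADGroupMember -Identity $hostGroup -Members (Get-ADComputer APP01), (Get-ADComputer APP02)
# The hosts need a fresh Kerberos ticket (reboot, or 'klist purge' as SYSTEM)
# before the new group membership is in their token.

# 3. The account itself. Nobody ever types a password: the DC rotates it every
#    30 days, and the interval can only be set at creation time.
New-ADServiceAccount -Name 'svc-report' `
    -DNSHostName 'svc-report.lab.local' `
    -PrincipalsAllowedToRetrieveManagedPassword $hostGroup `
    -KerberosEncryptionType AES256 `
    -ManagedPasswordIntervalInDays 30 `
    -Path 'OU=ServiceAccounts,DC=lab,DC=local' `
    -Enabled $true

# Verify who may fetch the password (should be only the host group).
Get-ADServiceAccount -Identity 'svc-report' -Properties PrincipalsAllowedToRetrieveManagedPassword |
    Select-Object Name, PrincipalsAllowedToRetrieveManagedPassword

# 4. On each host (APP01/APP02), as a local administrator, after the reboot:
#    Install-ADServiceAccount -Identity 'svc-report'
#    Test-ADServiceAccount  -Identity 'svc-report'   # must return True

# 5. Run the task as the gMSA. LogonType Password with no password supplied is
#    how Task Scheduler is told to fetch the managed password itself.
$action    = New-ScheduledTaskAction -Execute 'powershell.exe' `
                 -Argument '-NoProfile -File C:\Jobs\Export-Report.ps1'
$trigger   = New-ScheduledTaskTrigger -Daily -At 02:00
$principal = New-ScheduledTaskPrincipal -UserId 'LAB\svc-report$' -LogonType Password
Register-ScheduledTask -TaskName 'Nightly report' -Action $action `
    -Trigger $trigger -Principal $principal
```

Steps 1 to 3 run on a domain controller or an admin workstation with RSAT; step 4 and the task registration run on the member servers.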
Importance of Data Replication Between Domain Controllers
- Data replication is crucial when there are two domain controllers within a single domain; it ensures continuous information exchange every 15 seconds.
- Proper network connectivity between domain controllers is essential for effective data replication, enabling real-time updates about user accounts and other changes.
High Availability in Domain Controllers
- High availability requires at least two domain controllers to ensure authentication services remain operational even if one fails due to maintenance or issues like rebooting.
- Having additional remote locations with their own domain controllers enhances service reliability and ensures local authentication for users in those branches.
Challenges with Domain Controller Replication
- It’s important that all domain controllers replicate correctly; failure in replication can lead to inconsistencies where different controllers have outdated information about user accounts.
- If the domain controller holding the PDC Emulator role becomes unavailable, login processes can be hindered. The first troubleshooting step should be checking that controller's status.
Recovery from Connectivity Issues
- In case of lost connectivity between sites, local authentication remains possible through available domain controllers while updates will queue until connection is restored.
- Once connectivity resumes, any new accounts created during downtime will be replicated back to the main site ensuring all systems are updated accordingly.
Understanding Network Connections and Data Consistency
Importance of Data Consistency
- When network connections are restored, all information is refreshed, ensuring data consistency across the environment. This includes additional accounts to maintain high availability.
User Authentication Process
- Users from specific locations (e.g., Lublin) should log into the nearest domain controller based on network proximity or site location, enhancing user experience and reducing latency.
Handling Duplicate Accounts
- If accounts share the same display name, they still have unique user principal names. It's crucial to keep these distinctions clear to avoid confusion in account management.
Virtualization vs Physical Machines
- Virtualization minimizes costs by eliminating the need for physical hardware maintenance and allows for rapid deployment of resources (e.g., 10 GB RAM in minutes).
Environment Separation in Virtualization
- It’s essential to separate environments within virtualization setups to prevent security risks associated with having everything on a single layer.
Challenges with Virtualization Management
Risks of Single Layer Virtualization
- Using a single virtualization layer can lead to significant issues if that layer fails; proper separation is necessary for disaster recovery scenarios.
Historical Context of Failures
- Past experiences highlight that failures in virtualization management can complicate access to critical services like domain controllers during outages.
Costs and Considerations of Physical Machines
Financial Implications
- Physical machines incur higher costs due to service requirements and spare parts needed for maintaining uptime.
Disaster Recovery Scenarios
- Effective disaster recovery planning is vital when using physical machines, as it directly impacts service availability during emergencies.
Tiered Infrastructure Management
Understanding Tiers in Infrastructure
- The infrastructure consists of different tiers: Tier 0 (critical systems), Tier 1 (application servers), and Tier 2 (end-user devices). Each tier has distinct roles and security needs.
Security Measures for Critical Systems
- Critical systems should be isolated on separate hypervisors from other tiers to minimize risk exposure during potential failures or attacks.
Application Server Management
Role of Application Servers
- Application servers handle multiple users simultaneously, requiring robust configurations tailored for performance and reliability.
End-user Device Considerations
- End-user devices such as tablets and printers must be managed carefully within their respective tiers while ensuring they do not compromise overall system integrity.
Understanding Tiered Access Control in IT Infrastructure
Overview of Account Management
- Robert Przybylski discusses the necessity of having multiple accounts for different administrative tasks, emphasizing that while it's beneficial to have various accounts, it’s best to limit their number.
- He notes that the agents running on all application servers, such as antivirus and management systems like WSUS and SCCM, belong to tier zero (T0).
Physical Infrastructure Security
- The importance of securing physical infrastructure such as switches and UPS is highlighted, noting that modern UPS devices also have network management capabilities.
- Access to T0 equipment is restricted; anyone with access is considered a T0 user. Recommendations include locking server rooms and separating sensitive equipment.
Group Management Best Practices
- Discussion on essential groups within the IT structure, including administrators for PKI, ADFS, and AD Connect. Best practices are shared based on experiences from colleagues.
- Emphasis on creating separate instances for each application or service requiring T0 access to ensure security.
Role-Based Access Control
- Each account type has specific permissions; not all accounts need equal access. For example, an account may have SQL access but not file server access.
- Special groups should be created for applications like SharePoint to manage permissions effectively.
Secure Workstation Practices
- Users accessing virtual machines are treated as T1 users. The use of Privileged Access Workstations (PAWs) or Secure Access Workstations is recommended for enhanced security.
- These technologies are increasingly adopted by companies in Poland and abroad due to their effectiveness in ensuring security.
Tier Two User Management
- T2 users can reset passwords but do not require extensive privileges; they can log into various devices without significant risk.
- Clear distinctions between tiers are made: no direct access from higher tiers (e.g., T2 cannot access T0).
Exchange Server Considerations
- Specific scenarios allow limited cross-tier interactions, such as promoting Exchange servers where certain permissions must be granted temporarily.
- Caution is advised regarding the handling of sensitive accounts like those used for Defender for Identity.
Safe Remote Management Practices
- Emphasizes using secure methods when connecting remotely to servers rather than direct console logins.
- Discusses the importance of managing connections securely through privileged workstations instead of traditional methods.
Computer Objects and Domain Controllers
Overview of Computer Objects and Servers
- The discussion begins with the inclusion of computer objects and users, emphasizing that servers are also added to provide a shared namespace and central administration.
- Key functionalities mentioned include data replication, authentication, login processes, permission assignment, and update management.
Configuration and Security Policies
- The speaker suggests using PSUs or TECMA for configuring computers via GPO (Group Policy Object) while implementing security policies.
- A brief pause is announced before transitioning to a demo session.
Demo Session Introduction
- After the break, the speaker resumes by stating that domain controllers are best utilized as servers.
- The environment for the demo is described as simple: one client, one server, and one domain controller.
Active Directory Insights
- An explanation follows about service accounts being separate containers within the directory solution.
- It's noted that "Domain Controllers" is an organizational unit (OU), which by default is not protected against accidental deletion after installation.
Group Policy Application
- The difference between regular folders and containers is highlighted; GPO can be applied at the container level across the entire domain.
- A test user named "testowy" is introduced in a Windows 11 environment for demonstration purposes.
User Permissions in Domain Environments
Adding Users to Domains
- The process of adding a user to the domain with a secure password is demonstrated.
- It's explained that the out-of-the-box configuration allows each user to join up to ten computers to the domain without any delegated rights.
Potential Security Risks
- Concerns arise regarding users being able to add their own devices to the domain, potentially leading to unauthorized information gathering.
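The check a defender would run after hearing this, as an added example (not code from the training): read the domain-wide quota, list the computer objects that were joined by ordinary users, and show the remediation as a dry run. Paths and file names are assumptions.

```powershell
# Added example (not from the training): who can join computers to the domain,
# and which existing computer objects were created by ordinary users.
Import-Module ActiveDirectory

$domain = Get-ADDomain
$quota  = (Get-ADObject -Identity $domain.DistinguishedName `
              -Properties 'ms-DS-MachineAccountQuota').'ms-DS-MachineAccountQuota'
Write-Host "ms-DS-MachineAccountQuota = $quota  (default 10; recommended 0)"

# A computer joined by a user who has no explicit 'Create Computer objects'
# right keeps that user's SID in mS-DS-CreatorSID. The joining user also
# retains write access to the object, which is the risk the trainer raises.
$joinedByUsers = Get-ADComputer -LDAPFilter '(mS-DS-CreatorSID=*)' `
    -Properties mS-DS-CreatorSID, whenCreated |
    ForEach-Object {
        $raw = $_.'mS-DS-CreatorSID'
        # The module may return the SID as bytes or as a SecurityIdentifier.
        $sid = if ($raw -is [System.Security.Principal.SecurityIdentifier]) { $raw }
               else { New-Object System.Security.Principal.SecurityIdentifier($raw, 0) }
        $who = try   { $sid.Translate([System.Security.Principal.NTAccount]).Value }
               catch { "$sid (deleted or foreign principal)" }
        [pscustomobject]@{
            Computer    = $_.Name
            JoinedBy    = $who
            WhenCreated = $_.whenCreated
            DN          = $_.DistinguishedName
        }
    }

$joinedByUsers | Sort-Object WhenCreated | Format-Table -AutoSize
$joinedByUsers | Export-Csv -Path .\computers-joined-by-users.csv -NoTypeInformation

# Remediation: set the quota to 0 and delegate domain join to a dedicated group
# or provisioning account instead. The "Add workstations to domain" user right
# in the Default Domain Controllers Policy grants the same ability to
# Authenticated Users by default; review it together with the quota.
if ($quota -ne 0) {
    Set-ADDomain -Identity $domain -Replace @{ 'ms-DS-MachineAccountQuota' = 0 } -WhatIf
}
```

Remove -WhatIf once the change has been agreed; computers that admins joined with delegated rights have no mS-DS-CreatorSID and do not appear in the list.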
Organizational Units Management
- Common practices involve creating OUs for better organization; however, new computers added will still appear under 'computers' unless redirected properly.
Challenges in Active Directory Configurations
Default Settings Issues
- Many organizations fail to use features like default container redirection (redircmp/redirusr), so new objects keep appearing in the default containers within the directory.
Importance of Proper Configuration
- Post-installation configurations often lack robustness; administrators must ensure proper delegation of permissions and avoid common pitfalls related to group policy updates.
System Updates and Security Practices
Importance of System Updates
- Users are not forced to update their systems, but it is highly recommended to avoid issues with outdated controllers, as Microsoft updates can sometimes lead to problems.
Password Management in Active Directory
- Password changes for computers and Group Managed Service Accounts (gMSA) can be set to occur more frequently than the default 90 days within Active Directory configurations.
Risks of Inactive Accounts
- Inactive accounts pose a security risk as they can be reactivated, granting previous access rights. It's crucial to manage these accounts actively.
Admin Account Monitoring
- The attribute "adminCount = 1" indicates that a user has had administrative privileges at some point. This could serve as a potential attack vector if not monitored properly.
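An added example (not the trainer's script) that turns the two points above into a report: enabled accounts unused for 90 days, and accounts still carrying adminCount=1 although they are no longer in any protected group. The 90-day window and the output file names are assumptions.

```powershell
# Added example (not from the training): stale accounts and orphaned adminCount=1.
Import-Module ActiveDirectory
$inactiveFor = New-TimeSpan -Days 90   # assumption; use the organisation's policy value

# 1. Enabled accounts nobody has used for 90 days. lastLogonTimestamp is
#    replicated (unlike lastLogon), so one DC is enough, but it is only
#    accurate to about 14 days.
$stale = Search-ADAccount -AccountInactive -TimeSpan $inactiveFor -UsersOnly |
    Where-Object { $_.Enabled } |
    ForEach-Object {
        Get-ADUser -Identity $_.DistinguishedName -Properties lastLogonTimestamp, whenCreated, adminCount
    } |
    Select-Object SamAccountName,
        @{ n = 'LastLogon'; e = {
            if ($_.lastLogonTimestamp) { [DateTime]::FromFileTime($_.lastLogonTimestamp) } else { 'never' } } },
        whenCreated, adminCount, DistinguishedName

# 2. adminCount=1 is set on any account that was ever in an AdminSDHolder-
#    protected group. Removing it from the group clears neither the flag nor
#    the restrictive ACL (inheritance disabled), so the account keeps looking,
#    and partly behaving, like a privileged one.
$protectedGroups = 'Domain Admins', 'Enterprise Admins', 'Schema Admins', 'Administrators',
                   'Account Operators', 'Backup Operators', 'Server Operators', 'Print Operators'
$protectedMembers = foreach ($g in $protectedGroups) {
    # Enterprise/Schema Admins exist only in the forest root; skip what is missing.
    try   { Get-ADGroupMember -Identity $g -Recursive | Select-Object -ExpandProperty distinguishedName }
    catch { Write-Warning "cannot expand $g : $_" }
}
$protectedMembers = $protectedMembers | Sort-Object -Unique

$flagged  = Get-ADUser -LDAPFilter '(adminCount=1)' -Properties adminCount, lastLogonTimestamp
$orphaned = $flagged | Where-Object { $protectedMembers -notcontains $_.DistinguishedName }

# 3. Report. Stale accounts that also carry adminCount=1 come first.
"$($stale.Count) stale enabled accounts, $($orphaned.Count) orphaned adminCount=1 accounts"
$stale | Where-Object { $_.adminCount -eq 1 } | Format-Table SamAccountName, LastLogon -AutoSize
$stale    | Export-Csv -Path .\stale-accounts.csv -NoTypeInformation
$orphaned | Select-Object SamAccountName, DistinguishedName |
    Export-Csv -Path .\orphaned-admincount.csv -NoTypeInformation

# Disabling is shown as a dry run; per the trainer, deletion after the agreed
# retention period is the end state, not disabling alone.
$stale | ForEach-Object { Disable-ADAccount -Identity $_.DistinguishedName -WhatIf }
```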
Engagement and Rewards
- A challenge was posed for participants to identify what "Ad r" means, with rewards offered for correct answers. Participants were encouraged to engage directly via LinkedIn for verification purposes.
Microsoft Security Compliance Toolkit
Application of Security Policies
- Microsoft provides recommended Group Policy settings for Office 365 security that can be applied through Local Group Policy or standard Group Policies.
Deactivation vs. Deletion of Old Accounts
- Old accounts should be deleted rather than just deactivated due to ongoing risks associated with inactive accounts retaining access capabilities.
SCT Documentation Overview
- The Security Compliance Toolkit (SCT) includes documentation, reports, GPO files (backups), and scripts necessary for maintaining system security compliance.
Configuration Comparison Tools
Utilizing SCT Applications
- An application from the SCT package allows users to compare configurations and detect inconsistencies in settings across systems.
Excel Reporting in Administration
- Exporting data into Excel is a common practice among administrators for managing network configurations effectively.
Integration of LAPS with Server 2022
LAPS Functionality
- Local Administrator Password Solution (LAPS), integrated into Windows Server 2022, enhances password management by automating local admin password changes on domain computers.
Documentation Access
- Detailed Excel files provided by Microsoft allow administrators to monitor system settings and compliance effectively; however, installation may vary based on individual needs.
Customization Needs in Directory Services
Tailoring Security Settings
- Organizations have different security requirements; thus, directory services must be customizable according to specific business needs rather than using one-size-fits-all templates.
Configuration and Management of Domain Controllers
Recommended Settings for Domain Controllers
- Discussion on recommended configurations for domain controllers, including firewall settings and target configurations for both domain and non-domain devices.
- Introduction to GP reports that can be generated from existing Group Policy Objects (GPOs), focusing on security policies within the domain.
Analyzing GPO Settings
- Examination of a specific example related to password attributes in the domain policy, highlighting the importance of understanding GPO exports.
- Presentation of basic security settings such as password length, account lockout thresholds, and reset intervals, emphasizing their significance in maintaining security.
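An added example (not from the training) of the comparison described above: the effective domain password policy and every fine-grained policy are checked against baseline values. The numbers in $baseline are my reading of the Microsoft Security Baseline that ships with the SCT; confirm them against the toolkit's spreadsheet for your Windows version before acting on the findings.

```powershell
# Added example (not from the training): domain and fine-grained password
# policies versus a baseline. Baseline values are assumptions to be verified.
Import-Module ActiveDirectory

$baseline = @{
    MinPasswordLength           = 14
    PasswordHistoryCount        = 24
    ComplexityEnabled           = $true
    ReversibleEncryptionEnabled = $false
    LockoutThreshold            = 10                      # 0 would mean "never lock out"
    LockoutDuration             = (New-TimeSpan -Minutes 15)
    LockoutObservationWindow    = (New-TimeSpan -Minutes 15)
}
# For these settings a value above the baseline is stricter, not a finding.
$higherIsStricter = 'MinPasswordLength', 'PasswordHistoryCount',
                    'LockoutDuration', 'LockoutObservationWindow'

function Compare-PasswordPolicy {
    param($Policy, [string]$Label)
    foreach ($k in ($baseline.Keys | Sort-Object)) {
        $actual = $Policy.$k
        $want   = $baseline[$k]
        $ok = if ($k -eq 'LockoutThreshold') { $actual -ne 0 -and $actual -le $want }
              elseif ($k -in $higherIsStricter) { $actual -ge $want }
              else { $actual -eq $want }
        [pscustomobject]@{ Policy = $Label; Setting = $k; Actual = $actual; Baseline = $want; Meets = $ok }
    }
}

# The domain default comes from the Default Domain Policy GPO. Fine-grained
# policies (PSOs) override it for the principals in AppliesTo, so a weak PSO
# can silently undo a strong domain policy; check both.
$results = @(Compare-PasswordPolicy (Get-ADDefaultDomainPasswordPolicy) 'Default Domain Policy')
foreach ($pso in Get-ADFineGrainedPasswordPolicy -Filter *) {
    $label = "PSO '$($pso.Name)' (precedence $($pso.Precedence)) -> $($pso.AppliesTo -join ', ')"
    $results += Compare-PasswordPolicy $pso $label
}

$results | Format-Table Policy, Setting, Actual, Baseline, Meets -AutoSize
$findings = @($results | Where-Object { -not $_.Meets })
"$($findings.Count) setting(s) below baseline"
$results | Export-Csv -Path .\password-policy-vs-baseline.csv -NoTypeInformation
```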
Comparing GPO Configurations
- Steps outlined for comparing different GPO settings using tools like Policy Analyzer to identify discrepancies between current and desired configurations.
- Mention of backup strategies for GPOs to facilitate easy restoration or modification when necessary.
Importing and Exporting Policies
- Instructions on importing GPO settings into a designated folder for easier management during comparisons with existing policies.
- Identification of conflicts between default domain policy settings and custom configurations regarding password management practices.
Security Best Practices
- Discussion on the implications of weak password policies versus stronger ones, advocating for adherence to Microsoft's recommendations on password complexity.
- Overview of advanced authentication methods such as passwordless login using FIDO keys, showcasing modern approaches to enhance security.
Managing Risks in Domain Environments
- Emphasis on the importance of not installing unnecessary applications directly on domain controllers to minimize risk exposure.
- Personal anecdote shared about past experiences with software installation mistakes on a domain controller, reinforcing best practices in IT environments.
Emergency Access Protocol
- Introduction to "break glass" accounts as a last line of defense in case of emergencies; these accounts should have strict access controls and secure handling procedures.
- Recommendations against unnecessary installations on critical systems like domain controllers while suggesting alternative workstations for administrative tasks.
Understanding Domain Administration and Security Practices
Importance of Dedicated Accounts
- The training emphasizes the necessity of having dedicated accounts with full administrative privileges (Domain Admin, Enterprise Admin, Administrators) for secure operations.
- It is recommended to maintain two such accounts to ensure redundancy in case one fails or is compromised during a security incident.
Best Practices for Account Management
- Good practices include using a dedicated physical domain controller for logging in with these accounts to prevent unauthorized access during the login process.
- Regular testing every six months is advised, along with requiring two-person authentication for sensitive actions to enhance security.
Handling Security Incidents
- In the event of a hacking attack, it’s crucial that recovery processes are in place; past experiences highlight the importance of having backup accounts available.
- The discussion includes splitting passwords between two individuals to ensure that no single person can authenticate without collaboration.
Demonstration of Account Creation
- A demonstration follows on creating new user accounts through scripting, which allows for consistent and error-free account management.
- The speaker shares insights on restoring environments post-cyberattacks, emphasizing the luck involved in successful recoveries.
Tools and Resources for Active Directory Management
- Mentioned tools include GitHub scripts that assist in managing Active Directory effectively; however, some scripts are not publicly shared.
- The creation of test users with specific permissions is demonstrated as part of setting up an effective administrative environment.
Final Thoughts on Security Measures
- New admin accounts should be created while removing existing members from critical groups like Enterprise Admin and Domain Admin to mitigate risks during crises.
- Various software options are discussed for enhancing Active Directory functionalities, including libraries and modules available online.
Active Directory Audit Practices
Importance of Active Directory Audits
- The presentation discusses the necessity of auditing Active Directory (AD) to assess its health and configuration over time, allowing for problem resolution and progress tracking.
Free Tools for Active Directory Auditing
- Introduction of free tools available for AD auditing, including a personal set of scripts shared on GitHub, PowerShell modules, and other resources.
Paid Tools for Enhanced Auditing
- Mention of paid tools like PingCastle and Microsoft's Active Directory report that provide in-depth insights into AD configurations. A demonstration of the free version of PingCastle is planned.
Practical Demonstration Setup
- Transitioning from theory to practice with a live demo where audit results are generated using specific commands in PowerShell, outputting data into CSV files for further analysis.
Analysis Using Visualization Tools
- Discussion on utilizing Power BI to visualize imported audit data effectively. Emphasis on personal preference for Windows Terminal due to familiarity rather than functionality.
Executing an Audit
Running the Audit Command
- Execution of an audit command through a batch file; results will reveal domain admin privileges and any irregularities in user permissions within the environment.
Findings from the Audit Results
- The audit reveals critical information about domain admins' permissions and highlights potential security risks associated with generic accounts having full control over multiple objects.
Understanding Security Layers
Membership Insights
- Explanation of how to interpret membership layers within groups, focusing on direct security settings applied to objects. This is crucial for identifying unauthorized access or excessive privileges.
Additional Resources Shared
- Availability of additional scripts and tools shared via chat; some resources are not publicly available but are used internally for setting up test environments.
Reporting and Recommendations
Generating Reports
- Instructions on generating HTML reports post-audit which detail findings related to domain controller relationships and metadata management practices.
Evaluating AD Health
- Discussion around extracting data from AD databases; emphasizes the importance of understanding current configurations versus best practices in user management and system hardening strategies.
Identifying Configuration Issues
Common Misconfigurations
- Highlights common issues such as users being able to add too many computers or lack of essential features like recycle bin functionality within AD environments.
Analysis of Active Directory Security Tools
Introduction to Environment Analysis
- The speaker emphasizes the importance of analyzing cloud environments when starting at a new company, using tools like Tule and Prema to identify issues and prioritize areas for improvement.
Insights on Domain Controllers
- Discussion includes insights about domain controllers, group memberships, and security configurations. The speaker recommends using PingCastle for effective analysis.
Offline Functionality of Tools
- It is noted that certain tools can operate offline, which distinguishes them from others in the market.
Accessing Blocked Environments
- If an environment is blocked, there are options available through CSP providers who can access it via service accounts.
Licensing Considerations
- The speaker mentions running a free version of a tool while emphasizing the need for proper licensing when conducting commercial audits.
Audit Scripts and Data Collection
- The discussion covers the use of scripts to gather data on domain controllers and privileged groups, highlighting practical experiences from multiple projects related to assessments and audits in Active Directory.
Reporting Best Practices
- Emphasizes the importance of creating reports before and after implementing changes in order to track progress effectively.
Key Elements in Security Implementation
- A summary is provided regarding critical elements such as domains and domain controllers being essential for authentication and authorization processes within an organization’s security framework.
Recommendations for Security Practices
- The speaker advises that configuration snapshots are crucial for monitoring changes over time, suggesting regular updates every six months with tools like PingCastle.
Educational Resources Available
- Information about discounts on educational materials related to IT security is shared, including a 15% discount code for a book series focused on security fundamentals.
Upcoming Training Opportunities
- Announcement regarding upcoming training sessions at Sekurak Academy with live courses planned for 2024.
Advanced Workshops Planned
- Future workshops will focus on building secure environments through hands-on activities aimed at enhancing participants' skills in cybersecurity practices.
Personal Blog Invitation
- An invitation is extended to visit the speaker's blog for further insights into cybersecurity topics.
Tool Comparisons & Licensing Clarifications
- A comparison between Purple Knight and other tools indicates they provide similar functionality but differ in presentation. Clarification follows on licensing compliance during testing versus commercial auditing scenarios.
Commercial Training and Certification
Overview of the Training Program
- The commercial training is available through Sekurak Academy, with participants guaranteed to receive certificates upon completion.
- Attendees will also receive a PDF version of the presenter's slides for reference.
Technical Considerations in Remote Work
- Discussion on potential issues when users work remotely, particularly regarding browser settings and cloud identity management.
- Emphasis on creating a "Break Glass" account that should remain inactive to enhance security.
Infrastructure Recommendations
- Advocates for separate infrastructures for different tiers (Tier 0 vs. Tier 1), suggesting distinct antivirus solutions for each tier.
- Importance of migrating user accounts from default containers to improve Group Policy Object (GPO) application.
Delegation and User Management
Delegating Permissions
- Encouragement to read about delegation of permissions, with references to articles available on the presenter's blog.
Migration Strategies
- Discusses the necessity of migrating users from outdated systems (e.g., Windows Server 2008), as support will soon be discontinued.
Closing Remarks and Future Sessions
Engagement and Feedback
- Acknowledgment of audience participation during the session, highlighting the importance of feedback for future improvements.
Upcoming Topics
- Assurance that future sessions will delve deeper into topics without skimming over details, aiming for comprehensive coverage.
Appreciation and Farewell
- Thanking attendees for their time and engagement, expressing hope for better-prepared future sessions.