Top 10 Security Hardening Settings for Windows Servers and Active

SESSION ID:

Derek Melber

Top 10 Security Hardening Settings for Windows Servers and Active Directory

CRWD-R04

Technical Evangelist – ADSolutionsManageEngine@derekmelber

Agenda

Traditional security hardening

Top 10 security settings

Next-gen security hardening

Security hardening resources

Traditional security hardening

Goal is to get all servers to a secure state.

Typically use Microsoft or other industry “best practice.”

Often Group Policy is used to configure security.

Once configurations are complete, task is considered complete, too.

Top 10 security settings

1. User accounts with non-expiring passwords

IssuesInfinite time to be hacked.

All internal users can determine these accounts.

Resetting passwords at scheduled intervals improves security.Forces attackers to have time limit to break into account.Compromised accounts need to be re-compromised.

1. User accounts with non-expiring passwords

SolutionsAll user accounts need to have expiring passwords:

ITDevelopersHelp deskExecutives

Service accounts...more later.

2. User accounts that never logged in

IssuesAccounts have “new user password.”

All employees know “new user password.”

Any employee could log on to these accounts.

Access and privileges are already granted at time of creation.

2. User accounts that never logged in

SolutionsDelete user accounts that will never be used.

Report on all user accounts that are not logged into regularly.

Do not use same “new user password” for all new user accounts.

Implement a random password generator for new user accounts.

3. Default privileged groups need evaluation

IssuesDomain level groups:

Domain AdminsAdministratorsDNSAdminsEtc.

Forest level groups:Enterprise AdminsSchema Admins

3. Default privileged groups need evaluation

SolutionsVerify group membership regularly.

Use tool that can get group members recursively.

Use least privilege concepts.

#RSAC4. Application and custom privileged groups need evaluation

IssuesMicrosoft applications:

SQL ExchangeSharepointEtc.

Third party applications

#RSAC4. Application and custom privileged groups need evaluation

SolutionsDocument all privileged groups.

Verify group membership regularly.

Use tool that can get group members recursively.

5. Server-based user rights

Issues Provide privileges over computer where user rights are assigned.

User rights supercede resource access.

User rights can allow inappropriate access.

User rights can allow denial of service attacks.

5. Server-based user rights

SolutionsVerify user rights using appropriate tool – secpol.msc.

Use Group Policy to standardize and deploy user rights settings.

6. Active Directory delegations

IssuesDelegations provide privileged access to AD objects:

Resetting user passwordsCreating groupsModifying group membership

Delegations are difficult to report.

Delegations can be difficult to remove.

6. Active Directory delegations

SolutionsVerify delegations on all OUs and domain – dsacls.

Use third party tool for delegations:Proxy userEasier and increased delegationsTrack all activity and actions

7. Group Policy delegations

IssuesGroup Policy is integral to Active Directory.

Group Policy can decrease security providing access.

Group Policy can cause significant issues and consequences.

Delegations provide access over GPOs:Creating for domainLinking to domain, OU, siteModifying GPO settings

7. Group Policy delegations

SolutionsUse least privilege concepts.

User GPMC, GPMC scripts, or PowerShell to obtain delegations.

8. Service accounts

IssuesService accounts are granted privileges at install or configuration.

Service accounts often have non-expiring passwords.

Service accounts often have original passwords.

Service accounts are rarely monitored for access.

8. Service accounts

SolutionsAssociate all service accounts to servers where configured.

User long and strong passwords.

Configure accounts to only be able to log on to specified computers.

Configure accounts to not be able to change own password.

9. Password policy

IssuesControls domain and local user password parameters.

Most password policy settings are weak.

Password policy changes are difficult to “see.”

Password policy is misunderstood in GPOs.

Fine-grained password policies are rarely used.

9. Password policy

SolutionsUse correct tool(s) to report on current password policy –secpol.msc.

Ensure password policies in GPOs linked to OUs are not considered for domain users.

User fine-grained password policies or third party tool to have multiple password policies in same domain.

Use security concepts to set password parameters, not compliance.

#RSAC10. Real-time monitoring of Active Directory changes

IssuesSecurity settings change over time.

Security settings are hard to “see” and report.

Privileged accounts can alter security settings.

Security settings change to solve problems.

Without change monitoring of security settings, actual settings are unknown until manually checked.

#RSAC10. Real-time monitoring of Active Directory changes

SolutionsEstablish a real-time change monitoring tool to track all Active Directory changes.

Generate reports to see “drift” of security settings.

Review reports often to ensure security is still in tact.

Next-gen security hardening

Do not stop at traditional security hardening.

“Security drift” can occur even within seconds of traditional security hardening.

Establishing security is only good for that point in time.

Monitoring changes ensures security is maintained.

Alerting on security changes provides immediate notice of security changes.

Security hardening resources

After Conference Resources

derek@manageengine.com

ManageEngine Security Hardening web site

Active Directory blog on www.manageengine.com

Microsoft Security Compliance Manager

Apply security hardening concepts

Immediately:Ensure security for Active Directory is correct.Determine which security settings should be improved.Configure Active Directory, domain controllers, and Windows servers securely.

After Active Directory is securely hardened:Implement monitoring to track when any security change occurs.Establish alerts so notifications are sent immediately when key settings change.

SESSION ID:

Derek Melber

Top 10 Security Hardening Settings for Windows Servers and Active Directory

THANK YOU!

CRWD-R04

Technical Evangelist – ADSolutionsManageEnginederek@manageengine.com

Top 10 Security Hardening Settings for Windows Servers and Active

Documents

Configuring VLAN Settings in Lifecycle Controller for Dell ...€¦ · 4 Configuring VLAN Settings in Lifecycle Controller for Dell PowerEdge Servers Introduction This document provides

ICONICS 10 · Services > FrameWorX > Network Settings > FrameWorX Network or OPC UA Network. For OPC Classic servers, add them under Platform Services > FrameWorX > Server Settings

imageRUNNER ADVANCE Security Hardening Guide€¦ · security professionals, and service personnel. Scope and coverage This guide explains and advises about the configuration settings

Surface Hardening

Hardening your Windows Server Environment · Hardening your Windows Server Environment. Caveats ... •Can also use Azure Monitoring to collect event data from on-prem/IaaS servers

11 HARDENING SERVERS Chapter 7. Chapter 7: Hardening Servers2 DEFAULT SECURITY TEMPLATES Set up Security.inf and DC Security.inf Compatws.inf Securews.inf

· PDF fileTufftride ABP, Shaft Hardening, Coil/Ring Hardening, Bevel Gear Hardening, Spur Gear Hardening, Tooth by Tooth Harden Principal Areas of Quality Foundry Consultancy

SQL Server Hardening - Cisco · SQL Server Hardening • SQLServerHardeningConsiderations,page1 • SQLServer2014SecurityConsiderations,page3 SQL Server Hardening Considerations

Optimal BIOS Settings for High Performance Computing with PowerEdge 11G Servers · 2020-06-12 · PowerEdge servers. Although 5500 series processors are similar to the 5400 series

Hardening. Consulting. Contracting....Surface hardening Flame Induction Laser Furnace processes Case hardening Nitriding HARD-INOX® Boronising Vacuum hardening Hardening and tempering

Canon imageRUNNER ADVANCE Hardening Guide Guide... · Canon imageRUNNER ADVANCE Hardening Guide ... MFDs are computer servers in their own ... requirements that may impose other security

Hardening Tomcat

Review Duplex Hardening of Steels for Aeroengine Bearings€¦ · Duplex Hardening of Steels for Aeroengine Bearings ... duplex hardening; nitriding; case hardening; ... been given

Hardening X-Fed Agency Data Center AIX Servers - GIAC

IPv6 Hardening Guide for Linux Servers - ERNW - … to Securely Configure Linux Servers to Prevent IPv6-related Attacks IPv6 Hardening Guide for Linux Servers Version: 1.0 Date: 12/17/2014

Linux Hardening Recommendations For Cisco · PDF fileLinux Hardening Recommendations For Cisco ... to provide an exhaustive list of hardening ... Linux Hardening Recommendations For

Hardening RHEL5 - Hardening Red Hat Enterprise Linux 5

Host Hardening Chapter 7. The Problem – Some attacks inevitably reach host computers – So servers and other hosts must be hardened— a complex process

Linux Hardening

Hardening Linux Servers