Ing. Ondřej Ševeček MCSM:Directory | MVP:Enterprise Security | Certified Ethical Hacker | MCSE:SharePoint [email protected] | www.sevecek.com Passwords everywhere aka why use smart cards instead
Page 1

Passwords everywhere aka why use smart cards instead

Page 2

Agenda

Why are workstations doomed
Why not type strong accounts' passwords on insecure computers
Why use separate administrative accounts and thus limit attack surface
Why use smart cards instead of passwords wherever possible

Page 3

Separate administrators (basic physical security principle)

[Diagram: ForestA with DomainB (DC) and DomainA (DC1, DC2); endpoint groups of PCs, servers (SRV) and notebooks (NTB)]

Page 4

Separate administrators (better physical security principle)

[Diagram: ForestA with DomainB (DC) and DomainA (DC1, DC2); PCs split into open-space and in-office; servers in the datacenter, in branch1 and in branch2; notebooks without BitLocker and with BitLocker]

Page 5

Separate administrators (server role principle)

[Diagram: ForestA with DomainB (DC) and DomainA (DC1, DC2); PCs in open-space and in-office; servers grouped by role: FS, SQL, Web, SharePoint, Exchange, RDP, Remote Access]

Page 6

Separate administrators (application principle)

[Diagram: ForestA with DomainB (DC) and DomainA (DC1, DC2); applications grouped separately: Symantec Backup, DPM Backup, SQL, SharePoint Farm Intranet, SharePoint Farm Extranet, Exchange, RDP farm, RDP Gateway, AD FS, NPS RADIUS, FS]

Page 7

Courses of the Gopas Computer School at www.gopas.cz

GOC169 - Auditing ISO/IEC 2700x
GOC170 - AD Monitoring with SCOM and ACS
GOC171 - Active Directory Troubleshooting
GOC172 - Kerberos Troubleshooting
GOC173 - Enterprise PKI
GOC174 - SharePoint Architecture and Troubleshooting
GOC175 - Advanced Security

Get a TechEd 2014 T-shirt for filling in the evaluation questionnaire.

Gopas Computer School: your IT school for life