Solved

Is it possible to encrypt the primary domain controller, to secure it from hacking or from someone taking over authentication?

Posted on 2014-09-22
Last Modified: 2014-09-24
Dear EE's

Is there any way to secure the domain controller and Active Directory environment from hacking or from someone taking over authentication to manipulate it?

Please advise.
Question by:Shamil Mohamed

Assisted Solution

by:Ganesh Kumar A
Ganesh Kumar A earned 250 total points
ID: 40336095
This guide would help you plan for securing AD: http://technet.microsoft.com/en-us/library/cc773365(v=ws.10).aspx

Word document:
http://download.microsoft.com/download/D/1/8/D1866CDE-9824-40F4-836A-4C8C233693F1/Best%20Practices%20for%20Securing%20Active%20Directory.docx


a) Review the firewall configuration; have a Cisco ASA 5505 or some better firewall for internal and external access.
b) All AD servers must have OS hardening applied.
c) Inspect AD for unauthorized user accounts and disable them.
d) Rename the default Administrator account.
e) Force password changes frequently through GPO, or urge users to keep complex passwords.
f) Keep good antivirus on all systems and scan them periodically.
g) WiFi security is a must.
h) Keep 2 layers of protection and allow only certain ports through the firewall.
i) Keep domain controllers in a different VLAN.
j) Require passwords of 15 or more characters - disable LAN Manager (LM) hashes from being stored on your computers (http://support.microsoft.com/kb/299656)
k) Do not show/store the last username used to log in (http://support.microsoft.com/kb/310125)
l) Do not cache passwords: this setting will prevent users from logging in when the domain controller is unavailable (http://4sysops.com/archives/manage-stored-windows-passwords/)
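
An added example, not part of the original answer: a read-only PowerShell audit of items j), k) and l) above. The registry paths and value names are the standard Windows locations for these settings and do not come from the thread; the function name `Test-HardeningSetting` is hypothetical.

```powershell
# Added example: read-only audit of three hardening settings from the list above.
# Registry locations are the standard Windows ones, not taken from the thread.
$checks = @(
    [pscustomobject]@{
        Item     = 'j) No LM hash storage'
        Path     = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
        Name     = 'NoLMHash'
        Expected = '1'
    },
    [pscustomobject]@{
        Item     = 'k) Hide last logged-on user name'
        Path     = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
        Name     = 'DontDisplayLastUserName'
        Expected = '1'
    },
    [pscustomobject]@{
        Item     = 'l) No cached domain logons'
        Path     = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'
        Name     = 'CachedLogonsCount'   # stored as REG_SZ, so compare as string
        Expected = '0'
    }
)

function Test-HardeningSetting {
    param([Parameter(Mandatory)] $Check)
    # A missing key or value means the setting was never configured; report
    # that explicitly instead of letting the error hide the gap.
    $actual = $null
    $props = Get-ItemProperty -Path $Check.Path -Name $Check.Name -ErrorAction SilentlyContinue
    if ($null -ne $props) { $actual = [string]$props.($Check.Name) }
    [pscustomobject]@{
        Item      = $Check.Item
        Value     = if ($null -eq $actual) { '<not set>' } else { $actual }
        Expected  = $Check.Expected
        Compliant = ($actual -eq $Check.Expected)
    }
}

$results = $checks | ForEach-Object { Test-HardeningSetting -Check $_ }
$results | Format-Table -AutoSize

# Non-zero exit code lets a scheduled task or monitoring agent flag drift.
if ($results.Compliant -contains $false) { exit 1 }
```

These are the values the corresponding Group Policy settings write, so the output reflects the effective state on the machine where it runs. `NoLMHash` only takes effect at the next password change, so existing LM hashes remain until each account's password is reset.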

Expert Comment

by:Dave Baldwin
ID: 40336188
The most common way for people to login to a system that they aren't authorized on is to ask a 'friend' to let him use his login.  That's what Edward Snowden did at the NSA.

Author Comment

by:Shamil Mohamed
ID: 40336236
Is there any way to use USB as the authentication key?

Accepted Solution

by:
btan earned 250 total points
ID: 40336365
Cert-based authentication using a token and smartcard can be bypassed if malware has a smartcard proxy scheme (which has already happened in a real incident), but we should minimally have it enforced for such a critical DC and enforced for all administrators, with no remote admin where possible (and if needed, use a VPN at minimum, which is also client-cert based). The auth key is based on the 2-factor held by the user per se...

Do check out the links below, as they include GPO hardening settings, restricted groups, etc. The primary threats include pass-the-hash and the Kerberos Golden Ticket.

Mitigating Pass-the-Hash (PtH) Attacks and Other Credential Theft, Version 2
http://www.microsoft.com/en-sg/download/details.aspx?id=36036
Protection from Kerberos Golden Ticket
http://cert.europa.eu/static/WhitePapers/CERT-EU-SWP_14_07_PassTheGolden_Ticket_v1_1.pdf

I also kind of like the tips below, and note that Microsoft Security Compliance Manager is a free download with recommended settings and documentation, which is pretty handy for overall compliance.
http://social.technet.microsoft.com/wiki/contents/articles/18931.security-hardening-tips-and-recommendations.aspx

BitLocker disk encryption and EFS file encryption are just part and parcel of the scheme of hardening ...

Author Closing Comment

by:Shamil Mohamed
ID: 40340997
Thank you.