Solved

Is it possble to Encrypt Primary domain controller, to secure from hacking or taking over authentication ?

Posted on 2014-09-22
5
212 Views
Last Modified: 2014-09-24
Dear EE's

Is there anyway to secure domain controller and active directory environment from hacking or taking over authentication to manipulate?

Please advice.
0
Comment
Question by:Shamil Mohamed
5 Comments
 
LVL 11

Assisted Solution

by:Ganesh Kumar A
Ganesh Kumar A earned 250 total points
ID: 40336095
This guide would help to plan for securing AD : http://technet.microsoft.com/en-us/library/cc773365(v=ws.10).aspx

Word document :
https://www.google.co.in/url?sa=t&rct=j&q=&esrc=s&source=web&cd=3&cad=rja&uact=8&sqi=2&ved=0CDAQFjAC&url=http%3A%2F%2Fdownload.microsoft.com%2Fdownload%2FD%2F1%2F8%2FD1866CDE-9824-40F4-836A-4C8C233693F1%2FBest%2520Practices%2520for%2520Securing%2520Active%2520Directory.docx&ei=_dYfVMvIBcKQuASl94KwCQ&usg=AFQjCNHhbSXImv0d7fpc6eEhFzlC6WM1kA&sig2=wCtDwFuF1fTjav1tFkmX4w&bvm=bv.75775273,d.c2E


a) Review firewall configuration have Cisco ASA 5505 or some better firewall for internal and external access.
b) All AD OS must be done with OS hardening.
c) Inspect AD for unauthorized user account and disable it
d) Rename default Administrator account
e) Force GPO to change the password frequently or urge to keep complex passwords
f) Keep good Antivirus for all system and scan it periodically.
g) WiFi Security is must.
h) Keep 2 layer of protection and allow only certain ports through firewall.
i) Keep Domain Controllers in different VLAN.
j) Require passwords of 15 or more characters - Disable LAN Manager (LM) hashes from being stored on your computers      (http://support.microsoft.com/kb/299656)
k) Do not show/store the last username used to login (http://support.microsoft.com/kb/310125) -
l) Do not cache passwords: This setting will prevent users from logging in when the domain controller is unavailable  (http://4sysops.com/archives/manage-stored-windows-passwords/) -
0
 
LVL 83

Expert Comment

by:Dave Baldwin
ID: 40336188
The most common way for people to login to a system that they aren't authorized on is to ask a 'friend' to let him use his login.  That's what Edward Snowden did at the NSA.
0
 
LVL 1

Author Comment

by:Shamil Mohamed
ID: 40336236
is there anyway use usb as the authentication key.?
0
 
LVL 62

Accepted Solution

by:
btan earned 250 total points
ID: 40336365
cert based using token and smartcard can be bypass if malware has smartcard proxy scheme (which happened in real incident already) but we should minimally have it enforced for such critical DC and enforced in all administrator and no remote admin where possible (and if need to, get VPN at minimal which is also client cert based). The auth key is based on the 2Factor held by the user per se...

do check out below as it include GPO harden setting and restricted grp etc - primary threat include pass the hash and Kerberos Golden Ticket

Mitigating Pass-the-Hash (PtH) Attacks and Other Credential Theft, Version 2
http://www.microsoft.com/en-sg/download/details.aspx?id=36036
Protection from Kerberos Golden Ticket
http://cert.europa.eu/static/WhitePapers/CERT-EU-SWP_14_07_PassTheGolden_Ticket_v1_1.pdf

and I kind of like this below tips and note there is Microsoft Security compliance manager free for download on recommended setting and document that is pretty handy as overall compliance.
http://social.technet.microsoft.com/wiki/contents/articles/18931.security-hardening-tips-and-recommendations.aspx

Bitlocker disk encryption and EFS file encryption are just part and parcel of the scheme of hardening ...
0
 
LVL 1

Author Closing Comment

by:Shamil Mohamed
ID: 40340997
Thank you.
0

Featured Post

Migrating Your Company's PCs

To keep pace with competitors, businesses must keep employees productive, and that means providing them with the latest technology. This document provides the tips and tricks you need to help you migrate an outdated PC fleet to new desktops, laptops, and tablets.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Disabling the Directory Sync Service Account in Office 365 will stop directory synchronization from working.
This article runs through the process of deploying a single EXE application selectively to a group of user.
This tutorial will walk an individual through the process of installing the necessary services and then configuring a Windows Server 2012 system as an iSCSI target. To install the necessary roles, go to Server Manager, and select Add Roles and Featu…
This video shows how to use Hyena, from SystemTools Software, to bulk import 100 user accounts from an external text file. View in 1080p for best video quality.

770 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question