Solved

Is it possble to Encrypt Primary domain controller, to secure from hacking or taking over authentication ?

Posted on 2014-09-22
5
216 Views
Last Modified: 2014-09-24
Dear EE's

Is there anyway to secure domain controller and active directory environment from hacking or taking over authentication to manipulate?

Please advice.
0
Comment
Question by:Shamil Mohamed
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
5 Comments
 
LVL 12

Assisted Solution

by:Ganesh Kumar A
Ganesh Kumar A earned 250 total points
ID: 40336095
This guide would help to plan for securing AD : http://technet.microsoft.com/en-us/library/cc773365(v=ws.10).aspx

Word document :
https://www.google.co.in/url?sa=t&rct=j&q=&esrc=s&source=web&cd=3&cad=rja&uact=8&sqi=2&ved=0CDAQFjAC&url=http%3A%2F%2Fdownload.microsoft.com%2Fdownload%2FD%2F1%2F8%2FD1866CDE-9824-40F4-836A-4C8C233693F1%2FBest%2520Practices%2520for%2520Securing%2520Active%2520Directory.docx&ei=_dYfVMvIBcKQuASl94KwCQ&usg=AFQjCNHhbSXImv0d7fpc6eEhFzlC6WM1kA&sig2=wCtDwFuF1fTjav1tFkmX4w&bvm=bv.75775273,d.c2E


a) Review firewall configuration have Cisco ASA 5505 or some better firewall for internal and external access.
b) All AD OS must be done with OS hardening.
c) Inspect AD for unauthorized user account and disable it
d) Rename default Administrator account
e) Force GPO to change the password frequently or urge to keep complex passwords
f) Keep good Antivirus for all system and scan it periodically.
g) WiFi Security is must.
h) Keep 2 layer of protection and allow only certain ports through firewall.
i) Keep Domain Controllers in different VLAN.
j) Require passwords of 15 or more characters - Disable LAN Manager (LM) hashes from being stored on your computers      (http://support.microsoft.com/kb/299656)
k) Do not show/store the last username used to login (http://support.microsoft.com/kb/310125) -
l) Do not cache passwords: This setting will prevent users from logging in when the domain controller is unavailable  (http://4sysops.com/archives/manage-stored-windows-passwords/) -
0
 
LVL 83

Expert Comment

by:Dave Baldwin
ID: 40336188
The most common way for people to login to a system that they aren't authorized on is to ask a 'friend' to let him use his login.  That's what Edward Snowden did at the NSA.
0
 
LVL 1

Author Comment

by:Shamil Mohamed
ID: 40336236
is there anyway use usb as the authentication key.?
0
 
LVL 63

Accepted Solution

by:
btan earned 250 total points
ID: 40336365
cert based using token and smartcard can be bypass if malware has smartcard proxy scheme (which happened in real incident already) but we should minimally have it enforced for such critical DC and enforced in all administrator and no remote admin where possible (and if need to, get VPN at minimal which is also client cert based). The auth key is based on the 2Factor held by the user per se...

do check out below as it include GPO harden setting and restricted grp etc - primary threat include pass the hash and Kerberos Golden Ticket

Mitigating Pass-the-Hash (PtH) Attacks and Other Credential Theft, Version 2
http://www.microsoft.com/en-sg/download/details.aspx?id=36036
Protection from Kerberos Golden Ticket
http://cert.europa.eu/static/WhitePapers/CERT-EU-SWP_14_07_PassTheGolden_Ticket_v1_1.pdf

and I kind of like this below tips and note there is Microsoft Security compliance manager free for download on recommended setting and document that is pretty handy as overall compliance.
http://social.technet.microsoft.com/wiki/contents/articles/18931.security-hardening-tips-and-recommendations.aspx

Bitlocker disk encryption and EFS file encryption are just part and parcel of the scheme of hardening ...
0
 
LVL 1

Author Closing Comment

by:Shamil Mohamed
ID: 40340997
Thank you.
0

Featured Post

Free learning courses: Active Directory Deep Dive

Get a firm grasp on your IT environment when you learn Active Directory best practices with Veeam! Watch all, or choose any amount, of this three-part webinar series to improve your skills. From the basics to virtualization and backup, we got you covered.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Suggested Solutions

Title # Comments Views Activity
Analyze DHCP server logs 1 46
How to script user logon 5 38
Routers to buy for MDT Multitasking 6 70
Duplicate SPN entries 1 19
This article describes my battle tested process for setting up delegation. I use this process anywhere that I need to setup delegation. In the article I will show how it applies to Active Directory
Always backup Domain, SYSVOL etc.using processes according to Microsoft Best Practices. This is meant as a disaster recovery process for small environments that did not implement backup processes and did not run a secondary domain controller that ne…
This tutorial will walk an individual through the steps necessary to join and promote the first Windows Server 2012 domain controller into an Active Directory environment running on Windows Server 2008. Determine the location of the FSMO roles by lo…
This tutorial will walk an individual through the process of installing the necessary services and then configuring a Windows Server 2012 system as an iSCSI target. To install the necessary roles, go to Server Manager, and select Add Roles and Featu…

738 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question