Solved

Is it possible to Encrypt Primary domain controller, to secure from hacking or taking over authentication?

Posted on 2014-09-22
Last Modified: 2014-09-24
Dear EE's

Is there any way to secure the domain controller and Active Directory environment from hacking or taking over authentication to manipulate?

Please advise.
0
Question by:Shamil Mohamed
5 Comments
 
LVL 12

Assisted Solution

by:Ganesh Kumar A
Ganesh Kumar A earned 1000 total points
ID: 40336095
This guide would help to plan for securing AD: http://technet.microsoft.com/en-us/library/cc773365(v=ws.10).aspx

Word document:
https://www.google.co.in/url?sa=t&rct=j&q=&esrc=s&source=web&cd=3&cad=rja&uact=8&sqi=2&ved=0CDAQFjAC&url=http%3A%2F%2Fdownload.microsoft.com%2Fdownload%2FD%2F1%2F8%2FD1866CDE-9824-40F4-836A-4C8C233693F1%2FBest%2520Practices%2520for%2520Securing%2520Active%2520Directory.docx&ei=_dYfVMvIBcKQuASl94KwCQ&usg=AFQjCNHhbSXImv0d7fpc6eEhFzlC6WM1kA&sig2=wCtDwFuF1fTjav1tFkmX4w&bvm=bv.75775273,d.c2E


a) Review the firewall configuration; have a Cisco ASA 5505 or some better firewall for internal and external access.
b) All AD OS must be done with OS hardening.
c) Inspect AD for unauthorized user accounts and disable them
d) Rename the default Administrator account
e) Force GPO to change the password frequently or urge to keep complex passwords
f) Keep good antivirus on all systems and scan periodically.
g) WiFi security is a must.
h) Keep 2 layers of protection and allow only certain ports through the firewall.
i) Keep Domain Controllers in a different VLAN.
j) Require passwords of 15 or more characters - Disable LAN Manager (LM) hashes from being stored on your computers (http://support.microsoft.com/kb/299656)
k) Do not show/store the last username used to login (http://support.microsoft.com/kb/310125)
l) Do not cache passwords: This setting will prevent users from logging in when the domain controller is unavailable (http://4sysops.com/archives/manage-stored-windows-passwords/)
0
 
LVL 84

Expert Comment

by:Dave Baldwin
ID: 40336188
The most common way for people to login to a system that they aren't authorized on is to ask a 'friend' to let him use his login.  That's what Edward Snowden did at the NSA.
0
 
LVL 1

Author Comment

by:Shamil Mohamed
ID: 40336236
Is there any way to use USB as the authentication key?
0
 
LVL 64

Accepted Solution

by:
btan earned 1000 total points
ID: 40336365
Cert-based authentication using a token and smartcard can be bypassed if malware has a smartcard proxy scheme (which has happened in a real incident already), but we should minimally have it enforced for such a critical DC and enforced for all administrators, with no remote admin where possible (and if needed, get a VPN at minimum, which is also client-cert based). The auth key is based on the 2-factor held by the user per se...

Do check out the below, as it includes GPO hardening settings, restricted groups, etc. The primary threats include pass-the-hash and Kerberos Golden Ticket.

Mitigating Pass-the-Hash (PtH) Attacks and Other Credential Theft, Version 2
http://www.microsoft.com/en-sg/download/details.aspx?id=36036
Protection from Kerberos Golden Ticket
http://cert.europa.eu/static/WhitePapers/CERT-EU-SWP_14_07_PassTheGolden_Ticket_v1_1.pdf

I also kind of like the tips below, and note there is Microsoft Security Compliance Manager, free for download, with recommended settings and documents that are pretty handy for overall compliance.
http://social.technet.microsoft.com/wiki/contents/articles/18931.security-hardening-tips-and-recommendations.aspx

BitLocker disk encryption and EFS file encryption are just part and parcel of the scheme of hardening...
0
 
LVL 1

Author Closing Comment

by:Shamil Mohamed
ID: 40340997
Thank you.
0
