RE: [ActiveDir] Hardening Active Directory
A good general guide for securing Active Directory can be found at:
http://www.microsoft.com/windows2000/technologies/directory/AD/AD_SecurityPt1.asp

Cheers,
Stuart

P.S. I think everyone should read that paper, by the way.

[This posting is provided "AS IS" with no warranties, and confers no rights.]

-Original Message-
From: Brad Martin [mailto:[EMAIL PROTECTED]]
Sent: Friday, December 27, 2002 8:11 AM
To: Active Directory Mailing List
Subject: [ActiveDir] Hardening Active Directory

Anyone have any good links with tips on securing Active Directory? I'm going to have a couple of AD servers out on the Net, so I want to do what I can to lock them down.

Brad Martin
Go Daddy Software
[EMAIL PROTECTED]
480.505.8800 ext. 250
RE: [ActiveDir] Hardening Active Directory
Stuart,

Thanks for this. This was pointed out by one of our readers, and it's a good read. However, now that I've finally finished the Lord of the Rings trilogy - I'm waiting for part II of THIS series. ;)

Yeah, I know. Get a life, Rick.

Rick Kingslan MCSE, MCSA, MCT
Microsoft MVP - Active Directory
Associate Expert
Expert Zone - www.microsoft.com/windowsxp/expertzone

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Stuart Kwan
Sent: Tuesday, December 31, 2002 1:21 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Hardening Active Directory
RE: [ActiveDir] Hardening Active Directory
There are some good tips here. Make sure the AD servers on the NET are in a separate forest.
http://www.aelita.com/ADSecurity

-doug

-Original Message-
From: Brad Martin [mailto:[EMAIL PROTECTED]]
Sent: Friday, December 27, 2002 11:11 AM
To: Active Directory Mailing List
Subject: [ActiveDir] Hardening Active Directory
RE: [ActiveDir] Hardening Active Directory
http://www.nsa.gov/snac/win2k/download.htm -- Guides for AD, DNS, Group Policies, File System. I use these guides religiously.

-Original Message-
From: Hazelman, Doug [mailto:[EMAIL PROTECTED]]
Sent: Friday, December 27, 2002 11:19 AM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Hardening Active Directory
RE: [ActiveDir] Hardening Active Directory
Really? Do they have a ritual for server cleansing and consecration? Maybe a psalm to ward off PHB's? :^)

-Original Message-
From: Leney, Justin [mailto:[EMAIL PROTECTED]]
Sent: Friday, December 27, 2002 9:25 AM
To: '[EMAIL PROTECTED]'
Subject: RE: [ActiveDir] Hardening Active Directory
RE: [ActiveDir] Hardening Active Directory
Best Practices for Designing a Secure Active Directory
http://fetchportal.com/click_thru.asp?LinkId=131

Ops Guide for Securing Active Directory
http://fetchportal.com/links.asp?CatId=21

Larry A. Duncan, MCSA/MCSE
Solutions Architect, CompTrends Consulting
[EMAIL PROTECTED]
http://www.comptrends.com/
ph. 615.598.0241
DMOZ: Systems_Management/Installers
LAUNCHCast Radio: 1237556939
Columnist: myITForum.com
Author: Windows .NET Magazine

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Brad Martin
Sent: Friday, December 27, 2002 10:11 AM
To: Active Directory Mailing List
Subject: [ActiveDir] Hardening Active Directory
Re: [ActiveDir] Hardening Active Directory
Make sure that you test any security recommendations in a lab before deploying them on your network. I have seen some of the templates from the NSA cause problems.

Tim Hines, MCSA, MCSE (2000 NT4)
MVP - Active Directory

- Original Message -
From: Larry A. Duncan
To: [EMAIL PROTECTED]
Sent: Friday, December 27, 2002 11:29 AM
Subject: RE: [ActiveDir] Hardening Active Directory
RE: [ActiveDir] Hardening Active Directory
Like the infamous "all my DCs just start rebooting themselves every 15 minutes" problem? ;-)

-gil

-Original Message-
From: Tim Hines [mailto:[EMAIL PROTECTED]]
Sent: Friday, December 27, 2002 10:35 AM
To: [EMAIL PROTECTED]
Subject: Re: [ActiveDir] Hardening Active Directory
RE: [ActiveDir] Hardening Active Directory
Yeah, but they are pretty damn secure then.

Brad Martin
Go Daddy Software

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Gil Kirkpatrick
Sent: Friday, December 27, 2002 10:43 AM
To: '[EMAIL PROTECTED]'
Subject: RE: [ActiveDir] Hardening Active Directory
Re: [ActiveDir] Hardening Active Directory
I think that Gil is referring to the setting that sets "shut down the computer when the security audit log is full". That caused servers to reboot over and over. I also recall that one of the templates set additional restrictions for anonymous connections to "no access without explicit anonymous permissions". This will kill downlevel trusts and keep downlevel clients from logging on.

Tim Hines, MCSA, MCSE (2000 NT4)
MVP - Active Directory

- Original Message -
From: Larry A. Duncan
To: [EMAIL PROTECTED]
Sent: Friday, December 27, 2002 1:30 PM
Subject: RE: [ActiveDir] Hardening Active Directory

Can you expand, Gil? I'd rather not find out the hard way... :)

Larry A. Duncan, MCSA/MCSE
Solutions Architect, CompTrends Consulting

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Gil Kirkpatrick
Sent: Friday, December 27, 2002 11:43 AM
To: '[EMAIL PROTECTED]'
Subject: RE: [ActiveDir] Hardening Active Directory
RE: [ActiveDir] Hardening Active Directory
Thanks for clarifying, Gil. This is great information.

Larry A. Duncan, MCSA/MCSE
Solutions Architect, CompTrends Consulting
[EMAIL PROTECTED]
http://www.comptrends.com/
ph. 615.598.0241
DMOZ: Systems_Management/Installers
LAUNCHCast Radio: 1237556939
Columnist: myITForum.com
Author: Windows .NET Magazine

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Gil Kirkpatrick
Sent: Friday, December 27, 2002 1:14 PM
To: '[EMAIL PROTECTED]'
Subject: RE: [ActiveDir] Hardening Active Directory

Hey Larry,

It was a problem one of our customers experienced after deploying the NSA templates in their test lab a few days before production deployment. He frequents the list so may be able to give details, but as I understand it, one of the policy settings on their DCs was to shut down on audit failure. I'm not clear on the specifics of the audit failure, but when the machine went down, it corrupted something (perhaps the audit log?) and then would come back up and then fail again. There was also some issue of removing the Everyone group from the template (I'm reading from our support log) but I don't know what this means exactly. Hopefully the person who had the problem can describe the problem in more detail on-list, or at least get with you offline. The problem has been experienced by several people that I'm aware of.

-gil

-Original Message-
From: Larry A. Duncan [mailto:[EMAIL PROTECTED]]
Sent: Friday, December 27, 2002 11:31 AM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Hardening Active Directory
RE: [ActiveDir] Hardening Active Directory
As far as I can tell (I'm new at the company here, and I still haven't gotten a full run down of the environment) there will be people actually authenticating with them.

Brad Martin
Go Daddy Software

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Leney, Justin
Sent: Friday, December 27, 2002 12:13 PM
To: '[EMAIL PROTECTED]'
Subject: RE: [ActiveDir] Hardening Active Directory

Another setting that can have detrimental effects on down-level clients is the LAN Manager Authentication Level. Set it to the highest level only if you will have Win2000/XP clients authenticating to the domain.

The AD servers on the net; are they going to just support a web front end or something similar, or are users going to actually authenticate to them on a day to day basis?

-Original Message-
From: Tim Hines [mailto:[EMAIL PROTECTED]]
Sent: Friday, December 27, 2002 1:59 PM
To: [EMAIL PROTECTED]
Subject: Re: [ActiveDir] Hardening Active Directory
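A small lint for secedit-style security templates, added here as an example and not code from anyone in this thread: it flags the three settings discussed above (Tim Hines' audit-log shutdown and anonymous-access restriction, Justin Leney's LAN Manager Authentication Level) before a template reaches a DC. The [Registry Values] line format, the Lsa registry value names CrashOnAuditFail, RestrictAnonymous and LmCompatibilityLevel, and the sample template are assumptions of this example; the thread only gives the policy display names.

```python
# Assumed template format: INI-like .inf whose [Registry Values] section holds
# "registry_path=type,data" lines (type 4 = REG_DWORD). The Lsa value names are
# assumed to be the registry names behind the policy display names quoted in
# the thread; the thread itself gives only the display names.
LSA = "MACHINE\\System\\CurrentControlSet\\Control\\Lsa\\"

# Constructed sample template; the values were chosen to trip every check below.
SAMPLE_TEMPLATE = """\
[Unicode]
Unicode=yes
[Registry Values]
MACHINE\\System\\CurrentControlSet\\Control\\Lsa\\CrashOnAuditFail=4,1
MACHINE\\System\\CurrentControlSet\\Control\\Lsa\\RestrictAnonymous=4,2
MACHINE\\System\\CurrentControlSet\\Control\\Lsa\\LmCompatibilityLevel=4,5
MACHINE\\System\\CurrentControlSet\\Control\\Lsa\\AuditBaseObjects=4,0
"""


def parse_registry_values(template_text):
    """Return {registry_path: (type, data)} from the [Registry Values] section."""
    values = {}
    section = None
    for raw in template_text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue  # blank line or comment
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1]
            continue
        if section != "Registry Values" or "=" not in line:
            continue
        path, _, rhs = line.partition("=")
        reg_type, _, data = rhs.partition(",")
        values[path.strip()] = (int(reg_type), data.strip())
    return values


def lint_template(template_text, downlevel_clients=True):
    """Return (setting, data, why) triples for settings the thread warns about.

    downlevel_clients=False drops the two checks that only matter while NT4/Win9x
    clients or downlevel trusts still authenticate against the DCs."""
    values = parse_registry_values(template_text)
    findings = []
    crash = values.get(LSA + "CrashOnAuditFail")
    if crash and crash[1] != "0":
        findings.append(("CrashOnAuditFail", crash[1],
                         "halts the machine when the security log fills; "
                         "on a DC this can turn into a reboot loop"))
    anon = values.get(LSA + "RestrictAnonymous")
    if downlevel_clients and anon and anon[1] == "2":
        findings.append(("RestrictAnonymous", anon[1],
                         "'no access without explicit anonymous permissions' "
                         "breaks downlevel trusts and downlevel client logons"))
    lm = values.get(LSA + "LmCompatibilityLevel")
    if downlevel_clients and lm and int(lm[1]) >= 4:
        findings.append(("LmCompatibilityLevel", lm[1],
                         "refuses LM (4) or LM and NTLM (5) responses, so "
                         "clients without NTLMv2 support cannot log on"))
    return findings


if __name__ == "__main__":
    for name, data, why in lint_template(SAMPLE_TEMPLATE):
        print(f"WARNING {name}={data}: {why}")
```

Run it against a real template only after reading the template in a lab, as Tim advises; the checks here cover just the settings this thread names.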
RE: [ActiveDir] Hardening Active Directory
Why out on the Net?

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Brad Martin
Sent: Friday, December 27, 2002 11:11
To: Active Directory Mailing List
Subject: [ActiveDir] Hardening Active Directory