2014 Active Directory Assessment

Spotsylvania County

[Presented: December 2014]

No reproduction or dissemination of information in this report may occur without prior written consent.


Active Directory

Of all the technologies at an organization, Active Directory is one of the most - if not the most - important technologies to control and secure.

Rating: Needs Improvement

Control Objective:

Assess the overall health of Active Directory and ensure best practices are being followed

Key Areas:

Current Environment – Status check of current AD environment

Replication – Verify all domain controllers are replicating with no errors; Check DC health

FSMO Roles – Verify FSMO role placement is following best practice

Group Policies – Review GPOs and check that they are applied correctly

Best Practice Results – Results from the BPA analyzer

DNS – Verify DNS is set up according to best practice

Accounts and Passwords – Check inactive accounts and password policies

Tools Used:

Active Directory Best Practices Analyzer

The Active Directory Best Practices Analyzer (BPA) identifies deviations from best practices to help IT professionals better manage their Active Directory deployments. BPA uses Windows PowerShell cmdlets to gather run-time data. It analyzes Active Directory settings that can cause unexpected behavior. It then makes Active Directory configuration recommendations in the context of your deployment. The Active Directory BPA is available in Server Manager.

Active Directory module for Windows PowerShell and Windows PowerShell cmdlets

The Active Directory module for Windows PowerShell provides command-line scripting for administrative, configuration, and diagnostic tasks, with a consistent vocabulary and syntax. It provides predictable discovery and flexible output formatting. You can easily pipe cmdlets to build complex operations. The Active Directory module enables end-to-end manageability with Exchange Server, Group Policy, and other services.

Current Environment

• Domain Name: spotsy.gov

• NetBIOS Name: SPOTSY

• Domain functional level: Windows Server 2003

• Forest functional level: Windows Server 2003

• fsmoPDC: SCDC01HOL.spotsy.gov

• fsmoINFRA: SCDC01HOL.spotsy.gov

• fsmoRID: SCDC01HOL.spotsy.gov

• fsmoDomain: SCDC01HOL.spotsy.gov

• fsmoSchema: SCDC01P10.spotsy.gov

• AD Schema: 47 (Windows 2008 R2)

• EX Schema: 14732 (Exchange 2010 SP1 or newer)

• RTC Schema: 1100 (Lync Server 2010)

• Site names: Holbert, PNR, Utilities, SD, Peak10

• Domain Controllers: SCDC01HOL, SCDC02HOL, SCDC01UTIL, SCDC01PNR, SCDC01SD, SCFS01UTIL, SCFS01PNR, SCDC01P10, SCDC02P10, SCFS01SD, SCDC03HOL
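The status check above can be collected with the Active Directory module listed under Tools Used. This is an added example, not the report's own script; it assumes the RSAT Active Directory module is installed and the caller can read the domain and schema partitions.

```powershell
# Added example: gather the facts listed under "Current Environment".
# Assumes the RSAT Active Directory module and read access to the domain.
Import-Module ActiveDirectory

$domain  = Get-ADDomain
$forest  = Get-ADForest
$rootDse = Get-ADRootDSE

# Schema versions: the AD schema objectVersion plus the Exchange and Lync (RTC)
# extension markers, all read from the schema naming context. A marker that is
# absent (product never installed) simply yields an empty value.
$schemaNc  = $rootDse.schemaNamingContext
$adSchema  = (Get-ADObject $schemaNc -Properties objectVersion).objectVersion
$exSchema  = (Get-ADObject "CN=ms-Exch-Schema-Version-Pt,$schemaNc" -Properties rangeUpper -ErrorAction SilentlyContinue).rangeUpper
$rtcSchema = (Get-ADObject "CN=ms-RTC-SIP-SchemaVersion,$schemaNc" -Properties rangeUpper -ErrorAction SilentlyContinue).rangeUpper

[PSCustomObject]@{
    DomainName  = $domain.DNSRoot
    NetBIOSName = $domain.NetBIOSName
    DomainMode  = $domain.DomainMode
    ForestMode  = $forest.ForestMode
    fsmoPDC     = $domain.PDCEmulator
    fsmoINFRA   = $domain.InfrastructureMaster
    fsmoRID     = $domain.RIDMaster
    fsmoDomain  = $forest.DomainNamingMaster
    fsmoSchema  = $forest.SchemaMaster
    ADSchema    = $adSchema
    EXSchema    = $exSchema
    RTCSchema   = $rtcSchema
    Sites       = ($forest.Sites -join ', ')
} | Format-List

# Every domain controller with its site and OS, so a DC that is missing,
# sitting alone in a remote site, or running an old OS stands out.
Get-ADDomainController -Filter * |
    Select-Object Name, Site, IPv4Address, OperatingSystem, IsGlobalCatalog |
    Sort-Object Site, Name |
    Format-Table -AutoSize
```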

Active Directory is in Windows Server 2003 mode for both the forest and domain functional levels.

This prevents use of the following features of Windows Server 2008 mode:

Fine-grained password policies – Allows multiple password policies to be applied to different users in the same domain.

Read-Only Domain Controllers – Allows implementation of domain controllers that host only a read-only copy of the NTDS database.

Advanced Encryption Standard (AES 128 and 256) support for the Kerberos protocol.

Granular auditing – Allows a history of object changes in Active Directory.

Distributed File System Replication (DFSR) – Allows SYSVOL to replicate using DFSR instead of the older File Replication Service (FRS). It provides more robust and detailed replication of SYSVOL contents.

Last Interactive Logon Information – Displays the time of the last successful interactive logon for a user, the workstation it came from, and the number of failed logon attempts since the last logon.

Active Directory Recycle Bin – IT professionals can use the Active Directory Recycle Bin to undo an accidental deletion of an Active Directory object. Accidental object deletion causes business downtime.

Managed Service Accounts – Managed Service Accounts provide simple management of service accounts. At the Windows Server 2008 R2 domain functional level, this feature provides better management of service principal names (SPNs).

1. Replication

Replication was tested from all domain controllers. Please see the appendix to view the data collection. Overall, replication is working correctly with the available domain controllers. We did find that SCDC02P10 in the Peak10 site has not been online this year. This DC possibly crashed or is simply turned off. SCDC01SD in the SD site is online, but RPC is failing and it hasn’t replicated since June of this year. We also found that the time difference between some domain controllers is off by more than a minute.
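The replication and clock checks above, as an added example that is not part of the report's own data collection (that used DCDiag and RepAdmin, see the appendix). It assumes the Windows Server 2012 or later Active Directory module, which provides the Get-ADReplication* cmdlets, and RPC/WMI reachability to each DC; the seven-day staleness and one-minute skew thresholds are assumed review values.

```powershell
# Added example: per-DC inbound replication status and clock offset.
# Assumes the AD module with Get-ADReplicationPartnerMetadata (Server 2012+ RSAT).
Import-Module ActiveDirectory
$staleAfter     = (Get-Date).AddDays(-7)   # assumed threshold: partner silent for a week
$maxSkewSeconds = 60                       # assumed threshold: report flags skew over a minute

foreach ($dc in Get-ADDomainController -Filter * | Sort-Object Site, Name) {
    $name = $dc.HostName
    try {
        # A DC that is powered off or whose RPC endpoint fails throws here
        # instead of returning rows, so it is reported in the catch block.
        $partners = Get-ADReplicationPartnerMetadata -Target $name -Partition * -ErrorAction Stop
        foreach ($p in $partners) {
            $status = if ($p.LastReplicationResult -ne 0) { "ERROR $($p.LastReplicationResult)" }
                      elseif ($p.LastReplicationSuccess -lt $staleAfter) { 'STALE' }
                      else { 'OK' }
            [PSCustomObject]@{
                DC          = $dc.Name
                Site        = $dc.Site
                # Partner is the DN of the partner's NTDS Settings object; the
                # second RDN is the partner server name.
                Partner     = (($p.Partner -split ',')[1] -replace '^CN=')
                Partition   = $p.Partition
                LastSuccess = $p.LastReplicationSuccess
                Status      = $status
            }
        }
        # Clock offset relative to this workstation. The WMI round trip adds a
        # little noise, but far less than the one-minute threshold used here.
        $os         = Get-WmiObject Win32_OperatingSystem -ComputerName $name -ErrorAction Stop
        $remoteTime = $os.ConvertToDateTime($os.LocalDateTime)
        $skew       = [math]::Abs(((Get-Date) - $remoteTime).TotalSeconds)
        if ($skew -gt $maxSkewSeconds) {
            Write-Warning "$($dc.Name): clock differs by $([int]$skew) seconds"
        }
    }
    catch {
        # Record the failure and continue the sweep over the remaining DCs.
        Write-Warning "$($dc.Name): unreachable - $($_.Exception.Message)"
    }
}
```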

2. FSMO Role Placement

The schema role currently resides on SCDC01P10 while the rest reside on SCDC01HOL. SCDC01P10 is in a separate AD site from SCDC01HOL. Microsoft has published their recommendations regarding FSMO role placement.

3. Group Policies

Group policies were reviewed. We found one critical issue here. The Default Domain Controllers Policy in the domain spotsy.gov is not applied to the OU OU=Domain Controllers,DC=spotsy,DC=gov. This link is enabled by default, so it was disabled manually.

4. Best Practice Results

A full list of all Active Directory BPA results can be found in the appendix. The following are issues that need to be addressed:

• AD objects not protected from accidental deletion.

• Domain controllers must have "Enable computer and user accounts to be trusted for delegation" granted to the Built-in Administrators security group.

• Domain controllers must have "Access this Computer from the Network" granted to the appropriate security principals.
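Two of the findings in sections 3 and 4 (the unlinked Default Domain Controllers Policy and the unprotected OUs) can be verified and corrected with the GroupPolicy and ActiveDirectory modules. This is an added example, not the report's own script; it assumes both RSAT modules are installed and reads the DC OU name from the domain rather than hard-coding it.

```powershell
# Added example: check the Default Domain Controllers Policy link on the DC OU
# and list OUs that are not protected from accidental deletion.
# Assumes the GroupPolicy and ActiveDirectory RSAT modules.
Import-Module GroupPolicy
Import-Module ActiveDirectory

$dcOu = (Get-ADDomain).DomainControllersContainer   # e.g. OU=Domain Controllers,DC=spotsy,DC=gov

# 1. Is the Default Domain Controllers Policy linked to the DC OU, and is the link enabled?
$link = (Get-GPInheritance -Target $dcOu).GpoLinks |
    Where-Object { $_.DisplayName -eq 'Default Domain Controllers Policy' }
if (-not $link) {
    Write-Warning "Default Domain Controllers Policy is not linked to $dcOu"
} elseif (-not $link.Enabled) {
    # This is the state the report describes: linked, but the link was disabled.
    Write-Warning "Default Domain Controllers Policy link on $dcOu is disabled"
} else {
    Write-Output 'Default Domain Controllers Policy link: OK'
}
# Remediation once confirmed (re-enables the existing link):
# Set-GPLink -Name 'Default Domain Controllers Policy' -Target $dcOu -LinkEnabled Yes

# 2. Which OUs lack the ProtectedFromAccidentalDeletion flag?
$unprotected = Get-ADOrganizationalUnit -Filter * -Properties ProtectedFromAccidentalDeletion |
    Where-Object { -not $_.ProtectedFromAccidentalDeletion }
$unprotected | Select-Object Name, DistinguishedName | Format-Table -AutoSize

# Remediation for the OU finding (run only after reviewing the list above):
# $unprotected | Set-ADOrganizationalUnit -ProtectedFromAccidentalDeletion $true
```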

5. DNS

A full list of all DNS BPA results can be found in the appendix. The following are issues that need to be addressed:

• Scavenging is disabled on the DNS servers.

6. Accounts and Passwords

A list of inactive accounts older than 90 days was generated for review in the appendix. We also reviewed the current password policy and generated a list of user accounts with non-expiring passwords. A membership list was created for Domain Admins and Enterprise Admins. We found the following settings for the password policy:

Account Policies/Password Policy

Policy                                        Setting
Enforce password history                      0 passwords remembered
Maximum password age                          180 days
Minimum password age                          0 days
Minimum password length                       6 characters
Password must meet complexity requirements    Disabled
Store passwords using reversible encryption   Disabled

Account Policies/Account Lockout Policy

Policy                                        Setting
Account lockout threshold                     0 invalid logon attempts

We consider this a relaxed password policy, which could allow passwords to be compromised with little effort.
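The four reviews in this section (password policy, 90-day inactive accounts, non-expiring passwords, and privileged group membership) can be reproduced with the Active Directory module. This is an added example, not the report's own script; it assumes the RSAT Active Directory module, and the minimum values it compares against are assumed review thresholds, not figures from the report.

```powershell
# Added example: reproduce the account and password reviews of section 6.
# Assumes the RSAT Active Directory module; thresholds below are assumed review values.
Import-Module ActiveDirectory

# Domain-wide password and lockout policy, compared against review thresholds.
$policy   = Get-ADDefaultDomainPasswordPolicy
$findings = @()
if ($policy.PasswordHistoryCount -lt 24) { $findings += "history $($policy.PasswordHistoryCount) (want 24)" }
# MaxPasswordAge of 0 means passwords never expire; treat that like a too-long age.
if ($policy.MaxPasswordAge.Days -gt 90 -or $policy.MaxPasswordAge.Days -eq 0) { $findings += "max age $($policy.MaxPasswordAge.Days) days (want <= 90)" }
if ($policy.MinPasswordAge.Days -lt 1)   { $findings += "min age $($policy.MinPasswordAge.Days) days (want >= 1)" }
if ($policy.MinPasswordLength -lt 12)    { $findings += "min length $($policy.MinPasswordLength) (want 12)" }
if (-not $policy.ComplexityEnabled)      { $findings += 'complexity disabled' }
if ($policy.ReversibleEncryptionEnabled) { $findings += 'reversible encryption enabled' }
if ($policy.LockoutThreshold -eq 0)      { $findings += 'no account lockout threshold' }
if ($findings) { Write-Warning ('Relaxed password policy: ' + ($findings -join '; ')) }

# Enabled user accounts with no logon in the last 90 days.
Search-ADAccount -AccountInactive -TimeSpan 90.00:00:00 -UsersOnly |
    Where-Object { $_.Enabled } |
    Select-Object SamAccountName, LastLogonDate, DistinguishedName |
    Export-Csv inactive-90d.csv -NoTypeInformation

# Enabled accounts whose password never expires (expected for service accounts only).
Get-ADUser -Filter { PasswordNeverExpires -eq $true -and Enabled -eq $true } |
    Select-Object SamAccountName, Name, DistinguishedName |
    Export-Csv non-expiring.csv -NoTypeInformation

# Membership of the two highest-privilege groups, with nested groups expanded.
foreach ($g in 'Domain Admins', 'Enterprise Admins') {
    Get-ADGroupMember -Identity $g -Recursive |
        Select-Object @{ n = 'Group'; e = { $g } }, SamAccountName, objectClass
}
```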

7. Recommendations

High Priority Recommendations –

• Apply Default Domain Controllers Policy to the DC OU – If it is not applied, Active Directory operations may fail.

• Correct "Enable computer and user accounts to be trusted for delegation" – Without it, installation of additional domain controllers in domain spotsy.gov may fail if they select spotsy.gov DCs as a replication partner during the installation.

• Correct "Access this Computer from the Network" – Replication operations initiated by other domain controllers in the domain or by administrators may fail. Users and computers may also experience failures applying Group Policy objects.

Medium Priority Recommendations –

• Properly remove or recover domain controllers that are not replicating. Domain controllers will continue to generate replication errors until this is corrected.

• Sync time between servers. Servers not in sync can have replication and access issues affecting users.

• Raise the forest and domain functional levels to Windows Server 2008 R2 – To activate new forest-wide features.

Low Priority Recommendations –

• Move the schema master role to the same site as the other FSMO roles – It is a best practice for FSMO roles to have fast connectivity to each other; roles can be on the same server or on different servers in the same site.

• Protect AD OUs and objects from accidental deletion. This avoids having to restore accidentally deleted objects.

• Review the list of 90-day inactive accounts in the appendix and verify whether they should still be enabled.

• Review the password policy – We recommend a stricter policy and can work with Spotsylvania to establish something acceptable.

• Review the Non-Expiring Passwords list – Non-expiring passwords are common for service accounts but should not be used for standard user accounts.

• Review Domain Admins and Enterprise Admins group membership – Check whether all accounts are needed. We recommend creating separate admin accounts for each authorized user. This increases security because the admin accounts are used only when needed. Using a standard account with admin privileges creates a security concern because, if that account is compromised, the attacker then has full admin access.

Appendix

AD BPA Results

DNS BPA Results

DCDiag Results

RepAdmin Results

Group Policies

Accounts
