Module 10 - Improving The Security of Authentication in An AD DS Domain

07/06/13
Module 10: Improving the Security of Authentication in an AD DS Domain
Module10:ImprovingtheSecurityofAuthenticationin anADDSDomain
Contents: Lesson1: LabA: Lesson2: LabB: Lesson3: LabC: ConfigurePasswordandLockoutPolicies ConfigurePasswordandAccountLockoutPolicies AuditAuthentication AuditAuthentication ConfigureReadOnlyDomainControllers ConfigureReadOnlyDomainControllers
Module Overview
https://skillpipe.courseware-marketplace.com/reader/Print/be1aba64-6bbe-4ff5-82e5-4d7e5b9d8ee0?ChapterNumber=12&FontSize=3&FontType=segoe
1/90
07/06/13
WhenuserslogontoanActiveDirectory domain,theyentertheirusernameand password.Then,theclientcomputerusesthosecredentialstoauthenticatetheusers identitiesagainsttheirActiveDirectoryaccounts.InModule3,youlearnedhowto createandmanageuseraccountsandtheirproperties,includingpasswords.Inthis module,youwillexplorethedomainsidecomponentsofauthentication,includingthe policiesthatspecifypasswordrequirementsandtheauditingofauthenticationrelated activities.YouwillalsodiscovertwofeaturesintroducedbyWindowsServer2008 thatcansignificantlyimprovethesecurityofauthenticationinanActiveDirectory DomainServices(ADDS)domain,passwordsettingsobjects(betterknownasfine grainedpasswordpolicy)andreadonlydomaincontrollers(RODCs).
Objectives
https://skillpipe.courseware-marketplace.com/reader/Print/be1aba64-6bbe-4ff5-82e5-4d7e5b9d8ee0?ChapterNumber=12&FontSize=3&FontType=segoe 2/90
07/06/13
Aftercompletingthismodule,youwillbeableto: Configurepasswordandaccountlockoutpolicies. Configureauditingofauthenticationrelatedactivity. ConfigureRODCs.
Lesson 1: Configure Password and Lockout Policies
Bydefault,inaWindowsServer2008orWindowsServer2008R2domain,users
07/06/13
needtochangetheirpasswordevery42days,andapasswordmustbeatleastseven characterslongandmeetcomplexrequirements,includingtheuseofthreeoffour charactertypes:uppercase,lowercase,numeric,andnonalphanumeric.Typically,in anActiveDirectorydomain,administratorsandusersfirstencounterthreepassword policiesmaximumpasswordage,passwordlength,andpasswordcomplexity.Rarely dothesedefaultsettingsalignpreciselywithanorganizationspasswordsecurity requirements.Yourorganizationmightrequirepasswordstobechangedmoreorless frequently,ortobelonger.Inthislesson,youwilllearntoimplementyour enterprisespasswordandlockoutpoliciesbymodifyingtheDefaultDomainPolicy GroupPolicyobject(GPO). Asyouknow,thereareexceptionstoeveryrule,andyoumayrequireexceptionsto yourpasswordpolicies.Toenhanceyourdomainssecurity,youcanplacemore restrictivepasswordrequirementsforaccountsassignedtoadministrators,for accountsusedbyservicessuchasMicrosoftSQLServer,orforabackuputility. InearlierversionsofWindows,thiswasnotpossibleasinglepasswordpolicy appliedtoallaccountsinthedomain.Inthislesson,youwilllearntoconfigurefine grainedpasswordpolicies.ThisisanewfeatureinWindowsServer2008thatallows youtoassigndifferentpasswordpoliciestousersandgroupsinyourdomain.
Objectives
Aftercompletingthislesson,youwillbeableto: Understandpasswordandaccountlockoutpolicies.
07/06/13
Implementyourdomainpasswordandaccountlockoutpolicy. Configureandassignfinegrainedpasswordpolicies.
Understand Password Policies
YourdomainspasswordpolicyisconfiguredbyaGPOscopedtothedomain.Within theGPO,intheGroupPolicyconsoletree,expandComputerConfiguration,Policies, WindowsSettings,SecuritySettings,andthenAccountPolicies.IntheAccount Policiesnode,accessthePasswordPolicynodetoconfigurethepolicysettingsthat determinepasswordrequirements.ThePasswordPolicynodeisshowninthe

07/06/13
followingscreenshot.
Youcanunderstandtheeffectofthepoliciesbyconsideringthelifecycleofauser password.Auserneedstochangethepasswordwithinthenumberofdaysspecified bytheMaximumPasswordAgepolicysetting.Whentheuserentersanewpassword, thelengthofthenewpasswordwillbecomparedwiththenumberofcharactersin theMinimumPasswordLengthpolicy. IfthePasswordandMustMeetComplexityRequirementspolicyisenabled,the passwordmustcontainatleastthreeofthefollowingfourcharactertypes: Uppercase:AtoZ Lowercase:atoz Numeric:0to9
07/06/13
Nonalphanumericsymbols:!,#,%,or&
Ifthenewpasswordmeetsrequirements,ActiveDirectoryputsthepasswordthrough amathematicalalgorithmthatproducesarepresentationofthepasswordcalledthe hashcode.Thehashcodeisuniquenotwodifferentpasswordscancreatethesame hashcode.Thealgorithmusedtocreatethehashcodeiscalledaonewayfunction. Youcannotputthehashcodethroughareversefunctiontoderivethepassword.The factthatitisahashcodeandnotthepassworditselfthatisstoredinActiveDirectory helpsincreasetheuseraccountssecurity. Occasionally,someapplicationsrequiretheabilitytoreadauser'spassword.Thisis notpossiblebecause,bydefault,onlythehashcodeisstoredinActiveDirectory.To supportsuchapplications,youcanenabletheStorePasswordsUsingReversible Encryptionpolicysetting.Thispolicysettingisnotenabledbydefault.Ifyouenable thepolicy,userpasswordsarestoredinanencryptedformthatcanbedecryptedby theapplication.Reversibleencryptionsignificantlyreducesadomainssecurity,soitis disabledbydefault,andyoushouldstrivetoeliminateapplicationsthatrequiredirect accesstopasswords. Additionally,ActiveDirectorycancheckthecacheoftheusersprevioushashcodesto ensurethatthenewpasswordisnotthesameastheuserspreviouspasswords.The numberofpreviouspasswordsagainstwhichanewpasswordisevaluatedis determinedbytheEnforcePasswordHistorypolicy.Bydefault,Windowsmaintains
07/06/13
theprevious24hashcodes,whichmeansthatausercannotusethelast24 passwordswhenenteringanewone. Ifauserisdeterminedtoreusethesamepasswordwhenthepasswordexpiration periodoccurs,theusercouldsimplychangethepassword25timestoworkaround thepasswordhistory.Topreventthatfromhappening,theMinimumPasswordAge policyspecifiesanamountoftimethatmustpassbetweenpasswordchanges.By default,itisoneday.Therefore,thedetermineduserwouldhavetochangethe passwordonceperdayfor25daystoreuseapassword.Thisservesasaneffective deterrentofsuchbehavior. Thesepolicysettingshistory,minimumage,andmaximumageaffectonlyauser whochangesthepassword.Thesettingsdonotaffectanadministratorwhousesthe ResetPasswordcommandtochangeanotheruser'spassword.
Understand Account Lockout Policies
8/90
07/06/13
Anintrudercangainaccesstotheresourcesinyourdomainbydeterminingavalid usernameandpassword.Usernamesarerelativelyeasytoidentify,becausemost organizationscreateusernamesfromanemployee'semailaddress,initials, combinationsoffirstandlastnames,oremployeeIDs.Afterausernameisknown, theintrudermustdeterminethecorrectpassword.Thiscanbedonebyguessing,or byrepeatedlyloggingonwithcombinationsofcharactersorwordsuntilthelogonis successful. Thistypeofattack,calledbruteforce,canbethwartedbylimitingthenumberof incorrectlogonsthatareallowed.Thatiswhataccountlockoutpoliciesachieve. AccountlockoutpoliciesarelocatedinthenodeoftheGPOdirectlybelowthe PasswordPolicy.TheAccountLockoutPolicynodeisshowninthefollowingscreen
07/06/13
shot.
Therearethreesettingsrelatedtoaccountlockout.TheAccountLockoutThreshold settingdeterminesthenumberofinvalidlogonattemptspermittedwithinatime specifiedbytheResetaccountlockoutcounterafterpolicy.Ifanattackresultsin moreunsuccessfullogonswithinthattimeframe,theuseraccountislockedout. Whenanaccountislockedout,ActiveDirectorydenieslogontothataccount,evenif thecorrectpasswordisspecified.Theaccountwillremainlockedoutfortheperiodof timespecifiedintheAccountlockoutdurationsetting.Ifyousetthistoavalueof0, onlytheadministratorcanmanuallyunlockalockeduseraccountbyusingtheActive DirectoryUsersandComputersconsole. NoteAlthoughaccountlockoutpoliciescanbeusefulinpreventingbrute forceattacks,someorganizationschoosenottodefineaccountlockout policies,becausetheycanactuallycreatedenialofservicescenarios.Ifa hackerperformsabruteforceattackagainstan
10/90
07/06/13
accountusedbyaserviceaccountyourSQLservers,forexampleandtheaccount is locked,eventuallytheservicewillfail.Manyorganizationschoosetouseauditing, intrusiondetection,andothermonitoringapproachestomitigatebruteforceattacks.
Configure the Domain Password and Lockout Policy
ActiveDirectorysupportsonesetofpasswordandlockoutpoliciesforadomain. ThesepoliciesareconfiguredinaGPOthatisscopedtothedomain.Anewdomain containsaGPOcalledtheDefaultDomainPolicythatislinkedtothedomainandthat includesthedefaultpolicysettingsforpassword,accountlockout,andKerberos

07/06/13
policies.YoucanchangethesettingsbyeditingtheDefaultDomainPolicyGPO. ThebestpracticeistoedittheDefaultDomainPolicyGPOtospecifythepassword policysettingsforyourorganization.YoushouldalsousetheDefaultDomainPolicy GPOtospecifyaccountlockoutpoliciesandKerberospolicies.DonotusetheDefault DomainPolicyGPOtodeployanyothercustompolicysettings.Inotherwords,the DefaultDomainPolicyGPOonlydefinesthepassword,accountlockout,andKerberos policiesforthedomain.Additionally,donotdefinepassword,accountlockout,or KerberospoliciesforthedomaininanyotherGPO. ThepasswordsettingsconfiguredintheDefaultDomainPolicyaffectalluser accountsinthedomain.Thesettingscanbeoverridden,however,bythepassword relatedpropertiesoftheindividualuseraccounts.OntheAccounttabofauser's Propertiesdialogbox,youcanspecifysettingssuchasPasswordNeverExpiresor StorePasswordsUsingReversibleEncryption.Forexample,iffiveusershavean applicationthatrequiresdirectaccesstotheirpasswords,youcanconfigurethe accountsforthoseuserstostoretheirpasswordsbyusingreversibleencryption.
12/90
07/06/13
Demonstration: Configure Domain Account Policies
13/90
07/06/13
Inthisdemonstration,youseehowtoconfigurethedomainaccountpoliciestomeet thefollowingrequirementsforpasswords: Aminimumofeightcharacterslong. ComplywithWindowsdefaultcomplexityrequirements. Usersmustchangetheirpasswordevery90days. Userscannotchangetheirownpasswordmorethanonceaweek. Ausercannotreuseapasswordwithinayear.
14/90
07/06/13
Demonstration Steps
1. IntheGroupPolicyManagementconsole,intheconsoletree,expand Forest:contoso.com,Domains,andcontoso.com. 2. RightclickDefaultDomainPolicyunderneaththedomain,contoso.com,and thenclickEdit. 3. IntheGroupPolicyManagementEditorconsoletree,expandComputer Configuration,Policies,WindowsSettings,SecuritySettings,and AccountPolicies,andthenclickPasswordPolicy. 4. Doubleclickthefollowingpolicysettingsintheconsoledetailspaneand configurethesettingsasindicated: Enforcepasswordhistory:53passwordsremembered Maximumpasswordage:90days Minimumpasswordage:7days Minimumpasswordlength:8characters Passwordmustmeetcomplexityrequirements:Enabled 5. 6. ClosetheGroupPolicyManagementEditorwindow. ClosetheGroupPolicyManagementwindow.
15/90
07/06/13
Fine-Grained Password and Lockout Policy
IntheWindowsServer2003ActiveDirectoryenvironment,itwasnotpossibleto havemorethanonepasswordandaccountlockoutpolicyperdomain.Becauseofthis limitationintheearlierWindowsServerversions,youhadtocreatemorethanone domainintheActiveDirectoryforestfordifferentpasswordrequirementsinasingle organization.Forexample,considerascenariowhereyouwantyouradministratorsto havepasswordswithaminimumlengthof14charactersandotheruserstohaveat least7ormorecharacters.Theonlywaytoaccomplishthisistomoveadministrators (orusers)toanotherdomain.Insuchscenarios,administratorsusuallycreatetwo domainssuchascontoso.comandusers.contoso.com.However,itcancause additionalmaintenanceandadministrativecosttosupporttwodomainstructures.You
07/06/13
cansolvethisproblembyusingWindowsServer2008.Youcanoverridethedomain passwordandlockoutpolicybyusinganewfeatureofWindowsServer2008called finegrainedpasswordandlockoutpolicy,oftenshortenedtosimplyfinegrained passwordpolicy.Afinegrainedpasswordpolicyallowsyoutoconfigureapolicythat appliestooneormoregroupsorusersinyourdomain.However,youcannotapply thisfunctionalitybyusingGroupPolicy.Youcanapplyitonlybydefininganewtype ofobjectandsomeadditionalattributestouserandgroupobjects. AfinegrainedpasswordpolicyisahighlyanticipatedadditiontoActiveDirectory. Thereareseveralscenariosforwhichafinegrainedpasswordpolicycanbeusedto increaseyourdomainsecurity. AccountsusedbyadministratorsaredelegatedprivilegestomodifyobjectsinActive Directory.Therefore,ifanintrudercompromisesanadministrator'saccount,more damagecanbedonetothedomainthancouldbedonewiththeaccountofa standarduser.Therefore,considerimplementingstricterpasswordrequirementsfor administrativeaccounts.Forexample,youmightrequireagreaterpasswordlength andmorefrequentpasswordchanges. Anothertypeofaccountthatrequiresspecialtreatmentinadomainisanaccount usedbyservicessuchasSQLServer.Aserviceperformsitstaskswithcredentialsthat mustbeauthenticatedwithausernameandpasswordjustlikethoseofahuman user.However,mostservicesarenotcapableofchangingtheirownpassword,so administratorsconfigureserviceaccountswiththePasswordNeverExpiresoption
07/06/13
enabled.Whenanaccountspasswordwillnotbechanged,youshouldensurethat thepasswordisdifficulttocompromise.Youcanusefinegrainedpasswordpolicies tospecifyanextremelylongminimumpasswordlength.
Understand Password Settings Objects
Thesettingsmanagedbyfinegrainedpasswordpolicyareidenticaltothoseinthe PasswordPolicyandAccountsPolicynodesofaGPO.However,finegrained passwordpoliciesareneitherimplementedaspartofGroupPolicynorarethey appliedaspartofaGPO.Instead,thereisaseparateclassofobjectinActive DirectorythatmaintainsthesettingsforfinegrainedpasswordpolicythePassword SettingsObject(PSO).

07/06/13
MostActiveDirectoryobjectscanbemanagedwithuserfriendlygraphicaluser interface(GUI)tools,suchastheActiveDirectoryUsersandComputerssnapin.You managePSOs,however,withlowleveltools,includingActiveDirectoryService InterfaceEditor(ADSIEdit). YoucancreateoneormorePSOsinyourdomain.EachPSOcontainsacompleteset ofpasswordandlockoutpolicysettings.APSOisappliedbylinkingthePSOtoone ormoreglobalsecuritygroupsorusers.Actually,bylinkingaPSOtoauserora group,youremodifyinganattributecalledmsDSPSOApplied,whichisemptyby default.Thisapproachnowtreatspasswordandaccountlockoutsettingsnotas domainwiderequirements,butasattributestoaspecificuseroragroup.For example,toconfigureastrictpasswordpolicyforadministrativeaccounts,createa globalsecuritygroup,addtheserviceuseraccountsasmembers,andlinkaPSOto thegroup.Applyingfinegrainedpasswordpoliciestoagroupinthismannerismore manageablethanapplyingthepoliciestoeachindividualuseraccount.Ifyoucreatea newserviceaccount,yousimplyaddittothegroup,andtheaccountbecomes managedbythePSO. Touseafinegrainedpasswordpolicy,yourdomainmustbeattheWindowsServer 2008domainfunctionallevel,whichmeansthatallofyourdomaincontrollersinthe domainarerunningWindowsServer2008,andthedomainfunctionallevelhasbeen raisedtoWindowsServer2008. Toconfirmandmodifythedomainfunctionallevel:
07/06/13
1. 2.
OpenActiveDirectoryDomainsandTrusts. Intheconsoletree,expandActiveDirectoryDomainsandTrusts,andthen expandthetreeuntilyoucanseethedomain.
3.
Rightclickthedomain,andthenclickRaisedomainfunctionallevel.
Demonstration: Configure Fine-Grained Password Policy
Inthisdemonstration,youwillseehowtoconfigureafinegrainedpasswordpolicyto enhancethesecurityofaccountsintheDomainAdminsgroup.
20/90
07/06/13
Demonstration Steps
1. 2. 3. VerifythatthedomainfunctionallevelisWindowsServer2008. RuntheADSIEditutilityonadomaincontroller. CreateanewPSO,namedMyDomainAdminsPSOinDC=Contoso>DC=com >CN=System>CN=PasswordSettingsContainer,withfollowingsettings: Passwordstoredwithreversibleencryption:False Passwordhistory:Enabled Passwordcomplexityrequirement:Enabled Minimumpasswordage:1day Maximumpasswordage:45days Accountlockoutthreshold:5 Accountlockoutduration:1day Accountlockoutcounterreset:1hour 4. AssignanewPSOtoDomainAdminsgroup.
PSO Precedence and Resultant PSO

07/06/13
APSOcanbelinkedtomorethanonegrouporuser,anindividualgrouporusercan havemorethanonePSOlinkedtoit,andausercanbelongtomultiplegroups.So, whichfinegrainedpasswordandlockoutpolicysettingsapplytoauser?Oneand onlyonePSOdeterminesthepasswordandlockoutsettingsforauser,whichiscalled theresultantPSO.EachPSOhasanattributethatdeterminesthePSOsprecedence. Theprecedencevalueisanynumbergreaterthan0,wherethenumber1indicates thehighestprecedence.IfmultiplePSOsapplytoauser,thePSOwiththehighest precedencetakeseffect.Therulesthatdetermineprecedenceareasfollows: IfmultiplePSOsapplytogroupstowhichtheuserbelongs,thePSOwiththe highestprecedencewins.
07/06/13
IfoneormorePSOsarelinkeddirectlytotheuser,PSOslinkedtogroupsare ignored,regardlessoftheirprecedence.TheuserlinkedPSOwiththehighest precedencewins. IfoneormorePSOshavethesameprecedencevalue,ActiveDirectorymust choose.ItpicksthePSOwiththelowestgloballyuniqueidentifier(GUID).GUIDs arelikeserialnumbersforActiveDirectoryobjectsnotwoobjectshavethesame GUID.GUIDshavenoparticularmeaningtheyarejustidentifierssopickingthe PSOwiththelowestGUIDis,ineffect,anarbitrarydecision.Youshouldconfigure PSOswithunique,specificprecedencevaluessothatyouavoidthisscenario.
TheserulesdeterminetheresultantPSO.ActiveDirectoryexposestheresultantPSO inauserobjectattribute,msDSResultantPSO,soyoucanreadilyidentifythePSO thatwillaffectauser.PSOscontainallpasswordandlockoutsettings,sothereisno inheritanceormergingofsettings.TheresultantPSOistheauthoritativePSO. ToviewthemsDSResultantPSOattributeofauser: 1. 2. 3. 4. EnsurethatAdvancedFeaturesisenabledontheViewmenu. Openthepropertiesoftheuseraccount. ClicktheAttributeEditortab. ClickFilterandensurethatConstructedisselected.

23/90
07/06/13
5.
LocatethemsDSResultantPSOattribute.
PSOs, OUs, and Shadow Groups

PSOscanbelinkedtoglobalsecuritygroupsorusers.PSOscannotbelinkedto organizationalunits(OUs).Ifyouwanttoapplypasswordandlockoutpoliciesto usersinanOU,youmustcreateaglobalsecuritygroupthatincludesalloftheusers intheOU.Thistypeofgroupiscalledashadowgroupitsmembershipshadows,or mimics,themembershipofanOU. NoteThereisnographicaltoolinWindowsServer2008tocreateshadow groups.However,youcancreateandmanagethembyusingaverysimple scriptthatwillrunperiodically.Thisscriptshouldenumerateuserobjectsin thedesiredOUandputtheminagroup.
Lab A: Configure Password and Account Lockout Policies
24/90
07/06/13
Lab Setup
Forthislab,youwillusetheavailablevirtualmachineenvironment.Beforeyoubegin thelab,youmustcompletethefollowingsteps: 1. Onthehostcomputer,clickStart,pointtoAdministrativeTools,andthen clickHyperVManager. 2. InHyperVManager,click6425CNYCDC1,andintheActionspane,click Start. 3. IntheActionspane,clickConnect.Waituntilthevirtualmachinestarts.
25/90
07/06/13
4.
Logonbyusingthefollowingcredentials: Username:Pat.Coleman Password:Pa$$w0rd Domain:Contoso
Lab Scenario
ThesecurityteamatContoso,Ltdhastaskedyouwithincreasingthesecurityand monitoringofauthenticationagainsttheenterprisesADDSdomain.Specifically,you mustenforceaspecifiedpasswordpolicyforalluseraccounts,andamorestringent passwordpolicyforsecuritysensitive,administrativeaccounts.
Exercise 1: Configure the Domains Password and Lockout Policies

Inthisexercise,youwillmodifytheDefaultDomainPolicyGPOto implementapasswordandlockoutpolicyforusersinthecontoso.com domain. Themaintasksforthisexerciseareasfollows: 1. Configurethedomainaccountpolicies.
26/90
07/06/13
Task: Configure the domain account policies.
1.
RunGroupPolicyManagementasanadministrator,withtheusername Pat.Coleman_AdminandthepasswordPa$$w0rd.
2. 3.
EdittheDefaultDomainPolicyGPO. Configurethefollowingpasswordpolicysettings.Leaveothersettingsattheir defaultvalues. Maximumpasswordage:90days Minimumpasswordlength:10characters
4.
Configurethefollowingaccountlockoutpolicysetting.Leaveothersettingsat theirdefaultvalues. Accountlockoutthreshold:5invalidlogonattempts.
5.
CloseGroupPolicyManagementEditorandGroupPolicyManagement.
Results:Inthisexercise,youconfigurednewsettingsforthedomainaccount policies.
Exercise 2: Configure Fine-Grained Password Policy

07/06/13
Inthisexercise,youwillcreateaPSOthatappliesarestrictive,fine grainedpasswordpolicytouseraccountsintheDomainAdminsgroup.You willidentifythePSOthatcontrolsthepasswordandlockoutpoliciesforan individualuser.Finally,youwilldeletethePSOthatyoucreated. Themaintasksforthisexerciseareasfollows: 1. 2. 3. 4. CreateaPSO. LinkaPSOtoagroup. IdentifytheResultantPSOforauser. DeleteaPSO.
Task 1: Create a PSO.
1.
ClickStart,pointtoAdministrativeTools,rightclickADSIEdit,andclick Runasadministrator.
2. 3. 4.
ClickUseanotheraccount. IntheUsernamebox,typePat.Coleman_Admin. InthePasswordbox,typePa$$w0rd,andthenpressEnter.TheADSIEdit consoleopens.
28/90
07/06/13
5. 6. 7. 8. 9.
RightclickADSIEditandclickConnectTo. Acceptalldefaults.ClickOK. ClickDefaultNamingContextintheconsoletree. ExpandDefaultNamingContextandclickDC=contoso,DC=com. ExpandDC=contoso,DC=comandclickCN=System.
10. ExpandCN=SystemandclickCN=PasswordSettingsContainer. AllPSOsarecreatedandstoredinthePasswordSettingsContainer(PSC). 11. RightclickCN=PasswordSettingsContainerandchooseNew,Object.The CreateObjectdialogboxappears. Itpromptsyoutoselectthetypeofobjecttocreate.Thereisonlyonechoice:
msDSPasswordSettingsthetechnicalnamefortheobjectclassreferredtoasa
PSO. 12. ClickNext.YouarethenpromptedforthevalueforeachattributeofaPSO. Theattributesaresimilartothosefoundinthedomainaccountpolicies. 13. Configureeachattributeasindicatedbelow.ClickNextaftereachattribute. cn:MyDomainAdminsPSO.ThisisthefriendlynameofthePSO. msDSPasswordSettingsPrecedence:1.ThisPSOhasthehighestpossible precedence.
07/06/13
msDSPasswordReversibleEncryptionEnabled:False.Thepasswordis notstoredbyusingreversibleencryption. msDSPasswordHistoryLength:30.Theusercannotreuseanyofthelast 30passwords. msDSPasswordComplexityEnabled:True.Passwordcomplexityrulesare enforced. msDSMinimumPasswordLength:15.Passwordsmustbeatleast15 characterslong. msDSMinimumPasswordAge:1:00:00:00.Ausercannotchangethe passwordwithinonedayofapreviouschange.Theformatisd:hh:mm:ss (days,hours,minutes,seconds). msDSMaximumPasswordAge:45:00:00:00.Thepasswordmustbe changedevery45days. msDSLockoutThreshold:5.Fiveinvalidlogonswithinthetimeframe specifiedbyXXX(thenextattribute)willresultinaccountlockout. msDSLockoutObservationWindow:0:01:00:00.Fiveinvalidlogons (specifiedbythepreviousattribute)withinonehourwillresultinaccount lockout. msDSLockoutDuration:1:00:00:00.Anaccount,iflockedout,willremain lockedforoneday,oruntilitisunlockedmanually.Avalueofzerowillresult
07/06/13
intheaccountremaininglockedoutuntilanadministratorunlocksit. 14. ClickFinish. 15. CloseADSIEdit.
Task 2: Link a PSO to a group.
1.
RunActiveDirectoryUsersandComputerswithadministrativecredentials. UsetheaccountPat.Coleman_AdminwiththepasswordPa$$w0rd.
2.
Intheconsoletree,expandtheSystemcontainer. IfyoudonotseetheSystemcontainer,clicktheViewmenuoftheMMC console,andensurethatAdvancedFeaturesisselected.
3. 4. 5.
Intheconsoletree,clickthePasswordSettingsContainer. RightclickMyDomainAdminsPSO,andthenclickAttributeEditor. IntheAttributeslist,clickmsDSPSOAppliesTo,andthenclickEdit. TheMultivaluedDistinguishedNameWithSecurityPrincipalEditor dialogboxappears.
6.
ClickAddWindowsAccount.
31/90
07/06/13
TheSelectUsers,Computers,orGroupsdialogboxappears. 7. 8. TypeDomainAdmins,andthenpressEnter. ClickOKtwotimestoclosetheopendialogboxes.
Task 3: Identify the Resultant PSO for a user.
1.
RunActiveDirectoryUsersandComputersasanadministratorwiththeuser namePat.Coleman_AdminandthepasswordPa$$w0rd.
2.
OpenAttributeEditorinthePropertiesdialogboxfortheaccount Pat.Coleman_Admin.
3.
ClickFilterandensurethatConstructedisselected. Theattributeyouwilllocateinthenextstepisaconstructedattribute,meaning thattheresultantPSOisnotahardcodedattributeofauserratheritis calculatedbyexaminingthePSOslinkedtoauserinrealtime. Question:WhatistheresultantPSOforPatColeman(Administrator)?
Task 4: Delete a PSO.
32/90
07/06/13
1.
WithAdvancedFeaturesenabledontheViewmenuofActiveDirectory UsersandComputers,opentheSystemcontainerandthePassword SettingsContainer.
2.
DeletetheMyDomainAdminsPSO,whichyoucreated.
Results:Inthisexercise,youcreatedaPSO,appliedittoDomainAdminsand confirmeditsapplication,andthendeletedthePSO.
NoteDonotshutdownthevirtualmachineafteryoufinishthislabbecause thesettingsyouhaveconfiguredherewillbeusedinsubsequentlabsinthis module
Lab Review Questions Question:WhatarethebestpracticesformanagingPSOsinadomain? Question:Howcanyoudefineauniquepasswordpolicyforalltheservice accountsinthe ServiceAccountsOU?
33/90
07/06/13
Lesson 2: Audit Authentication
WindowsServer2008allowsyoutoauditthelogonactivityofusersinadomain.By auditingsuccessfullogons,youcanlookforinstancesinwhichanaccountisusedat unusualtimesorinunexpectedlocations,whichmayindicatethatanintruderis loggingontotheaccount.Auditingfailedlogonscanrevealattemptsbyintrudersto compromiseanaccount.Inthislesson,youwilllearntoconfigureauditinglogon authentication.
Objectives
07/06/13
Aftercompletingthislesson,youwillbeableto: Configureauditingofauthenticationrelatedactivity. Distinguishbetweenaccountlogonandlogonevents. IdentifyauthenticationrelatedeventsintheSecuritylog.
Account Logon and Logon Events
Thislessonexaminestwospecificpolicysettings,AuditAccountLogonEventsand AuditLogonEvents.Youneedtounderstandthedifferencebetweenthesetwo
07/06/13
similarlynamedpolicysettings. Whenauserlogsontoanycomputerinthedomainbyusingadomainuseraccount, adomaincontrollerauthenticatestheattempttologontothedomainaccount.This generatesanaccountlogoneventonthedomaincontroller. Thecomputertowhichtheuserlogsonforexample,theuserslaptopgeneratesa logonevent.Thecomputerdidnotauthenticatetheuseragainsttheaccountit passedtheaccounttoadomaincontrollerforvalidation.Thecomputerdid,however, allowtheusertologoninteractivelytothecomputer. Therefore,theeventisalogonevent. Whentheuserconnectstoafolderonaserverinthedomain,thatserverauthorizes theuserforatypeoflogoncalledanetworklogon.Again,theserverdoesnot authenticatetheuseritreliesontheticketgiventotheuserbythedomain controller.But,theconnectionbytheusergeneratesalogoneventontheserver. NoteThecontentinthefollowingsectionisspecifictoWindowsServer2008 R2.
Advanced Audit Policies

InWindowsServer2008R2,theAdvancedAuditPolicyconfigurationincludesnew
07/06/13
categoriesinGroupPolicyforauditinglogonandaccountlogonevents.Youlearned abouttheseadvancedauditpoliciesinModule9.Thisprovidesadministratorswith theabilitytohavemuchmoregranularandmoredetailedcontroloverthelogon processandobtaininformationaboutveryspecificeventsthathappenduringthe logonorlogoffprocess. Foranaccountlogonevent,youcannowdefinefourdifferentsettingsforaudit: CredentialValidation.Auditeventsgeneratedbyvalidationtestsonuseraccount logoncredentials. KerberosServiceTicketOperations.AuditeventsgeneratedbyKerberosservice ticketrequests. OtherAccountLogonEvents.Auditeventsgeneratedbyresponsestocredential requestssubmittedforauseraccountlogonthatarenotcredentialvalidationor Kerberostickets. KerberosAuthenticationService.AuditeventsgeneratedbyKerberosauthentication ticketgrantingticket(TGT)requests.
Youcanauditthefollowinglogonandlogoffevents: Logon.Auditeventsgeneratedbyuseraccountlogonattemptsonacomputer.
07/06/13
Logoff.Auditeventsgeneratedbyclosingalogonsession.Theseeventsoccuron thecomputerthatwasaccessed.Foraninteractivelogon,thesecurityauditevent isgeneratedonthecomputerthattheuseraccountloggedonto. AccountLockout.Auditeventsgeneratedbyafailedattempttologontoan accountthatislockedout. IPsecMainMode.AuditeventsgeneratedbyInternetKeyExchangeprotocol(IKE) andAuthenticatedInternetProtocol(AuthIP)duringMainModenegotiations. IPsecQuickMode.AuditeventsgeneratedbyIKEandAuthIPduringQuickMode negotiations. IPsecExtendedMode.AuditeventsgeneratedbyIKEandAuthIPduringExtended Modenegotiations. SpecialLogon.Auditeventsgeneratedbyspeciallogons. OtherLogon/LogoffEvents.Auditothereventsrelatedtologonandlogoffthatare notincludedintheLogon/Logoffcategory. NetworkPolicyServer.AuditeventsgeneratedbyRADIUS(IAS)andNetwork AccessProtection(NAP)useraccessrequests.TheserequestscanbeGrant,Deny, Discard,Quarantine,Lock,andUnlock.
Configure Authentication-Related Audit Policies

07/06/13
AccountlogonandlogoneventscanbeauditedbyWindowsServer2008.These settingsthatmanageauditingarelocatedinaGPOintheComputerConfiguration> Policies>WindowsSettings>SecuritySettings>LocalPolicies>AuditPolicynode. TheAuditPolicynodeandthetwosettingsareshowninthefollowingscreenshot.
InWindowsServer2008R2,youcanconfigureadditionalauditpoliciesinthe
07/06/13
AdvancedAuditPolicyConfigurationnode,asshowninthefollowingscreenshot:
Toconfigureanauditpolicy,bothbasicandadvanced,doubleclickthepolicy.Then, itspropertiesdialogboxappears.TheAuditAccountLogonEventsPropertiesdialog boxisshowninthefollowingscreenshot.Thepolicysettingcanbeconfiguredto oneofthefollowingfourstates: NotDefined:IftheDefineThesePolicySettingscheckboxiscleared,the policysettingisnotdefined.Inthiscase,theserverwillaudittheeventbasedon itsdefaultsettingsoronthesettingsspecifiedinanotherGPO. Definedfornoauditing:IftheDefineThesePolicySettingscheckboxis selected,buttheSuccessandFailurecheckboxesarecleared,theserverwillnot audittheevent. Auditsuccessfulevents:IftheDefineThesePolicySettingscheckboxis selected,andtheSuccesscheckboxisselected,theserverwilllogsuccessful eventsinitsSecuritylog.
07/06/13
Auditfailedevents:IftheDefineThesePolicySettingscheckboxisselected, andtheFailurecheckboxesselected,theserverwilllogunsuccessfuleventsinits Securitylog.
Aserversauditbehaviorisdeterminedbytheoneofthesefoursettingsthatis appliedastheresultantsetofpolicy(RSoP). InWindowsServer2008,thedefaultsettingistoauditsuccessfulaccountlogon eventsandsuccessfullogonevents.So,bothtypesofeventsare,ifsuccessful, enteredintheserversSecuritylog.Ifyouwanttoauditfailuresortoturnoff auditing,youwillneedtodefinetheappropriatesettingintheauditpolicy.
Scope Audit Policies
41/90
07/06/13
Aswithallpolicysettings,youshouldbecarefultoscopesettingssothattheyaffect thecorrectsystems.Forexample,ifyouwanttoauditattemptsbyuserstoconnect toremotedesktopserversinyourenterprise,youcanconfigurelogonevent,auditing inaGPOlinkedtotheOUthatcontainsyourremotedesktopservers.If,ontheother hand,youwanttoauditlogonsbyuserstodesktopsinyourhumanresources department,youcanconfigurelogoneventauditinginaGPOlinkedtotheOU containinghumanresourcescomputerobjects.Rememberthatdomainuserslogging ontoaclientcomputerorconnectingtoaserverwillgeneratealogoneventnotan accountlogoneventonthatsystem. Onlydomaincontrollersgenerateaccountlogoneventsfordomainusers.Remember thatanaccountlogoneventoccursonthedomaincontrollerthatauthenticatesa
07/06/13
domainuser,regardlessofwherethatuserlogson.Ifyouwanttoauditlogonsto domainaccounts,youshouldscopeaccountlogoneventauditingtoaffectonly domaincontrollers.Infact,theDefaultDomainControllersGPOthatiscreatedwhen youinstallyourfirstdomaincontrollerisanidealGPOinwhichtoconfigureaccount logonauditpolicies.
View Logon Events
Accountlogonandlogonevents,ifaudited,appearintheSecuritylogofthesystem thatgeneratedtheevent.Anexampleisshowninthefollowingscreenshot.
43/90
07/06/13
So,ifyouareauditinglogonstocomputersinthehumanresourcesdepartment,the eventsareenteredineachcomputersSecuritylog.Similarly,ifyouareauditing unsuccessfulaccountlogonstoidentifypotentialintrusionattempts,theeventsare enteredineachdomaincontrollersSecuritylog.Thismeans,bydefault,youwillneed toexaminetheSecuritylogsofalldomaincontrollerstogetacompletepictureof accountlogoneventsinyourdomain. Asyoucanimagine,inacomplexenvironmentwithmultipledomaincontrollersand manyusers,auditingaccountlogonsorlogonscangenerateatremendousnumberof events.Iftherearetoomanyevents,itcanbedifficulttoidentifyproblematicevents worthyofcloserinvestigation.Youshouldbalancetheamountofloggingyou performwiththesecurityrequirementsofyourbusinessandtheresourcesyouhave availabletoanalyzeloggedevents.
Lab B: Audit Authentication
44/90
07/06/13
ThevirtualmachinesshouldalreadybestartedandavailableaftercompletingLabA. However,iftheyarenot,youshouldcompleteLabAbeforecontinuing.Youwillbe unabletocompleteLabBsuccessfullyunlessyouhavecompletedLabA. 1. 2. 3. 4. Start6425CNYCDC1. LogontoNYCDC1asPat.Coleman,withthepassword,Pa$$w0rd. OpenWindowsExplorerandthenbrowsetoD:\Labfiles\Lab10b. RunLab10b_Setup.batwithadministrativecredentials.Usetheaccount Pat.Coleman_Admin,withthepassword,Pa$$w0rd.
45/90
07/06/13
5. 6.
Thelabsetupscriptruns.Whenitiscomplete,pressanykeytocontinue. ClosetheWindowsExplorerwindow,Lab10b.
Lab Scenario
ThesecurityteamatContoso,Ltdhastaskedyouwithincreasingthesecurityand monitoringofauthenticationagainsttheenterprisesADDSdomain.Specifically,you needtocreateanaudittrailoflogons.
Exercise: Audit Authentication

Inthisexercise,youwilluseGroupPolicytoenableauditingofboth successfulandunsuccessfullogonactivitybyusersinthecontoso.com domain.Youwillthengeneratelogoneventsandviewtheresultingentries intheeventlogs. Themaintasksforthisexerciseareasfollows: 1. 2. 3. Configureauditingofaccountlogonevents. Configureauditingoflogonevents. ForcearefreshGroupPolicy.
46/90
07/06/13
4. 5. 6.
Generateaccountlogonevents. Examineaccountlogonevents. Examinelogonevents.
Task 1: Configure auditing of account logon events.
1.
RunGroupPolicyManagementasanadministrator,withtheusername Pat.Coleman_AdminandthepasswordPa$$w0rd.
2.
ModifytheDefaultDomainControllersPolicyGPOtoenableauditingevents forbothsuccessfulandfailedaccountlogonevents.
3.
CloseGroupPolicyManagementEditor.
Task 2: Configure auditing of logon events.
1.
CreateaGroupPolicyObject(GPO)linkedtotheServers\Important ProjectOU.NametheGPOServerLockdownPolicy.
2.
ModifytheServerLockdownPolicytoenableauditingeventsforboth successfulandfailedlogonevents.
3.
CloseGroupPolicyManagementEditorandGroupPolicyManagement.
47/90
07/06/13
Task 3: Force a refresh Group Policy.
1.
Start6425CNYCSVR1.Asthecomputerstarts,itwillapplythechangesyou madetoGroupPolicy.
2.
OnNYCDC1,runtheCommandPromptasanadministrator,withtheuser namePat.Coleman_AdminandthepasswordPa$$w0rd,andthenrunthe commandgpupdate.exe/force.Closethecommandprompt.
Task 4: Generate account logon events.
1.
LogontoNYCSVR1asPat.Coleman,butenteranincorrectpassword.The followingmessageappears:Theusernameorpasswordisincorrect.
2.
Afteryouhavebeendeniedlogon,logonagainwiththecorrectpassword, Pa$$w0rd.
Task 5: Examine account logon events.
1.
OnNYCDC1,runEventViewerasanadministrator,withtheusername Pat.Coleman_AdminandthepasswordPa$$w0rd.
48/90
07/06/13
2.
IdentifythefailedandsuccessfuleventsintheSecuritylog. Question:WhichEventIDisassociatedwiththeaccountlogonfailure events?(Hint:Lookfor theearliestofaseriesoffailureeventsatthetimeyouloggedonincorrectlyto NYCSVR1.) Question:WhichEventIDisassociatedwiththesuccessfulaccountlogon? (Hint:Lookfor theearliestofaseriesofeventsatthetimeyouloggedonincorrectlytoNYC SVR1.)
Task 6: Examine logon events
1.
OnNYCSVR1,runEventViewerasanadministrator,withtheusername Pat.Coleman_AdminandthepasswordPa$$w0rd.
2.
IdentifythefailedandsuccessfuleventsintheSecuritylog. Question:WhichEventIDisassociatedwiththelogonfailureevents? (Hint:Lookforthe
49/90
07/06/13
earliestofaseriesoffailureeventsatthetimeyouloggedonincorrectlytoNYC SVR1.) Question:WhichEventIDisassociatedwiththesuccessfullogon?(Hint: Lookfortheearliest ofaseriesofeventsatthetimeyouloggedonincorrectlytoNYCSVR1.)
Results:Inthisexercise,youestablishedandreviewedauditingforsuccessfuland failedlogonstothedomainandtoserversintheImportantProjectOU.
NoteDonotshutdownthevirtualmachineafteryoufinishthislabbecause thesettings
youhaveconfiguredherewillbeusedinsubsequentlabsinthismodule. Lab Review Questions Question:Youhavebeenaskedtoauditattemptstologontodesktopsand laptopsintheFinancedivisionbyusinglocalaccountssuchasAdministrator. Whattypeofauditpolicydo
50/90
07/06/13
youset,andinwhatGPO(s)?
Lesson 3: Configure Read-Only Domain Controllers
Branchofficespresentauniquechallengetoanenterprisesinformationtechnology (IT)staff:Ifabranchofficeisseparatedfromthehubsitebyawideareanetwork (WAN)link,shouldyouplaceadomaincontrollerinthebranchoffice?Inthe previousversionsofWindows,theanswertothisquestionwasnotsimple.Windows Server2008,however,introducesanewtypeofdomaincontrollertheRODCthat makesthequestioneasiertoanswer.Inthislesson,youwillexploretheissues

07/06/13
relatedtobranchofficeauthenticationanddomaincontrollerplacement,andyouwill learnhowtoimplementandsupportabranchofficeRODC.
Objectives
Aftercompletingthislesson,youwillbeableto: IdentifythebusinessrequirementsforRODCs. InstallanRODC. Configurepasswordreplicationpolicy. ConfigurepasswordRODCcredentialscaching. MonitorthecachingofcredentialsonanRODC.
Authentication and Domain Controller Placement in a Branch Office
52/90
07/06/13
Considerascenarioinwhichanenterpriseischaracterizedbyahubsiteandseveral branchoffices.ThebranchofficesconnecttothehubsiteoverWANlinksthatmay becongested,expensive,slow,orunreliable.Usersinthebranchofficemustbe authenticatedbyActiveDirectorytoaccessresourcesinthedomain.Shouldadomain controllerbeplacedinthebranchoffice? Inbranchofficescenarios,manyoftheITservicesarecentralizedinthehubsite, whichiscarefullymaintainedbytheITstaff.Inlargerorganizations,thehubsitemay includearobustdatacenter.Branchoffices,however,areoftensmallersitesinwhich nodatacenterexists.Infact,manybranchofficeshavenosignificantITpresence otherthanahandfulofservers.Theremaybenophysicallysecurefacilitytohouse branchofficeservers.Theremaybefew,ifany,localITstafftosupporttheservers.
07/06/13
Ifadomaincontrollerisnotplacedinthebranchoffice,authenticationandservice ticketactivitieswillbedirectedtothehubsiteovertheWANlink.Authentication occurswhenusersfirstlogontotheircomputersinthemorning.Serviceticketsarea componentoftheKerberosauthenticationmechanismusedbytheWindowsServer 2008domains.Youcanthinkofaserviceticketasakeyissuedbythedomain controllertoauser.Thekeyallowstheusertoconnecttoaservice,suchastheFile andPrintservice,onafileserver.Whenauserfirsttriestoaccessaspecificservice, theusersclientrequestswhatiscalledaserviceticketfromthedomaincontroller. Becauseuserstypicallyconnecttomultipleservicesduringaworkday,serviceticket activityhappensregularly.AuthenticationandserviceticketactivityovertheWANlink betweenabranchofficeandahubsitecanresultinsloworunreliableperformance. Ifadomaincontrollerisplacedinthebranchoffice,authenticationismuchmore efficientbutthereareseveralpotentiallysignificantrisks.Adomaincontroller maintainsacopyofallattributesofallobjectsinitsdomain,includingsecretssuchas informationrelatedtouserpasswords.Ifadomaincontrollerisaccessedorstolen,it becomespossibleforadeterminedexperttoidentifyvalidusernamesand passwords,atwhichpointtheentiredomainiscompromised.Youmustatleastreset thepasswordsofeveryuseraccountinthedomain.Becausethesecurityofserversat branchofficesisoftenlessthanideal,abranchofficedomaincontrollerposesa considerablesecurityrisk. AsecondconcernisthatchangestotheActiveDirectorydatabaseonabranchoffice domaincontrollerreplicatetothehubsiteandtoallotherDCsintheenvironment.
07/06/13
Therefore,corruptiontothebranchofficedomaincontrollerposesarisktothe integrityoftheenterprisedirectoryservice.Forexample,ifabranchoffice administratorperformsarestoreofthedomaincontrollerfromanoutdatedbackup, therecanbesignificantrepercussionsfortheentiredomain. Thethirdconcernrelatestoadministration.Abranchofficedomaincontrollermay requiremaintenancesuchasanewdevicedriver.Toperformmaintenanceona standarddomaincontroller,youmustlogonasamemberoftheAdministrators grouponthedomaincontroller,whichmeansyouareeffectivelyanadministratorof thedomain.Itmaynotbeappropriatetograntthatlevelofcapabilitytoasupport teamatabranchoffice.
What Are Read-Only Domain Controllers?
55/90
07/06/13
Thesecurity,directoryserviceintegrity,andadministrationconcernsleftmany enterpriseswithadifficultchoicetomake.WindowsServer2008introducesthe RODC,whichisdesignedspecificallytoaddressthebranchofficescenario.AnRODC isadomaincontroller,typicallyplacedinthebranchoffice,whichmaintainsacopyof allobjectsinthedomainandallattributesexceptforsecretssuchaspassword relatedproperties.Ifyoudonotconfigurecaching,whenauserinthebranchoffice logson,theRODCreceivestherequestandforwardsittoadomaincontrollerinthe hubsiteforauthentication. YoucanconfigureapasswordreplicationpolicyfortheRODCthatspecifiesuser accountstheRODCisallowedtocache.Iftheuserloggingonisincludedinthe passwordreplicationpolicy,theRODCcachesthatuserscredentials,sothenexttime
07/06/13
authenticationisrequested,theRODCcanperformthetasklocally.Asuserswhoare includedinthepasswordreplicationpolicylogon,theRODCbuildsitscacheof credentialssothatitcanperformauthenticationlocallyforthoseusers.Usually,you willadduserslocatedinthesamephysicalsiteasanRODCtothepassword replicationpolicy. BecausetheRODCmaintainsonlyasubsetofusercredentials,iftheRODCis compromisedorstolen,theeffectofthesecurityexposureislimited.Onlytheuser accountsthathadbeencachedontheRODCmusthavetheirpasswordschanged. TheRODCreplicateschangestoActiveDirectoryfromdomaincontrollersinthehub site.Replicationisoneway.NochangestotheRODCarereplicatedtoanyother domaincontroller.Thiseliminatestheexposureofthedirectoryservicetocorruption duetochangesmadetoacompromisedbranchofficedomaincontroller.Finally, RODCshavetheequivalentofalocalAdministratorsgroup.Youcangiveoneormore localsupportpersonneltheabilitytofullymaintainanRODCwithoutgrantingthem theequivalentrightsofDomainAdmins.
Prerequisites for Deploying an RODC
57/90
07/06/13
TodeployanRODC,youfirstmustperformsomepreparationsteps.Thehighlevel stepstoinstallanRODCareasfollows: 1. 2. EnsurethattheforestfunctionallevelisWindowsServer2003orlater. IftheforesthasanydomaincontrollersrunningWindowsServer2003,run adprep/rodcprep. 3. EnsurethereisatleastonewritabledomaincontrollerrunningWindowsServer 2008orWindowsServer2008R2. 4. InstalltheRODC.
58/90
07/06/13
Eachofthesestepsisdetailedinthefollowingsections.
Verifying and Configuring Forest Functional Level of Windows Server 2003 or Later
FunctionallevelsenablefeaturesuniquetospecificversionsofWindows,andare thereforedependentontheversionsofWindowsrunningondomaincontrollers.Ifall domaincontrollersareWindowsServer2003orlater,thedomainfunctionallevelcan besettoWindowsServer2003.IfalldomainsareattheWindowsServer2003 domainfunctionallevel,theforestfunctionallevelcanbesettoWindowsServer 2003.Domainandforestfunctionallevelsarediscussedindetailinanothermodule. RODCsrequirethattheforestfunctionallevelisWindowsServer2003orlatersothat thelinkedvaluereplication(LVR)isavailable.Thisprovidesahigherlevelof replicationconsistency.ThedomainfunctionallevelmustbeWindowsServer2003or latersothatKerberosconstraineddelegationisavailable.Thismeansalldomain controllersintheentireforestmustberunningWindowsServer2003orlater. Constraineddelegationsupportssecuritycallsthatmustbeimpersonatedunderthe contextofthecaller.Delegationmakesitpossibleforapplicationsandservicesto authenticatetoaremoteresourceonbehalfofauser.Becausedelegationprovides powerfulcapabilities,typicallyonlydomaincontrollersareenabledforit.ForRODCs, applicationsandservicesmustbeabletodelegate,butonlyconstraineddelegationis allowedbecauseitpreventsthetargetfromimpersonatingagainandmakinganother hop.TheuserorcomputermustbecacheableattheRODCforconstraineddelegation
07/06/13
towork.ThisrestrictionplaceslimitsonhowarogueRODCmaybeabletoabuse cachedcredentials. Todeterminethefunctionallevelofyourforest: 1. 2. 3. OpenActiveDirectoryDomainsandTrusts. Rightclickthenameoftheforest,andthenclickProperties. Verifytheforestfunctionallevel,asshownbelow.Anyusercanverifytheforest functionallevelinthisway.Nospecialadministrativecredentialsarerequiredto viewtheforestfunctionallevel.
60/90
07/06/13
IftheforestfunctionallevelisnotatleastWindowsServer2003,examinethe propertiesofeachdomaintoidentifyanydomainsforwhichthedomainfunctional levelisnotatleastWindowsServer2003.Ifyoufindsuchadomain,ensurethatall domaincontrollersinthedomainarerunningWindowsServer2003.Then,inActive DirectoryDomainsandTrusts,rightclickthedomainandclickRaiseDomain FunctionalLevel.Afteryouhaveraisedeachdomainfunctionalleveltoatleast WindowsServer2003,rightclicktherootnodeoftheActiveDirectoryDomainsAnd TrustssnapinandclickRaiseForestFunctionalLevel.IntheSelectAn AvailableForestFunctionalLeveldropdownlist,clickWindowsServer2003, andclickRaise.Youmustbeanadministratorofadomaintoraisethedomain's functionallevel.Toraisetheforestfunctionallevel,youmustbeeitheramemberof theDomainAdminsgroupintheforestrootdomainoramemberoftheEnterprise Adminsgroup.
Running ADPrep /RODCPrep

Ifyouareupgradinganexistingforesttoincludedomaincontrollersrunning WindowsServer2008,youmustrunadprep/rodcprep.Thiscommandconfigures permissionssothatRODCsareabletoreplicateDNSapplicationdirectorypartitions. DNSapplicationdirectorypartitionsarediscussedinanothermodule.Ifyouare creatinganewActiveDirectoryforest,anditwillhaveonlydomaincontrollersrunning WindowsServer2008,youdonotneedtorunadprep/rodcprep. Thecommandisfoundinthe\sources\adprepfolderoftheWindowsServer2008 installationDVD.Copythefoldertothedomaincontrolleractingastheschema
07/06/13
master.Theschemamasterroleisdiscussedinanothermodule.Logontothe schemamasterasamemberoftheEnterpriseAdminsgroup,openacommand prompt,changedirectoriestotheadprepfolder,andtypeadprep/rodcprep. Beforerunningadprep/rodcpep,youmustrunadprep/forestprepandadprep /domainprep.SeeModule15formoreinformationaboutpreparingaWindowsServer 2003domainandforestforthefirstWindowsServer2008domaincontroller.
Placing a Writable Windows Server 2008 Domain Controller

AnRODCmustreplicatedomainupdatesfromawritabledomaincontrollerrunning WindowsServer2008orWindowsServer2008R2.ItiscriticalthatanRODCisable toestablishareplicationconnectionwithawritableWindowsServer2008domain controller.Ideally,thewritableWindowsServer2008domaincontrollershouldbein theclosestsitethehubsite.IfyouwanttheRODCtoactasaDNSserver,the writableWindowsServer2008domaincontrollermustalsohosttheDNSdomain zone.
Installing an RODC
62/90
07/06/13
Aftercompletingthepreparatorysteps,youcaninstallanRODC.AnRODCcanbe eitherafullorServerCoreinstallationofWindowsServer2008.Withafullinstallation ofWindowsServer2008,youcanusetheActiveDirectoryDomainServices InstallationWizardtocreateanRODC.SimplyclickReadonlyDomainController (RODC)ontheAdditionalDomainControllerOptionspageofthewizard,as showninthefollowingscreenshot. Alternatively,youcanusethedcpromo.execommandwiththe/unattendswitchto createtheRODC.OnaServerCoreinstallationofWindowsServer2008,youmust usethedcpromo.exe/unattendcommand. YoucancompletetheinstallationofanRODCintwostages,eachperformedbya
07/06/13
differentindividual.Thefirststageoftheinstallation,whichrequiresDomainAdmin credentials,createsanaccountfortheRODCinADDS.Thesecondstageofthe installationattachestheactualserverthatwillbetheRODCinaremotelocation,such asabranchoffice,totheaccountthatwaspreviouslycreatedforit.Youcandelegate theabilitytoattachtheservertoanonadministrativegrouporuser. Duringthisfirststage,theActiveDirectoryDomainServicesInstallationWizard recordsalldataabouttheRODCthatwillbestoredinthedistributedActiveDirectory database,suchasitsdomaincontrolleraccountnameandthesiteinwhichitwillbe placed.ThisstagemustbeperformedbyamemberoftheDomainAdminsgroup. TheadministratorwhocreatestheRODCaccountcanalsospecifyatthattimewhich usersorgroupscancompletethenextstageoftheinstallation.Thenextstageofthe installationcanbeperformedinthebranchofficebyanyuserorgroupwhowas delegatedtherighttocompletetheinstallationwhentheaccountwascreated.This stagedoesnotrequireanymembershipinbuiltingroups,suchastheDomain Adminsgroup.IftheuserwhocreatestheRODCaccountdoesnotspecifyany delegatetocompletetheinstallationandadministertheRODC,onlyamemberofthe DomainAdminsorEnterpriseAdminsgroupscancompletetheinstallation. YoucanperformastagedinstallationofanRODCbyusingseveralapproaches.You canprecreateanRODCaccountbyusingActiveDirectoryUsersandComputers console,whichisappropriateforasmallernumberofaccounts.Youcanalsousethe dcpromocommandlineutilitywithappropriateswitches,oryoucanusetheanswer
07/06/13
filetoperformanunattendedinstallationofanRODC.
Demonstration: Configure a Password Replication Policy
Apasswordreplicationpolicydetermineswhichuserscredentialscanbecachedona specificRODC.IfapasswordreplicationpolicyallowsanRODCtocacheauser's credentials,theauthenticationandserviceticketactivitiesofthatusercanbe processedbytheRODC.Ifauser'scredentialscannotbecachedonRODC,the authenticationandserviceticketactivitiesarereferredbytheRODCtoawritable domaincontroller.Toaccessthepasswordreplicationpolicy,openthepropertiesof thedomaincontrollerintheDomainControllersOUandthenclickthePassword ReplicationPolicytab.ThepasswordreplicationpolicyofanRODCisdeterminedby

07/06/13
twomultivaluedattributesoftheRODC'scomputeraccount.Theseattributesare commonlyknownastheAllowedListandtheDeniedList.Ifauser'saccountison theAllowedList,theuser'scredentialsarecached.Youcanincludegroupsonthe AllowedList,inwhichcasealluserswhobelongtothegroupcanhavetheir credentialscacheontheRODC.IftheuserisbothontheAllowedListandtheDenied List,theuser'scredentialswillnotbecachedtheDeniedListtakesprecedence.
Configure Domain-Wide Password Replication Policy

Tofacilitatethemanagementofpasswordreplicationpolicy,WindowsServer2008 createstwodomainlocalsecuritygroupsintheUserscontainerofActiveDirectory. Thefirstone,namedAllowedRODCPasswordReplicationGroup,isaddedtothe AllowedListofeachnewRODC.Bydefault,thegrouphasnomembers.Therefore, bydefault,anewRODCwillnotcacheanyuserscredentials.Ifthereareuserswhose credentialsyouwanttobecachedbyalldomainRODCs,addthoseuserstothe AllowedRODCPasswordReplicationGroup. ThesecondgroupisnamedDeniedRODCPasswordReplicationGroup.Itisaddedto theDeniedListofeachnewRODC.Ifthereareuserswhosecredentialsyouwantto ensurearenevercachedbydomainRODCs,addthoseuserstotheDeniedRODC PasswordReplicationGroup.Bydefault,thisgroupcontainssecuritysensitive accountsthataremembersofgroupsincludingDomainAdmins,EnterpriseAdmins, andGroupPolicyCreatorOwners.
66/90
07/06/13
NoteRememberthatitisnotonlyuserswhogenerateauthenticationand serviceticketactivity.Computersinabranchofficealsorequiresuchactivity. Toimproveperformanceofsystemsinabranchoffice,allowthebranchRODC tocachecomputercredentialsaswell.
Configure RODC-Specific Password Replication Policy

Thetwogroupsdescribedintheprevioussectionprovideamethodtomanage passwordreplicationpolicyonallRODCs.However,tobestsupportabranchoffice scenario,youneedtoallowtheRODCineachbranchofficetocachecredentialsof usersinthatspecificlocation.Therefore,youneedtoconfiguretheAllowedListand theDeniedListofeachRODC. ToconfigureanyRODCspasswordreplicationpolicy,openthepropertiesofthe RODCscomputeraccountintheDomainControllersOU.OnthePasswordReplication Policytab,showninthefollowingscreenshot,youcanviewthecurrentpassword replicationpolicysettingsandaddorremoveusersorgroupsfromthepassword replicationpolicy.
67/90
07/06/13
Demonstration Steps
1. RunActiveDirectoryUsersandComputerswithadministrativecredentials. UsetheaccountPat.Coleman_AdminwiththepasswordPa$$w0rd. 2. 3. 4. 5. IntheDomainControllersOUopenthepropertiesofBRANCHDC01. ClickthePasswordReplicationPolicytabandviewthedefaultpolicy. ClosetheBRANCHDC01properties. IntheActiveDirectoryUsersandComputersconsoletree,clicktheUsers container.
68/90
07/06/13
6.
DoubleclickAllowedRODCPasswordReplicationGroup.Gotothe MemberstabandexaminethedefaultmembershipofAllowedRODC PasswordReplicationGroup.
7. 8.
ClickOK. DoubleclickDeniedRODCPasswordReplicationGroupandgotothe Memberstab.
9.
ClickCanceltoclosetheDeniedRODCPasswordReplicationGroup properties.
Demonstration: Administer RODC Credentials Caching
69/90
07/06/13
Inthisdemonstration,youwillseehowtoadministerRODCcredentialscaching. WhenyouclicktheAdvancedbuttononthePasswordReplicationPolicytabof anRODC,anAdvancedPasswordReplicationPolicydialogboxappears.An exampleisshowninthefollowingscreenshot.
70/90
07/06/13
ThedropdownlistatthetopofthePolicyUsagetaballowsyoutoselectoneof tworeportsfortheRODC: AccountswhosepasswordsarestoredonthisReadOnlyDomain Controller:Displaythelistofuserandcomputercredentialsthatarecurrently cachedontheRODC.Usethislisttodeterminewhethernotrequiredcredentialsare beingcachedontheRODC,andmodifythepasswordreplicationpolicyaccordingly. AccountsthathavebeenauthenticatedtothisReadOnlyDomain Controller:Displaythelistofuserandcomputercredentialsthathavebeen referredtoawritabledomaincontrollerfor authenticationorserviceticketprocessing.Usethislisttoidentifyusersor computersthatareattemptingtoauthenticatewiththeRODC.Ifanyofthese accountsarenotbeingcached,consideraddingthemtothepasswordreplication policy.
71/90
07/06/13
Inthesamedialogbox,theResultantPolicytaballowsyoutoevaluatethe effectivecachingpolicyforanindividualuserorcomputer.ClicktheAddbuttonto selectauserorcomputeraccountforevaluation. YoucanalsousetheAdvancedPasswordReplicationPolicydialogboxto prepopulatecredentialsintheRODCcache.IfauserorcomputerisontheAllowlist ofanRODC,theaccountcredentialscanbecachedontheRODC,butwillnotbe cacheduntiltheauthenticationorserviceticketeventscausestheRODCtoreplicate thecredentialsfromawritabledomaincontroller.Byprepopulatingcredentialsinthe RODCcache,forusersandcomputersinthebranchofficeforexample,youcan ensurethatauthenticationandserviceticketactivitywillbeprocessedlocallybythe RODCevenwhentheuserorcomputerisauthenticatingforthefirsttime.To prepopulatecredentials,clickPrepopulatePasswordsandselecttheappropriate usersandcomputers. DemonstrationSteps: 1. OnNYCDC1,intheActiveDirectoryUsersandComputersconsoletree, clicktheDomainControllersOUandopenthepropertiesofBRANCHDC01. 2. 3. ClickPasswordReplicationPolicy. ClickAdvanced. TheAdvancedPasswordReplicationPolicyforBRANCHDC01dialogbox appears.
07/06/13
ThePolicyUsagetabdisplaysaccountswhosepasswordsarestoredonthis ReadOnlyDomainController. 4. Fromthedropdownlist,selectAccountsWhosePasswordsAreStoredOn ThisReadOnlyDomainController. 5. Fromthedropdownlist,selectAccountsthathavebeenauthenticatedto thisReadonlyDomainController. 6. ClicktheResultantPolicytab,andthenclickAdd. TheSelectUsersorComputersdialogboxappears. 7. 8. 9. TypeChris.Gallagher,andthenpressEnter. ClickPolicyUsage. ClickPrepopulatePasswords. TheSelectUsersorComputersdialogboxappears. 10. Typethenameoftheaccountyouwanttoprepopulate(forexample,type Chris.Gallagher),andthenclickOK. 11. ClickYestoconfirmthatyouwanttosendthecredentialstotheRODC. Thefollowingmessageappears:Passwordsforallaccountsweresuccessfully prepopulated.
73/90
07/06/13
Administrative Role Separation
RODCsinbranchofficesmayrequiremaintenancesuchasanupdateddevicedriver. Additionally,smallbranchofficesmaycombinetheRODCrolledwiththefileserver roleonasinglesystem,inwhichcaseitwillbeimportanttobeabletobackupthe system.RODCssupportlocaladministrationthroughafeaturecalledadministrative roleseparation.Thisfeaturespecifiesthatanydomainuserorsecuritygroupcanbe delegatedtobethelocaladministratorofanRODCwithoutgrantingthatuseror grouprightsforthedomainorotherdomaincontrollers.Therefore,adelegated administratorcanlogontoanRODCtoperformmaintenancework,suchas upgradingadriver,ontheserver.Butthedelegatedadministratorcannotlogonto anyotherdomaincontrollerorperformanyotheradministrativetaskinthedomain.
07/06/13
EachRODCmaintainsalocaldatabaseofgroupsforspecificadministrativepurposes. Youcanaddadomainuseraccounttotheselocalrolestoallowsupportofaspecific RODC. Youcanconfigureadministrativeroleseparationbyusingthedsmgmt.execommand. ToaddausertotheAdministratorsroleonanRODC,followthesesteps: 1. 2. 3. OpenacommandpromptontheRODC. Typedsmgmt,andthenpressEnter. Typelocalroles,andthenpressEnter. Atthelocalrolesprompt,youcantype?andpressEnterforalistofcommands. YoucanalsotypelistrolesandpressEnterforalistoflocalroles. 4. Typeaddusernameadministrators,whereusernameisthepreWindows2000 logonnameofadomainuser,andthenpressEnter.
YoucanrepeatthisprocesstoaddotheruserstothevariouslocalrolesonanRODC.
Lab C: Configure Read-Only Domain Controllers
75/90
07/06/13
Lab Setup
Forthislab,youwillusetheavailablevirtualmachineenvironment.Beforeyoubegin thelab,youmustcompletethefollowingsteps: 1. Onthehostcomputer,clickStart,pointtoAdministrativeTools,andthen clickHyperVManager. 2. InHyperVManager,click6425CNYCDC1,andintheActionspane,click Start. 3. IntheActionspane,clickConnect.Waituntilthevirtualmachinestarts.
76/90
07/06/13
4.
Logonbyusingthefollowingcredentials: Username:Pat.Coleman Password:Pa$$w0rd Domain:Contoso
5. 6.
OpenWindowsExplorerandthenbrowsetoD:\Labfiles\Lab10c. RunLab10c_Setup.batwithadministrativecredentials.Usetheaccount Pat.Coleman_Admin,withthepassword,Pa$$w0rd.
7. 8.
Thelabsetupscriptruns.Whenitiscomplete,pressanykeytocontinue. ClosetheWindowsExplorerwindow,Lab10c.
Lab Scenario
ThesecurityteamatContoso,Ltdhastaskedyouwithincreasingthesecurityand monitoringofauthenticationagainsttheenterprisesADDSdomain.Specifically,you aretoimprovethesecurityofdomaincontrollersinbranchoffices.
Exercise 1: Install an RODC

Inthisexercise,youwillconfiguretheserverBRANCHDC01asanRODCin
07/06/13
thedistantbranchoffice.Toavoidtravelcosts,youdecidetodothe conversionremotelywiththeassistanceofAaronPainter,thedesktop supporttechnicianandonlyITstaffmemberatthebranch.AaronPainter hasalreadyinstalledaWindowsServer2008computernamed BRANCHDC01asaserverinaworkgroup.Youwillstageadelegated installationofanRODCsothatAaronPaintercancompletetheinstallation. Themaintasksforthisexerciseareasfollows: 1. 2. StageadelegatedinstallationofanRODC. RuntheActiveDirectoryDomainServicesInstallationWizardonaworkgroup server.
Task 1: Stage a delegated installation of an RODC.
1.
RunActiveDirectoryUsersandComputersasanadministrator,withthe usernamePat.Coleman_AdminandthepasswordPa$$w0rd.
2.
RightclicktheDomainControllersOU,andthenclickPrecreateReadonly DomainControlleraccount.
3.
StepthroughtheActiveDirectoryDomainServicesInstallationWizard,accepting alldefaults.UsethecomputernameBRANCHDC01andontheDelegationof RODCInstallationandAdministrationpage,delegateinstallationto
78/90
07/06/13
Aaron.Painter_Admin.
NoteWhenthewizardiscomplete,theserverappearsintheDomain ControllersOUwiththeDCTypecolumnshowingUnoccupiedDC Account(Readonly,GC).
Task 2: Run the Active Directory Domain Services Installation Wizard on a workgroup server. 1. 2. 3. 4. Start6425CBRANCHDC01. LogontoBRANCHDC01asAdministratorwiththepasswordPa$$w0rd. ClickStart,andthenclickRun. Typedcpromo,andthenpressEnter. AwindowappearsthatinformsyouthattheADDSbinariesarebeinginstalled. Wheninstallationiscompleted,theActiveDirectoryDomainServicesInstallation Wizardappears. 5. 6. ClickNext. OntheOperatingSystemCompatibilitypage,clickNext.
79/90
07/06/13
7.
OntheChooseADeploymentConfigurationpage,clicktheExistingforest option,clickAddadomaincontrollertoanexistingdomain,andthenclick Next.
8. 9.
OntheNetworkCredentialspage,typecontoso.com. ClicktheSetbutton. AWindowsSecuritydialogboxappears.
10. IntheUserNamebox,typeAaron.Painter_Admin. 11. InthePasswordbox,typePa$$w0rd,andthenpressEnter. 12. ClickNext. 13. OntheSelectaDomainpage,selectcontoso.com,andthenclickNext. Amessageappearstoinformyouthatyourcredentialsdonotbelongtothe DomainAdminsorEnterpriseAdminsgroups.Becauseyouhaveprestagedand delegatedadministrationoftheRODC,youcanproceedwiththedelegated credentials. 14. ClickYes. AmessageappearstoinformyouthattheaccountforBRANCHDC01hasbeen prestagedinActiveDirectoryasanRODC. 15. ClickOK.
07/06/13
16. OntheLocationForDatabase,LogFiles,andSYSVOLpage,clickNext. 17. OntheDirectoryServicesRestoreModeAdministratorPasswordpage, typePa$$w0rd12345inthePasswordandConfirmPasswordboxes,and thenclickNext. Inaproductionenvironment,youshouldassignacomplexandsecurepassword totheDirectoryServicesRestoreModeAdministratoraccount. Also,notethatwemodifiedtheminimumpasswordlengthinLabAandassuch needtomeetthenewminimumpasswordlengthrequirements. 18. OntheSummarypage,clickNext. 19. Intheprogresswindow,selecttheRebootOnCompletioncheckbox.Active DirectoryDomainServicesisinstalledonBRANCHDC01,theserverreboots.
Results:Inthisexercise,youcreatedanewRODCnamedBRANCHDC01inthe contoso.comdomain.
Exercise 2: Configure Password Replication Policy

Inthisexercise,youwillconfigureadomainwidepasswordreplication policyandthepasswordreplicationpolicyspecifictoBRANCHDC01.
07/06/13
Themaintasksforthisexerciseareasfollows: 1. 2. 3. 4. Configuredomainwidepasswordreplicationpolicy. CreateagrouptomanagepasswordreplicationtothebranchofficeRODC. ConfigurepasswordreplicationpolicyforthebranchofficeRODC. Evaluateresultantpasswordreplicationpolicy.
Task 1: Configure domain-wide password replication policy.
WhoarethedefaultmembersoftheAllowedRODCPasswordReplicationGroup? WhoarethedefaultmembersoftheDeniedRODCPasswordReplicationGroup? AddtheDNSAdminsgroupasamemberoftheDeniedRODCPasswordReplication Group. ExaminethepasswordreplicationpropertyforNYCBRANCHDC01. WhatarethepasswordreplicationpoliciesfortheAllowedRODCPassword ReplicationGroupandfortheDeniedRODCPasswordReplicationGroup?
Task 2: Create a group to manage password replication to the branch office RODC.
07/06/13
1.
IntheGroups\RoleOU,createanewglobalsecuritygroupcalledBranch OfficeUsers.
2.
AddthefollowinguserstotheBranchOfficeUsersgroup: Anav.Silverman Chris.Gallagher Christa.Geller Daniel.Roth
Task 3: Configure password replication policy for the branch office RODC.
ConfigureBRANCHDC01sothatitcachespasswordsforusersintheBranch OfficeUsersgroup.
Task 4: Evaluate resultant password replication policy.
OpentheResultantPolicyforBRANCHDC01'spasswordreplicationpolicy. Question:WhatistheresultantpolicyforChris.Gallagher?
83/90
07/06/13
Results:Inthisexercise,youconfiguredthedomainwidepasswordreplication policytopreventthereplicationofpasswordsofmembersofDNSAdminsto RODCs.YoualsoconfiguredthepasswordreplicationpolicyforBRANCHDC01to allowreplicationofpasswordsofmembersofBranchOfficeUsers.
Exercise 3: Manage Credential Caching

Inthisexercise,youwillmonitorcredentialcaching. Themaintasksforthisexerciseareasfollows: 1. 2. Monitorcredentialcaching. Prepopulatecredentialcaching.
Task 1: Monitor credential caching.
1.
LogontoBRANCHDC01asChris.GallagherwiththepasswordPa$$w0rd andthenlogoff.
2.
LogontoBRANCHDC01asMike.DansegliowiththepasswordPa$$w0rd, andthenlogoff. Thecontoso.comdomainusedinthiscourseincludesaGroupPolicyobject
84/90
07/06/13
(named6425C)thatallowsuserstologontodomaincontrollers.Ina productionenvironment,itisnotrecommendedtogiveuserstherighttologon todomaincontrollers. 3. OnNYCDC1,inActiveDirectoryUsersandComputers,examinethe passwordreplicationpolicyforBRANCHDC01. Question:Whichusers'passwordsarecurrentlycachedonBRANCHDC01? Question:WhichusershavebeenauthenticatedbyBRANCHDC01?
Task 2: Prepopulate credential caching.
InthepasswordreplicationpolicyforBRANCHDC01,prepopulatethepasswordfor ChristaGeller.
Results:Inthisexercise,youidentifiedtheaccountsthathavebeencachedon BRANCHDC01,orhavebeenforwardedtoanotherdomaincontrollerfor authentication.YoualsoprepopulatedthecachedcredentialsforChristaGeller.
Lab Review Questions

07/06/13
Question:Whyshouldyouensurethatthepasswordreplicationpolicyfora branchoffice RODChas,initsAllowlist,theaccountsforthecomputersinthebranchofficeaswell asthe
users? Question:Whatwouldbethemostmanageablewaytoensurethatcomputers inabranch areintheAllowlistoftheRODC'spasswordreplicationpolicy? To prepare for the next module
Whenyoufinishthelab,revertthevirtualmachinestotheirinitialstate.Todothis, completethefollowingsteps:
1. 2.
Onthehostcomputer,startHyperVManager. Rightclick6425CNYCDC1intheVirtualMachineslist,andthenclick Revert.
86/90
07/06/13
3. 4.
IntheRevertVirtualMachinedialogbox,clickRevert. Repeatthesestepsfor6425CNYCSVR1and6425CBRANCHDC01.
Module Review and Takeaways
Review Questions
Question:Inyourorganization,anumberofusersdealwithconfidentialfiles onaregular
87/90
07/06/13
basis.Youneedtoensurethatalltheseusershavestrictaccountpolicesenforced. TheuseraccountsarescatteredacrossmultipleOUs.Howwouldyouaccomplishthis withtheleastadministrativeeffort? Question:Whereshouldyoudefinethedefaultpasswordandaccountlockout policiesfor useraccountsinthedomain? Question:Whatwouldbethedisadvantageofauditingallsuccessfulandfailed logonsonallmachinesinyourdomain? Question:Whataretheadvantagesanddisadvantagesofprepopulatingthe credentialsfor allusersandcomputersinabranchofficetothatbranch'sRODC?
Common Issues Related to Authentication in Active Directory

Issue
Userisnotforcedtochangethe passwordevenifthatsettingis configuredinDefaultDomainPolicy. Userorgroupdoesnothavethe
88/90
Troubleshootingtip
07/06/13
rightPSOapplied. YoucannotdeployanRODC.
Real World Issues and Scenarios

Youmustensurethatalluserschangetheirpasswordevery30days.Company proceduresspecifythatifauser'spasswordwillexpirewhiletheuserisoutofthe office,theusermaychangethepasswordpriortodeparture.Youmustaccountfora userwhoisoutoftheofficeforuptotwoweeks.Additionally,youmustensurethat ausercannotreuseapasswordwithinaoneyeartimeperiod.Howwouldyou configureaccountpoliciestoaccomplishthis?
Best Practices Related to Authentication in an AD DS Domain

UseDefaultDomainPolicyGPOtospecifygeneralpasswordandaccountlockout policiesthatwillapplyformostusers. Usefinegrainedpasswordpolicytospecifypasswordandaccountlockoutpolicies forspecificusersandgroupswithadministrativeprivileges. Donotenablealloptionsforauditingbecauseyouwillhavemanysecuritylogs, whichwillbehardtosearch.Useadvancedauditloggingtohavemoregranular control. DeployRODCsinsiteswherephysicalsecurityisanissue.
89/90
07/06/13
Tools
Tool
GroupPolicy Managementconsole
Usedfor
Editingandmanaging grouppolicyobjects
Wheretofindit
AdministrativeTools
ADSIEdit
CreatingPassword SettingObjects
AdministrativeTools
Dcpromo
Creatingandmanaging domaincontrollers
Commandlineutility
Windows Server 2008 R2 Features Introduced in this Module

Feature
AdvancedAuditPolicies
Description
NewsettingsinGroupPolicyobjectformoredetailedauditingofvarious systemevents
90/90

Module 10 - Improving The Security of Authentication in An AD DS Domain

Caricato da

Informazioni sul documento

Descrizione originale:

Titolo originale

Copyright

Formati disponibili

Condividi questo documento

Condividi o incorpora il documento

Opzioni di condivisione

Hai trovato utile questo documento?

Questo contenuto è inappropriato?

Copyright:

Formati disponibili

Module 10 - Improving The Security of Authentication in An AD DS Domain

Caricato da

Copyright:

Formati disponibili

07/06/13

Module 10: Improving the Security of Authentication in an AD DS Domain

Module 10: Improving the Security of Authentication in an AD DS Domain

Module 10: Improving the Security of Authentication in an AD DS Domain

Aftercompletingthismodule,youwillbeableto: Configurepasswordandaccountlockoutpolicies. Configureauditingofauthenticationrelatedactivity. ConfigureRODCs.

Lesson 1: Configure Password and Lockout Policies

Module 10: Improving the Security of Authentication in an AD DS Domain

Module 10: Improving the Security of Authentication in an AD DS Domain

Understand Password Policies

Module 10: Improving the Security of Authentication in an AD DS Domain

Module 10: Improving the Security of Authentication in an AD DS Domain

Module 10: Improving the Security of Authentication in an AD DS Domain

Understand Account Lockout Policies

Module 10: Improving the Security of Authentication in an AD DS Domain

Module 10: Improving the Security of Authentication in an AD DS Domain

Module 10: Improving the Security of Authentication in an AD DS Domain

accountusedbyaserviceaccountyourSQLservers,forexampleandtheaccount is locked,eventuallytheservicewillfail.Manyorganizationschoosetouseauditing, intrusiondetection,andothermonitoringapproachestomitigatebruteforceattacks.

Configure the Domain Password and Lockout Policy

ActiveDirectorysupportsonesetofpasswordandlockoutpoliciesforadomain. ThesepoliciesareconfiguredinaGPOthatisscopedtothedomain.Anewdomain containsaGPOcalledtheDefaultDomainPolicythatislinkedtothedomainandthat includesthedefaultpolicysettingsforpassword,accountlockout,andKerberos

Module 10: Improving the Security of Authentication in an AD DS Domain

Module 10: Improving the Security of Authentication in an AD DS Domain

Demonstration: Configure Domain Account Policies

Module 10: Improving the Security of Authentication in an AD DS Domain

Module 10: Improving the Security of Authentication in an AD DS Domain

Module 10: Improving the Security of Authentication in an AD DS Domain

Fine-Grained Password and Lockout Policy

Module 10: Improving the Security of Authentication in an AD DS Domain

Module 10: Improving the Security of Authentication in an AD DS Domain

enabled.Whenanaccountspasswordwillnotbechanged,youshouldensurethat thepasswordisdifficulttocompromise.Youcanusefinegrainedpasswordpolicies tospecifyanextremelylongminimumpasswordlength.

Understand Password Settings Objects

Module 10: Improving the Security of Authentication in an AD DS Domain

Module 10: Improving the Security of Authentication in an AD DS Domain

OpenActiveDirectoryDomainsandTrusts. Intheconsoletree,expandActiveDirectoryDomainsandTrusts,andthen expandthetreeuntilyoucanseethedomain.

Demonstration: Configure Fine-Grained Password Policy

Module 10: Improving the Security of Authentication in an AD DS Domain

PSO Precedence and Resultant PSO

Module 10: Improving the Security of Authentication in an AD DS Domain

Module 10: Improving the Security of Authentication in an AD DS Domain

Module 10: Improving the Security of Authentication in an AD DS Domain

PSOs, OUs, and Shadow Groups

Lab A: Configure Password and Account Lockout Policies

Module 10: Improving the Security of Authentication in an AD DS Domain

Module 10: Improving the Security of Authentication in an AD DS Domain

Logonbyusingthefollowingcredentials: Username:Pat.Coleman Password:Pa$$w0rd Domain:Contoso

Exercise 1: Configure the Domains Password and Lockout Policies

Module 10: Improving the Security of Authentication in an AD DS Domain

Task: Configure the domain account policies.

EdittheDefaultDomainPolicyGPO. Configurethefollowingpasswordpolicysettings.Leaveothersettingsattheir defaultvalues. Maximumpasswordage:90days Minimumpasswordlength:10characters

Configurethefollowingaccountlockoutpolicysetting.Leaveothersettingsat theirdefaultvalues. Accountlockoutthreshold:5invalidlogonattempts.

Exercise 2: Configure Fine-Grained Password Policy

Module 10: Improving the Security of Authentication in an AD DS Domain

Task 1: Create a PSO.

ClickUseanotheraccount. IntheUsernamebox,typePat.Coleman_Admin. InthePasswordbox,typePa$$w0rd,andthenpressEnter.TheADSIEdit consoleopens.

Module 10: Improving the Security of Authentication in an AD DS Domain

RightclickADSIEditandclickConnectTo. Acceptalldefaults.ClickOK. ClickDefaultNamingContextintheconsoletree. ExpandDefaultNamingContextandclickDC=contoso,DC=com. ExpandDC=contoso,DC=comandclickCN=System.

10. ExpandCN=SystemandclickCN=PasswordSettingsContainer. AllPSOsarecreatedandstoredinthePasswordSettingsContainer(PSC). 11. RightclickCN=PasswordSettingsContainerandchooseNew,Object.The CreateObjectdialogboxappears. Itpromptsyoutoselectthetypeofobjecttocreate.Thereisonlyonechoice:

Module 10: Improving the Security of Authentication in an AD DS Domain

Module 10: Improving the Security of Authentication in an AD DS Domain

intheaccountremaininglockedoutuntilanadministratorunlocksit. 14. ClickFinish. 15. CloseADSIEdit.

Task 2: Link a PSO to a group.

Intheconsoletree,expandtheSystemcontainer. IfyoudonotseetheSystemcontainer,clicktheViewmenuoftheMMC console,andensurethatAdvancedFeaturesisselected.

Intheconsoletree,clickthePasswordSettingsContainer. RightclickMyDomainAdminsPSO,andthenclickAttributeEditor. IntheAttributeslist,clickmsDSPSOAppliesTo,andthenclickEdit. TheMultivaluedDistinguishedNameWithSecurityPrincipalEditor dialogboxappears.