Good day to all!
We continue to share the ideas of one of our authors, Brian Svidergol, the author of the book Active Directory CookBook. We present the second part of the post dedicated to the safe management of AD.

Dedicated subnets for administrative tasks.

A good example that Brian cites is online banking systems: most banks use risk monitoring systems that track suspicious attempts to log in to an online client, for example, if such an attempt is made from a non-standard device or there are unusual regional settings on your computer.
If you try to log into an online client from an unknown subnet (for example, on vacation or a business trip), the banking system will enable an additional authentication mechanism, such as an SMS with a confirmation code. But if several login attempts from different countries are recorded within an hour, the banking system is likely to block your account until all the circumstances are clarified.
We advise you to organize the execution of administrative tasks in a similar way: alerts should be sent to the information security staff whenever an attempt to connect to administrative resources (consoles, servers, etc.) from a normal subnet is recorded. The idea is very simple, but implementing it in practice is quite difficult. The main obstacle is web interfaces for administrative tasks that use TCP port 443: blocking traffic to this port from one subnet to another is a time-consuming task. But once it is done, the results come quickly.
The first positive result is an alert. You will receive an immediate notification (and will be able to act according to the circumstances) if, for example, someone tries to connect to the domain controller via RDP from a normal network or from guest Wi-Fi. In many organizations such connections are possible from any network, in some even from the Internet!
The second advantage of using dedicated subnets is the ability to apply additional security measures to them, for example multi-factor authentication using tokens or SMS one-time codes.
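The alerting idea above (flag any attempt to reach an administrative resource from a non-administrative subnet, including RDP to a domain controller from a normal network or guest Wi-Fi) can be checked over connection logs with a few lines of code. The following is an added example, not code from Brian's text or from the book: the subnet ranges, the list of administrative targets and their ports, and the single-line flow-log format are all assumptions constructed for the demonstration.

```python
import ipaddress

# Assumed network layout (hypothetical, not from the original post):
# one dedicated administrative subnet, and the administrative destinations
# together with the ports their consoles listen on.
ADMIN_SUBNETS = [ipaddress.ip_network("10.10.99.0/24")]
ADMIN_TARGETS = {
    "10.0.0.10": {3389, 443},   # domain controller: RDP and a web console
    "10.0.0.20": {443},         # dedicated admin web console on TCP 443
}


def is_admin_source(ip):
    """True if the source address belongs to a dedicated admin subnet."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in ADMIN_SUBNETS)


def parse_line(line):
    """Parse one constructed flow-log line: '<src_ip> <dst_ip> <dst_port> <action>'."""
    src, dst, port, action = line.split()
    return src, dst, int(port), action


def find_violations(lines):
    """Return one alert per connection attempt to an admin target from a normal subnet.

    Both allowed and denied attempts are reported: a denied attempt still means
    someone outside the admin subnet tried to reach an administrative resource,
    which is exactly the event the information security staff should see.
    """
    alerts = []
    for line in lines:
        src, dst, port, action = parse_line(line)
        if dst not in ADMIN_TARGETS or port not in ADMIN_TARGETS[dst]:
            continue  # not an administrative resource, nothing to report
        if is_admin_source(src):
            continue  # expected path: admin subnet to admin resource
        alerts.append({
            "src": src,
            "dst": dst,
            "port": port,
            # "allowed" is the more serious case: the filtering between
            # subnets is missing and the connection actually went through.
            "severity": "high" if action == "allow" else "medium",
        })
    return alerts


# Constructed sample log (not real traffic): admin RDP session, RDP to the DC
# from an office subnet, guest Wi-Fi to the admin console, a blocked attempt
# on 443, and ordinary traffic to a non-administrative host.
SAMPLE_LOG = [
    "10.10.99.5 10.0.0.10 3389 allow",
    "192.168.1.50 10.0.0.10 3389 allow",
    "172.16.5.7 10.0.0.20 443 allow",
    "192.168.1.51 10.0.0.10 443 deny",
    "192.168.1.52 10.0.0.30 443 allow",
]


if __name__ == "__main__":
    for alert in find_violations(SAMPLE_LOG):
        print(f"[{alert['severity']}] {alert['src']} -> {alert['dst']}:{alert['port']}")
```

Run as-is, the script reports the three attempts from non-administrative subnets and stays silent for the admin-subnet RDP session and the connection to the ordinary host. In practice the same check would run over firewall or NetFlow exports and feed an alerting pipeline rather than printing to the console.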
Dedicated servers and client machines for administrative tasks.

If you cannot organize dedicated subnets, use at least dedicated servers and separate workstations to perform administrative tasks. The benefits are the same: additional security measures, two-factor authentication, monitoring and alerting on possible incidents. The use of special client machines also makes it possible to separate risky daily tasks (reading mail, visiting web sites) from administrative ones, and reduces the likelihood of a successful phishing attack. The best result is achieved when special administrative accounts are used on dedicated machines.
We tried to highlight the main ideas. The original text is available here.