Reliability Workbook for Active Directory Domain Services

Published on December 2016
Document version: 1.0 Published: January 2010

Overview
Reliability is the state in which a service and all the components it depends on are behaving as desired within acceptable limits. This task list provides a schedule of proactive health monitoring and maintenance tasks to review and adapt to your individual requirements. For further instructions about the configuration and use of this task list, see the Administrator's Guide to Reliability Workbooks at www.microsoft.com/mof.

Task List Columns
Health Attribute: A group of requirements for a healthy system.
Health Area: A category of health action.
Health Requirement: A requirement in a particular health control area that drives monitoring activity, which ensures continued component health.
Monitoring Task: An action that involves observing trends and paying attention to warning levels and error alerts. These alerts will trigger maintenance tasks.
Maintenance Task: Regularly scheduled or trend-driven work that ensures the continued health of the component.
Monitoring Parameter: The picture of health for a component. These conditions are determined by your organization's requirements and may vary according to factors such as the component's importance to the business, the size of the organization, or staffing constraints.
Owner: Person with the responsibility to ensure that a task is done. The owner can complete the task, automate it, or delegate it and confirm that the work has been done.
Notes: Additional information relating to this item.

Feedback
Please direct questions and comments about this guide to [email protected].

Note: Although many of the monitoring and maintenance tasks in this guide can be performed manually, best practice is to use automated methods because of the frequency and complexity of the individual tasks.

Monitoring Activities

Title | Health attribute | Health area
Verify that all accounts with Remote Access Service access are appropriate. | Security | Authentication
Verify that all accounts with Terminal Services access are appropriate. | Security | Authentication
Check for a high number of locked-out, disabled, or expired accounts. | Security | Authentication
Verify that upcoming certificate renewals are in the schedule. | Security | Certificate Maintenance
Verify that expiration dates for domain controller certificates have been set. | Security | Certificate Maintenance
Monitor for network authentication requests by malicious users who are located in a trusted forest network and have administrative credentials. | Security | Domain and Forest Trust Management
Confirm that Group Policy has not been misconfigured. | Security | Group Policy
Verify that share permissions are set appropriately. | Security | Share Permissions
Verify that shared folders are required. | Security | Shared Folders
Verify that NTFS file system permissions are set appropriately on all shared folders and content in shared folders. | Security | NTFS Permissions
Verify that all security settings available via Group Policy objects are managed centrally by policies. | Security | Group Policy
Verify that all user account passwords are configured to meet minimum length and complexity requirements. | Security | Authentication
Check the password policy for the Maximum Password Age setting. | Security | Authentication
Check the password policy for the Minimum Password Age setting. | Security | Authentication
Check the password policy for the Minimum Password Length setting. | Security | Authentication
Verify that the Account Lockout policy meets minimum organizational security policy requirements. | Security | Authentication
Review LanManager compatibility settings. | Security | Authentication
Review the LanManager authentication protocol hash storage settings. | Security | Authentication
Verify that all domain controllers are in the Domain Controllers organizational unit. | Security | Domain Controller Security
Check the replication provider. | Availability | Replication
Check the partner replication count. | Availability | Replication
Check replication latency. | Availability | Replication
Verify that the appropriate replication service is running. | Availability | Replication
Verify that the Kerberos Key Distribution Center service is running. | Availability | Replication
Test the availability of each domain controller. | Security | The System Volume share
Back up system state on each domain controller. | Continuity | Backup and Restore
Verify that critical volumes are backed up. | Continuity | Backup and Restore
Verify the full server backup. | Continuity | Backup and Restore
Verify the authoritative restore of Active Directory Domain Services. | Continuity | Backup and Restore
Verify the non-authoritative restore of Active Directory Domain Services. | Continuity | Backup and Restore
Check for changes in administrative authority. | Appropriate Use | Administrative Authority
Look for non-standard grants of Write access to Active Directory Domain Services (AD DS) and AD DS objects. | Appropriate Use | Administrative Authority
Check for dangerous or unnecessary services that are not disabled. | Appropriate Use | Domain Controller
Check for dormant user accounts. | Appropriate Use | User Accounts
Audit the membership of all domain groups that grant administrative privileges (for example, Administrators, Domain Admins, Enterprise Admins, Schema Admins, DNS Admins, DHCP Admins, Server Operators, Account Operators). | Appropriate Use | Administrative Authority
Verify that user rights are assigned to groups, not users. | Appropriate Use | User Rights
Monitor each domain controller for general responsiveness. | Performance | General Response
Monitor the responsiveness of Active Directory Domain Services to a Lightweight Directory Access Protocol request. | Performance | Authentication Response Time
Measure the time required to perform a global catalog search. | Performance | Global Catalog Search Response
Verify that operations masters are responsive. | Performance | Operations Masters
Verify that the domain controller is advertising. | Performance | Domain Controller
Check for the latest service pack and security updates. | Patching | Updates and Configuration
Verify that the Windows Time service is running. | Integrity | Windows Time Service
Monitor database and log file size as well as the available free space on the associated disk volumes. | Availability | Active Directory Domain Services Database
Check the Active Directory Domain Services domain functional level. | Security | Active Directory Domain Services Functional Level
Check the Active Directory Domain Services forest functional level. | Security | Active Directory Domain Services Functional Level
Verify that all Domain Name System (DNS) service records are registered in DNS for each domain controller and appropriate service. | Availability | DNS SRV Records
Verify that anonymous access to shares, the Security Accounts Management database/Active Directory Domain Services, and named pipes is negated. | Security | Anonymous Connections
Verify membership in the Pre-Windows Compatible Access group. | Security | Anonymous Connections
Ensure that no standard users can read key properties for administrative groups and users. | Security | Lightweight Directory Access Protocol Access to Active Directory Domain Services
Verify that Encrypting File System is not enabled for domain controllers. | Security | Encrypting File System
Verify that no user accounts have the Password Never Expires property configured. | Security | Authentication
Check for Windows Firewall rules. | Appropriate Use | Domain Controller
Check for changes in administrative authority for Group Policy management. | Security | Group Policy
Verify that audit policy settings are configured properly. | Security | Auditing
Verify that the name of the last user who logged on does not appear during logon. | Security | Authentication
Verify that the logon banner is displayed during logon. | Security | Authentication
Verify that Group Policy objects are backed up. | Continuity | Backup and Restore
Ensure that administrator-level accounts have dual accounts or use User Account Control. | Appropriate Use | Administrative Authority
Ensure that the crash dump file is configured to meet company requirements. | Continuity | Domain Controllers
Ensure that Domain Name System servers that support Active Directory Domain Services (AD DS) are all AD DS integrated. | Security | Domain Name System
Ensure that the correct security is in place for all Domain Host Configuration Protocol services running on domain controllers. | Appropriate Use | Domain Host Configuration Protocol
Ensure that all domain controllers are in the appropriate site based on IP address. | Continuity | Replication
Ensure that the design of the location of global catalog servers is appropriate for the number of users, applications, and other criteria for logging on and accessing information in the global catalog. | Continuity | Global Catalog Location
Ensure that the design of the location of Domain Name System (DNS) servers is appropriate for the number of users, applications, and other criteria for logging on and accessing information on the DNS servers. | Continuity | Domain Name System Location
Ensure that the design of the location of domain controllers is appropriate for the number of users, applications, and other criteria for logging on and accessing information on domain controllers. | Continuity | Domain Controller Location

Health requirement | Monitoring task | Monitoring parameter
Remote access | Verify that all accounts with Remote Access Service access are appropriate. | Remote Access Service account access is limited to those deemed appropriate per company policy.
Terminal Services/Remote Desktop | Verify that all accounts with Terminal Services access are appropriate. | Terminal Services account access is limited to those deemed appropriate per company policy.
Current accounts | Check for a high number of locked-out, disabled, or expired accounts. | No more than n anomalous accounts.
Current certificates | Verify that upcoming certificate renewals are in the schedule. | Certificates are valid for one month past the current date.
Current certificates | Verify that expiration dates for domain controller certificates have been set. | The expiration date is in the future.
Secure trusting forest | Monitor for network authentication requests by malicious users who are located in a trusted forest network and have administrative credentials. | Security ID filtering on all trusts by default.
Group Policy is working as expected. | Confirm that Group Policy has not been misconfigured. | No Override is disabled for all Active Directory Domain Services nodes (domain and all organizational units), and Block Policy Inheritance is not configured for Group Policy objects.
Shares are safe from unauthorized users. | Verify that share permissions are set appropriately. | The most restrictive permissions are applied.
Limit the number of shared folders. | Verify that shared folders are required. | The list of shared folders should meet the minimum shared folders required for each server.
NTFS file system permissions should protect shared folders and all content from unauthorized users. | Verify that NTFS file system permissions are set appropriately on all shared folders and content in shared folders. | The most restrictive permissions are applied.
The server is configured to a standard security policy. | Verify that all security settings are managed centrally by policies. | All settings are confirmed.
Strong passwords | Verify that all user account passwords are configured to meet minimum length and complexity requirements. | Password length and complexity are established (specifics per company policy).
Maximum password age | Check the password policy for the Maximum Password Age setting. | The Maximum Password Age is set between 30 and 120 days per organization policy.
Minimum password age | Check the password policy for the Minimum Password Age setting. | The Minimum Password Age is set to a minimum of one day or per organization policy.
Minimum password length | Check the password policy for the Minimum Password Length setting. | The Minimum Password Length is set to a minimum of 7–14 characters or per organization policy.
Account Lockout policy | Verify that the Account Lockout policy meets the minimum organization security policy requirements. | Account Lockout policy settings
LanManager authentication protocol | Review LanManager compatibility settings. | LMCompatibilityLevel setting
LanManager authentication protocol hash storage | Review the LanManager authentication protocol hash storage settings. | LanManager hash storage settings
All domain controllers receive the same Group Policy objects. | Verify that all domain controllers are in the Domain Controllers organizational unit. | No domain controllers are outside the Domain Controllers organizational unit.
Replication links between domain controllers and replication partners are healthy. | Check the replication provider. | ModifiedNumConsecutiveSyncFailures is <2 days old; TimeOfLastSyncSuccess is <14 days old.
Domain controllers within a forest are able to replicate with each other. | Check the partner replication count. | The domain controller always has at least one outbound connection; the domain controller has at least one connection to another site; the domain controller does not have more than a specified number of connections.
Changes are properly replicated across the forest. | Check replication latency. | Convergence latency is within the desired maximum determined time.
Changes are properly replicated across the forest. | Verify that the appropriate replication service is running. | NT File Replication Service and/or Distributed File System Replication is running.
Updated domain controllers | Verify that the Kerberos Key Distribution Center service is running. | The Kerberos Key Distribution Center service is running.
The System Volume share is accessible on every domain controller. | Test the availability of each domain controller. | The System Volume share can be accessed on each domain controller from across the network.
Domain controller backup | Back up system state on each domain controller. | System state has been backed up within the past 24 hours.
Critical volumes are backed up. | Verify that critical volumes are backed up. | Completed
The server is backed up. | Verify the full server backup. | Completed
Active Directory Domain Services is authoritatively restored. | Verify the authoritative restore of Active Directory Domain Services. | Completed
Active Directory Domain Services is non-authoritatively restored. | Verify the non-authoritative restore of Active Directory Domain Services. | Completed
Appropriately assigned authority | Check for changes in administrative authority. | No change
Appropriately assigned authority | Look for non-standard grants of Write access. | No change
Domain controllers are free of dangerous services. | Check for dangerous or unnecessary services that are not disabled. | Dangerous or unnecessary services are disabled.
The network is free of unauthorized users. | Check for dormant user accounts. | User accounts are disabled when a personnel change is entered in the Human Resources system.
Appropriately assigned authority | Audit the membership of all domain groups that grant administrative privileges (for example, Administrators, Domain Admins, Enterprise Admins, Schema Admins, DNS Admins, DHCP Admins, Server Operators, Account Operators). | Apply least privilege.
Appropriately assigned authority | Verify that user rights are not assigned to users. | Only administrators should have user rights assigned.
Expected response time | Monitor each domain controller for responsiveness. | Less than one second
Active Directory Domain Services is responsive. | Monitor the responsiveness of Active Directory Domain Services to a Lightweight Directory Access Protocol request. | Less than one second
The Active Directory Domain Services global catalog is responsive. | Measure the time required to perform a global catalog search. | Response time is <5 seconds.
Operations masters are responsive. | Verify that operations masters are responsive. | Operations masters are available.
The domain controller is advertising. | Verify that the domain controller is advertising. | The domain controller locator is working.
The system is up to date with the latest service pack and security updates. | Check for the latest service pack and security updates. | Completed
Domain controllers on the network are in time synchronization with each other. | Verify that the Windows Time service is running. | The primary domain controller is synching with a valid external time source; MaxPosPhaseCorrection and MaxNegPhaseCorrection should not be <48 hours but >1 hour.
Adequate free space in database | Monitor database and log file size as well as available free space on the associated disk volumes. | At least 20% of the current database is available.
Existing domain functional level | Check the Active Directory Domain Services domain functional level. | Ensure that the functional level of the domain is at the highest level possible.
Existing forest functional level | Check the Active Directory Domain Services forest functional level. | Ensure that the functional level of the forest is at the highest level possible.
Domain controller services are available. | Verify that all Domain Name System (DNS) service records are in DNS for each domain controller and appropriate service. | The Domain Name System service records exist.
Deny anonymous access. | Verify that anonymous access to shares, the Security Accounts Management database/Active Directory Domain Services, and named pipes is negated. | Check anonymous connection parameters.
Deny anonymous access. | Verify membership in the Pre-Windows Compatible Access group. | Verify membership in the Pre-Windows Compatible Access group.
Deny Read access to key security groups and users for standard users. | Ensure that no standard users can read key properties for administrative groups and users. | Verify Lightweight Directory Access Protocol access to Active Directory Domain Services.
Ensure that Encrypting File System is disabled for domain controllers. | Verify that Encrypting File System is not enabled for domain controllers. | Check whether files can be encrypted.
Ensure that user account passwords expire. | Verify that no user accounts have the Password Never Expires property configured. | Check all user accounts for the Password Never Expires property configuration.
Domain controllers are free of dangerous network access. | Check for Windows Firewall rules. | Dangerous or unnecessary network access protocols/applications are denied.
Appropriately assigned authority | Check for changes in administrative authority for Group Policy management. | Group Policy Management Console delegation is set correctly.
Appropriately assigned audit policy | Verify that audit policy settings are configured properly. | Check audit policy settings for success and/or failure.
Restrict access to user names. | Verify that the name of the last user who logged on does not appear during logon. | Check whether the last user name is displayed at logon.
Display the company logon banner. | Verify that the logon banner is displayed during logon. | Verify that the logon banner is displayed at logon.
Group Policy objects are backed up. | Verify that Group Policy objects are backed up. | Completed
Appropriate logon access privilege level | Ensure that administrator-level accounts have dual accounts or use User Account Control. | Require least-privilege access for administrators.
Configure the crash dump file. | Ensure that the crash dump file is configured to meet company requirements. | Verify crash dump settings.
Active Directory–integrated Domain Name System | Ensure that Domain Name System servers that support Active Directory Domain Services (AD DS) are all AD DS integrated. | Verify the configuration and location of Domain Name System.
Domain Host Configuration Protocol services are running on domain controllers. | Ensure that the correct security is in place for all Domain Host Configuration Protocol services running on domain controllers. | Verify membership in the DNSUpdateProxy group.
Site configuration | Ensure that all domain controllers are in the appropriate site based on IP address. | Verify domain controller locations in sites.
Global catalog servers must be available. | Ensure that the design of the location of global catalog servers is appropriate for the number of users, applications, and other criteria for logging on and accessing information in the global catalog. | Verify the number of global catalog servers in each physical location.
Domain Name System servers must be available. | Ensure that the design of the location of Domain Name System (DNS) servers is appropriate for the number of users, applications, and other criteria for logging on and accessing information on the DNS servers. | Verify the number of Domain Name System servers in each physical location.
Domain controllers must be available. | Ensure that the design of the location of domain controllers is appropriate for the number of users, applications, and other criteria for logging on and accessing information on domain controllers. | Verify the number of domain controllers in each physical location.
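The password, lockout and LanManager rows above give thresholds but no check. The following PowerShell script is an added example, not part of the MOF workbook and not Microsoft's code: it evaluates a domain's settings against those monitoring parameters and reports each deviation. It assumes the ActiveDirectory module (RSAT) is available and that the registry checks run on a domain controller; the lockout and LanManager thresholds (lockout enabled, LmCompatibilityLevel 3 or higher, NoLMHash set to 1) are assumed, since the workbook leaves them to organization policy.

```powershell
# Added example, not part of the MOF workbook. Evaluates the workbook's password,
# lockout and LanManager monitoring parameters for a domain.
# Assumptions: the ActiveDirectory module (RSAT) is installed; the registry checks
# run on a domain controller; the lockout and LanManager thresholds are assumed.

function Test-WorkbookPasswordPolicy {
    param(
        [Parameter(Mandatory)] [TimeSpan] $MaxPasswordAge,
        [Parameter(Mandatory)] [TimeSpan] $MinPasswordAge,
        [Parameter(Mandatory)] [int]      $MinPasswordLength,
        [Parameter(Mandatory)] [bool]     $ComplexityEnabled,
        [Parameter(Mandatory)] [int]      $LockoutThreshold,
        [int] $LmCompatibilityLevel = -1,   # -1: value not present in the registry
        [int] $NoLMHash = -1,               # -1: value not present in the registry
        # Workbook limits; override them to match organization policy.
        [int] $MaxAgeDaysLow = 30,
        [int] $MaxAgeDaysHigh = 120,
        [int] $MinAgeDaysFloor = 1,
        [int] $MinLengthFloor = 7
    )
    $findings = New-Object System.Collections.Generic.List[string]

    # Maximum Password Age: 30 to 120 days. Anything outside the range,
    # including 0 days (passwords never expire), is reported.
    $maxDays = $MaxPasswordAge.TotalDays
    if ($maxDays -lt $MaxAgeDaysLow -or $maxDays -gt $MaxAgeDaysHigh) {
        $findings.Add("MaxPasswordAge is $maxDays days; expected $MaxAgeDaysLow to $MaxAgeDaysHigh")
    }
    # Minimum Password Age: at least one day, so a user cannot cycle straight back to an old password.
    if ($MinPasswordAge.TotalDays -lt $MinAgeDaysFloor) {
        $findings.Add("MinPasswordAge is $($MinPasswordAge.TotalDays) days; expected at least $MinAgeDaysFloor")
    }
    # Minimum Password Length and complexity.
    if ($MinPasswordLength -lt $MinLengthFloor) {
        $findings.Add("MinPasswordLength is $MinPasswordLength; expected at least $MinLengthFloor")
    }
    if (-not $ComplexityEnabled) {
        $findings.Add("Password complexity is not enforced")
    }
    # Account Lockout policy: assumed requirement is simply that lockout is enabled.
    if ($LockoutThreshold -le 0) {
        $findings.Add("Account lockout is disabled (LockoutThreshold = $LockoutThreshold)")
    }
    # LanManager compatibility: assumed minimum is level 3 (send NTLMv2 responses only).
    # A missing value means the OS default applies; report it so that it is reviewed.
    if ($LmCompatibilityLevel -lt 0) {
        $findings.Add("LmCompatibilityLevel is not set explicitly; review the OS default")
    } elseif ($LmCompatibilityLevel -lt 3) {
        $findings.Add("LmCompatibilityLevel is $LmCompatibilityLevel; expected 3 or higher")
    }
    # LanManager hash storage: NoLMHash = 1 stops new LM hashes from being stored.
    if ($NoLMHash -ne 1) {
        $findings.Add("NoLMHash is $NoLMHash; expected 1 so that LM hashes are not stored")
    }

    [pscustomobject]@{
        Compliant = ($findings.Count -eq 0)
        Findings  = $findings.ToArray()
    }
}

function Get-WorkbookPasswordPolicyReport {
    # Live data: the default domain password policy plus the Lsa registry values on this DC.
    Import-Module ActiveDirectory -ErrorAction Stop
    $policy = Get-ADDefaultDomainPasswordPolicy
    $lsa = Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
    $lm  = if ($null -ne $lsa.LmCompatibilityLevel) { [int]$lsa.LmCompatibilityLevel } else { -1 }
    $nlh = if ($null -ne $lsa.NoLMHash) { [int]$lsa.NoLMHash } else { -1 }

    Test-WorkbookPasswordPolicy -MaxPasswordAge $policy.MaxPasswordAge `
        -MinPasswordAge $policy.MinPasswordAge -MinPasswordLength $policy.MinPasswordLength `
        -ComplexityEnabled $policy.ComplexityEnabled -LockoutThreshold $policy.LockoutThreshold `
        -LmCompatibilityLevel $lm -NoLMHash $nlh
}

# Constructed sample: a weak configuration, evaluated offline without a domain.
$weak = Test-WorkbookPasswordPolicy -MaxPasswordAge ([TimeSpan]::Zero) `
    -MinPasswordAge ([TimeSpan]::Zero) -MinPasswordLength 6 -ComplexityEnabled $false `
    -LockoutThreshold 0 -LmCompatibilityLevel 1 -NoLMHash 0
$weak.Findings | ForEach-Object { "FAIL: $_" }

# On a domain controller, run the live check instead:
# Get-WorkbookPasswordPolicyReport | Format-List
```

The constructed sample reports seven findings; a domain that meets the workbook parameters returns Compliant = True with an empty Findings array, which is the value to alert on from System Center Operations Manager or a scheduled task.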

Frequency | Owner | Manual | Automation
Daily | Operator | Verify under Permissions for Remote Access Service (RAS) and Internet Authentication Service servers in the Active Directory Servers and Computers snap-in. Verify group membership for RAS access. | Microsoft System Center Operations Manager can audit Remote Access Service access. Perfmon
Daily | Operator | Verify under the User account properties and the Remote Desktop group, and that the Terminal Server has the correct user right for Allow Logon Through Terminal Services configured. Verify group membership for Remote Access Service access. | Perfmon
Daily | Operator | Verify that the Account Lockout Duration policy setting in Computer Configuration\Windows Settings\Security Settings\Account Policies\Account Lockout Policy matches the policy. Active Directory Users and Computers saved queries, Lockoutstatus.exe | Microsoft System Center Operations Manager can audit for anomalous accounts.
Weekly | Operator | Use the Certificate Request Wizard in the Microsoft Management Console Certificates snap-in. | Use Microsoft Certificate Lifecycle Manager 2007 or Microsoft Forefront Identity Manager 2010.
Weekly | Operator | Use the Certificate Request Wizard in the Microsoft Management Console Certificates snap-in. | Use Microsoft Certificate Lifecycle Manager 2007 Certificate Authority Monitor and Microsoft System Center Operations Manager.
Daily | Operator | Firewall logs, Netmon | Automate this process by using Desired Configuration Management Packs or by analyzing the results of Gpresult.
Monthly | Operator | Check Group Policy settings in the Group Policy Management Console. GPOTool.exe | Use Windows PowerShell scripts in the Windows Server 2008 R2 and Windows 7 release of the Group Policy management tools. If possible, install and use Microsoft Advanced Group Policy Management.
Monthly | Operator | Use Computer Management or Server Manager to verify. | Windows PowerShell scripts
Monthly | Operator | Computer Management | Script to enumerate shares
Semi-annually | Operator | Review of access control lists on the Security tab. | Access control lists (ACLs) in a script; Group Policy object to establish ACLs
Daily | Operator | Use Gpresult to confirm security settings. | Automated by using Desired Configuration Management Packs or by analyzing the results of Gpresult.
Monthly | Operator | Verify Group Policy password settings using Secpol.msc on a domain controller. | Audit the Group Policy password policy with Microsoft System Center Operations Manager.
Monthly | Operator | Secpol.msc on a domain controller | Microsoft System Center Operations Manager audits the Group Policy password policy.
Monthly | Operator | Secpol.msc on a domain controller | Microsoft System Center Operations Manager
Monthly | Operator | Secpol.msc on a domain controller | Microsoft System Center Operations Manager
Monthly | Operator | Secpol.msc | Microsoft System Center Operations Manager
Monthly | Operator | Secpol.msc | Microsoft System Center Operations Manager
Monthly | Operator | Secpol.msc | Microsoft System Center Operations Manager
Monthly | Operator | Active Directory Users and Computers | Script, Dsquery
Weekly | Operator | Monitor the event logs for event ID 13508 and event ID 13509, which may point to File Replication Service replication issues. Also, use Repadmin /showrepl to find replication partners and issues. |
Daily | Operator | Use Repadmin. |
Daily | Operator | Use Repadmin. |
Daily | Operator | Use Computer Management or Server Manager. | Windows PowerShell script
Daily | Operator | Use Computer Management or Server Manager. | Windows PowerShell script
Daily | Operator | Ping command |
Daily | Operator | Verify backup logs. | Configure auditing and verify using Event Viewer.
Daily | Backup operator | Verify backup logs. | Configure auditing and verify using Event Viewer.
Weekly | | Verify backup logs. | Configure auditing and verify using Event Viewer.
Every three backups | Backup operator | NTdsutil.exe |
Every three backups | Backup operator | NTdsutil.exe |
Daily | Operator | Active Directory Domain Services delegation of authority, Dsacls.exe | Configure auditing and verify using Event Viewer.
Daily | Operator | Active Directory Domain Services delegation of authority, Dsacls.exe | Configure auditing and verify using Event Viewer.
Daily | Operator | Use Computer Management or Server Manager. | Windows PowerShell script
Daily | Operator | Custom Lightweight Directory Access Protocol query, saved query using Active Directory Users and Computers. | Windows PowerShell script
Daily | Operator | Custom Lightweight Directory Access Protocol query, Active Directory Users and Computers | Windows PowerShell script, Event Viewer
Monthly | Operator | Secpol.msc |
Daily | Operator | Ping command | Microsoft System Center Operations Manager
Daily | Operator | | Microsoft System Center Operations Manager
Daily | Operator | | Microsoft System Center Operations Manager
Every five minutes | Operator | |
Daily | Operator | |
Daily | Operator | Windows Server Update Services, Microsoft Baseline Security Analyzer | Microsoft System Center Configuration Manager
Daily | Operator | Verify these registry settings using the Registry Editor. | Windows PowerShell script
Every 15 minutes | Operator | Use Computer Management or Server Manager. System Monitor | Microsoft System Center Operations Manager
Once | Operator | Active Directory Users and Computers | Windows PowerShell script
Once | Operator | Active Directory Domains and Trusts | Windows PowerShell script
Daily | Operator | DNS Admin tool, Nslookup, Dnscmd.exe |
Monthly | Operator | Secpol.msc | Windows PowerShell script
Monthly | Operator | Secpol.msc | Windows PowerShell script
Monthly | Operator | Dsacls.exe |
Monthly | Operator | Group Policy object report of the Default Domain policy through Group Policy Management Console, Secpol.msc |
Monthly | Operator | Active Directory Users and Computers user properties, saved queries, custom Lightweight Directory Access Protocol query |
Daily | Operator | Server Manager |
Daily | Operator | Group Policy Management Console Delegation tab, Advanced Group Policy Management |
Daily | Operator | Secpol.msc | Windows PowerShell script
Daily | Operator | Secpol.msc, manual check after pressing CTRL+ALT+DEL | Windows PowerShell script
Daily | Operator | Secpol.msc, manual check after pressing CTRL+ALT+DEL | Windows PowerShell script
Daily | Backup operator | Group Policy Management Console, Event Viewer operational log for Group Policy | Scheduled Task using Group Policy Management Console scripts
Daily | Operator | Secpol.msc | Windows PowerShell script
Daily | Operator | System properties | Drwtsn32
Monthly | Operator | DNS Admin tool, Dnscmd.exe |
Monthly | Operator | Active Directory Users and Computers |
Monthly | Operator | Dsquery.exe |
Monthly | Operator | |
Monthly | Operator | DNS Admin tool |
Monthly | Operator | |

Notes

Consult the Microsoft Identity and Access Management Series Solution Accelerator.

Look for global settings here, not detailed settings within Group Policy Management Console. This is only to make sure that Group Policy object application is not affected incorrectly.

Verify that share permissions set are not too weak. NTFS file system permissions should control access, not share permissions. Make sure that any shares created are really needed.

Ensure that all legacy LanManager protocols are removed and disabled.

Ensure that replication between domain controllers is configured and available.

Make sure that all domain controllers can replicate to other domain controllers, that none is orphaned, and that the topology is efficient.

Make sure the domain controllers are online and that the System Volume share is working.

Make sure that the key domain groups that have admin authority are not modified incorrectly. Make sure delegation was not granted to update (write) to Active Directory Domain Services objects incorrectly.

User rights should be assigned to groups, not to users. If a right is assigned directly to a user, it is difficult to alter when that user no longer needs it. Confirm for each domain controller.

This can possibly grant anonymous access.

This provides the highest level of Domain Name System security in Active Directory Domain Services.

Maintenance Activities

| Maintenance task (Title) | Health attribute | Health area | Health requirement | Frequency | Owner |
|---|---|---|---|---|---|
| Review the Remote Access Service account access policy, and update it to meet security policies. | Security | Authentication | Remote access | Monthly | Operator |
| Review User account properties, and update the Remote Desktop group to meet security policies. | Security | Authentication | Terminal Services/Remote Desktop | Monthly | Operator |
| Remove locked-out, disabled, or expired accounts. | Security | Authentication | Current accounts | Daily | Operator |
| Review the Active Directory Domain Services Expiration Dates policy. | Security | Certificate Maintenance | Current certificates | Monthly | Operator |
| Ensure that certificates are renewed. | Security | Certificate Maintenance | Current certificates | Weekly | Operator |
| Deny network authentication requests by malicious users who are located in a trusted forest network and have administrative credentials. | Security | Domain and Forest Trust Management | Secure trusting forest | Daily | Backup operator |
| No Override is disabled for all Active Directory Domain Services nodes (domains and all organizational units), and Block Policy Inheritance is not configured for Group Policy objects. | Security | Group Policy | Group Policy is working as expected. | Daily | Operator |
| Ensure that the most restrictive permissions are applied. | Security | Share Permissions | Shares are safe from unauthorized users. | Monthly | Operator |
| Remove shared folders that are no longer required. | Security | Shared Folders | Limit the number of shared folders. | Monthly | Operator |
| Verify and ensure that NTFS file system permissions are set appropriately on all shared folders and content in shared folders. | Security | NTFS File System Permissions | NTFS file system permissions should protect shared folders and all content from unauthorized users. | Semiannually | Operator |
| Change any security settings not set to the standard security policy. | Security | Group Policy | Servers are configured to the standard security policy. | Daily | Operator |
| Review the password policy for password length and complexity settings, and ensure that the policy matches company security requirements. | Security | Authentication | Strong passwords | Monthly | Operator |
| Review the password policy for the Maximum Password Age setting, and ensure that the setting matches organizational security requirements. | Security | Authentication | Maximum Password Age | Monthly | Operator |
| Review the password policy for the Minimum Password Age setting, and ensure that the setting matches organizational security requirements. | Security | Authentication | Minimum Password Age | Monthly | Operator |
| Review the password policy for the Minimum Password Length setting, and ensure that the setting matches organizational security requirements. | Security | Authentication | Minimum Password Length | Monthly | Operator |
| Review the Account Lockout policy, and ensure that it meets minimum organizational security policy requirements. | Security | Authentication | Account Lockout policy | Monthly | Operator |
| Review LanManager compatibility settings, and ensure that they meet minimum organizational security policy requirements. | Security | Authentication | LanManager authentication protocol | Monthly | Operator |
| Review LanManager authentication protocol hash storage settings, and ensure that they meet minimum organizational security policy requirements. | Security | Authentication | LanManager authentication protocol hash storage | Monthly | Operator |
| Review the certificate renewal policy. | Security | Certificate Maintenance | Current certificates | Monthly | Operator |
| Ensure that all domain controllers are in the Domain Controllers organizational unit. | Security | Domain Controller Security | All domain controllers receive the same Group Policy objects. | Monthly | Operator |
| Restore replication links between domain controllers and replication partners. | Availability | Replication | Healthy replication links are established between domain controllers and replication partners. | As needed | Operator |
| Remove excess replication connections between domain controllers in different sites. | Availability | Replication | Domain controllers within a forest are able to replicate with each other. | As needed | Operator |
| Verify that the replication intervals of site links between domain controllers in different sites meet company requirements. | Availability | Replication | Changes are properly replicated across the forest. | Daily | Operator |
| Restart the appropriate replication service, if required. | Availability | Replication | Changes are properly replicated across the forest. | As needed | Operator |
| Restart the Kerberos Key Distribution Center service, if required. | Availability | Replication | Updated domain controllers | As needed | Operator |
| Schedule tests on each domain controller. | Availability | Sysvol Share | The System Volume share is accessible on every domain controller. | Daily | Operator |
| Schedule a backup. | Continuity | Backup and Restore | Domain controller critical volumes are backed up. | Daily | Backup operator |
| Schedule a backup. | Continuity | Backup and Restore | Servers are backed up. | Daily | Backup operator |
| Schedule a backup. | Continuity | Backup and Restore | | Weekly | Backup operator |
| Schedule an authoritative restore of Active Directory Domain Services. | Continuity | Backup and Restore | Active Directory Domain Services is authoritatively restored. | Every three backups | Backup operator |
| Ensure that a test restoration is scheduled and verified. | Continuity | Backup and Restore | Restore Active Directory Domain Services from system state, critical-volumes, or a full server backup. | Monthly | Backup operator |
| Schedule a non-authoritative restore of Active Directory Domain Services. | Continuity | Backup and Restore | Active Directory Domain Services is non-authoritatively restored. | Every three backups | Backup operator |
| Schedule a test for a non-authoritative restore. | Continuity | Backup and Restore | Effective non-authoritative restore | Tied to restore | Backup operator |
| Schedule a test for an authoritative restore. | Continuity | Backup and Restore | Effective authoritative restore | Tied to restore | Backup operator |
| Remove inappropriately assigned administrative authority. | Appropriate Use | Administrative Authority | Appropriately assigned authority | As needed | Operator |
| Remove non-standard grants of Write access. | Appropriate Use | Administrative Authority | Appropriately assigned authority | As needed | Operator |
| Remove dangerous or unnecessary services that are not disabled. | Appropriate Use | Domain Controller | Domain controllers are free of dangerous services. | As needed | Operator |
| Remove dormant user accounts. | Appropriate Use | User Accounts | The network is free of unauthorized users. | As needed | Operator |
| Ensure that the membership of all domain groups that grant administrative privileges (for example, Administrators, Domain Admins, Enterprise Admins, Schema Admins, DNS Admins, DHCP Admins, Server Operators, Account Operators) meets least-privilege requirements. | Appropriate Use | Administrative Authority | Appropriately assigned authority | As needed | Operator |
| Remove user rights where they are assigned to users. | Appropriate Use | User Rights | Appropriately assigned authority | As needed | Operator |
| Troubleshoot slow response times. | Performance | Authentication Response Time | Expected response time | As needed | Operator |
| Troubleshoot Active Directory Domain Services nonresponsiveness. | Performance | General Response | Active Directory Domain Services is responsive. | As needed | Operator |
| Troubleshoot global catalog nonresponsiveness. | Performance | Global Catalog Search Response | The Active Directory Domain Services global catalog is responsive. | As needed | Operator |
| Troubleshoot operations master nonresponsiveness. | Performance | Operations Masters | Operations masters are responsive. | As needed | Operator |
| Troubleshoot why a domain controller is not advertising. | Performance | Domain Controller | The domain controller is advertising. | As needed | Operator |
| Ensure that the latest service pack and security updates are scheduled. | Patching | Updates and Configuration | The system is up to date with the latest service pack and security updates. | Daily | Operator |
| Change any user account permissions that have been set to Read access by default. | Privacy | Account Permissions | User information is private. | As needed | Operator |
| Synch domain controllers running the primary domain controller emulator with a valid external time source, if required. | Integrity | Windows Time Service | Domain controllers on the network are in time synchronization with each other. | As needed | Operator |
| Address the need for more available free space on the associated disk volumes. | Availability | Active Directory Domain Services Database | Adequate free space in the database | As needed | Operator |
| Verify the domain functional level and adjust it according to company requirements. | Security | Active Directory Domain Services Functional Level | Ensure that the functional level of the domain is at the highest level possible. | Once | Operator |
| Verify the forest functional level and adjust it according to company requirements. | Security | Active Directory Domain Services Functional Level | Ensure that the functional level of the forest is at the highest level possible. | Once | Operator |
| Verify that all Domain Name System (DNS) service records are in DNS for each domain controller and appropriate service, and update them when needed. | Availability | DNS SRV Records | Domain controller services are available. | Daily | Operator |
| Ensure that anonymous access to shares, the Security Accounts Management database/Active Directory Domain Services, and named pipes is negated. | Security | Anonymous Connections | Deny anonymous access. | Monthly | Operator |
| Verify membership in the Pre-Windows Compatible Access group. | Security | Anonymous Connections | Deny anonymous access. | Monthly | Operator |
| Ensure that no standard users can read key properties for administrative groups and users; deny access, if necessary. | Security | Lightweight Directory Access Protocol Access to Active Directory Domain Services | Deny Read access to key security groups and users for standard users. | Monthly | Operator |
| Verify that Encrypting File System is not enabled for domain controllers; disable, if necessary. | Security | Encrypting File System | Ensure that Encrypting File System is disabled for domain controllers. | Monthly | Operator |
| Verify that no user accounts have the Password never expires property configured; remove this setting, if necessary. | Security | Authentication | Ensure that user account passwords expire. | | |
| Check for Windows Firewall rules, and configure additional rules where appropriate. | Appropriate Use | Domain Controller | Domain controllers are free of dangerous network access. | Daily | Operator |
| Check for changes in administrative authority for Group Policy management; modify security to meet company security requirements. | Security | Group Policy | Appropriately assigned authority | Daily | Operator |
| Verify that audit policy settings are configured properly; modify audit policy settings to meet company security requirements. | Security | Auditing | Appropriately assigned audit policies | Daily | Operator |
| Verify that the name of the last user who logged on does not appear during logon; configure this setting not to show the name if it is displayed. | Security | Authentication | Restrict access to user names. | Daily | Operator |
| Verify that the logon banner is displayed during logon; configure it not to appear if it is displayed. | Security | Authentication | Display the company logon banner. | Daily | Operator |
| Ensure that accounts with administrator-level privilege have dual accounts or use User Account Control. | Appropriate Use | Administrative Authority | Appropriate logon access privilege level | Daily | Operator |
| Ensure that the crash dump file is configured to meet organizational requirements; modify settings to meet organizational security requirements. | Continuity | Domain Controllers | Configure the crash dump file. | Daily | Operator |
| Ensure that all Domain Name System (DNS) servers that support Active Directory Domain Services are Active Directory–integrated; configure only Active Directory–integrated DNS servers when appropriate. | Security | Domain Name System | Active Directory–integrated Domain Name System | Monthly | Operator |
| Ensure that the correct security is in place for all Dynamic Host Configuration Protocol services running on domain controllers; modify DNSUpdateProxy group membership where appropriate. | Appropriate Use | Dynamic Host Configuration Protocol | Dynamic Host Configuration Protocol service running on a domain controller | Monthly | Operator |
| Ensure that all domain controllers are in the appropriate site based on IP address; modify site membership where appropriate. | Continuity | Replication | Site configuration | Daily | Operator |
| Add global catalog servers to physical locations when required. | Continuity | Global Catalog Location | Global catalog servers must be available. | Monthly | Operator |
| Add Domain Name System servers to physical locations when required. | Continuity | Domain Name System Server Location | Domain Name System servers must be available. | Monthly | Operator |
| Add domain controllers to physical locations when required. | Continuity | Domain Controller Location | Domain controllers must be available. | Monthly | Operator |

Manual

Automation

Manual: Read written Remote Access Service access policies, and match them with the permissions in place. Automation: Review using the TripWire Compliance Management Pack for Microsoft System Center Operations Manager.

Review User account properties, and update the Remote Desktop group to meet security policies; Dsmod.exe; Dsquery.exe.

Use User Manager or Active Directory Users and Computers to remove invalid accounts.

Use Microsoft System Center Configuration Manager.

Manual: Use the Certificate Request Wizard in the Certificates console. Automation: Use Microsoft Certificate Lifecycle Manager 2007.

Manual: Use the Certificate Request Wizard in the Certificates console. Automation: Use Microsoft Certificate Lifecycle Manager 2007.

Exercise access control to manage user access to shared resources in Active Directory Users and Computers.

Apply Windows Service Hardening in Windows Server 2008 R2.

Verify and modify in Group Policy Management Console.

Use the Configure Your Server Wizard to configure settings.

Windows Explorer or Computer Management

Windows Explorer

Group Policy preferences

Group Policy

Windows Explorer

Group Policy

Group Policy Management Console, Secpol.msc

Group Policy

Group Policy Management Console, Secpol.msc

Group Policy

Group Policy Management Console, Secpol.msc

Group Policy

Group Policy Management Console, Secpol.msc

Group Policy

Group Policy Management Console, Secpol.msc

Group Policy

Group Policy Management Console, Secpol.msc

Group Policy

Group Policy Management Console, Secpol.msc

Group Policy

Active Directory Users and Computers, Dsquery.exe

Repladmin, Active Directory Sites and Services

Repladmin, Active Directory Sites and Services

Repladmin, Active Directory Sites and Services

Computer Management, Server Manager

Computer Management, Server Manager

Computer Management, Server Manager

Wbadmin

Wbadmin

Wbadmin

Wbadmin

Wbadmin

Ntdsutil

Wbadmin

Ntdsutil

Ntdsutil

Ntdsutil

Ntdsutil

Active Directory Users and Computers, Delegation Wizard

Active Directory Users and Computers, Delegation Wizard

Computer Management, Server Manager

Active Directory Users and Computers, Lightweight Directory Access Protocol queries

Active Directory Users and Computers, Lightweight Directory Access Protocol queries, Dsmod.exe, Dsquery.exe

Group Policy Restricted Groups

Group Policy

Varies

Varies

Varies

Varies

Varies

Windows Server Update Services

Windows Server Update Services

Active Directory Users and Computers, Lightweight Directory Access Protocol queries

Group Policy

Active Directory Users and Computers

Active Directory Domains and Trusts

Domain Name System Admin tool, Nslookup.exe, Dnscmd

Secpol.msc, Group Policy Management Console

Group Policy

Active Directory Users and Computers, Lightweight Directory Access Protocol queries, Dsquery.exe, Dsmod.exe

Group Policy

Active Directory Users and Computers, Delegation Wizard, Ldp.exe

Group Policy Management Console, Secpol.msc

Group Policy

Active Directory Users and Computers, Lightweight Directory Access Protocol queries

Server Manager, firewall

Group Policy

Group Policy Management Console, Delegation tabs, Advanced Group Policy Management

Group Policy Management Console, Secpol.msc

Group Policy

Secpol.msc, Group Policy Management Console

Group Policy

Secpol.msc, Group Policy Management Console

Group Policy

User Account Control, Group Policy

User Account Control, Group Policy Management Console, Secpol.msc

System Properties – setup and recovery

Wbadmin

Active Directory Users and Computers, Lightweight Directory Access Protocol queries, Dsquery.exe, Dsmod.exe

Group Policy

Active Directory Sites and Services

Active Directory Sites and Services

Dcpromo

Notes

Health Risks

| ID | Description | Probability (1–100%) | Impact (1–5) | Exposure | Mitigation strategy | Risk owner |
|---|---|---|---|---|---|---|
| 1 | Trust relationships are not appropriate, compromising identity and access. | 40% | 5 | 2 | Review trust and domain oversight; verify the need for existing trusts. | |
| 2 | Active Directory Domain Services object change management allows inappropriate changes to Group Policy objects. | 50% | 5 | 2.5 | Evaluate compliance with documented thresholds for classifying changes to ensure that Active Directory Domain Services object changes receive the correct level of scrutiny and approval. | |
| 3 | Domain controllers are not in compliance with corporate policy and/or management's stated baseline settings. | 60% | 5 | 3 | Policy settings are linked appropriately, and reviews include verification of account/password policy, audit and event log policy, and security options. | |
| 4 | Domain controller security is unknowingly compromised because of inadequate review of monitoring or maintenance activities. | 50% | 5 | 2.5 | Regular review of monitoring to ensure that specialized monitoring or security scanning is performed on domain controllers, incidents are managed and resolved appropriately and in a timely manner, and server configuration is reviewed and monitored for changes. | |
| 5 | Restoration of a domain controller results in compromising the entire Active Directory Domain Services service. | 70% | 5 | 3.5 | Procedures for restoring a domain controller are well understood, documented, and tested. | |
| 6 | Inappropriate administrator access: Former administrators who have left the Active Directory Domain Services group still have administrative access. | 25% | 3 | 0.75 | Management periodically changes the password for the DS Restore Mode Administrator account and logs that the change has been made. | |
| 7 | Flexible Single Master Operations roles are not configured appropriately, resulting in service degradation or inability of users to log on to the domain. | 25% | 4 | 1 | Periodically validate Flexible Single Master Operations roles and the appropriate number of domain controllers and global catalogs. | |
| 8 | Replication across forests is slow or broken. Access to data is affected or compromised. | 80% | 3 | 2.4 | Replication monitoring and maintenance activities are performed and reviewed. | |
| 9 | Domain controllers are out of time synchronization, resulting in degraded services. | 50% | 3 | 1.5 | Monitor and maintain time synchronization, and verify that the time source is valid. | |
| 10 | Active Directory Domain Services servers run out of database space. | 50% | 5 | 2.5 | Monitor capacity and initiate expansion (and any needed provisioning of hardware) with an appropriate lead time. | |
| 11 | User passwords are not secure. | | | 0 | Ensure that a password policy for domain and domain controllers is set to appropriate levels for User account passwords. | |
| 12 | User and group information is available to standard users. | | | 0 | Secure Lightweight Directory Access Protocol access to Active Directory Domain Services for standard users with regard to administrative groups and administrator accounts. | |
| 13 | Anonymous access is allowed to Active Directory Domain Services. | | | 0 | Restrict anonymous access to the domain controllers. | |
| 14 | Legacy authentication protocols are used and stored. | | | 0 | Deny the use of LanManager and NT LAN Manager as well as storage of these hashes for user passwords. | |
| 15 | Users will not be able to find domain controllers and the associated services running on them. | | | 0 | Ensure that Domain Name System (DNS) has all the correct information for domain controller DNS service records. | |
| 16 | Access to Active Directory Domain Services user names. | | | 0 | Ensure that Lightweight Directory Access Protocol Read access is negated to key accounts, anonymous connections are denied, and last user name displayed is denied. | |
| 17 | Inability to replicate between domain controllers because of incorrect site configurations. | | | 0 | Ensure that all domain controllers are in the correct Active Directory Domain Services site, the site topology is correct, intersite topology is configured correctly, and all replication events are successful. | |
| 18 | Inability to replicate between domain controllers because of incorrect Domain Name System configuration. | | | 0 | Ensure that all Domain Name System (DNS) service records for all domain controllers are correct, DNS is configured to Active Directory–integrated DNS, automatic updates are configured, and replication between DNS servers is set up correctly. | |

Standard Changes

| Proposed standard change | Category verified? | Approved by | Date for change development complete | Date for change release |
|---|---|---|---|---|
| Review membership in key Active Directory Domain Services security groups for correct membership. | | | | |
| Remove locked-out, disabled, or expired accounts. | | | | |
| Ensure that the most restrictive permissions are applied. | | | | |
| Remove shared folders that are no longer required. | | | | |
| Review key security settings such as password policy, audit policy, and user rights assignment for domain controllers. | | | | |
| Review the password policy for the Default Domain Policy or Group Policy object linked to a domain that establishes password policy for domain user accounts and most computer accounts. | | | | |
| Ensure that all domain controllers are in the Domain Controllers organizational unit. | | | | |
| Schedule backups of domain controllers, including system state. | | | | |
| Verify that domain controller backups were successful. | | | | |
| Remove inappropriately assigned administrative authority within Active Directory Domain Services or inappropriately assigned administrative authority produced through delegation. | | | | |
| Remove dangerous or unnecessary services that are not disabled. | | | | |
| Remove dormant user accounts. | | | | |
| Ensure that the latest service pack and security updates are scheduled. | | | | |

Acknowledgments

The Microsoft Operations Framework team acknowledges and thanks the people who produced Reliability Workbook for Active Directory. The following people were either directly responsible for or made a substantial contribution to the writing and development of this guide.

Contributors: Joe Coulombe, Microsoft; Jerry Dyer, Microsoft; Mike Kaczmarek, Microsoft; Don Lemmex, Microsoft; Derek Melber, Xtreme Consulting Group, Inc.; Betsy Norton-Middaugh, Microsoft

Reviewers: Jason Missildine; Steve Schofield; Sainath K.E.V.; Robert Stuczynski

Editors: Michelle Anderson, Xtreme Consulting Group, Inc.; Pat Rytkonen, Volt Technical Services

Copyright © 2010 Microsoft Corporation. This documentation is licensed to you under the Creative Commons Attribution License. To view a copy of this license, visit http://creativecommons.org/licenses/by/3.0/us or send a letter to Creative Commons, 543 Howard Street, 5th Floor, San Francisco, California, 94150, USA. When using this documentation, provide the following attribution: The Microsoft Operations Framework 4.0 is provided with permission from Microsoft Corporation. Microsoft, Active Directory, Forefront, Windows, and Windows Server are either registered trademarks or trademarks of Microsoft Corporation in the United States and/or other countries.
