Tuesday, May 23, 2023

Default Domain Policy & Default Domain Controllers Policy Recommendations:

Default Domain Policy Recommendations:


1-    Password Policy
    *   Enforce password history 
Users who reuse and recycle their passwords are more susceptible to credential theft than others. Enable the enforce password history policy to require users to create a new and unique password every time they change it. This setting determines how many times a user has to change their password before reusing an old one.
    *   Set the minimum password age
Employees can override the password history setting by changing their passwords repeatedly until they can reuse their original passwords. To prevent this, set the minimum password age, and control how long users have to keep a password before changing it.
    *   Configure the maximum password age
The longer a password is used, the more susceptible it becomes to a brute-force attack. To overcome this, employees must change their passwords regularly. Configure the maximum password age to prompt employees for password changes periodically. This setting determines the time (in days), after which users need to change their passwords.
    *   Fix the minimum password length
Short passwords, though easy to remember, are prone to dictionary attacks while long passwords are easily forgotten, leading to frequent account lockouts. To strike the right balance, specify the minimum password length to determine the fewest number of characters required for users' passwords.
    *   Add password must meet complexity requirements
Weak passwords make it easy for hackers to perpetrate password guessing attacks. Enable password complexity requirements to implement stringent conditions for valid passwords. These conditions ensure strong passwords, which don't contain the users' names or parts of it, and require the use of alphanumeric characters and symbols, making them harder to guess.
    *   Disable reversible encryption
Storing passwords using reversible encryption means that they can be decrypted. This would allow any capable attacker to exploit your organization's vital resources through a compromised account. This is why it's recommended you disable reversible encryption for all users. The only exception is when you have an application requiring the user's password for authentication.


2-    Account Lockout Policy
    *   Enable the “Account lockout duration” policy
Setting the duration to zero will keep the account secure by locking the account until an admin unlocks it.
However, this also results in excessive requests to the help desk.
The recommended duration is between 30 and 60 minutes.
    *   Leverage the “Account lockout threshold” policy
This setting determines the number of failed sign-in attempts that will cause a user account to be locked.
If the account lockout threshold is set too low, accidental lockouts will be frequent. This could also make the account vulnerable to denial-of-service attacks since it's easier for the attacker to intentionally enter the wrong passwords to lock the account.
On the other hand, if the threshold is set too high, the probability of a successful brute-force attack increases as the attacker has more opportunities to try and guess the credentials. 
The recommended threshold is 15 to 50.
    *   Configure the “Reset account lockout counter after” policy
While calculating the “reset account lockout counter after” value, organizations need to keep in mind the type and level of security threats they face, balanced with the cost of help desk calls. This value should be less than or equal to the account lockout duration. 
The recommended setting is anything less than 30 minutes.


3-    Kerberos Policy

    *    Enforce User Logon Restrictions.
The KDC (Key Distribution Center) validates every request for a service ticket against the rights granted to the requesting account. This process takes extra time, and although it is somewhat more secure, it might slow access to network resources, so it can be disabled if needed.
The recommended setting is enabled (the default).

    *    Maximum Lifetime For Service Ticket.
This setting specifies in minutes how long a service ticket can be used before a new ticket must be requested to access the resource the ticket was granted for. 
The default is 600 minutes or 10 hours. The minimum allowed value is 10 minutes, and the maximum value is equal to the “Maximum lifetime for user ticket” setting.

    *    Maximum Lifetime For User Ticket.
This setting is the maximum amount of time in hours a TGT (ticket-granting ticket) can be used before it must be renewed or a new one must be requested.
The default value is 10 hours.

    *    Maximum Lifetime For User Ticket Renewal.
This setting, specified in days, is the maximum period during which a TGT can be renewed. 
In this period, a TGT can be renewed without having to go through the full authentication process. After this period has expired (or the account logs off), a new TGT must be requested.
The default setting is 7 days. 

    *    Maximum Tolerance For Computer Clock Synchronization.
This setting determines the maximum time difference allowed between a Kerberos message timestamp and the receiving computer’s current time. 
If the time difference falls outside this limit, the message is considered invalid. 
Timestamp messages are corrected for time zone, so it’s important to have the correct time zone set on all computers in the domain and have the domain controller clocks synchronized with a reliable source. By default, member computers are synchronized with the DC’s clock.
The default is 5 minutes.
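As an added example (not part of the original post), the following PowerShell script reads the domain's effective password and lockout policy with Get-ADDefaultDomainPasswordPolicy, reads the Kerberos policy from a secedit export, and flags values that fall outside the recommendations in the three sections above. It assumes the RSAT ActiveDirectory module is installed and that it is run with administrative rights on a domain controller.

```powershell
# Added example, not from the original post. Assumes the RSAT ActiveDirectory
# module and administrative rights on a domain controller (secedit exports the
# effective local policy, which on a DC includes the domain Kerberos policy).
Import-Module ActiveDirectory

$p = Get-ADDefaultDomainPasswordPolicy
$results = [System.Collections.Generic.List[object]]::new()
function Add-Check($Name, $Value, $Ok) {
    $results.Add([pscustomobject]@{ Setting = $Name; Value = "$Value"; Status = $(if ($Ok) { 'OK' } else { 'REVIEW' }) })
}

# Password policy: the post gives no numeric targets, so only confirm that each
# control is turned on; tighten the thresholds to your own standard.
Add-Check 'Enforce password history'       $p.PasswordHistoryCount        ($p.PasswordHistoryCount -ge 1)
Add-Check 'Minimum password age'           $p.MinPasswordAge              ($p.MinPasswordAge -gt [TimeSpan]::Zero)
Add-Check 'Maximum password age'           $p.MaxPasswordAge              ($p.MaxPasswordAge -gt [TimeSpan]::Zero)
Add-Check 'Minimum password length'        $p.MinPasswordLength           ($p.MinPasswordLength -ge 1)
Add-Check 'Complexity requirements'        $p.ComplexityEnabled           $p.ComplexityEnabled
Add-Check 'Reversible encryption disabled' $p.ReversibleEncryptionEnabled (-not $p.ReversibleEncryptionEnabled)

# Account lockout: duration 30-60 min, threshold 15-50, reset window under
# 30 min and no longer than the lockout duration (durations are TimeSpans).
$dur = $p.LockoutDuration.TotalMinutes; $win = $p.LockoutObservationWindow.TotalMinutes
Add-Check 'Account lockout duration'    $p.LockoutDuration          ($dur -ge 30 -and $dur -le 60)
Add-Check 'Account lockout threshold'   $p.LockoutThreshold         ($p.LockoutThreshold -ge 15 -and $p.LockoutThreshold -le 50)
Add-Check 'Reset lockout counter after' $p.LockoutObservationWindow ($win -lt 30 -and $win -le $dur)

# Kerberos policy: secedit writes it under [Kerberos Policy] as MaxTicketAge
# (hours), MaxRenewAge (days), MaxServiceAge (minutes), MaxClockSkew (minutes)
# and TicketValidateClient (1 = enforce user logon restrictions).
$cfg = Join-Path $env:TEMP 'secpol-export.inf'
secedit /export /cfg $cfg /areas SECURITYPOLICY | Out-Null
$k = @{}; $inKerb = $false
foreach ($line in Get-Content $cfg) {
    if ($line -match '^\[(.+)\]') { $inKerb = ($Matches[1] -eq 'Kerberos Policy'); continue }
    if ($inKerb -and $line -match '^(\w+)\s*=\s*(-?\d+)') { $k[$Matches[1]] = [int]$Matches[2] }
}
Remove-Item $cfg -ErrorAction SilentlyContinue
Add-Check 'Enforce user logon restrictions'   $k.TicketValidateClient ($k.TicketValidateClient -eq 1)
Add-Check 'Max service ticket lifetime (min)' $k.MaxServiceAge        ($k.MaxServiceAge -ge 10 -and $k.MaxServiceAge -le 60 * $k.MaxTicketAge)
Add-Check 'Max user ticket lifetime (hours)'  $k.MaxTicketAge         ($k.MaxTicketAge -eq 10)
Add-Check 'Max ticket renewal (days)'         $k.MaxRenewAge          ($k.MaxRenewAge -eq 7)
Add-Check 'Max clock skew (min)'              $k.MaxClockSkew         ($k.MaxClockSkew -eq 5)

$results | Format-Table -AutoSize
```

A lockout duration of 0 (locked until an administrator unlocks) is reported as REVIEW here because it falls outside the 30 to 60 minute range recommended above, not because it is insecure.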


Default Domain Controllers Policy Recommendations:


1-    User Rights Assignment Policy
*    Access Credential Manager as a trusted caller: No one (empty value)
Access to the Credential Manager is granted during Windows logon only to the user who is logging on. 
Saved user credentials might be compromised if someone else has this privilege.

*    Access this computer from the network: Administrators, Authenticated Users
This right is required for users to connect to the computer and its resources, such as SMB shares, shared printers, COM+, etc. If you remove this user right on the DC, no one will be able to log on to the domain.
Note: Remote Desktop Services are not affected by this user right.

*    Allow log on locally: Administrators.
The default configuration includes the Users group, which allows a standard user to log on to the server console. Limit this privilege only to administrators.

*    Allow log on through Remote Desktop Services: Administrators, Remote Desktop Users
Note: On the DC, it is recommended to allow only administrators to connect via RDP.

*    Back up files and directories: Administrators
This is a sensitive privilege that allows a user to bypass NTFS permissions (only via an NTFS API interface, such as NTBACKUP). A malicious user could back up data and restore it on a different computer, thereby gaining access to it.

*    Deny access to this computer from the network / Deny log on through Terminal Services: Local accounts and Administrators group (built-in), Guests
The default value is only Guests. You should add the second group to prevent pass-the-hash attacks: if a local elevated account is compromised, it cannot be used to elevate privileges on any other network resource or to access it via RDP.

*    Force shutdown from a remote system / Shut down the system: Administrators
Only administrators should be able to shut down any server, to prevent denial-of-service (DoS) attacks.

*    Manage auditing and security log: Administrators
This is a sensitive privilege, as anyone with these rights can erase important evidence of unauthorized activity.
Note: If you are running MS Exchange, the “Exchange Servers” group must be added to DCs.

*    Restore files and directories: Administrators
Attackers with this privilege can overwrite data, or even executable files used by legitimate administrators, with versions that include malicious code.

*    Take ownership of files or other objects: Administrators
A user with this privilege can take control (ownership) of any object, such as a file or folder, and expose sensitive data.

*    Deny log on as a batch job / Deny log on as a service / Deny log on locally: Guests
To increase security, you should include the Guests group in these three settings.

*    Debug programs / Profile single process / Profile system performance: Administrators
This setting allows a user to attach a debugger to a system or process, thereby accessing critical, sensitive data. It can be used by attackers to collect information about running critical processes, or which users are logged on.

*    Change the system time: Administrators, Local Service
Changes in system time might lead to DoS issues, such as the inability to authenticate to the domain. The Local Service role is required for the Windows Time service, VMware Tools service, and others to synchronize system time with the DC or ESXi host.

*    Create a token object: No one (empty value)
Users with the ability to create or modify access tokens can elevate any currently logged on account, including their own.

*    Impersonate a client after authentication: Administrators, Local Service, Network Service, Service
An attacker with this privilege can create a service, trick a client into connecting to that service, and then impersonate that account.
Note: For servers running Internet Information Services (IIS), the "IIS_IUSRS" account must also be added.

*    Load and unload device drivers: Administrators
Malicious code can be installed that pretends to be a device driver. Administrators should only install drivers with a valid signature.
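To verify the user rights assignment above on a domain controller, here is an added PowerShell audit script (not from the original post). It exports the effective policy with secedit and compares each right with the recommended principals, expressed as their well-known SIDs (S-1-5-32-544 Administrators, S-1-5-11 Authenticated Users, S-1-5-32-555 Remote Desktop Users, S-1-5-32-546 Guests, S-1-5-114 Local account and member of Administrators group, S-1-5-19/20/6 Local Service, Network Service and Service). The Exchange and IIS additions mentioned in the notes are not included and will show up as extras where they apply.

```powershell
# Added example, not from the original post. Run elevated on the DC; secedit
# exports the effective user rights assignment as "Right = *SID,*SID,...".
$A = 'S-1-5-32-544'; $G = 'S-1-5-32-546'; $LA = 'S-1-5-114'   # Administrators, Guests, local account & admin
$rec = @{
    SeTrustedCredManAccessPrivilege = @(); SeCreateTokenPrivilege = @()            # No one
    SeNetworkLogonRight             = @($A, 'S-1-5-11')                            # + Authenticated Users
    SeInteractiveLogonRight         = @($A)
    SeRemoteInteractiveLogonRight   = @($A, 'S-1-5-32-555')                        # + Remote Desktop Users
    SeDenyNetworkLogonRight         = @($LA, $G); SeDenyRemoteInteractiveLogonRight = @($LA, $G)
    SeDenyBatchLogonRight = @($G); SeDenyServiceLogonRight = @($G); SeDenyInteractiveLogonRight = @($G)
    SeSystemtimePrivilege           = @($A, 'S-1-5-19')                            # + Local Service
    SeImpersonatePrivilege          = @($A, 'S-1-5-19', 'S-1-5-20', 'S-1-5-6')     # + Local/Network Service, Service
}
foreach ($r in 'SeBackupPrivilege','SeRemoteShutdownPrivilege','SeShutdownPrivilege','SeSecurityPrivilege',
               'SeRestorePrivilege','SeTakeOwnershipPrivilege','SeDebugPrivilege','SeProfileSingleProcessPrivilege',
               'SeSystemProfilePrivilege','SeLoadDriverPrivilege') { $rec[$r] = @($A) }  # Administrators only

function Resolve-Sid([string]$Sid) {
    try { ([System.Security.Principal.SecurityIdentifier]$Sid).Translate([System.Security.Principal.NTAccount]).Value }
    catch { $Sid }   # unresolvable (e.g. orphaned) SIDs are shown raw
}

$cfg = Join-Path $env:TEMP 'user-rights.inf'
secedit /export /cfg $cfg /areas USER_RIGHTS | Out-Null
$actual = @{}
foreach ($line in Get-Content $cfg) {
    if ($line -match '^(Se\w+)\s*=\s*(.*)$') {
        $actual[$Matches[1]] = @($Matches[2] -split ',' | ForEach-Object { $_.Trim().TrimStart('*') } | Where-Object { $_ })
    }
}
Remove-Item $cfg -ErrorAction SilentlyContinue

$report = foreach ($right in $rec.Keys | Sort-Object) {
    $have    = @($actual[$right])                       # a right absent from the export is held by no one
    $extra   = $have | Where-Object { $_ -notin $rec[$right] }
    $missing = $rec[$right] | Where-Object { $_ -notin $have }
    if ($extra -or $missing) {
        [pscustomobject]@{
            Right   = $right
            Extra   = ($extra   | ForEach-Object { Resolve-Sid $_ }) -join ', '
            Missing = ($missing | ForEach-Object { Resolve-Sid $_ }) -join ', '
        }
    }
}
$report | Format-Table -AutoSize
```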


2-    Audit Policy
The following advanced security audit policy settings are recommended:
*    Account Logon
Audit Credential Validation: Success and Failure

*    Account Management
Audit Computer Account Management: Success and Failure
Audit Other Account Management Events: Success and Failure
Audit Security Group Management: Success and Failure
Audit User Account Management: Success and Failure

*    DS Access (Directory Service Access)
Audit Directory Service Access: Success and Failure on DC
Audit Directory Service Changes: Success and Failure on DC

*    Logon/Logoff
Audit Account Lockout: Success
Audit Logoff: Success
Audit Logon: Success and Failure
Audit Special Logon: Success and Failure

*    Object Access 
Enable these settings only if you have a specific use for the data that will be logged, because they can cause a large volume of entries to be generated in your Security logs.

*    Policy Change
Audit Audit Policy Change: Success and Failure
Audit Authentication Policy Change: Success and Failure

*    Privilege Use
Enable these settings only if you have a specific use for the data that will be logged, because they can cause a large volume of entries to be generated in your Security logs.

*    Process Tracking (Detailed Tracking)
Audit Process Creation: Success
Enable these settings only if you have a specific use for the information that will be logged, because they can cause a large volume of entries to be generated in your Security logs.

*    System
Audit Security State Change: Success and Failure
Audit Other System Events: Success and Failure
Audit System Integrity: Success and Failure
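The effective audit policy can be checked against the list above with auditpol, which reports what is actually in force after the Default Domain Controllers Policy applies. The following PowerShell script is an added example (not from the original post); it assumes it runs elevated on the domain controller and treats a "Success" recommendation as satisfied when "Success and Failure" is configured.

```powershell
# Added example, not from the original post. Run elevated on the DC.
$recommended = @{
    'Credential Validation'           = 'Success and Failure'
    'Computer Account Management'     = 'Success and Failure'
    'Other Account Management Events' = 'Success and Failure'
    'Security Group Management'       = 'Success and Failure'
    'User Account Management'         = 'Success and Failure'
    'Directory Service Access'        = 'Success and Failure'
    'Directory Service Changes'       = 'Success and Failure'
    'Account Lockout'                 = 'Success'
    'Logoff'                          = 'Success'
    'Logon'                           = 'Success and Failure'
    'Special Logon'                   = 'Success and Failure'
    'Audit Policy Change'             = 'Success and Failure'
    'Authentication Policy Change'    = 'Success and Failure'
    'Process Creation'                = 'Success'
    'Security State Change'           = 'Success and Failure'
    'Other System Events'             = 'Success and Failure'
    'System Integrity'                = 'Success and Failure'
}

# auditpol /r emits CSV with the columns Machine Name, Policy Target, Subcategory,
# Subcategory GUID, Inclusion Setting, Exclusion Setting.
$actual = @{}
foreach ($row in (auditpol /get /category:* /r | Where-Object { $_ } | ConvertFrom-Csv)) {
    $actual[$row.Subcategory] = $row.'Inclusion Setting'
}

function Test-AuditSetting([string]$Required, [string]$Configured) {
    # Every required part ('Success', 'Failure') must be present in the
    # configured value; 'No Auditing' therefore satisfies nothing.
    $need = $Required -split ' and '
    $have = $Configured -split ' and '
    foreach ($n in $need) { if ($n -notin $have) { return $false } }
    return $true
}

$report = foreach ($sub in $recommended.Keys | Sort-Object) {
    $cfg = $actual[$sub]
    if (-not $cfg) { $cfg = 'not found' }
    [pscustomobject]@{
        Subcategory = $sub
        Recommended = $recommended[$sub]
        Configured  = $cfg
        Status      = $(if (Test-AuditSetting $recommended[$sub] $cfg) { 'OK' } else { 'REVIEW' })
    }
}
$report | Format-Table -AutoSize
```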
