Hi! Basically, default settings of Domain Controllers are not hardened. Every DC has by default the “Default Domain Controllers Policy” in place, but this GPO creates different escalation paths to Domain Admin if you have any members in Backup Operators or Server Operators for example. They can become Domain Admin. Start with replacing the “Default Domain Controllers Policy” and replace it with a new GPO that is more security-focused.
User Right Assignment:
- Access this computer from the network: Administrators, Authenticated Users, ENTERPRISE DOMAIN CONTROLLER
- Add workstations to a domain: Administrators
- Allow log on locally: Administrators, Backup Operators
- Backup files and directories: Administrators, Backup Operators
- Change the system time: LOCAL SERVICE, Administrators
- Debug Programs: Administrators
- Deny access to this computer from the network: Guests
- Deny log on through Remote Desktop Services: Guests
- Enable computer and user accounts to be trusted for delegation: Administrators
- Force shutdown from remote system: Administrators
- Load and unload device drivers: Administrators
- Restore files and directories: Administrators, Backup Operators
- Shutdown the system: Administrators
- Take ownership of files and objects: Administrators
Note: Remove Backup Operators if it is not in use.
Security Options:
- Devices – Prevent users from installing printer drivers: Enabled
- Domain Controller – Allow server operator to schedule tasks: Disabled
- Network access – Do not allow anonymous enumeration of SAM accounts: Enabled
- Network access – Do not allow anonymous enumeration of SAM accounts and shares: Enabled
- Network security – LAN Manager authentication level: Send NTLMv2 response only. Refuse LM & NTLM
The setting that has been marked with * needs more attention because it can break things, which means that it needs to be tested very well, before deploying it in production. There are two NTLM audit settings that need to be enabled to track down the use of NTLM.
- Network security – Restrict NTLM: Audit In-coming NTLM Traffic: Enable auditing for domain accounts
- Network security – Restrict NTLM: Audit NTM authentication in this domain: Enable all
Event 4624 with data fields like “Authentication Package” and “Package name (NTLM only)” needs to be filtered. If you see something like NTLMV1 at Package Name. It shows you that there is an application still using NTLMv1. Disabling NTLM immediately can have broken an application. Make sure this is tested properly.
Recommendation:
Configure all those recommended settings, but keep a sharp eye on the “LAN Manager Authentication Level”. It is recommended to use Send NTLMv2 response only and refusing LM & NTLM, but to test this properly.
Start the following test phase:
- Enable the two NTLM auditing policies and start monitoring to see if there are applications using NTLMv1. If you are confident that there are no legacy apps anymore.
- Start changing the policy to: “Send NTLMv2 response only and Refuse LM“.
- Now keep monitoring and if you are confident to make the ste.p
- Change the policy to: “Send NTLMv2 response only. Refuse LM & NTLM“.
Vanguard Summit 2019 – Vanguard Summit 2019 – Continuous Data Protection!
Vanguard Summit 2019 – Vanguard Summit 2019 – NAS Backup Sneak peek!!
Vanguard Summit 2019 – New Universal License overview!
Veeam Multi-Cloud Strategy & Components – Blog Post!
Step by Step Guide Veeam Backup for Office365 v2 Installation – Step by Step Guide!
VeeamON 2019 Coverage – v10 is coming!
VeeamON Forum France – Interviewed by LeMagIT: LeMagIT
MUG – Microsoft User Group – First event in Monaco! Join us!.
1 ping
[…] Hardening settings for domain controllers […]