We recently discussed the Red Forest concept as one of the latest trends in Active Directory security thinking which addresses some of the leading risks to infosec today. But what if you could start from scratch and build out a perfect domain controller hosting environment based on
- up-to-date understanding of Windows security and Active Directory risks including
- SID filtering flaw and its impact on domain security boundaries
- Pass-the-hash and golden tickets
- latest hardware and platform security technology like
- Secure boot
- TPM
- Secure virtualization
- Best practices such as
- Privileged Access Workstations
- 2-Factor authentication
- Clean source
- Secure admin enclave (aka Red Forest)
- Read-only domain controllers (or compensating controls)
What would it look like? And how close can you migrate your current environment to that golden standard?
In this real training for free ™ webinar we will discuss the ultimate up-to-date hardened Active Directory environment. And we mean a modern environment – one that leverages virtualization but does it securely. How do you securely host domain controllers as virtual machines? We will discuss risks that are often swept under the rug. In a virtual or physical DC situation you have a lot of people who can compromise AD. Besides Domain Admins, we’re talking about anyone with access to
|
Physical DCs
|
Virtual DCs
|
vCenter or whatever virtualization management solution you use.
Includes not just the vCenter application but all the other layers in the stack
· Operating system
· Database
|
|
?
|
Virtual console access and virtual removable media/usb
|
|
?
|
IPMI/ILO
|
?
|
?
|
Backups of the domain controller
|
?
|
?
|
Physical access to server hardware
|
?
|
?
|
Anyone who
· Can exploit a remote vulnerability on the server or admin workstation
· Can send an email that is opened on the admin workstation
· Owns or can hack a website that downloads content on the admin workstation
|
?
|
?
|
Let's see what it takes to deal with all of that. You can basically break the necessary steps into 4 areas:
- Active Directory hygiene
- Secure admin environment
- Protect domain controllers
- Secure admin forest (related to "red forest")
Helping me with this real training for free ™ event is Russell Rice from our sponsor, Skyport Systems and Allen Brokken from Ascent Solutions, who will briefly show you their hyper-secure infrastructure and discuss Skyport System's free Active Directory security assessment service.