Securing Active Directory
Summary
TLDRThe Windows Server Summit 2025 highlighted key updates in Active Directory security, including the introduction of enhanced policies like account lockout, LDAP signing, and the deprecation of legacy protocols. New features for Windows LAPS, such as passphrase support and automatic account management, were showcased. Best practices were emphasized, like avoiding weak passwords in scripts and the importance of migrating to Delegated Managed Service Accounts (DMSAs). Additionally, the session discussed the upcoming transition from NTLM to Kerberos and the need for upgrading Domain and Forest Functional Levels to leverage new features. A demo demonstrated how to configure these updates.
Takeaways
- ๐ **Account Lockout Policy**: Windows Server 2025 introduces a default account lockout policy for local admin accounts, preventing brute force attacks. The policy is set to lock out after 10 failed login attempts for 10 minutes.
- ๐ **LDAP Server Signing**: LDAP signing is enforced by default in Server 2025, with enhanced security requiring encrypted LDAP connections for accessing confidential attributes.
- ๐ **Deprecation of NetBIOS**: Server 2025 deprecates NetBIOS-based domain controller locator and introduces DNS-based discovery for more secure and efficient domain controller location.
- ๐ **New Features in LAPS**: Windows LAPS introduces automatic account management (enable, disable, rename), passphrase support (like 'correct horse battery staple'), readability enhancements, and image rollback detection for DC recovery.
- ๐ **LAPS Account Management**: Automatic management in LAPS can randomize local admin account names and enforce passphrase generation, making passwords easier to remember but still secure.
- ๐ **Common AD Security Mistakes**: Avoid storing passwords in scripts, group policies, or GPPs. Use LAPS for secure password management instead.
- ๐ **Machine Account Quota**: The default machine account quota in AD is 10, which allows unauthorized machines to join the domain. It's recommended to set this to 0 for stricter security.
- ๐ **AD Functional Levels**: Upgrading your Domain and Forest Functional Levels (DFL and FFL) unlocks new features like the AD recycle bin, protected users, and Jet 32K page sizing for Server 2025.
- ๐ **NLM Deprecation**: Microsoft has deprecated NetLogon (NLM) authentication, pushing for modern Kerberos authentication for better security. Audit your NLM usage and disable it where possible.
- ๐ **DMSA (Delegated Managed Service Accounts)**: DMSAs allow seamless migration from unmanaged service accounts, offering improved security, encryption, and the ability to authorize specific machines for access.
- ๐ **Best Practices for AD Security**: Avoid using unconstrained delegation, apply strong name mapping for certificates, and implement customized certificate templates rather than relying on default templates for better security.
Q & A
What are the key policy updates for Active Directory (AD) in Windows Server 2025?
-The key policy updates include the 'allow administrator account lockout' policy, which helps prevent brute force attacks on local admin accounts, and new settings for LDAP server signing requirements. Additionally, there are default settings for LDAP channel binding and LDAP client encryption, which now require encrypted LDAP connections for accessing sensitive AD attributes.
What is the purpose of the 'allow administrator account lockout' policy?
-This policy helps prevent brute force attacks on local admin accounts by locking the account after a set number of failed login attempts. The default setting allows up to 10 failed attempts before the account is locked for 10 minutes.
How does the deprecation of NLM (NetLogon) affect Windows Server 2025?
-With Windows Server 2025, NLM is deprecated, and administrators are encouraged to transition to Kerberos and modern authentication methods. External trusts using NLM may face compatibility issues, and NLM v1 will be disabled, making it crucial for organizations to migrate away from NLM.
What are the new features introduced in Windows LAPS (Local Administrator Password Solution) in Server 2025?
-The new features in Windows LAPS include automatic account management, passphrase support for easier-to-remember yet secure passwords, readability support to avoid confusing characters, and image rollback detection to ensure password state integrity during domain controller recoveries.
What is the advantage of using Delegated Managed Service Accounts (DMSA) in Windows Server 2025?
-DMSAs offer enhanced security and encryption for service accounts by ensuring that only authorized machines can request service tickets. They also provide automatic secret rotation and are protected by CreditGuard, improving both service account management and security.
What is the recommended setting for machine account quotas in Windows Server 2025 for better security?
-The recommended setting for machine account quotas is to set it to zero. By default, the machine account quota allows up to 10 machines to join the domain without administrative privileges. Setting this to zero helps to tighten control over domain joins.
How can administrators use passphrases with Windows LAPS?
-Administrators can configure LAPS to generate passphrases, which are easier to remember while maintaining password entropy. The passphrases can be set to a specific number of words, and the LAPS system ensures that they meet the security requirements of long and complex passwords.
What common AD security mistake involves using passwords in scripts or group policy preferences?
-Storing passwords in scripts or group policy preferences is a common AD security mistake. Even though this has been mitigated to some extent, passwords placed in scripts that reside in sysvol folders can still be accessible to all machines in the domain, posing a security risk.
What changes have been made regarding domain controller (DC) locator and NetBIOS to DNS mappings in Windows Server 2025?
-Windows Server 2025 has deprecated NetBIOS and mail slots for domain controller location discovery. New policies have been introduced to block NetBIOS-based discovery and map short NetBIOS names to fully qualified DNS names. These changes ensure more secure and modern DNS-based domain controller location methods.
How does Windows Server 2025 handle LDAP signing and encryption by default?
-In Windows Server 2025, LDAP signing is enforced by default, and LDAP client encryption is set to 'preferred.' This means that an encrypted LDAP connection is required to access confidential attributes on AD accounts and objects, enhancing security during directory operations.
Outlines
This section is available to paid users only. Please upgrade to access this part.
Upgrade NowMindmap
This section is available to paid users only. Please upgrade to access this part.
Upgrade NowKeywords
This section is available to paid users only. Please upgrade to access this part.
Upgrade NowHighlights
This section is available to paid users only. Please upgrade to access this part.
Upgrade NowTranscripts
This section is available to paid users only. Please upgrade to access this part.
Upgrade NowBrowse More Related Video
Windows Server Homelab: Implementing Security Policies | Fine-Grained Passwords
Installing and Configuring Active Directory, DNS, DHCP
Window Server 2008 R2 Tutorial - Create Active Directory User Account
17. Migrate Active Directory from Windows Server 2008 R2 to Server 2022
How to Set Up Active Directory on Windows Server 2022 | Full Step-by-Step Project!
6. How to Setup Active Directory Domain on Windows Server 2022 | A Step by Step Guide
5.0 / 5 (0 votes)
