Domain Controller Security Hardening

Security Hardenig çalışması ile Domain Controller hizmetleri güvenlik perspektifinden kontrol edilir. Tespit edilen eksikler ve ihtiyaçlar doğrultusunda gerekli düzeltmeler yapılarak, olası açıklar kapatılır. Bunların dışında güvenliği arttırıcı düzeltmeler yapılarak ta mevcut yapı sıkılaştırılarak daha güvenli bir hale getirilir.

Mevcut yapınızda bulunan “Default Domain Controller Policy” üzerinde aşağıdaki değişiklikleri yapmayınız. Domain Controller sunucularına uygulanacak politika için yeni bir GPO oluşturarak, yapınıza uygun sıkılaştırmaları ilk olarak test ortamınızda test edip, olumsuz etkisi olmadığı tespit edildikten sonra production ortamına uygulanmalıdır.

“T0 Security Policy” adında yeni bir GPO oluşturulur ve aşağıdaki konfigürasyonlar yapılır.

Computer Management

  • Administrator account enable edilir ve password  length min. 14 karakterlik verilir.
  • Local Administrators grubu kontrol edilir olmaması gereken accountlar çıkarılır.

USER RIGHT ASSIGNMENT

  • Access This computer from network: Administrators, Authenticated Users, ENTERPRISE DOMAIN CONTROLLERS
  • Add workstation to the domain: Administrators
  • Allow logon locally: Administrators, Enterprise Domain Controller
  • Back up files and directories: Administrator
  • Change the system time : Local System, Administrators
  • Change time zones: Administrators
  • Force shutdown the remote system: Administrators
  • Load un-load Drivers: Administrators
  • Logon on as a batch job: Administrators
  • Restore files and directories: Administrators
  • Shutdown the system: Administrators

SECURITY OPTIONS

  • Guest Account : Disable
  • Rename Administrator account: Ziyaretci
  • Guest rename: Ares
  • Audit: Audit use of Backup and Restore privilege: Enabled
  • Audit: Force Audit policy subcategory settings to override audit policy: Enabled
  • Audit: Shutdown system immediately : Enabled
  • Devices: Allowed to format and ejected removable media: Administrators
  • Devices: prevent users installing printer drivers: Enabled
  • Restricted CD-Rom access: Enabled
  • Devices: Restricted floppy access: Enabled
  • Domain Controller: Allow server operators to schedule tasks: Disable
  • Domain Controller: LDAP Server signing requirements: require signing
  • Domain Member Digital sign secure channel data: Enabled
  • İnteractive Logon: Display user information when the session is locked : user display name only
  • Interactive logon: Machine inactivity limit : 300 second
  • Microsoft network client: digital sign communications (always) :enabled
  • Microsoft network client: Send encrypted password to third party SMB Server: Disabled
  • Network access:Allow anonymous sid/name translation :disabled
  • Network access: Do not allow anonymous enumeration of SAM accounts: enabled
  • Network access: Do not allow anonymous enumeration of SAM accounts and shares: Disabled
  • Network access: Do not allow storage of passwords and credentials for network authentication :enabled
  • Network access: Let Everyone permissions apply to anonymous users: enable
  • Network Security: Configure encryption types allowed for kerberos: Des’ler kaldırılır.
  • Network security: do not store lan manager hash value next password change: enable
  • Network security: LAN Manager authentication level: Sent NTLM and refuse lm, ntlm
  • Domain controller: LDAP server signing requirements: Require signing
  • Network security: Minimum session security for NTLM SSP based (including secure RPC) servers: rquire NTLMV2, 128 Bits
  • Network security: Minimum session security for NTLM SSP based (including secure RPC) Clients: rquire NTLMV2, 128 Bits
  • Restrict NTLM: Audit NTLM Authentication in this domain: Enable all
  • Restrict NTLM: Audit incoming NTLM Trafffic : enable auditing for all users
  • Recovery console: Allow automatic administrative logon: Disabled
  • Shutdown: Clear virtual memory page file: Disabled
  • User Account Control: Only elevate UIAccess applications that are installed in secure locations: enabled
  • User Account Control: Admin Approval Mode for the Built-in Administrator account: Enabled
  • User Account Control: Switch to the secure desktop when prompting for elevation: Enabled
  • User Account Control: Run all administrators in Admin Approval Mode: enabled
  • User Account Control: Visualize file and registry write failures to per-user locations: Enabled
  • User Account Control: Detect application installations and prompt for elevation: Enabled
  • User Account Control: Behavior of the elevation prompt for administrators in Admin Approval Mode: Prompt for consent

PASSWORD POLICY

  • Enforce Password History: 24
    • Max password age: 30
    • Min password age: 1
    • Min password Length 14
    • Password Complexity: enable

ACCOUNT LOCKOUT POLICY

  • Account lockout duration:5
    • Account lockout threshold:5
    • Reset account lockout counter after: 5

REMOTE DESKTOP HARDENING YAPILIR

  • Set client connection encryption level:  Enable – High Secure

EVENT LOGS: konfigürasyonu aşağıdaki gibi yapılır.

Maximum Application log size : 1 GB
Maximum Security Log Size: 4 GB
Maximum System Log Size: 1 GB

Retention method for application log: as needed
Retention method for security log: as needed
Retention method for system log: as needed

WINDOWS FIREWALL ENABLE EDILIR. DOMAIN, PUBLIC, PRIVATE.

Inbound block (Default)
Outbound block (Default)

ADMINISTRATIVE TEMPLATES → WINDOWS COMPONENTS → WINDOWS POWERSHELL Enable yapmak için;

“Windows PowerShell” GPO, “Turn on Module Logging” enable edilir.
“Options” panel’den “show Module Name” buton’una tıklanır.
Module Names ekranında * all modules yazılır.
Ok tıklanır “Module Names”.
OK tıklanır “Module Logging”.

“Turn on autoplay  administrator\windows  components\auto policies\turn on autoplay” ile otomoatik olarak usb, dvd vs. çalışması engellenecektir.

COMMAND LINE LOGGING, CMD KOMUT SATIRINDA YAPILAN IŞLEMLER LOG’LANACAKTIR.

Administrative Templates\System\Audit Process Creation

RESTRICTED GROUPS POLICY KONFIGÜRASYONU YAPILIR.

Administrators: Administrator, Domain Admins, Enterprise Admins
Domain Admins: Administrator, Volkan
Enterprise Admins:
Schema Admins:
Server Operators: Server Admins
Backup Operators:
Print Operators:

REMOTE SESSION IDLE TIMES” KONFIGÜRASYONU ILE IDLE VE DISCONNECTED DURUMDA OLAN SESSION’LAR LOGOUT EDILIR.

Set time limit for disconnect sessions: Enabled 15 min.

Set time limit for active but idle Remote Desktop Services Sessions: enabled :1 hour

DNS HARDENING IÇIN AŞAĞIDAKI KONFIGÜRASYONLAR YAPILIR.
Advanced: Enabled automatic scavening of stale records enable yapılır.
DNS Debug log’lar enable edilir. Log file C:\DNSLogs, Max Log size:5 GB
Dynamic Updates: Secure only yapılır.
Aging: scavenge stale records 7 gün yapılır.