S 5.16 Active Directory
Description
Active Directory is a directory service developed by Microsoft that was introduced for the first time with the Windows 2000 Server operating system. Based on the Active Directory functions available in the Microsoft Windows 2000 Server operating system, additional key functions were added to the Active Directory service in the Windows Server 2003 family of operating systems.
Active Directory is mainly used in IT networks running primarily with Microsoft components. Active Directory stores information on the objects in an IT network, for example information on users or computers, and makes it easier for users and administrators to provide, organise, use, and monitor this information. Since Active Directory is an object-based directory service, it allows the administration of objects and their mutual relationships, which is exactly what forms the actual network environment. Active Directory provides central control and monitoring capabilities for the corresponding network. This type of directory service is especially useful in networks where the number of clients used in the network makes local administration difficult, for example. Without a directory service, it is impossible to guarantee the reliability of the settings to be specified locally, for example to implement the specifications of the security policies, because it would require too many personnel. Administration tasks in the network such as password changes, creating accounts, and specifying access rights can be performed more efficiently through the use of a directory service.
Scope of the module
This module examines the threats and safeguards which apply specifically to an Active Directory. General security recommendations for directory services can be found in module M 5.15 General directory service. The general safeguards described there are explained in detail and expanded upon in this module.
Threat scenario
The following typical threats to the IT-Grundschutz of an Active Directory are assumed to exist:
Force Majeure
| T 1.2 | Failure of the IT system |
Organisational Shortcomings
| T 2.1 | Lack of, or insufficient, rules |
| T 2.2 | Insufficient knowledge of rules and procedures |
| T 2.7 | Unauthorised use of rights |
| T 2.22 | Lack of or insufficient evaluation of auditing data |
| T 2.68 | Lack of, or inadequate, planning of Active Directory |
| T 2.126 | Inadequate logging of changes to an Active Directory |
| T 2.127 | Inadequate planning of data backup methods for domain controllers |
Human Error
| T 3.9 | Improper IT system administration |
| T 3.13 | Passing on false or internal information |
| T 3.16 | Incorrect administration of site and data access rights |
| T 3.49 | Incorrect configuration of Active Directory |
| T 3.88 | Errors in the assignment of access rights |
| T 3.89 | Errors in the configuration of LDAP access to directory services |
Technical Failure
| T 4.10 | Complexity of access possibilities to networked IT systems |
| T 4.13 | Loss of stored data |
| T 4.33 | Poor-quality or missing authentication |
| T 4.67 | Failure of directory services |
| T 4.68 | Disruptions in an Active Directory due to unnecessary file replication |
Deliberate Acts
| T 5.16 | Threat during maintenance/administration work |
| T 5.18 | Systematic trying-out of passwords |
| T 5.19 | Abuse of user rights |
| T 5.20 | Misuse of administrator rights |
| T 5.65 | Denial of services in a database system |
| T 5.71 | Loss of confidentiality of classified information |
| T 5.78 | DNS spoofing |
| T 5.85 | Loss of integrity of information that should be protected |
| T 5.144 | Compromising of directory services due to unauthorised access |
Method recommendation
To secure the information system examined, other modules will need to be implemented in addition to this module. These modules are selected based on the results of the IT-Grundschutz modelling process. However, module M 5.15 General directory service, which contains general recommendations for the overall security of directory services, also needs to be applied.
One prerequisite for providing appropriate protection of the data processed in the Active Directory is the corresponding protection of the underlying server operating system. Protection of the Microsoft Windows Server operating systems is not covered in this module and is handled in the corresponding modules in Layer 3 instead. Depending on the operating system selected, for the secure operation of an Active Directory it is necessary to take into account module M 3.8 Windows Server 2003 or M 3.9 Windows 2008 Server.
A series of safeguards need to be implemented to set up an Active Directory successfully, starting with the design and installation and continuing through operation of the server. The steps to be taken to accomplish this as well as the safeguards to be considered in each of the steps are listed in the following.
Planning and design
Safeguard S 3.64 Introduction to Active Directory is recommended as an introduction and should be considered first. It contains an overview of the structure of an Active Directory and the associated terminology.
The structure of the organisation must be determined before actually configuring the Active Directory so that the best possible configuration for the Active Directory can be derived from the organisational structure. Safeguard S 2.229 Planning Active Directory explains the approach to take in the planning phase as well as the domain concept of Active Directory.
S 2.230 Planning of Active Directory Administration deals with the basic administrative structure for a domain and contains the tasks to be performed and applications to be used by each administrative role.
Safeguard S 2.231 Planning of group policy under Windows covers the group policies for Windows operating systems that can be administered using Active Directory. Furthermore, the organisational structure and how to change the rights of administrative user accounts are explained in safeguard S 2.411 Separation of the administration of services and data of an Active Directory. The recommendations in S 2.412 Authentication protection when using Active Directory, which presents the changes to make to secure the directory service, are also derived from this safeguard.
To be able to guarantee integrity protection of a productive Active Directory environment by securing the DNS components, it is necessary to take the safeguard S 2.413 Secure use of DNS for Active Directory into account. Furthermore, S 2.414 Computer virus protection for domain controllers must be taken into account in terms of the specific differences when using virus protection programmes on domain controllers.
Purchasing
After completing the conceptional planning tasks and defining the purchasing criteria for the servers, a suitable licence model should be selected depending on the number of servers to be purchased and the selected operating system. If Windows Server 2003 is selected, then Resources for IT-Grundschutz will provide some support (see Selection of suitable licensing methods for Windows XP/Server 2003 in Resources for Windows Server 2003).
Implementation
Safeguard S 4.318 Implementation of secure administration methods for Active Directory must be considered in order to obtain a uniform security standard. Furthermore, the people responsible for the administration of the directory service must be familiarised with the tasks assigned to them based on the information provided in S 3.27 Training to Active Directory administration.
Due to their primary importance to the entire network environment, adequate physical protection of the domain controllers should be ensured by the organisation (see S 4.313 Provision of secure domain controllers). Furthermore, to be able to maintain the security standard in the network and prevent manipulation of the domain structure and its domain controllers, the policies mentioned in S 4.314 Secure policy settings for domains and domain controllers need to be implemented accordingly.
Under some circumstances, it will be necessary during the implementation phase to simultaneously migrate existing Windows directory services. Safeguard S 4.317 Secure migration of Windows directory services deals with the migration of these directory services, and especially with the migration of directory services from existing Windows NT Server systems.
Operation
Safeguards S 4.315 Maintenance of the operational reliability of an Active Directory and S 4.316 Monitoring the Active Directory infrastructure are intended to ensure that the corresponding systems in the information system are kept up to date in terms of their security. Furthermore, there are special requirements for the system settings due to the importance of domain controllers. These requirements are described in safeguard S 4.138 Configuration of Windows Server as a domain controller.
It is also necessary to carefully administer the Active Directory itself in addition to careful administration of the underlying operating system (see S 4.315 Maintenance of the operational reliability of an Active Directory). To be able to react promptly when problems arise, safeguard S 4.316 Monitoring the Active Directory infrastructure should be taken into account accordingly. This safeguard not only deals with the response when certain thresholds are exceeded, but also with the logging of all changes made to the system.
Disposal
The aspects to be taken into account for the proper disposal of domain controllers are described in detail in safeguard S 2.410 Orderly withdrawal of a directory service from operation.
Contingency Planning
Aspects relating to contingency planning for Active Directory are covered in safeguard S 6.108 Data backup for domain controllers.
The bundle of security safeguards for the "Active Directory" module is presented in the following:
Planning and design
| S 2.229 | (A) | Planning Active Directory |
| S 2.230 | (A) | Planning of Active Directory administration |
| S 2.231 | (A) | Planning of group policy under Windows |
| S 2.411 | (A) | Separation of the administration of services and data of an Active Directory |
| S 2.412 | (B) | Authentication protection when using Active Directory |
| S 2.413 | (C) | Secure use of DNS for Active Directory |
| S 2.414 | (B) | Computer virus protection for domain controllers |
| S 3.64 | (W) | Introduction to Active Directory |
Implementation
| S 3.27 | (A) | Training to Active Directory administration |
| S 4.313 | (A) | Provision of secure domain controllers |
| S 4.314 | (A) | Secure policy settings for domains and domain controllers |
| S 4.317 | (Z) | Secure migration of Windows directory services |
| S 4.318 | (A) | Implementation of secure administration methods for Active Directory |
| S 5.89 | (A) | Configuration of the Secure Channel under Windows |
Operation
| S 4.138 | (A) | Configuration of Windows Server as a domain controller |
| S 4.315 | (A) | Maintenance of the operational reliability of an Active Directory |
| S 4.316 | (B) | Monitoring the Active Directory infrastructure |
Disposal
| S 2.410 | (B) | Orderly withdrawal of a directory service from operation |
Contingency Planning
| S 6.108 | (C) | Data backup for domain controllers |