Tag Archive: DNS hardening


Some interesting sites:

Windows 10 security hardening:

https://www.asd.gov.au/publications/protect/Hardening_Win10.pdf

Delegate WMI access to domain controllers:

This post originally came about after several customers asked how to remove user accounts from Domain Admins and the Administrators group in the domain. These accounts are needed to monitor the systems, so we needed to find a way to get them to read the instrumentation of the system with non-elevated privileges.

https://blogs.technet.microsoft.com/askpfeplat/2018/04/30/delegate-wmi-access-to-domain-controllers/


Reference articles to secure a Windows domain:

https://github.com/PaulSec/awesome-windows-domain-hardening

Microsoft audit Policy settings and recommendations:

https://docs.microsoft.com/en-us/windows-server/identity/ad-ds/plan/security-best-practices/audit-policy-recommendations

Sysinternals Sysmon:

https://onedrive.live.com/view.aspx?resid=D026B4699190F1E6!2843&ithint=file%2cpptx&app=PowerPoint&authkey=!AMvCRTKB_V1J5ow

On ADsecurity.org:

Beyond domain admins: https://adsecurity.org/?p=3700

Gathering AD data with PowerShell: https://adsecurity.org/?p=3719

Hardening Windows computers, secure baseline checklist: https://adsecurity.org/?p=3299

Hardening Windows domain, secure baseline checklist: Securing Domain Controllers to Improve Active Directory Security

Domain hardening in general:


List of items:

  • Setting up a jump server
  • Domain joining of all Windows boxes
  • Proper account management based on privileges
  • Use of dedicated service accounts to run applications instead of local system accounts
  • Review of existing AD accounts, deletion of unnecessary accounts, review of OU structuring, GPOs etc.
  • Honeytoken account creation on local boxes as well as in the domain
  • GPO changes: disable guest accounts across systems, Restricted Admin mode for RDP, password policy changes, disable Internet access from member servers
  • GPO for the jump server implementation based on the PAW (Privileged Access Workstation) GPO settings
  • Rename the existing built-in Administrator account and lock it down
  • Sysmon deployment and WEF setup (a WEC collecting the Sysmon events)
  • PingCastle review to assess AD security
  • FGPP (fine-grained password policy) implementation
  • LAPS (Local Administrator Password Solution) implementation
  • Process for proper cleanup of unused AD accounts
  • Reset of the krbtgt account (twice, at least one maximum ticket lifetime apart), the Domain Admins accounts and the IT administrator accounts
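Several of the checklist items above (renamed built-in Administrator, disabled Guest, krbtgt age, privileged group review, stale-account cleanup, Kerberos-weakening flags) can be verified from one read-only sweep. The script below is an added example, not code from the original post or from any of the linked references. It assumes the ActiveDirectory RSAT module on a domain-joined host; the 90-day stale threshold and the 180-day krbtgt threshold are assumptions chosen for illustration, not values from the page.

```powershell
# Added example (not from the original page): read-only sweep over several
# items of the domain hardening checklist. Needs the ActiveDirectory RSAT
# module on a domain-joined host. Thresholds are assumptions, not page values.
Import-Module ActiveDirectory

function Get-DomainHardeningReport {
    [CmdletBinding()]
    param(
        [int] $StaleDays        = 90,    # assumption: no logon for this long => cleanup candidate
        [int] $KrbtgtMaxAgeDays = 180    # assumption: rotate krbtgt at least this often
    )

    $domain    = Get-ADDomain
    $domainSid = $domain.DomainSID.Value
    $findings  = New-Object System.Collections.Generic.List[string]

    # Built-in Administrator (RID 500) and Guest (RID 501) are looked up by SID,
    # so the check keeps working after the Administrator account has been renamed.
    $builtinAdmin = Get-ADUser -Identity "$domainSid-500" -Properties PasswordLastSet, LastLogonDate
    $guest        = Get-ADUser -Identity "$domainSid-501"
    if ($builtinAdmin.SamAccountName -eq 'Administrator') {
        $findings.Add('Built-in Administrator (RID 500) still carries its default name.')
    }
    if ($guest.Enabled) { $findings.Add('Domain Guest account is enabled.') }

    # krbtgt: a long-lived krbtgt secret keeps forged TGTs (Golden Tickets) valid.
    # Reset it twice, at least 10 hours (default maximum ticket lifetime) apart,
    # so that tickets issued under the old key expire before the second reset.
    $krbtgt    = Get-ADUser -Identity krbtgt -Properties PasswordLastSet
    $krbtgtAge = ((Get-Date) - $krbtgt.PasswordLastSet).TotalDays
    if ($krbtgtAge -gt $KrbtgtMaxAgeDays) {
        $findings.Add(('krbtgt password is {0:N0} days old (threshold {1}).' -f $krbtgtAge, $KrbtgtMaxAgeDays))
    }

    # Privileged group membership, resolved through nested groups.
    $domainAdmins = @(Get-ADGroupMember -Identity 'Domain Admins' -Recursive |
        Where-Object { $_.objectClass -eq 'user' })
    foreach ($m in $domainAdmins) {
        $u = Get-ADUser -Identity $m.DistinguishedName -Properties PasswordNeverExpires, ServicePrincipalName
        if ($u.PasswordNeverExpires) {
            $findings.Add("Domain Admin $($u.SamAccountName) has PasswordNeverExpires set.")
        }
        # An admin account with SPNs is a Kerberoasting target; services belong in
        # dedicated, non-privileged service accounts (checklist item above).
        if ($u.ServicePrincipalName.Count -gt 0) {
            $findings.Add("Domain Admin $($u.SamAccountName) has SPNs registered (Kerberoast target).")
        }
    }

    # Enabled users with no logon inside the window: input for the cleanup process.
    $stale = @(Search-ADAccount -UsersOnly -AccountInactive -TimeSpan ([TimeSpan]::FromDays($StaleDays)) |
        Where-Object { $_.Enabled })

    # Accounts that weaken Kerberos: no pre-authentication (AS-REP roasting) or
    # reversible password encryption.
    $weak = @(Get-ADUser -Filter "Enabled -eq 'True'" -Properties DoesNotRequirePreAuth, AllowReversiblePasswordEncryption |
        Where-Object { $_.DoesNotRequirePreAuth -or $_.AllowReversiblePasswordEncryption })

    [pscustomobject]@{
        BuiltinAdminName  = $builtinAdmin.SamAccountName
        GuestEnabled      = [bool]$guest.Enabled
        KrbtgtAgeDays     = [math]::Round($krbtgtAge)
        DomainAdminCount  = $domainAdmins.Count
        StaleEnabledUsers = @($stale | Select-Object -ExpandProperty SamAccountName)
        WeakKerberosUsers = @($weak  | Select-Object -ExpandProperty SamAccountName)
        Findings          = $findings
    }
}

# Usage: run as a user with read access to the domain; nothing is modified.
Get-DomainHardeningReport | Format-List
```

The report is deliberately read-only: the krbtgt reset, account renames and deletions belong in a change window, and the krbtgt reset in particular must be done twice with replication and at least one ticket lifetime in between, or live sessions across the domain break.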

How to improve Windows DNS security (hardening):

Resources:

DNS logging (audit and analytics): https://technet.microsoft.com/en-us/library/dn800669(v=ws.11).aspx

Secure DNS Deployment Guide: https://technet.microsoft.com/en-us/library/ee649266%28v=ws.10%29.aspx

DNS security part 1: http://www.windowsecurity.com/articles-tutorials/misc_network_security/DNS-Security-Part-1.html

DNS security part 2: http://www.windowsecurity.com/articles-tutorials/windows_server_2008_security/DNS-Security-Part2.html

Understand man in the middle attack: http://www.windowsecurity.com/articles-tutorials/authentication_and_encryption/Understanding-Man-in-the-Middle-Attacks-ARP-Part2.html

External DNS Server Hardening: https://technet.microsoft.com/en-us/library/ee649266%28v=ws.10%29.aspx

Note: Root hints are used to let the DNS server know where to start the recursion process. Root hints normally point to the Internet root DNS servers so that you can resolve public host names using recursion.

However, if you don’t need to resolve public host names, you can edit the root hints file so that it only contains DNS servers on your intranet. By doing this, you can avoid sending private information about possible internal host names to public DNS servers.

Securing DNS with DNSSEC: http://www.windowsecurity.com/articles-tutorials/misc_network_security/Securing-DNS-Connections-Windows-Server-2008-R2-DNSSEC.html


Mitigating DNS security weaknesses:

Low-Level Security

Low-level security is a standard DNS deployment without any security precautions configured. You should deploy this level of DNS security only in network environments where there is no concern for the integrity of your DNS data or in a private network where there is no threat of external connectivity:

  • The DNS infrastructure of your organization is fully exposed to the Internet.
  • Standard DNS resolution is performed by all DNS servers in your network.
  • All DNS servers are configured with root hints pointing to the root servers for the Internet.
  • All DNS servers permit zone transfers to any server.
  • All DNS servers are configured to listen on all of their IP addresses.
  • Cache pollution prevention is disabled on all DNS servers.
  • Dynamic update is allowed for all DNS zones.
  • UDP and TCP port 53 are open on the firewall for your network for both source and destination addresses.

Medium-Level Security

Medium-level security uses the DNS security features that are available without running DNS servers on domain controllers and storing DNS zones in Active Directory:

  • The DNS infrastructure of your organization has limited exposure to the Internet.
  • All DNS servers are configured to use forwarders to point to a specific list of internal DNS servers when they cannot resolve names locally.
  • All DNS servers limit zone transfers to servers that are listed in the name server (NS) resource records in their zones.
  • DNS servers are configured to listen on specified IP addresses.
  • Cache pollution prevention is enabled on all DNS servers.
  • Dynamic update that is not secure is not allowed for any DNS zones.
  • Internal DNS servers communicate with external DNS servers through a firewall with a limited list of allowed source addresses and destination addresses.
  • External DNS servers in front of the firewall are configured with root hints that point to the root servers for the Internet.
  • All Internet name resolution is performed by using proxy servers and gateways.

High-Level Security

High-level security uses the same configuration as medium-level security. It also uses the security features that are available when the DNS Server service is running on a domain controller and DNS zones are stored in Active Directory. In addition, high-level security completely eliminates DNS communication with the Internet. This is not a typical configuration, but it is recommended whenever Internet connectivity is not required:

  • The DNS infrastructure of your organization has no Internet communication by means of internal DNS servers.
  • Your network uses an internal DNS root and namespace, where all authority for DNS zones is internal.
  • DNS servers that are configured with forwarders use internal DNS server IP addresses only.
  • All DNS servers limit zone transfers to specified IP addresses.
  • DNS servers are configured to listen on specified IP addresses.
  • Cache pollution prevention is enabled on all DNS servers.
  • Internal DNS servers are configured with root hints that point to the internal DNS servers that host the root zone for your internal namespace.
  • All DNS servers are running on domain controllers. A discretionary access control list (DACL) is configured on the DNS Server service to allow only specific individuals to perform administrative tasks on the DNS server.
  • All DNS zones are stored in Active Directory. A DACL is configured to allow only specific individuals to create, delete, or modify DNS zones.
  • DACLs are configured on DNS resource records to allow only specific individuals to create, delete, or modify DNS data.
  • Secure dynamic update is configured for DNS zones except the top-level zones and root zones, which do not allow dynamic updates at all.
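The medium- and high-level settings above (forwarders to internal resolvers only, zone transfers restricted to listed servers, fixed listening addresses, cache pollution prevention, secure dynamic update, AD-integrated zones) and the root hints note further up map directly onto the Windows DnsServer PowerShell module. The script below is an added example, not code from the original post or from the Microsoft deployment guide; the server name, the internal forwarder/secondary/listen addresses and the internal root server are assumptions for illustration. Run it without -Apply first to get the list of deviations, then with -Apply to enforce them.

```powershell
# Added example (not from the original page): audit a Windows DNS server against
# the medium/high-level settings listed above and, with -Apply, enforce them.
# Server name, addresses and the internal root server are assumptions.
Import-Module DnsServer

function Invoke-DnsHardeningAudit {
    [CmdletBinding()]
    param(
        [string]   $Server             = 'dc01.corp.example',         # assumption
        [string[]] $InternalForwarders = @('10.0.0.10', '10.0.0.11'), # assumption: internal resolvers
        [string[]] $ListenAddresses    = @('10.0.0.5'),               # assumption: internal NIC of $Server
        [string[]] $AllowedSecondaries = @('10.0.0.11'),              # assumption: hosts allowed to pull zones
        [string]   $InternalRootName   = '',                          # assumption: e.g. 'root01.corp.example'
        [string]   $InternalRootIP     = '',                          # assumption: e.g. '10.0.0.5'
        [switch]   $Apply
    )
    $findings = New-Object System.Collections.Generic.List[string]

    # 1. Cache pollution prevention ("Secure cache against pollution" in the GUI):
    #    discard records in a response that are outside the queried domain tree.
    $rec = Get-DnsServerRecursion -ComputerName $Server
    if (-not $rec.SecureResponse) { $findings.Add('Cache pollution prevention is disabled.') }
    if ($Apply) { Set-DnsServerRecursion -ComputerName $Server -SecureResponse $true }

    # 2. Forwarders must be internal only and must not fall back to Internet root hints.
    #    Recursion itself stays enabled: disabling it would also disable forwarding.
    $fwd = Get-DnsServerForwarder -ComputerName $Server
    $external = @($fwd.IPAddress | Where-Object { $_.IPAddressToString -notin $InternalForwarders })
    if ($external.Count -gt 0 -or $fwd.UseRootHint) {
        $findings.Add('Forwarders include non-internal addresses or fall back to root hints.')
    }
    if ($Apply) { Set-DnsServerForwarder -ComputerName $Server -IPAddress $InternalForwarders -UseRootHint $false }

    # 3. Listening addresses: an empty list means "listen on all IP addresses".
    $settings = Get-DnsServerSetting -ComputerName $Server -All
    if (-not $settings.ListeningIPAddress) { $findings.Add('DNS server listens on all IP addresses.') }
    if ($Apply) {
        $settings.ListeningIPAddress = $ListenAddresses
        Set-DnsServerSetting -ComputerName $Server -InputObject $settings
    }

    # 4. Zones: no open zone transfers, no nonsecure dynamic update, AD-integrated storage.
    $zones = Get-DnsServerZone -ComputerName $Server |
        Where-Object { $_.ZoneType -eq 'Primary' -and -not $_.IsAutoCreated -and $_.ZoneName -ne 'TrustAnchors' }
    foreach ($z in $zones) {
        if ($z.SecureSecondaries -eq 'TransferAnyServer') { $findings.Add("Zone $($z.ZoneName): zone transfer allowed to any server.") }
        if ($z.DynamicUpdate -eq 'NonsecureAndSecure')   { $findings.Add("Zone $($z.ZoneName): nonsecure dynamic update allowed.") }
        if (-not $z.IsDsIntegrated) { $findings.Add("Zone $($z.ZoneName): file-backed, so no per-record DACLs and no secure update.") }
        if ($Apply) {
            # Secure dynamic update needs an AD-integrated zone; otherwise refuse updates entirely.
            $update = if ($z.IsDsIntegrated) { 'Secure' } else { 'None' }
            Set-DnsServerPrimaryZone -ComputerName $Server -Name $z.ZoneName `
                -SecureSecondaries TransferToSecureServers -SecondaryServers $AllowedSecondaries `
                -DynamicUpdate $update
        }
    }

    # 5. Root hints: in the high-level design the internal resolvers should not know
    #    the Internet roots, so internal host names are never leaked to public servers.
    $roots  = @(Get-DnsServerRootHint -ComputerName $Server)
    $public = @($roots | Where-Object { $_.NameServer.RecordData.NameServer -like '*.root-servers.net.' })
    if ($public.Count -gt 0) { $findings.Add("Root hints point at $($public.Count) Internet root servers.") }
    if ($Apply -and $InternalRootName -and $InternalRootIP) {
        foreach ($r in $public) {
            Remove-DnsServerRootHint -ComputerName $Server -NameServer $r.NameServer.RecordData.NameServer -Force
        }
        Add-DnsServerRootHint -ComputerName $Server -NameServer $InternalRootName -IPAddress $InternalRootIP
    }

    return $findings
}

# Usage: audit only; add -Apply (and the internal root parameters) in a change window.
Invoke-DnsHardeningAudit -Server 'dc01.corp.example'
```

Two caveats a practitioner should keep in mind. First, the root-hint replacement (step 5) only belongs on internal resolvers in a high-level deployment; the external DNS servers in front of the firewall in the medium-level design still need the Internet root hints, so do not run that step against them. Second, setting -DynamicUpdate None on a file-backed zone stops clients and domain controllers from registering their own records, so convert the zone to AD-integrated storage first if dynamic registration is required.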