NovoCall
Introduction
Microsoft Active Directory is a directory service that allows administrators to reduce the
cost and effort of administering a network based on a Windows domain. AD facilitates the
centralization and management of resources, as well as user authentication and authorization.
You can use an Active Directory environment for both small and large networks.

Advantages
• Single sign-on using Kerberos - users sign in once, get access to all
Windows-integrated services.

• One place to manage users rather than having a username and
password in every application database.

• Use group memberships to provide a role-based access control model for
applications and for directory management. Simplifies access rights
management.

• Easily scalable. Supports millions of objects in a single domain.

Disadvantages
• If Active Directory goes down, so does your network.

• It also has a complex infrastructure for the user.

• It is prone to being hacked.

• High maintenance costs.

How to Solve Those Problems

AD crashes lead to network downtime.

Active Directory servers often play the role of DNS and DHCP servers. In that case, while AD
is offline, computers will have trouble accessing the internet and even the local network
itself. To avoid these issues, best practices recommend having at least two network cards and
load-balancing the traffic between them.

NIC Teaming, also known in the Microsoft world as Load Balancing/Failover allows you to install
additional physical Ethernet network adapters (NICs) into your server and “team” or combine them
together to make one virtual NIC that provides better performance and fault tolerance.
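
One way to build such a team with the built-in NetLbfo cmdlets, as an added example that is not part of the original document. The team name DC-Team and the switch-independent and dynamic modes are assumptions; pick the modes your switches support.

```powershell
# Added example: team the first two connected physical adapters.
# 'DC-Team' and the teaming/load-balancing modes are illustrative assumptions.
function New-DcNicTeam {
    [CmdletBinding(SupportsShouldProcess)]
    param([string] $TeamName = 'DC-Team')

    # Candidates: physical adapters with link that are not already team members.
    $inTeam = @(Get-NetLbfoTeamMember -ErrorAction SilentlyContinue | ForEach-Object Name)
    $candidates = @(Get-NetAdapter -Physical |
        Where-Object { $_.Status -eq 'Up' -and $_.Name -notin $inTeam })
    if ($candidates.Count -lt 2) {
        throw "Need two connected physical adapters, found $($candidates.Count)."
    }
    $members = @($candidates | Select-Object -First 2 -ExpandProperty Name)

    if ($PSCmdlet.ShouldProcess(($members -join ', '), "Create NIC team $TeamName")) {
        New-NetLbfoTeam -Name $TeamName -TeamMembers $members `
            -TeamingMode SwitchIndependent -LoadBalancingAlgorithm Dynamic -Confirm:$false |
            Out-Null
        # Status should read 'Up'; 'Degraded' means one member has lost its link.
        Get-NetLbfoTeam -Name $TeamName |
            Select-Object Name, Status, TeamingMode, LoadBalancingAlgorithm
    }
}

# Preview first, from the console rather than over the adapters being teamed:
New-DcNicTeam -WhatIf
```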

Hacking:

Because Active Directory is the most popular directory service, there are a lot of techniques and
strategies to hack it. Since it cannot be located in a DMZ, the AD server usually has an internet
connection, which gives attackers the opportunity to get at the keys to your kingdom remotely. One
particular weakness is that Active Directory uses the Kerberos authentication protocol with
symmetrical cryptography architecture; Microsoft has already patched many of its vulnerabilities,
but new ones continue to be discovered and exploited.

Here are security tips to help you improve your web server security: use firewalls on all endpoints,
maintain backups, and use a VPN when available.

Single point of failure

A single point of failure, also known as SPOF, is any component of a system
that causes the whole system to stop working if it fails.

In computing, SPOFs are identified and resolved through redundant and high-availability clusters.

A failover cluster is a group of servers that work together to maintain high availability of applications
and services. If one of the servers, or nodes, fails, another node in the cluster can take over its workload
without any downtime (this process is known as failover).

Important steps after deploying Active Directory

1. Set static IPs for servers. This ensures you are reaching the right server when making
connections.

2. Install the latest update version.

3. Document the administrator password.

4. Check the drivers and patches.

5. Modify the time and date and configure time synchronization.

6. Turn off the firewall to allow the traffic.

7. Install an antivirus such as Kaspersky or AVG.

8. Change the computer name.

9. Install the system license ("activation").

10. Optimize the server hardware.

11. Use two network cards, to be used later in the NIC deployment.

12. Use more than two hard disks in order to use different storage solutions such as LVM and RAID.

13. Minimum requirements:

Processor: 2 GHz or faster

Memory: 2 GB RAM or greater

Available disk space: 40 GB or greater

Baseline Security Hardening
Here are recommended baseline security hardening considerations for your Windows Server.
Your individual server setup may vary and require additional security considerations.
These ten steps provide a baseline security setup and serve as a starting point for additional security
hardening.

Network Security

• Segment your network. Hosts that are on the same subnet/VLAN will have an easier time
masquerading as the server. Segmentation helps address that.

• Add a network firewall. Be sure to disable any services you are not using, such as IPv6.

• Also disable any inbound traffic on ports that are not in use.

• Use secondary DNS servers for load-balancing and redundancy.

Configure Time Synchronization

• Sync time on domain controllers to a stratum-one external time server.

• Relying on an external NTP server protects against NTP-based DDoS attacks.

Ensure Windows Server is up to date with all patches installed

• Be sure to update any other Microsoft products in use, such as Exchange Server and SQL
Server.

• Critical updates should be applied as soon as possible. Apply these updates in test
environments to confirm proper function, then in production if there are no compatibility
issues.

Secure and Encrypt Remote Access

• Telnet and other unencrypted management protocols should be disabled across the whole
environment.

• Use only encrypted remote access (SSH or VPN access).

Disable unnecessary services.

• Set up specific service accounts, locally or in Active Directory, for application and user
services.

• This way if applications are compromised, the attacker has limited user rights, not full
system or privileged user rights.

Disable local administrators and secure administrator

• At the very least, make a secure password for local admins.

• Do not re-use admin passwords throughout the environment.

• Change administrator passwords regularly to prevent password leaks from resulting in new
breaches.

• Enforce a strong password (complexity and length) policy using these considerations.
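
A read-only check of several of the baseline items above (host firewall, Telnet, time source, local administrator, password policy), as an added example that is not part of the original document. It assumes a domain-joined Windows Server member with the ActiveDirectory module installed, and the minimum length of 14 is an assumed threshold, not a value from this page.

```powershell
# Added example: audits the baseline items above without changing anything.
# Run from an elevated PowerShell session.
function Get-BaselineAudit {
    param([int] $MinPasswordLength = 14)   # assumed threshold, not from the page

    $results = [System.Collections.Generic.List[object]]::new()
    $add = { param($Check, $Pass, $Detail)
        $results.Add([pscustomobject]@{ Check = $Check; Pass = [bool]$Pass; Detail = "$Detail" }) }

    # Host firewall: every profile (Domain, Private, Public) should be enabled.
    $off = @(Get-NetFirewallProfile | Where-Object { "$($_.Enabled)" -ne 'True' })
    & $add 'Firewall profiles enabled' ($off.Count -eq 0) ($off.Name -join ', ')

    # Unencrypted management: no Telnet feature should be installed.
    $telnet = @(Get-WindowsFeature -Name 'Telnet*' | Where-Object Installed)
    & $add 'Telnet not installed' ($telnet.Count -eq 0) ($telnet.Name -join ', ')

    # Time sync: a local clock source means no upstream time server is in use.
    $source = (w32tm /query /source | Out-String).Trim()
    $local = 'Local CMOS Clock|Free-running System Clock'
    & $add 'Time source is not the local clock' ($source -notmatch $local) $source

    # Built-in local Administrator (RID 500): should be disabled; show password age.
    $admin = Get-LocalUser | Where-Object { $_.SID.Value -like 'S-1-5-21-*-500' }
    & $add 'Built-in local Administrator disabled' (-not $admin.Enabled) `
        "password last set: $($admin.PasswordLastSet)"

    # Domain password policy: complexity, length and expiry.
    $policy = Get-ADDefaultDomainPasswordPolicy
    & $add 'Password complexity enforced' $policy.ComplexityEnabled ''
    & $add "Minimum password length >= $MinPasswordLength" `
        ($policy.MinPasswordLength -ge $MinPasswordLength) $policy.MinPasswordLength
    & $add 'Passwords expire' ($policy.MaxPasswordAge -gt [timespan]::Zero) `
        "max age: $($policy.MaxPasswordAge)"

    $results
}

Get-BaselineAudit | Format-Table -AutoSize
```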

Implement Activity Logging

• Consolidate logs by collecting them in a central location.

• Back up logs to prevent data loss.

• Monitor and analyze logs to identify attackers, rogue devices, and suspicious usage patterns.
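
One suspicious usage pattern worth monitoring is a burst of failed logons (Security event 4625) from a single source. The following is an added example, not part of the original document; the threshold of 5 failures in 10 minutes is an assumed value to tune, and the sample records are constructed.

```powershell
# Added example: flag sources with a burst of failed logons.
function ConvertFrom-FailedLogonEvent {
    # Flattens a Security event 4625 (failed logon) into the fields used below.
    param([Parameter(ValueFromPipeline)] $InputObject)
    process {
        $data = @{}
        ([xml]$InputObject.ToXml()).Event.EventData.Data |
            ForEach-Object { $data[$_.Name] = $_.'#text' }
        [pscustomobject]@{
            TimeCreated    = $InputObject.TimeCreated
            TargetUserName = $data['TargetUserName']
            IpAddress      = $data['IpAddress']
        }
    }
}

function Find-FailedLogonBurst {
    param(
        [Parameter(Mandatory)] [object[]] $Record,
        [int] $Threshold = 5,        # assumed value
        [int] $WindowMinutes = 10    # assumed value
    )
    foreach ($group in ($Record | Group-Object IpAddress)) {
        $sorted = @($group.Group | Sort-Object TimeCreated)
        $peak = 0; $start = 0
        for ($i = 0; $i -lt $sorted.Count; $i++) {   # sliding time window
            while (($sorted[$i].TimeCreated - $sorted[$start].TimeCreated).TotalMinutes -gt $WindowMinutes) { $start++ }
            $peak = [Math]::Max($peak, $i - $start + 1)
        }
        if ($peak -lt $Threshold) { continue }
        $accounts = @($sorted.TargetUserName | Sort-Object -Unique)
        [pscustomobject]@{
            Source = $group.Name; PeakFailures = $peak; Accounts = $accounts
            Pattern = if ($accounts.Count -gt 1) { 'many accounts from one source' } else { 'one account retried' }
        }
    }
}

# Constructed sample: six failures within three minutes from one address, plus one stray failure.
$t0 = [datetime]'2024-01-01T09:00:00'
$sample = @(0..5 | ForEach-Object {
    [pscustomobject]@{ TimeCreated = $t0.AddSeconds(30 * $_); TargetUserName = "user$_"; IpAddress = '192.0.2.10' } })
$sample += [pscustomobject]@{ TimeCreated = $t0; TargetUserName = 'alice'; IpAddress = '198.51.100.7' }
Find-FailedLogonBurst -Record $sample

# Live use (elevated), on the server or on the central log collector:
# $live = Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4625; StartTime = (Get-Date).AddHours(-1) } | ConvertFrom-FailedLogonEvent
```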

Most Important Group Policy Settings

Choose who can access your control panel


It’s important to set limits for your Control Panel in a business environment. This gives you
master control over all aspects of your system. You can block total access to the Control Panel or allow
limited access.

Control Windows Update


Windows 10 has caused a lot of controversy because of its forced updates. However, Group
Policy allows you to delay major upgrades and updates by almost a year or pause them entirely.

Disable forced system restarts


You can use the Group Policy settings to permanently disable these forced restarts. As soon as you’ve
enabled the settings, you’ll have to reboot your system one last time.

Do not allow removable media drives


Removable media drives are handy, aren’t they? But unfortunately, they can also be dangerous,
especially if they contain virus and malware. If you plug one of these infected drives into your system,
it could affect the whole network. This is why it’s best if you disable the removable drives entirely,
especially when you’re dealing with a business office environment. You’ll also find options for
disabling DVDs, CDs, even floppy drives. You can disable these, too, if you want, but the primary
concern is removable drives.

Switching Windows Defender off


Windows Defender is the built-in security suite offered by Microsoft. However, you aren’t allowed to
uninstall it. You can only disable it by installing a compatible security suite from a third-party provider.
Changing Group Policy settings, however, allows you to disable it minus the need to install anything
else. Your security will finally be in your hands, for better or worse.
