Harden AD DS Domain Controllers.

Next, let's take a look at four suggestions from Microsoft on how we can improve the security posture of our Active Directory Domain Services domain controllers.

Now, this first suggestion ties into some things we learned in the first module. One benefit of having newer server hardware is that you can take advantage of hardware-based security protections, like Trusted Platform Module, UEFI firmware, and Secure Boot, and this offers us the TPM protector options for BitLocker drive encryption as well. For virtualized domain controllers, you can consider enabling guarded fabric and shielded Hyper-V VMs. This provides a nice separation of duties where you can delegate administration of the Hyper-V VMs, but you're preventing those users from having any capability to sign into the VM or work with the disks outside of the context of the VM, and so on: a separation between what we call the management plane and the data plane of a service or VM.

You might want to consider deploying read-only domain controllers to smaller branch office locations, particularly if they have intermittent connectivity to headquarters, and also particularly if they're staffed very lightly; you may not have a dedicated point of presence for IT there.

And then again, tying back to our previous lesson, configuring either AppLocker or Defender App Control to make sure that only trusted code is running on the servers, both through the boot process as well as when the machine is in user mode and actually up and running.

Some specific advice regarding read-only domain controllers that you need to know for your AZ-801 exam success includes Administrator Role Separation. This is what Microsoft calls the technique of having a RODC-dedicated administrator. That is, you may, in all likelihood, be in a situation where you've got a branch office with limited or very limited, let's say, connectivity to read/write domain controllers, and you may not otherwise have any administrative credential password hashes present on the RODC. So if you do have administration work to do, you're going to have to have at least some administrative credentials locally cached on the server. Now, Administrator Role Separation ensures that if that delegated RODC administrator account is compromised, its blast radius, as Microsoft calls it, will be limited to that RODC or potentially to that remote site. But that RODC administrator would not have, for example, domain administrator, and certainly not enterprise admin, privileges, you understand?

Speaking of cached credentials, you have quite a bit of control over what gets replicated from a read/write domain controller to your RODCs. There's the RODC-local Allowed RODC Password Replication group and the corresponding Denied RODC Password Replication group, where you can enforce which accounts will have their passwords cached on the RODC and which ones won't. Certainly any branch office non-administrative users should have their credentials cached so that they can sign in to the RODC and not have a reliance upon a read/write domain controller.

You want to have a separate Directory Services Restore Mode password configured on the RODC, such that if it were breached, it would not be breached across the domain or forest.

The Filtered Attribute Set, or FAS, allows you to control the Active Directory schema attributes that are replicated from the read/write side to the read-only side. Again, all in the name of trying to contain the scope of compromise if a malicious actor were to breach your RODC.

And lastly, when you deploy the RODC, you can pre-populate the password cache, and this would allow you to function both for your non-administrative users and then, with Administrator Role Separation, with one or more admin accounts in an air-gapped environment where you may not connect the RODC to a read/write domain controller, either for a long, long time, or maybe indefinitely.