“Developing an AD backup and recovery strategy” (5 days)
Data collection using specialized tools (infrastructure configuration, performance, SLA/OLA requirements).
Aligning backup and recovery strategy with SLA.
Building a test environment in which emergency situations can be simulated.
Conducting disaster recovery exercises for key disaster scenarios (damage to individual objects, loss of data, etc.).
Development of recommendations for the backup and recovery strategy (backup methods and schedule, taking into account business requirements and infrastructure capabilities).
Development of a disaster recovery document (service passport, step-by-step recovery instructions for each scenario).
Working with customer documentation (taking into account the specifics of third-party backup software, instructions from backup/recovery software administrators and other documents).
Data recovery/copying speed measurements and logging.
The work includes the development of the following recovery scenarios:
Recovery after the complete loss of all domain controllers, and bringing ordinary domain members back into service after recovery.
Recovering accidentally or maliciously modified or logically corrupted data in an Active Directory database using backup copies.
Authoritative and non-authoritative restore, and re-alignment of DFS-R replicas.
Access to archived data in Active Directory and to the state of domain controllers in the archived copy, as part of a security incident investigation.
Restoring individual attribute values or selected Group Policy objects.
Compiling a list of changes that have occurred in the Active Directory database since the backup copy.
Assistance with testing in the production environment.
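Two of the scenarios above, inspecting the state of the directory as it was in the backup copy and listing what has changed since, can be worked through with built-in tooling. The following is an added example, not part of the original service description or the provider's own tooling: it mounts the ntds.dit extracted from a backup read-only with dsamain.exe on a non-standard LDAP port, lists every object and attribute written in the live directory after the backup timestamp using replication metadata, and pulls the pre-change value from the mounted copy for comparison. The backup path, port and timestamp are assumptions; it must run elevated on a domain controller (or a host with the AD DS tools) whose Windows version matches the backup.

```powershell
# Added example (not the provider's tooling). Assumptions: $BackupDit is the ntds.dit
# extracted from the backup, $BackupTime is when that backup was taken, port 10389 is free.
Import-Module ActiveDirectory

$BackupDit  = 'D:\Backups\2024-05-01\Windows\NTDS\ntds.dit'   # assumed path
$BackupTime = [datetime]'2024-05-01T02:00:00'                 # assumed backup timestamp
$MountPort  = 10389
$Live       = (Get-ADDomain).PDCEmulator
$Mounted    = "localhost:$MountPort"

# Expose the backup database as a read-only LDAP instance (no writes, no replication).
$dsamain = Start-Process dsamain.exe -ArgumentList "/dbpath `"$BackupDit`" /ldapport $MountPort" -PassThru
Start-Sleep -Seconds 10   # give dsamain time to open the database

try {
    # Objects written in the live directory after the backup, tombstones included.
    $changed = Get-ADObject -Server $Live -IncludeDeletedObjects `
        -Filter { whenChanged -ge $BackupTime } `
        -Properties whenChanged, isDeleted, objectClass

    $report = foreach ($obj in $changed) {
        # Attribute-level replication metadata is authoritative (whenChanged itself is not replicated):
        # it records which attribute changed, when, from which DC, and how many times.
        $meta = Get-ADReplicationAttributeMetadata -Object $obj.DistinguishedName -Server $Live -IncludeDeletedObjects |
            Where-Object { $_.LastOriginatingChangeTime -ge $BackupTime }
        if (-not $meta) { continue }

        # The same object as it existed in the backup; absent if it was created after the backup.
        $old = Get-ADObject -Server $Mounted -Identity $obj.ObjectGUID -Properties * -ErrorAction SilentlyContinue

        foreach ($m in $meta) {
            $oldValue = '<object not in backup>'
            if ($old) { $oldValue = @($old.($m.AttributeName)) -join ';' }
            [pscustomobject]@{
                DistinguishedName = $obj.DistinguishedName
                ObjectClass       = $obj.ObjectClass
                IsDeleted         = [bool]$obj.isDeleted
                Attribute         = $m.AttributeName
                ValueInBackup     = $oldValue
                ChangedAt         = $m.LastOriginatingChangeTime
                OriginatingDC     = $m.LastOriginatingChangeDirectoryServerIdentity
                Version           = $m.Version
            }
        }
    }

    # Full list for the investigation record, plus a quick view of the most-changed attributes.
    $report | Sort-Object ChangedAt | Export-Csv .\ad-changes-since-backup.csv -NoTypeInformation
    $report | Group-Object Attribute | Sort-Object Count -Descending | Select-Object Count, Name -First 20
}
finally {
    Stop-Process -Id $dsamain.Id -Force   # unmount the backup copy
}
```

The mounted copy is what makes this usable in an incident investigation: attributes such as member, userAccountControl, servicePrincipalName or adminCount can be compared value-for-value against the live directory, and tombstoned objects can still be resolved by objectGUID. If the Active Directory Recycle Bin is not enabled, deleted objects in the live directory retain only a few attributes, so the mounted backup is often the only place the original values survive.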
“Windows Infrastructure Security Survey” (5 days)
Collection of data using specialized tools from domain controllers, the Active Directory database and selected important servers and administrator workstations: OS configuration, rights and privileges in the Active Directory database and in the OS, data on privileged-credential hygiene, checks for common configuration problems, logs, and an operational questionnaire.
Automated analysis of the collected data for compliance with generally accepted information security practices and vendor best practices.
Conducting an in-depth interview with company specialists to identify existing administration processes in the organization being surveyed.
Analysis of the results by an engineer and additional in-depth analysis.
Preparation and delivery of an executive presentation, a detailed technical report and a remediation plan.
Transfer of knowledge to customer specialists during the systems inspection.
“Pilot implementation and adaptation of MFA and Windows Hello for Business” (5 days)
Transfer of knowledge in the form of a mini-seminar on the following topics:
Main attack vectors using examples from real practice.
Privileged accounts and ways to inventory and protect them.
Windows authentication basics and weaknesses exploited by attackers.
Windows ADFS Server and its role in multi-factor authentication.
MFA adapter from Noventiq for Windows ADFS Server, principles of operation, its configuration and implementation.
Windows Hello for Business as a method of multi-factor authentication and deployment scenarios for Windows Hello For Business in an enterprise.
How to use Microsoft knowledge and technology to build a more secure environment for privileged accounts.
Preliminary examination before implementing multi-factor authentication solutions:
An operational questionnaire showing how current administration processes are structured and who is involved in them; it is completed together with system administrators, users holding high privileges, and information security staff.
Using technical means (PowerShell scripts), additional information is collected from the following sources:
AD Database.
Security settings from the registry.
Privilege and audit settings.
Event log from domain controllers.
Information from the resulting Group Policy.
Information from the domain group policy repository.
If available, configuration information from ADFS servers.
If there is no ADFS server, then discuss and create an ADFS deployment plan.
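The following is an added example of the technical collection step above; it is not the provider's own script and makes no claim about what that script does. It gathers one snapshot of each listed source into a timestamped folder so it can be reviewed offline: privileged group membership from the AD database, authentication-relevant registry settings, user rights and audit policy, recent logon and group-change events from every domain controller, the resultant Group Policy, every GPO in the domain repository as XML, and ADFS settings when the ADFS module is present. The output folder name, the chosen registry keys, the event IDs and the 7-day window are assumptions; it requires RSAT (ActiveDirectory and GroupPolicy modules), local administrator rights for secedit/auditpol, and read access to the DCs' Security logs.

```powershell
# Added example collector (not the provider's tooling). Assumptions: RSAT installed,
# run elevated, output folder under the current directory.
Import-Module ActiveDirectory
Import-Module GroupPolicy

$Out = Join-Path $PWD ("ad-survey-" + (Get-Date -Format 'yyyyMMdd-HHmm'))
New-Item -ItemType Directory -Path $Out -Force | Out-Null
$domain = Get-ADDomain
$pdc    = $domain.PDCEmulator

# 1. AD database: recursive membership of the main privileged groups, with credential-hygiene fields.
$privGroups = 'Domain Admins','Enterprise Admins','Schema Admins','Administrators','Account Operators','Backup Operators'
$privGroups | ForEach-Object {
    $g = $_
    Get-ADGroupMember -Identity $g -Recursive -Server $pdc |
        Where-Object objectClass -eq 'user' |
        Get-ADUser -Server $pdc -Properties LastLogonDate, PasswordLastSet, PasswordNeverExpires, Enabled, AdminCount |
        Select-Object @{n='Group';e={$g}}, SamAccountName, Enabled, LastLogonDate, PasswordLastSet, PasswordNeverExpires, AdminCount
} | Export-Csv (Join-Path $Out 'privileged-accounts.csv') -NoTypeInformation

# 2. Security settings from the registry (this host). Keys chosen as examples: LSA protection and
#    NTLM settings, WDigest plaintext caching, UAC/remote-admin policy.
$regKeys = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa',
           'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\WDigest',
           'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
$regKeys | ForEach-Object { Get-ItemProperty -Path $_ -ErrorAction SilentlyContinue } |
    Export-Clixml (Join-Path $Out 'registry-security.xml')

# 3. User rights assignments and the effective audit policy (this host).
secedit /export /cfg (Join-Path $Out 'secpol.inf') /areas USER_RIGHTS SECURITYPOLICY | Out-Null
auditpol /get /category:* /r | Out-File (Join-Path $Out 'auditpol.csv')

# 4. Security log from every DC: logons (4624/4625) and privileged/security group changes
#    (4728 global, 4732 local, 4756 universal), last 7 days.
$since = (Get-Date).AddDays(-7)
foreach ($dc in Get-ADDomainController -Filter *) {
    Get-WinEvent -ComputerName $dc.HostName -FilterHashtable @{
        LogName = 'Security'; Id = 4624,4625,4728,4732,4756; StartTime = $since
    } -ErrorAction SilentlyContinue |
        Select-Object MachineName, TimeCreated, Id, Message |
        Export-Csv (Join-Path $Out "events-$($dc.Name).csv") -NoTypeInformation
}

# 5. Resultant Set of Policy for this machine and the current user.
Get-GPResultantSetOfPolicy -ReportType Xml -Path (Join-Path $Out 'rsop.xml') | Out-Null

# 6. Domain GPO repository: every GPO as an XML report (settings, links, permissions).
Get-GPO -All -Domain $domain.DNSRoot | ForEach-Object {
    Get-GPOReport -Guid $_.Id -ReportType Xml -Domain $domain.DNSRoot -Path (Join-Path $Out "gpo-$($_.Id).xml")
}

# 7. ADFS configuration, only when run on an ADFS server.
if (Get-Module -ListAvailable -Name ADFS) {
    Import-Module ADFS
    Get-AdfsProperties                   | Export-Clixml (Join-Path $Out 'adfs-properties.xml')
    Get-AdfsAuthenticationProvider       | Export-Clixml (Join-Path $Out 'adfs-auth-providers.xml')
    Get-AdfsAdditionalAuthenticationRule | Out-File     (Join-Path $Out 'adfs-mfa-rules.txt')
}
```

Collecting the raw data first and analysing it afterwards keeps the evidence reproducible: the same folder can be re-analysed when the interview results in the next step change what is considered a finding. Step 4 is the only part that touches every DC; on a large domain, narrow the window or the event ID list before running it.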
Implementation of Windows Hello For Business authentication on a pilot group of systems (up to 5 systems):
Deploying and configuring an ADFS server:
ADFS installation.
Checking functionality after installation.
Installation and configuration of MFA adapter from Noventiq.
If a specific channel for user confirmation of the “second factor” is required, the customer is trained on how to write an extension for the MFA adapter.
Configuring the system to run Windows Hello for Business in accordance with the selected deployment scenario.
Launch of a pilot group of systems for authentication via Windows Hello for Business (up to 5 systems).
Development of a technical description of the implemented system describing all the steps that were performed, and what settings and systems were deployed.
“Restricted runspaces” (5 days)
A set of measures to counter ransomware and to limit the launch of other unwanted applications.
Countering lateral movement (“horizontal spread”) by an attacker, where security flaws allow the compromise of one workstation to be extended to an entire tier of workstations.
Development of a process for quickly changing the configuration of a restricted workstation in response to updates of the software used on it.
Implementation of the Local Administrator Password Solution (LAPS) and adjustment of the processes around it to address the main shortcomings of LAPS.
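One way to implement the application-launch restriction and the update process described above is an AppLocker allow-list built from a clean reference workstation. The following is an added example, not the provider's own procedure: it generates publisher rules for signed binaries and hash rules for the rest, tests a folder of newly updated software against the policy before anything is enforced, and merges rules for that software into the existing policy so the restricted configuration can follow software updates. The policy and staging paths are assumptions; it requires local administrator rights and a Windows edition that supports AppLocker.

```powershell
# Added example (not the provider's procedure). Assumptions: $PolicyFile and $StagingDir
# are local paths of your choosing; the staging folder holds the newly updated binaries.
$PolicyFile = 'C:\Policies\workstation-applocker.xml'
$StagingDir = 'C:\Staging'
New-Item -ItemType Directory -Path (Split-Path $PolicyFile) -Force | Out-Null

# 1. Inventory executables and scripts on the reference workstation and build an allow-list.
#    Publisher rules survive version updates of signed software; hash rules cover unsigned files.
$ref = 'C:\Windows', 'C:\Program Files', 'C:\Program Files (x86)' |
    ForEach-Object { Get-AppLockerFileInformation -Directory $_ -Recurse -FileType Exe, Script -ErrorAction SilentlyContinue }
$policyXml = $ref | New-AppLockerPolicy -RuleType Publisher, Hash -User Everyone -Optimize -Xml

# 2. Start in audit mode: events are logged (AppLocker operational log) but nothing is blocked yet.
$policyXml = $policyXml -replace 'EnforcementMode="NotConfigured"', 'EnforcementMode="AuditOnly"'
$policyXml | Out-File $PolicyFile -Encoding utf8

# 3. Before enforcing, find out what in the staging folder the policy would refuse to run.
$blocked = Get-ChildItem $StagingDir -Recurse -Include *.exe, *.ps1, *.bat, *.cmd, *.vbs, *.js |
    Convert-Path |
    Test-AppLockerPolicy -XmlPolicy $PolicyFile -User Everyone -Filter Denied, DeniedByDefault
$blocked | Select-Object FilePath, PolicyDecision, MatchingRule

# 4. Update process: generate rules for the updated software and merge them into the existing policy.
$updateFile = "$PolicyFile.update.xml"
Get-AppLockerFileInformation -Directory $StagingDir -Recurse -FileType Exe, Script |
    New-AppLockerPolicy -RuleType Publisher, Hash -User Everyone -Optimize -Xml |
    Out-File $updateFile -Encoding utf8
Set-AppLockerPolicy -XmlPolicy $PolicyFile                 # base policy (local; use -Ldap to target a GPO)
Set-AppLockerPolicy -XmlPolicy $updateFile -Merge          # add the new rules without replacing the rest

# 5. AppLocker evaluates nothing unless the Application Identity service is running.
sc.exe config appidsvc start= auto | Out-Null
Start-Service AppIDSvc
```

Run in audit mode long enough to see the blocks that would hit real users (events 8003 and 8006 in the AppLocker operational log), then switch the EnforcementMode attributes to Enabled. An allow-list built only from the reference machine also permits every built-in Windows binary, so a production policy normally adds explicit deny rules for user-writable locations and for built-in tools that are not needed on a restricted workstation.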