Playing around with doing some prep work on security profiles I will be implementing once I micro-segment my datacenter traffic some. It's pretty straight forward based on the IPS filtering options, to create a sensor to protect a DHCP or DNS server for example. It's not so "clear cut" to protect a Microsoft AD server. My AD servers are also DNS servers (so got the DNS portion of it locked down), so just wondering if anyone has correctly created a sensor to protect AD servers that could share?
My initial guess (and this is just taking a logical shot in the dark) was to filter signatures based on Server, varied degrees of severity, DNS and LDAP and RPC protocols, and Windows OS as my first signature list. Then add another signature list based on the keyword of Kerberos and add those as the second list. Doing the same again with the keyword SMB for my third list. Just feel like I am missing something or gone overboard with it..i.e..maybe something dealing with those AD servers also being global catalog servers, and/or overboard with the RPC, SMB, etc...
Hello,
There is no universal profile for AD servers, since different services/protocols can be running.
I understand. I implement mine as core installations so the attack surface is much smaller compared to that of a GUI install. Would the next step then be to treat it like tuning internal DoS policies...see how it operates in a monitoring situation under normal conditions and go from there in regards to implementing blocks and such?
Select Forum Responses to become Knowledge Articles!
Select the “Nominate to Knowledge Base” button to recommend a forum post to become a knowledge article.
User | Count |
---|---|
1740 | |
1108 | |
752 | |
447 | |
240 |
The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.
Copyright 2024 Fortinet, Inc. All Rights Reserved.