Group Policy Best Practices for AD Bridge Enterprise

Object Linking and Delegation

BeyondTrust recommends the same best practices for Group Policy Objects as Microsoft recommends.

For more information, please see the best practices published by Microsoft Group Policy MVP Darren Mar-Elia.

AD Bridge Enterprise has an available Target Platform Filter to limit Group Policy to apply only to certain operating system types. This filter’s use should be minimized in the same way as any other filter listed in the Group Policy Design Best Practices article.

Settings

The New Cell wizard in the BeyondTrust Management Console provides the initial best-practice AD Bridge Enterprise settings for all customers. Settings not enforced in this initial Group Policy Object have been tuned on the client by the BeyondTrust team for each version of AD Bridge Enterprise. Some settings, however, are optimized for general use and should be adjusted for the different system types, as listed below.

  • AD Bridge Settings:
    • Authorization:
      • Enable use of the Event Log
      • Disable user credential refreshing
    • Logon:
      • Disable creation of home directory if using NFS mounted home directories
      • Disable creation of k5login if using NFS mounted home directories
  • Group Policy:
    • Enable use of the Event Log
  • Event Log:
    • Keep a 90+ day history in the Event Log
    • Set a maximum disk size at 120MB
    • Remove events as needed
  • Logging and Audit Settings:
    • Enable AD Bridge Auditing in the Syslog settings
  • AD Bridge Settings:
    • Authorization:
      • Enable use of the Event Log
      • Enable user credential refreshing
    • Logon:
      • Enable creation of home directory except when using NFS mounted home directories
      • Enable creation of k5login except when using NFS mounted home directories
  • Group Policy:
    • Enable use of the Event Log
  • Event Log:
    • Keep a 60+ day history in the Event Log
    • Set a maximum disk size at 75MB
    • Remove events as needed
  • Logging and Audit Settings:
    • Enable AD Bridge Auditing in the Syslog settings
  • Group Policy:
    • Disable user logon Group Policy setting processing

Group Policy Creation

Many AD Bridge Enterprise policy settings control specific Unix files in their entirety; the sudoers and Automount policies are two examples. Whenever these policies are used, we strongly recommend that the files be created and tested on a Unix system and then transferred directly into Group Policy, either by using the gp-admin tool from a Linux workstation or by binary transfer to a Windows computer for upload with the Group Policy Management Console (GPMC). As a best practice, never edit these files directly on a Windows computer.
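As an added example (not BeyondTrust's tooling, and assuming the reason for the binary transfer is to keep the file byte-for-byte intact), a POSIX shell check to run on the Unix system before a file such as sudoers is moved into Group Policy. It flags the corruption a non-binary hop through Windows typically introduces and, when visudo is installed, validates sudoers syntax:

```shell
#!/bin/sh
# Added example, not BeyondTrust code: sanity-check a Unix policy file
# (sudoers, automount map, ...) before it is placed into a GPO.
# check_policy_file FILE [sudoers]
# Returns 0 if FILE is clean, 1 otherwise; findings go to stderr.
check_policy_file() {
    file=$1
    kind=${2:-generic}
    rc=0

    if [ ! -r "$file" ]; then
        echo "$file: not readable" >&2
        return 1
    fi

    # CRLF line endings: the stray CR becomes part of each directive.
    if ! tr -d '\r' < "$file" | cmp -s - "$file"; then
        echo "$file: contains CRLF line endings" >&2
        rc=1
    fi

    # A UTF-8 byte-order mark at offset 0 corrupts the first directive.
    if [ "$(head -c 3 "$file" | od -An -tx1 | tr -d ' \n')" = "efbbbf" ]; then
        echo "$file: starts with a UTF-8 BOM" >&2
        rc=1
    fi

    # A missing final newline can drop or merge the last entry.
    if [ -s "$file" ] && \
       [ "$(tail -c 1 "$file" | od -An -tx1 | tr -d ' \n')" != "0a" ]; then
        echo "$file: missing final newline" >&2
        rc=1
    fi

    # Syntax check for sudoers files, only when visudo exists on this host.
    if [ "$kind" = sudoers ] && command -v visudo >/dev/null 2>&1; then
        if ! visudo -c -q -f "$file" >/dev/null 2>&1; then
            echo "$file: visudo reports a syntax error" >&2
            rc=1
        fi
    fi
    return $rc
}
```

Run it as `check_policy_file /path/to/sudoers sudoers` and only transfer the file when it exits 0.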

We do not recommend using the Password Prompts policy. When Password Prompts are in use, the prompt displays the expected account type, for example Active Directory or Local Account. Revealing this information may encourage brute force attacks.

Logon Rights groups should not be enabled in a cell. The setting is evaluated by lsass as a list of security identifiers (SIDs) to match against the SIDs carried in the Privilege Attribute Certificate (PAC) of the Kerberos ticket. Evaluation beyond the SID level is not required, so the groups do not need to be provisioned. Provisioning them only gives non-privileged users additional information about who can log into the Unix host.

Additionally, if AD Bridge is unable to determine authoritatively all groups the user is in, access is denied. This can occur if there are DENY access control lists (ACLs) in place. NFSv4 has DENY ACL functionality, so this can also apply to Unix systems.

Delegate to either the Domain Computers group or a dedicated Linux Computers group so that the computers can read the information required to perform the lookups.

Group Policy Best Practices Summary

  • Use OU design and linking, as a preference to filtering.
  • Use different settings for servers and workstations.
  • Use the Unix gp-admin tool to manage Unix files.