Group Policy Best Practices for AD Bridge

Before taking any actions with AD Bridge Group Policies, review these best practices carefully.

Object Linking and Delegation

BeyondTrust recommends the same best practices for Group Policy Objects as Microsoft recommends.

For more information, see the best practices published by Microsoft Group Policy MVP Darren Mar-Elia.

AD Bridge provides a Target Platform Filter that limits a Group Policy so that it applies only to certain operating system types. Use of this filter should be minimized in the same way as any other filter listed in the Group Policy Design Best Practices article.

Settings

The Configuration wizard in the installation directory provides the initial best-practice AD Bridge settings for all customers. Settings not enforced in this initial Group Policy Object have been optimized on the client by the BeyondTrust team for each version of AD Bridge. Some settings, however, are optimized for general use and should be adjusted for the different system types listed below.

General Recommended Policies

  • AD Bridge Settings:
    • Authorization:
      • Enable use of the Event Log
      • Disable user credential refreshing
  • Group Policy:
    • Enable use of the Event Log
  • Event Log:
    • Keep a 90+ day history in the Event Log
    • Set a maximum disk size of 120 MB
    • Remove events as needed
  • Logging and Audit Settings:
    • Enable AD Bridge Auditing in the Syslog settings

Systems Not Using User Policies

  • Group Policy:
    • Disable user logon Group Policy setting processing

Servers

  • AD Bridge Settings:
    • Logon
      • Disable creation of home directory - if using NFS mounted home directories
      • Disable creation of k5login - if using NFS mounted home directories
  • Event Log:
    • Keep a 90+ day history in the Event Log
    • Set a maximum disk size of 120 MB
    • Remove events as needed

Workstations or Laptops

  • AD Bridge Settings:
    • Logon
      • Enable creation of home directory - except when using NFS mounted home directories
      • Enable creation of k5login - except when using NFS mounted home directories
  • Event Log:
    • Keep a 60+ day history in the Event Log
    • Set a maximum disk size of 75 MB
    • Remove events as needed
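To confirm that the server/workstation split above actually reached a host, the following POSIX shell helper (added here as an example; it is not BeyondTrust's code) audits a captured `/opt/pbis/bin/config --dump` listing against the home-directory and k5login recommendations for a given role and NFS situation. It assumes the dump prints one `Name value` pair per line and that the two settings are named `CreateHomeDir` and `CreateK5Login`; the sample dump in the block is constructed.

```shell
#!/bin/sh
# Hypothetical audit helper, not BeyondTrust code. Assumes the
# "Name value" line format of `/opt/pbis/bin/config --dump` and the
# setting names CreateHomeDir / CreateK5Login (both assumptions).

# Expected value for both settings, by role and by whether home
# directories are NFS-mounted. "none" means the guidance above gives no
# recommendation for that combination (servers with local homes).
expected_value() {
  role="$1"; nfs_home="$2"
  case "$role:$nfs_home" in
    *:yes)          echo false ;;  # NFS homes: disable on any role
    workstation:no) echo true  ;;  # local homes on a workstation: enable
    *)              echo none  ;;  # not specified by the guidance
  esac
}

# Reads a config dump on stdin, prints one MISMATCH line per setting
# that differs from the recommendation, and returns 1 if any mismatch.
audit_dump() {
  role="$1"; nfs_home="$2"
  want=$(expected_value "$role" "$nfs_home"); bad=0
  if [ "$want" = none ]; then return 0; fi   # nothing to check
  while read -r key val; do
    case "$key" in
      CreateHomeDir|CreateK5Login)
        if [ "$val" != "$want" ]; then
          echo "MISMATCH $key=$val expected=$want (role=$role nfs_home=$nfs_home)"
          bad=1
        fi ;;
    esac
  done
  return "$bad"
}

# Constructed sample dump: a laptop with local homes where a GPO
# left k5login creation switched off.
sample_dump() {
  printf 'AssumeDefaultDomain false\nCreateHomeDir true\nCreateK5Login false\n'
}

# Stand-alone use: /opt/pbis/bin/config --dump | sh audit.sh workstation no
if [ "$#" -eq 2 ]; then
  audit_dump "$1" "$2"
else
  sample_dump | audit_dump workstation no || echo "host drifts from workstation guidance"
fi
```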

Group Policy Creation

Many AD Bridge policy settings control specific Unix files in their entirety; the sudoers and Automount policies are two examples.

Whenever these policies are used, we strongly recommend creating and testing the files on a Unix system, then transferring them directly into Group Policy, either with the gp-admin tool from a Linux station or by binary transfer to a Windows computer for upload with the Group Policy Management Console (GPMC).

Best practice is to never modify these settings directly on a Windows computer.

Password Prompts

We do not recommend using the Password Prompts policy. When Password Prompts are in use, the prompt displays the expected account type (for example, Active Directory or Local Account). Disclosing the account type in this way may encourage brute force attacks.

Allow Logon Rights

Allow Logon Rights groups should not be enabled in a cell. lsass evaluates the setting as a list of security identifiers (SIDs) to match against the SIDs provided in the Privilege Attribute Certificate (PAC) of the Kerberos ticket. Evaluation beyond the SID level is not required, so the groups do not need to be provisioned. Provisioning the groups gives non-privileged users additional information about who can log into the Unix host.

Additionally, if AD Bridge cannot authoritatively determine all of the groups the user belongs to, access is denied. This can occur when DENY access control lists (ACLs) are in place. NFSv4 also provides DENY ACL functionality, so this can apply to Unix systems as well.

Delegate to either the Domain Computers group or a dedicated Linux Computers group so that the computers can read the information required for these lookups.

Group Policy Best Practices Summary

  • Use OU design and linking in preference to filtering.
  • Use different settings for servers and workstations.
  • Use the Unix gp-admin tool to manage Unix files.