What’s New in Windows Server 2016 Federation Services?

The corporate environment requires many collaboration application services to promote a seamless workflow environment. Windows Server 2016 represents major steps towards an environment that supports cloud features and an improved level of security and innovations. Some of the improvements found in Windows Server 2016 include:

  • Active Directory Federation Services (ADFS)
  • Microsoft IP Address Management (IPAM)
  • Conditional Access
  • Temporary group membership

Our main concern will be to highlight the new things Active Directory Federation Services (ADFS) bring into a Windows Server 2016 network environment.

Active Directory Federation Services provides single sign-on across the entire network to different applications such as Office 365, SaaS applications, and other cloud-based applications.

In general, the IT department can enforce sign-on and access controls for both modern and legacy software. Users benefit from a seamless login with the same account credentials, and developers have an easier time running applications because the authentication process is handled by the federation service.

Here are some of the new features that came with Windows Server 2016 Federation Services:

Eliminate the Use of Passwords on A Private Network

Active Directory Federation Services offers three ways to sign in without a password. This removes the risk of the network being compromised by leaked or stolen passwords.

Using Azure Authentication Features

AD FS 2016 can use Azure Multi-Factor Authentication (MFA) as the primary authentication method, so a user can sign in with an Azure MFA code instead of a password: the user is prompted only for a username and a one-time password (OTP) code.

When Azure MFA is used as an additional authentication method, the user first provides the usual credentials and is then prompted for a text message, OTP, or voice-call verification before signing in.

Setting up a federation service to work with Azure MFA is now simpler because organizations no longer need to run a physical Azure MFA server on their premises. Azure MFA can be configured for both local and private networks or incorporated into the organization's access control policy.

Allowing Password-less Access

Active Directory Federation Services 2016 uses device registration to control access from network devices. Users sign in from a registered device, and the device is checked for attribute changes so that device integrity and network security are maintained. Using accepted devices ensures that access is granted only to specific devices, that private network access is accepted only from managed devices, and that additional authentication steps are required from any non-compliant computer or device.

Using Windows Hello for Business Credentials

Workstations running the Windows 10 operating system have Windows Hello and Windows Hello for Business built in. The credentials are protected by gestures such as fingerprint, facial recognition, voice recognition, etc. Using these Windows 10 capabilities, users can sign in to a 2016 federation server without a password.

Secure Access to Applications

Windows Server 2016 Federation Services works with the latest modern protocols to offer a better experience to Windows 10, Android, and iOS users.

In earlier versions, changing access control policies required knowledge of the claim rules language, which made policies hard to configure and maintain. AD FS 2016 provides built-in templates that can be applied to common policies such as:

  • Limit access to Local Area Network only
  • Allow everyone to access the server and ask for an MFA from private networks
  • Allow everyone to access the server and ask for an MFA from a specific group

Using templates is recommended because they are easy to customize and add exceptions or additional policies that can be applied to one or many applications.
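As an added example (not code from the original article), the following PowerShell shows how the three template policies listed above map onto the built-in AD FS 2016 access control policies and how one is attached to a relying party trust. It assumes an elevated session on a Windows Server 2016 federation server with the AD FS and RSAT ActiveDirectory modules available; the relying party name "Contoso HR Portal" and the group "HR-Privileged" are constructed, and passing the group object through -AccessControlPolicyParameters is an assumption about the parameterized template.

```powershell
# Added example: apply built-in AD FS 2016 access control policy templates.
# "Contoso HR Portal" and "HR-Privileged" are constructed names for illustration.
Import-Module ADFS
Import-Module ActiveDirectory

# List the templates AD FS 2016 ships with (IsBuiltIn = True) and any custom ones
Get-AdfsAccessControlPolicy | Select-Object Name, IsBuiltIn | Format-Table -AutoSize

$rpName = 'Contoso HR Portal'   # constructed relying party trust name

# 1. Limit access to the local network only
Set-AdfsRelyingPartyTrust -TargetName $rpName `
    -AccessControlPolicyName 'Permit everyone for intranet access'

# 2. Allow everyone, but require MFA when the request comes from outside the network
Set-AdfsRelyingPartyTrust -TargetName $rpName `
    -AccessControlPolicyName 'Permit everyone and require MFA from extranet access'

# 3. Allow everyone, but require MFA for members of one group.
#    Assumption: the parameterized template accepts the group as its policy parameter.
$mfaGroup = Get-ADGroup -Identity 'HR-Privileged'   # constructed group name
Set-AdfsRelyingPartyTrust -TargetName $rpName `
    -AccessControlPolicyName 'Permit everyone and require MFA for specific group' `
    -AccessControlPolicyParameters $mfaGroup

# Verify which policy is now attached to the trust; a trust that still uses
# claim rules instead of a policy shows an empty AccessControlPolicyName
Get-AdfsRelyingPartyTrust -Name $rpName |
    Select-Object Name, AccessControlPolicyName
```

Each Set-AdfsRelyingPartyTrust call replaces the previously attached policy, so in practice only one of the three assignments would be run for a given application; the verification step at the end is what confirms the intended template is the one in force.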

Allow Sign-in from Non-Active Directory LDAP Directories

Most firms use Active Directory alongside third-party directories for sign-in. Federation Services 2016 can authenticate users whose credentials are stored in LDAP v3-compliant directories. This also covers users in an Active Directory forest that has no two-way trust configured, and users stored in Active Directory Lightweight Directory Services (AD LDS) are able to sign in.

Flawless Sign-in Experience

All applications using Active Directory Federation Services give users a customized login experience. This is most useful for organizations dealing with various companies and brands. In previous editions there was one common sign-on experience, with customization available only for a single application. Windows Server 2016 lets you customize messages, images, web themes, and logos, and additional customized web pages can be created for every business platform.

Improved Management and System Operations

Streamlined Auditing

Auditing is streamlined in Active Directory Federation Services 2016, unlike previous versions where every single event necessitated its own event log entry.
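As an added example (not code from the original article), this PowerShell shows the audit level setting behind the streamlined auditing, how to switch it between the levels AD FS 2016 supports, and how to read the resulting events back from the Security log. It assumes an elevated session on a Windows Server 2016 federation server; the provider name "AD FS Auditing" is the one AD FS uses for its Security log audits and should be treated as an assumption on other versions.

```powershell
# Added example: AD FS 2016 audit level and reading AD FS audit events.
Import-Module ADFS

# AD FS 2016 audit levels are None, Basic (the streamlined default) and Verbose.
# Verbose restores per-event detail when troubleshooting a sign-in problem.
Set-AdfsProperties -AuditLevel Verbose
(Get-AdfsProperties).AuditLevel

# AD FS writes its audits into the Security log through the "Application Generated"
# subcategory, which must be enabled in the server's audit policy
auditpol.exe /set /subcategory:"Application Generated" /success:enable /failure:enable

# Read the last hour of AD FS audit events and count them per event ID
# (assumption: the events are logged under the provider name "AD FS Auditing")
$since = (Get-Date).AddHours(-1)
Get-WinEvent -FilterHashtable @{
    LogName      = 'Security'
    ProviderName = 'AD FS Auditing'
    StartTime    = $since
} -ErrorAction SilentlyContinue |
    Group-Object Id |
    Sort-Object Count -Descending |
    Select-Object Count, Name |
    Format-Table -AutoSize

# Return to the streamlined level once troubleshooting is done
Set-AdfsProperties -AuditLevel Basic
```

Leaving the level at Verbose on a busy farm quickly produces the volume of log entries the streamlined mode was introduced to avoid, so raise it only for the duration of an investigation.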

Improved Interoperability with Security Assertion Markup Language (SAML 2.0)

Additional SAML protocol support, including importing trusts with multiple entries, is found in Active Directory Federation Services 2016. This allows AD FS to take part in confederations and implementations that conform to the eGov 2.0 standard.

Simple Password Management for Office 365 Users

Active Directory Federation Services 2016 can send password-expiry claims to protected applications. For instance, Office 365 users get notifications about the expiry status of their passwords through Exchange and Outlook.

Migration from AD FS Windows Server 2012 to AD FS Windows Server 2016 Made Easier

Previous editions required exporting the configuration from the old farm and importing it into the new farm. When moving from Windows Server 2012 to Windows Server 2016, you instead add a new Windows Server 2016 server to the existing Windows Server 2012 farm, verify that everything works, and then remove the old server from the load balancer. The new features are ready to use once Windows Server 2016 is running and the farm behavior level has been raised to 2016.

Conclusion

Federation Services help manage identities across different networks and as such form the foundation of cybersecurity in the cloud world. With this information, it is time to optimize your Active Directory environment by redesigning and restructuring it before migrating to the latest Windows Server 2016 Federation Services.

Unauthorized Access to Sensitive Data?

Analyze and Report Data Access on Windows Folders in Under 60 Seconds!

Protect yourself and your clients against security leaks and get your free trial of the easiest and fastest NTFS Permission Reporter now!

Setting Up Active Directory in Windows Server 2016

The latest addition to the Windows Server line is Windows Server 2016. Setting up Active Directory may be something you have already done in previous versions, but it is still worth knowing the steps needed to set up the Active Directory role on 2016.

There are two important things to consider before starting this process. If the Windows Server is to be used in a production environment, its IP addresses should be defined as static. The other thing to keep in mind is to rename the server to a suitable name, because renaming the server after AD DS has been set up is not easy.

In this article, we will look at:

  • Installing the Active Directory
  • Setting up the Domain Controller

Both of these activities need administrative privileges because they are the foundation of user and group management, policy, and security in a typical server environment.

Installing the Active Directory

  1. Click on the Start button then on the Server Manager icon.
  2. The Server Manager dashboard will load, giving access to the roles and features wizard. Click Next to proceed.
  3. Keep the default installation type (role-based or feature-based installation).
  4. Next, select the installation server from the server pool (the local server list).
  5. When you click Next, the roles list appears. Check the Active Directory Domain Services box. A pop-up shows the features required by that role and lets you add them.
  6. Click Add Features, then Next. On the following screen the .NET Framework 4.6 features should already be checked.
  7. On the Active Directory Domain Services screen, click Next. You are given an overview of the roles of a Domain Controller and all the services that will be installed. The first Domain Controller in a forest requires that a DNS service be set up after this step.
  8. Click Install to start the process.
  9. Once the installation is complete, click the Promote this server to a domain controller option.
  10. An Active Directory configuration wizard will open up with an option to:
  • Add a Domain Controller to an existing Domain
  • Add a new Domain to an existing Forest
  • Add a new Forest

Setting up the Domain Controller

To set up a new Domain Controller, select the option Add New Forest and type in the root Domain name.

  1. The next screen selects the Domain and Forest functional levels. For the first Domain Controller, select Windows Server 2016 as the forest and domain functional level and enter the Directory Services Restore Mode (DSRM) password. The DNS server option should also be checked alongside the Global Catalog (GC). Click Next.
  2. When configuring the first DNS server in a new forest, a warning about DNS delegation is bound to pop up. No modification is needed for now because the Domain Controller will use Active Directory-integrated DNS. Click Next.
  3. Confirm the NetBIOS domain name (filled in by default) and click Next. The default NetBIOS name is fine.
  4. The next page selects the paths for the Active Directory database, the log files folder, and the SYSVOL folder. The default values are fine. Click Next.
  5. Then comes the review page, which lists all the selected options. Review everything and make any necessary changes. If no change is needed, click Next.
  6. Prerequisite checks are run to make sure everything is in place. The Install button only becomes active once the prerequisite checks have passed. If the checks are successful, click Install.
  7. The server will automatically reboot when the installation has finished.
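As an added example (not code from the original article), the following PowerShell performs the same two activities, installing the AD DS role and promoting the server to the first Domain Controller of a new forest, without the Server Manager wizard. It assumes an elevated session on a Windows Server 2016 member server; the names corp.example.com and CORP are constructed, and the paths are the wizard's defaults.

```powershell
# Added example: install AD DS and create a new forest with PowerShell.
# corp.example.com / CORP are constructed example names.
$domainName  = 'corp.example.com'
$netbiosName = 'CORP'

# Wizard steps 1-8: add the role with its management tools (this also pulls in
# the .NET features the role depends on)
Install-WindowsFeature -Name AD-Domain-Services -IncludeManagementTools

# Prompt for the Directory Services Restore Mode password rather than hard-coding it
$dsrmPassword = Read-Host -Prompt 'DSRM password' -AsSecureString

# The wizard's prerequisite check, run on its own so problems surface before promotion
Test-ADDSForestInstallation -DomainName $domainName `
    -DomainNetbiosName $netbiosName `
    -SafeModeAdministratorPassword $dsrmPassword `
    -InstallDns

# Promotion: new forest at the Windows Server 2016 (WinThreshold) functional level,
# AD-integrated DNS, and the default database, log and SYSVOL paths. The first DC
# is automatically a Global Catalog. The server reboots when this finishes.
Install-ADDSForest -DomainName $domainName `
    -DomainNetbiosName $netbiosName `
    -ForestMode WinThreshold `
    -DomainMode  WinThreshold `
    -InstallDns `
    -DatabasePath 'C:\Windows\NTDS' `
    -LogPath      'C:\Windows\NTDS' `
    -SysvolPath   'C:\Windows\SYSVOL' `
    -SafeModeAdministratorPassword $dsrmPassword `
    -Force

# After the reboot, log on as the domain administrator and confirm the DC and DNS work:
# the DC should be listed, and the SRV record domain members use to find it must resolve
Get-ADDomainController | Select-Object Name, Domain, IsGlobalCatalog
Resolve-DnsName -Name "_ldap._tcp.dc._msdcs.$domainName" -Type SRV
```

The two commands after the reboot replace the manual check in Active Directory Users and Computers: if the SRV record does not resolve, clients will not be able to locate the new Domain Controller even though the promotion itself succeeded.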

Once the computer reboots, log in as the Domain administrator and head straight to the Administrative Tools. Open the Active Directory users and computers to confirm successful operation of the Active Directory and the DNS.

Other Things You Need to Know

Setting up static IP addresses on Windows Server 2016:

  1. Open the Control Panel.
  2. Click on View network status and tasks in the Network and Internet applet.
  3. Click on Change adapter settings.
  4. Right-click the network connection and select Properties from the pop-up menu.
  5. Scroll down, select Internet Protocol Version 4 (TCP/IPv4) and click on Properties.
  6. Key in the IP address, the subnet mask, and the default gateway. The preferred and alternate DNS server addresses are also needed. Click OK.
  7. Reboot the server.
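As an added example (not code from the original article), this PowerShell performs the same static address steps and the server rename recommended earlier in the article, which is usually done in the same maintenance window. It assumes an elevated session; the adapter name "Ethernet", the 192.168.10.0/24 addresses and the hostname DC01 are constructed values to be replaced with your own.

```powershell
# Added example: static IPv4 address, DNS servers and server rename with PowerShell.
# Adapter alias, addresses and hostname are constructed example values.
$adapter = 'Ethernet'

# Show the current configuration, including any DHCP-assigned address
Get-NetIPConfiguration -InterfaceAlias $adapter

# Disable DHCP on the adapter and clear the leased address and default route so
# they do not conflict with the static settings
Set-NetIPInterface -InterfaceAlias $adapter -Dhcp Disabled
Get-NetIPAddress -InterfaceAlias $adapter -AddressFamily IPv4 -ErrorAction SilentlyContinue |
    Remove-NetIPAddress -Confirm:$false
Get-NetRoute -InterfaceAlias $adapter -DestinationPrefix '0.0.0.0/0' -ErrorAction SilentlyContinue |
    Remove-NetRoute -Confirm:$false

# Step 6: IP address, subnet mask (/24 = 255.255.255.0) and default gateway
New-NetIPAddress -InterfaceAlias $adapter -IPAddress '192.168.10.10' `
    -PrefixLength 24 -DefaultGateway '192.168.10.1'

# Preferred and alternate DNS servers (constructed addresses)
Set-DnsClientServerAddress -InterfaceAlias $adapter `
    -ServerAddresses ('192.168.10.10', '192.168.10.11')

# Verify: PrefixOrigin should now read Manual rather than Dhcp
Get-NetIPAddress -InterfaceAlias $adapter -AddressFamily IPv4 |
    Select-Object IPAddress, PrefixLength, PrefixOrigin
Get-DnsClientServerAddress -InterfaceAlias $adapter -AddressFamily IPv4

# Rename the server before AD DS is set up; step 7's reboot happens here
Rename-Computer -NewName 'DC01' -Force -Restart
```

Run this from a console session rather than over Remote Desktop: the moment the DHCP address is removed, any remote session on that adapter is cut off until the new address is in place.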

The new features made available in Windows Server 2016 should also make system administrators aware of the minimum system requirements to install and configure both Active Directory and Domain Controller.

Here are the minimum software and hardware requirements:

Processor

  • A 1.4 GHz 64-bit processor compatible with the x64 instruction set.
  • Support both NX (no execute) and DEP (Data Execution Prevention).
  • Supports second-level address translation such as EPT and NPT.

RAM

  • At least 512MB (if you are installing a server with a desktop environment, then a minimum of 2GB is needed).
  • RAM with ECC (error correcting code).

Storage Controllers and Disk Space

  • A computer designed for the Windows Server 2016 operating system should have storage adapters compliant with the PCI Express specification. Hard disks or any other permanent storage cannot be PATA, since Windows Server 2016 does not allow ATA/PATA/IDE/EIDE configurations.
  • The minimum disk partition size is 32GB.

Network Adapter

  • Any adapter capable of gigabit throughput.
  • A card compliant with PCI Express architecture.
  • A card that supports Pre-Boot Execution Environment (PXE)
  • A network debugging enabled card is desirable, but not a requirement.

Conclusion

Installation of Active Directory is almost standard across all Windows Server operating systems. Some people may rely on their experience to set up a new Active Directory without paying attention to the minimum hardware and software requirements. When handling an installation on an old system, you may be forced to confirm that all the requirements are met.

We hope that you find it helpful to have read this article.


Windows Server Optimization: Active Directory Auditing – Track User Logons

Tracking user logons gives system administrators an opportunity to identify active and inactive accounts, as well as broad access rights that could put the organization's information at risk.

Active Directory auditing involves collecting data on all Active Directory objects and attributes that help in analyzing and reporting the overall health of the Active Directory.

Audits are performed to secure the Active Directory from attacks and to keep IT operations running. Tracking user logons is needed for the following operations:

1. Track the logon activity on Domain Controllers.
2. Track user logon activities (logon failures, recent logons, last logon on workstations).
3. Track logon activities on Member Servers and Workstations.
4. Monitor RADIUS logon on computers.

In a busy working environment, Active Directory Auditing helps verify the number of users accessing the Active Directory at any given time, identify remote logon users, determine the peak logon sessions, monitor all critical logons, act on unauthorized attempts and access, and generate backup reports in case of any queries or investigations.

Why Using the Native Active Directory Auditing is Insufficient

1. The day-to-day logon information collected in the server logs is not friendly to non-technical staff.
2. Understanding which specific events correlate to each logon activity requires expertise.
3. The amount of data collected is voluminous due to the continuous activity on the Domain Controller. Dealing with such a huge amount of data is tedious and time consuming.
4. The restricted nature of Domain Controllers means access to their logs is limited to specific personnel.
5. Non-administrative staff outside the IT department cannot access real-time logon data, which puts native Active Directory auditing out of reach for managers, auditors, human resources staff, etc.

The Solution to Native Active Directory Auditing

The only possible way of tracking real-time logon activity on a large scale for auditing is to use software such as ManageEngine ADAudit Plus, which collects all logon information into a single document that can be shared from a central server console.

The ADAudit Plus tool gives all information relating to successful and failed logon attempts.

Active Directory Logon Auditing

Real time auditing means tracking every logon activity as it happens to the entire Active Directory. The outcome of this audit is listing all logon activities that can be viewed on the central server in an instant.

The logon report contains information on failed logons, Domain Controller logon information, Member Server logon information, Workstation logon, recent and last logon activities.

Active Directory logon auditing also helps in reporting on specific logon events by listing all logon-related actions. All this information is presented on a web interface that displays data in statistical form via charts, lists, and graphs. Because native Active Directory auditing is insufficient, ADAudit Plus relays more information, some of which is explained below:

Logon Activities on Domain Controllers
Domain Controllers form the critical element of Active Directory because all changes to the Active Directory take place there. Logons to them are restricted to network administrators or privileged users. Any attempt by other users should be a wake-up call for administrators to take corrective action.

ADAudit Plus gives details such as the user's location, time of logon, successful or failed logon attempts, and the reason for failure, if any.

Track User Logon Activities (logon failures, recent logons, last logon on workstations)
The logon failure report gives the reasons why a failure occurred and the number of failed attempts reported for a particular user. This information can alert system administrators to possible external attacks.

Common reasons for failed logon attempts are a bad user name or a wrong password. Other reasons, such as errors due to time restrictions, replication delays, and differing workstation OS versions, can also be reported.

Reports on user logons give all the information needed to audit the entire logon history on both the server and the client end. This information is accessible only to specific domain users. A user's logon history is used to draw a logon pattern and to show system auditors proof of activity on the network.

Recent activities are used by administrators to ascertain whether every past logon was used as intended. An analysis of past logon can be used to measure levels of irregularities. ADAudit Plus gives details of both successful and failed logons alongside reasons for unsuccessful attempts. The unsuccessful logs are used for planning any corrective measures.

The last logon on workstations has all the information on the time of last successful logon attempts. The report of this audit can be used to show absenteeism or availability of a user.

Track Logon Activities on Member Servers and Workstations
Tracking logon activity on member servers and workstations helps administrators track the logons of users with authority to access selected servers and workstations. The information displayed here includes times of access, the location of the user including workstation details, successful or failed logins, and the reason behind any logon failure.

Monitor RADIUS Logon on Computers
Users accessing the domain from a remote location use the Remote Authentication Dial-In User Service (RADIUS). Reports on remote users cover logon failures, authentication through Active Directory, and logon history. Only RADIUS logon activity passing through Network Policy Servers can be reported.
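As an added example (not code from the original article or from the ADAudit Plus product), the following PowerShell collects the categories of logon information described above, failed logons with their reason, remote logons, and accounts whose last logon is old, directly from a Domain Controller's Security log and Active Directory with built-in cmdlets. It assumes Audit Logon and Audit Account Logon success/failure auditing is enabled on the DC and that the RSAT ActiveDirectory module is installed; DC01 is a constructed name. The sub-status codes in the table are the standard NTSTATUS values Windows records in event 4625.

```powershell
# Added example: native logon tracking from the Security log and AD attributes.
# DC01 is a constructed example name.
$dc    = 'DC01'
$since = (Get-Date).AddDays(-1)

# NTSTATUS sub-status codes that explain why a logon failed (event 4625)
$failureReason = @{
    '0xc0000064' = 'user name does not exist'
    '0xc000006a' = 'wrong password'
    '0xc000006f' = 'outside permitted logon hours'
    '0xc0000070' = 'workstation restriction'
    '0xc0000072' = 'account disabled'
    '0xc0000193' = 'account expired'
    '0xc0000234' = 'account locked out'
}
$logonType = @{ '2' = 'Interactive'; '3' = 'Network'; '7' = 'Unlock'; '10' = 'RemoteInteractive' }

# Successful (4624) and failed (4625) logons, read as XML so every field has a name
$events = Get-WinEvent -ComputerName $dc -FilterHashtable @{
    LogName = 'Security'; Id = 4624, 4625; StartTime = $since
} -ErrorAction SilentlyContinue | ForEach-Object {
    $x = [xml]$_.ToXml()
    $d = @{}
    foreach ($n in $x.Event.EventData.Data) { $d[$n.Name] = $n.'#text' }
    [pscustomobject]@{
        Time      = $_.TimeCreated
        Id        = $_.Id
        User      = "$($d.TargetDomainName)\$($d.TargetUserName)"
        Source    = $d.IpAddress
        LogonType = $logonType[[string]$d.LogonType]
        Reason    = if ($_.Id -eq 4625) { $failureReason[([string]$d.SubStatus).ToLower()] } else { 'success' }
    }
}

# Logon failures: which accounts failed most often in the last day, and why
$events | Where-Object Id -eq 4625 |
    Group-Object User, Reason | Sort-Object Count -Descending |
    Select-Object Count, Name -First 10

# Remote (RDP) logons to the Domain Controller in the same window
$events | Where-Object { $_.Id -eq 4624 -and $_.LogonType -eq 'RemoteInteractive' } |
    Select-Object Time, User, Source

# Last logon: enabled accounts with no logon in 90 days. lastLogonTimestamp is
# replicated between DCs but can lag by up to 14 days, so it suits inactivity
# reports rather than exact last-logon times.
$cutoff = (Get-Date).AddDays(-90)
Get-ADUser -Filter { Enabled -eq $true -and LastLogonTimeStamp -lt $cutoff } `
    -Properties LastLogonTimeStamp |
    Select-Object SamAccountName,
        @{ n = 'LastLogon'; e = { [DateTime]::FromFileTime($_.LastLogonTimeStamp) } }
```

This is the raw material a reporting tool summarizes: the event IDs and status codes are the "expertise" the article says native auditing demands, and on a busy DC the Security log rolls over quickly, which is why a central collector is needed for anything beyond a same-day check.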

Conclusion

The aim of any server optimization is to speed up operations, and in the case of logon auditing, to speed up reporting. Native Active Directory auditing may give comprehensive information, but it is weighed down by the reporting time.

System administrators should take advantage of Active Directory auditing tools such as ADAudit Plus to help carry out Active Directory audits. An Active Directory reporting tool should be able to filter information by marking out WHEN a change in the Active Directory was made, WHERE the change took place, WHAT the nature of the change is, and WHO is responsible for the change.

All these identifiers in a report are to facilitate easier understanding when reviewing the summarized information.


How to Audit Active Directory Using ‘Netwrix’

Auditing Active Directory in any environment has become a critical task in the IT department. Small and large organizations are using Windows Active Directory Auditing Software to pass compliance tests and overcome security challenges.

At the heart of a Windows-based enterprise network, the mechanisms administrators use to organize and control the resources and objects in Active Directory determine how the structural framework, security, and database operations take place, from authentication to authorization.

This means it is important to keep track of all the activities taking place within the Active Directory to make sure network activity is at its best at all times.

Netwrix Auditor for Active Directory reports on what is going on inside Active Directory and Group Policy. The software audits changes made to the directory and logon activity to reduce the risk of abuse and streamline troubleshooting, while at the same time enforcing IT governance and compliance. Netwrix Auditor can be deployed on premises, on a Windows Server, or on a virtual server.

Getting Started

The first-run installation needs a SQL Server instance to be configured, because SQL Server Reporting Services (SSRS) is required in addition to the database engine. Features such as the .NET Framework 3.5 and above must be installed before the auditing software. Netwrix software runs in two modes:

  1. The Administrator console, which configures the auditing environment.
  2. The Auditor client, which handles the query and reporting tool.

The two modes have other nodes within the consoles with specific tasks:

Managed Objects – for defining supported applications.
AuditArchive – connects to the database providing for the long-term audit storage options.
Settings – handles all credentials via SMTP protocols, licenses, and email addresses.

Netwrix Expected Output

Active Directory is home to many objects that generate many logs. After defining which objects to audit in the Netwrix console, these are some of the expected results:

1. Listing all Changes
All changes made in the Active Directory will be detected and information such as WHO, WHAT, WHEN, and WHERE also form part of the report.

Login activities in the critical systems will be reported and all failed and successful attempts will be displayed. The Logon history of any particular user is also available.

2. Current Configuration Reports
The current state of users and groups, including properties such as permissions and other common user settings, can be compared against a known standard for consistency.

The software will also look at the compliance levels of the Active Directory by testing compliance with set standards. Any changes to the audit policy settings or modifications of the group policy are also displayed.

3. Active Directory Risk Assessment
Risks associated with wrong privilege assignment and user account management are assessed. This assessment helps close security gaps early. All threat patterns are indicated, and Netwrix gives you the opportunity to react within minutes of a threat alert.

4. Behavior Anomaly Reporting
Malicious attempts from insiders and hacked accounts can be detected early enough for system administrators to take action to protect critical systems and cloud applications. Searches within the Active Directory audit data can be customized to work like the search in your preferred browser.

Your search history can be saved and retrieved on demand. Low-profile threats, such as unusual logons or identity theft, can also be reported as possible threats to the Active Directory.

5. Detailed Reports on All Dashboards
IT and business users can get Active Directory audit reports in the format they need through sorting, exporting, filtering, drill-down, and web and email subscriptions.

6. Gives Additional Controls
By enforcing effective permission controls, access management is streamlined through reports of who is supposed to access which resource in the network. The way the rights were assigned is also indicated.

7. Inactive User Tracking and Password Expiration Alerts
Inactive user accounts are deactivated, while the remaining Active Directory users are given password change alerts before expiration. Issues relating to security lockouts can be resolved by analyzing the data in the report.

8. Rolling Back Changes
In the event of a system breakdown, Netwrix auditing software lets the system revert changes back to the state it was in when it was known to be OK, without needing to restore a backup.

Netwrix Software works in the background and thus, it does not reduce system performance or cause downtime.

Defining Managed Objects

A managed object is the target (the AD objects) that Netwrix will audit. Details such as the database, the scope of the audit, and real-time alert settings are set up when defining the object. After the object is defined, running a data collection job gathers an overall overview of the Active Directory.

Viewing Audit Data

The Netwrix Auditor home page has several icons that offer one-click access to many tasks. Clicking the relevant icon pops up a table of results based on the search criteria. To view specific audit outcomes that answer the pertinent security questions of WHO, WHAT, WHEN, and WHERE, system administrators should use the search feature to create custom queries.

Generating Reports

Netwrix Audit Software runs on top of Windows Server built-in security services. Instead of worrying about how to create queries to generate reports, Netwrix Auditing Software has pre-built reports that cover several aspects of the Active Directory.

The good thing about the pre-built reports is that they have been pre-formatted to comply with known industry standards; therefore passing compliance tests with Netwrix is faster and more accurate. The final report can be exported to other formats such as text, PDF, or HTML.

Conclusion

Many organizations today find themselves subject to compliance regulation and testing. Auditing changes in Active Directory is considered mandatory as part of an organization's security strategy.

Plenty of tools and packages can make this work easier; some still face limitations, while others offer a comprehensive outlook when used on a complex network. Netwrix strikes a balance, giving almost all the information needed without too much effort.

How to Set Up Azure Active Directory Account

Microsoft is dedicated to ensuring that individuals can access their computers and perform various tasks. The company established the Windows system to enable its users to launch and run various programs.

As such, it is designed to accommodate other smaller programs that perform specific tasks, making the use of Microsoft software and computers friendly to many users.

This article focuses on Azure Active Directory Connect and its functions. It will also show how to set up Azure AD Connect on a computer or any other device running the Windows system.

First, one must understand what Azure AD Connect is and what it does. By understanding its primary functions, one will understand the various installation steps and why each is essential to the smooth running of the program.

BACKGROUND

Azure AD Connect is one of Microsoft's main components dedicated to synchronizing identity data between a local environment and the Microsoft cloud environment. The program enables the user to configure and deploy the prerequisites required for the connection, including synchronization and sign-on.

It also incorporates functionality such as DirSync and Azure AD Sync, which were initially released as individual programs. Once run by an administrator, the program installs a few essential components such as the .NET Framework and the Microsoft Online Services Sign-In Assistant, which are necessary for its functioning.

It then installs and configures Azure AD Sync and enables synchronization in the Azure AD tenant. Lastly, it sets up password hash sync to provide the sign-on option selected by the administrator.

MODES OF INSTALLATION

Azure AD Connect may be installed in two primary ways, custom installation and express installation, depending on the preferences of the user.

Express installation is the default setting found in a newly-acquired program. This form of installation is designed for new users that are not yet conversant with the program. It provides the user with the basic installation tools.

Custom installation, on the other hand, is mainly implemented by users who are accustomed to the program and require certain functions that may not be accessible via express installation. Custom installation enables the user to implement various options that are not readily accommodated by the usual installation.

Express Installation

1. Sign in as the local administrator on the server where you will be installing Azure AD Connect. The administrator authorizes the installation of all programs on the computer. Install the program on the server that you want to be the main sync server.
2. Navigate to AzureADConnect.msi and double-click it. This displays a welcome screen with the terms and conditions. Check the Agree option and select Continue.
3. At the bottom of the window you are presented with two options: Customize and Use express settings. Since we are using the express option, click Use express settings.
4. A window pops up prompting for the username and password of the global administrator for your company's Azure AD. Enter the correct details and click Next.
5. The AD DS window then pops up, prompting for the username and password of the organization's admin account. For the username field, enter the domain in either FQDN or NetBIOS format (i.e. pnl.co.uk\administrator or PNL\administrator). Ensure that every domain shown on the next page is verified, then click Next.
6. Next is the install screen. Click Install and let the synchronization process run until every element is fully configured. If there is Exchange on premises, enable Exchange Hybrid Deployment. Lastly, click Install, and click Exit once everything is installed.
7. Sign off, then sign back in before using the Synchronization Manager.

Custom Installation

The initial steps of a custom installation are not so different from the express installation. A user may opt for the custom settings when the options provided by the express settings are not sufficient.

1. Follow steps 1 and 2 of the express installation, then at step 3 select the Customize option.
2. Proceed to install the required components for the optional configurations. There are four options on this screen:
a. Password Hash synchronization
b. Passthrough authentication
c. Federation with AD DS
d. Do not configure
For the first three, users can sign in to Microsoft cloud services such as Office 365 with the same password they use to sign in to their on-premises accounts. Select your preferred option and tick the Enable single sign-on box.
3. Next, you will see the Connect to Azure AD screen and be prompted for the global Azure AD admin’s username and password. If the administrative account has multi-factor authentication enabled, verify it using the verification code sent by phone call or text message.
4. Once this is done, a Connect to Directory screen will pop up. Select the Active Directory option and add the forest name and the necessary credentials.
5. After this, an Add Directory option will appear with two choices: create a new account, or use an existing account. Supply the necessary credentials for the account and proceed to the Azure AD sign-in configuration. All the options presented on this screen must be verified; if they are not, verify them and refresh the screen. Then select a suitable user principal name and click Next.
6. Other options such as domain and OU filtering must also be filled in. This option allows you to either synchronize all domains or synchronize only selected domains.
7. Select how users are uniquely identified. There are two options here: users are represented only once across all directories, or user identities exist across multiple directories. You must also select how the users are to be identified.
8. Proceed with the synchronization settings for users and devices, then click Next.
9. An Optional Features screen will pop up. Select the appropriate options according to your preferences.
10. Then, an option for the available apps within Azure AD will pop up. Choose all the suitable apps and click Next.
11. Select the necessary directory extensions, then move on to configure and install the program. Just as for the express installation, enter the proper forest credentials to enable the single sign-on option.
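Once either installation has finished, a practitioner will want to confirm that the scheduler is actually running before trusting that changes flow to Azure AD. The following PowerShell is an added example, not part of the original article or of the Azure AD Connect product; it uses the ADSync module that the installer places on the server.

```powershell
# Added example (not from the original article): check the Azure AD Connect scheduler after
# installation and start a delta synchronization instead of waiting for the next cycle.
# Run in an elevated PowerShell session on the Azure AD Connect server.
Import-Module ADSync

function Test-ADSyncReady {
    $scheduler = Get-ADSyncScheduler
    Write-Host ("Sync cycle enabled : {0}" -f $scheduler.SyncCycleEnabled)
    Write-Host ("Staging mode       : {0}" -f $scheduler.StagingModeEnabled)
    Write-Host ("Sync in progress   : {0}" -f $scheduler.SyncCycleInProgress)
    Write-Host ("Next cycle (UTC)   : {0}" -f $scheduler.NextSyncCycleStartTimeInUTC)

    if (-not $scheduler.SyncCycleEnabled) {
        # A freshly installed server should have the scheduler on; re-enable it if it is not.
        Write-Warning "Scheduler is disabled; enabling it."
        Set-ADSyncScheduler -SyncCycleEnabled $true
    }

    # The connectors tell you that both the on-premises forest and the Azure AD tenant were registered.
    Get-ADSyncConnector | Select-Object Name
}

Test-ADSyncReady

# Delta sync pushes only objects changed since the last run, so it is safe to trigger now.
Start-ADSyncSyncCycle -PolicyType Delta
```

If the scheduler reports that a cycle is already in progress, wait for it to finish before starting another; a second request is rejected while one is running.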

Best Practices to Secure Active Directory

One of the first questions any server administrator asks is how to protect the Active Directory domain and make it less vulnerable.

In this article, we bring you the best practices for securing Active Directory domains against any type of attack and for maximizing your server security.

Account Hierarchy

Hierarchy in every server system is one of the things worth thinking about. All of the users should have their roles, and on top of all those roles is the Administrator.

Users should not have any more rights than they need, and administrators should use their rights only as the situation requires.

It is recommended that administrators and other staff with elevated privileges use two accounts: one for logging in on their workstations when no admin tasks are needed, and the other solely for admin work.

This way of using accounts lowers the risk of a potential attack (malware or account compromise).

Group Policies for Restricted Groups

Group Policy is an outstanding tool for securing pretty much everything. As a security practice, especially when users are local administrators of the organization’s computers, Group Policy should be used to keep them local admins but restrict them from adding new users as admins.

This can be done by creating a “Restricted Group” and applying a GPO to that group. You may do this by following these steps:

  • Edit the Group Policy applied to the scope of the wanted computers.
  • In the Group Policy Management Editor, create a new Local Group by navigating to Computer Configuration > Preferences > Control Panel Settings > Local Users and Groups, and select the Administrators group.
  • Tick the boxes “Delete all member users” and “Delete all member groups”.
  • Be sure to add back the Domain Admins and local Administrators groups so that you do not lock yourself out. You can do this with the “Add Local Group Member” option and “BUILTIN\Administrators”.
  • Recommendation: add DOMAINNAME\Domain Admins. It is good practice to have the Domain Admins group in the local group, which can be added through the domain name variable.

Users can still be added as usual and kept as local admins, but the GPO restricts them from adding other users as admins.
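A Restricted Groups policy is only as good as the check that it actually took effect. The following PowerShell is an added example, not from the original article, that reads the local Administrators group on a list of computers over WinRM and reports any member not on an approved list; the computer names, domain name and group names are constructed placeholders.

```powershell
# Added example (not from the original article): audit the local Administrators group on a
# set of computers and report any member that is not on the approved list. Computer and
# group names are constructed placeholders; replace them with your own.
$computers = @('WS-001', 'WS-002')                     # constructed workstation names
$expected  = @(
    'Administrator',                                   # the local built-in account (no prefix)
    'CORP\Domain Admins',                              # constructed domain name
    'CORP\Workstation Admins'
)

function Get-UnexpectedLocalAdmins {
    param(
        [string[]]$ComputerName,
        [string[]]$Expected
    )
    foreach ($c in $ComputerName) {
        try {
            # Get-LocalGroupMember runs on the remote machine over WinRM.
            $members = Invoke-Command -ComputerName $c -ErrorAction Stop -ScriptBlock {
                Get-LocalGroupMember -Group 'Administrators' |
                    Select-Object Name, ObjectClass, PrincipalSource
            }
        } catch {
            Write-Warning "$c unreachable: $($_.Exception.Message)"
            continue
        }
        foreach ($m in $members) {
            # Local principals come back as COMPUTER\name; strip the computer prefix so the
            # approved list can name them without knowing each hostname.
            $normalized = $m.Name -replace ('^' + [regex]::Escape($c) + '\\'), ''
            if ($Expected -notcontains $normalized) {
                [pscustomobject]@{
                    Computer = $c
                    Member   = $m.Name
                    Class    = $m.ObjectClass
                    Source   = $m.PrincipalSource
                }
            }
        }
    }
}

Get-UnexpectedLocalAdmins -ComputerName $computers -Expected $expected | Format-Table -AutoSize
```

Run it from the workstation you use for admin work (with your admin account, per the two-account practice above) after the GPO has refreshed; any row it prints is either a missing entry in the approved list or an account the policy should have removed.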

Server Login Limits

Logging on directly to the server should not be common practice for anyone, even administrators. Most administrative operations can be performed through remote admin tools, so the server can be managed from a workstation or terminal server.

This can be achieved by applying a GPO as follows:

  • Access the GPO in the console tree, which can be found under Forest name/Domains/Domain name/Group Policy Objects.
  • Click Add in the Scope tab.
  • Type the name of the group that needs the security filter in “Enter the object name”.
  • Remove Authenticated Users in the Security Filtering section of the Scope tab.

The settings in a GPO apply only to users and computers contained in the domain or organizational units to which the GPO is linked.
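The same security filtering can be applied with the GroupPolicy module, which is easier to review and repeat than the console steps. The following PowerShell is an added example, not from the original article; the GPO name and group name are constructed placeholders. It also keeps a Read entry for Domain Computers, which is needed because, since the MS16-072 update, the computer account retrieves user-side policy and a GPO with no readable entry for it silently stops applying.

```powershell
# Added example (not from the original article): apply security filtering to a GPO with the
# GroupPolicy module so that only members of one group receive it. Names are placeholders.
Import-Module GroupPolicy

$gpoName    = 'Restrict Server Logon'     # constructed GPO name
$scopeGroup = 'Server Logon Restricted'   # constructed group that the settings should apply to

function Set-GpoSecurityFilter {
    param([string]$Name, [string]$Group)

    # 1. Grant the target group Apply rights (Apply implies Read).
    Set-GPPermission -Name $Name -TargetName $Group -TargetType Group -PermissionLevel GpoApply | Out-Null

    # 2. Remove the default Authenticated Users entry so the GPO no longer applies to everyone.
    Set-GPPermission -Name $Name -TargetName 'Authenticated Users' -TargetType Group -PermissionLevel None | Out-Null

    # 3. Keep Read for Domain Computers: after MS16-072 the computer account reads user-side
    #    settings, so without a readable entry the filtered GPO is never delivered.
    Set-GPPermission -Name $Name -TargetName 'Domain Computers' -TargetType Group -PermissionLevel GpoRead | Out-Null

    # Return the resulting ACL so it can be reviewed.
    Get-GPPermission -Name $Name -All |
        Select-Object @{ n = 'Trustee'; e = { $_.Trustee.Name } }, TrusteeType, Permission
}

Set-GpoSecurityFilter -Name $gpoName -Group $scopeGroup | Format-Table -AutoSize
```

The review output should show exactly one GpoApply entry (your group), GpoRead for Domain Computers, and no entry at all for Authenticated Users; the administrative entries (Domain Admins, Enterprise Admins, SYSTEM) remain as created by the GPO.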

Domain Controllers Security

Server security can be compromised through both software and hardware.

If the domain controllers are physical servers, it is strongly recommended to lock them away so that no one can access them. If the domain controllers are remote, it is recommended to configure them as read-only domain controllers (RODC) and to set up the DCs as Core with GUI. Of course, it is recommended to apply all the practices mentioned as well as closing all unnecessary ports between the DCs and the workstations.

There are many more practices for keeping servers secure; it is a constant, ongoing process and admins should always be on the watch. This article gives an overview of some major practices, but threats, like security practices, develop and change day to day.


AD Domain Services Overview

A directory, in non-technical terms, is a hierarchical structure that stores data about the objects found within a computer network. An Active Directory is an organizational structure comprising user accounts for authentication, addresses, security groups, group policies, file shares, and physical resources such as computers and printers.

All users in an Active Directory must be given permission to access this information upon request. In this article, we will dive deeper and look at what makes up AD Domain Services.

Features of an Active Directory

An Active Directory is implemented by building structures that store data based on a logical and hierarchical organization of information. The data stored in the directory holds all the information about the Active Directory objects such as network printers, servers, shared volumes, and individual computer accounts.

The basic element of security integrated into an Active Directory is the implementation of logon authentication and access control. A system administrator can use a single network logon to manage the entire directory and organization in the network.

Active Directory Domain Services uses policy-based administration to make the work of system administrators easier, especially in more complex network infrastructures. Implementing policy-based authorization revolves around the following components:

  • Schema
    These are the sets of rules used to define objects and attributes within the Active Directory. The schema also defines the limits on instances and how they are represented in the directory.
  • Global Catalog
    This catalog holds information on every object defined in the directory. It enables both users and administrators to locate information even when the data is in a different domain.
  • Query and Index Mechanism
    Query indexing enables users or applications to locate objects and their properties. It comes in handy when looking for specific information in the directory structure.
  • Replication Service
    This dedicated service distributes data all over the network. The domain controllers take part in replication by each holding a complete copy of all data and directory information stored in the domain. All changes made in Active Directory Domain Services are replicated to all domain controllers in the domain.

Understanding Active Directory Domain Service

Some of the core concepts that give a clear understanding of what the Active Directory is are briefly highlighted below:

  1. Active Directory Structure and Storage Technologies
    The Active Directory storage design comprises four features, namely:

    1. The Active Directory, domains, and forests. Domains and other organizational units define the Active Directory logical structure.
    2. The Domain Name System (DNS), which resolves names for the domain controllers so that the Active Directory can reflect its organization structure.
    3. A schema that holds the definitions of all objects stored in the directory.
    4. A data store that manages the storage and retrieval of data on the domain controllers.
  2. Domain Controller Roles
    A domain controller is a Windows server configured with the Active Directory service installed. The system administrator is responsible for setting up the different roles. A new server configuration is complete when a specific role is assigned to a domain controller by installing Active Directory Domain Services. Within the Active Directory there are specialized roles that perform specific functions in an Active Directory environment, such as global catalog servers and operations masters.
  3. Active Directory Schema
    This schema is the blueprint that describes all rules and objects stored in the Active Directory and all the attributes related to each particular object. Therefore, an Active Directory schema defines the content and structure of objects and the attributes used when creating them.
  4. Understanding Trusts
    Raising the domain and forest functional levels means that no forests and domains running earlier versions of the operating system can be integrated at the new level. For example, at the Windows Server 2016 level you cannot add a domain controller or a forest running Windows Server 2008. Each domain functional level has its corresponding set of enabled features, which also corresponds to the version of the Windows Server operating system used.
  5. Active Directory Replication Technologies
    The directory replication model uses mechanisms that enable the Active Directory update capabilities. The domain controllers track the changes they receive and only apply the updates that have taken place since the last replication. The update tracker has two roles:

    1. Identifying changes that have not been received at the destination and need to be replicated.
    2. Resolving conflicts arising from simultaneous changes to an object.
  6. Active Directory Search and Publication Technologies
    The reason behind having an Active Directory is to enable users, objects, applications, and services to search for and publish useful information. Such operations include:

    1. Searching and comparing data.
    2. Finding information relating to available services.

The component used by the Active Directory for searching is LDAP (Lightweight Directory Access Protocol), while the one responsible for service publication is the Key Distribution Center.

  7. Understanding Schema
    A schema is an Active Directory service used to define the objects and attributes that the directory service uses to store data. A combination of complex definitions may be used to define objects that need more complexity. New definitions in the schema can be used to define new objects in the Active Directory. The schema is stored in its own partition within the directory and replicated among all existing domains in the forest.

Conclusion

With so many changes in the configuration of Active Directory Domain Services, it is important to note that this article gives a general overview of a functioning Active Directory Domain Services server role.

An Active Directory network infrastructure provides centralized storage and management of objects. Through group policies, the system administrator can securely manage the access and availability of shared network resources.

Active Directory Domain Services acts as the foundation of Windows Server identity and provides a central basis for authentication and authorization for all the server roles in a typical Windows Server operating system.

Some of the distinct features found in the latest Active Directory configurations include system auditing, password and account lockout policies, read-only domain controllers, the ability to restart domain services, and the Active Directory Database Mounting Tool.

Performance Tuning for Windows Server Active Directory 2016

The Active Directory is a standardized and central database for Windows Server systems that houses user accounts used for authentication, file shares, printers, computers, and other settings such as security groups. The main purpose of Active Directory is to allow only authorized users to logon to the network and act as a central management for network resources.

Once you have set up a Windows Server in your environment, you might have business requirements that are not supported by your server’s default settings. For instance, you may desire to scale down on your power/energy consumption, maximize your server’s output and have the lowest server latency. It’s for this reason that we must always ensure that our AD is running optimally. And one way to ensure that is by performance tuning.

We are going to give you a few tips on how you can tweak your server settings to scale up your AD’s performance and energy efficiency, especially when you have a varied workload.

For performance tuning to have maximum impact, it should be centered around the server hardware, the workload, the energy budget, and the performance objectives of the server. We are going to describe crucial tuning considerations that can yield improved system performance coupled with optimal energy consumption.

We’ll break down each setting and outline its benefits to help you make an informed decision and achieve your goals as far as workload, system’s performance, and energy utilization is concerned.

Hardware Considerations

This encompasses the RAM, Processor, storage, and Network Card.

RAM

To increase scalability of the server, the least possible amount of required RAM is calculated as follows:

Current size of database + Total size of SYSVOL + Recommended RAM by OS + Vendor Recommendations

Any additional RAM can be added in anticipation of the database’s growth and workload in the server’s lifetime. For remote sites with few users, these requirements can be relaxed as they will not require much RAM to cache much information to service requests.

In virtualization scenarios, avoid overcommitting the memory of the host machine. Memory overcommit happens when more memory is allocated to the guest machines than the underlying host actually has. On its own this is manageable, but it becomes a serious problem if the memory collectively allocated to the guests exceeds that of the host and the host begins paging. Remember, the objective of RAM optimization is to minimize the time spent going back to the disk.

16GB RAM is a reasonable amount of memory for a physical server. For virtual machines, though, an estimated size of 12GB would be considered decent enough with anticipation of future upgrade and growth of the database and resources.

Cache Memory

This is a type of RAM that is easily and quickly accessible by the microprocessor more than the ordinary RAM. The cache performance of an Active Directory depends on the memory space allocated for caching. Data access done at the memory level is faster than access instructions on physical volumes.

To make this processing highly efficient, more memory must be added to minimize disk input / output requests. The viable option is to have enough RAM installed to handle all operations of the operating system and the installed applications. Therefore, system logs and databases should be placed on separate volumes to offer more flexibility in storage layout.

To improve the I/O request on a hard disk, the Active Directory should implement the following hardware configurations:

  1. Use RAID controllers
  2. Increase the number of disks handling log files
  3. Support write cache on disk controllers

The subsystem performance of each volume should be reviewed; the idea is to have enough room for sudden changes in load to avoid client request non-responsiveness. Data consistency will only be guaranteed when all changes are written to logs.

Non-critical tasks such as system scans, backups, and activities taking place when the system is not overloaded should be scheduled. Backup procedures and scanning programs with low I/O requests should be used because they reduce competition with critical services in the Active Directory.

Network

To investigate the degree of traffic which should be supported, it’s prudent to make a mention of 2 broad categories of network capacity planning for Active Directory Domain Services.

Firstly, we have replication traffic which passes back and forth across Domain controllers. Then, we have client-to-server network traffic also known as intra-site traffic. Client-server traffic is much simpler to plan for since it involves minimal client requests to the Active Directory in contrast to the huge volumes of data sent back by the Active Directory Domain Services.

A bandwidth of 100Mbps will be adequate in environments serving close to 5,000 users sharing a server. A 1GB Network Card is recommended for environments where users exceed 5,000 per server.

In virtualized environments, the network adapter should be in a position to support the Domain Controller load and the rest of the guests or virtual machines which are sharing the virtual switch which is attached to the physical network card.

Storage

Planning storage on the server entails two things: storage size and performance.

For Active Directory, sizing is only a consideration in large environments, because SYSVOL and NTDS.DIT fit quite easily even on a 180GB hard drive. It is therefore not prudent to allocate too much disk space in this area.

However, you should ensure that 110% of the NTDS.DIT size is available for defragmentation. Beyond that, plan for growth over the 3-to-5-year lifespan of the hardware. An estimate of about 300% of the size of the NTDS.DIT database file will be satisfactory to accommodate growth over time and allow for offline defragmentation.
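The RAM formula in the RAM section and the 110% / 300% disk figures above both start from the live sizes of NTDS.DIT and SYSVOL, which a domain controller records in the registry. The following PowerShell is an added example, not from the original article: it reads those locations, measures the files, and applies the article’s figures. The OS and vendor RAM recommendations cannot be read from the machine, so they are parameters you supply (the defaults are placeholders).

```powershell
# Added example (not from the original article): compute the RAM floor from the RAM section
# (database + SYSVOL + OS recommendation + vendor recommendation) and the 110% / 300% disk
# headroom figures for this domain controller from its actual NTDS.DIT and SYSVOL sizes.
function Get-DcSizingEstimate {
    param(
        [double]$OsRecommendedGB     = 2,   # placeholder: take the figure from your OS documentation
        [double]$VendorRecommendedGB = 0    # placeholder: take the figure from your hardware/application vendor
    )
    # Registry values that point at the database and SYSVOL locations on a DC.
    $dbPath = (Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Services\NTDS\Parameters').'DSA Database file'
    $sysvol = (Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters').SysVol

    $dbBytes     = (Get-Item $dbPath).Length
    $sysvolBytes = (Get-ChildItem $sysvol -Recurse -File -ErrorAction SilentlyContinue |
                    Measure-Object Length -Sum).Sum
    if (-not $sysvolBytes) { $sysvolBytes = 0 }

    $dbGB     = $dbBytes / 1GB
    $sysvolGB = $sysvolBytes / 1GB
    $dbDrive  = $dbPath.Substring(0, 1)   # drive letter of the volume holding NTDS.DIT

    [pscustomobject]@{
        DatabasePath           = $dbPath
        DatabaseGB             = [math]::Round($dbGB, 2)
        SysvolGB               = [math]::Round($sysvolGB, 2)
        # RAM floor = database + SYSVOL + OS recommendation + vendor recommendation
        MinimumRamGB           = [math]::Round($dbGB + $sysvolGB + $OsRecommendedGB + $VendorRecommendedGB, 2)
        InstalledRamGB         = [math]::Round((Get-CimInstance Win32_ComputerSystem).TotalPhysicalMemory / 1GB, 2)
        # 110% of NTDS.DIT must be free on its volume for an offline defragmentation
        DefragFreeSpaceGB      = [math]::Round($dbGB * 1.10, 2)
        FreeOnDatabaseVolumeGB = [math]::Round((Get-PSDrive $dbDrive).Free / 1GB, 2)
        # 300% of NTDS.DIT covers 3-to-5 years of growth plus defragmentation room
        PlannedVolumeSizeGB    = [math]::Round($dbGB * 3.0, 2)
    }
}

Get-DcSizingEstimate -OsRecommendedGB 2 -VendorRecommendedGB 1 | Format-List
```

Compare InstalledRamGB with MinimumRamGB and FreeOnDatabaseVolumeGB with DefragFreeSpaceGB; if either installed figure is below the computed one, the DC is under the article’s floor before any growth is considered.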

Processors

Processors with few free cycles increase the wait time before execution. Server optimization should ensure that enough headroom is available to handle workload surges and, in the long run, minimize the response time to client requests. Reducing the workload on the processors involves selecting the best processors, directing client requests to available processors, and using processor information to gauge system performance.

Performance Tuning

Performance tuning on the Active Directory has two objectives:

  • The optimal configuration and performance of the Active Directory to balance the load efficiently
  • All work sent to the Active Directory has to be efficient

For the objectives above to be met, three areas need to be looked at:

Capacity Planning

This means having enough domains to handle redundancy and serve client requests within a short time. All the server hardware must be able to handle the existing load. Capacity planning involves scaling operations across multiple servers. Adding more resources such as RAM to the server is essential in preventing possible failures by ensuring that every aspect of the server works as intended.

A typical capacity planning takes place in three stages:

  1. Evaluating the existing environment by determining the current challenges.
  2. Determining the hardware needed according to the findings in the step above.
  3. Validating the employed system to ensure that it works within the defined specifications.

Server-side Tuning

The domain controllers in the Active Directory are configured to handle loads efficiently. The System Administrator is supposed to balance the demands of individual users against available resources. Add-on products that manage bandwidth and port usage may be implemented to restrict network resource uses.

Active Directory Client/Application Tuning

The Active Directory has to be set up so that the client and application requests use the Active Directory to achieve maximum efficiency.

Domain Controllers and Site Considerations

Placing domain controllers and site considerations revolve around optimization for referrals and optimization with trusts in mind.

A well-defined site definition is central to server performance. Clients that do not get the requested service may report poor performance when querying the Active Directory. Since client requests can come over IPv4 or IPv6, the Active Directory is supposed to be configured to serve data over IPv6 addresses as well. By default, the operating system picks IPv6 over IPv4 if both are configured to send and receive data.

Most domain controllers use reverse name resolution when determining the client’s site. When this happens, delays in the thread pool are inevitable, leading to unresponsiveness from the domain controller. By optimizing the name resolution framework, quick responses from the domain controllers are assured.

Another scenario is locating read/write domain controllers where read-only domain controllers are in use. Optimizing this scenario means:

  • Using an application code change where applications contact writable domain controllers although a read-only domain controller would be sufficient.
  • Placing the read/write domain controller at the center of operations to reduce latency.

Optimization for Referrals

Referrals define how Lightweight Directory Access Protocol (LDAP) requests are processed when a domain controller does not have a copy of the requested partition. The result of a referral request contains the name of the partition, the port number, and the DNS name.

This information is used by the client to send the request to the server hosting the partition. The recommendation is to make sure that the site definitions and domain controllers in the Active Directory are in place to reflect the clients’ needs. Deploying domain controllers from multiple domains in a single site and relocating the applications may also help in fine-tuning the domain controllers.

Optimization with Trusts in Mind

In a domain with multiple forests, trusts have to be defined depending on the domain hierarchy. The secure channels at the root of the forest may be overloaded by increasing authentication requests between the domain controllers. This causes delays in far-flung Active Directory sites, and the overload is worst in inter-forest and low-level trust scenarios. Some recommendations to help reduce forest trust overload:

  • Use MaxConcurrentAPI to help distribute load across a secure channel.
  • Create shortcut trusts as needed depending on the available load.
  • All domain controllers within a domain should be able to resolve the names of, and communicate with, trusted domain controllers.
  • All trusts should be based on locality considerations.
  • Reduce the chance of running into MaxConcurrentAPI problems by enabling Kerberos where possible and reducing the use of secure channels.
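Whether a secure channel is actually saturated can be measured rather than guessed: Netlogon exposes semaphore counters per trusted domain, and the MaxConcurrentApi setting lives under the Netlogon Parameters key. The following PowerShell is an added example, not from the original article; it reads both and flags channels where requests are queuing.

```powershell
# Added example (not from the original article): read the configured MaxConcurrentApi value
# and the Netlogon semaphore counters to see whether secure-channel authentication requests
# are queuing. Run on a domain controller or on a member server that proxies NTLM logons.
function Get-NetlogonSemaphoreStatus {
    $params     = 'HKLM:\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters'
    $configured = (Get-ItemProperty -Path $params -ErrorAction SilentlyContinue).MaxConcurrentApi
    $setting    = if ($null -eq $configured) { 'default (not set)' } else { $configured }

    # Netlogon performance counters: one instance per secure channel (trusted domain) plus _Total.
    $counters = Get-Counter -Counter @(
        '\Netlogon(*)\Semaphore Waiters',
        '\Netlogon(*)\Semaphore Holders',
        '\Netlogon(*)\Semaphore Timeouts',
        '\Netlogon(*)\Average Semaphore Hold Time'
    ) -ErrorAction Stop

    foreach ($g in ($counters.CounterSamples | Group-Object InstanceName)) {
        # Index each sample by the counter name, which is the last path segment.
        $v = @{}
        foreach ($s in $g.Group) { $v[($s.Path -split '\\')[-1]] = $s.CookedValue }
        [pscustomobject]@{
            SecureChannel      = $g.Name
            MaxConcurrentApi   = $setting
            Waiters            = $v['Semaphore Waiters']
            Holders            = $v['Semaphore Holders']
            Timeouts           = $v['Semaphore Timeouts']
            AvgHoldTimeSeconds = $v['Average Semaphore Hold Time']
            # Waiters or timeouts mean callers are blocked behind the MaxConcurrentApi limit.
            Queuing            = ($v['Semaphore Waiters'] -gt 0) -or ($v['Semaphore Timeouts'] -gt 0)
        }
    }
}

Get-NetlogonSemaphoreStatus | Format-Table -AutoSize
```

Sample the counters several times during peak logon hours; a channel that repeatedly shows Queuing = True is the one to address with the recommendations above, and the Kerberos point matters because Kerberos authentication does not pass through this semaphore at all.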

Name resolution taking place across firewalls takes a toll on the system and will, in turn, impact the clients negatively. To overcome this, access to trusted domains needs to be optimized through the following steps:

  1. WINS and DNS should resolve the names of the trusting domain controllers by listing the domains. This step counters the problem of static records, which tend to cause connectivity problems over time. All the forwarders and secondary copies of the resource environment needed by the clients must be maintained manually.
  2. Converge all site names shared between trusted domains to reflect domain controllers that are in the same location, by ensuring IP and subnet addresses are linked to sites within the forest.
  3. Ensure all required ports are open and firewalls are configured to accommodate all trusts. Closed or restricted ports lead to several failed communication attempts, forcing the client to experience timeouts and hung threads or applications.
  4. Domain controllers forming a trusting domain should be installed in the same physical location.

When no domain is specified disabling trust checks on the availability domain, trust checks are recommended.


Setting Up Honey Pots for Active Directory

The world of computing is replete with threats which, at any time, can compromise the security of your system. Unauthorized users may try to gain access to client machines and perform malicious activities using existing loopholes. A honey pot is a decoy network. It masquerades as a real, genuine network.

Honey Pots are used to trick intruders and give them the impression that they are attacking the right network. The activity of the attacker is then logged and studied. In a nutshell, a honeypot protects your system.

A Honey Pot is a computer system set up to lure would-be attackers and deflect their attempts to gain unauthorized access to the network. It is a system installed on a computer in order to simulate the behavior of the real system. The decoy system is isolated and monitored by system administrators.

Setting Up the Honey Pot Account

Securing an Active Directory is an important organizational policy that helps system auditors track relevant events and changes taking place in the network. Everyday threats are becoming more elusive which calls for the need to have several security measures to better handle threats, including those coming from insider attacks.

One way of implementing this is through the use of Honey Pot accounts to trick the attacker that they have full access to the system.

Within the Active Directory context, a Honey Pot administrator account can be set up because most attackers look for this account. The administrator account gives them the impression of having uncontrolled access to all resources of the Active Directory.

Advanced hackers may not fall for this trick, but using Honey Pots in your network is the best way of detecting malicious activity. System administrators need to realize that Honey Pots are not foolproof because some hackers will immediately know the legitimacy of the Honey Pot account. For the Honey Pot account to thwart the most sophisticated attacks, here is what the administrator needs to do:

  • Renaming the Built-in Administrator Account
    This account has to be renamed and the default description removed. Renaming the account means creating a username that matches the Active Directory naming conventions.
  • Create Another User Account with the Username “Administrator”
    The default description for this account should be “Built-in account for registering the computer/domain”. The idea is to create a decoy Administrator with the same description as the default account.
  • Enable Auditing
    Enable auditing of activities such as failed and successful logon attempts for the account created in step two above. The auditing configuration may be used alongside a tool that enables searches and alerts whenever this account is accessed. The Microsoft built-in tools may not give details of searches and alerts promptly, so a third-party tool such as Active Directory Audit Plus can be helpful in monitoring, searching, analyzing, and giving live alerts when a login attempt is made on the Honey Pot account.
  • Monitor the Honey Pot Activities
    Using an appropriate account auditing solution, all live activities on the account should be logged and monitored.

The four steps above should enable the Honey Pot account. It is also a good idea to have logging and monitoring activities on the renamed administrator account. The organization’s security policy should be that the renamed account should not be used unless it is a case of an emergency.

Tracking all Logon activities of all users is important in keeping the system security tight. The two accounts should now give an immediate alert when a Login attempt is made and thus the network is deemed secure and prepared for external intrusions.
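The four steps above, plus the logon tracking just described, can be carried out and checked from the AD side with the ActiveDirectory module. The following PowerShell is an added example, not from the original article or from any product it mentions: it identifies the built-in Administrator by its RID rather than its name, renames it, creates the decoy with the original account’s own description, and then searches the Security log for authentication attempts against the decoy. The new administrator name is a placeholder; the events it queries only exist if logon auditing is enabled, as step three requires.

```powershell
# Added example (not from the original article): carry out the honey pot steps from the AD
# side. Renames the built-in domain Administrator (RID 500), creates a decoy account that
# inherits the old name and description, and lists authentication attempts against the decoy.
Import-Module ActiveDirectory

$newAdminName = 'svc-corp-ops'   # placeholder: choose a name that fits your naming convention
$decoyName    = 'Administrator'

function Rename-BuiltinAdministrator {
    param([string]$NewName)
    # The built-in Administrator is identified by its RID (500), never by its name.
    $domainSid = (Get-ADDomain).DomainSID.Value
    $builtin   = Get-ADUser -Identity "$domainSid-500" -Properties Description
    Rename-ADObject -Identity $builtin.DistinguishedName -NewName $NewName
    Set-ADUser -Identity $builtin.SID -SamAccountName $NewName -Clear Description
    # Hand back the original description so the decoy can reuse it verbatim.
    $builtin.Description
}

function New-DecoyAdministrator {
    param([string]$Name, [string]$Description)
    # Random, unrecorded password: nobody is ever meant to log on with this account, and it
    # is created with no group membership beyond the default Domain Users.
    $bytes = New-Object byte[] 32
    [System.Security.Cryptography.RandomNumberGenerator]::Create().GetBytes($bytes)
    $pw = ConvertTo-SecureString ([Convert]::ToBase64String($bytes)) -AsPlainText -Force
    New-ADUser -Name $Name -SamAccountName $Name -Description $Description `
        -AccountPassword $pw -Enabled $true -PasswordNeverExpires $true -PassThru
}

function Get-DecoyLogonAttempts {
    param([string]$Name, [int]$Hours = 24)
    # 4625 = failed logon, 4768 = Kerberos TGT request, 4771 = Kerberos pre-auth failure,
    # 4776 = NTLM credential validation. Logon auditing must be enabled for these to exist.
    $events = Get-WinEvent -FilterHashtable @{
        LogName   = 'Security'
        Id        = 4625, 4768, 4771, 4776
        StartTime = (Get-Date).AddHours(-$Hours)
    } -ErrorAction SilentlyContinue
    foreach ($e in $events) {
        $data = ([xml]$e.ToXml()).Event.EventData.Data
        $user = ($data | Where-Object { $_.Name -eq 'TargetUserName' }).'#text'
        if ($user -ne $Name) { continue }
        # Any hit on the decoy is by definition suspicious: it has no legitimate users.
        [pscustomobject]@{
            Time    = $e.TimeCreated
            EventId = $e.Id
            Account = $user
            Source  = (($data | Where-Object { $_.Name -in 'IpAddress', 'Workstation', 'WorkstationName' }).'#text' -join ', ')
        }
    }
}

# Run the first two lines once; the query can be scheduled and run as often as needed.
$originalDescription = Rename-BuiltinAdministrator -NewName $newAdminName
New-DecoyAdministrator -Name $decoyName -Description $originalDescription
Get-DecoyLogonAttempts -Name $decoyName | Format-Table -AutoSize
```

Run the query on each domain controller (or against forwarded logs), since Kerberos and NTLM events are written on the DC that handled the request, and extend it with the renamed account’s name to cover the second alert the article recommends.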

Decisions to be Made When Deploying a Honey Pot

Before any consideration is made to deploy a Honey Pot account, here are some of the critical decisions system administrators are faced with:

  1. Reason for the Account
    Two primary reasons determine whether deploying a Honey Pot account is necessary. One is the need for an early security warning; the second is forensic analysis. Honey Pots address both by giving out the information needed for immediate follow-up.
  2. What Needs Protecting
    The most valuable objects in an Active Directory determine the type of fake account to be used as a Honey Pot. In most cases, Honey Pot accounts are used to mimic web servers, file servers, application servers, database servers, and logon servers. There is the option of deploying a Honey Pot that mimics open ports, or having several ports with each one dedicated to a particular server type.
  3. The Active Directory Interaction Levels
    Honey Pot accounts are defined by three levels of interaction:
  • Low level
  • Medium level
  • High level

The low-level accounts give early warning signs of malicious activities; the medium level accounts may have basic file structures to give the hacker a “true” reflection of the system content, while the high-level accounts may contain a complete copy of the server they emulate.

  4. The Location of the Honey Pot
    The Honey Pot should be located near the resources it is trying to protect. For example, a web server decoy account should share the same IP address range as the real server.
  5. Real or Emulation Software
    Using real systems is a good idea because it becomes difficult for even the most advanced hacker to know whether they are dealing with a Honey Pot. Using emulation software means having access to a built-in signature detection tool that is useful for monitoring.
  6. Monitoring and Alert Tools to Use
    A Honey Pot is only of value when logging takes place. The tool used for monitoring should be able to report on all activities in real time.
  7. How to Administer the Honey Pot
    Once a Honey Pot account is set up, it should continue running throughout the life of the services it is mimicking. At least one person (or more if necessary) should be given control of the decoy accounts. That person is responsible for the planning, installation, configuration, monitoring, and updating of the Honey Pot.

All communications coming through a Honey Pot are considered hostile. Therefore, the system administrators should use all these activities as an insight into the level and types of threats the network is prone to. A Honey Pot account should be treated as an added security setup and not a replacement of security measures already in place.

Active Directory Federation Services in Windows Server 2016 

When we look at IT businesses today, the most commonly spoken word is "cloud". Cloud computing has had a huge impact on the way businesses function and are organized.

But more possibilities usually bring more problems, and one of the biggest challenges of doing business in the cloud is security and access control, especially in organizations that need extranet access.

With that in mind, Microsoft has introduced improvements in Windows Server 2016.

Active Directory Federation Services (ADFS)

Active Directory Federation Services (ADFS) provides access control and single sign-in across a wide variety of applications like Office 365, cloud-based SaaS applications, and other applications on the corporate network. 

It enables organizations to provide sign-in and access control for both modern and legacy applications, on-premises and in the cloud, with a unified set of credentials and policies.

ADFS was first offered as an additional download for Windows Server 2003 R2. In Windows Server 2016 it has become one of the most significant components of the system.

ADFS 2016 has numerous improvements to offer, but the two most important are the three new options for signing in without a password and support for any LDAPv3 directory.

Azure Multi-Factor Authentication  

The first option is the use of the Azure Multi-Factor Authentication (MFA) adapter for ADFS. Azure MFA can be configured for intranet or extranet, or as part of any access control policy. 

In the past, the on-premises Azure MFA Server was the only way of eliminating passwords as the authentication method. Now, with the MFA adapter configured as the primary authentication method, the user signs in with a username and the OTP (One-Time Password) code from the Azure Authenticator app.

With MFA as the additional authentication method, the user provides primary authentication credentials (using Windows Integrated Authentication — username and password, smart card, or user/device certificate), then comes a prompt for text, voice, or OTP based Azure MFA login. 

Access from Compliant Devices

ADFS 2016 upgraded the device registration capabilities and enables sign-on and access control based on the compliance status of the device. Sign-in is now possible with device credentials, and when device attributes change, compliance is re-evaluated, so policies are enforced against the current state of the device rather than a stale one.

This is enabled through the following policies:

  • Enable Access only from devices that are managed and/or compliant. 
  • Enable Extranet Access only from devices that are managed and/or compliant.  
  • Multi-factor authentication for computers that are neither managed nor compliant.
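The Azure MFA adapter (above) and the device-based policies (the three bullets just listed) are both configured from the ADFS PowerShell module. The script below is an added example, not from the original article or from Microsoft's documentation: it registers the farm with an Azure MFA tenant, turns on Azure MFA first as an additional factor and then as the primary extranet method, enables device authentication so that the device claims exist, and applies the three bullet policies to one relying party. The tenant ID, client ID, relying party name and the claim-type variables are assumptions for the demonstration; the third bullet maps to a built-in access control policy, while the first two are expressed as classic issuance authorization rules because ADFS 2016 ships no built-in policy for "managed or compliant only".

```powershell
# Added example (not from the original article): Azure MFA plus device-based
# access control on an ADFS 2016 farm. Tenant ID, client ID and the relying
# party name are placeholders. Run on an ADFS server as a farm administrator.

# --- Azure MFA adapter: register this farm with the tenant --------------------
$TenantId = '<your-azure-ad-tenant-id>'     # placeholder
$ClientId = '<azure-mfa-adapter-client-id>' # placeholder: the documented well-known value

# Certificate the farm presents to the Azure MFA service for this tenant.
# It must also be registered on the Azure MFA service principal in Azure AD
# (done with the Azure AD module, outside this script) before the next line.
$MfaCert = New-AdfsAzureMfaTenantCertificate -TenantId $TenantId
Set-AdfsAzureMfaTenant -TenantId $TenantId -ClientId $ClientId

# Azure MFA as an *additional* factor after the existing primary method.
Set-AdfsGlobalAuthenticationPolicy -AdditionalAuthenticationProvider AzureMfaAuthentication

# Azure MFA as the *primary* method on the extranet (username + OTP, no password);
# the intranet keeps Windows Integrated Authentication in this example.
Set-AdfsGlobalAuthenticationPolicy -PrimaryExtranetAuthenticationProvider AzureMfaAuthentication

# --- Device-based access control ---------------------------------------------
# Let ADFS consume device credentials so the device claims are populated.
Set-AdfsGlobalAuthenticationPolicy -DeviceAuthenticationEnabled $true

$App = 'Contoso HR Portal'   # placeholder: display name of the relying party trust

# Bullet 3: MFA for devices that are neither managed nor compliant (built-in policy).
Set-AdfsRelyingPartyTrust -TargetName $App `
    -AccessControlPolicyName 'Permit everyone and require MFA from unauthenticated devices'

# Bullets 1-2: allow (extranet) access only from managed or compliant devices.
# Claim types assumed present in the farm's claim descriptions; verify first.
$Permit      = 'http://schemas.microsoft.com/authorization/claims/permit'
$InsideCorp  = 'http://schemas.microsoft.com/ws/2012/01/insidecorporatenetwork'
$IsManaged   = 'http://schemas.microsoft.com/2014/09/devicecontext/claims/ismanaged'
$IsCompliant = 'http://schemas.microsoft.com/2014/09/devicecontext/claims/iscompliant'

$Known = (Get-AdfsClaimDescription).ClaimType
foreach ($ct in @($IsManaged, $IsCompliant, $InsideCorp)) {
    if ($Known -notcontains $ct) { Write-Warning "Claim type not defined in this farm: $ct" }
}

# Intranet requests pass; extranet requests pass only with a managed or compliant device.
# Drop the first rule to enforce "managed or compliant" everywhere (bullet 1).
$ExtranetOnlyFromCompliantDevices = @"
@RuleName = "Permit any intranet request"
c:[Type == "$InsideCorp", Value == "true"] => issue(Type = "$Permit", Value = "true");

@RuleName = "Permit managed devices"
c:[Type == "$IsManaged", Value == "true"] => issue(Type = "$Permit", Value = "true");

@RuleName = "Permit compliant devices"
c:[Type == "$IsCompliant", Value == "true"] => issue(Type = "$Permit", Value = "true");
"@

# Classic authorization rules can only be set on a trust with no access control
# policy attached, so detach the built-in policy first.
Set-AdfsRelyingPartyTrust -TargetName $App -AccessControlPolicyName $null
Set-AdfsRelyingPartyTrust -TargetName $App -IssuanceAuthorizationRules $ExtranetOnlyFromCompliantDevices

# Check what is now in force for the application.
(Get-AdfsRelyingPartyTrust -Name $App) | Select-Object Name, AccessControlPolicyName, IssuanceAuthorizationRules
```

A relying party uses either an access control policy or issuance authorization rules, never both at once, which is why the script shows the third bullet and the first two as alternatives on the same trust. The claim-type check before the rules are applied matters in practice: a rule that references a claim the farm never issues silently permits nobody, which looks like an outage rather than a policy error.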

Windows Hello for Business  

The Windows Hello for Business (formerly known as Microsoft Passport for Work) feature can replace passwords with strong two-factor authentication that combines an enrolled device with a PIN or biometric (fingerprint or facial recognition) user input to sign in. ADFS 2016 supports this way of authentication and enables user sign-in on all ADFS applications without the need for a password. 

LDAPv3 Support  

Another improvement in ADFS 2016 is support for a combination of Active Directory and third-party directories. With the addition of ADFS support for authenticating users stored in LDAP v3-compliant directories, ADFS can now be used for:  

  • Third party, LDAP v3-compliant directories.
  • Active Directory forests where an Active Directory two-way trust is not configured. 
  • Active Directory Lightweight Directory Services (AD LDS).
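Authenticating users from a third-party LDAPv3 directory is done by adding a local claims provider trust. The following PowerShell is an added example and not code from the original article; the directory host, user container, account suffix and the bind credential are placeholders. It shows the weak connection setting (plain LDAP with Basic binds) beside the hardened one (LDAPS), maps a few directory attributes to standard claim types, and creates the trust.

```powershell
# Added example (not from the original article): connecting ADFS 2016 to a
# third-party LDAPv3 directory as a local claims provider trust. Host, container,
# account suffix and the service credential are placeholders.

$LdapHost      = 'ldap.partner.example'              # placeholder
$UserContainer = 'ou=People,dc=partner,dc=example'   # placeholder
$Suffix        = 'partner.example'                   # users sign in as someone@partner.example
$BindCred      = Get-Credential -Message 'Read-only LDAP service account'

# Weak setting, shown only for contrast: plain LDAP with Basic binds on 389 sends
# the service account password and every user's password over the wire in clear text.
# $Conn = New-AdfsLdapServerConnection -HostName $LdapHost -Port 389 -SslMode None `
#             -AuthenticationMethod Basic -Credential $BindCred

# Hardened: LDAPS on 636, so the service bind and each user authentication travel over TLS.
$Conn = New-AdfsLdapServerConnection -HostName $LdapHost -Port 636 -SslMode Ssl `
            -AuthenticationMethod Basic -Credential $BindCred

# Map directory attributes to the claim types ADFS applications already understand.
$ClaimBase = 'http://schemas.xmlsoap.org/ws/2005/05/identity/claims'
$Mappings = @(
    New-AdfsLdapAttributeToClaimMapping -LdapAttribute givenName -ClaimType "$ClaimBase/givenname"
    New-AdfsLdapAttributeToClaimMapping -LdapAttribute sn        -ClaimType "$ClaimBase/surname"
    New-AdfsLdapAttributeToClaimMapping -LdapAttribute cn        -ClaimType "$ClaimBase/name"
    New-AdfsLdapAttributeToClaimMapping -LdapAttribute mail      -ClaimType "$ClaimBase/emailaddress"
)

# The anchor attribute (mail) is what uniquely identifies a user in this directory.
# The acceptance rule below passes every mapped claim through unchanged; in
# production, narrow it to exactly the claim types the applications need.
Add-AdfsLocalClaimsProviderTrust -Name 'Partner directory' -Identifier 'urn:partner-ldap' -Type Ldap `
    -LdapServerConnection $Conn `
    -UserObjectClass inetOrgPerson -UserContainer $UserContainer `
    -LdapAuthenticationMethod Basic `
    -AnchorClaimLdapAttribute mail `
    -AnchorClaimType "$ClaimBase/emailaddress" `
    -LdapAttributeToClaimMapping $Mappings `
    -AcceptanceTransformRules 'c:[] => issue(claim=c);' `
    -OrganizationalAccountSuffix $Suffix `
    -Enabled $true

# Confirm the trust exists and is enabled.
Get-AdfsLocalClaimsProviderTrust -Name 'Partner directory' | Select-Object Name, Enabled, OrganizationalAccountSuffix
```

The organizational account suffix is what lets ADFS route a sign-in to this directory rather than to Active Directory: a user typing an address ending in that suffix is authenticated against the LDAP server, while everyone else continues to use the AD forest. Use a dedicated read-only service account for the bind credential; it only needs to locate user objects and read the mapped attributes.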

New and Improved Migration Procedure 

Earlier, this operation was pretty painful for administrators. It required building a completely new parallel server farm and exporting the configuration from the old one, which would then be imported into the new one.

In ADFS 2016, Microsoft took a different approach and simplified the process considerably.

Now, moving from ADFS on Windows Server 2012 R2 to ADFS 2016 requires adding a new Windows Server 2016 server to the existing Windows Server 2012 R2 farm. The farm initially continues to run as a 2012 R2 farm; as more 2016 servers are added and the old ones are removed from the load balancer, the farm can be upgraded and the new features used.

More Features

Beyond these, other important new options and features of ADFS 2016 include:

  • Supports the latest modern protocols which will provide a better user experience on the most relevant platforms (Windows, iOS, Android).
  • Ability to add industry standard OpenID Connect and OAuth 2.0-based authentication and authorization to applications in development.
  • A way to customize messages, images, logos, and web themes per application.
  • Streamlined auditing for easier administration, and configuration to participate in confederations such as InCommon Federation and other implementations conforming to the eGov 2.0 standard.

ADFS 2016 brings some of the most significant improvements in the development of Windows Server, especially for extranet access scenarios. Most experts agree that listening to user feedback made a significant impact.