Any IT organization is exposed to security threats; however, they can be prevented if appropriate policies, processes and controls are implemented. "Better safe than sorry" applies here perfectly: it is better to secure your infrastructure against compromise than to count losses after a leak.
Active Directory is at risk in many different ways: gaps in antivirus / antimalware coverage, misconfiguration, missing service packs and hotfixes, and so on. Above all, privileged user accounts with elevated permissions are a popular target for attackers, who will use them to gain access to domain controllers and other infrastructure services.
The ten simple measures below will help you protect your environment against the most common attacks on Active Directory and limit the damage an attack can do.
1. Updated Operating System: Always keep the operating system updated with the latest service packs, patches and hotfixes; this closes known holes in the operating system. Install only the patches a domain controller actually needs, to keep it as lean as possible. Enterprise configuration management software such as SCCM can help you deploy the right patches to domain controllers.
2. Update Antivirus and Antimalware: Any system without antivirus / antimalware, or running outdated versions of it, can become a primary target.
3. Deploy AD Events Monitoring Solution: Always monitor critical Active Directory events for creations, modifications and deletions. It is equally important to monitor administrator and other elevated accounts for actions on domain controllers and for other configuration changes.
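As an added example (not part of the original post), the following PowerShell pulls the account, group and directory-object change events that item 3 refers to from a domain controller's Security log and flattens them into a reviewable list. It assumes it runs on a domain controller (or with -ComputerName pointed at one) under an account allowed to read the Security log, and that auditing of Account Management and Directory Service Changes is enabled so these events are actually written; the event IDs are the standard Windows Security auditing IDs.

```powershell
# Added example: collect AD change / privileged-activity events from the Security log.
# Assumes auditing for Account Management and Directory Service Changes is enabled.

# Well-known Windows Security event IDs relevant to AD changes.
$AdChangeEvents = @{
    4720 = 'User account created'
    4722 = 'User account enabled'
    4724 = 'Password reset attempted'
    4725 = 'User account disabled'
    4726 = 'User account deleted'
    4738 = 'User account changed'
    4740 = 'User account locked out'
    4728 = 'Member added to security-enabled global group'
    4729 = 'Member removed from security-enabled global group'
    4732 = 'Member added to security-enabled local group'
    4733 = 'Member removed from security-enabled local group'
    4756 = 'Member added to security-enabled universal group'
    4757 = 'Member removed from security-enabled universal group'
    4672 = 'Special privileges assigned to new logon (admin-equivalent sign-in)'
    4719 = 'System audit policy changed'
    5136 = 'Directory service object modified'
    5137 = 'Directory service object created'
    5141 = 'Directory service object deleted'
}

function Get-ADChangeEvent {
    [CmdletBinding()]
    param(
        [string]$ComputerName = $env:COMPUTERNAME,   # a domain controller
        [int]$Hours = 24                              # look-back window
    )
    $filter = @{
        LogName   = 'Security'
        Id        = [int[]]$AdChangeEvents.Keys
        StartTime = (Get-Date).AddHours(-$Hours)
    }
    # Get-WinEvent throws when nothing matches; treat "no events" as an empty result.
    Get-WinEvent -ComputerName $ComputerName -FilterHashtable $filter -ErrorAction SilentlyContinue |
        ForEach-Object {
            # Parse the event XML so fields can be read by name rather than by position.
            $xml  = [xml]$_.ToXml()
            $data = @{}
            foreach ($d in $xml.Event.EventData.Data) { $data[$d.Name] = $d.'#text' }

            # User/group events carry TargetUserName; DS-object events carry ObjectDN.
            $target = if ($data['TargetUserName']) { $data['TargetUserName'] } else { $data['ObjectDN'] }

            [pscustomobject]@{
                Time        = $_.TimeCreated
                Id          = $_.Id
                Description = $AdChangeEvents[$_.Id]
                Actor       = $data['SubjectUserName']   # who performed the action
                Target      = $target                    # account, group or object affected
                Member      = $data['MemberName']        # only set for group membership events
                Attribute   = $data['AttributeLDAPDisplayName']  # only set for 5136
                Computer    = $_.MachineName
            }
        }
}

# Usage: events from the last 24 hours, most recent first, for review or export.
# Get-ADChangeEvent -Hours 24 | Sort-Object Time -Descending | Format-Table -AutoSize
# Get-ADChangeEvent -Hours 24 | Export-Csv -NoTypeInformation .\ad-changes.csv
```

Running this on a schedule and alerting on any 4728/4732/4756 event whose Target is a privileged group (Domain Admins, Enterprise Admins, Administrators) is the minimum a monitoring solution should cover; a SIEM collecting the same IDs from every domain controller does the same at scale.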
4. Build Baseline Domain Controller Configuration: Use Microsoft Security Compliance Manager and the Security Configuration Wizard to create a comprehensive configuration baseline for domain controllers, which can then be deployed and enforced through GPOs linked to the Domain Controllers OU in Active Directory.
5. Implement Role Based Access Control (RBAC): This is a useful aid that helps grant an administrator only the permissions actually required.
6. Administrator Permission Expiration Policy: Grant administrative permissions temporarily, for a specific activity, and revoke them once the activity is completed. Avoid permanent or long-term permissions.
7. Remove/Decommission Legacy Domain Controllers: Legacy domain controllers are easy to compromise; they need to be upgraded to the latest version. Upgrading helps maintain a more secure environment.
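One way to enforce the expiration policy of item 6 without relying on someone remembering to revoke access is Active Directory's time-bound group membership, where AD itself removes the member when a time-to-live expires. The PowerShell below is an added example, not from the original post; it assumes the ActiveDirectory module is installed, that the forest is at Windows Server 2016 functional level or higher with the Privileged Access Management optional feature enabled (a one-way change for the forest), and the forest, group and account names are placeholders.

```powershell
# Added example: time-bound privileged group membership (membership TTL).
# Assumes Windows Server 2016+ forest functional level; names below are placeholders.
Import-Module ActiveDirectory

function Enable-TimeBoundMembership {
    # One-time forest preparation; without it -MemberTimeToLive is not honoured.
    # Note: enabling this optional feature cannot be undone.
    param([Parameter(Mandatory)][string]$ForestFqdn)
    Enable-ADOptionalFeature -Identity 'Privileged Access Management Feature' `
        -Scope ForestOrConfigurationSet -Target $ForestFqdn
}

function Grant-TemporaryAdmin {
    param(
        [Parameter(Mandatory)][string]$User,
        [Parameter(Mandatory)][string]$Group,
        [int]$Hours = 4,
        [string]$Reason = 'unspecified'
    )
    $ttl = New-TimeSpan -Hours $Hours
    # AD removes the member automatically once the TTL has elapsed.
    Add-ADGroupMember -Identity $Group -Members $User -MemberTimeToLive $ttl
    # Record who was granted what and why; feed this into the change log / ticket.
    Write-Verbose ("Granted {0} membership of {1} for {2}h ({3})" -f $User, $Group, $Hours, $Reason) -Verbose
    # Show the remaining TTL as AD sees it (member values are prefixed '<TTL=seconds,DN>').
    (Get-ADGroup -Identity $Group -Properties member -ShowMemberTimeToLive).member |
        Where-Object { $_ -like "*$User*" }
}

function Get-TemporaryMembership {
    # List members of a group whose membership carries a TTL, e.g. for an audit report.
    param([Parameter(Mandatory)][string]$Group)
    (Get-ADGroup -Identity $Group -Properties member -ShowMemberTimeToLive).member |
        Where-Object { $_ -like '<TTL=*' }
}

# Usage (placeholder names):
# Enable-TimeBoundMembership -ForestFqdn 'corp.example.com'
# Grant-TemporaryAdmin -User 'jdoe' -Group 'Domain Admins' -Hours 2 -Reason 'Change #1234'
# Get-TemporaryMembership -Group 'Domain Admins'
```

Kerberos tickets issued during the membership carry a lifetime no longer than the remaining TTL, so the elevated access really does stop when the timer runs out rather than lingering until the next logon.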
8. Block Internet Access on Domain Controllers: Internet browsing and downloading frequently lead to unauthorized or malicious software being installed. This becomes a serious threat when such software lands directly on a domain controller.
9. Enable Windows Firewall: It is recommended to enable and configure Windows Firewall to block outbound connections to the Internet.
10. AppLocker and RDP Restriction: Use AppLocker to restrict which applications / tools may be installed and run on domain controllers, and restrict who may establish Remote Desktop Protocol (RDP) connections to them. Use Remote Desktop Gateway (RD Gateway) jump servers to control access to domain controllers and other managed systems.
Since Active Directory is the backbone of an IT infrastructure and most enterprise applications depend on it, it is imperative that we secure the Active Directory environment against incidents.
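The following PowerShell is an added example (not from the original post) covering the firewall side of items 9 and 10 together: outbound traffic from the domain controller is denied by default and allowed only to internal address ranges, and inbound RDP is accepted only from the RD Gateway / jump servers. It assumes it runs elevated on the domain controller; the $InternalRanges and $JumpServers values are placeholders for your own subnets and jump host addresses. Apply it in a lab first, because a domain controller that can no longer reach its replication partners or DNS forwarders breaks the domain.

```powershell
# Added example: DC firewall policy - default-deny outbound, RDP only from jump servers.
# Placeholder values; replace with your own internal ranges and jump host addresses.
$InternalRanges = @('10.0.0.0/8', '172.16.0.0/12', '192.168.0.0/16')   # placeholder RFC1918 ranges
$JumpServers    = @('10.0.5.10', '10.0.5.11')                          # placeholder RD Gateway hosts

function Set-DcOutboundPolicy {
    param([string[]]$AllowedRanges = $InternalRanges)
    # Default-deny outbound on every profile. In Windows Firewall a block rule
    # always beats an allow rule, so instead of a single "block Internet" rule we
    # flip the default and explicitly allow the internal destinations the DC needs.
    Set-NetFirewallProfile -Profile Domain,Private,Public -DefaultOutboundAction Block
    New-NetFirewallRule -DisplayName 'DC - Allow outbound to internal networks' `
        -Direction Outbound -Action Allow -Profile Any -RemoteAddress $AllowedRanges
    New-NetFirewallRule -DisplayName 'DC - Allow outbound to local subnet' `
        -Direction Outbound -Action Allow -Profile Any -RemoteAddress LocalSubnet
}

function Limit-DcRdp {
    param([string[]]$AllowedHosts = $JumpServers)
    # The built-in 'Remote Desktop' rule group accepts RDP from any source;
    # disable it and replace it with one scoped to the jump servers.
    Disable-NetFirewallRule -DisplayGroup 'Remote Desktop'
    New-NetFirewallRule -DisplayName 'DC - RDP from jump servers only' `
        -Direction Inbound -Action Allow -Protocol TCP -LocalPort 3389 `
        -RemoteAddress $AllowedHosts -Profile Domain
}

function Test-DcFirewallPolicy {
    # Summarise the resulting state for review; returns an object rather than printing.
    [pscustomobject]@{
        OutboundDefault = (Get-NetFirewallProfile -Profile Domain).DefaultOutboundAction
        RdpAllowedFrom  = Get-NetFirewallRule -DisplayName 'DC - RDP*' |
                              Get-NetFirewallAddressFilter |
                              Select-Object -ExpandProperty RemoteAddress
        BuiltInRdpRulesEnabled = @(Get-NetFirewallRule -DisplayGroup 'Remote Desktop' |
                                   Where-Object Enabled -eq 'True').Count   # should be 0
    }
}

# Usage (elevated, on the DC):
# Set-DcOutboundPolicy; Limit-DcRdp; Test-DcFirewallPolicy
```

Deploying the same settings through the domain controllers GPO rather than per host keeps them consistent with the baseline from item 4; the Test-DcFirewallPolicy output is a convenient thing to check after each GPO refresh.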