Best Practices: Active Directory Security

Active Directory is large and complex, but following some basic security best practices can make it easier to keep secure. Here are five steps to making your systems more robust. First, we recommend using Active Directory tools for sysadmins to make sure that all changes and configuration settings are under control.

1.  Implement a Secure Active Directory Administration Model

Failure to follow basic security best practices, such as restricting the use of domain administrator accounts to domain controllers, increases the likelihood of privileged AD credentials being compromised. But keeping your house in order requires some advanced planning, and I recommend taking a look at 4 Steps to a Secure Active Directory Administration Model to get an idea of how you might best manage Active Directory while following security best practices outlined by Microsoft and industry experts.

2. Physical Security

An easy way to get access to privileged Active Directory credentials, especially in cases where full disk encryption isn’t deployed, is to pick up a domain controller and walk away with it in your hands. Once you’ve got hold of the physical disk that holds the AD database, accessing user credentials becomes a simpler task.

In situations where providing adequate physical security is difficult, such as in branch offices, consider deploying Read-Only Domain Controllers (RODCs). RODCs don’t store user credentials but make a referral to a full DC when a user needs to log in. It is possible to configure RODCs to cache passwords and to control which users will have credentials cached on them, which helps organizations prevent sensitive passwords from being cached on devices that might be vulnerable to physical compromise.

3. Security hardening

The Protected Users group, which first appeared in Windows Server 2012, adds restrictions designed to reduce the likelihood of compromise, such as blocking the use of Microsoft’s legacy NTLM authentication protocol, among a list of other sensible defenses. Authentication policies and silos can also be used to restrict the devices from which users can authenticate.

You might additionally consider developing a security policy with the Security Configuration Wizard (SCW), which uses sets of predefined questions and an analysis of your current environment to automatically generate Group Policy Objects (GPOs) that can be used to secure your domain controllers.

4. Encryption, signing and authentication

Windows Firewall includes the ability to create IPsec policies for encrypting traffic between endpoints. While this can be tricky to implement without careful planning, at the very least consider implementing encryption between DCs. It also goes without saying that Windows Firewall should never be disabled.

It’s also worth checking that the Microsoft network server: Digitally sign communications (always) Group Policy setting is enabled to ensure that SMB signing is turned on to prevent spoofing. Another important setting is Network security: Do not store LAN Manager hash value on next password change, which again should always be set to Enabled.

5. Auditing

Failed logons, account management, object access, and policy change events should all be logged and monitored on every device in your environment. Set a domain-level policy that cannot be overridden to ensure that auditing is enabled on every device. For more effective log management and auditing, deploy a third-party solution, such as Netwrix Auditor, to get real-time alerting and better insight into your environment.
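As an added example (not code from the original article), the following PowerShell script performs a read-only check of the settings recommended in sections 4 and 5: it reads the registry values behind the two Group Policy settings named above, then uses auditpol's CSV output to flag any subcategory in the four audit categories the article lists that is set to "No Auditing". The registry paths are the standard locations for those policies; the assumption that auditpol /r emits a CSV header followed by one row per subcategory is noted in the comments.

```powershell
# Added example, not from the original article. Read-only compliance check for the
# settings in sections 4 and 5. Run in an elevated PowerShell session on a DC or member server.

function Test-RegistryDword {
    param([string]$Path, [string]$Name, [int]$Expected)
    $actual = (Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue).$Name
    [pscustomobject]@{
        Check    = $Name
        Expected = $Expected
        Actual   = if ($null -eq $actual) { '<not set>' } else { $actual }
        Pass     = ($actual -eq $Expected)
    }
}

# Section 4: registry values behind "Microsoft network server: Digitally sign communications
# (always)" and "Network security: Do not store LAN Manager hash value on next password change".
$results = @(
    Test-RegistryDword 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters' 'RequireSecuritySignature' 1
    Test-RegistryDword 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa' 'NoLMHash' 1
)

# Section 5: the four audit categories the article calls out. auditpol /r emits CSV
# (assumed header: Machine Name, Policy Target, Subcategory, ..., Inclusion Setting),
# so it can be parsed directly. A subcategory set to "No Auditing" fails the check;
# which subcategories need Success, Failure or both is left to your own baseline.
$categories = 'Logon/Logoff', 'Account Management', 'Object Access', 'Policy Change'
foreach ($cat in $categories) {
    $rows = auditpol /get /category:"$cat" /r | Where-Object { $_ -ne '' } | ConvertFrom-Csv
    foreach ($row in $rows) {
        $setting = $row.'Inclusion Setting'
        $results += [pscustomobject]@{
            Check    = "Audit: $cat / $($row.Subcategory)"
            Expected = 'anything but No Auditing'
            Actual   = $setting
            Pass     = ($setting -ne 'No Auditing')
        }
    }
}

$results | Format-Table -AutoSize
# Non-zero exit so the script can be scheduled and alert on drift from the baseline.
if ($results | Where-Object { -not $_.Pass }) { exit 1 }
```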