Active Directory Best Practices

Iron II

I've been pulling together some old project notes and have arrived at a reasonable starting point for maintaining strong security and avoiding configuration issues. Here's the list. Do you have any additional recommendations?

  • Change the default security settings: Attackers have a good understanding of the default security settings within AD, so it’s best to change these from their defaults.
    • Consider having administrative accounts exist within a separate forest (Red Forest model) from other users by implementing authentication policy silos. This may require external experts and add-on tools to enact.
    • Implement new Active Directory enhanced features such as protected groups, restricted RDP, time-based group membership and testing.
  • Utilize principles of least privilege in AD roles and groups: By giving employees the least amount of access that they need to do their jobs, you reduce the attack surface for intruders.
  • Control administration privileges and limit accounts in the Domain Admins group: Similar to the point above, you want to minimize who has superuser access. IT admins should ideally never run as super users except for time-based intervals where accounts are temporarily elevated to perform tasks. This requires either additional setup or third-party security hardware and software solutions.
  • Don’t use a domain controller like it’s a computer: In other words, don’t install software or applications on a domain controller. It is best if a domain controller is a server dedicated solely to this function. Generally, admins follow the concept of one server, one function. Supply chain management best practices should be followed.
  • Patch AD regularly: Attackers can also easily exploit unpatched applications, OS, and firmware on AD servers. Some Microsoft defects permit attackers to go from a user to an admin in mere minutes. Avoid giving them this foothold by regularly patching.
  • Monitor and audit AD health: Doing so will enable you to troubleshoot outages and other issues more quickly.
  • Define a naming convention at the beginning: This will go a long way in keeping AD organized as you scale.
  • Clean up AD regularly: Remove obsolete users, computers, and group accounts on a regular cadence. Doing so will help maintain security and organization. Active Directory has no automation to accomplish this.
  • Get your domain time right: Having the right time on all domain controllers, member servers, and machines is important for Kerberos authentication and for making sure changes are distributed correctly.
  • Maintain: These tasks help to ensure a healthy directory.
    • Upgrade domain function levels to supported versions of Windows Server.
    • Run Active Directory Health Checks.
  • Don’t Run Your CA on Your DC: Set up the Enterprise PKI role to separate your certificate authority from the primary domain controller. That may require standing up another server.
  • Set up Microsoft ATA (Advanced Threat Analytics): Do this to detect attacks against your server infrastructure that fall outside of typical system behavior(s).
  • Compliance: Create documentation and contingency plans.

These suggestions could take five to six full days of work to implement, but are worth the investment in view of the multitude of security risks that AD is vulnerable to when it’s not hardened. The only thing that "scares" me is that many SMEs probably lack the resources to pull this off without hiring a truckload of consultants.
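To make several of the items in that list checkable rather than aspirational, here is an added PowerShell audit (example code written for this thread, not from the original post or from Microsoft). It uses only the RSAT ActiveDirectory module plus the built-in `w32tm` and `dcdiag` tools, and it reports on Domain Admins size and Protected Users coverage, whether time-based group membership is even possible (the forest-level PAM optional feature), stale enabled accounts, functional levels, a CA role co-located on a DC, the time source of every DC, and dcdiag errors. The thresholds (90 idle days, a ceiling of 5 standing Domain Admins), the function names, and the assumption that the domain has a Protected Users group (Windows Server 2012 R2 or later) are mine; adjust them to your policy. Nothing is changed unless you pass `-Remediate`.

```powershell
#Requires -Modules ActiveDirectory
# Added example for this thread, not code from the original post. Audits a live domain
# against several of the listed items and returns findings; report-only by default.
# Assumptions (adjust to policy): 90 idle days marks an account stale; more than 5
# standing Domain Admins is a finding; the domain has a Protected Users group.
Import-Module ActiveDirectory

function Invoke-AdHardeningAudit {
    [CmdletBinding()]
    param(
        [int]$InactiveDays = 90,     # assumption: idle threshold for cleanup
        [int]$MaxDomainAdmins = 5,   # assumption: ceiling for standing Domain Admins
        [switch]$Remediate           # disable stale accounts instead of only reporting
    )
    $findings = New-Object System.Collections.Generic.List[string]

    # Least privilege: count standing Domain Admins and flag any not in Protected Users
    # (membership disables NTLM, DES/RC4 Kerberos and credential caching for the account).
    $da = @(Get-ADGroupMember -Identity 'Domain Admins' -Recursive |
            Where-Object { $_.objectClass -eq 'user' })
    if ($da.Count -gt $MaxDomainAdmins) {
        $findings.Add("Domain Admins has $($da.Count) users (limit $MaxDomainAdmins): " +
                      (($da | ForEach-Object SamAccountName) -join ', '))
    }
    $protected = @(Get-ADGroupMember -Identity 'Protected Users' -Recursive |
                   ForEach-Object DistinguishedName)
    foreach ($u in $da) {
        if ($protected -notcontains $u.DistinguishedName) {
            $findings.Add("Domain Admin $($u.SamAccountName) is not in Protected Users")
        }
    }

    # Time-based group membership requires the forest-level PAM optional feature
    # (Windows Server 2016 forest functional level; enabling it is irreversible).
    $pam = Get-ADOptionalFeature -Identity 'Privileged Access Management Feature'
    if (-not $pam.EnabledScopes) {
        $findings.Add('Privileged Access Management Feature is not enabled; -MemberTimeToLive is unavailable')
    }

    # Cleanup: enabled users and computers that have not authenticated in $InactiveDays.
    $span  = New-TimeSpan -Days $InactiveDays
    $stale = (@(Search-ADAccount -AccountInactive -TimeSpan $span -UsersOnly) +
              @(Search-ADAccount -AccountInactive -TimeSpan $span -ComputersOnly)) |
             Where-Object { $_.Enabled }
    foreach ($a in $stale) {
        $findings.Add("Stale enabled account: $($a.SamAccountName) (last logon $($a.LastLogonDate))")
        if ($Remediate) { Disable-ADAccount -Identity $a.DistinguishedName }
    }

    # Functional levels: reported so an unsupported level stands out in the output.
    $findings.Add("Functional levels: domain=$((Get-ADDomain).DomainMode) forest=$((Get-ADForest).ForestMode)")

    # Per-DC checks: CA role co-located with a DC, unreliable time source, dcdiag errors.
    foreach ($dc in Get-ADDomainController -Filter *) {
        $name = $dc.HostName
        $caInstalled = Invoke-Command -ComputerName $name -ErrorAction SilentlyContinue -ScriptBlock {
            (Get-WindowsFeature -Name ADCS-Cert-Authority).Installed
        }
        if ($caInstalled) { $findings.Add("$name runs a certificate authority on a domain controller") }

        # A DC that follows its own CMOS clock will drift and eventually break Kerberos (5 min skew).
        $source = (w32tm /query /computer:$name /source 2>$null) -join ''
        if ($source -match 'Local CMOS Clock|Free-running') {
            $findings.Add("$name syncs time from '$source' instead of a reliable source")
        }

        # /q prints only errors, so any output at all is a finding.
        $diag = dcdiag /s:$name /q 2>&1
        if ($diag) { $findings.Add("dcdiag errors on ${name}: $(($diag -join ' ').Trim())") }
    }
    return $findings
}

# Time-boxed elevation instead of standing membership (needs the PAM feature above):
# the membership expires on its own, so nobody has to remember to remove it.
function Grant-TemporaryDomainAdmin {
    param([Parameter(Mandatory)][string]$SamAccountName, [int]$Hours = 1)
    Add-ADGroupMember -Identity 'Domain Admins' -Members $SamAccountName `
        -MemberTimeToLive (New-TimeSpan -Hours $Hours)
}

Invoke-AdHardeningAudit | ForEach-Object { Write-Output "[!] $_" }
```

Run it from a domain-joined admin workstation with RSAT installed and WinRM reachable on the DCs; a first pass with no switches gives a baseline you can hand to the people who own the exceptions, and `-Remediate` only disables (never deletes) stale accounts so a mistaken hit is a one-line revert. `Grant-TemporaryDomainAdmin` is the concrete form of the "temporarily elevated to perform tasks" point: the TTL is stored on the membership itself, so it works without any third-party product once the PAM feature is on.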