To that end, here are nine ways to secure Active Directory:
1. Document Your Active Directory
In order to keep a clean and secure AD, it’s essential that everyone on the team is on the same page. This means documenting things like naming conventions and key security policies. Here’s a good checklist to start with:
- Identify all of your computers, users, domain, and OU naming conventions.
- Describe your OU hierarchy, DNS configuration, network numbering conventions, and DHCP configuration.
- List main functions of your GPOs and the process of organization.
- Take note of the locations of AD’s Flexible Single Master Operation Roles (FSMO) roles.
- Identify the organization’s policy when adding new user accounts or when revoking user accounts.
- Describe the organizations’ policy for user restrictions.
2. Control Your Administration
Attackers are notorious for exploiting power accounts – local admins, privileged users, domain admins, etc. These accounts are often used by sysadmins to manage and deploy IT systems. So make sure only legitimate people have access to AD and only on the appropriate OUs. Many security teams have real-time alerts setup to report on any changes/additions to these groups, since they should happen very infrequently.
3. Limit the Number of Administrators
Don’t hand out admin privileges like Halloween candy, you’ll regret it. Adding admins exponentially increases the risk. Once one is attacked, it potentially exposes all the other. Why? Each admin may belong to groups others do not. If one is attacked, it can lead to two, two may lead to three, and so on. So make an effort to limit the number of admins and review periodically who has admin rights. To make this process easier, try DataPrivilege where you can review an admin’s access, auto-expire access, and grant temporary access for both domain and local admin accounts.
4. Use Separate Administrative Accounts
Administrators responsible for IT operations should use separate admin accounts. This makes approved admin access easier to track and document, and unusual admin access easier to spot. These accounts should be in their own OU – perhaps by the roles they perform – so that you can apply specified GPOs to them.
5. Restrict Elevated Built-In Groups
There are plenty of built-in groups to choose from, so make sure you restrict built-in groups. Here’s a complete list of all the groups so you can review and decide what groups should disable based on company policy. Our suggestion: Disable “Guest” and then rename “Administrator” so attackers won’t gain more momentum on a default attack.
6. Enforce Strong Password Rules
Don’t let convenience and short passwords tempt you! Protect the Service Account’s password. Watch the Directory Services Restore Mode(DSRM) password and update the DSRM password regularly – don’t let unauthorized accounts get a hold of it!
7. Test Group Policy Settings
One way to make your environment more secure is to set and configure security settings using Group Policy. Just make sure your GPOs are set, activated and don’t conflict with each other.
8. Audit Important Events
A searchable audit trail of AD changes is a necessity. Whether it is GPO, user, or group membership changes, keep track of changes for forensic purposes.
9. Monitor AD for Signs of Compromise
In order to monitor risk on your domain, you need to make sure to have the tools and rules that can detect AD changes and that will alert you when abnormal behaviors are happening. Try UBA.
Check out other related blog posts on: