Active Directory controls access to your critical systems and data, so it is the ultimate target for attackers: it holds the keys to your entire kingdom. Here are 10 steps you can take to keep your business protected.
1.Keep domain controllers physically secure
Domain controllers (DCs) should be placed in a physically secure location. Once an attacker has physical access, every other protection you have in place can potentially be bypassed: the server can be booted from removable media, or its disks pulled, and the directory database (ntds.dit) copied and the password hashes in it cracked offline.
2.Deploy RODCs where physical security cannot be guaranteed
Branch offices often pose a problem for domain controller security because the servers cannot be physically protected. Microsoft's solution is the Read-Only Domain Controller (RODC), which holds a read-only copy of the directory and, by default, caches no account passwords at all; which accounts it may cache is governed by its Password Replication Policy. A stolen or compromised RODC therefore exposes at most the branch's own credentials, and nothing it holds can be written back to the rest of the domain. All disk volumes on RODCs should also be encrypted with BitLocker, so that the database cannot simply be read from a removed disk.
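As an added example (not part of the original article), here is how the RODC deployment described above looks in PowerShell: promotion as a read-only replica, the Password Replication Policy that limits which secrets the branch DC may cache, a check of what is actually cached, and the BitLocker step. The domain corp.example, site Branch01, the group names and the server name RODC-BR01 are assumptions.

```powershell
# Added example, not from the article. Assumed names: domain corp.example,
# site Branch01, groups "Branch01 Users" / "Branch01 Admins", RODC name RODC-BR01.
# Part 1 runs elevated on the branch server; parts 2 and 3 run after the reboot
# (part 2 can run from any host that has the ActiveDirectory module).

# --- 1. Promote the server as an RODC ------------------------------------------
Install-WindowsFeature AD-Domain-Services, BitLocker -IncludeManagementTools

# -ReadOnlyReplica makes this a read-only DC. The delegated admin group can
# patch and reboot the box without holding any domain-wide privilege.
Install-ADDSDomainController `
    -DomainName 'corp.example' `
    -SiteName 'Branch01' `
    -ReadOnlyReplica `
    -DelegatedAdministratorAccountName 'CORP\Branch01 Admins' `
    -InstallDns `
    -Credential (Get-Credential -Message 'Account allowed to add a DC to corp.example') `
    -SafeModeAdministratorPassword (Read-Host -AsSecureString 'DSRM password') `
    -Force

# --- 2. Password Replication Policy -------------------------------------------
# Only branch users' secrets may be cached here. Privileged groups are denied
# explicitly, so a stolen RODC never yields a Tier-0 password hash.
Add-ADDomainControllerPasswordReplicationPolicy -Identity 'RODC-BR01' `
    -AllowedList 'Branch01 Users'
Add-ADDomainControllerPasswordReplicationPolicy -Identity 'RODC-BR01' `
    -DeniedList 'Domain Admins', 'Enterprise Admins', 'Schema Admins', 'Administrators'

# Verify: which accounts are actually cached ("revealed") on this RODC right now.
# Anything privileged in this list means the policy is wrong.
Get-ADDomainControllerPasswordReplicationPolicyUsage -Identity 'RODC-BR01' -RevealedAccounts |
    Select-Object Name, ObjectClass, DistinguishedName

# --- 3. Encrypt every fixed volume ----------------------------------------------
# Recovery password first (escrowed in AD so a replaced TPM or board is
# recoverable), then enable encryption with the TPM as the boot-time protector.
# Repeat for any other fixed volume, e.g. a separate D: holding the database.
Add-BitLockerKeyProtector -MountPoint 'C:' -RecoveryPasswordProtector
Enable-BitLocker -MountPoint 'C:' -TpmProtector -UsedSpaceOnly
$rp = (Get-BitLockerVolume -MountPoint 'C:').KeyProtector |
      Where-Object KeyProtectorType -eq 'RecoveryPassword'
Backup-BitLockerKeyProtector -MountPoint 'C:' -KeyProtectorId $rp.KeyProtectorId
```

The denied list matters as much as the allowed list: RODCs already refuse to cache the built-in privileged groups via the default "Denied RODC Password Replication Group", but listing them explicitly documents the intent and survives someone editing that group. Run the usage check periodically; it is the quickest way to spot a branch user who has been quietly added to a privileged group.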
3.Put virtual DCs on their own physical host
Microsoft recommends that DCs running in virtual machines are not placed on the same physical host as other servers: whoever administers the hypervisor can snapshot or copy a DC's disk, and so effectively controls the domain, which means the host must be protected to the same standard as a DC. If a dedicated host is not possible, the DCs that do share a host with other workloads should be RODCs.
4.Restrict use of domain admin accounts
Domain Admins and Enterprise Admins accounts should be used only to administer domain controllers, and only from DCs or dedicated administrative workstations. In practice these privileges are often handed to IT staff for everyday use: managing AD, supporting domain-joined devices, even reading e-mail. Every workstation such an account logs on to then holds its credentials in memory or in the local credential cache, which considerably increases the likelihood that an attacker who compromises one ordinary machine gains privileged access to the whole domain.
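The restriction itself is enforced with the user-rights assignments in Group Policy ("Deny log on locally", "Deny log on through Remote Desktop Services", "Deny log on as a batch job/service" for the privileged groups on workstation and member-server OUs). Before you can do that you need to know who actually holds the privilege. The script below is an added example (not the article's or Lepide's code) that resolves the privileged groups recursively and flags members that lack the standard credential-theft protections. It needs the ActiveDirectory RSAT module; group names are the defaults.

```powershell
# Added example, not from the article. Requires the ActiveDirectory module.
# Lists every user that holds a privileged group membership (nested groups
# resolved) and flags the ones that are not hardened against credential theft.
Import-Module ActiveDirectory

$privGroups = 'Domain Admins', 'Enterprise Admins', 'Schema Admins', 'Administrators'

# Protected Users blocks NTLM, DES/RC4 Kerberos and credential caching for its
# members, which is exactly what you want for accounts that should only ever
# touch DCs. (Enterprise Admins lives in the forest root; from a child domain
# that query may fail, hence -ErrorAction SilentlyContinue.)
$protected = @(Get-ADGroupMember -Identity 'Protected Users' -Recursive -ErrorAction SilentlyContinue |
               Select-Object -ExpandProperty DistinguishedName)

$report = foreach ($g in $privGroups) {
    Get-ADGroupMember -Identity $g -Recursive -ErrorAction SilentlyContinue |
        Where-Object objectClass -eq 'user' |
        Get-ADUser -Properties AccountNotDelegated, LastLogonDate, PasswordLastSet,
                               Enabled, SmartcardLogonRequired |
        ForEach-Object {
            [pscustomobject]@{
                Group           = $g
                Account         = $_.SamAccountName
                Enabled         = $_.Enabled
                LastLogon       = $_.LastLogonDate
                PasswordAgeDays = if ($_.PasswordLastSet) {
                                      [int]((Get-Date) - $_.PasswordLastSet).TotalDays } else { $null }
                # "Account is sensitive and cannot be delegated": without it a
                # compromised service with delegation rights can impersonate the admin.
                NotDelegated    = [bool]$_.AccountNotDelegated
                SmartcardOnly   = [bool]$_.SmartcardLogonRequired
                ProtectedUser   = $protected -contains $_.DistinguishedName
            }
        }
}

$report | Sort-Object Group, Account | Format-Table -AutoSize

# The actionable list: privileged accounts that can still be delegated, are not
# in Protected Users, or have kept the same password for over a year.
$report | Where-Object { -not $_.NotDelegated -or -not $_.ProtectedUser -or $_.PasswordAgeDays -gt 365 } |
    Export-Csv -Path .\privileged-account-gaps.csv -NoTypeInformation
```

A long list here is the usual finding; the fix is to move day-to-day work to delegated, non-privileged accounts (point 6) and to give each administrator a separate admin account that is only ever used from a secure workstation (point 7).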
5.Use LAPS to randomize local admin account passwords
The Local Administrator Password Solution (LAPS) is a free tool from Microsoft (and, as Windows LAPS, now built into current Windows versions) that regularly sets each domain-joined device's local administrator account to a random, unique password and stores it in AD, where only authorised users can read it. Because attacks against AD usually start on a domain-joined device, and a shared local administrator password lets an attacker reuse one captured hash or token on every other device, breaking this lateral movement path (pass-the-hash and token theft) is critical.
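LAPS only helps on the machines it actually manages, so the check worth running is the coverage report: which computers have no LAPS-managed password at all, and which have one that has passed its expiry (a sign the client is not applying the policy). The script below is an added example, not from the article; it reads the expiry attributes of both Windows LAPS (msLAPS-PasswordExpirationTime) and legacy LAPS (ms-Mcs-AdmPwdExpirationTime). If only one product's schema extension exists in your forest, drop the other attribute name, otherwise Get-ADComputer rejects the property list.

```powershell
# Added example, not from the article. Requires the ActiveDirectory module and
# read access to the LAPS expiration attributes (they are not confidential;
# the password attributes themselves are and are never read here).
Import-Module ActiveDirectory

# Both products store expiry as a FILETIME (100 ns ticks since 1601, UTC).
function ConvertFrom-FileTime([Int64]$ft) {
    if ($ft -gt 0) { [DateTime]::FromFileTimeUtc($ft) } else { $null }
}

$now = Get-Date
$computers = Get-ADComputer -Filter 'Enabled -eq $true -and OperatingSystem -like "*Windows*"' `
    -Properties OperatingSystem, LastLogonDate,
                'msLAPS-PasswordExpirationTime', 'ms-Mcs-AdmPwdExpirationTime'

$findings = foreach ($c in $computers) {
    # DCs have no local administrator account for LAPS to manage; skip them.
    if ($c.DistinguishedName -like '*OU=Domain Controllers,*') { continue }

    $exp = ConvertFrom-FileTime ([Int64]($c.'msLAPS-PasswordExpirationTime'))
    if (-not $exp) { $exp = ConvertFrom-FileTime ([Int64]($c.'ms-Mcs-AdmPwdExpirationTime')) }

    $state = if (-not $exp)         { 'NoLapsPassword' }
             elseif ($exp -lt $now) { 'Expired' }
             else                   { 'OK' }

    [pscustomobject]@{
        Computer  = $c.Name
        OS        = $c.OperatingSystem
        LastLogon = $c.LastLogonDate
        Expires   = $exp
        LapsState = $state
    }
}

# Headline numbers per state...
$findings | Group-Object LapsState | Select-Object Name, Count

# ...then the machines that matter: active on the network in the last 30 days
# but with no managed password. A stale object that never logs on is noise;
# a live workstation with a shared local admin password is the exposure.
$findings | Where-Object { $_.LapsState -ne 'OK' -and $_.LastLogon -gt $now.AddDays(-30) } |
    Sort-Object LapsState, Computer | Format-Table -AutoSize
```

Treat "Expired" as seriously as "NoLapsPassword": it usually means the client-side extension or policy is missing on that machine, so the password it currently has is whatever was set manually before.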
6.Use least privilege to administer AD
Related to point 4, IT staff should not be assigned domain admin privileges as a matter of course. Everyday AD administrative tasks such as user, group and password management can be delegated on specific OUs, so that no domain- or forest-wide privilege is required. But delegation should be used wisely: rights granted on an OU are inherited by everything beneath it, and a sprawl of delegated ACEs becomes hard to review. If you must permanently delegate 'admin-type' privileges, make sure those accounts, and the permissions themselves, are carefully audited. LepideAuditor includes the ability to audit and analyze permission changes in Active Directory.
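As an added example (not the article's or Lepide's code), the script below delegates exactly the help-desk tasks mentioned above, password reset and account unlock, on a single OU, and then reads back the explicit ACEs on that OU so the delegation can be reviewed. The OU "OU=Staff,DC=corp,DC=example" and the group CORP\HelpDesk are assumptions. The schema and extended-right GUIDs are looked up from the forest rather than hard-coded.

```powershell
# Added example, not from the article. Assumed names: OU "OU=Staff,DC=corp,DC=example",
# group "HelpDesk" in domain CORP. Requires the ActiveDirectory module (RSAT).
Import-Module ActiveDirectory

$ou      = 'OU=Staff,DC=corp,DC=example'
$sid     = (Get-ADGroup -Identity 'HelpDesk').SID
$rootDse = Get-ADRootDSE

# Resolve attribute/class GUIDs from the schema and extended-right GUIDs from
# the configuration partition, so the script does not depend on memorised values.
function Get-SchemaGuid([string]$ldapDisplayName) {
    $o = Get-ADObject -SearchBase $rootDse.schemaNamingContext `
         -LDAPFilter "(lDAPDisplayName=$ldapDisplayName)" -Properties schemaIDGUID
    [Guid]$o.schemaIDGUID
}
function Get-ExtendedRightGuid([string]$displayName) {
    $o = Get-ADObject -SearchBase "CN=Extended-Rights,$($rootDse.configurationNamingContext)" `
         -LDAPFilter "(displayName=$displayName)" -Properties rightsGuid
    [Guid]$o.rightsGuid
}

$userClass     = Get-SchemaGuid 'user'
$pwdLastSet    = Get-SchemaGuid 'pwdLastSet'
$lockoutTime   = Get-SchemaGuid 'lockoutTime'
$resetPassword = Get-ExtendedRightGuid 'Reset Password'

# Apply to descendant objects only, and only to objects of class "user":
# not to the OU itself, and not to computers, groups or nested OUs.
$inherit = [System.DirectoryServices.ActiveDirectorySecurityInheritance]::Descendents
$acl     = Get-Acl -Path "AD:\$ou"

# "Reset Password" is an extended right (it is NOT the same as writing
# unicodePwd, which would also allow *changing* a known password).
$acl.AddAccessRule([System.DirectoryServices.ActiveDirectoryAccessRule]::new(
    $sid, 'ExtendedRight', 'Allow', $resetPassword, $inherit, $userClass))

# Write pwdLastSet so "user must change password at next logon" can be set...
$acl.AddAccessRule([System.DirectoryServices.ActiveDirectoryAccessRule]::new(
    $sid, 'ReadProperty, WriteProperty', 'Allow', $pwdLastSet, $inherit, $userClass))

# ...and lockoutTime so locked-out accounts can be unlocked.
$acl.AddAccessRule([System.DirectoryServices.ActiveDirectoryAccessRule]::new(
    $sid, 'ReadProperty, WriteProperty', 'Allow', $lockoutTime, $inherit, $userClass))

Set-Acl -Path "AD:\$ou" -AclObject $acl

# Audit: every explicit (non-inherited) ACE on the OU that is not one of the
# principals you expect. Review this list regularly; an unexpected entry here is
# a classic way for an attacker to keep a foothold after a breach.
$expected = 'NT AUTHORITY\SYSTEM', 'BUILTIN\Administrators',
            'CORP\Domain Admins', 'CORP\Enterprise Admins', 'CORP\HelpDesk'
(Get-Acl -Path "AD:\$ou").Access |
    Where-Object { -not $_.IsInherited -and $expected -notcontains $_.IdentityReference.Value } |
    Select-Object IdentityReference, ActiveDirectoryRights, AccessControlType,
                  ObjectType, InheritedObjectType, InheritanceType |
    Format-Table -AutoSize
```

Note what is deliberately not granted: no GenericAll or WriteDacl, no rights on the OU object itself, and nothing on computer or group objects. The three ACEs above are the whole of what a password-reset help desk needs, and an attacker who compromises a help-desk account gets no more than that.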
7.Administer DCs from secure administrative workstations
Administer DCs only from secure administrative (jump) workstations that are hardened for that purpose: not connected to the Internet, with no e-mail or web browsing, and locked down as far as possible. DCs should in turn be configured to accept RDP only from authorised administrators and only from the jump workstations' addresses, so that a stolen admin credential cannot be used from an ordinary desktop.
8.Deploy security baseline settings
Create a Group Policy Object (GPO) to deploy baseline security settings, using the built-in Security Configuration Wizard (SCW) and Microsoft's security baseline for DCs from the Security Compliance Manager, which includes the recommended audit settings. (On Windows Server 2016 and later the SCW has been removed and the baselines ship in the Security Compliance Toolkit instead.) Microsoft publishes a list of events that should be monitored on DCs in Appendix L of its "Best Practices for Securing Active Directory" guide. LepideAuditor can be used to alert on these events and other changes in AD that might indicate malicious activity.
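Whichever tool does the alerting, it helps to know what the raw signal looks like. The script below is an added example (not the article's or Lepide's code) that pulls a handful of the high-value events from Microsoft's list off a DC's Security log for the last 24 hours, summarises them by ID, and extracts who did what from the riskiest ones. The event IDs and their meanings are Microsoft's; the DC name DC01 and the 24-hour window are assumptions. It only works if the baseline's audit subcategories (Security Group Management, Audit Policy Change, Directory Service Changes and so on) are enabled; with them off, the log is simply empty, which is itself a finding.

```powershell
# Added example, not from the article. Assumed DC name and time window.
# Needs rights to read the Security log on the DC (Event Log Readers or admin).
$dc    = 'DC01'
$since = (Get-Date).AddHours(-24)

# A subset of the DC events Microsoft recommends monitoring.
$watch = @{
    4719 = 'System audit policy was changed'
    4728 = 'Member added to security-enabled global group'
    4732 = 'Member added to security-enabled local group'
    4756 = 'Member added to security-enabled universal group'
    4765 = 'SID History was added to an account'
    4766 = 'Attempt to add SID History failed'
    4780 = 'ACL set on an account that is a member of an admin group'
    4794 = 'Attempt to set the DSRM administrator password'
    4964 = 'Special groups assigned to a new logon'
    5136 = 'Directory service object was modified'
}

$events = @(Get-WinEvent -ComputerName $dc -FilterHashtable @{
    LogName   = 'Security'
    Id        = [int[]]$watch.Keys
    StartTime = $since
} -ErrorAction SilentlyContinue)

# Summary first: a burst of 4728/4756, or any 4765/4794 at all, deserves a call.
$events | Group-Object Id | Sort-Object Count -Descending |
    Select-Object @{n = 'Id'; e = { [int]$_.Name }},
                  @{n = 'Meaning'; e = { $watch[[int]$_.Name] }},
                  Count | Format-Table -AutoSize

# Detail for group-membership and SID History changes. The Properties[] indexes
# differ per event ID, so the fields are parsed out of the message text, whose
# "Subject:/Member:/Group:" sections have a stable layout.
$events | Where-Object Id -in 4728, 4732, 4756, 4765, 4794 | ForEach-Object {
    $m = $_.Message
    [pscustomobject]@{
        Time   = $_.TimeCreated
        Id     = $_.Id
        Actor  = if ($m -match 'Subject:\s+Security ID:\s+[^\r\n]+\s+Account Name:\s+([^\r\n]+)') { $Matches[1].Trim() }
        Member = if ($m -match 'Member:\s+Security ID:\s+[^\r\n]+\s+Account Name:\s+([^\r\n]+)')  { $Matches[1].Trim() }
        Group  = if ($m -match 'Group:\s+Security ID:\s+[^\r\n]+\s+Group Name:\s+([^\r\n]+)')     { $Matches[1].Trim() }
    }
} | Format-Table -AutoSize
```

Run this against every DC, not just one: a membership change is logged only on the DC that processed it, and a well-timed change on a branch DC followed by a quick removal never shows up in a query of the PDC emulator alone.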
9.Block outbound Internet access for DCs at the perimeter
Hopefully it goes without saying that DCs should never be used for Internet browsing. Nevertheless, you should ensure that perimeter firewalls block outbound Internet access from DCs, so that malware that does land on a DC cannot reach a command-and-control server or exfiltrate the directory. Updates and DNS resolution should come from internal servers (WSUS and internal resolvers) rather than directly from the Internet.
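The perimeter rule is the control; a host firewall on the DC itself is a cheap backstop that also covers the RDP restriction from point 7. The script below is an added example (not from the article) that scopes RDP to the jump workstations and default-denies outbound traffic to anything outside the private address ranges. The addresses and rule names are assumptions; run it elevated on each DC, or better, turn the same rules into the DC GPO so they cannot drift.

```powershell
# Added example, not from the article. Addresses are assumptions.
$jumpHosts = '10.10.50.11', '10.10.50.12'                   # secure admin workstations
$internal  = '10.0.0.0/8', '172.16.0.0/12', '192.168.0.0/16' # adjust if not RFC 1918

# --- RDP only from the jump hosts (point 7) ------------------------------------
# The built-in Remote Desktop rules allow any source address; disable them and
# add one rule scoped to the jump hosts.
Get-NetFirewallRule -DisplayGroup 'Remote Desktop' | Disable-NetFirewallRule
New-NetFirewallRule -DisplayName 'RDP - admin jump hosts only' `
    -Direction Inbound -Protocol TCP -LocalPort 3389 `
    -RemoteAddress $jumpHosts -Action Allow -Profile Domain | Out-Null

# *Who* may log on over RDP is a user-rights assignment in the DC GPO
# (SeRemoteInteractiveLogonRight / SeDenyRemoteInteractiveLogonRight).
# Confirm the effective value on this DC.
secedit /export /cfg "$env:TEMP\secpol.inf" | Out-Null
Select-String -Path "$env:TEMP\secpol.inf" -Pattern 'Se(Deny)?RemoteInteractiveLogonRight'
Remove-Item "$env:TEMP\secpol.inf"

# --- No outbound Internet (point 9) ----------------------------------------------
# Allow anything to the internal ranges (replication, clients, WSUS, internal
# DNS), then make "block" the default for everything else outbound.
New-NetFirewallRule -DisplayName 'DC - outbound to internal ranges' `
    -Direction Outbound -RemoteAddress $internal -Action Allow -Profile Domain | Out-Null
Set-NetFirewallProfile -Profile Domain -DefaultOutboundAction Block

# Verify the profile default and the address scope of the two rules we rely on.
Get-NetFirewallProfile -Profile Domain |
    Select-Object Name, Enabled, DefaultInboundAction, DefaultOutboundAction
Get-NetFirewallRule -DisplayName 'RDP - admin jump hosts only', 'DC - outbound to internal ranges' |
    ForEach-Object {
        [pscustomobject]@{
            Rule          = $_.DisplayName
            Enabled       = $_.Enabled
            RemoteAddress = ($_ | Get-NetFirewallAddressFilter).RemoteAddress -join ', '
        }
    }
```

Two caveats before enabling the outbound default-deny: if the DC's DNS server forwards to external resolvers, point it at an internal resolver instead (or add a rule allowing TCP/UDP 53 to those specific addresses only), and if updates come straight from Microsoft rather than WSUS, that traffic will now fail, which is the intended prompt to fix the update path.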
10.Turn on application control
To guard against malicious processes, enable AppLocker and/or Device Guard (now Windows Defender Application Control) on DCs so that only authorised executables, scripts and Windows Installer (MSI) files can run. Start in audit mode, review what would have been blocked during normal operation and patching, and only then switch to enforcement; a DC that cannot run its own management tooling is a different kind of outage.
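As an added example (not from the article), the script below builds an AppLocker allow-list from the binaries actually present on a reference DC, deploys it in audit mode to the GPO linked to the Domain Controllers OU, and shows the query that tells you what would have been blocked before you flip it to enforcement. The GPO name "DC Security Baseline" is an assumption; Get-GPO needs the GroupPolicy RSAT module.

```powershell
# Added example, not from the article. Assumed GPO name; run on a reference DC
# with the AppLocker and GroupPolicy modules available.
$gpoName = 'DC Security Baseline'

# Inventory executables, scripts and installers where they legitimately live.
$files  = @(Get-AppLockerFileInformation -Directory 'C:\Windows' -Recurse `
            -FileType Exe, Script, WindowsInstaller -ErrorAction SilentlyContinue)
$files += @(Get-AppLockerFileInformation -Directory 'C:\Program Files' -Recurse `
            -FileType Exe, Script, WindowsInstaller -ErrorAction SilentlyContinue)

# Publisher rules for signed files (survive patching), hash rules for the rest;
# -Optimize merges rules that share a publisher so the policy stays small.
$xml = $files | New-AppLockerPolicy -RuleType Publisher, Hash -User 'Everyone' -Optimize -Xml

# Start in AuditOnly: nothing is blocked, but every would-be block is logged.
$xml = $xml -replace 'EnforcementMode="NotConfigured"', 'EnforcementMode="AuditOnly"'
$xml | Out-File -FilePath .\dc-applocker.xml -Encoding utf8

# Sanity check the policy before it goes anywhere: an unsigned script dropped
# outside the inventoried paths must come back as Denied, cmd.exe as Allowed.
Set-Content -Path "$env:TEMP\probe.ps1" -Value 'whoami'
Test-AppLockerPolicy -XmlPolicy .\dc-applocker.xml -User Everyone `
    -Path "$env:TEMP\probe.ps1", 'C:\Windows\System32\cmd.exe' |
    Select-Object FilePath, PolicyDecision, MatchingRule
Remove-Item "$env:TEMP\probe.ps1"

# Publish into the GPO that applies to the Domain Controllers OU. AppLocker
# only evaluates rules while the Application Identity service is running.
$gpoPath = (Get-GPO -Name $gpoName).Path
Set-AppLockerPolicy -XmlPolicy .\dc-applocker.xml -Ldap "LDAP://$gpoPath"
sc.exe config appidsvc start= auto | Out-Null
Start-Service -Name AppIDSvc

# After a soak period covering at least one patch cycle, review what audit mode
# flagged. 8003 = "would have been blocked" (audit); 8004 = blocked (enforce).
Get-WinEvent -FilterHashtable @{ LogName = 'Microsoft-Windows-AppLocker/EXE and DLL'; Id = 8003 } `
    -ErrorAction SilentlyContinue |
    Select-Object TimeCreated, Message | Format-Table -Wrap

# When the 8003 list is clean (or every entry has been added as a rule), switch
# the same XML to enforcement and redeploy with Set-AppLockerPolicy as above:
#   (Get-Content .\dc-applocker.xml) -replace 'EnforcementMode="AuditOnly"',
#       'EnforcementMode="Enabled"' | Set-Content .\dc-applocker.xml
```

Note that publisher rules allow any file carrying the same signature wherever it sits, so Microsoft-signed tools copied onto the DC by an attacker (for example a renamed PsExec or a debugger) still run; that is the case for tightening the publisher rules to specific product names, or for moving to WDAC, where the policy can also pin file paths and reputations.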