If an attacker enters Active Directory as a privileged user, or somehow manages to escalate their privileges after entering, they can do anything within the organization. The attacker then has access to all user identities and can go undetected for days, months or, in some cases, years. By the time they are detected, the attacker can collapse the entire Active Directory, leaving the organization helpless, which could lead to significant business loss.
How to protect Active Directory
1. Monitor Active Directory in real-time
Continuously monitoring Active Directory changes helps ensure that no unauthorized changes that could negatively affect the organization go undetected. The sooner such changes are noticed and reversed, the fewer risks associated with the breach.
Monitor Active Directory in real time with alerts, pre-defined reports and compliance-ready reports. You should also be able to roll back unwanted changes in Active Directory and restore tombstoned, recycled and physically deleted objects, manage account lockouts, and send password-expiry and other useful notifications. Third-party Active Directory auditing tools, such as LepideAuditor for Active Directory, can help you in this regard.
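One way to watch for the kind of change this section describes, as an added example that is not from the original article: pull the Security-log events a DC writes when a member is added to a security-enabled group or an account is locked out, and flag the ones that touch a privileged group. It assumes the script runs on a Domain Controller with the "Audit Security Group Management" and "Audit User Account Management" subcategories enabled; the 24-hour window and the list of privileged groups are illustrative placeholders.

```powershell
# Added example, not from the original article. Assumes it runs on a Domain Controller
# with group- and account-management auditing enabled; the window is a placeholder.
$since = (Get-Date).AddHours(-24)

# Event IDs written when a member is added to a security-enabled group:
# 4728 global, 4732 domain-local, 4756 universal. 4740 is an account lockout.
$watch = @{
    4728 = 'Member added to global group'
    4732 = 'Member added to domain-local group'
    4756 = 'Member added to universal group'
    4740 = 'Account locked out'
}
# Groups whose membership changes deserve immediate attention (assumed list).
$privileged = @('Domain Admins', 'Enterprise Admins', 'Schema Admins', 'Administrators')

function Get-EventField {
    # Read one named <Data> element from the event's EventData section.
    param([xml]$Xml, [string]$Name)
    ($Xml.Event.EventData.Data | Where-Object Name -eq $Name).'#text'
}

Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = [int[]]$watch.Keys; StartTime = $since } |
ForEach-Object {
    $xml   = [xml]$_.ToXml()
    $group = Get-EventField $xml 'TargetUserName'   # group name (locked account for 4740)
    [pscustomobject]@{
        Time       = $_.TimeCreated
        Id         = $_.Id
        What       = $watch[$_.Id]
        Actor      = Get-EventField $xml 'SubjectUserName'  # who made the change
        Member     = Get-EventField $xml 'MemberName'       # DN of the added account (group events only)
        Target     = $group
        Privileged = $privileged -contains $group
    }
} | Sort-Object @{ Expression = 'Privileged'; Descending = $true }, Time | Format-Table -AutoSize
```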
2. Prevent credential theft
If an attacker gets hold of credentials that have privileged access, they can easily enter and move throughout Active Directory, causing potentially untold damage to the organization. Some common and effective methods to stop credential theft are two-factor or multi-factor authentication (2FA/MFA), one-time passwords, third-party password managers, user training and others.
3. Minimize the attack surface
If you have an excessive number of users with privileged access, it becomes more likely that someone will either abuse their privileges or have their account compromised. Minimize the Active Directory attack surface by implementing a least-privilege model, securing administrative hosts, securing Domain Controllers (DCs), securing privileged accounts and taking other similar steps.
Design your Active Directory delegation through a combination of Group Policy Objects that grant users the limited rights they need without elevating them to Domain Admins. You cannot hand over the keys to your Active Directory servers to a large number of insufficiently qualified employees.
4. Keep admin accounts in separate OUs and apply different GPOs
After limiting the number of administrators, the next task is to ensure that all privileged users use separate administrative accounts. These accounts should follow a distinct naming convention so that they can be identified quickly. They should also be categorized and kept in separate OUs so that you can apply Group Policy settings specific to them.
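A check for the separation rules in this section, as an added example that is not from the original article: enumerate the privileged groups recursively and report every member that sits outside the admin OU, lacks the admin naming prefix, or is disabled but still privileged. It assumes the RSAT ActiveDirectory module is available; the OU path, the "adm-" prefix and the group list are placeholders for your own conventions.

```powershell
# Added example, not from the original article. The OU, prefix and group list below
# are assumed conventions; replace them with your own.
Import-Module ActiveDirectory

$AdminOU     = 'OU=Tier0 Admins,DC=corp,DC=example'   # assumed OU holding admin accounts
$AdminPrefix = 'adm-'                                  # assumed naming convention
$PrivilegedGroups = @(
    'Domain Admins', 'Enterprise Admins', 'Schema Admins',
    'Administrators', 'Account Operators', 'Backup Operators'
)

$findings = foreach ($group in $PrivilegedGroups) {
    # -Recursive expands nested groups, so indirectly privileged accounts are caught too.
    # Enterprise/Schema Admins exist only in the forest root, hence SilentlyContinue.
    $members = Get-ADGroupMember -Identity $group -Recursive -ErrorAction SilentlyContinue |
               Where-Object objectClass -eq 'user'
    foreach ($m in $members) {
        $user   = Get-ADUser -Identity $m.distinguishedName -Properties Enabled
        $issues = @()
        if ($user.DistinguishedName -notlike "*,$AdminOU") { $issues += 'outside admin OU' }
        if ($user.SamAccountName -notlike "$AdminPrefix*")  { $issues += 'no admin prefix' }
        if (-not $user.Enabled)                             { $issues += 'disabled but still privileged' }
        if ($issues) {
            [pscustomobject]@{
                Group   = $group
                Account = $user.SamAccountName
                DN      = $user.DistinguishedName
                Issue   = $issues -join '; '
            }
        }
    }
}

# One row per privileged account that violates the separation rules; empty output is the goal.
$findings | Sort-Object Group, Account | Format-Table -AutoSize
```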
5. Set up a dedicated server for administration
Service administrators who manage services such as DCs, sites and the schema should do so from dedicated Terminal Server Administration Points (TSAPs), not from their everyday desktops. This is a comparatively safe practice that reduces the chance of a malware attack and provides a locked-down, customized administration point.
6. Implement a strong password policy
We all know the benefits of strong passwords, but you cannot expect all users to choose them on their own, and you do not want to leave anything to chance. Enforce a strong password policy from the top down for both compliance and security purposes. You can achieve this by applying strong password rules in your domain, such as complex combinations of numbers and characters and frequent password changes.
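The domain-wide rules this section calls for, as an added example that is not from the original article, plus a stricter fine-grained policy for the separate admin accounts and a check for accounts that bypass the policy altogether. It assumes the RSAT ActiveDirectory module; the numeric values and the "Tier0-Admins" group name are illustrative placeholders, not figures from the article.

```powershell
# Added example, not from the original article. All values and the group name are
# placeholders; tune them to your own standard.
Import-Module ActiveDirectory
$domain = Get-ADDomain

# 1. Baseline for every account: complexity, length, rotation, history and lockout.
Set-ADDefaultDomainPasswordPolicy -Identity $domain.DistinguishedName `
    -ComplexityEnabled $true -MinPasswordLength 14 -PasswordHistoryCount 24 `
    -MaxPasswordAge (New-TimeSpan -Days 90) -MinPasswordAge (New-TimeSpan -Days 1) `
    -ReversibleEncryptionEnabled $false `
    -LockoutThreshold 10 -LockoutDuration (New-TimeSpan -Minutes 30) `
    -LockoutObservationWindow (New-TimeSpan -Minutes 30)

# 2. Fine-grained policy that overrides the baseline for privileged accounts (assumed group).
$AdminGroup = 'Tier0-Admins'
$fgppName   = 'Tier0-Admin-Password-Policy'
$fgpp = Get-ADFineGrainedPasswordPolicy -Filter "Name -eq '$fgppName'"
if (-not $fgpp) {
    $fgpp = New-ADFineGrainedPasswordPolicy -Name $fgppName -Precedence 10 -PassThru `
        -ComplexityEnabled $true -MinPasswordLength 20 -PasswordHistoryCount 24 `
        -MaxPasswordAge (New-TimeSpan -Days 60) -MinPasswordAge (New-TimeSpan -Days 1) `
        -ReversibleEncryptionEnabled $false `
        -LockoutThreshold 5 -LockoutDuration (New-TimeSpan -Minutes 60) `
        -LockoutObservationWindow (New-TimeSpan -Minutes 60)
}
Add-ADFineGrainedPasswordPolicySubject -Identity $fgpp -Subjects $AdminGroup

# 3. Verify: accounts whose userAccountControl exempts them from the policy.
#    0x10000 = DONT_EXPIRE_PASSWORD, 0x20 = PASSWD_NOTREQD (LDAP bitwise-AND matching rule).
Get-ADUser -LDAPFilter '(|(userAccountControl:1.2.840.113556.1.4.803:=65536)(userAccountControl:1.2.840.113556.1.4.803:=32))' `
    -Properties PasswordNeverExpires, PasswordNotRequired |
    Select-Object SamAccountName, PasswordNeverExpires, PasswordNotRequired |
    Format-Table -AutoSize
```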
7. Maintain enough free disk space on Domain Controllers (DCs)
Denial-of-service attacks can fill the available disk space with unnecessary files, ultimately crashing the DC. Don't allow this to happen: continually monitor disk space and erase unnecessary files from the disk.
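A targeted version of the disk check this section asks for, as an added example that is not from the original article: read where this DC keeps its directory database, database logs and SYSVOL, check the free space on each of those volumes, and raise an Application-log event when it falls below a threshold so the monitoring tool from item 1 can pick it up. It assumes it runs on a Domain Controller under Windows PowerShell; the 15% threshold and the "DCDiskWatch" event source are placeholders.

```powershell
# Added example, not from the original article. Runs on a DC; threshold and event
# source name are placeholders.
$MinFreePercent = 15

# Paths the NTDS and Netlogon services read at start-up.
$ntds     = Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Services\NTDS\Parameters'
$netlogon = Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters'
$criticalPaths = @{
    'NTDS database' = $ntds.'DSA Database file'
    'NTDS logs'     = $ntds.'Database log files path'
    'SYSVOL'        = $netlogon.SysVol
}

function Get-DcVolumeStatus {
    param([hashtable]$Paths, [int]$MinPercent)
    foreach ($entry in $Paths.GetEnumerator()) {
        $drive   = Split-Path -Qualifier $entry.Value              # e.g. "C:"
        $vol     = Get-CimInstance Win32_LogicalDisk -Filter "DeviceID='$drive'"
        $freePct = [math]::Round(100 * $vol.FreeSpace / $vol.Size, 1)
        $status  = if ($freePct -lt $MinPercent) { 'ALERT' } else { 'OK' }
        [pscustomobject]@{
            Role    = $entry.Key
            Path    = $entry.Value
            Drive   = $drive
            FreeGB  = [math]::Round($vol.FreeSpace / 1GB, 1)
            FreePct = $freePct
            Status  = $status
        }
    }
}

$report = Get-DcVolumeStatus -Paths $criticalPaths -MinPercent $MinFreePercent
$report | Format-Table -AutoSize

# Surface the condition where the real-time monitoring (item 1) will see it.
$alerts = $report | Where-Object Status -eq 'ALERT'
if ($alerts) {
    if (-not [System.Diagnostics.EventLog]::SourceExists('DCDiskWatch')) {
        New-EventLog -LogName Application -Source 'DCDiskWatch'
    }
    Write-EventLog -LogName Application -Source 'DCDiskWatch' -EntryType Warning -EventId 9001 `
        -Message ("Low free space on DC volumes:`n" + ($alerts | Out-String))
}
```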
8. Use Group Policy's Restricted Groups feature
Place all elevated built-in groups under 'Restricted Groups'. This strictly enforces group-membership rules, limiting the chance that an unwanted account is present in these groups: the 'Members of this group' setting replaces the group's existing membership at every policy refresh, so any account not listed in the policy is removed. Use 'Restricted Groups' to keep groups such as 'Enterprise Admins' very small.
9. Use Group Policy settings to apply a strong security policy
Group Policy is a powerful way to control your domain's security. Test these policies in a lab before rolling them out in production. You can also implement them in stages: first link them to individual OUs and, if they prove useful, link them to the entire domain.
10. Secure the Domain Controllers' time source
To keep accurate time, all Domain Controllers in the forest by default follow the holder of the primary Domain Controller (PDC) emulator role in the forest root domain. Secure the time source of that PDC emulator, which ensures that all DCs are correctly synchronized.
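The configuration this section describes, as an added example that is not from the original article: the forest-root PDC emulator takes time from your designated external source, every other DC follows the domain hierarchy, and the result is verified. It assumes the RSAT ActiveDirectory module; the two NTP hostnames are placeholders for your organisation's authoritative time servers.

```powershell
# Added example, not from the original article. NTP hostnames are placeholders.
Import-Module ActiveDirectory

$root  = (Get-ADForest).RootDomain
$pdc   = (Get-ADDomain $root).PDCEmulator
$local = [System.Net.Dns]::GetHostEntry($env:COMPUTERNAME).HostName

if ($local -ieq $pdc) {
    # Only the forest-root PDC emulator takes time from outside the forest.
    # ",0x8" = client mode; /reliable:yes advertises this DC as a reliable time source.
    w32tm /config /manualpeerlist:"ntp1.example.internal,0x8 ntp2.example.internal,0x8" `
          /syncfromflags:manual /reliable:yes /update
} else {
    # Every other DC follows the domain hierarchy, which ends at the PDC emulator.
    w32tm /config /syncfromflags:domhier /reliable:no /update
}
Restart-Service w32time
w32tm /resync /nowait

# Verify: the source should be the configured peers on the PDC emulator
# and another DC's name everywhere else.
w32tm /query /source
w32tm /query /status /verbose

# Forest-wide check from any DC: clock offset of every DC relative to this machine.
w32tm /monitor /domain:$root
```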
11. How to protect Active Directory services
To protect ‘Active Directory Domain Services’ (AD DS) and avoid outages, plan exhaustively and carefully architect a highly available AD DS. If an object or attribute is deleted by mistake, you should be able to restore it quickly and easily.
To protect ‘Active Directory Federation Services’ (AD FS), include ‘extended protection for authentication’ and ‘congestion control’ in your security plan.
The two services mentioned above, along with ‘Active Directory Certificate Services’, ‘Active Directory Rights Management Services’ and ‘Active Directory Lightweight Directory Services’, should be kept current with all available security updates.