Last Updated on June 16, 2020 by Ajit Singh
Active Directory is the backbone of an enterprise IT infrastructure. Organizations are ready to invest heavily in its security, but administrators can go a long way toward securing Active Directory simply by following some best practices. Here are some tips that can help you:
1. Follow a lean model for AD administration
Too many cooks spoil the broth. This is especially true of AD administration, so keep your network architecture simple, elegant, and lean. Microsoft recommends a least-privilege administrative model in which Active Directory administrative powers are given to only a few people. The same approach should be followed for domain administration: AD administrators need not be members of the Domain Admins group. No account, especially a service account, should be given more privileges than it requires. Rights should be assigned only through group memberships, and they should be withdrawn once they are no longer needed. Also, remove any trusts that are not required.
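As an added example (not part of the original article), this PowerShell script takes a snapshot of who sits in the built-in privileged groups so you can verify that only a few people hold those rights and spot service accounts or stale accounts that should be removed. It assumes the RSAT ActiveDirectory module on a domain-joined host and the default group names.

```powershell
# Added example, not from the original article. Assumes the RSAT ActiveDirectory
# module and a domain-joined host; group names are the built-in defaults.
Import-Module ActiveDirectory

# Enterprise Admins and Schema Admins exist only in the forest root domain,
# so lookups that fail in a child domain are skipped rather than aborting.
$privilegedGroups = 'Domain Admins', 'Enterprise Admins', 'Schema Admins',
                    'Administrators', 'Account Operators', 'Backup Operators'

$report = foreach ($group in $privilegedGroups) {
    # -Recursive expands nested groups so indirect members are not missed
    Get-ADGroupMember -Identity $group -Recursive -ErrorAction SilentlyContinue |
        Where-Object { $_.objectClass -eq 'user' } |
        Get-ADUser -Properties LastLogonDate, PasswordLastSet, ServicePrincipalName |
        ForEach-Object {
            [pscustomobject]@{
                Group           = $group
                SamAccountName  = $_.SamAccountName
                Enabled         = $_.Enabled
                LastLogonDate   = $_.LastLogonDate
                PasswordLastSet = $_.PasswordLastSet
                # An SPN on a privileged account usually marks a service account
                # that holds more rights than it needs.
                HasSPN          = ($_.ServicePrincipalName.Count -gt 0)
            }
        }
}

$report | Sort-Object Group, SamAccountName | Format-Table -AutoSize

# Candidates for removal: service accounts, disabled accounts, and accounts
# that have not logged on for 90 days (a null LastLogonDate also matches).
$cutoff = (Get-Date).AddDays(-90)
$report |
    Where-Object { $_.HasSPN -or -not $_.Enabled -or $_.LastLogonDate -lt $cutoff } |
    Export-Csv -Path .\privileged-group-review.csv -NoTypeInformation
```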
2. Create a security policy and implement it
A secure Active Directory environment can be achieved only by creating and implementing a security policy. Before forming a policy, go through the best practices recommended by Microsoft, understand the organization’s regulatory compliance requirements, and assess how critical the organization’s IT assets are. The policy needs to be realistic: a very strict security policy may hamper employee productivity and raise implementation costs. While forming a security policy, strike a fine balance between the security considerations and the productivity requirements. Once the policy is finalized in consultation with the HR department and higher management, convey it to the employees and enforce it with the aid of technology. For implementation, you can rely on the built-in AD features or on freely available Microsoft tools. Recently, more and more organizations are making use of professional third-party solutions for the effortless management of Active Directory and the implementation of the security policy.
3. Audit Active Directory
Always expect security threats in the AD environment and audit it regularly. Monitor the computers and users in AD to identify any security breach. Group Policy changes, permission changes, and group membership additions need particularly close monitoring. Also watch for user accounts being added to administrative groups and for actions performed by privileged accounts. Consider auditing account logon events, object access, policy changes, and privilege use as well. An audit helps uncover gaps in the security preparations and is essential for meeting compliance requirements. In normal situations you can rely on the built-in Windows Server auditing features, but consider a professional auditing solution when the auditing requirements are complex.
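As an added example (not part of the original article), the following PowerShell enables the audit subcategories behind the events just listed and then pulls the last day's group-membership, account-management, policy-change and privilege-use events from the Security log, flagging additions to the admin groups. It assumes it is run elevated on a domain controller; the event IDs and auditpol subcategory names are the standard Windows ones.

```powershell
# Added example, not from the original article. Run elevated on a domain
# controller; event IDs and auditpol subcategory names are the standard
# Windows ones.

# 1. Enable the audit subcategories behind the events the text lists. For the
#    whole fleet, set the same values through Group Policy instead.
$subcategories = 'Security Group Management', 'User Account Management',
                 'Audit Policy Change', 'Sensitive Privilege Use',
                 'Credential Validation', 'Logon', 'Directory Service Access'
foreach ($sub in $subcategories) {
    auditpol.exe /set /subcategory:"$sub" /success:enable /failure:enable | Out-Null
}

# 2. Pull the last 24 hours of the events worth alerting on:
#    4728/4732/4756 member added to a global/local/universal security group
#    4720 user account created         4670 permissions on an object changed
#    4719 system audit policy changed  4672 special privileges assigned at logon
$watchIds = 4728, 4732, 4756, 4720, 4670, 4719, 4672
$events = Get-WinEvent -FilterHashtable @{
    LogName = 'Security'; Id = $watchIds; StartTime = (Get-Date).AddDays(-1)
} -ErrorAction SilentlyContinue

# 3. Parse the membership-change events and flag additions to admin groups.
$adminGroups = 'Domain Admins', 'Enterprise Admins', 'Schema Admins', 'Administrators'
$events | Where-Object { $_.Id -in @(4728, 4732, 4756) } | ForEach-Object {
    $data = @{}
    foreach ($d in ([xml]$_.ToXml()).Event.EventData.Data) { $data[$d.Name] = $d.'#text' }
    [pscustomobject]@{
        Time       = $_.TimeCreated
        Group      = $data['TargetUserName']   # the group that was changed
        Member     = $data['MemberName']       # DN of the account added
        ChangedBy  = $data['SubjectUserName']  # who made the change
        AdminGroup = $data['TargetUserName'] -in $adminGroups
    }
} | Sort-Object Time -Descending | Format-Table -AutoSize
```

Rows with AdminGroup set to True are the ones the text says to watch most closely; in practice you would forward these events to a SIEM rather than read them on the DC.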
4. Document the way you construct Active Directory
Documenting a few things about how Active Directory is constructed helps keep it healthy and secure, and it helps in disaster recovery situations too. Forest and domain information, AD configuration, settings, options, OU structure, sites, Group Policy settings and links, and other important information should be documented. Also note the details of the DNS configuration, naming conventions, OU hierarchy, server roles, firewall exceptions, and third-party installations. Documentation is also helpful when delegating and handing over responsibilities to others.
5. Stay updated with the software
Legacy systems and applications need to be replaced to improve Active Directory security. Use the newest version of the Windows Server OS for your domain controllers; an outdated OS will be ill-equipped to deal with the newest security threats. Apply patches promptly on domain controllers and workstations, and make sure the latest security updates are installed.
6. Have some precautionary measures in place
Some precautionary measures are essential to keep AD out of reach of attackers. Isolate critical servers such as domain controllers from other servers and ensure their physical security by controlling access to them. Do not run unnecessary programs, services, or applications on domain controllers. Critical database servers should be accessible only from selected computers. Review forest and domain trusts and remove the unwanted ones. Administrative accounts should not be used for everyday activities like web browsing, and all servers and systems should be protected with the latest version of the antivirus software.
7. Cleanup regularly
Inactive accounts (computer and user accounts that remain dormant) can be dangerous to the AD network. Attackers can use them to intrude into a network and access its resources. Find them and disable them immediately. Remove them from all group memberships, move them to a separate OU, put them on a watch list for a limited period, and delete them afterwards. It is good to include guidelines in the security policy on the procedure for dealing with inactive accounts.
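As an added example (not part of the original article), this PowerShell script carries out the whole procedure above: it finds accounts unused for 90 days, disables them, strips their group memberships, stamps and moves them to a quarantine OU, and deletes the ones whose 30-day watch period has expired. It assumes the RSAT ActiveDirectory module; the OU path and both time windows are placeholders.

```powershell
# Added example, not from the original article. Assumes the RSAT ActiveDirectory
# module; the quarantine OU path and the 90/30-day windows are placeholders.
Import-Module ActiveDirectory

$inactiveDays = 90
$watchDays    = 30
$quarantineOU = 'OU=Quarantine,DC=example,DC=com'
$stamp        = Get-Date -Format 'yyyy-MM-dd'

# Step 1: enabled user and computer accounts with no logon in $inactiveDays
# (based on lastLogonTimestamp), excluding anything already quarantined.
$inactive = Search-ADAccount -AccountInactive -TimeSpan ([TimeSpan]::FromDays($inactiveDays)) |
    Where-Object { $_.Enabled -and $_.DistinguishedName -notlike "*,$quarantineOU" }

foreach ($acct in $inactive) {
    # Step 2: disable first so the account can no longer authenticate.
    Disable-ADAccount -Identity $acct.DistinguishedName

    # Step 3: strip every group membership except the primary group
    # (RID 513 = Domain Users, RID 515 = Domain Computers cannot be removed).
    Get-ADPrincipalGroupMembership -Identity $acct.DistinguishedName |
        Where-Object { $_.SID.Value -notmatch '-51[35]$' } |
        ForEach-Object { Remove-ADGroupMember -Identity $_ -Members $acct.DistinguishedName -Confirm:$false }

    # Step 4: record the date in the description and move it to the watch OU.
    Set-ADObject -Identity $acct.DistinguishedName -Description "Quarantined $stamp; inactive $inactiveDays days"
    Move-ADObject -Identity $acct.DistinguishedName -TargetPath $quarantineOU
}

# Step 5: delete accounts whose watch period has expired. The filter
# (objectClass=user) also matches computer objects, so both kinds are covered.
Get-ADObject -SearchBase $quarantineOU -Filter 'objectClass -eq "user"' -Properties Description |
    Where-Object { $_.Description -match '^Quarantined (\d{4}-\d{2}-\d{2})' -and
                   [datetime]$Matches[1] -lt (Get-Date).AddDays(-$watchDays) } |
    Remove-ADObject -Recursive -Confirm:$false
```

Run it once with -WhatIf added to the Disable-, Remove-, Move- and Set- cmdlets to review the candidate list before letting it change anything.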
8. Have powerful passwords everywhere
Be extremely careful with passwords. Long alphanumeric passwords that are not formed from dictionary words or familiar words are highly recommended. Service account passwords should ideally have a minimum of twenty characters, and password reuse should be avoided. Do not use the same password for the local Administrator account on more than one computer. It is also recommended to force domain users to change their default password at first login, but make sure that your password policies do not make life difficult for end users.
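As an added example (not part of the original article), the following PowerShell enforces the twenty-character minimum for service accounts through a fine-grained password policy, leaving the domain-wide policy for end users untouched, and then forces a change at first logon for recently created users who are still on the password they were given. It assumes the RSAT ActiveDirectory module, a domain functional level that supports fine-grained password policies, and a group named 'Service Accounts' (placeholder) holding the service accounts.

```powershell
# Added example, not from the original article. Assumes the RSAT ActiveDirectory
# module, a domain functional level that supports fine-grained password
# policies, and a group named 'Service Accounts' (placeholder).
Import-Module ActiveDirectory

$serviceGroup = 'Service Accounts'

# A Password Settings Object enforcing the twenty-character minimum for service
# accounts without tightening the domain-wide policy that end users live with.
# Lower Precedence wins when several PSOs apply to the same account.
New-ADFineGrainedPasswordPolicy -Name 'PSO-ServiceAccounts' -Precedence 10 `
    -MinPasswordLength 20 -ComplexityEnabled $true -PasswordHistoryCount 24 `
    -MinPasswordAge (New-TimeSpan -Days 1) -MaxPasswordAge (New-TimeSpan -Days 365) `
    -LockoutThreshold 10 -LockoutDuration (New-TimeSpan -Minutes 30) `
    -LockoutObservationWindow (New-TimeSpan -Minutes 30) `
    -ReversibleEncryptionEnabled $false

Add-ADFineGrainedPasswordPolicySubject -Identity 'PSO-ServiceAccounts' -Subjects $serviceGroup

# Confirm which policy actually applies to a member (svc_backup is a
# constructed sample account name).
Get-ADUserResultantPasswordPolicy -Identity 'svc_backup'

# Force a change at first logon for users created in the last week who are
# still on their initial password (PasswordLastSet has not moved since creation).
$cutoff = (Get-Date).AddDays(-7)
Get-ADUser -Filter { whenCreated -ge $cutoff -and Enabled -eq $true } -Properties whenCreated, PasswordLastSet |
    Where-Object { $_.PasswordLastSet -and $_.PasswordLastSet -le $_.whenCreated.AddMinutes(5) } |
    Set-ADUser -ChangePasswordAtLogon $true
```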
9. Use professional Active Directory auditing tools
Do not worry if you find the tasks described above complex. There are many professional solutions that can help with Active Directory auditing, health check-ups, cleanup, and self-service. Some of them automate most of the points in this article and provide detailed reports. They help organizations meet regulatory compliance requirements and increase data security. Most of these tools are available as trial versions, so you can try them for free before purchasing.
It is not reasonable to assume that Active Directory is secure by itself. Administrators need to protect it using all the resources available. If you focus on a few simple things, you can substantially increase the security of Active Directory and of the resources it protects.