Active Directory Security Best Practices: Protect Your Environment. Active Directory (AD) is a vital and critical component of most enterprise IT environments, providing authentication, authorization, and access control services to a wide range of applications and services. As such, ensuring the security of the Active Directory environment is paramount to protect the confidentiality, integrity, and availability of sensitive data and resources. To achieve this goal, administrators must implement a range of security best practices that mitigate the risks of cyberattacks, insider threats, and other security incidents.
By following some of the best practices presented in this article, administrators reduce the attack surface of their Active Directory environment, minimize the impact of security breaches, and ensure the ongoing availability and integrity of their IT systems and data.
Active Directory Security Best Practices: Protect Your Environment
Active Directory has been around for a long time, and there are well-known ways to exploit its flaws and misconfigurations. Beyond software vulnerabilities, it is often straightforward for attackers to steal or guess user credentials, which gives them access to our data. If they compromise a single computer or a single login, they can work their way to full control of Active Directory and our network.
Now, let’s explore some best practices for securing our AD environment.
Practice the Principle of Least Privilege
Members of Domain Admins (DA) and other privileged groups are very powerful: they have access to the entire domain, every system, all data, every server, workstation and laptop.
Domain Admins are exactly what attackers seek out. Therefore, Microsoft recommends that when DA access is needed, we temporarily place the account in the DA group and remove it again as soon as the work is finished.
Microsoft recommends the same practice for the Enterprise Admins, Schema Admins and Backup Operators groups. The screenshot below shows a bad example of delegating users inside the AD Domain Admins group:
The Problem Statement
Attackers do not need much to steal or crack user credentials. Once they have a foothold on one machine, they move laterally through the network looking for greater rights such as DA.
One compromised computer or user account can be enough for an attacker to take over the network. Cleaning up the Domain Admins group is therefore a significant first step towards a more secure network: it slows the attacker down and limits what a single stolen credential is worth.
Using Two Accounts or More
To enhance our infrastructure security, create two separate accounts: one for daily activities without admin rights and another for administrative tasks with privileged access, such as modifying servers. Logging in with the privileged account should be limited to the tasks that require it. Do not put the secondary account in the Domain Admins group, at least not permanently.
Instead, follow the least-privilege administrative model: every user logs on with the account that has the minimum permissions needed to complete the work at hand.
To minimise risk, delegate everyday tasks to a secondary admin account, including managing Active Directory Users and Computers, DNS, DHCP, Group Policy, Exchange, and local admin rights on servers and workstations. Some organisations go further with a tiered approach that uses more than two accounts, so that a credential stolen from a workstation cannot be used to administer servers. This is definitely more secure but may be an inconvenience to some.
- Regular account
- Account for Server Administration
- Account for Network Administration
- Account for Workstation Administration
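As an added example (this PowerShell is not from the original article), the script below audits the built-in privileged groups recursively, flagging stale passwords and Kerberoastable admin accounts, and shows the time-bound alternative to leaving an account in Domain Admins. It assumes the ActiveDirectory RSAT module; the time-limited grant additionally assumes a forest at Windows Server 2016 functional level with the Privileged Access Management optional feature enabled, and adm-jsmith is a placeholder account name.

```powershell
# Added example, not from the original article. Audits the built-in privileged
# groups recursively and shows a time-bound alternative to leaving accounts in
# Domain Admins. Assumes the ActiveDirectory RSAT module; the time-bound grant
# additionally needs a forest at Windows Server 2016 functional level with the
# "Privileged Access Management Feature" optional feature enabled.
Import-Module ActiveDirectory

# Enterprise Admins and Schema Admins only exist in the forest root domain; the
# lookup is allowed to fail silently when run elsewhere.
$privilegedGroups = 'Domain Admins', 'Enterprise Admins', 'Schema Admins',
                    'Administrators', 'Backup Operators', 'Account Operators'

function Get-PrivilegedAccountReport {
    foreach ($groupName in $privilegedGroups) {
        $members = Get-ADGroupMember -Identity $groupName -Recursive -ErrorAction SilentlyContinue
        foreach ($member in $members) {
            if ($member.objectClass -ne 'user') { continue }
            $user = Get-ADUser -Identity $member.distinguishedName `
                -Properties Enabled, LastLogonDate, PasswordLastSet, ServicePrincipalNames
            $pwAgeDays = if ($user.PasswordLastSet) { ((Get-Date) - $user.PasswordLastSet).Days } else { $null }
            [pscustomobject]@{
                Group           = $groupName
                Account         = $user.SamAccountName
                Enabled         = $user.Enabled
                LastLogon       = $user.LastLogonDate
                PasswordAgeDays = $pwAgeDays
                # A privileged account with an SPN is Kerberoastable: any domain user can
                # request a service ticket for it and crack the password offline.
                HasSPN          = ($user.ServicePrincipalNames.Count -gt 0)
            }
        }
    }
}

function Grant-TemporaryGroupMembership {
    # Adds an account to a group with a TTL; AD removes the membership itself when it expires.
    param(
        [Parameter(Mandatory)][string]$Group,
        [Parameter(Mandatory)][string]$Account,
        [int]$Hours = 4
    )
    Add-ADGroupMember -Identity $Group -Members $Account -MemberTimeToLive (New-TimeSpan -Hours $Hours)
    # Members with a TTL are returned as "<TTL=seconds>,<DN>" so the remaining time is visible.
    (Get-ADGroup -Identity $Group -Properties member -ShowMemberTimeToLive).member
}

Get-PrivilegedAccountReport | Sort-Object Group, Account | Format-Table -AutoSize
# Example use (adm-jsmith is a placeholder account name):
# Grant-TemporaryGroupMembership -Group 'Domain Admins' -Account 'adm-jsmith' -Hours 2
```

Run the report from a workstation that already has RSAT; anything it lists with HasSPN set to True or a password age in the hundreds of days is a candidate for removal from the group rather than just a note in the audit.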
Use Local Administrator Password Solution (LAPS)
Microsoft’s LAPS manages the local administrator account password on domain-joined computers. Every local administrator account receives a unique, automatically rotated password that is stored in Active Directory, where authorised administrators can read it when needed. It is one of the best free mitigations against lateral movement from computer to computer.
Organisations commonly deploy Windows from a single image, which frequently results in every computer having the same local administrator password. An attacker who obtains that password (or its hash) on one machine can then log on to every other machine built from the same image, because the account has complete access to each computer.
No additional servers are needed: LAPS is built onto the existing Active Directory infrastructure (a schema extension plus a Group Policy client-side extension that rotates the password on each workstation). When we need the local admin account on a computer, we retrieve its password from Active Directory, and that password is unique to that single computer.
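As an added example (not from the original article), the script below checks LAPS coverage: it finds active domain computers that have no LAPS-managed password at all, or whose password is past its expiry time, which means the client-side extension is not rotating it. It assumes the ActiveDirectory RSAT module and that either legacy LAPS (ms-Mcs-AdmPwd attributes) or Windows LAPS (msLAPS attributes) has been added to the schema; WS-HQ-0142 is a placeholder computer name.

```powershell
# Added example, not from the original article: finds domain computers that have
# no LAPS-managed password, or whose password is past its expiry date (the client
# is not checking in). Assumes the ActiveDirectory RSAT module and that either
# legacy LAPS (ms-Mcs-AdmPwd*) or Windows LAPS (msLAPS-*) is in the schema.
Import-Module ActiveDirectory

function Get-LapsExpiryAttribute {
    # Returns whichever expiration-time attribute exists in this forest's schema.
    $schema = (Get-ADRootDSE).schemaNamingContext
    foreach ($attr in 'msLAPS-PasswordExpirationTime', 'ms-Mcs-AdmPwdExpirationTime') {
        if (Get-ADObject -SearchBase $schema -LDAPFilter "(lDAPDisplayName=$attr)") { return $attr }
    }
    throw 'No LAPS schema extension found; run Update-LapsADSchema (Windows LAPS) or Update-AdmPwdADSchema (legacy LAPS).'
}

function Get-LapsCoverageReport {
    param([int]$ActiveWithinDays = 30)
    $expiryAttr = Get-LapsExpiryAttribute
    $cutoff = (Get-Date).AddDays(-$ActiveWithinDays)
    # Only computers that logged on recently; stale computer objects are a separate clean-up.
    Get-ADComputer -Filter 'Enabled -eq $true' -Properties $expiryAttr, LastLogonDate, OperatingSystem |
        Where-Object { $_.LastLogonDate -gt $cutoff } |
        ForEach-Object {
            $raw = $_.$expiryAttr                      # FILETIME stored as a large integer
            $expires = if ($raw) { [DateTime]::FromFileTimeUtc([int64]$raw) } else { $null }
            $state = if (-not $raw) { 'NoLapsPassword' } elseif ($expires -lt [DateTime]::UtcNow) { 'Expired-NotRotated' } else { 'OK' }
            [pscustomobject]@{
                Computer  = $_.Name
                OS        = $_.OperatingSystem
                LastLogon = $_.LastLogonDate
                Expires   = $expires
                State     = $state
            }
        }
}

$report = Get-LapsCoverageReport
$report | Where-Object State -ne 'OK' | Sort-Object State, Computer | Format-Table -AutoSize

# Retrieving one machine's password when you need it depends on the LAPS flavour
# (WS-HQ-0142 is a placeholder name):
#   Windows LAPS: Get-LapsADPassword -Identity WS-HQ-0142 -AsPlainText
#   legacy LAPS:  Get-AdmPwdPassword -ComputerName WS-HQ-0142
```

A machine in the Expired-NotRotated state is the one to chase first: its password is still the old value, so it is the machine where a leaked local admin password keeps working.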
Use a Secure Admin Workstation
A secure admin workstation (SAW) is a dedicated system that we only use to perform administrative tasks with our privileged account.
It usually has no internet access, only connectivity to the internal network or intranet.
Functions typically carried out on a SAW include Active Directory administration, Group Policy management, DNS and DHCP server management, tasks requiring admin rights on servers, management of platforms such as VMware, Hyper-V and Citrix, and Office 365 administration. Because the privileged account is never used on a machine that browses the web or reads email, it is substantially better protected from those attack avenues. Even so, both internal and external compromise remain possible, so it is best to design as if a breach has already happened.
Deploying a SAW Workbench
Because threats and technology keep changing, the methodology for deploying a SAW keeps changing too. However, these are the steps we follow to deploy a SAW:
Determine the requirements: before deploying a SAW, determine the specific requirements for the workstation, including hardware specifications, software requirements and security configuration.
Acquire the necessary hardware and software: once the requirements are established, acquire the hardware and software. This may include a new computer, a supported and hardened operating system, and additional security software such as antivirus, firewall and disk-encryption tools.
Install and configure the operating system on the SAW, ensuring that all security features are enabled and configured properly. This includes configuring firewall rules, disabling unnecessary services and features, and configuring network settings.
Install the necessary security software: antivirus, encryption tools and other security utilities, if they are required on the SAW.
Establish remote access: if the SAW is used for remote administration, establish secure channels such as VPN or Remote Desktop Protocol (RDP) from the SAW to the systems it manages, restrict them to the hosts that need them, and configure the necessary security settings.
Test the SAW: before deploying the SAW into production, test it thoroughly to ensure that all security features and software work as expected and that all necessary applications and tools are accessible.
Deploy the SAW: once the SAW has been tested and verified, deploy it into production and assign it to the administrators who require elevated access rights. Ensure that everyone who uses the SAW is trained in its use and the associated security policies.
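The firewall step above is where "no internet access" actually gets enforced. As an added example (not from the original article), the script below sets Windows Firewall on the SAW to default-deny in both directions and opens outbound access only to the domain controllers, the management subnet and an internal update server. The subnets, addresses and ports are placeholders; run it in an elevated PowerShell on the SAW, and bear in mind that a domain firewall GPO can override these local profile settings.

```powershell
# Added example, not from the original article: locks a SAW's outbound traffic
# down to the management network so the admin workstation has no general internet
# access. Run in an elevated PowerShell on the SAW. Subnets, hosts and ports
# below are assumed placeholders.
#Requires -RunAsAdministrator

$mgmtSubnet  = '10.10.50.0/24'                # where DCs, jump hosts and management tools live
$domainCtrls = '10.10.50.10', '10.10.50.11'   # DNS, Kerberos, LDAP
$updateSrv   = '10.10.50.20'                  # internal WSUS; the SAW must not fetch updates from the internet

function Set-SawFirewallPolicy {
    # Default-deny both directions on every profile; the allow rules below open only what admin work needs.
    Set-NetFirewallProfile -Profile Domain, Private, Public -Enabled True `
        -DefaultInboundAction Block -DefaultOutboundAction Block

    $rules = @(
        @{ DisplayName = 'SAW Out: DNS to domain controllers';           RemoteAddress = $domainCtrls; Protocol = 'UDP'; RemotePort = 53 }
        @{ DisplayName = 'SAW Out: Kerberos/LDAP/SMB to domain controllers'; RemoteAddress = $domainCtrls; Protocol = 'TCP'; RemotePort = 88, 389, 445, 636, 3268 }
        @{ DisplayName = 'SAW Out: RDP/WinRM to management subnet';       RemoteAddress = $mgmtSubnet;  Protocol = 'TCP'; RemotePort = 3389, 5985, 5986 }
        @{ DisplayName = 'SAW Out: WSUS';                                 RemoteAddress = $updateSrv;   Protocol = 'TCP'; RemotePort = 8530, 8531 }
    )
    foreach ($r in $rules) {
        # Recreate each rule so the script is safe to re-run.
        Remove-NetFirewallRule -DisplayName $r.DisplayName -ErrorAction SilentlyContinue
        New-NetFirewallRule -Direction Outbound -Action Allow -Profile Any @r | Out-Null
    }
}

function Test-SawFirewallPolicy {
    # True only if every profile is enabled and blocks outbound traffic by default.
    $bad = Get-NetFirewallProfile | Where-Object { $_.Enabled -ne 'True' -or $_.DefaultOutboundAction -ne 'Block' }
    return (-not $bad)
}

Set-SawFirewallPolicy
if (Test-SawFirewallPolicy) { 'SAW firewall posture OK' } else { Write-Warning 'Outbound default is not Block on every profile' }
```

Everything not listed, including HTTP and HTTPS to the internet, is dropped by the outbound default. If the SAW must reach a cloud admin portal (for example for Office 365 administration), add an explicit rule for that destination rather than relaxing the default.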
Enforce Password Policies
The key to effective passphrases is to avoid phrases in which each word predicts the next, such as a song lyric or a well-known quotation that will be in any cracking wordlist. To learn more about increasing password complexity and enforcing password policies, see our article on that topic.
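In Active Directory, a password policy is enforced either through the default domain policy or, for specific groups, through a fine-grained password policy (PSO). As an added example (not from the original article), the script below applies a stricter PSO to privileged accounts and compares it with the default domain policy. It assumes the ActiveDirectory RSAT module; the PSO name, the Tier0-Admins group, the account adm-jsmith and the numeric values are placeholders to adjust to your own standard.

```powershell
# Added example, not from the original article: applies a stricter fine-grained
# password policy (PSO) to privileged accounts than the default domain policy
# provides, and shows the two side by side. Assumes the ActiveDirectory RSAT
# module; the PSO name, the Tier0-Admins group and the values are placeholders.
Import-Module ActiveDirectory

$psoName  = 'PSO-PrivilegedAccounts'           # assumed name
$subjects = 'Domain Admins', 'Tier0-Admins'    # PSOs apply only to users and global security groups

function Set-PrivilegedPasswordPolicy {
    if (-not (Get-ADFineGrainedPasswordPolicy -Filter "Name -eq '$psoName'")) {
        # Lower precedence wins when several PSOs apply to the same user.
        New-ADFineGrainedPasswordPolicy -Name $psoName -Precedence 10 `
            -MinPasswordLength 20 -ComplexityEnabled $true -PasswordHistoryCount 24 `
            -MinPasswordAge (New-TimeSpan -Days 1) -MaxPasswordAge (New-TimeSpan -Days 90) `
            -LockoutThreshold 5 -LockoutDuration (New-TimeSpan -Minutes 30) `
            -LockoutObservationWindow (New-TimeSpan -Minutes 30) `
            -ReversibleEncryptionEnabled $false
    }
    Add-ADFineGrainedPasswordPolicySubject -Identity $psoName -Subjects $subjects
}

function Compare-PasswordPolicies {
    $columns = 'MinPasswordLength', 'ComplexityEnabled', 'PasswordHistoryCount',
               'MaxPasswordAge', 'LockoutThreshold', 'LockoutDuration'
    $defaultProps = @(@{ n = 'Policy'; e = { 'Default Domain Policy' } }) + $columns
    $psoProps     = @(@{ n = 'Policy'; e = { $_.Name } }) + $columns
    Get-ADDefaultDomainPasswordPolicy | Select-Object -Property $defaultProps
    Get-ADFineGrainedPasswordPolicy -Identity $psoName | Select-Object -Property $psoProps
}

Set-PrivilegedPasswordPolicy
Compare-PasswordPolicies | Format-Table -AutoSize
# Confirm which policy a given admin actually receives (adm-jsmith is a placeholder):
# Get-ADUserResultantPasswordPolicy -Identity adm-jsmith
```

The resultant-policy check at the end is the one to keep in your runbook: a PSO silently does nothing for an account that is only a member of a domain local group, because PSOs cannot be applied to those.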
Patch Management and Vulnerability Scanning
Patch management and vulnerability scanning are critical components of Active Directory security. In a constantly evolving threat landscape, keeping systems and software up to date with the latest security patches and fixes is essential to protecting against known vulnerabilities and exploits. Vulnerability scanning helps to identify areas of weakness within the environment, allowing organizations to prioritize and remediate potential security risks before attackers exploit them.
Recommendations for Continuous Vulnerability Management
- Conduct system scans at least once a month to detect potential vulnerabilities, preferably more frequently, if possible.
- Prioritize the identified vulnerabilities based on their severity and prevalence in the wild, and address them accordingly.
- Automate the deployment of software updates for operating systems and third-party applications.
- Identify software and operating systems that are no longer supported and update them to a supported version.
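The last two recommendations need an inventory to act on. As an added example (not from the original article), the script below queries Active Directory for active computers still running operating systems that no longer receive security updates, and checks a list of machines for their most recent installed hotfix. It assumes the ActiveDirectory RSAT module and admin rights on the queried machines; the list of unsupported OS name patterns is an assumption you maintain as support lifecycles change.

```powershell
# Added example, not from the original article: lists active domain computers
# still running operating systems that no longer receive security updates, and
# reports machines whose last installed hotfix is older than a threshold.
# Assumes the ActiveDirectory RSAT module; the unsupported-OS patterns are an
# assumption to maintain as Microsoft's support lifecycle moves on.
Import-Module ActiveDirectory

# Name fragments matched against the computer object's OperatingSystem attribute.
$unsupportedPatterns = 'Windows 7', 'Windows 8', 'Windows XP', 'Windows Vista',
                       'Server 2003', 'Server 2008', 'Server 2012'

function Get-UnsupportedOSComputers {
    param([int]$ActiveWithinDays = 30)
    $cutoff = (Get-Date).AddDays(-$ActiveWithinDays)
    Get-ADComputer -Filter 'Enabled -eq $true' -Properties OperatingSystem, OperatingSystemVersion, LastLogonDate |
        Where-Object { $_.LastLogonDate -gt $cutoff -and $_.OperatingSystem } |
        ForEach-Object {
            $os  = $_.OperatingSystem
            $hit = $unsupportedPatterns | Where-Object { $os -like "*$_*" } | Select-Object -First 1
            if ($hit) {
                [pscustomobject]@{ Computer = $_.Name; OS = $os; Build = $_.OperatingSystemVersion; LastLogon = $_.LastLogonDate; Matched = $hit }
            }
        }
}

function Get-LastPatchDate {
    # Coarse check via the hotfix inventory (Win32_QuickFixEngineering); needs admin rights on each target.
    param([Parameter(Mandatory)][string[]]$ComputerName, [int]$StaleAfterDays = 60)
    foreach ($c in $ComputerName) {
        try {
            $latest = Get-HotFix -ComputerName $c -ErrorAction Stop |
                Where-Object InstalledOn | Sort-Object InstalledOn -Descending | Select-Object -First 1
            $stale = (-not $latest) -or ($latest.InstalledOn -lt (Get-Date).AddDays(-$StaleAfterDays))
            [pscustomobject]@{ Computer = $c; LastPatch = $latest.InstalledOn; HotFixID = $latest.HotFixID; Stale = $stale }
        } catch {
            # Unreachable or access denied: treat as stale so it shows up in the backlog.
            [pscustomobject]@{ Computer = $c; LastPatch = $null; HotFixID = $null; Stale = $true }
        }
    }
}

Get-UnsupportedOSComputers | Sort-Object OS, Computer | Format-Table -AutoSize
# Patch recency for the servers in a given OU (OU path is a placeholder):
# $servers = (Get-ADComputer -SearchBase 'OU=Servers,DC=corp,DC=local' -Filter 'Enabled -eq $true').Name
# Get-LastPatchDate -ComputerName $servers | Where-Object Stale | Export-Csv .\stale-patching.csv -NoTypeInformation
```

Treat both outputs as a backlog rather than a scan result: the OS list is what needs upgrading, and the stale list is what your update automation is not reaching.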
Monitor DHCP Logs For Connected Devices
Know what devices are on our network; with multiple locations and many users and computers, this is challenging. There are network access control techniques to ensure that only authorised devices connect, but they are expensive and time-consuming to set up.
Another method already available to us is to monitor the DHCP server logs for connected devices. Set all end-user devices to use DHCP and review the logs to see what is connecting. This works best if we have a naming convention for our equipment, because a host name that does not follow it stands out as a possibly unauthorised device.
We can easily spot a device that does not follow the computer naming convention in the screenshot below.
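As an added example (not from the original article), the script below reads the Windows DHCP server audit log format (DhcpSrvLog-<Day>.log) and flags new and renewed leases whose host name is missing or does not follow the naming convention. The convention regex and the log lines are constructed assumptions; the column layout is the one the DHCP server writes.

```powershell
# Added example, not from the original article: reads the Windows DHCP server
# audit log and flags leases whose host name does not follow the naming
# convention. The convention regex and the sample lines are constructed
# assumptions; the column order (ID,Date,Time,Description,IP Address,Host Name,
# MAC Address,...) is the one the DHCP server writes.

# Assumed convention: <role>-<site>-<4 digits>, e.g. WS-HQ-0142, LT-NYC-0033, SRV-HQ-0007
$namingConvention = '^(WS|LT|SRV)-[A-Z]{2,4}-\d{4}$'

# Constructed sample shaped like the real log, which also starts with a text header we skip.
$sampleLog = @'
ID,Date,Time,Description,IP Address,Host Name,MAC Address,User Name,TransactionID,QResult
10,03/27/23,08:02:13,Assign,10.0.20.41,WS-HQ-0142.corp.local,001122334455,,2086471234,0
11,03/27/23,08:05:40,Renew,10.0.20.17,LT-HQ-0033.corp.local,00AABBCCDDEE,,2086471266,0
10,03/27/23,08:07:02,Assign,10.0.20.88,DESKTOP-8F2K1Q9,3C5A9F112233,,2086471301,0
10,03/27/23,08:09:15,Assign,10.0.20.89,android-4b7c3e9a1f2d,A4B1C2D3E4F5,,2086471322,0
11,03/27/23,08:11:48,Renew,10.0.20.90,,8C1645AABBCC,,2086471350,0
10,03/27/23,08:12:30,Assign,10.0.20.91,SRV-HQ-0007.corp.local,000C29ABCDEF,,2086471377,0
'@

function Get-DhcpLeaseAnomalies {
    param(
        [Parameter(Mandatory)][string[]]$LogLines,
        [string]$Convention = $namingConvention
    )
    foreach ($line in $LogLines) {
        $fields = $line -split ','
        # Event 10 = new lease, 11 = renewal; header, releases and error events are skipped.
        if ($fields.Count -lt 7 -or $fields[0] -notin '10', '11') { continue }
        $hostName = ($fields[5] -split '\.')[0].Trim()   # drop the DNS suffix
        $reason = if (-not $hostName) { 'NoHostName' } elseif ($hostName -notmatch $Convention) { 'OffConvention' } else { $null }
        if ($reason) {
            [pscustomobject]@{
                Date = $fields[1]; Time = $fields[2]; Event = $fields[3]
                IP = $fields[4]; HostName = $hostName; MAC = $fields[6]; Reason = $reason
            }
        }
    }
}

# Sample run; on the DHCP server replace the constructed lines with the real log:
#   Get-Content "$env:SystemRoot\System32\dhcp\DhcpSrvLog-*.log"
$anomalies = Get-DhcpLeaseAnomalies -LogLines ($sampleLog -split "`r?`n")
$anomalies | Sort-Object MAC -Unique | Format-Table -AutoSize
```

On the sample data this reports the DESKTOP-*, android-* and nameless leases and passes the three conventional names. A device can lie about its host name, so the MAC address and the switch port it arrived on are what you follow up with, not the name alone.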
Monitor DNS Logs for Malicious Network Activity
Malware typically phones home to attacker-controlled domains, and these malicious domains often have strange, random-looking names, for example long strings of characters produced by a domain generation algorithm.
To observe the DNS lookups our clients make, we must first enable DNS debug logging on the Windows DNS servers.
Enable DNS Debug Logs on Windows Server
Enabling DNS debug logging on a Windows Server is useful for troubleshooting DNS issues because it records detailed information about DNS queries and responses. Here are the steps we follow:
1. Open the DNS Manager console.
2. Right-click the DNS server and select Properties.
3. Click the Debug Logging tab.
4. Check the box named Log packets for debugging, choose the packet direction and contents to log (incoming queries are enough for this purpose), and set the log file path and maximum size.
Debug logging writes every selected packet to disk and can slow a busy server, so size the log file and its retention appropriately.
Once the debug log is being written, we import it into an analyser to spot malicious activity quickly. To make the log easier to read and filter, we also convert it to CSV format.
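As an added example (not from the original article), the script below parses query lines from the DNS debug log and flags names that look machine-generated: long, high-entropy labels of the kind a domain generation algorithm produces, and oversized TXT lookups typical of DNS tunnelling. The log lines are constructed samples in the server's format; the entropy and length thresholds are assumed starting points to tune against your own baseline.

```powershell
# Added example, not from the original article: parses the DNS debug log written
# by "Log packets for debugging" and flags query names that look machine-generated.
# The log lines are constructed samples in the server's format; the thresholds
# are assumed starting points.

$sampleLog = @'
3/27/2023 10:15:02 AM 0F20 PACKET  000001A2B3C4D5E0 UDP Rcv 10.0.20.41      0002   Q [0001   D   NOERROR] A      (3)www(7)example(3)com(0)
3/27/2023 10:15:03 AM 0F20 PACKET  000001A2B3C4D5F0 UDP Rcv 10.0.20.41      0003   Q [0001   D   NOERROR] A      (14)xk3j9qz7v2wm1p(7)example(3)net(0)
3/27/2023 10:15:04 AM 0F20 PACKET  000001A2B3C4D600 UDP Rcv 10.0.20.17      0004   Q [0001   D   NOERROR] A      (4)mail(7)contoso(3)com(0)
3/27/2023 10:15:05 AM 0F20 PACKET  000001A2B3C4D610 UDP Rcv 10.0.20.88      0005   Q [0001   D   NOERROR] TXT    (32)a9f3c2e1b7d04f6a8c5e2b1d9f0a3c7e(6)c2beac(3)xyz(0)
'@

# One received query: timestamp, thread, PACKET, pointer, proto, Rcv, client, xid, Q, [flags], type, name
$queryPattern = '^(?<time>\S+ \S+ \S+)\s+\S+\s+PACKET\s+\S+\s+(?<proto>UDP|TCP)\s+Rcv\s+(?<client>\S+)\s+\S+\s+Q\s+\[[^\]]*\]\s+(?<type>\S+)\s+(?<name>\(\d+\)\S*\(0\))'

function Get-ShannonEntropy {
    # Bits per character; random alphanumerics approach log2(36), English words sit nearer 2.5-3.
    param([string]$Text)
    if (-not $Text) { return 0.0 }
    $entropy = 0.0
    foreach ($group in ($Text.ToCharArray() | Group-Object -CaseSensitive)) {
        $p = $group.Count / $Text.Length
        $entropy -= $p * [math]::Log($p, 2)
    }
    return $entropy
}

function ConvertFrom-DnsDebugName {
    # "(3)www(7)example(3)com(0)" -> "www.example.com"
    param([string]$Encoded)
    $labels = [regex]::Matches($Encoded, '\(\d+\)([^(]*)') | ForEach-Object { $_.Groups[1].Value } | Where-Object { $_ }
    return ($labels -join '.')
}

function Get-SuspiciousDnsQueries {
    param(
        [Parameter(Mandatory)][string[]]$LogLines,
        [double]$EntropyThreshold = 3.5,   # assumed
        [int]$LabelLengthThreshold = 12    # assumed
    )
    foreach ($line in $LogLines) {
        if ($line -match $queryPattern) {
            $m = $Matches
            $fqdn = ConvertFrom-DnsDebugName $m['name']
            $leftmost = ($fqdn -split '\.')[0]
            $entropy = [math]::Round((Get-ShannonEntropy $leftmost), 2)
            $flags = @()
            if ($leftmost.Length -ge $LabelLengthThreshold -and $entropy -ge $EntropyThreshold) { $flags += 'HighEntropyLabel' }
            if ($m['type'] -eq 'TXT' -and $leftmost.Length -ge 30) { $flags += 'LongTxtLookup' }
            [pscustomobject]@{
                Time = $m['time']; Client = $m['client']; Type = $m['type']
                Name = $fqdn; Entropy = $entropy; Flags = ($flags -join ',')
            }
        }
    }
}

$results = Get-SuspiciousDnsQueries -LogLines ($sampleLog -split "`r?`n")
$results | Sort-Object { $_.Flags -ne '' }, Entropy -Descending | Format-Table -AutoSize
# Real log: Get-Content on the file path set on the Debug Logging tab. To keep a filterable copy:
# $results | Export-Csv .\dns-queries.csv -NoTypeInformation
```

On the sample lines, www.example.com and mail.contoso.com score low and stay unflagged, the 14-character label is flagged as high entropy, and the 32-character TXT lookup is flagged as a tunnelling candidate. Legitimate CDN and telemetry names also produce high-entropy labels, so group the flagged results by client and domain before raising anything.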
Use the Latest ADFS Security Features
- Smart Lockout: uses algorithms to tell familiar sign-in activity from unusual attempts and locks out only the unfamiliar ones, so an attacker guessing passwords from outside does not lock the real user out.
- IP Lockout: blocks sign-ins from known malicious IP addresses using Microsoft’s threat intelligence database.
- Attack Simulations: regular phishing tests to train end users; Microsoft is set to release phishing-simulation software soon.
- MFA Authentication: Microsoft’s multi-factor authentication solution to strengthen login security.
- Banned Passwords: checks new passwords against Microsoft’s global list of commonly used and easily guessed passwords.
- Azure AD Connect Health: offers several useful reports for monitoring Active Directory health and security.
- Custom Banned Passwords: the ability to add an organisation-specific list of banned words (company name, product names, local terms) to check against.
Document Delegation to AD
Security groups are the best way to regulate access to Active Directory and related resources. If we delegate rights directly to individual accounts instead, we lose track of who has access.
Create custom groups with descriptive names, record who has rights through them, and define a process for adding new members. Add users to these groups only through that approval process; without it, group delegation is just another way permissions get out of control.
Know which groups are delegated to which resources, document it, and make sure our team is on the same page.
Active Directory Security Best Practices: Protect Your Environment Conclusion
In summary, implementing Active Directory security best practices is essential to safeguarding sensitive data and resources, mitigating risks of cyber attacks and insider threats, and maintaining the integrity and availability of IT systems. Following these best practices requires ongoing diligence, attention to detail, and monitoring of the effectiveness of security measures. Ultimately, organizations prioritizing Active Directory security better protect their environment and maintain the trust of their customers and stakeholders.