Active Directory Security Checklist: Ensure Your System is Fortified. Active Directory (AD) is a common target during cybersecurity attacks for several compelling reasons. AD serves as a primary authentication and authorization service in Windows environments. Compromising AD allows attackers to gain control over user accounts, passwords, and access permissions, providing a gateway to the entire network.
Additionally, compromising AD provides attackers with a persistent presence within the network. As Active Directory is used for establishing trust relationships between domains compromising of one domain means compromising of all domains it has trust with.
Furthermore, many regulatory frameworks and industry standards, such as GDPR, HIPAA, and PCI DSS, require organizations to implement security measures to protect sensitive data.Ā
Therefore, securing domain controllers is critical element of the reliable cyber defence strategy. One of the methodsĀ is to apply a checklist. ā Create a list of items that should be configured the proper way to ensure the security of AD, then perform assessment of the existing configuration. As AD is a complex system, divide the list into several categories.
Account Security
As Active Directory Domain Services works as an identity provider, the security planning should have the prevention of the credential theft. During the security assessment, you should review2 areas related to the credential theft ā preventive measures and damage reduction measures. Preventive measures may include:
- Usage of separate administrative accounts. Usually applied for the personnel that have high system privileges, such as Domain Administrator or Enterprise Administrators. Users (usually from IT department) have two separate accounts ā the regular one, used for email access and other daily activities, and the privileged one, which is assigned administrative permissions. Since the privileged account is rarely used has many usage restrictions, the risk of credential theft is minimized.
- Usage of separate hosts for the administrative access. Usually used in addition for previous one. For the privileged accounts, log in to the regular workstations is forbidden, they are only used to login to a separate host which is highly protected, donāt have any unnecessary software and are carefully maintained. Typically, these hosts are monitored for any security-related events and require secure authentication methods, such as authentication using smart-cards. For more details about deploying secure administrative hosts, see Implementing Secure Administrative Hosts.
- Education of end users. This measure prevents credential theft of non-privileged accounts. Usually, it includes some formal awareness sessions and courses to teach users about tricks hackers used to steal the credentials. Accounts of users with executive roles within organization are most attractive and may become the victims of whaling attacks (more details about whaling is here What is a Whaling Attack?), therefore may require additional attention.
Damage reduction measures help to minimize the damage in the scenario of the credential are actually stolen. The measures may include:
- Enforcement of multi-factor authentication. In case login and password was stolen, MFA not only reduces the damage, it completely prevents any harm by preventing the login without the second factor. For securing Active Directory, it is highly recommended to adopt MFA and enforce its usage for all users.
- Following the principle of least privilege. Principle of least privilege (PoLP) should be followed during the provision of access to the systems and data.Ā
- Usage of Just-in-time access. One of the most common security misconfiguration is assignment of privileged permissions on the permanent basis. Admin permissions must be assigned temporarily, only for the period they are actually used. In this case, the account doesnāt have any privileges assigned for the most time, and in case of theft the damage is minimized.
Network Security
Domain controllers must be protected from the connections that can be used to get unauthorized access. Checklist must include but not limited to the following items:
- Inbound connections. No external inbound connections must be allowed to domain controllers. In case there is a need for authentication of external applications, additional tools like Active Directory Federation Services or Microsoft Entra ID must be used.
- Firewall configuration. No extra network traffic must be allowed to and from domain controllers. The list of ports required for proper DC communication is here How to configure a firewall for Active Directory domains and trusts, all other traffic must be blocked, especially access to Internet.
- Remote connections must be restricted. For most of the administrative tasks, there is no need for direct connection to the domain controller, they may be performed remotely. Remote Desktop Protocol must be allowed only from the trusted machines, such as jump servers, and only to the limited set of user accounts.
- LDAP traffic encryption. Enable LDAP over TLS ā that way server uses encrypted LDAP queries from the clients. To enforce the encryption you need to place the proper TLS certificate to the personal certificate store of the domain controller and enable policies that restrict the usage of unencrypted LDAP traffic. For more details, see Enable LDAP over SSL with a third-party certification authority.
Try InfraSOS for FREE
Try InfraSOS Active Directory, Azure AD & Office 365 Reporting & Auditing Tool
- Free 15-Days Trial
- SaaS AD Reporting & Auditing Solution
Operating System Security
Operating System Patching
One of the mandatory items for Active Directory Security Checklist is to ensure whether all your domain controllers running on supported Operating System (OS). To check it, go to Search Product and Services Lifecycle Information webpage and find the OS you use.
Here Mainstream End Date means the date when the OS stops receiving new features ā this one is safe to skip. Extended End Date defines the date when OS stops receiving the security patches ā this date is the critical one. Ensure you upgrade all your domain controllers before this date. In case the upgrade is impossible, purchase the extended security updates or deploy Azure Arc.
After ensuring all your servers get the new security patches, examine whether patches are installed in time. Patches are released on the 2nd Tuesday of each month. Patch deployment must be documented in the patch management procedure and should be strictly followed.
Attack Surface Reduction
No extra softwareĀ to be presented on server running Active Directory Domain Controller role. Ideally, the server must only have the following components:
- Windows Server Core edition. Desktop environment is unnecessary, it increases the attack surface, requires extra resources and encourages administrator to connect to the server using RDP to perform tasks they could easily do remotely.
- Only Active Directory Domain Controller role installed. DC servers should be single-purpose machines, presence of other roles is not recommended.
- Only antivirus software is installed. Presence of third-party software is not recommended, because vulnerabilities in installed applications can be used by attackers to access the server. Antivirus is the only acceptable exclusion from this rule.
Malware Protection
- Antivirus presence. Antivirus software must be installed and reliable. Additionally, install threat detection system (for example Microsoft Defender for Identity)
- Antivirus maintenance. Ensure, antivirus is properly maintained and receives feature and signature updates in time, is properly configured, etc. For example, it is recommended by Microsoft (in the Virus scanning recommendations for Enterprise computers that are running Windows or Windows Server) to exclude SYSVOL and NTDS database from antivirus scanning.
Monitoring
Security event log of all domain controllers must be monitored for the specific events. Configure audit policy to log the events related to identity-related activities (e.g. enable policies for Audit Security Group Management, Audit User Account Management, Audit Logon, etc., the full list is found in Audit Policy Recommendations) and to directory-related activities (Audit Directory Service, Audit Directory Service Changes).
Also ReadĀ Securing Remote Access to Active Directory
Server Security
Servers that have the domain controller role must be protected no matter you use physical or virtual servers. Include the following items to the Active Directory security checklist:
- Datacenter/Server Room physical security. Does the physical location where domain controllers are placed have proper physical security measures? If proper physical security cannot be provided in some locations (remote/branch offices), ensure only read-only domain controllers are located there.
- Disk drive encryption. Ensure all domain controllers have proper BitLocker Drive Encryption configuration and all the data is encrypted at rest. Since encryption is not possible for SAN/NAS storages, for domain controllers locally attached storages are preferable.
- Virtual infrastructure security. In case domain controllers are running on virtual machines, ensure that virtual infrastructure is secured. PoLP must be applied to the accounts used for virtualization administration, host machines must be patched regularly, and the vendorās security best practices must be followed.
- Backup infrastructure security. Ensure that the used backup solution supports encryption at both rest and transition, and that the backup storage room has the proper physical security.
I hope you found Active Directory Security Checklist: Ensure Your System is Fortified article very useful. Let’s conclude this article’s thought’s.
Active Directory Security Checklist: Ensure Your System is Fortified Conclusion
In conclusion, safeguarding AD is critical for ensuring the overall security and resilience of an organization’s IT infrastructure. The provided checklist covers key aspects of AD security, emphasizing the implementation of measures to protect against various cyber threats.
The checklist begins with a focus on Account Security, recognizing that AD’s role as an identity provider makes credential theft a significant concern. Preventive measures, such as using separate administrative accounts and hosts, educating end-users, and enforcing multi-factor authentication, are vital for minimizing the risk of unauthorized access.
Network Security is addressed through measures like restricting inbound connections, configuring firewalls, and implementing secure LDAP traffic encryption. These actions help safeguard domain controllers from unauthorized access and ensure the integrity of communication within the network.
Operating System Security is critical, emphasizing the importance of keeping the domain controller up to date by regular patching of OS and third-party components, and recommendations for keeping the attack surface as small as possible. The checklist also underscores the significance of monitoring security event logs to detect and respond to identity-related activities effectively.
Server Security considerations include physical security, disk drive encryption, and securing virtual and backup infrastructures. Attention to these aspects ensures that domain controllers, whether physical or virtual, are resilient against various attack vectors.
Additionally, each IT engineer should understand that no matter how comprehensive your checklist is, there is always a possibility for the Active Directory compromise, and you should be ready for it. It is considered as a good practice to have a detailed incident response plan that can be used in scenario of successful cyber-attack. To create a plan, you can use Microsoft article Planning for Compromise as a baseline.
Try InfraSOS for FREE
Try InfraSOS Active Directory, Azure AD & Office 365 Reporting & Auditing Tool
- Free 15-Days Trial
- SaaS AD Reporting & Auditing Solution
