Using Group Policy to Enhance Active Directory Security
Do you want to learn how to use Group Policy to enhance the security of your Active Directory network? This article discusses the policies you can configure to improve the security of your AD environment.
Moreover, I also cover best practices for implementing these security group policies.
Shall we start the article Using Group Policy to Enhance Active Directory Security?
Standard Group Policies to Improve Active Directory Security
Group Policy offers 16 security policies. However, I discuss the 5 you need to lock down and secure your AD infrastructure.
The policies I discuss below are under the Computer Configuration -> Policies -> Windows Settings -> Security Settings node.
Password Policies
Forcing users to choose a unique password when they reset it (the Enforce password history policy) secures your AD environment by ensuring users do not reuse the same password. If users are allowed to reuse a password, their accounts are more vulnerable to attack.
Administrators use the Minimum password age policy to force AD users to keep a password for the number of days set in this policy. That stops users from cycling through several passwords in a row to get back to an old one, which would defeat the password history.
Furthermore, another policy that enhances AD security is Minimum password length, which determines the minimum number of characters a user’s password must contain.
This policy forces users to use longer passwords, which are harder for attackers to guess.
In addition, the Password must meet complexity requirements policy forces users to create complex passwords. That prevents them from using easily guessable passwords.
Account Lockout Policies
Account Lockout Policies provide the settings you need to stop password guessing attacks. Locking an account after repeated failed attempts stops an attacker from continuing to guess that account's password. The most critical of all the policies in this category is the Account lockout threshold policy.
Use the Account lockout threshold policy to specify how many failed login attempts lock a user's account. When AD locks an account that reaches the threshold set in this policy, an Administrator must unlock it. However, if the Account lockout duration policy is set, the account unlocks automatically after the lockout duration.
The Account lockout duration policy is another critical policy in this category. It determines how long (in minutes) a locked-out account remains locked before AD automatically unlocks it.
The last policy in the Account Lockout Policies category is Allow Administrator account lockout. By default, the built-in Administrator account is not subject to the account lockout policy.
When you enable the Allow Administrator account lockout policy, you force the built-in Administrator account to be subject to the account lockout policy discussed earlier.
Kerberos Policies
Windows Domain Controllers use the Kerberos authentication protocol to verify the identity of users, computers, and services within the domain. Once an identity is authenticated, it is granted access to resources.
The Kerberos Policies group policy controls the behaviour of the Kerberos protocol on domain joined computers. This group policy category offers 5 options to determine how Kerberos responds to and manages requests.
When Kerberos grants access, it issues a session (service) ticket that the client presents to the network resource. Without further checks, the KDC does not validate every session ticket request against the user's logon rights on the target computer.
However, enabling the Enforce user logon restrictions policy changes this behaviour: the KDC checks the user's logon rights (such as Allow log on locally or Access this computer from the network) for every session ticket request.
By validating every request, the policy improves Active Directory security by reducing the chance that a session ticket is issued to a user who is no longer allowed to log on to that computer. The Maximum lifetime for service ticket policy controls how long (in minutes) a session ticket can be used to access a service.
The Maximum lifetime for user ticket policy controls the maximum duration (in hours) of a user's ticket-granting ticket (TGT). The Maximum lifetime for user ticket renewal policy determines the period (in days) during which a TGT can be renewed.
The Maximum tolerance for computer clock synchronization policy establishes the acceptable difference between a client's and a DC's clock. If the time difference exceeds the value set in this policy, Kerberos V5 authentication fails.
Keeping this tolerance small mitigates "replay attacks," because a captured ticket or authenticator can only be replayed within the clock-skew window.
Audit Policies
The Audit Policy category offers an Audit account logon events policy that generates Success or Failure events when accounts authenticate. Administrators detect potential brute-force attacks by monitoring these events.
If an administrator sees many Failure events after enabling this policy, especially for one account or from one source in a short period, it could indicate a malicious user trying to sign in to AD.
The next policy in the Audit Policy category is Audit account management. This policy determines whether Active Directory logs account management activities such as creating, renaming, disabling, or deleting an account, or changing its password.
There are more policies in the Audit Policy category. To read more about it visit the Microsoft Audit Policy page.
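The monitoring described above, as an added example (not code from the original article): it reads failed logons from the Security log and flags account/source pairs with many failures. It assumes you run it on a domain controller (event 4771, Kerberos pre-authentication failed) or a member server (event 4625, an account failed to log on); the look-back window and threshold are assumptions you tune for your environment.

```powershell
# Added example: summarise failed logons from the Security log to spot password guessing.
# Requires "Audit account logon events" / "Audit logon events" Failure auditing to be on.
function Get-FailedLogonSummary {
    param(
        [int]$Hours = 1,        # look-back window (assumed default)
        [int]$Threshold = 10    # failures per account/source before we flag it (assumed default)
    )
    # 4771 = Kerberos pre-auth failed (DCs), 4625 = an account failed to log on (any host)
    $filter = @{ LogName = 'Security'; Id = 4625, 4771; StartTime = (Get-Date).AddHours(-$Hours) }
    $events = Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue

    # Pull the named EventData fields out of each event's XML
    $rows = foreach ($e in $events) {
        $field = @{}
        foreach ($d in ([xml]$e.ToXml()).Event.EventData.Data) { $field[$d.Name] = $d.'#text' }
        [pscustomobject]@{
            Account = $field['TargetUserName']
            Source  = $field['IpAddress']
            Status  = $field['Status']      # e.g. 0x18 on 4771 means a bad password
        }
    }

    # Group by account and source; only report pairs above the threshold
    $rows | Group-Object Account, Source |
        Where-Object { $_.Count -ge $Threshold } |
        ForEach-Object {
            [pscustomobject]@{
                Account  = $_.Group[0].Account
                Source   = $_.Group[0].Source
                Failures = $_.Count
                Statuses = ($_.Group.Status | Sort-Object -Unique) -join ','
            }
        } | Sort-Object Failures -Descending
}

Get-FailedLogonSummary -Hours 24 -Threshold 10 | Format-Table -AutoSize
```

Many failures for one account from one source is the lockout-trigger pattern; many accounts from one source with one failure each is the password-spray pattern that lockout thresholds alone do not catch.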
User Rights Assignments Policies
User Rights Assignment policies allow admins to specify which Active Directory users or groups have permission to perform some sensitive system level tasks on a domain joined or a local computer.
There are over 40 policies in User Rights Assignment. However, I focus on the most relevant for securing Active Directory: specifically, the Take Ownership of Files or Other Objects and Act as Part of the Operating System policies.
I also cover the Logon as a Batch Job, Logon as a Service, and Logon Locally policies.
Security Options Policies
The most relevant Security Options policies for enhancing the security of AD are Interactive logon, User Account Control (UAC), Network access, and Domain controller security policies.
They protect Active Directory against attacks such as Pass-the-Hash and brute-force attacks. Additionally, some of the group policy settings here (for example, requiring SMB signing) may also prevent SMB relay attacks.
Up next in Using Group Policy to Enhance Active Directory Security, we look at Windows Defender Firewall.
Windows Defender Firewall with Advanced Security Policies
If you support the Windows operating system, you should know Windows Defender Firewall with Advanced Security (WDFAS). WDFAS is the built-in firewall that controls inbound and outbound traffic on Windows PCs.
Admins use the Windows Defender Firewall with Advanced Security snap-in to configure firewall policies for individual PCs.
However, network admins who want to deploy unified inbound and outbound policies across domain-joined computers use the Windows Defender Firewall with Advanced Security policy in the Group Policy Management Console.
Inbound and Outbound Firewall Rules
Admins create firewall rules that control network traffic. Inbound rules govern traffic coming into a computer, while outbound rules determine which traffic is allowed out of a computer.
Connection Security Rules
Connection security rules define how traffic between computers is authenticated and, optionally, encrypted. For instance, an admin creates a connection security rule that requires traffic encryption using IPsec. Additionally, a connection security rule may require digital certificates to authenticate the computers.
Wired (IEEE 802.3) and Wireless (IEEE 802.11) Network Policies
Wired (IEEE 802.3) Network Policies
The Security tab of a Wired Network policy allows you to configure a Wired Connection Profile with one of the following authentication methods: Protected EAP (PEAP), EAP-SIM, EAP-TTLS, or EAP-AKA.
Once configured, you deploy it to all computers joined to your AD domain.
Forcing all domain-joined computers to authenticate their wired connections (IEEE 802.1X) protects against Address Resolution Protocol (ARP) Spoofing, DHCP Snooping, MAC Spoofing, or Network Eavesdropping attacks.
Wireless (IEEE 802.11) Network Policies
The wireless (IEEE 802.11) network policies permit admins to configure domain joined computers using wireless connections to authenticate with one of the methods I listed in the last subsection.
Software Restriction Policies
One of the greatest threats to an Active Directory domain is the distribution of malware or viruses. So, to secure it against malicious software, an admin deploys Software Restriction Policies, which define rules for what software may run in an AD domain.
For example, an admin defines a Hash Rule specifying a file’s cryptographic hash value. This hash value is then used to identify files, and the policy allows or denies the file from executing, depending on the settings in the policy.
Moreover, admins define Path Rules that specify a file, folder, or registry key path. The Software Restriction policy then evaluates files on users’ computers based on the path rule and decides whether to allow or deny software from running.
Software Restriction Policies offer an effective tool for controlling software allowed to run on domain-joined computers. This policy protects computers in an AD domain against Malware infections, Zero-day, Trojan horse, or Privilege escalation attacks.
Best Practices for Implementing Active Directory Security Group Policies
In the first section of Using Group Policy to Enhance Active Directory Security, we discussed the top 5 security group policies admins use to improve the security of their AD infrastructure. This section discusses best practices for implementing them.
Password Policy Best Practices
Set a maximum password age: Microsoft recommends setting a maximum password age between 30 and 90 days.
Use the Maximum password age policy to set the maximum number of days your users are required to change (reset) their passwords. This policy is set to 42 days by default.
Enforce password complexity requirements: require users to create passwords of at least 8 characters.
Enabling this policy also forces AD users to use a combination of lowercase, and uppercase letters, numbers, and special characters. Microsoft enables this policy by default.
Stop AD users from reusing passwords: to prevent it enable the “Enforce password history” policy.
Then, enter the number of unique new passwords a user must use before Active Directory allows a previous password to be reused. The value must be between 0 and 24 unique passwords.
Account Lockout Policy Best Practices
Set suitable thresholds for lockouts: Microsoft recommends setting it to zero (0) so that user accounts are never locked out. Also, setting the value of the "Account lockout threshold" to 0 mitigates Denial of Service (DoS) attacks in which an attacker deliberately triggers lockouts.
Alternatively, set the value of this policy to a high value to allow users to mistype their passwords several times without being locked out. However, ensure it is not so high that it exposes your AD environment to brute-force password attacks.
Enable the Account lockout duration policy: when an account is locked out, it cannot be used until an administrator manually unlocks it or the account lockout duration expires.
Microsoft recommends setting it to a relatively low value of about 15 minutes.
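The password and lockout best practices above, as an added example (not code from the original article): it compares the default domain policy with a baseline built from the values the article gives and applies the baseline only after showing the drift. It assumes the ActiveDirectory RSAT module and Domain Admin rights; the minimum password age and lockout threshold are assumed values, since the article gives none.

```powershell
# Added example: report and apply a password/lockout baseline for the default domain policy.
Import-Module ActiveDirectory

# Desired settings. Values marked "assumed" are not stated in the article.
$Desired = @{
    MaxPasswordAge           = New-TimeSpan -Days 90      # article: 30 to 90 days
    MinPasswordAge           = New-TimeSpan -Days 1       # assumed; must be less than MaxPasswordAge
    MinPasswordLength        = 8                          # article: at least 8 characters
    ComplexityEnabled        = $true                      # article: complexity on (Microsoft default)
    PasswordHistoryCount     = 24                         # article: 0 to 24, take the maximum
    LockoutThreshold         = 10                         # assumed "high enough" threshold
    LockoutDuration          = New-TimeSpan -Minutes 15   # article: about 15 minutes
    LockoutObservationWindow = New-TimeSpan -Minutes 15   # must not exceed LockoutDuration
}

# Returns one row per setting that differs from the baseline (nothing if compliant)
function Get-PasswordPolicyDrift {
    param([hashtable]$Desired)
    $current = Get-ADDefaultDomainPasswordPolicy
    foreach ($name in $Desired.Keys) {
        $actual = $current.$name
        if ($actual -ne $Desired[$name]) {
            [pscustomobject]@{ Setting = $name; Current = $actual; Desired = $Desired[$name] }
        }
    }
}

$drift = Get-PasswordPolicyDrift -Desired $Desired
if (-not $drift) {
    Write-Host 'Default domain password and lockout policy already matches the baseline.'
} else {
    $drift | Format-Table -AutoSize
    # Apply the baseline to the domain. Remove -WhatIf once the drift report looks right.
    Set-ADDefaultDomainPasswordPolicy -Identity (Get-ADDomain).DistinguishedName @Desired -WhatIf
}
```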
Kerberos Policies Best Practices
Enable Maximum tolerance for computer clock synchronization policy: setting this policy reduces the possibility of “replay attacks.” Microsoft recommends setting this value to 5 minutes.
Use the "Maximum lifetime for service ticket" to set appropriate ticket lifetimes: according to Microsoft, the best-practice value for this policy is 600 minutes. This value balances user convenience and productivity with security.
Setting the value longer than the recommended 600 minutes may improve productivity by reducing how often clients need to request new tickets. However, it also lengthens the window in which a compromised ticket can be used by an attacker.
Best Practices for Implementing Local Policies
The Local Policies node of the Group Policy Management Console (GPMC) allows admins to set Audit, User Rights Assignment, and Security Options policies.
Audit Policies Best Practices
Define the scope of your Audit Policy: first, define the scope of the auditing to determine whether to place your audit policy GPO at the domain level or on individual OUs.
For example, to configure auditing for your Domain Controllers, you may decide to place the audit policy GPO at the "Domain Controllers" OU. Additionally, you may have a different GPO for all member servers.
Then decide which events to audit, for example logon events, privilege use, and object access for Domain Controllers.
This informs which audit policies you enable.
Configure and secure audit logs: the next step is to secure the audit logs to protect them from unauthorized access and tampering.
To learn how to use Group Policy to set application and system log security for domains, OUs, or sites, see the Microsoft page How to set event log security locally or by using Group Policy.
Security Options Policies Best Practices
Rename administrator and guest accounts: one source of vulnerability for any AD infrastructure is the local Administrator and Guest accounts, because attackers know that Windows computers use these login names and try them first.
To safeguard against this, enable the Accounts: Rename administrator account and Accounts: Rename guest account policies and use them to rename the accounts. Note that renaming does not change the account's SID (which still ends in -500), so treat it as one layer of defence alongside a strong password.
Limit local account use of blank passwords to console logon only: to limit the risk of passwordless local accounts, enable the "Accounts: Limit local account use of blank passwords to console logon only" policy.
When you enable this policy, local accounts with blank passwords can only log on at the computer's keyboard.
User Rights Assignments Policies Best Practices
Observe the principle of least privilege: it is best practice never to grant users and groups access beyond what they need to do their job.
Microsoft recommends logging in with a non-admin account and using "Run as administrator" when required to perform admin tasks.
Allow only admins to log on locally: to allow only administrators to log on locally, configure the Allow log on locally policy and list the Administrators group as the only entry.
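The Kerberos, Security Options and User Rights best practices above, checked in one added example (not code from the original article). It parses a security template in the SecEdit INF format, which is both what a GPO stores as GptTmpl.inf under SYSVOL and what "secedit /export /cfg file.inf" writes on a member computer, and tests the recommended values. The sample template is constructed for offline running and the expected values are the article's where it states them; everything else (the two planted misconfigurations, the file path) is an assumption.

```powershell
# Added example: check a SecEdit template against the recommendations in this article.
function ConvertFrom-SecurityTemplate {
    param([string[]]$Lines)
    $sections = @{}; $current = $null
    foreach ($line in $Lines) {
        $line = $line.Trim()
        if ($line -match '^\[(.+)\]$') { $current = $Matches[1]; $sections[$current] = @{}; continue }
        if ($current -and $line -match '^([^=]+?)\s*=\s*(.*)$') { $sections[$current][$Matches[1]] = $Matches[2] }
    }
    $sections
}

function Test-SecurityTemplate {
    param([string[]]$Lines)
    $t = ConvertFrom-SecurityTemplate $Lines
    $lsa = 'MACHINE\System\CurrentControlSet\Control\Lsa\LimitBlankPasswordUse'
    $checks = @(
        @{ Name = 'Kerberos MaxClockSkew = 5 min';     Section = 'Kerberos Policy';  Key = 'MaxClockSkew';  Expect = '5' }
        @{ Name = 'Kerberos MaxServiceAge = 600 min';  Section = 'Kerberos Policy';  Key = 'MaxServiceAge'; Expect = '600' }
        @{ Name = 'Blank passwords: console only';     Section = 'Registry Values';  Key = $lsa;            Expect = '4,1' }
    )
    foreach ($c in $checks) {
        $actual = $t[$c.Section][$c.Key]
        [pscustomobject]@{ Check = $c.Name; Actual = $actual; Pass = ($actual -eq $c.Expect) }
    }
    # Administrator renamed: NewAdministratorName must be set and differ from the default
    $admin = $t['System Access']['NewAdministratorName'] -replace '"', ''
    [pscustomobject]@{ Check = 'Administrator account renamed'; Actual = $admin
                       Pass = [bool]($admin -and $admin -ne 'Administrator') }
    # Allow log on locally (SeInteractiveLogonRight): only Administrators (S-1-5-32-544)
    $right = $t['Privilege Rights']['SeInteractiveLogonRight'] -split ',' | ForEach-Object { $_.Trim() }
    [pscustomobject]@{ Check = 'Allow log on locally = Administrators only'; Actual = ($right -join ',')
                       Pass = (@($right | Where-Object { $_ -ne '*S-1-5-32-544' }).Count -eq 0) }
}

# Constructed sample template with two deliberate failures (default admin name, Users can log on locally)
$sample = @'
[System Access]
NewAdministratorName = "Administrator"
[Kerberos Policy]
MaxClockSkew = 5
MaxServiceAge = 600
[Privilege Rights]
SeInteractiveLogonRight = *S-1-5-32-544,*S-1-5-32-545
[Registry Values]
MACHINE\System\CurrentControlSet\Control\Lsa\LimitBlankPasswordUse=4,1
'@ -split "`r?`n"

Test-SecurityTemplate -Lines $sample | Format-Table -AutoSize
# Real template (assumed path): Test-SecurityTemplate -Lines (Get-Content 'C:\temp\export.inf')
```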
Best Practices for Implementing Windows Defender Firewall with Advanced Security Policies
Keep the Default Firewall Settings
Microsoft recommends retaining the default policies set on the PCs, so it is important to replicate these local policies in your GPO.
Review local inbound and outbound rules to determine group policy settings for Windows Defender Firewall with Advanced Security.
All in all, the most reliable way to replicate the settings from a local computer is to open Windows Defender Firewall with Advanced Security on that computer, right-click the top node, and select Export Policy.
Create Custom Inbound Firewall Rules
After importing the default firewall rule, the next step is to define custom firewall rules to accommodate your organization’s needs. However, to successfully create custom inbound rules, you need to understand rule precedence for inbound firewall rules.
Before admins create custom Firewall rules via group policy, they should bear the following rule precedence in mind:
- When you define an explicit Allow rule, it takes precedence over the default block rule settings.
- Defining explicit Block rules takes precedence over any conflicting Allow rules.
- Rules that are more specific take precedence over rules that are less specific. The only exception is explicit Block rules, as in the second point above.
Create Custom Outbound Rules
Before you create your outbound rules, bear the following best practices in mind:
- Consider using the default configuration of Blocked for Outbound rules if you manage a highly secure environment.
- Admins should keep an inventory of all apps used in the environment. The recorded information in the inventory should include each app’s network connectivity and port requirement.
- Admins should create Outbound Allow rules for approved applications. Once an administrator has created all the Allow Outbound rules for approved applications, she can set the default Outbound rule to Block so that only the explicitly allowed apps operate in the network.
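The outbound allow-list procedure above (inventory, explicit Allow rules, then default Block), as an added example (not code from the original article) that writes the rules straight into a firewall GPO with the NetSecurity module. The GPO name, the application paths and the inventory itself are assumptions; the domain is the one the article uses.

```powershell
# Added example: build an outbound allow-list in a firewall GPO from an app inventory.
Import-Module NetSecurity

$domain  = 'corp.itechguides.com'
$gpoName = 'Workstation Firewall'               # assumed; create it first with New-GPO

# Constructed inventory: each approved app with its program path and the port it needs
$approvedApps = @(
    @{ Name = 'Outlook';   Path = '%ProgramFiles%\Microsoft Office\root\Office16\OUTLOOK.EXE'; Port = 443 }
    @{ Name = 'CorpAgent'; Path = '%ProgramFiles%\CorpAgent\agent.exe';                        Port = 8443 }
)

# Open the GPO once, batch every change, then save (one SYSVOL write instead of one per rule)
$gpo = Open-NetGPO -PolicyStore "$domain\$gpoName"

# Explicit Allow rules for approved apps (these beat the default Block, precedence rule 1)
foreach ($app in $approvedApps) {
    New-NetFirewallRule -GPOSession $gpo -DisplayName "Allow Out - $($app.Name)" `
        -Direction Outbound -Action Allow -Profile Domain `
        -Program $app.Path -Protocol TCP -RemotePort $app.Port | Out-Null
}

# An explicit Block beats any conflicting Allow (precedence rule 2): stop a retired tool
# from reaching the network even if a broader Allow rule is added later. Path assumed.
New-NetFirewallRule -GPOSession $gpo -DisplayName 'Block Out - legacy updater' `
    -Direction Outbound -Action Block -Profile Domain `
    -Program '%ProgramFiles%\LegacyTool\updater.exe' | Out-Null

# Default-deny in both directions on the domain profile, as recommended for high-security environments
Set-NetFirewallProfile -GPOSession $gpo -Profile Domain `
    -DefaultInboundAction Block -DefaultOutboundAction Block

Save-NetGPO -GPOSession $gpo

# Verify the GPO contents without waiting for a client to refresh policy
Get-NetFirewallRule -PolicyStore "$domain\$gpoName" |
    Select-Object DisplayName, Direction, Action, Enabled | Format-Table -AutoSize
```

Link the GPO to a pilot OU before the domain: once the default outbound action is Block, anything missing from the inventory stops working.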
Best Practices for Implementing Wired and Wireless Networks Policies
Define a Topology of Trusted and Untrusted Devices and Networks
In order to implement a robust wired and wireless access policy, define trusted and untrusted networks and devices. A typical example of a trusted device is a domain-joined computer that meets defined criteria, such as having the latest patches and antivirus software installed.
Similarly, an untrusted network could be a wireless network that guests connect to.
Based on this topology, an admin decides what network access policies to define for individual network segments and devices.
Use Strong Encryption Methods
When admins are implementing wired and wireless access policies, it is best to use strong encryption to secure network traffic. This includes encrypting traffic between domain controllers and client computers using IPsec or SSL/TLS.
Use a Dedicated Wireless Network for Guests
Create a separate wireless network for visitors or guests.
Since this network will fall under your “untrusted networks,” you apply a stronger lockdown to the guest wireless network to reduce the security risk to your AD domain. For example, the “guest only” network should have limited access to your corporate network.
Best Practices for Implementing Software Restriction Policies
Create a Separate Group Policy Object for Software Restriction Policy
Creating a separate group policy object for your Software Restriction Policy allows you to disable the policy without disabling all other policies in your domain.
To make a copy of the Default Domain Policy, expand the Group Policy Objects node in the Group Policy Management Console (GPMC). Then, right-click the Default Domain Policy GPO and select Copy.
Next, right-click the Group Policy Objects node and click Paste. GPMC displays a Copy GPO dialogue box; click OK.
Finally, rename the copied GPO, then drag and drop it to the container you want to apply the GPO. In this example, I want to apply the Software Restriction Policy to the domain’s root, corp.itechguides.com.
Test the Policies Before Deployment
Earlier, I mentioned that applying your Software Restriction Policy may cause some problems that might require you to disable the GPO. One way to avoid this is to test your policy on an AD container with a few computers.
When you’re happy with the outcome of the test, deploy the policy domain-wide.
Use Windows Safe Mode to Troubleshoot Problems
In the event that your new Software Restriction Policy accidentally locks down a computer, modify the policy. Then, restart the computer in safe mode. When you start a computer in safe mode, Software Restriction Policy does not apply.
After restarting the PC in safe mode, sign in with your administrator account and run gpupdate to apply the new policy immediately. Finally, restart the PC normally.
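The separate-GPO, pilot-test and roll-back steps above, as an added example (not code from the original article) using the GroupPolicy module. The pilot OU, the pilot computer name and the GPO name are assumptions; the domain is the one in the article. The hash and path rules themselves are still defined in the GPO editor.

```powershell
# Added example: create, pilot, promote and roll back a Software Restriction Policy GPO.
Import-Module GroupPolicy

$domainDn = 'DC=corp,DC=itechguides,DC=com'
$pilotOu  = "OU=SRP-Pilot,$domainDn"            # assumed OU containing a few test computers
$gpoName  = 'Software Restriction Policy'

# 1. Separate GPO: copy the Default Domain Policy as the article does, so the SRP
#    can later be disabled without touching the other domain settings.
if (-not (Get-GPO -Name $gpoName -ErrorAction SilentlyContinue)) {
    Copy-GPO -SourceName 'Default Domain Policy' -TargetName $gpoName | Out-Null
}
# Define the Hash and Path rules in the GPO editor before going further.

# 2. Pilot: link to the small OU only, then refresh policy on one pilot machine
New-GPLink -Name $gpoName -Target $pilotOu -LinkEnabled Yes -ErrorAction SilentlyContinue | Out-Null
Invoke-GPUpdate -Computer 'PILOT-PC01' -Force    # assumed computer name; triggers a remote gpupdate

# 3. Promote: link at the domain root once the pilot is clean; keep (but disable) the pilot link
function Publish-SrpPolicy {
    New-GPLink -Name $gpoName -Target $domainDn -LinkEnabled Yes | Out-Null
    Set-GPLink -Name $gpoName -Target $pilotOu -LinkEnabled No | Out-Null
}

# 4. Roll back: disable the domain link (not delete the GPO) if the policy locks computers out;
#    already-affected PCs then get "gpupdate" in Safe Mode as described above.
function Disable-SrpPolicy {
    Set-GPLink -Name $gpoName -Target $domainDn -LinkEnabled No | Out-Null
}

# Show where the GPO is currently linked and whether each link is enabled
foreach ($target in @($pilotOu, $domainDn)) {
    (Get-GPInheritance -Target $target).GpoLinks |
        Where-Object { $_.DisplayName -eq $gpoName } |
        Select-Object Target, Enabled, Enforced
}
```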
Thank you for reading Using Group Policy to Enhance Active Directory Security. We shall conclude the article now.
Using Group Policy to Enhance Active Directory Security Conclusion
Finally, Group policy offers admins a means to enhance the security of Active Directory. In this article, I have discussed the top 5 policies admins can use to lock down and secure their AD environment.
In addition, I provided best practices that SysAdmins can follow to define an AD security strategy with Group Policy. Specifically, I explained how to use the following policies to improve the security of an Active Directory infrastructure:
- Account Policies
- Local Policies
- Windows Defender Firewall with Advanced Security
- Wired and Wireless Network
- Software restriction policies