Best 30 Active Directory Security Best Practices Checklist
Best Active Directory Security Best Practices Checklist. Organizations with information technology (IT) infrastructure are not safe without security features. Credential theft attacks, malware attacks, ransomware and security breaches are a few methods that help attackers gain access to privileged accounts to a computer on a network. These techniques are used to gain access to vulnerabilities on your systems. As a result, your business operations will come to a complete shutdown with negative PR. Thus, to reduce the Active Directory Attack Surface and monitor signs of compromise, we have listed the best AD security practices with solutions both for infrastructure security and cloud security options.
In this post, we have listed the best Active Directory Security Best Practices checklist that will assist organizations in enhancing AD security. Further, these practices will enable administrators to discover malicious attempts, identify and prioritize security activities. Follow some of the below listed AD best practices to improve and secure your Windows AD domain environment.
1. Restrict the use of Domain Admins and other Privileged Groups
Domain Admins and other Privileged Groups in Active Directory have a few powerful members that can access an entire domain, system, or data. Apart from the default Domain Administrator account, avoid having day to day user accounts in Privileged Groups. Cracking user credentials has become easier for attackers. Thus, try to remove the account from the DA group once your work is done or ideally create a custom role group that only has permission to perform the required changes.
Domain Admin accounts are what attackers often try to seek out. If the attackers gain access to any single system, they can easily move within the network and seek higher permissions such as domain admin privileges. So, be careful and limit its use and other Privileged Groups. The same rule applies to Enterprise Admins, Backup Admins, and Schema Admin groups.
Review the privileged access with your IT team and shortlist the users with use-cases why they should be in this group. It can be challenging but is one of the best ways to reduce the attack surface. Click here to know how to limit the use of Domain Admins and other groups.
2. Use a minimum of two accounts (Regular and Administrator account)
Remember, getting away with Domain admin rights is not an easy thing. One cannot delegate rights to systems like DNS, DHCP, Exchange, Group Policy, etc so easily. This is the reason why most users have Domain Admin rights.
Hence, instead of having only one local admin with privileged access, try creating a separate regular account with no admin rights. Also, avoid adding the regular secondary account in the Domain Admins group on a permanent basis. Practice the least privileged administrative model under which all users with minimum permissions should log in to finish the work. We recommend using it for day to day tasks and removing it from the Domain Admins group once the work is done. Further, we recommend using the privileged Domain Admin account only to perform domain administrative tasks such as building domain controllers, DC authoritative restores, editing the AD schema etc.
Regular User Access Account
Users should NOT any have admin access to their desktop/laptop or to any systems within your network. They should have basic access to only use applications/systems in order to function in their day to day role, for example:
- Read / Send emails
- Browse the internet
- Access files / folders either locally or via file server / OneDrive
- Using applications they need for their job role
Administrator Account
In most cases the only person who would have an admin account will be IT staff. Even IT staff should have a regular user account and NEVER logon with their admin account. When a user needs to make a change on their laptop / desktop that requires admin level access to make a change, this is when they can use their admin account (privileged access) to make the change. The screenshot below shows this example.
Admins will generally need a domain admin account to perform the following in their role:
- Making network changes to laptop (WIFI / DNS / Adding to Domain)
- Adding users to Active Directory
- Editing DNS Server Records
- Adding Exchange email mailboxes
- Configuring GPOs
- Creating Hyper-V VMs
3. Secure the Domain Administrator Account (Admin)
Each domain has an Administrator account responsible for domain setup and disaster recovery called the ‘Domain administrator account‘. These accounts are, by default, important members of the Domain Admins group and if the domain is the forest root domain, the account is also a member of the Enterprise Admins group.
What is Domain Administrator?
A domain administrator has the highest privileges within your Microsoft network and will be able to make the most changes on your Microsoft systems, if in the wrong hands it can cause the most damage. It can modify the configuration of your Active Directory servers and can modify any content stored in Active Directory. This includes creating new users, deleting users, and changing their permissions. This account should only be used for restoring Active Directory.
Thus, anyone who requests access to servers or AD must use their individual admin accounts. Those admin accounts should then be in a security group that has permissions to the servers / systems they need in order to do their job role.
For the domain admin account use long 20+ characters password. Ideally the domain admin accounts password should be locked away so only senior staff members know the password in emergencies.
Another way to keep your account secure is to enable the smart card, deny log on as a service, batch job, or through RDP. Apply these settings to the group policy and all computers for security purposes. Read this guide to secure the Domain Administrator account.
4. Deactivate the Local Administrator Account on all Computers
You do not require a local administrator account. So it recommended to disable the local administrator account. Firstly, even if you change its details, attackers can track the well known account via the SID. Secondly, the account is often configured with the same password and credentials on each computer.
It is easy for attackers to track and crack the account. Thus, if you have to perform admin tasks, we recommend creating an individual account and using it for safety reasons. You can always boot the local administrator account into safe mode even if it is disabled. Also, if due to any reason, you cant disable the local admin account, try applying the following GPO settings for denying the admin account to perform the following or alternativley try using the Microsoft LAPS tool.
- Deny access to this computer from the network
- Deny log on as a batch job
- Deny log on as a service
- Deny log on through RDP
Create GPO to Deny local admin account on all domain computers
Within Group Policy Management, right click and select New on the OU that has your computers you want to apply the GPO to:
The GPO setting to apply this is as follows:
Computer Configuration > Policies > Windows Settings > Security Settings > Local Policies > User Rights Assignments
Configure the user rights to prevent the local Administrator account from accessing members servers and workstations over the network by doing the following:
- Double-click Deny access to this computer from the network and select Define these policy settings.
- Click Add User or Group, type the user name of the local Administrator account, and click OK. This user name will be Administrator, the default when Windows is installed.
- Click OK
Apply the same setting to:
- Deny log on as a batch job
- Deny log on as a service
- Deny log on through Remote Desktop Services
5. Install Local Administrator Password Solution (LAPS)
Most administrators are switching to Local Administrator Password Solution (LAPS) for managing the local admin passwords. LAPS is a popular Microsoft tool with in built Active Directory infrastructure. The trusted tool helps set a unique password for each local admin account and stores it in Active Directory. Also, there is no requirement to install additional servers for LAPS tool to run. It performs all the management tasks by using the group policy client side extension.
If you use an image creation tool like Packer to create OS images, LAPs is great as it sets a random password for every new computer build.
LAPS Benefits
- Unique password for local administrator per computer
- Password available from Active Directory, if needed to use local administrator account
- Remotly change the local administrator password
- Ability to use a custom administrator account
The following guide explains the steps to install LAPs and apply via GPO
6. Try Using a Secure Admin Workstation (SAW)
A secure admin workstation must be practiced only by privileged accounts to perform administrative tasks like group policy, AD administration, management of DNS & DHCP Servers, Office 365 Administration, etc. These are not used for the purpose of checking email or internet browsing. Using daily use workstations can be very risky for doing admin level tasks on your network. Thus, try using a Secure Admin Workstation (SAW) to protect accounts from attackers. One can additionally use Privileged Access Workstation (PAW) and jump servers to make it more confusing for attackers to crack. Also, you can enable full disk encryption, block the internet, use a personal firewall, etc.
To be extra careful use a computer that has a minimal OS like Windows Core Server in the cloud to be used as your secure admin workstation with the following configurations:
- Constantly updated with latest the OS Patches
- No internet access
- AV / Malware detection installed
- Firewall enabled
- Apply any
- Enable disk encryption
- Enable 2 factor authentication (2MFA)
- Automatically delete any OS Windows profiles at least once a day
Can You Benefit from Implementing a Secure Admin Workstation ?
All domain users and computer operators benefit from using a secure workstation. An attacker or hacker who compromises a PC or device can impersonate or steal credentials/tokens for all accounts that use it, undermining many or all other security assurances. For administrators or sensitive accounts, this allows attackers to escalate privileges and increase the access they have in your organization, often dramatically to domain, global, or enterprise administrator privileges.
Secure Device Roles and Profiles
The following examples show hardened Windows 10 devices that you can use as your secure workstations depending on how secure you want your workstation. This solution uses Device Health Attestation. These are recommend profiles as part of your privileged access device strategy
Enterprise Device
This role is ideal for general users who need general access to do their day to day tasks. For example using email, internet and applications. It uses an anti-malware and endpoint detection and response (EDR) solution like Microsoft Defender for Endpoint is required. A policy-based approach to increase the security posture is taken. It provides a secure means to work with customer data while also using productivity tools like email and web browsing. Audit policies and Intune allow you to monitor an Enterprise workstation for user behavior and profile usage.
Specialized Device
This device is the next level up with an enhanced security profile with no local admin privileges and only allows approved applications to run. Users are blocked from installing any applications or running any programs from un approved locations. The Specialized security user demands a more controlled environment while still being able to do activities such as email and web browsing in a simple-to-use experience. These users expect features such as cookies, favorites, and other shortcuts to work but do not require the ability to modify or debug their device operating system, install drivers, or similar.
Privileged Access Workstation (PAW)
This device profile is the most secure with the highest restrictions. This device will have no local admin access no internet access and will have restricted applications. No productivity apps. This role is designed for extremely sensitive roles that would have a significant or material impact on the organization if their account was compromised. The attack surface is very low.
A Privileged workstation provides a hardened workstation that has clear application control and application guard. The workstation uses credential guard, device guard, app guard, and exploit guard to protect the host from malicious behavior. All local disks are encrypted with BitLocker and web traffic is restricted to a limit set of permitted destinations (Deny all).
7. Setup / Enable Audit Policy Settings with Group Policy (GPO)
Workstations are common for malicious activities. Thus, if you do not run a proper auditing and logging setting on your computers and servers, you may miss early signs of an attack. Thus, to avoid a security breach, one must Configure Audit Policy settings to the group policy, computers, and all servers.
For Windows 10 and Windows Servers Advanced security audit policy settings they can be setup via Group Policy or through the local security snap-in (MMC) on your Computer Configuration, and click on Policies. Select Windows Settings, then Security Settings, and choose Advanced Audit Policy Configuration to make changes to the settings.
You should apply the following Audit Policy settings:
- Account Logon
- Account Management
- Detailed tracking
- DS Access (Only for Domain controllers)
- Logon/Logoff
- Object Access
- Policy Change
- Privilege Use
- System
Full instructions for setting up these GPOS can be found on this link
8. Monitor Active Directory for Signs of Compromise
There are various events and objects that can indicate attempts to compromise which is why you should constantly monitor Active Directory. As a result, an organization can prevent breaches from occurring or stop attacks at the initial stages. The abnormal behavior indicates a potential or in progress attack. A proactive approach to detecting any abnormal behavior on the network or compromise can save from major losses. Make sure to monitor these listed Active Directory events every week.
- Account lockouts
- Any changes made to the Domain Admins, Enterprise Admins, and Schema Admins
- A spike in bad password attempts or locked out accounts
- Disabled antivirus software
- Privileged account activities
- Logon/Logoff events
- Use of local administrator accounts
Collect all logs in one place and run log analyzing software. This method will help monitor all the above listed points at once, quickly spot suspicious activity and help generate reports. You should also setup audit policy to monitor the following:
- Account Logon Events
- Account Management
- Directory Service Access
- Logon Events
- Object Access
- Policy Change
- Privilege Use
- Process Tracking
- System Events
9. Enforce Password Complexity with Passphrases
Having an 8 character long password is no more secure. Instead, we recommend using passphrases (two or more random words put together) and a minimum of 16 characters.
You can also include numbers and characters in the password. It is not mandatory but can be helpful. Also, always remember, the longer your password will be, the more the attackers will find it hard to crack. Avoid using a sentence where the attacker can easily guess the next word and crack the code.
Avoid passwords like Summer2022!, March2022$, etc. These are quite easy to crack. Long passwords with passphrase techniques are a great combination and can save your system from attackers.
Password Policy Best Practice
Use pass phrases instead of an 8 character complex password. Research has shown that long password phrases are much more secure because they are very random and harder for hackers to guess.
Some points to consider to improve your user password security:
- Long password length of at least 16 characters
- Enable multi-factor authentication (MFA)
- Enforce password complexity
- Remember 8 password history
- Use passphrases
- Enforce lockout policy after 4 attempts
- Try using a password manager
Domain Password Policy GPO Settings
To configure your domain password policy, you will find the Default Domain Policy within your Group Policy Management console as can be seen in our our domain::
Right click on the Default Domain Policy and select Edit.
Browse to the following password setting:
Computer Configuration\Policies\Windows Settings\Security Settings\Account Policies\Password Policy
10. Use Security Group Naming Conventions
For easy management, add permissions to resources with security groups. Secondly, avoid the use of generic names for security groups. For example, HR_Local. Generic names can be used on all types of resources and have high chances of getting tracked. Prefer going for descriptive group names to save your information from attackers and maintain all control of security.
Descriptive security group names help to determine what the group is used for such as ‘K Net Drive HR_Training_Room7‘. In this example users in this group are get mapped network drives when doing HR training in Training Room 7. After training, users can be taking out of the group who no longer need access to the network drive, making managing your group membership in Active Directory much easier and secure.
You can take it even further an automate this process using a powershell script or automation tool like Cloud Ad Manager
Security Group Best Practices
When you need to give users access to any resource within Active Directory, ALWAYS create a security group, add users who need access to the resource and apply permissions to this group. This way you can easily track which users have access to your resources (e.g files, folders, printers, network shares, devices, systems, etc)
- Create a security group
- Give the group a descriptive naming convention detailing what the group will be used for
- Apply the group to the resource you want to give permissions (e.g a file, folder, application, etc)
- Add / remove users to this group who need or no longer need access
11. Delete Inactive Users and Computer Accounts
There is no point in having a bunch of unused accounts in Active Directory. Also, they can work against you, and hackers can discover and misuse them. This may also result in slowdown of group policy being applied slowing down logon times, patching, and reporting issues. So, to resolve this issue, its recommended to find and remove such unused accounts.
This can be down with Powershell Scripts or using a find inactive AD Users tools.
Find User Accounts Password not changed in 6 months via Powershell Script
The following Powershell script queries Active Directory for user accounts where the password age is over 180 days (6 months). In Active Directory Module for Windows PowerShell, run the following script to list the user accounts where the password has not changed in the last six months.
$d = [DateTime]::Today.AddDays(-180)
Get-ADUser -Filter '(PasswordLastSet -lt $d) -or (LastLogonTimestamp -lt $d)' -Properties PasswordLastSet,LastLogonTimestamp | ft Name,PasswordLastSet,@{N="LastLogonTimestamp";E={[datetime]::FromFileTime($_.LastLogonTimestamp)}}
With the list of users, its recommended to disable these accounts, wait several weeks and then delete the accounts.
Example solution to manage these in active users:
- Run Powershell script or AD reporting software to find in active users
- Move to separate OU called (In-Active Users)
- Wait 6 weeks, if no users complain of being able to login, delete these accounts
12. Delete Users from the Local Administrator Group
If a user has a local admin right, he/she will have complete access to the Windows Operating system. Thus, such a user must not be added as a member to the local administrator group on computers. It can be risky and cause security problems, such as downloading and installing malware, data stealing, disabling antivirus, hacking passwords, etc. By deleting users with local admin rights from the local administrator group, you can reduce threats and opportunities for attackers.
Use group policy to control the local administrator group. With the help of restricted groups and group policy, only trusted users have the access to manage and control the computer.
Remove Users from Local Administrators Group using Group Policy (GPO)
Within Group Policy Management, you can create a new GPO or edit an existing policy.
Within the GPO editor navigate to the following settings:
Computer Configuration -> Preferences -> Control Panel Settings -> Local users and Groups
Right click in the window and select New > Local Group
In the New Local Group Properties apply the following settings:
Action: Update
Group name: Administrators (built-in)
Delete all member users: Yes
Delete all member groups: Yes
Members: Click add and select the members you want to be added to the local administrator group. You most likely will want to keep the local administrator account and domain admins group as local admins, that depends on your internal security policies.
13. Domain Controllers (DCs) Best Practices
Domain Controllers are vital for an enterprise as they help enforce security policies and manage user security and access controls. You should never install any additional software or server roles onto DC’s. If you do you are indirectly increasing security risks. If you need to run more server roles, install these onto separate servers.
DC’s should also have no internet access, no external access should be allowed.
Avoid Logging into DC's
Ideally no one should also be logging into DC’s via RDP. All Active Directory administration should be done using Remote Server Administration Tools (RSAT) for Windows. Any admin should be done remotely.
Run Domain Controllers on Secure OS
You can use Windows Server Core as a secure OS to run the DC roles because it doesn’t have a GUI there are less security patches with a smaller footprint. If you have other server roles you can also run them on Windows Server core for example DHCP, DNS Servers, print servers, and file servers. You can also build your domain controllers with Active Directory Hardening using a AD Hardened image from CIS
Domain Controller Location
Ideally domain controllers should be on physical servers locked away in a cage with TPM chips and BitLocker Drive Encryption for all server volumes. Virtual domain controllers are ok or in the cloud.
If you have small remote sites that are only running 1 domain controller, for best practice run this on Hyper-V and configure the DC as Read Only Domain Controller (RODC)
14. Patch Management and Vulnerability Scanning
Make sure to scan and recover discovered vulnerabilities on a regular basis (once in a month or more frequently). If you do not scan these vulnerabilities and fix them, attackers can exploit them. As a result, you will be at a greater risk. Find some of the best vulnerability and scanning tools online. Scan to identify all potential vulnerabilities and prioritize them based on the degree of risk. Also, deploy automated software updates to operating systems or third party software. If you discover any software is out of date and no longer supported, get it updated.
Patch Management Best Practice
Every device and application must be updated with the latest security patches in order to reduce the risk of attack. Here are recommended patch management processes to apply to your environment:
- Update to date inventory of all your systems and applications. This is critical to understand what you have in your environment and understand which systems are most vulnerable. You can use inventory tools like SCCM or Microsoft Assessment Planning Tool Kit
- Stay up-to date with security patches from your application and hardware vendors making sure your fully up-to date and aware of any new vulnerabilities being published from your vendors. Most vendors publicly advertise new vulnerabilities, so its wise to subscribe to these updates so your fully aware of new threats.
- Create a patch management policy. Define a schedule when to deploy the latest patches, ideally as soon as vendors release new updates.
- Create a patch deployment test group. Have a test set of users from each department to deploy new patches to. This way you can monitor if any issues arise for any department users, you can easily roll back minimizing any disruption to users if you deploy company wide, deploy to small set of users and monitor.
- Deploy to all users/applications. If no issues from your test users, deploy patches company wide, department by department. When deploying to servers, try to minimize disruption as possible, if you have multiple servers in a cluster, update one at a time.
- Have a roll back plan. Its important to have a roll back plan in the event a patch causes a problem to your systems/applications.
Patching tools available are WSUS, Azure Automation Update Management, AWS Systems Manager Patch Manager, Google GCP OS Patch Management with VM Manager
Vulnerability Management
Threat & Vulnerability Management (TVM) is a built-in capability in Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP) that uses a risk-based approach to discover, prioritize, and remediate endpoint vulnerabilities and misconfigurations. With Microsoft Defender ATP’s Threat & Vulnerability Management, customers benefit from:
- Continuous discovery of vulnerabilities and misconfigurations
- Prioritization based on business context and dynamic threat landscape
- Correlation of vulnerabilities with endpoint detection and response (EDR) alerts to expose breach insights
- Machine-level vulnerability context during incident investigations
- Built-in remediation processes through unique integration with Microsoft Intune and Microsoft System Center Configuration Manager
15. Block Malicious Domains Using a Secure DNS Service
Computers use an IP address to communicate with each other. Every time you need to access the internet, they use a domain name to map with an IP address. With the help of a secure DNS service, you can block a lot of malicious traffic from entering the network.
These services use public and private sources to collect information about malicious domains. As and when, a query for a domain is flagged maliciously, the DNS services block them. DNS service is one of the easy and secure ways to block attackers. Quad9 is one of the free DNS services. For Azure customers Microsoft have a service called Microsoft Defender for DNS, which provides an additional layer of protection for resources that use Azure DNS’s Azure-provided name resolution capability.
Image Source: Cisco Umbrella
Microsoft Defender for DNS Features
Microsoft Defender for DNS detects suspicious and anomalous activities such as:
- Data exfiltration from your Azure resources using DNS tunneling
- Malware communicating with command and control servers
- DNS attacks – communication with malicious DNS resolvers
- Communication with domains used for malicious activities such as phishing and crypto mining
16. Run Supported Operating Systems
Microsoft Windows OS’s latest versions comprise in built security features and enhancements. For example, Windows Server 2022 built on the strong foundation of Windows Server 2019 and brings many innovations on three key themes: Security, Azure hybrid integration , management, and application platform. These new features help track the system and update on any issue. Any Unsupported Operating system will not receive security updates.
As mentioned earlier ideally domain controllers should be run on Windows Server Core OS if possible as the core OS has a smaller footprint as the OS has no GUI/Desktop.
Security Features in Windows Server 2019
- New Shielded VM Improvements
- Device Guard Policy Updates without Reboot
- Kernel Control Flow Guard (CFG)
- System Guard Runtime Monitor
- Virtual Network Encryption
- Windows Defender ATP Agent Included OOB
Security Features in Windows Server 2022
- New Secured-Core Server OS option with Hardware-based device identity. Capable of enforcing system integrity. Stays up to date and is remotely manageable. Provides protection for data at rest and data in transit. Built-in security agent and hardening.
- Hardware root-of-trust
- Firmware protection
- UEFI secure boot
- Virtualization-based security (VBS) – Secured-Core supports VBS and hypervisor-assisted code integrity checks (HVCI). Customers can also use Credential Guard.
- Secure DNS. DNS-over-HTTPS (DoH) which encrypts DNS queries using the HTTPS protocol.
- Azure hybrid capabilities
- Advanced multi-layer security
- Windows Defender System Guard
- SMB Hardening
- Guarded fabric and shielded VMs
17. For Office 365 and Remote Access Use Two Factor Authentication
Nowadays, attackers can easily access your systems using a VPN, Citrix, and other remote access systems. For example, if you cross check your Office 365 or ADFS logs, you may find various login attempts from different countries. Thus, the best way to keep your account secure against compromised accounts is to implment two factor authentication (2MFA).
With the help of MFA, hackers will find it hard to compromise your AD logins. Even if the attacker gets access to the system, he will require a second set of credentials to log in. Two factor authentication is also advantageous in keeping accounts safe from password spraying attacks. DUO, RSA, Microsoft MFA are a few trusted two factor authentication solutions.
- If you’re currently using Active Directory Federation Services consider implementing multi-factor authentication with a PKI – Certificate Authentication for user certificate authentication
- Turn on Office 365 multi factor authentication with conditional access polices
- Azure also provides Azure Active Directory MFA
- Consider implementing a RADIUS Server for remote access clients
18. Monitor DHCP Logs for Connected Devices
Do you have multiple branches? In that case, it can be very challenging to track users and computers and understand what network is connected to multiple locations. However, there are ways to connect only the authorized devices, but it can be time consuming. Another method that is cost effective and will be highly beneficial is monitoring DHCP logs for connected devices.
To use DHCP, you will require all end user devices setup to use DHCP to obtain an IP address. This will help you locate which IP is trying to track or log in to your system and from what location. You should have a naming convention configured on all your devices, this way it makes it easier to identify unauthorized devices in your DHCP logs.
DHCP Server Best Practice
- Never run DHCP on a Domain Controller
- Enable DHCP Logging
- Use DHCP Failover
- If using Azure Sentinel, use DHCP Server Activity monitoring
- Run DHCP Best Practices Analyzer Scanner
- Use an IPAM to document and manage your IP Addresses.
- Prevent Rouge DHCP Servers
19. Monitor DNS Logs for Malicious Network Activity
When using a local Windows DNS server, its recommend to enable auditing and logging. This setup will help track all internal and external DNS. For example, if your device connects with a malicious site, the site name will display in the DNS logs. Also, make sure to enable DNS debug logs on the Windows Servers to view DNS lookups.
Go to the DNS Management Console, then Right click and choose properties. From the dialog box, select Debug Logging Tab and tick the checkbox “Log packets for debugging“. Once the setup is complete, import all logs into a log analyzer to discover and spot any malicious activity.
Common Threats to DNS Servers
DNS monitoring is very important, in part, because it helps you identify vulnerabilities before they are exploited. There are many types of DNS attacks. These include:
- DNS cache poisoning
- Denial-of-service (DoS) attacks
- Distributed denial-of-service (DDos) attacks
- Domain hijacking
- Distributed reflection denial-of-service (DRDoS) attacks
- DNS flood attacks
- DNS tunneling
- DNS spoofing
- Random subdomain attacks
- NXDOMAIN attacks
- Phantom domain attacks
How to Monitor DNS Server
By monitoring your DNS server entries and monitoring for any changes, you can quickly identify issues that may pose a security risk to your system. To monitor DNS effectively, you should focus on the following components:
- IP Addresses. Set a monitor for any mismatches between IP addresses resolving to A records.
- SOA Records. The SOA record needs to be monitored to see if the serial number has been altered, if it has been changed then you know an attack has happened.
- MX and SRV Records. Keep these records monitored as these control your communication routes and email systems.
- NS Records and Root Servers. These should be monitored if any rogue DNS servers have been added as your DNS replication partners.
20. Implement ADFS and Azure AD / Office 365 Security Features
ADFS and Azure AD/ Office 365 security features are highly advantageous as they can protect your system against password spraying, compromised accounts, phishing, etc. One can also switch to premium subscriptions with advanced security features. Here are some of the features provided by ADFS and Azure AD:
ADFS / Azure AD Security Features
21. Use Office 365 Secure Score to Improve Security Posture
Microsoft Secure Score is a value indicating an organization’s security posture. It tracks the office 365 organization security depending on the activities and security settings. Firstly, it analyzes your Office 365 services. Once done, it analyzes the security settings, activities, and then concludes a security score. Based on this measurement, a list of actions will be provided to fix these issues.
In order to access all these features, we recommend you switch to a Premium or Enterprise subscription. Also, you will require to assign custom roles or a global admin.
Secure Score helps organizations:
- Report on the current state of the organization’s security posture.
- Improve their security posture by providing discoverability, visibility, guidance, and control.
- Compare with benchmarks and establish key performance indicators (KPIs).
22. Implement a Disaster Recovery Plan (DR)
Do you have a solution for a RansomWare attack or what would you do if the network was compromised? Have you trained your staff on how to deal with such situations? Do you follow any response policy?
Cyber attacks are too common, and they have the power to shut down your systems and cause disruption and a negative reputation for your business. As a result, your business operations will come to a halt. However, with a response plan, you can limit this impact. Make sure to plan an incident response policy, conduct incident handling, and report procedures. Also, you can appoint a response team and establish procedures for communicating with third parties. Also, prioritize your critical servers and train your staff with DR planning.
Domain Controller Disaster Recovery
Your domain controllers are your most critical servers in Active Directory. If these servers become corrupt or fail, your users will be greatly affected. Users cant login to devices and email will stop working, so its important you have fault tolerance and a DR plan in place for your AD domain controllers.
This is what i recommend to safe guard your AD:
- Replicate domain controllers between sites. If 1 site/branch goes down you can run off the other DCs
- Setup hybrid AD, with DC’s on prem and Active Directory in the cloud.
- Run frequent backups of your domain controllers
- Implement Azure Site Recovery. In the event of a disaster, your domain controllers fail over to Azure as VMs
- Hyper-v Replication to the cloud. If you’re running DCs on Hyper-V, consider having Hyper-v on Azure and enabling Hyper-v replication
Refer to the Active Directory Forest Recovery Guide
23. Delegation for Active Directory Permissions
Use Security Groups to control access to Active Directory and associated resources. Delegating rights to individual users will in a way make you lose control of who has access. Thus, create custom groups and document who has rights to what with the reason behind why they need access and from what date access was given. Do not give permission to admin staff to be able to add any user in these custom groups without any consent and tracking with an approval process of when users request access to be in a group. Keep track of which groups are delegated to what resources and document them.
One idea is to request users to submit a ticket via your helpdesk software so you can monitor and approve permission requests.
Best Practices for Granting AD Access
- Create Custom Groups for Roles with Assign Responsibilities: Create a set of roles that require different types of access for all your resources for each department for example within your IT team:
- Exchange Administrators
- Server Admins: Administrators who need to do server specific tasks (backups, server os management, configuration of transport settings, Unified Messaging, client access, and mailbox features such as database copies, certificates, transport queues and Send connectors, virtual directories, and client access protocols etc.
- Help Desk: Permissions to create a mailbox, add a user to a distribution list, give permissions to a user to access a shared mailbox.
- Compliance: Access to run reports on email activity about users, emails, auditing, logging, data loss prevention. This would be ideal for security teams.
- Active Directory Administrators
- Domain admins: Responsible for top-level service administration across the domain. Should contain only a small, manageable number of trusted administrators.
- GPO admins: Responsible managing and creating group policies. These will most probably be senior engineers.
- IT Helpdesk: Mainly responsible for resetting passwords, updating user profile attributes.
- HR: Responsible for creating new users as part of the on boarding process for new joiners
- Exchange Administrators
Define OU Security Model
You need to plan your OU structure and hierarchy in order to probably and securely manage your resources. Microsoft recommends that you ensure simplicity and adaptability while planning your OU design. So, prepare a layout of your Active Directory OU structure keeping Group Policy Object (GPO) linkage and delegation in mind to avoid creating OUs at random in the long run.
Administration and management of AD objects becomes easier when the OUs mirror your organization’s structure. Different OU models examples can be as follows:
- The geographic model separates your OUs based on the location of your offices
- The department model divides OUs corresponding to the departments in your organization
- The type-based model classifies OUs based on object types
Choose an Organizational Unit model that best fits your administrative needs.
Separate users and computers. In Active Directory, when you create a user and computer objects, they are added to their respective containers by default. However, GPOs cannot be linked to containers; instead, create separate OUs for users and computers that require GPO application. This practice can be followed irrespective of the OU model you choose for your organization. This makes it much easier to manage your Group Policy management.
Automate Joiners Movers Leavers Process
Its important to audit and manage what new users have access to and to disable their accounts when they leave a company or perhaps a user is moving department and shouldn’t have access to resources they used to have. You want this to be automated. If you have other applications that rely on Active Directory user accounts, you also want these accounts to be restricted on your other applications that perform sso authentication.
Typical flow would be as follows:
24. Lock Down and Restrict Service Accounts
Service accounts are privileged accounts that allow the execution of applications and run automated services. The accounts are used for Active Directory authentication and usually have local admin privileges on virtual machine instances or worse members of domain admin group. The service accounts usually have a set password that never expires. If this account gets in the wrong hands you can imagine the damage and vulnerabilities it could open up.
To lock down service accounts try the following:
- Use long complex passwords
- Avoid giving local admin rights
- Deny logon locally
- Deny logon as a batch
- Use Managed Service Accounts
- Grant only the required permissions
- Do not grant local administrator rights and request vendors to create software without domain admin rights.
- Do not add account to domain admins
Lock Down via GPO
You can apply the above settings via the following Group Policy:
Computer Configuration > Policies > Windows Settings > Security Settings > Local Policies > User Rights Assignments
25. Try Using Security Baselines and Benchmark Tools
Windows Operating system comprises various features and enabled ports that are not secure. They also include default settings that must be reviewed against known security benchmarks.
It is vital to have a secure configuration to maintain functionality and protect all systems against attacks.
Check out the following bench mark tools to scan and analyze and test against security configuration baselines. These tools also help scan systems and report failures.
The Security Compliance Toolkit (SCT) is a set of tools that allows enterprise security administrators to download, analyze, test, edit, and store Microsoft-recommended security configuration baselines for Windows and other Microsoft products.
The SCT enables administrators to effectively manage their enterprise’s Group Policy Objects (GPOs). Using the toolkit, administrators can compare their current GPOs with Microsoft-recommended GPO baselines or other baselines, edit them, store them in GPO backup file format, and apply them broadly through Active Directory or individually through local policy.
Safeguard IT systems against cyber threats with more than 100 configuration guidelines across more than 25 vendor product families. Windows, Linux, Cloud, Cisco, Vmware, IBM and much more.
26. Protect Default AD Security Groups
When you install an Active Directory domain, a few default security groups are created. These groups hold extensive permissions. These groups include the following:
Account Operators, Administrators, DNS Admins, Domain Admins, Guests, Users, Protected Users, Server Operators and many more..
See full list of these default groups
You should have AD monitoring and auditing setup to detect when users have been added to your admin groups so you can track if a security breach could potentially happen
27. Forcing RDP to use TLS Encryption
Remote Desktop Protocol is a great way for attackers to scan for endpoints. Tools like Massscan, Nmap help them discover system ports. They can also penetrate your RDP logins if you’re using weak credentials. Once successful, they have access to a compromised system. So, avoid directly exposing RDP to the public internet without multi factor authentication enabled.
The RDP connection does not use strong encryption by default.
Enable RDP TLS Encryption via GPO
To force your RDP connections to use TLS encryption, you can apply the following Group Policy settings:
Computer Configuration > Administrative Templates > Windows Components > Remote Desktop Services > Remote Desktop Session Host > Security > Set Client Connection > Encryption Level > Highest
28. Enable Windows Firewall on All Systems
There are high chances that attackers or malware can make a move through the inbound network traffic to your Windows computers and servers. Thus, to protect all your systems, its best to configure Windows Firewall rules. The purpose of enabling Windows Firewall is to limit any inbound or outbound network traffic for applications, protocols, or ports.
Windows firewall should be managed by Active Directory GPO and users should be blocked from disabling their firewall.
Here is the Group Policy settings for enabling Windows Firewall with Advanced Security.
Windows Defender Firewall with Advanced Security GPO
Within your Group Policy management editior, here is the path to crate your Windows firewall GPO and apply settings for inbound / outbound traffic and specify which profiles to enable the firewall for. (Domain / Private / Public). Ideally all profiles should be enabled.
Computer Configuration > Policies > Windows Settings > Security Settings > Windows Defender Firewall with Advanced Security - LDAP://cn
And also the following GPO setting to specify the type of traffic that will be allow for your network connection profiles:
Computer Configuration > Policies > Administrative Templates > Network > Network Connections > Windows Defender Firewall
29. Implement Application Whitelisting
Without the consent of an administrator, if a program is installed and left unpatched or publicly disclosed, attackers may enter and exploit the system. It is important to make sure any unpatched application or program must not run unless they are secure. Only approved programs are allowed to run under Application whitelisting by using Windows Defender Application Control and AppLocker.
As a result, any unpatched program will be blocked by default using Application whitelisting. It restricts any unauthorized programs from running to protect your Windows environment. It is one of the best practices to protect your systems from emerging threats. Save time and money with Application whitelisting.
Windows Defender Application Control has an inherent advantage over traditional antivirus solutions. Specifically, application control moves away from an application trust model where all applications are assumed trustworthy to one where applications must earn trust in order to run.
Windows Defender Application Control Features
WDAC was introduced with Windows 10 and allows organizations to control which drivers and applications are allowed to run on their Windows clients. It was designed as a security feature under the servicing criteria, defined by the Microsoft Security Response Center (MSRC).
WDAC policies apply to the managed computer as a whole and affects all users of the device. WDAC rules can be defined based on:
- Attributes of the codesigning certificate(s) used to sign an app and its binaries
- Attributes of the app’s binaries that come from the signed metadata for the files, such as Original Filename and version, or the hash of the file
- The reputation of the app as determined by Microsoft’s Intelligent Security Graph
- The identity of the process that initiated the installation of the app and its binaries (managed installer)
- The path from which the app or file is launched (beginning with Windows 10 version 1903)
- The process that launched the app or binary
If you’re using SCCM you can deploy WDAC via Configuration Manager
30. Disable PowerShell for Users (non admins)
PowerShell is great for task automation and configuration management but it can also be used by malware to spread through your network and infect your systems if not carefully managed. PowerShell is a source of more than a third of critical security threats. Ransomware is often spread through your network via PowerShell, checkout the article from CIS
I would recommend disabling PowerShell on all your computers, users don’t need PowerShell. If an admin requires PowerShell for their day to day job, they can run PowerShell from a dedicated Jump box vs Bastion Host.
Disable PowerShell with Group Policy (GPO)
First is to find out the default path of where PowerShell.exe is located, its normally in: C:\Windows\System32\WindowsPowerShell\v1.0
To check this on your computer, open PowerShell, then open task manager, go to the details tab, scroll down to find powershell.exe, right click and select “open file location”.
Within your Group Policy Management Editor, browse to the following setting:
User Configuration -> Policies -> Windows Settings -> Security Settings -> Software Restriction Policies
Right click “Software Restriction Policies” select “New Software Restriction Policies”
Select “Additional Rules”, then right click and select “New Path Rule”
Next click browse and select the powershell.exe file from the path -> C:\Windows\System32\WindowsPowerShell\v1.0.
Set the security level to “Disallowed” Click OK.
Active Directory Security Best Practices Checklist Conclusion
IT organizations are no more immune from cyber attacks. Attacks against computing infrastructures and networks have been in the business for too long. Cybercrime record rates have increased with organizations expanding and growing in size. Thus, there are high chances of being attacked and compromised in ways epsecially Active Directory attacks. Thus, one needs to stay more alert and implement Active Directory security. These AD and cloud security solutions and advancements will keep ransomeware attacks and malware away from your server systems and operate smoothly.
Let me know if there is anything else i’ve missed of our AD security checklist?. We have put together a set of practical techniques and solutions that will help IT experts protect an enterprise Active Directory domain environment. If you can’t prevent attacks, at least reduce your Active Directory attack surface possibilities.
