Active Directory How-To
10 Tips for Managing Active Directory
Implementing these simple steps will help you secure and manage Active Directory.
- By Troy Thompson
In this article we will look at some important tips that will help you secure and manage Active Directory. There are literally hundreds of items that you could deem important, but we will focus on ten.
How many administrators do you have? Controlling the access to administration is probably the most important tip. Giving too many people full access rights can lead to disaster. The old saying, "too many cooks in the kitchen spoil the broth" can also apply to network administration. Make sure that each administrator is thoroughly trained and understands the importance of the position. An administrator should have a separate account from their normal day-to-day account that allows them to perform administrative tasks. Remember that you should delegate control to the lowest level that is needed for someone to perform their job. Not everyone needs to be a domain administrator.
Generic accounts. In order for you to have accountability in your system, each administrator needs to have their own admin account. It is not wise to have a generic account that has full control rights where multiple people know the password. If someone decides to perform malicious activities on your network, you want to be able to identify him.
Documentation. Documentation is truly the key to success as a network administrator. It is extremely important to keep track of the activities you perform as an administrator. This is not the most exciting or rewarding part of your job, but it can really save your skin when things go south. Below is a list of some things you should document:
- Forest and domain configuration
- Organizational unit (OU)
- Trust relationships
- Group Policy Objects (GPOs)
- Password and audit policies
- Changes as they occur to the Active Directory schema.
- Document server names, roles and IP addresses
- Create a network topology diagram
- Create a change log for each server
- Document your backup procedures
Disable guest accounts and rename the default Administrator account. Problems arising from having guest accounts on domain controllers and using the default Administrator account have been widely publicized; and for a good reason. These are some of the easiest accounts for hackers to exploit. There is no need to make it easy to break into your network.
Physical security. A lot of emphasis is placed on cyber security these days, but more important is physical security. If someone has physical access to your servers, they can do great damage. An intruder can remove drives, processors, or destroy items. In addition, he may be able to boot from a flash drive or CD to install viruses or malware. Some of the worse cases of espionage have been by those who are not hackers but social engineers.
Enforce strong password rules. It is important to have password policies that require users to change passwords frequently and one that enforces strong passwords. You can require that users have a minimum password length which requires certain capital letters, numbers and special characters. It is recommended that administrators have an even more complex password requirement than a normal user. You can setup password policies in the Group Policy to ensure that all users within specific OUs have the same requirements.
Service accounts. Changing passwords for service accounts can be difficult because the account controls an important service on servers and devices. There are some things you can do to minimize the risk of attack. The accounts should be given names that identify them as service accounts and placed into a common group. From there you can apply a policy to your servers to deny the "Log on Locally" policy but allow "Log on as a Service."
Event Auditing. When you configure auditing for computers on your network, there are numerous options from which to choose. Using these tools, you can target specific activities. Some of the events you should consider auditing are listed below.
- Audit account management
- Audit directory service access
- Audit logon events
- Audit object access
- Audit policy change
- Audit privilege use
- Audit process tracking
- Audit system events
Backup. Performing a Full Server Backup includes the System State, the Active Directory database, the SYSVOL data, the registry, system files, and the COM+ database. If the domain controller performs additional roles, the system state could include even more elements. In the event of a domain controller failure, you will want to restore all of these elements. A System State Backup is not intended to help restore the accidental deletion of a single user account.
Troy Thompson has worked in network administration for over 25 years, serving as a network engineer and Microsoft Exchange administration in Department of Defense, writing technology articles, tutorials, and white papers and technical edits. Troy is a Cisco Certified Academy Instructor (CCAI), and has numerous other certifications including CCNA, MSCE+I, Network+, A+ and Security+. Troy has also traveled the world playing music as the guitarist for the band Bride. Contact information is firstname.lastname@example.org.