Active Directory How-To
10 Tips for Securing Active Directory Environments
Managing accounts with a security-first approach will help to avoid costly incursions.
- By Troy Thompson
In this article, we will look at a few items that will help you secure your Active Directory environment. Many books and white papers cover this subject and go into each topic extensively. This article will discuss some of the basic concepts of securing Active Directory.
Updates and Patches
Applying the most current Microsoft updates to your servers is essential to protecting them against vulnerabilities. Most organizations will use Windows Server Update Services (WSUS) to enable administrators to deploy the latest Microsoft product updates to computers that are running the Windows operating system. The WSUS server allows you to fully manage the distribution of updates that are released through Microsoft Update to computers in your network. Servers that do not have the latest updates can be a liability on your network.
There are many different antivirus software manufacturers in the marketplace. Some of the more familiar names are McAfee, Norton and AVG. The important thing is to have antivirus software installed and up to date on all PCs and servers on your network. When your network gets hit by a virus as damaging as CryptoLocker, you need to have the safeguards in place so that your data is protected.
Monitor Active Directory for Compromise
Most compromised systems go unnoticed for weeks or longer. To prevent this from happening on your network, you should consider enabling the audit policy for the following categories.
- Account Logon Events
- Account Management
- Directory Service Access
- Logon Events
- Object Access
- Policy Change
- Privilege Use
- Process Tracking
- System Events
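The following added example (not from the original article) reports which audit subcategories under the nine categories above are still set to "No Auditing" on the machine where it runs. It assumes an English-language Windows Server and an elevated PowerShell session; the mapping from the article's category names to `auditpol.exe` category names is part of the example.

```powershell
# Added example: compare the effective audit policy with the nine categories
# listed above. Assumes English category names and an elevated session,
# because auditpol.exe requires administrative rights.

# Category name used in the article -> category name used by auditpol.exe
$categories = [ordered]@{
    'Account Logon Events'     = 'Account Logon'
    'Account Management'       = 'Account Management'
    'Directory Service Access' = 'DS Access'
    'Logon Events'             = 'Logon/Logoff'
    'Object Access'            = 'Object Access'
    'Policy Change'            = 'Policy Change'
    'Privilege Use'            = 'Privilege Use'
    'Process Tracking'         = 'Detailed Tracking'
    'System Events'            = 'System'
}

$gaps = foreach ($entry in $categories.GetEnumerator()) {
    # /r prints the policy as CSV; drop blank lines before parsing it
    auditpol.exe /get "/category:$($entry.Value)" /r |
        Where-Object { $_.Trim() } |
        ConvertFrom-Csv |
        Where-Object { $_.'Inclusion Setting' -eq 'No Auditing' } |
        ForEach-Object {
            [pscustomobject]@{
                Category    = $entry.Key
                Subcategory = $_.Subcategory
                Setting     = $_.'Inclusion Setting'
            }
        }
}

if ($gaps) {
    # One row per subcategory that records neither success nor failure
    $gaps | Sort-Object Category, Subcategory | Format-Table -AutoSize
} else {
    'Every subcategory in the nine categories has auditing enabled.'
}
```

On domain-joined machines the effective policy normally comes from Group Policy, so close any gaps in the GPO rather than locally. Object Access and Process Tracking can generate a large volume of events, so size the Security log and its collection accordingly.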
Monitor User Privileged Accounts
Accounts that have not been made members of any of the groups that have the highest levels of privilege in Active Directory, but have instead been granted high levels of privilege on many servers and workstations in the environment, are called privilege-attached accounts. Even though these accounts have no privileges in Active Directory, if they are granted high privilege on large numbers of systems, they can be used to compromise or even destroy large segments of the infrastructure. Compromising such an account achieves the same effect as compromising a privileged Active Directory account. Privileged accounts can include administrator accounts, embedded accounts used by one system to connect to another and accounts used to run service programs.
Only Use Admin Accounts When Needed
Controlling the access to network administration is very important. You have to ensure that each administrator is thoroughly trained and understands the importance of the position. Administrators should not be logged in with their administrator account if not performing administrative functions. These users should have a non-administrative account that is used for doing non-administrative tasks. It is recommended that you delegate control to the lowest level that is needed for someone to perform their job.
Granting Temporary Membership in Privileged Groups
You can create an account that can be used to manage the membership of privileged groups without requiring the account to be granted excessive rights and permissions.
- Your Active Directory should contain Organizational Units (OUs) that allow for separating protected accounts from the normal user accounts.
- When you create the management accounts, they should be created as a regular user account. There is no need to grant additional user rights.
- After you have created the management account, make sure it is only usable for the specialized purpose for which it was created. Management accounts should have their passwords reset at each use and should be disabled when not being used.
- Configure the permissions on the AdminSDHolder object to allow management accounts to change the membership of the privileged groups in the domain.
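The following added example (not from the original article) checks management accounts against the steps above: created as regular users, disabled when not in use, and given a new password after each use. It assumes the ActiveDirectory PowerShell module is installed; the OU path is a hypothetical placeholder.

```powershell
# Added example: review management accounts against the steps listed above.
# The OU distinguished name below is a hypothetical placeholder.
Import-Module ActiveDirectory

$managementOU = 'OU=Management Accounts,OU=Protected,DC=example,DC=com'

$query = @{
    SearchBase = $managementOU
    Filter     = '*'
    Properties = 'Enabled', 'PasswordLastSet', 'LastLogonDate', 'MemberOf'
}

$findings = Get-ADUser @query | ForEach-Object {
    $issues = @()

    # Management accounts should be disabled when not being used
    if ($_.Enabled) { $issues += 'account is enabled' }

    # MemberOf excludes the primary group (normally Domain Users), so any
    # entry here is membership beyond that of a regular user account
    if ($_.MemberOf.Count -gt 0) {
        $issues += "member of $($_.MemberOf.Count) additional group(s)"
    }

    # Passwords should be reset at each use. LastLogonDate comes from
    # lastLogonTimestamp, which can lag by several days, so treat a hit
    # as a prompt to review rather than as proof.
    if ($_.LastLogonDate -and
        (-not $_.PasswordLastSet -or $_.PasswordLastSet -lt $_.LastLogonDate)) {
        $issues += 'password not reset since last recorded logon'
    }

    if ($issues) {
        [pscustomobject]@{
            Account = $_.SamAccountName
            Issues  = $issues -join '; '
        }
    }
}

if ($findings) {
    $findings | Format-Table -AutoSize -Wrap
} else {
    'No management account deviates from the checks above.'
}
```

An enabled account is expected while a membership change is in progress, so run the check outside change windows.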
Implementing a Least-Privilege Administrative Model
One way to keep permissions simple is to grant full control permissions to everyone. Most administrators realize that this would also be a recipe for disaster. It is, however, easy to get in the habit of extending more privilege than necessary to servers, workstations, applications and Active Directory. You should always take the time to do what is right and not what is easy.
Retire Legacy Systems and Applications
Everyone wants to get the most out of their investment, but there is a time to just say goodbye to old technology. If you are still running Windows XP or Windows Server 2003, you should be developing a plan to move on. Legacy systems, especially those that are no longer supported, are a security risk on your network. They can create backdoor opportunities for would-be hackers. When Microsoft no longer supports an operating system, security updates will no longer be issued for that platform, making it a security risk.
Make Security Simple for the End User
If security measures are too difficult to follow, users will try to find a way around them. Instead of super long and complicated passwords, maybe you should move your organization to card readers or even biometrics. I have known users to minimize PowerPoint presentations or to use a fake keystroke program to prevent their systems from locking automatically. If you find your security policies are overly restrictive, you may be able to find other ways to achieve the desired results.
Many breaches of security do come in the form of a hacker exploiting a software vulnerability. Still, don't overlook physical security. You may want to take steps to prohibit flash drive use or the ability to burn DVDs. This may keep your data from walking away without permission. You can also never underestimate the importance of a locked door. If someone has physical access to your datacenter, then they also have the ability to destroy or remove drives, processors, etc.
It seems like every day, there is a new report about a company being hacked. Whether it is Home Depot, Target, OPM or Anthem, every company that has a presence on the internet is a potential victim. Make sure that you take all necessary steps to secure your Active Directory environment.
Troy Thompson has worked in network administration for over 25 years, serving as a network engineer and Microsoft Exchange administrator in the Department of Defense, and writing technology articles, tutorials, white papers and technical edits. Troy is a Cisco Certified Academy Instructor (CCAI), and has numerous other certifications including CCNA, MCSE+I, Network+, A+ and Security+. Troy has also traveled the world playing music as the guitarist for the band Bride.