10 Ways Administrators Can Harden Active Directory Security

 
 
By Chris Preimesberger  |  Posted 2016-04-01
 
 
 
 
 
 
 
 
 
  • Previous
    1 - 10 Ways Administrators Can Harden Active Directory Security
    Next

    10 Ways Administrators Can Harden Active Directory Security

    A highly secured Active Directory environment can help prevent attacks and protect critical data. This slide show looks at how to harden Active Directory security.
  • Previous
    2 - User Accounts With Non-Expiring Passwords
    Next

    User Accounts With Non-Expiring Passwords

    When users are not forced to change their password, their account is left vulnerable to attack. Changing the password at regular intervals (90 to 180 days) ensures that an attacker would need to start the attack over if he or she failed to hack the password in time. Changing passwords also ensures that any compromised accounts are safe again after the password is changed.
  • Previous
    3 - User Accounts That Have Never Logged In
    Next

    User Accounts That Have Never Logged In

    Most organizations use a standard new user password when new user accounts are created. This is a good idea in principal because the user will only log on one time with this password and then be forced to change it immediately. However, if users never log in and their group membership is still defined, any user in the organization can log on to this account and access any data available to the group. Ideally, random passwords should be used for all newly created users, and any user accounts that have never been logged into should be deleted or disabled.
  • Previous
    4 - Default Privileged Groups Need Evaluation
    Next

    Default Privileged Groups Need Evaluation

    There are numerous groups that Active Directory creates during installation with elevated privileges. Domain Admins, Enterprise Admins, Account Operators and Administrators are just a few. These groups give immediate privilege to any user added to the group. Some privileges are for the entire domain, whereas others are smaller in scope but still powerful. Group evaluation for correct membership should occur regularly, if not in real time, with a monitoring and alerting system.
  • Previous
    5 - Application, Custom Privileged Groups Need Evaluation
    Next

    Application, Custom Privileged Groups Need Evaluation

    After Active Directory is installed, additional privileged groups are created. These groups are created by the installation of applications such as Exchange, SharePoint, SQL and more. Custom groups with elevated privileges are then created by administrators and used for various tasks or groups such as IT, help desk and developers. Like the default privileged groups, these groups need to be evaluated regularly to ensure proper group membership.
  • Previous
    6 - User Rights Provide Computer Privileges
    Next

    User Rights Provide Computer Privileges

    User rights are configured per computer and can provide extreme privileges over a computer. Your servers, including your domain controllers, need to have their user rights evaluated to ensure that the correct users can perform tasks such as shutting down the system, changing the system time, logging in locally and backing up files. With more than 35 user rights that could grant incorrect privileges to wrong user accounts, proper evaluation and configuration of these settings are essential.
  • Previous
    7 - Active Directory Delegation
    Next

    Active Directory Delegation

    Delegating tasks to non-domain administrators in Active Directory is a powerful and useful solution to free up administrators' time. However, the configuration of these delegated tasks is easy, but the reporting and evaluation is not so simple. Most organizations have delegations that they are not aware of due to the complexity of reporting for these settings. With delegations including resetting user passwords, altering group membership and more, it's important to evaluate and correctly configure these settings.
  • Previous
    8 - Group Policy Delegation
    Next

    Group Policy Delegation

    Group policy is the standard method used to deploy security settings to users and computers within Active Directory. However, if the wrong person sets up the security, they can also weaken security and cause vulnerabilities. Knowing who can create, manage and control group policy objects is a key security control in Active Directory. Reporting and analyzing these privileges are important to ensure that the entire user and computer base in Active Directory stays secure.
  • Previous
    9 - Service Accounts
    Next

    Service Accounts

    Service accounts are typically standard user accounts that have been granted elevated privileges to perform actions for an application or service. Because they have elevated privileges, service accounts attract attacks. Since many organizations do not properly secure these accounts (most often through failure to reset passwords regularly), monitor the activity of the accounts or limit where the accounts can log on, attackers target these accounts often. Reporting on the configurations of these accounts and increasing their security are essential to keep applications and services running.
  • Previous
    10 - Password Policy
    Next

    Password Policy

    The password policy deployed through group policy needs to be verified for correct final settings on domain controllers. This policy will control the password policy restrictions for all domain user accounts. If other technologies, such as fine-grained password policies or third-party solutions, are used to establish the password policy, these settings also need to be regularly reviewed to ensure that all passwords are created with security in mind.
  • Previous
    11 - Real-Time Monitoring of Active Directory Changes
    Next

    Real-Time Monitoring of Active Directory Changes

    Administrators and organizations often feel that getting security settings established is the last step to hardening Active Directory security. The reality, however, is that drift occurs with all settings, including security settings on domain controllers. Having a system that tracks, reports and even alerts on all security areas of your Active Directory environment can give you the upper hand to know when security is an issue, allowing immediate action. The alternative is to be compromised or have a user inform you of an issue.
  • Previous
    12 - Summary
    Next

    Summary

    With these 10 security hardening areas completed, you've gone a long way toward improving the overall security of your Active Directory environment. Remember, after reporting, analyzing and configuring each security area, it is imperative that you monitor and receive notifications if that setting changes. This will ensure that you have not only achieved a secure environment, but that the security is not drifting. From now on, this site on Security Hardening will help you with each and every security hardening step along the way.
 

Active Directory is a data directory service using passwords that Microsoft developed decades ago for Windows domain networks. It is included in most Windows Server operating systems as a set of processes and services. Initially, Active Directory was only in charge of centralized domain management; it has since branched out to include cloud systems. For years, Active Directory has been a target of cyber-criminals in their attempts to hack passwords and crack enterprise systems and steal, damage or obfuscate data. A highly secured Active Directory environment can help prevent attacks from being successful and protect critical data, but do you know where to start this hardening? The following 10 areas need to be verified, analyzed, configured and monitored to ensure consistent security for an Active Directory environment. This eWEEK slide show uses industry information from Derek Melber, technical evangelist at ManageEngine, a Microsoft Group Policy MVP who helps Active Directory administrators, auditors and security professionals understand the finer points of how to manage and solve issues that occur in Active Directory and Group Policy.

 
 
 
 
 
 
 
 
 
 
 

Submit a Comment

Loading Comments...
 
Manage your Newsletters: Login   Register My Newsletters























 
 
 
 
 
 
 
 
 
Rocket Fuel