10 Ways Administrators Can Harden Active Directory Security

A highly secured Active Directory environment can help prevent attacks and protect critical data. This slide show looks at how to harden Active Directory security.

When users are not forced to change their password, their account is left vulnerable to attack. Changing the password at regular intervals (90 to 180 days) ensures that an attacker would need to start the attack over if he or she failed to hack the password in time. Changing passwords also ensures that any compromised accounts are safe again after the password is changed.

Most organizations use a standard new user password when new user accounts are created. This is a good idea in principal because the user will only log on one time with this password and then be forced to change it immediately. However, if users never log in and their group membership is still defined, any user in the organization can log on to this account and access any data available to the group. Ideally, random passwords should be used for all newly created users, and any user accounts that have never been logged into should be deleted or disabled.

There are numerous groups that Active Directory creates during installation with elevated privileges. Domain Admins, Enterprise Admins, Account Operators and Administrators are just a few. These groups give immediate privilege to any user added to the group. Some privileges are for the entire domain, whereas others are smaller in scope but still powerful. Group evaluation for correct membership should occur regularly, if not in real time, with a monitoring and alerting system.

After Active Directory is installed, additional privileged groups are created. These groups are created by the installation of applications such as Exchange, SharePoint, SQL and more. Custom groups with elevated privileges are then created by administrators and used for various tasks or groups such as IT, help desk and developers. Like the default privileged groups, these groups need to be evaluated regularly to ensure proper group membership.

User rights are configured per computer and can provide extreme privileges over a computer. Your servers, including your domain controllers, need to have their user rights evaluated to ensure that the correct users can perform tasks such as shutting down the system, changing the system time, logging in locally and backing up files. With more than 35 user rights that could grant incorrect privileges to wrong user accounts, proper evaluation and configuration of these settings are essential.

Delegating tasks to non-domain administrators in Active Directory is a powerful and useful solution to free up administrators’ time. However, the configuration of these delegated tasks is easy, but the reporting and evaluation is not so simple. Most organizations have delegations that they are not aware of due to the complexity of reporting for these settings. With delegations including resetting user passwords, altering group membership and more, it’s important to evaluate and correctly configure these settings.

Group policy is the standard method used to deploy security settings to users and computers within Active Directory. However, if the wrong person sets up the security, they can also weaken security and cause vulnerabilities. Knowing who can create, manage and control group policy objects is a key security control in Active Directory. Reporting and analyzing these privileges are important to ensure that the entire user and computer base in Active Directory stays secure.

Service accounts are typically standard user accounts that have been granted elevated privileges to perform actions for an application or service. Because they have elevated privileges, service accounts attract attacks. Since many organizations do not properly secure these accounts (most often through failure to reset passwords regularly), monitor the activity of the accounts or limit where the accounts can log on, attackers target these accounts often. Reporting on the configurations of these accounts and increasing their security are essential to keep applications and services running.

The password policy deployed through group policy needs to be verified for correct final settings on domain controllers. This policy will control the password policy restrictions for all domain user accounts. If other technologies, such as fine-grained password policies or third-party solutions, are used to establish the password policy, these settings also need to be regularly reviewed to ensure that all passwords are created with security in mind.

Administrators and organizations often feel that getting security settings established is the last step to hardening Active Directory security. The reality, however, is that drift occurs with all settings, including security settings on domain controllers. Having a system that tracks, reports and even alerts on all security areas of your Active Directory environment can give you the upper hand to know when security is an issue, allowing immediate action. The alternative is to be compromised or have a user inform you of an issue.

With these 10 security hardening areas completed, you’ve gone a long way toward improving the overall security of your Active Directory environment. Remember, after reporting, analyzing and configuring each security area, it is imperative that you monitor and receive notifications if that setting changes. This will ensure that you have not only achieved a secure environment, but that the security is not drifting. From now on, this site on Security Hardening will help you with each and every security hardening step along the way.