What are the Best Practices for Secure Active Directory

No organization with an information technology (IT) infrastructure is immune from attack, but if appropriate policies, processes, and controls are implemented to protect key segments of an organization's computing infrastructure, it may be possible to prevent a breach event from growing into a catastrophic compromise of the computing environment. This executive summary is intended to be useful as a standalone document summarizing the content of the full document, which contains recommendations that will assist organizations in enhancing the security of their Active Directory installations. By implementing these recommendations, organizations will be able to identify and prioritize security activities, protect key segments of their computing infrastructure, and create controls that significantly decrease the likelihood of successful attacks against critical components of the IT environment.

Reducing the Active Directory Attack Surface

This section focuses on technical controls to reduce the attack surface of an Active Directory installation. Included in this section are the following subjects:
  • Privileged Accounts and Groups in Active Directory – Discusses the highest privileged accounts and groups in Active Directory and the mechanisms by which privileged accounts are protected. Within Active Directory, three built-in groups are the highest privilege groups in the directory (Enterprise Admins, Domain Admins, and Administrators), although a number of additional groups and accounts should also be protected.
  • Implementing Least-Privilege Administrative Models – Focuses on identifying the risk that the use of highly privileged accounts for day-to-day administration presents, in addition to providing recommendations to reduce that risk. Excessive privilege isn't only found in Active Directory in compromised environments. When an organization has developed the habit of granting more privilege than is required, it is typically found throughout the infrastructure:
    • In Active Directory
    • On member servers
    • On workstations
    • In applications
    • In data repositories
  • Implementing Secure Administrative Hosts – Describes secure administrative hosts, which are computers that are configured to support administration of Active Directory and connected systems. These hosts are dedicated to administrative functionality and do not run software such as email applications, web browsers, or productivity software (such as Microsoft Office). Included in this section are the following:
    • Principles for Creating Secure Administrative Hosts – The general principles to keep in mind are:
      • Never administer a trusted system from a less-trusted host.
      • Do not rely on a single authentication factor when performing privileged activities.
      • Do not forget physical security when designing and implementing secure administrative hosts.
  • Securing Domain Controllers Against Attack – If a malicious user obtains privileged access to a domain controller, that user can modify, corrupt, and destroy the Active Directory database, and by extension, all of the systems and accounts that are managed by Active Directory. Included in this section are the following subjects:
    • Physical Security for Domain Controllers – Contains recommendations for providing physical security for domain controllers in datacenters, branch offices, and remote locations.
    • Domain Controller Operating Systems – Contains recommendations for securing the domain controller operating systems.
    • Secure Configuration of Domain Controllers – Native and freely available configuration tools and settings can be used to create security configuration baselines for domain controllers that can subsequently be enforced by Group Policy Objects (GPOs).
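As an added example (this is not code from the Microsoft document), the following PowerShell puts the privileged-accounts and least-privilege guidance above into practice: it enumerates the three highest-privilege groups named in the text, expands nested membership so an account hidden inside a nested group is still reported, separates permanent members (the ones to eliminate) from time-bound ones, and shows how a time-limited membership is granted instead of a permanent one. It assumes the ActiveDirectory RSAT module, a forest at the Windows Server 2016 functional level or later with the Privileged Access Management optional feature available, and that it is run from a secure administrative host in the forest root domain (Enterprise Admins exists only there). The function names, the sample account jdoe and the 30-minute window are illustrative.

```powershell
# Added example, not part of the Microsoft document.
# Assumes: ActiveDirectory module (RSAT), run in the forest root domain,
# forest functional level Windows Server 2016 or later for time-bound membership.
Import-Module ActiveDirectory

# The three built-in groups named in the text; extend as needed
# (for example Schema Admins, Account Operators, Backup Operators).
$HighPrivilegeGroups = 'Enterprise Admins', 'Domain Admins', 'Administrators'

function Get-PrivilegedMembershipReport {
    # One row per effective (recursively expanded) member of each group,
    # marked "permanent" or "time-bound (N s left)".
    foreach ($GroupName in $HighPrivilegeGroups) {
        try {
            # -ShowMemberTimeToLive returns time-bound links as "<TTL=seconds>,CN=..."
            # and permanent links as a bare DN. Only direct links carry a TTL.
            $Group = Get-ADGroup -Identity $GroupName -Properties member -ShowMemberTimeToLive
        } catch {
            Write-Warning "Cannot read $GroupName in this domain: $_"
            continue
        }
        $Ttl = @{}
        foreach ($Link in $Group.member) {
            if ($Link -match '^<TTL=(\d+)>,(.+)$') { $Ttl[$Matches[2]] = [int]$Matches[1] }
        }
        # -Recursive expands nested groups; foreign security principals from
        # trusted forests may not resolve and should be reviewed separately.
        foreach ($Member in Get-ADGroupMember -Identity $GroupName -Recursive) {
            $Dn = $Member.DistinguishedName
            $Membership = 'permanent'
            if ($Ttl.ContainsKey($Dn)) { $Membership = "time-bound ($($Ttl[$Dn]) s left)" }
            [pscustomobject]@{
                Group       = $GroupName
                Member      = $Member.SamAccountName
                ObjectClass = $Member.objectClass
                Membership  = $Membership
            }
        }
    }
}

function Grant-TemporaryPrivilege {
    # Time-bound membership: the link expires on its own, so no cleanup job is
    # needed and a forgotten grant cannot silently become permanent membership.
    param(
        [Parameter(Mandatory)] [string] $SamAccountName,
        [Parameter(Mandatory)] [string] $GroupName,
        [int] $Minutes = 60
    )
    # The PAM optional feature is required and cannot be disabled once enabled,
    # so refuse to run rather than enabling it as a side effect.
    $Pam = Get-ADOptionalFeature -Identity 'Privileged Access Management Feature'
    if (-not $Pam.EnabledScopes) {
        throw "Enable the feature deliberately first: Enable-ADOptionalFeature 'Privileged Access Management Feature' -Scope ForestOrConfigurationSet -Target <forest DNS name>"
    }
    Add-ADGroupMember -Identity $GroupName -Members $SamAccountName `
        -MemberTimeToLive (New-TimeSpan -Minutes $Minutes)
}

# Usage: list the permanent members that should be removed, then (commented out)
# grant the illustrative account jdoe 30 minutes of Domain Admins membership.
Get-PrivilegedMembershipReport | Where-Object Membership -eq 'permanent' | Format-Table -AutoSize
# Grant-TemporaryPrivilege -SamAccountName 'jdoe' -GroupName 'Domain Admins' -Minutes 30
```

When the Privileged Access Management feature is enabled, the Kerberos TGT lifetime of an account holding a time-bound membership is capped at the shortest remaining TTL, so the privilege actually lapses when the link expires rather than surviving in an already-issued ticket. Run the report on a schedule and treat any new permanent member as a change that needs a ticket behind it.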

Monitoring Active Directory for Signs of Compromise

This section provides information about legacy audit categories and audit policy subcategories (which were introduced in Windows Vista and Windows Server 2008), and Advanced Audit Policy (which was introduced in Windows Server 2008 R2). Also provided is information about events and objects to monitor that can indicate attempts to compromise the environment and some additional references that can be used to construct a comprehensive audit policy for Active Directory. Included in this section are the following subjects:
  • Windows Audit Policy – Windows security event logs have categories and subcategories that determine which security events are tracked and recorded.
  • Audit Policy Recommendations – This section describes the Windows default audit policy settings, audit policy settings that are recommended by Microsoft, and more aggressive recommendations for organizations to use to audit critical servers and workstations.
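As an added example that is not part of the Microsoft document, the PowerShell below enables the Advanced Audit Policy subcategories that record the two classes of events this section is concerned with (changes to privileged group membership, and modification attempts against sensitive directory objects) and then hunts the Security log for them. It is meant to run on a domain controller. The 24-hour window, the watched-group list and the sensitive-object patterns are assumptions; the auditpol calls illustrate the settings, which in production belong in the Default Domain Controllers Policy GPO, since a local auditpol change is overwritten at the next policy refresh when the GPO defines audit policy.

```powershell
# Added example, not part of the Microsoft document. Run on a domain controller.
# Security log event IDs used:
#   4728 / 4732 / 4756  member added to a security-enabled global / domain-local / universal group
#   5136                directory service object modified (requires a SACL on the object)

# Subcategory settings; put the same values in the Default Domain Controllers Policy GPO.
auditpol /set /subcategory:"Security Group Management" /success:enable /failure:enable
auditpol /set /subcategory:"Directory Service Changes" /success:enable /failure:enable

# Assumed watch lists.
$WatchedGroups = @(
    'Enterprise Admins', 'Domain Admins', 'Administrators',
    'Schema Admins', 'Account Operators'
)
$SensitiveObjects = @(
    'CN=AdminSDHolder,CN=System,'   # ACL template for protected groups
    'OU=Domain Controllers,'        # DC computer objects
    'CN=Policies,CN=System,'        # GPO containers
)

function ConvertFrom-EventData {
    # Flatten the <EventData><Data Name=...> elements of one event into a hashtable.
    param([System.Diagnostics.Eventing.Reader.EventRecord] $Event)
    $Data = @{}
    foreach ($D in ([xml]$Event.ToXml()).Event.EventData.Data) { $Data[$D.Name] = $D.'#text' }
    $Data
}

function Get-PrivilegedGroupChanges {
    param([datetime] $Since = (Get-Date).AddHours(-24))
    $Filter = @{ LogName = 'Security'; Id = 4728, 4732, 4756; StartTime = $Since }
    foreach ($Event in Get-WinEvent -FilterHashtable $Filter -ErrorAction SilentlyContinue) {
        $Data = ConvertFrom-EventData $Event
        # In these events TargetUserName is the group, MemberName the DN added.
        if ($WatchedGroups -contains $Data['TargetUserName']) {
            [pscustomobject]@{
                Time    = $Event.TimeCreated
                EventId = $Event.Id
                Group   = $Data['TargetUserName']
                Member  = $Data['MemberName']
                Actor   = "$($Data['SubjectDomainName'])\$($Data['SubjectUserName'])"
            }
        }
    }
}

function Get-SensitiveObjectChanges {
    param([datetime] $Since = (Get-Date).AddHours(-24))
    # 5136 fires only for attributes covered by the object's SACL; audit Write
    # for Everyone on the objects in the watch list (ADSI Edit or dsacls).
    $Filter = @{ LogName = 'Security'; Id = 5136; StartTime = $Since }
    foreach ($Event in Get-WinEvent -FilterHashtable $Filter -ErrorAction SilentlyContinue) {
        $Data = ConvertFrom-EventData $Event
        $Dn = $Data['ObjectDN']
        if ($SensitiveObjects | Where-Object { $Dn -like "*$_*" }) {
            # OperationType is a resource string: %%14674 = value added, %%14675 = value deleted.
            $Operation = switch ($Data['OperationType']) {
                '%%14674' { 'add' }
                '%%14675' { 'delete' }
                default   { $_ }
            }
            [pscustomobject]@{
                Time      = $Event.TimeCreated
                Object    = $Dn
                Attribute = $Data['AttributeLDAPDisplayName']
                Value     = $Data['AttributeValue']
                Operation = $Operation
                Actor     = "$($Data['SubjectDomainName'])\$($Data['SubjectUserName'])"
            }
        }
    }
}

# Usage: review the last 24 hours. A hit on either list outside an approved
# change window is an incident to investigate, not a ticket to close.
Get-PrivilegedGroupChanges | Format-Table -AutoSize
Get-SensitiveObjectChanges | Format-Table -AutoSize
```

The two queries read the local Security log, so in practice they are run against every domain controller (or against a central collector), because a membership change is logged only on the domain controller that processed it.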

Planning for Compromise

This section contains recommendations that will help organizations prepare for a compromise before it happens, implement controls that can detect a compromise event before a full breach has occurred, and provide response and recovery guidelines for cases in which a complete compromise of the directory is achieved by attackers. Included in this section are the following subjects:
  • Rethinking the Approach – Contains principles and guidelines to create secure environments into which an organization can place their most critical assets. These guidelines are as follows:
    • Identifying principles for segregating and securing critical assets
    • Defining a limited, risk-based migration plan
    • Leveraging “nonmigratory” migrations where necessary
    • Implementing “creative destruction”
    • Isolating legacy systems and applications
    • Simplifying security for end users
  • Maintaining a More Secure Environment – Contains high-level recommendations meant to be used as guidelines to use in developing not only effective security, but effective lifecycle management. Included in this section are the following subjects:
    • Creating Business-Centric Security Practices for Active Directory – To effectively manage the lifecycle of the users, data, applications and systems managed by Active Directory, follow these principles.
      • Assign a Business Ownership to Active Directory Data – Assign ownership of infrastructure components to IT; for data that is added to Active Directory Domain Services (AD DS) to support the business, for example, new employees, new applications, and new information repositories, a designated business unit or user should be associated with the data.
      • Implement Business-Driven Lifecycle Management – Lifecycle management should be implemented for data in Active Directory.
      • Classify all Active Directory Data – Business owners should provide classification for data in Active Directory. Within the data classification model, classification for the following Active Directory data should be included:
        • Systems – Classify server populations, their operating system, their role, the applications running on them, and the IT and business owners of record.
        • Applications – Classify applications by functionality, user base, and their operating system.
        • Users – The accounts in the Active Directory installation that are most likely to be targeted by attackers should be tagged and monitored.

Summary of Best Practices for Securing Active Directory Domain Services

The following table provides a summary of the recommendations provided in this document for securing an AD DS installation. Some best practices are strategic in nature and require comprehensive planning and implementation projects; others are tactical and focused on specific components of Active Directory and related infrastructure. Practices are listed in approximate order of priority, that is, practices nearer the top of the table have higher priority. Where applicable, best practices are identified as preventative or detective in nature. All of these recommendations should be thoroughly tested and modified as needed for your organization's characteristics and requirements.
Best Practice | Tactical or Strategic | Preventative or Detective
--- | --- | ---
Patch applications. | Tactical | Preventative
Patch operating systems. | Tactical | Preventative
Deploy and promptly update antivirus and antimalware software across all systems and monitor for attempts to remove or disable it. | Tactical | Both
Monitor sensitive Active Directory objects for modification attempts and Windows for events that may indicate attempted compromise. | Tactical | Detective
Protect and monitor accounts for users who have access to sensitive data. | Tactical | Both
Prevent powerful accounts from being used on unauthorized systems. | Tactical | Preventative
Eliminate permanent membership in highly privileged groups. | Tactical | Preventative
Implement controls to grant temporary membership in privileged groups when needed. | Tactical | Preventative
Implement secure administrative hosts. | Tactical | Preventative
Use application allowlists on domain controllers, administrative hosts, and other sensitive systems. | Tactical | Preventative
Identify critical assets, and prioritize their security and monitoring. | Tactical | Both
Implement least-privilege, role-based access controls for administration of the directory, its supporting infrastructure, and domain-joined systems. | Strategic | Preventative
Isolate legacy systems and applications. | Tactical | Preventative
Decommission legacy systems and applications. | Strategic | Preventative
Implement secure development lifecycle programs for custom applications. | Strategic | Preventative
Implement configuration management, review compliance regularly, and evaluate settings with each new hardware or software version. | Strategic | Preventative
Migrate critical assets to pristine forests with stringent security and monitoring requirements. | Strategic | Both
Simplify security for end users. | Strategic | Preventative
Use host-based firewalls to control and secure communications. | Tactical | Preventative
Patch devices. | Tactical | Preventative
Implement business-centric lifecycle management for IT assets. | Strategic | N/A
Create or update incident recovery plans. | Strategic | N/A
  Source & Reference – Microsoft Executive Summary