Active Directory Security Best Practices
Protecting Active Directory (AD) is a critical focus for security teams due to its central role in numerous vulnerable functions, including authentication, authorization and network access. Each time users, applications, services and IoT devices access enterprise systems, they rely on Active Directory.
In a recent security incident, identity management platform Okta suffered an intrusion into its customer support system, exposing sensitive data such as the names and email addresses of all users. This event raises concerns about potential security vulnerabilities that could be exploited to manipulate or compromise user authentication and access controls. Organizations dependent on Okta for seamless integration with Active Directory may encounter challenges in maintaining the security of their AD environment, as compromised credentials or authentication mechanisms could potentially be leveraged to access AD resources.
Adversaries exploit weaknesses in AD security not only to gain access to a network but also to escalate their privileges, move laterally between endpoints and other systems, deploy malware payloads, and more.
To thwart attackers at every step, use the following Active Directory security best practices checklist.
Secure your domain controllers
A domain controller (DC) is a server that authenticates users by checking their credentials against stored data, and also authorizes (or denies) requests to access various IT resources. That functionality makes DCs a primary target for cybercriminals.
Best practices for securing Active Directory domain controllers include the following:
- Have at least two domain controllers in each Active Directory domain for fault tolerance and high availability.
- Consider deploying read-only DCs in branch offices or other locations with limited connectivity to the main data center to improve security and performance.
- Place domain controllers in different physical locations to ensure that they are not all affected by a single point of failure, such as a power outage or natural disaster.
Access and traffic control
- Restrict physical access to DCs using measures such as locked server rooms and access control systems.
- Use network segmentation to isolate DCs from other parts of the network and limit access to only authorized systems and administrators.
- Implement firewalls to restrict inbound and outbound traffic to DCs, allowing only necessary communication between DCs and other network resources.
- Isolate DCs from the internet by configuring firewalls and routers to block outbound traffic from DCs to the internet. If internet access is required for a domain controller, use a proxy server to control access; configure the proxy server to allow only necessary traffic and block all other traffic, and implement DNS filtering to prevent communication with known malicious domains.
Configuration and updates
- Standardize DC configuration. For example, use build automation through deployment tools such as System Center Configuration Manager.
- Do not install additional server roles or software on DCs, since that can lead to resource contention, instability and performance degradation. If additional software or server roles are required, deploy separate member servers or application servers for running applications or hosting additional services.
- Regularly update DCs with the latest security patches and updates to protect against security vulnerabilities.
- Upgrade the operating systems of your DCs regularly. However, thoroughly plan and test the upgrade process in a non-production environment to identify and mitigate potential issues.
Monitoring and recovery
- Use monitoring tools to track the performance of DCs and ensure that they are functioning optimally.
- Regularly back up the data on domain controllers to enable recovery in the event of a hardware failure or other issue.
Establish a robust password policy
Active Directory allows you to define fine-grained password policies using factors like password length and complexity requirements. Follow the following NIST password guidelines:
- Passwords should contain at least eight characters when set by a human and six characters when set by an automated system or service.
- Using one strong password is more effective than regularly updating weak passwords.
- Avoid complexity requirements that are not user-friendly, since they can lead to users creating weak passwords or storing their passwords in a non-secure way (such as on a sticky note on their desk). Instead, encourage users to choose long passphrases that are easy to remember.
- Monitor administrative password resets. Unusual password reset activity can signal a compromise of the administrator account.
- Calibrate your account lockout settings, applying stricter settings to accounts that have access to valuable data and critical applications. That way, an attacker who attempts to compromise an admin account will be locked out after just a few failed attempts, but a regular user who mistypes their password a few times will not get locked out and need to reset their password before they can get back to work.
- Consider investing in a password manager that makes it easy for users to have strong, unique passwords without increasing the burden on your helpdesk from frequent account lockouts.
Use a different local administrator password on each machine
All too often, organizations create a generic local admin user ID with the same password on every machine, which enables a bad actor who compromises one machine to also compromise others. With the right tools you can easily set a different local admin password on each device.
In particular, Local Administrator Password Solution (LAPS) automatically generates and manages unique, complex passwords for local administrator accounts. These passwords are stored securely in Active Directory and can be retrieved only by authorized users or systems. LAPs offers the following additional benefits:
- LAPS supports the automatic rotation of local administrator passwords at regular intervals, reducing the useful life of a compromised password.
- Administrators can delegate permissions for retrieving local administrator passwords based on users’ roles and responsibilities.
- LAPS integrates seamlessly with Active Directory, leveraging its security features and access controls to manage the storage and retrieval of local administrator passwords.
- LAPS maintains an audit trail of password retrieval activities to facilitate investigations and accountability.
- LAPS can be configured and managed through Group Policy, which provides a centralized and scalable approach to deploying and managing local administrator passwords across the organization.
Control access rights
Security groups are the recommended way to control access to resources. Instead of assigning access rights directly to user accounts one by one, you assign permissions to security groups and then make each user a member of the appropriate groups. Follow these best practices:
- Rigorously follow a least privilege model, giving each user only the minimum permissions they need to complete their tasks.
- Create guest accounts with minimum privileges.
- Have data owners regularly review security group membership to ensure that only the right users are members of each group.
- Establish an AD delegation model following best practices.
- Closely monitor changes to the membership of security groups, especially those that have permissions to access, modify or remove sensitive data.
- Monitor for suspicious modifications to AD accounts.
- Immediately disable accounts for employees who leave the organization.
- Monitor inactive accounts and disable them if necessary.
Pay special attention to privileged accounts
Naturally, attackers are particularly interested in gaining access to accounts that have administrative privileges or access to sensitive data, such as customer records or intellectual property. Therefore, it’s critical to be especially vigilant about these powerful accounts. Best practices include the following:
- Tightly restrict membership in Domain Admins and other privileged groups in accordance with the principle of least privilege.
- Train admins to use their administrative accounts only when absolutely necessary to reduce the risk of credential theft.
- Ideally, implement a privileged account management (PAM) solution. If that is not possible, keep only the default account in the groups like Domain Admins and place other accounts in that group only temporarily, until they have completed their work.
- Regularly review the use of privileged accounts to ensure that they are only used for authorized purposes and that access is granted on a need-to-know basis.
- Implement strong password policies and management practices for privileged accounts, including regular password changes and the use of complex passwords.
- Require privileged users to use a secure admin workstation (SAW) to perform administrative tasks. SAWs enhance security through features such as strong authentication, encryption and monitoring. Restrict access to SAWs to authorized personnel with administrative responsibilities and implement strong access controls to prevent unauthorized use. Physically and logically isolate SAWs from standard user workstations and networks to reduce the risk of malware infection and unauthorized access.
Monitor Active Directory for signs of compromise
Active Directory is a busy place. To spot attacks, it’s essential to know what to look for in all the event data. Here are the top five things to monitor:
User account changes
Be on the lookout for unusual modifications to an AD user account. Consider investing in a tool that can help you answer the following questions:
- What changes were made to which user accounts?
- Who performed each change?
- When did the change happen?
- Where was the change made from?
Password resets by administrators
Administrators should always follow established best practices when resetting user credentials. A robust monitoring tool helps answer questions like:
- Which user accounts had their passwords reset?
- Who reset each password?
- When did the reset happen?
- Where did the admin reset the password?
Changes to security group membership
Unexpected changes to security group membership can indicate malicious activity, such as privilege escalation or other insider threats. You need to know:
- Who was added or removed?
- Who made the change?
- When did the change happen?
- Where was the security group change made?
Logon attempts by a single user from multiple endpoints
Attempts by a single user to log on from different endpoints is often a sign that someone has taken control of their account or is trying to. It is vital to flag and investigate this activity to find out:
- Which account attempted to log on from multiple endpoints?
- What were those endpoints?
- How many attempts were made from each endpoint?
- When did the suspicious activity begin?
Changes to Group Policy
A single improper change to Group Policy can dramatically increase your risk of a breach or other security incident. Using a tool to monitor this activity will make it easy to answer pressing questions like:
- What changes have been made to Group Policy?
- Who performed each change?
- When was each change made?
Disable SMBv1 and restrict NTLM
Devices running Microsoft Windows primarily use the SMB (Server Message Block) communications protocol. However, research shows that SMB is being used for intrusion by remote code execution, so it is recommended to disable SMBv1 and use only latest versions of SMB.
Similarly, NTLM is an old authentication protocol that attackers use for credential theft. If possible, replace NTLM entirely with the newer Kerberos protocol. At a minimum, eliminate use of NTLMv1.
LSASS (Local Security Authority Subsystem Service) is a Windows process that is responsible for multiple security-related tasks: verifying user credentials during logon; enforcing password complexity, expiration and lockout policies; managing security tokens that grant access to resources; and implementing the Kerberos authentication protocol. Best practices for protecting LASAA include the following:
- Regularly apply security updates and patches to the operating system to address vulnerabilities that could be exploited to compromise LSASS.
- Deploy reputable antivirus and anti-malware solutions on all systems to detect and prevent malicious software from targeting LSASS.
- Enable Windows Credential Guard, a security feature in Windows that helps protect LSASS and credentials from theft by malware.
Run only supported operating systems and keep them updated
It's important to use only supported operating systems that receive regular security updates and patches to reduce the risk of security vulnerabilities and ensure access to technical assistance and guidance for security-related issues.
In addition, ensure that all operating systems in your environment are regularly updated with the latest security patches and updates provided by the vendor.
Clean up Active Directory
Active Directory security best practices for cleanup include the following:
- Identify and remove any stale or unused user accounts and computer accounts from Active Directory to prevent adversaries from misusing them and avoiding detection.
- Establish processes to ensure that a user’s account is promptly disabled when they leave the organization.
- Remove any unnecessary security groups to thwart privilege escalation attempts.
- Document the cleanup processes and establish regular schedules for reviewing and maintaining Active Directory to ensure ongoing security and efficiency.
Audit Active Directory
Below are some best practices for auditing Active Directory:
- Ensure that auditing is enabled in Active Directory to track changes and access to directory objects. This can be done through Group Policy settings or directly in the Active Directory Users and Computers console.
- Configure audit policies based on the specific security and compliance requirements of your organization. In particular, audit changes to user accounts, group memberships, permissions, and critical Group Policy objects.
- Regularly review the audit logs generated by Active Directory to identify any suspicious changes or other unusual activity. Promptly investigate any potential security threats.
- Consider implementing a real-time monitoring solution that will provide immediate alerts for critical security events and automated threat response to anticipated AD threats.
- Consider using automated tools to generate regular audit reports, which can help in tracking compliance, demonstrating due diligence, and identifying trends or patterns in directory activity.
Perform patch management
Establish a process for promptly receiving and deploying security patches for Active Directory and other critical systems. Prioritize patch deployment based on the severity of the vulnerability and the potential impact on the organization.
Test patches in a non-production environment before deploying them in production to ensure that they do not cause any compatibility or stability issues.
Perform vulnerability scanning and pen testing
Conduct regular vulnerability scans of Active Directory and other critical systems to identify potential security weaknesses. Prioritize vulnerabilities based on severity and potential impact on your organization. Remediate vulnerabilities by applying security patches, implementing security controls or taking other measures. Consider using automated tools to conduct vulnerability scanning to streamline the process and reduce the risk of human error.
Also conduct regular penetration testing to identify potential vulnerabilities and assess the effectiveness of your security controls.
Lock down service accounts
Service accounts are used to run services, scheduled tasks and applications. To reduce security risks, assign each service account the minimum necessary permissions to perform its specific functions. In addition, enforce strong password policies that include complexity requirements and restrictions on password reuse, and require regular password changes.
Service accounts should be configured to disallow interactive logon. They should not be used for interactive sessions or console logins, as they are intended for running services and background tasks.
Use managed service accounts (MSAs) whenever possible
Managed service accounts (MSAs) automatically generate and manage strong, complex passwords, eliminating the need for manual password management and reducing the risk of password-related security issues. The password is automatically managed and rotated by the domain controllers. MSAs can be easily deployed and managed using PowerShell commands or Group Policy, making them a scalable and efficient solution.
Implement multifactor authentication (MFA)
MFA increases security by requiring users to authenticate using two or more different methods, such as a code from a hardware or software token or SMS message, biometrics, and push notifications to mobile devices. Consider factors such as ease of use, scalability and compatibility with your existing infrastructure, including Active Directory.
Define MFA policies based on user roles, groups or specific security requirements. For example, you may want to enforce MFA for all privileged accounts, remote access requests or specific applications.
- Secure DNS by using Active Directory-integrated DNS zones. This provides enhanced security through access control lists (ACLs) and secure dynamic updates.
- Implement Domain Name System Security Extensions (DNSSEC) to add an extra layer of security to DNS. DNSSEC helps protect against DNS spoofing and cache poisoning attacks by digitally signing DNS data.
- Configure DNS servers to restrict zone transfers to authorized servers. Limiting zone transfers helps prevent unauthorized access to DNS zone data.
- Utilize DNS filtering and protection solutions to block malicious domains and prevent access to known malicious websites. This can help protect against malware, phishing and other security threats.
- Deploy a DNS firewall to filter and block malicious DNS traffic. DNS firewalls can help protect against DNS-based attacks and mitigate the risk of data exfiltration.
- Keep DNS servers up to date with the latest security patches and updates to fix vulnerabilities and guard against known exploits.
Force RDP to use TLS encryption
Remote Desktop Protocol (RDP) is a popular protocol used to remotely access Windows-based systems. By default, RDP uses encryption to secure communications between the client and the server. However, it is recommended to enforce the use of Transport Layer Security (TLS) encryption for RDP to enhance security. Install and configure an SSL/TLS certificate on the Remote Desktop Gateway server. This certificate will be used to encrypt communications between the client and the server.
Implement a backup and disaster recovery plan for Active Directory
A disaster or outage that affects AD can have serious consequences for the organization's operations. Implementing a disaster recovery plan for AD can help ensure business continuity in the event of a disaster. Be sure to include backup and recovery procedures, failover and failback procedures, communication and notification procedures. testing of backup and recovery procedures, and offsite storage of backup data.
Other AD best practices related to backup and recovery include the following:
- Back up Active Directory on a regular schedule. Windows Server includes a built-in backup feature that can be used to back up Active Directory. You can use the "Windows Server Backup" tool to perform system state backups, which include AD data. However, third-party backup solutions specifically designed for Active Directory offer additional features and flexibility.
- In particular, ensure that you back up the domain controllers holding the FSMO roles, as these are critical for AD operations.
- Ensure that backup data is securely stored. This includes protecting backup media from physical damage, encrypting backup data and restricting access to backup files to authorized personnel.
- Document the backup procedures for Active Directory, including the backup schedule, retention requirements and any specific considerations for your environment.
Enable Windows Firewall on all systems
Enable Windows Firewall on all systems to help protect against unauthorized access and network-based threats.
- Use Group Policy to centrally manage and enforce Windows Firewall settings across all systems in your network.
- Create firewall rules to allow or block specific types of traffic based on your organization's security policies. For example, you can create rules to allow inbound and outbound traffic for specific applications, services or ports, while blocking unnecessary or potentially risky traffic.
- Use the Windows Firewall with Advanced Security console to configure advanced settings such as connection security rules, authentication exemptions, and custom firewall rules that provide granular control over network traffic.
Deploy antivirus and antimalware tools and keep them updated
Choose reliable antivirus and antimalware software that is compatible with Active Directory and meets the security needs of your organization.
Install the antivirus and antimalware software on a server within the Active Directory environment. Ensure that the software is configured to scan and protect all the systems and devices connected to the Active Directory network.
Set up automatic updates for the antivirus and antimalware software to ensure that it is always up to date with the latest virus definitions and security patches.
Secure network communication
- Configure Active Directory to use SSL/TLS for LDAP communication to encrypt data transmitted between clients and domain controllers.
- Use Internet Protocol Security (IPsec) to secure network traffic between domain controllers, ensuring that data is encrypted and authenticated.
- Enable Server Message Block (SMB) signing to ensure that data transferred over the network is signed and validated, preventing tampering and unauthorized access.
- Configure Active Directory to use Kerberos authentication, which provides secure mutual authentication between clients and domain controllers.
Implement virtual private networks (VPNs) for your intranet based on the needs of your organization, including the number of remote users, types of applications accessed and the level of security required. When selecting a VPN solution, also think about ease of maintenance, security features and scalability. Install and configure VPN client software on remote users' devices and ensure that they can securely connect to the VPN servers within the intranet.
Isolate legacy systems and applications
Physically or logically segregate legacy systems and applications from the rest of the network to limit security risks. Create separate organizational units (OUs) in AD for legacy systems and applications so you can easily apply Group Policy settings and access controls tailored to their requirements.
Decommission legacy systems and applications
Evaluate the usage, business impact and security risks of legacy systems and applications and develop a plan to decommission them if possible. Notify users and stakeholders about the details, including timelines, alternative solutions and potential impacts on their workflows. Be sure to archive any data that is no longer needed but must be retained for compliance or historical purposes.
The Active Directory security best practices laid out here are essential to strengthening your security posture. Careful management of activities across the entire network that affect AD security will enable you to reduce your attack surface area and to promptly detect and respond to threats.