In a Windows-based domain, Active Directory is the central management tool that controls which users may access which servers and which services those servers offer. Security in a Windows infrastructure should therefore start with securing Active Directory. Most of that work concerns the security settings of the domain controllers themselves, but other components of the network environment, such as DNS and file servers, also play a vital role in an Active Directory based environment. Broadly, to judge how secure an Active Directory configuration is, you need to know and test the Windows Server configurations and the services listed below.
- Server configurations: Every Windows server has a basic configuration covering administrator accounts, network settings, file sharing and so on. Also check the configuration of the workstations managed by the Active Directory you are reviewing.
- Services: List the servers that provide specific functionality or services to the network such as DHCP, DNS, Exchange, and File Servers.
- Rename the default administrator account and disable the guest account.
- When assigning permissions on domain objects, always use global or universal groups. Never use a local group to set permissions on a domain object.
- Check the default user groups and their members. Remove unnecessary groups and the default user rights that go with them.
- Physical security of the servers and server rooms.
- User management policy and security monitoring.
- Whether your domain is protected by anti-virus or anti-malware software.
- Take regular backups of your domain controllers.
- Check whether server software is updated with the Microsoft recommended security patches.
- Secure your DNS. Although it is a separate service and may reside on servers that do not host Active Directory, DNS is what Active Directory clients use to locate domain controllers and other necessary services in the network.
Check the following, and disable whatever is not needed:
- All drives on a server hosting Active Directory must be formatted with NTFS.
- Disable SMTP protocols
- Disable boot from any removable devices except the boot disk.
- Run only the services the server needs and disable the rest. Services that can usually be disabled include IIS, SMTP, Fax, Indexing Service, Shell Hardware Detection, Distributed Link Tracking Client, Upload Manager, Portable Media Serial Number, Windows Audio and Utility Manager.
- Allow only secure DNS updates
Note: the primary aim of this article is to familiarize you with the most useful security settings of Active Directory, not with a full Active Directory audit. The settings apply to both Windows Server 2003 and Windows Server 2008.
Before you start hardening Active Directory, collect the complete topology of your network, including the number of domains, sub-domains and forests. Also establish whether Active Directory is used only locally or whether external offices of your organization are also covered by it. In addition, list the administrators: service admins, data admins, enterprise admins, domain admins, backup operators and forest owners.
Active directory security checklist:
- The domain controller logon policy should grant the "log on locally" and "shut down the system" privileges to the following groups: Administrators, Backup Operators and Server Operators.
- The domain controller security policy should be defined in a separate GPO, which should be linked to an OU of domain controller.
- In the domain controller security policy, disable storage of LAN Manager hash values: never store LM hashes.
- You can learn about the best practices for securing Active Directory on Microsoft's TechNet page.
- Set the domain account lockout duration to '0' (the account stays locked until an administrator unlocks it) and the lockout threshold to three.
- Check the domain Kerberos policy for logon restrictions and for the maximum lifetime of service tickets and user tickets. Also check the clock synchronization tolerance; ideally it is 3 to 5 minutes.
- Check the domain controller event log policy, paying particular attention to log retention time and log access. Prevent the Guests group from accessing the log.
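The following read-only audit script is an added example, not part of the original article, that reports on several of the checklist items above (renamed administrator, disabled guest, lockout policy, LM hash storage and secure-only DNS updates). It assumes it runs on a domain controller with the ActiveDirectory and DnsServer PowerShell modules available, which means a newer server than the 2003/2008 versions the article targets; the function name Test-AdChecklist is our own.

```powershell
# Added example (not from the original article): read-only audit of checklist items.
# Assumes a domain controller with the ActiveDirectory and DnsServer modules (RSAT).
# Nothing here changes any setting; each check yields a finding object for review.
Import-Module ActiveDirectory
Import-Module DnsServer

function Test-AdChecklist {
    $domain   = Get-ADDomain
    $sid      = $domain.DomainSID.Value
    $findings = @()

    # Built-in Administrator is always RID 500, Guest RID 501, whatever they are named
    $admin = Get-ADUser -Identity "$sid-500"
    $guest = Get-ADUser -Identity "$sid-501"
    $findings += [pscustomobject]@{ Check = 'Default administrator renamed'
        Pass = ($admin.SamAccountName -ne 'Administrator'); Value = $admin.SamAccountName }
    $findings += [pscustomobject]@{ Check = 'Guest account disabled'
        Pass = (-not $guest.Enabled); Value = $guest.Enabled }

    # Lockout policy as the checklist states: threshold 3, duration 0 (until admin unlock)
    $pol = Get-ADDefaultDomainPasswordPolicy
    $findings += [pscustomobject]@{ Check = 'Lockout threshold 1..3'
        Pass = ($pol.LockoutThreshold -gt 0 -and $pol.LockoutThreshold -le 3)
        Value = $pol.LockoutThreshold }
    $findings += [pscustomobject]@{ Check = 'Lockout duration 0 (until admin unlock)'
        Pass = ($pol.LockoutDuration -eq [TimeSpan]::Zero); Value = $pol.LockoutDuration }

    # NoLMHash = 1 under the LSA key means LAN Manager hashes are no longer stored
    $lsa = Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa' `
        -ErrorAction SilentlyContinue
    $findings += [pscustomobject]@{ Check = 'LM hashes not stored (NoLMHash = 1)'
        Pass = ($lsa.NoLMHash -eq 1); Value = $lsa.NoLMHash }

    # Every AD-integrated forward zone should accept only secure dynamic updates
    $zones = Get-DnsServerZone | Where-Object { $_.IsDsIntegrated -and -not $_.IsReverseLookupZone }
    foreach ($zone in $zones) {
        $findings += [pscustomobject]@{ Check = "Secure-only DNS updates: $($zone.ZoneName)"
            Pass = ($zone.DynamicUpdate -eq 'Secure'); Value = $zone.DynamicUpdate }
    }
    return $findings
}

# Usage: run in an elevated PowerShell session on a domain controller
Test-AdChecklist | Format-Table Check, Pass, Value -AutoSize
```

Any row with Pass set to False points at a checklist item that still needs attention; the Kerberos and event log items remain a manual review of the domain controller GPO.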
Recap: Never forget to patch your servers with the latest Microsoft security releases. If possible, rehearse your disaster recovery plan in a test environment and make sure backups are kept in a secure place. Finally, learn as much as you can about Active Directory: it is one of the largest and most complex areas of the Windows client-server model, and even when you are improving the security of other services such as DHCP, DNS or load balancing, knowledge of Active Directory will always play a vital role in designing a network security policy.