Best Active Directory Security Best Practices Checklist

Organizations with information technology (IT) infrastructure are not safe without security controls. Credential theft, malware, ransomware and other security breaches are a few of the methods attackers use to gain access to privileged accounts on a computer in your network. These techniques are used to exploit vulnerabilities in your systems, and the result can be a complete shutdown of business operations along with negative PR. Thus, to reduce the Active Directory attack surface and to monitor for signs of compromise, we have listed the best AD security practices, with solutions for both infrastructure security and cloud security.
AD Security Best Practices

In this post, we have listed an Active Directory Security Best Practices checklist that will assist organizations in enhancing AD security. These practices will also enable administrators to discover malicious attempts and to identify and prioritize security activities. Follow the AD best practices listed below to improve and secure your Windows AD domain environment.

1. Restrict the use of Domain Admins and other Privileged Groups
Domain Admins and other Privileged Groups in Active Directory have a few powerful members that can access an entire domain, its systems, and its data. Apart from the default Domain Administrator account, avoid having day-to-day user accounts in Privileged Groups. Cracking user credentials has become easier for attackers, so remove an account from the DA group once the work is done, or ideally create a custom role group that only has permission to perform the required changes. Domain Admin accounts are what attackers often seek out: if an attacker gains access to any single system, they can move within the network and seek higher permissions such as domain admin privileges. So, be careful and limit the use of Domain Admins and the other Privileged Groups. The same rule applies to the Enterprise Admins, Backup Admins, and Schema Admins groups.

Regularly monitor the users in your Domain Admins group. Review privileged access with your IT team and shortlist the users, with a use case for why each one should be in this group. It can be challenging but is one of the best ways to reduce the attack surface. Click here to learn how to limit the use of Domain Admins and other groups.

2. Use a minimum of two accounts (Regular and Administrator account)

Remember, doing without Domain Admin rights is not easy: rights to systems like DNS, DHCP, Exchange, Group Policy, etc. cannot be delegated easily, which is why most users end up with Domain Admin rights. Hence, instead of having only one local admin account with privileged access, create a separate regular account with no admin rights. Also, avoid adding the regular secondary account to the Domain Admins group on a permanent basis. Practice the least-privilege administrative model, under which all users log in with the minimum permissions needed to finish the work. We recommend using the regular account for day-to-day tasks and removing the account from the Domain Admins group once the work is done.
Further, we recommend using the privileged Domain Admin account only to perform domain administrative tasks such as building domain controllers, DC authoritative restores, editing the AD schema, etc.

Regular account and Administrator accounts

Regular User Access Account

Users should NOT have any admin access to their desktop/laptop or to any systems within your network. They should have only the basic access needed to use applications/systems in their day-to-day role, for example:
Administrator Account

In most cases the only people who would have an admin account are IT staff. Even IT staff should have a regular user account and NEVER log on with their admin account for routine work. When a user needs to make a change on their laptop/desktop that requires admin-level access, that is when they can use their admin account (privileged access) to make the change. The screenshot below shows this example. Admins will generally need a domain admin account to perform the following in their role:
Figure: Privileged Access Model

3. Secure the Domain Administrator Account (Admin)

Each domain has an Administrator account responsible for domain setup and disaster recovery, called the 'Domain Administrator account'. This account is, by default, a member of the Domain Admins group and, if the domain is the forest root domain, also a member of the Enterprise Admins group.

What is a Domain Administrator?

A domain administrator has the highest privileges within your Microsoft network and can make the most changes on your Microsoft systems; in the wrong hands it can cause the most damage. It can modify the configuration of your Active Directory servers and any content stored in Active Directory, including creating users, deleting users, and changing their permissions. This account should only be used for restoring Active Directory. Thus, anyone who requests access to servers or AD must use their individual admin accounts. Those admin accounts should then be placed in a security group that has permissions to the servers/systems they need in order to do their job role. For the domain admin account use a long password of 20+ characters. Ideally the domain admin account's password should be locked away so that only senior staff members know it, for emergencies. Other ways to keep the account secure are to require a smart card for logon and to deny log on as a service, as a batch job, and through RDP. Apply these settings through group policy to all computers. Read this guide to secure the Domain Administrator account.

Figure: Configure GPOs to restrict Administrator accounts on computers

4. Deactivate the Local Administrator Account on all Computers

You do not normally require the built-in local Administrator account, so it is recommended to disable it. Firstly, even if you rename it, attackers can still identify the well-known account via its SID, which always ends in the relative identifier 500.
Secondly, the account is often configured with the same password on every computer, which makes it easy for attackers to identify and crack. Thus, if you have to perform admin tasks, we recommend creating an individual account and using that instead. Note that the built-in local Administrator account can still be used in Safe Mode even when it is disabled. Also, if for any reason you can't disable the local admin account, apply the following GPO settings to deny the account these logon rights, or alternatively use the Microsoft LAPS tool.
Create GPO to Deny local admin account on all domain computers

Within Group Policy Management, right-click the OU containing the computers you want to apply the GPO to and select New:
The GPO setting to apply is as follows: click User Rights Assignment, then configure the user rights to prevent the local Administrator account from accessing member servers and workstations over the network by doing the following:
Apply the same setting to:
5. Install Local Administrator Password Solution (LAPS)

Figure: How LAPS Works with Active Directory

Most administrators are switching to the Local Administrator Password Solution (LAPS) for managing local admin passwords. LAPS is a popular Microsoft tool that builds on your existing Active Directory infrastructure. It sets a unique password for the local admin account on each computer and stores it in Active Directory, and there is no requirement to install additional servers for LAPS to run: it performs all management tasks using a Group Policy client-side extension.

LAPS Benefits
6. Try Using a Secure Admin Workstation (SAW)

Figure: Secure Admin Workstation (SAW) enforcements

A secure admin workstation should be used only with privileged accounts to perform administrative tasks such as group policy, AD administration, management of DNS and DHCP servers, Office 365 administration, etc. It is not used for checking email or browsing the internet. Using daily-use workstations for admin-level tasks on your network is very risky, so use a Secure Admin Workstation (SAW) to protect privileged accounts from attackers. You can additionally use Privileged Access Workstations (PAW) and jump servers to make the environment harder for attackers to compromise. Also enable full disk encryption, block internet access, use a host firewall, etc. To be extra careful, use a computer with a minimal OS such as Windows Server Core, in the cloud, as your secure admin workstation with the following configuration:
Can You Benefit from Implementing a Secure Admin Workstation?

All domain users and computer operators benefit from using a secure workstation. An attacker who compromises a PC or device can impersonate or steal the credentials/tokens of every account that uses it, undermining many or all other security assurances. For administrators or sensitive accounts, this allows attackers to escalate privileges and increase the access they have in your organization, often dramatically, up to domain, global, or enterprise administrator privileges.

Secure Device Roles and Profiles

Figure: Secure Workstation Deployment Levels

Enterprise Device

This role is ideal for general users who need general access for their day-to-day tasks, for example email, internet and applications. An anti-malware and endpoint detection and response (EDR) solution such as Microsoft Defender for Endpoint is required, and a policy-based approach is taken to increase the security posture. It provides a secure means to work with customer data while also using productivity tools like email and web browsing. Audit policies and Intune allow you to monitor an Enterprise workstation for user behavior and profile usage.

Specialized Device

This device is the next level up, with an enhanced security profile: no local admin privileges, and only approved applications are allowed to run. Users are blocked from installing any applications or running any programs from unapproved locations. The Specialized security user demands a more controlled environment while still being able to do activities such as email and web browsing in a simple-to-use experience. These users expect features such as cookies, favorites, and other shortcuts to work but do not require the ability to modify or debug their device operating system, install drivers, or similar.

Privileged Access Workstation (PAW)

This device profile is the most secure, with the highest restrictions.
This device has no local admin access, no internet access and a restricted set of applications; no productivity apps. This role is designed for extremely sensitive roles that would have a significant or material impact on the organization if the account were compromised. The attack surface is very low. A Privileged workstation is a hardened workstation with clear application control and Application Guard. The workstation uses Credential Guard, Device Guard, Application Guard, and Exploit Guard to protect the host from malicious behavior. All local disks are encrypted with BitLocker and web traffic is restricted to a limited set of permitted destinations (deny all by default).

7. Setup / Enable Audit Policy Settings with Group Policy (GPO)

Workstations are a common starting point for malicious activity. If you do not run proper auditing and logging on your computers and servers, you may miss the early signs of an attack. To avoid a security breach, configure Audit Policy settings via group policy for all computers and servers. On Windows 10 and Windows Server, advanced security audit policy settings can be set via Group Policy or through the Local Security Policy snap-in (MMC): open Computer Configuration, click Policies, select Windows Settings, then Security Settings, and choose Advanced Audit Policy Configuration to change the settings.
You should apply the following Audit Policy settings:
Full instructions for setting up these GPOs can be found at this link.

8. Monitor Active Directory for Signs of Compromise

There are various events and objects that can indicate attempts at compromise, which is why you should constantly monitor Active Directory. By doing so, an organization can prevent breaches from occurring or stop attacks at the initial stages. Abnormal behavior indicates a potential or in-progress attack, and a proactive approach to detecting abnormal behavior or compromise on the network can save you from major losses. Make sure to monitor the Active Directory events listed below every week.
Figure: Example of AD log monitoring tool by Nagios

Collect all logs in one place and run log analysis software. This lets you monitor all the points listed above at once, quickly spot suspicious activity and generate reports. You should also set up audit policy to monitor the following:
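The weekly privileged-group review from section 1 and the group-change alerting this section (and section 26) call for can both be scripted; the block below is an added example, not the post's own tooling. It assumes the ActiveDirectory RSAT module, a baseline folder and group list that you adjust, and that the event query is run against a domain controller's Security log.

```powershell
# Added example (not from the original post): point-in-time review of privileged
# group membership against an approved baseline, plus a query of recent
# group-membership change events from a domain controller's Security log.
# Assumes the ActiveDirectory module (RSAT) and a baseline folder you maintain.
Import-Module ActiveDirectory

# Groups reviewed; adjust to your environment.
$PrivilegedGroups = 'Domain Admins', 'Enterprise Admins', 'Schema Admins', 'Administrators'

# Baseline of approved members: one file per group, one SamAccountName per line.
# The path is an assumption for this example.
$BaselineDir = 'C:\AdSecurity\Baselines'

function Get-PrivilegedGroupDrift {
    param([string[]]$Groups = $PrivilegedGroups, [string]$BaselinePath = $BaselineDir)
    foreach ($g in $Groups) {
        # -Recursive expands nested groups, which is where unexpected admins usually hide.
        $current = Get-ADGroupMember -Identity $g -Recursive |
                   Select-Object -ExpandProperty SamAccountName | Sort-Object -Unique
        $file = Join-Path $BaselinePath "$g.txt"
        $approved = if (Test-Path $file) { Get-Content $file | Where-Object { $_ } } else { @() }
        $added   = $current  | Where-Object { $_ -notin $approved }
        $removed = $approved | Where-Object { $_ -notin $current }
        [pscustomobject]@{
            Group   = $g
            Added   = ($added -join ', ')
            Removed = ($removed -join ', ')
            Count   = $current.Count
        }
    }
}

# Security events written on the DC that processed the change:
# 4728 = member added to a security-enabled global group (Domain Admins, Schema Admins)
# 4756 = member added to a security-enabled universal group (Enterprise Admins)
# 4732 = member added to a security-enabled local group (Administrators)
function Get-PrivilegedGroupChangeEvents {
    param([int]$Hours = 24, [string[]]$Groups = $PrivilegedGroups, [string]$ComputerName = $env:COMPUTERNAME)
    $filter = @{ LogName = 'Security'; Id = 4728, 4732, 4756; StartTime = (Get-Date).AddHours(-$Hours) }
    Get-WinEvent -ComputerName $ComputerName -FilterHashtable $filter -ErrorAction SilentlyContinue |
      ForEach-Object {
        # Pull the named EventData fields out of the event XML.
        $x = [xml]$_.ToXml()
        $d = @{}
        foreach ($n in $x.Event.EventData.Data) { $d[$n.Name] = $n.'#text' }
        [pscustomobject]@{
            Time      = $_.TimeCreated
            EventId   = $_.Id
            Group     = $d['TargetUserName']   # group that was modified
            Member    = $d['MemberName']       # DN of the account added
            ChangedBy = $d['SubjectUserName']  # who made the change
        }
      } | Where-Object { $_.Group -in $Groups }
}

Get-PrivilegedGroupDrift | Format-Table -AutoSize
Get-PrivilegedGroupChangeEvents -Hours 168 | Format-Table -AutoSize
```

Run the drift check on a schedule and treat any non-empty Added column, or any event whose ChangedBy is not a known administrator, as something to investigate.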
9. Enforce Password Complexity with Passphrases

An 8-character password is no longer secure. Instead, we recommend using passphrases (two or more random words put together) with a minimum of 16 characters. You can also include numbers and symbols; it is not mandatory but can be helpful. Always remember: the longer your password, the harder attackers will find it to crack. Avoid using a sentence where an attacker can easily guess the next word. Avoid passwords like Summer2022! or March2022$; these are quite easy to crack. Long passwords built with the passphrase technique are a great combination and can save your systems from attackers.

Password Policy Best Practice

Use passphrases instead of an 8-character complex password. Research has shown that long passphrases are much more secure because they have more randomness and are harder for attackers to guess. Some points to consider to improve your users' password security:
Domain Password Policy GPO Settings

To configure your domain password policy, open the Default Domain Policy within your Group Policy Management console, as can be seen in our domain:

Figure: Default Domain Policy

Right-click the Default Domain Policy and select Edit. Browse to the following password settings:

Figure: Password Policy GPO Settings

10. Use Security Group Naming Conventions

For easy management, assign permissions to resources with security groups. Secondly, avoid generic names for security groups, for example HR_Local. Generic names can be applied to all types of resources and are easily targeted. Prefer descriptive group names to protect your information from attackers and keep full control of security. Descriptive security group names help to determine what the group is used for, such as 'K Net Drive HR_Training_Room7'. In this example users in this group get mapped network drives when doing HR training in Training Room 7. After the training, users who no longer need access to the network drive can be taken out of the group, making group membership in Active Directory much easier to manage and more secure. You can take it even further and automate this process using a PowerShell script or an automation tool like Cloud AD Manager.

Figure: Example of AD Security Group Naming Conventions

Security Group Best Practices

When you need to give users access to any resource within Active Directory, ALWAYS create a security group, add the users who need access to the resource, and apply permissions to the group. This way you can easily track which users have access to your resources (e.g. files, folders, printers, network shares, devices, systems, etc.).
11. Delete Inactive Users and Computer Accounts

There is no point in keeping a bunch of unused accounts in Active Directory. They can work against you: attackers can discover and misuse them. They can also slow down Group Policy processing and logon times, and cause patching and reporting issues. To resolve this, find and remove such unused accounts. This can be done with PowerShell scripts or with a find-inactive-AD-users tool.

Figure: Example of InfraSOS running a password report

Find User Accounts Password not changed in 6 months via PowerShell Script

The following PowerShell script queries Active Directory for user accounts where the password age is over 180 days (6 months). In the Active Directory Module for Windows PowerShell, run the script to list the user accounts whose password has not changed in the last six months. With the list of users, it is recommended to disable these accounts, wait several weeks and then delete them.

Figure: Example solution to manage these inactive users
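The script referred to above is not reproduced on this page, so what follows is an added example written for this section, not the post's own script. It assumes the ActiveDirectory module; the 180-day and 90-day thresholds and the exclusion list are assumptions you should adjust.

```powershell
# Added example (not the post's own script): list user accounts whose password is
# older than 180 days or that have not logged on in 90 days, then disable them in a
# controlled, report-first way. Assumes the ActiveDirectory module (RSAT).
Import-Module ActiveDirectory

$PasswordAgeDays = 180   # assumption: "6 months" from the text
$InactiveDays    = 90    # assumption
# Accounts never to touch automatically (break-glass, built-ins, etc.).
$Exclusions = @('Administrator', 'krbtgt')

function Get-StalePasswordUsers {
    param([int]$Days = $PasswordAgeDays)
    $cutoff = (Get-Date).AddDays(-$Days)
    Get-ADUser -Filter 'Enabled -eq $true' -Properties PasswordLastSet, LastLogonDate, PasswordNeverExpires |
        Where-Object {
            $_.SamAccountName -notin $Exclusions -and
            # A null PasswordLastSet means "must change at next logon"; treat it as stale too.
            ($null -eq $_.PasswordLastSet -or $_.PasswordLastSet -lt $cutoff)
        } |
        Select-Object SamAccountName, Name, PasswordLastSet, LastLogonDate, PasswordNeverExpires
}

function Get-InactiveUsers {
    param([int]$Days = $InactiveDays)
    # Search-ADAccount relies on lastLogonTimestamp, which replicates between DCs but
    # can lag real logons by up to 14 days, so keep the window generous.
    Search-ADAccount -AccountInactive -UsersOnly -TimeSpan (New-TimeSpan -Days $Days) |
        Where-Object { $_.Enabled -and $_.SamAccountName -notin $Exclusions } |
        Select-Object SamAccountName, Name, LastLogonDate, DistinguishedName
}

function Disable-StaleUsers {
    # Pipe the output of the two functions above into this. Without -Commit it only
    # shows what would happen (-WhatIf); with -Commit it disables and annotates.
    param([Parameter(ValueFromPipeline)][object]$User, [switch]$Commit)
    process {
        $note = "Disabled as inactive on $(Get-Date -Format yyyy-MM-dd)"
        if ($Commit) {
            Disable-ADAccount -Identity $User.SamAccountName
            Set-ADUser -Identity $User.SamAccountName -Description $note
        } else {
            Disable-ADAccount -Identity $User.SamAccountName -WhatIf
        }
    }
}

# Report first; review the output, then rerun the last line with -Commit.
# Delete the accounts only after the waiting period recommended above.
Get-StalePasswordUsers | Format-Table -AutoSize
Get-InactiveUsers      | Format-Table -AutoSize
Get-InactiveUsers      | Disable-StaleUsers
```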
12. Delete Users from the Local Administrator Group

If a user has local admin rights, he/she has complete control of the Windows operating system, so regular users must not be members of the local Administrators group on computers. It is risky and causes security problems such as downloading and installing malware, data theft, disabling antivirus, cracking passwords, etc. By removing users from the local Administrators group, you reduce threats and opportunities for attackers. Use group policy to control the local Administrators group: with Restricted Groups and group policy, only trusted users have access to manage and control the computer.

Figure: Example of Local administrator group on computers

Remove Users from Local Administrators Group using Group Policy (GPO)

Within Group Policy Management, create a new GPO or edit an existing policy. Within the GPO editor navigate to the following settings, right-click in the window and select New > Local Group.

Figure: Local Administrators Group GPO

In the New Local Group Properties apply the following settings:
Action: Update
Delete all member users: Yes
Members: Click Add and select the members you want to be added to the local Administrators group. You will most likely want to keep the local Administrator account and the Domain Admins group as local admins, but that depends on your internal security policies.
13. Domain Controllers (DCs) Best Practices

Domain Controllers are vital for an enterprise, as they enforce security policies and manage user security and access controls. Never install additional software or server roles onto DCs; if you do, you are indirectly increasing security risk. If you need to run more server roles, install them on separate servers. DCs should also have no internet access, and no external access should be allowed.

Avoid Logging into DCs

Run Domain Controllers on a Secure OS
You can use Windows Server Core as a secure OS to run the DC roles: because it has no GUI there are fewer security patches and a smaller footprint. If you have other server roles, you can also run them on Windows Server Core, for example DHCP, DNS, print servers, and file servers. You can also build your domain controllers with Active Directory hardening using an AD hardened image from CIS.

Domain Controller Location

Ideally domain controllers should be physical servers locked away in a cage, with TPM chips and BitLocker Drive Encryption for all server volumes. Virtual domain controllers, on premises or in the cloud, are also acceptable. If you have small remote sites running only one domain controller, best practice is to run it on Hyper-V and configure the DC as a Read Only Domain Controller (RODC). An RODC can only read and not write, which is ideal for small remote branches that do not make changes to AD.

14. Patch Management and Vulnerability Scanning

Make sure to scan for and remediate discovered vulnerabilities on a regular basis (once a month or more frequently). If you do not scan for these vulnerabilities and fix them, attackers can exploit them, and you will be at greater risk. Find some of the best vulnerability scanning tools online. Scan to identify all potential vulnerabilities and prioritize them based on the degree of risk. Also, deploy automated software updates for operating systems and third-party software. If you discover any software that is out of date and no longer supported, get it updated.
Patch Management Best Practice

Every device and application must be updated with the latest security patches in order to reduce the risk of attack. Here are recommended patch management processes to apply to your environment:
Patching tools available include WSUS, Azure Automation Update Management, AWS Systems Manager Patch Manager, and Google GCP OS Patch Management with VM Manager.

Vulnerability Management

Threat & Vulnerability Management (TVM) is a built-in capability in Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP) that uses a risk-based approach to discover, prioritize, and remediate endpoint vulnerabilities and misconfigurations. With Microsoft Defender ATP's Threat & Vulnerability Management, customers benefit from:
15. Block Malicious Domains Using a Secure DNS Service

Computers use IP addresses to communicate with each other, and every time you access the internet a domain name is mapped to an IP address. With a secure DNS service you can block a lot of malicious traffic from entering the network. These services use public and private sources to collect information about malicious domains, and whenever a query is for a domain that has been flagged as malicious, the DNS service blocks it. A secure DNS service is one of the easy and effective ways to block attackers. Quad9 is one of the free DNS services. For Azure customers, Microsoft has a service called Microsoft Defender for DNS, which provides an additional layer of protection for resources that use Azure DNS's Azure-provided name resolution capability.

Figure: What is DNS Layer Security

Microsoft Defender for DNS Features

Microsoft Defender for DNS detects suspicious and anomalous activities such as:
16. Run Supported Operating Systems

The latest versions of Microsoft Windows include built-in security features and enhancements. For example, Windows Server 2022 builds on the strong foundation of Windows Server 2019 and brings many innovations on three key themes: security, Azure hybrid integration and management, and application platform. These new features help monitor the system and keep it updated. Any unsupported operating system will not receive security updates. As mentioned earlier, domain controllers should ideally run on Windows Server Core if possible, as the Core OS has a smaller footprint with no GUI/desktop.

Figure: Windows Server 2019 vs 2022 Security Features

Security Features in Windows Server 2019
Security Features in Windows Server 2022
17. For Office 365 and Remote Access Use Two Factor Authentication
Nowadays, attackers can easily reach your systems through a VPN, Citrix, or other remote access systems. For example, if you check your Office 365 or ADFS logs, you may find login attempts from various countries. Thus, the best way to keep accounts secure against compromise is to implement two-factor authentication (2FA/MFA). With MFA, attackers will find it hard to compromise your AD logins: even if an attacker obtains a password, they will require a second factor to log in. Two-factor authentication is also advantageous in keeping accounts safe from password spraying attacks. Duo, RSA and Microsoft MFA are a few trusted two-factor authentication solutions.
18. Monitor DHCP Logs for Connected Devices

Do you have multiple branches? In that case, it can be very challenging to track users and computers and understand which devices are connected to the network at each location. There are ways to allow only authorized devices to connect, but they can be time consuming. Another method that is cost effective and highly beneficial is monitoring DHCP logs for connected devices. To use this, all end-user devices must be set up to obtain an IP address via DHCP. The logs help you locate which IP address is attempting to access or log in to your systems and from what location. You should have a naming convention configured on all your devices; this makes it easier to identify unauthorized devices in your DHCP logs.

Figure: DHCP monitoring and management best practices

DHCP Server Best Practice
19. Monitor DNS Logs for Malicious Network Activity

Monitor DNS Logs

When using a local Windows DNS server, it is recommended to enable auditing and logging. This will help track all internal and external DNS activity: for example, if a device connects to a malicious site, the site name will appear in the DNS logs. Also make sure to enable DNS debug logging on the Windows servers to view DNS lookups. Go to the DNS Management Console, right-click the server and choose Properties. In the dialog box, select the Debug Logging tab and tick the checkbox "Log packets for debugging". Once the setup is complete, import all logs into a log analyzer to discover and spot any malicious activity.

Figure: Enable DNS Debug Logging

Common Threats to DNS Servers

DNS monitoring is very important, in part because it helps you identify vulnerabilities before they are exploited. There are many types of DNS attacks. These include:
How to Monitor a DNS Server

By monitoring your DNS server entries and watching for any changes, you can quickly identify issues that may pose a security risk to your system. To monitor DNS effectively, focus on the following components:
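Once packet logging is enabled as described above, the debug log still has to be searched; the block below is an added example (not from the original post) that parses the log's packet lines and flags queries for blocklisted domains, which ties this section to the malicious-domain blocking of section 15. The sample lines and the blocklist are constructed, and the column layout is the one I know from Windows DNS debug logs; check it against your own file before relying on the regex.

```powershell
# Added example (not from the original post): parse Windows DNS debug log packet
# lines and flag client queries for blocklisted domains. Names in the log are
# written as length-prefixed labels, e.g. "(3)www(7)example(3)com(0)".

# Constructed sample of packet lines written when "Log packets for debugging" is on.
$SampleLog = @'
3/14/2023 9:01:12 AM 0D48 PACKET  000001F4B3C2A0B0 UDP Rcv 192.168.1.20    0002   Q [0001   D   NOERROR] A      (3)www(7)example(3)com(0)
3/14/2023 9:01:13 AM 0D48 PACKET  000001F4B3C2A0B0 UDP Snd 192.168.1.20    0002 R Q [8081   DR  NOERROR] A      (3)www(7)example(3)com(0)
3/14/2023 9:02:40 AM 0D48 PACKET  000001F4B3C2A111 UDP Rcv 192.168.1.57    9a1c   Q [0001   D   NOERROR] A      (6)update(4)evil(7)example(0)
3/14/2023 9:02:41 AM 0D48 PACKET  000001F4B3C2A111 UDP Rcv 192.168.1.57    9a1d   Q [0001   D   NOERROR] TXT    (7)c2relay(4)evil(7)example(0)
'@

# Blocklisted domains (constructed); in practice this comes from your threat-intel feed.
$Blocklist = @('evil.example')

# Columns: date time threadId PACKET ptr proto Rcv/Snd remoteIp xid [R] Q [flags] QTYPE name
$PacketPattern = '^(?<date>\S+ \S+ \S+) \S+ PACKET\s+\S+ (?<proto>UDP|TCP) (?<dir>Rcv|Snd) (?<ip>\S+)\s+\S+\s+(?:R )?Q \[.*?\] (?<qtype>\S+)\s+(?<name>\S+)$'

function ConvertFrom-DnsLabelName {
    param([string]$Encoded)
    # "(3)www(7)example(3)com(0)" -> "www.example.com"
    (($Encoded -replace '\(\d+\)', '.').Trim('.'))
}

function Get-DnsQueriesFromLog {
    param([string[]]$Lines)
    foreach ($line in $Lines) {
        if ($line -match $PacketPattern) {
            [pscustomobject]@{
                Time      = $Matches['date']
                Direction = $Matches['dir']
                ClientIp  = $Matches['ip']
                QueryType = $Matches['qtype']
                Name      = ConvertFrom-DnsLabelName $Matches['name']
            }
        }
    }
}

function Find-BlocklistedQueries {
    param([string[]]$Lines, [string[]]$Blocked = $Blocklist)
    # Only inbound queries (Rcv) identify the client; responses (Snd) are skipped.
    # A name matches if it equals a blocked domain or is a subdomain of one.
    Get-DnsQueriesFromLog -Lines $Lines | Where-Object { $_.Direction -eq 'Rcv' } |
        Where-Object {
            $n = $_.Name
            $Blocked | Where-Object { $n -eq $_ -or $n.EndsWith('.' + $_) }
        }
}

# Run over the constructed sample; for a real server use Get-Content on the log
# path shown on the Debug Logging tab instead.
$lines = $SampleLog -split "`r?`n"
Find-BlocklistedQueries -Lines $lines | Format-Table -AutoSize
```

On the sample this reports the two queries from 192.168.1.57 (update.evil.example and the TXT lookup for c2relay.evil.example) and nothing for www.example.com; a TXT query to an unknown domain is itself worth a second look, since it is a common way to move data over DNS.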
20. Implement ADFS and Azure AD / Office 365 Security Features
ADFS and Azure AD/Office 365 security features are highly advantageous, as they can protect your environment against password spraying, compromised accounts, phishing, etc. You can also switch to premium subscriptions with advanced security features. Here are some of the features provided by ADFS and Azure AD:

ADFS / Azure AD Security Features
21. Use Office 365 Secure Score to Improve Security Posture
Microsoft Secure Score is a value indicating an organization's security posture. It tracks the Office 365 organization's security based on its activities and security settings. First, it analyzes your Office 365 services; then it analyzes the security settings and activities and calculates a security score. Based on this measurement, a list of actions is provided to fix the issues found.

Figure: Secure Score Actions

In order to access all these features, we recommend switching to a Premium or Enterprise subscription. You will also need a global admin or a suitable custom role assigned. Secure Score helps organizations:
22. Implement a Disaster Recovery Plan (DR)
Do you have a plan for a ransomware attack, or for what you would do if the network was compromised? Have you trained your staff on how to deal with such situations? Do you follow a response policy? Cyber attacks are all too common, and they have the power to shut down your systems, causing disruption and reputational damage to your business. As a result, your business operations will come to a halt. With a response plan, however, you can limit this impact. Make sure to plan an incident response policy and to define incident handling and reporting procedures. Appoint a response team and establish procedures for communicating with third parties. Also prioritize your critical servers and train your staff in DR planning.

Domain Controller Disaster Recovery
Your domain controllers are the most critical servers in Active Directory. If these servers become corrupt or fail, your users will be greatly affected: users can't log in to devices and email will stop working, so it's important to have fault tolerance and a DR plan in place for your AD domain controllers. This is what I recommend to safeguard your AD:
Refer to the Active Directory Forest Recovery Guide.

23. Delegation for Active Directory Permissions

Use security groups to control access to Active Directory and associated resources. Delegating rights to individual users makes you lose track of who has access. Thus, create custom groups and document who has rights to what, the reason they need access, and the date access was given. Do not allow admin staff to add users to these custom groups without consent and tracking, through an approval process for when users request access to a group. Keep track of which groups are delegated to which resources and document them. One idea is to require users to submit a ticket via your helpdesk software so you can monitor and approve permission requests.

Best Practices for Granting AD Access
Define OU Security Model

You need to plan your OU structure and hierarchy in order to properly and securely manage your resources. Microsoft recommends that you ensure simplicity and adaptability when planning your OU design. So, prepare a layout of your Active Directory OU structure, keeping Group Policy Object (GPO) linkage and delegation in mind, to avoid creating OUs at random in the long run. Administration and management of AD objects becomes easier when the OUs mirror your organization's structure. Different OU models can be, for example:
Choose an Organizational Unit model that best fits your administrative needs.
Separate users and computers

In Active Directory, when you create user and computer objects, they are added to their respective containers by default. However, GPOs cannot be linked to containers; instead, create separate OUs for users and computers that require GPO application. This practice can be followed irrespective of the OU model you choose for your organization, and it makes Group Policy much easier to manage.

Automate Joiners Movers Leavers Process

It's important to audit and manage what new users have access to, and to disable their accounts when they leave the company or when a user moves department and should no longer have access to the resources they used to have. You want this to be automated. If you have other applications that rely on Active Directory user accounts, you also want these accounts to be restricted in the other applications that perform SSO authentication. A typical flow would be as follows:
HR adds the user to their platform > triggers a call to create a new IT Helpdesk ticket > IT approves the request and triggers a call to create the new user

User provisioning tools you can use are:
24. Lock Down and Restrict Service Accounts

Service accounts are privileged accounts used to run applications and automated services. The accounts are used for Active Directory authentication and usually have local admin privileges on virtual machine instances or, worse, are members of the Domain Admins group. Service accounts usually have a set password that never expires. If such an account gets into the wrong hands, you can imagine the damage and the vulnerabilities it could open up. To lock down service accounts, try the following:
Lock Down via GPO

You can apply the above settings via the following Group Policy:
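As an added example (not the post's own code), the block below first reports enabled user accounts that look like service accounts, because they have a non-expiring password or carry a Kerberos SPN, and notes which of them also sit in a privileged group; it then creates a group managed service account (gMSA) so that no human ever holds the password. It assumes the ActiveDirectory module, and the gMSA name and host group name are assumptions.

```powershell
# Added example (not from the original post): find user-type service accounts that
# carry the risks the text describes, and create a gMSA as the replacement.
# Assumes the ActiveDirectory module (RSAT) and Domain Admin rights for the gMSA step.
Import-Module ActiveDirectory

function Get-RiskyServiceAccounts {
    # Enabled users with a Kerberos SPN or a non-expiring password, flagged when
    # they are also (directly or via nesting) in a privileged group.
    $privileged = 'Domain Admins', 'Enterprise Admins', 'Administrators' |
        ForEach-Object { (Get-ADGroupMember -Identity $_ -Recursive).SamAccountName }
    Get-ADUser -Filter 'Enabled -eq $true' `
        -Properties ServicePrincipalName, PasswordNeverExpires, PasswordLastSet |
      Where-Object { $_.ServicePrincipalName.Count -gt 0 -or $_.PasswordNeverExpires } |
      Select-Object SamAccountName,
          @{n='HasSPN';     e={ $_.ServicePrincipalName.Count -gt 0 }},
          PasswordNeverExpires, PasswordLastSet,
          @{n='Privileged'; e={ $_.SamAccountName -in $privileged }}
}

function New-AppServiceGmsa {
    # A gMSA has a 240-byte random password that the DCs rotate every 30 days by
    # default; only the hosts in $HostGroup may retrieve it, and no person knows it.
    param(
        [string]$Name      = 'gmsaWebApp',          # assumption
        [string]$HostGroup = 'WebApp-Servers',      # assumption: group of computer accounts
        [string]$Domain    = (Get-ADDomain).DNSRoot
    )
    if (-not (Get-KdsRootKey)) {
        throw 'No KDS root key exists; create one with Add-KdsRootKey before continuing.'
    }
    New-ADServiceAccount -Name $Name -DNSHostName "$Name.$Domain" `
        -PrincipalsAllowedToRetrieveManagedPassword $HostGroup `
        -KerberosEncryptionType AES128, AES256   # no RC4 for this account
    Get-ADServiceAccount -Identity $Name -Properties PrincipalsAllowedToRetrieveManagedPassword
}

# On each application host, after adding it to the host group and rebooting:
#   Install-ADServiceAccount -Identity gmsaWebApp
#   Test-ADServiceAccount -Identity gmsaWebApp   # True once the host can fetch the password
# then set the service to log on as DOMAIN\gmsaWebApp$ with an empty password field.

Get-RiskyServiceAccounts | Sort-Object Privileged -Descending | Format-Table -AutoSize
```

Accounts that show both HasSPN and Privileged as True are the first to migrate: they combine a long-lived password with high privilege, which is exactly the exposure this section warns about.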
25. Try Using Security Baselines and Benchmark Tools
The Windows operating system comprises various features and enabled ports that are not secure by default. It also includes default settings that must be reviewed against known security benchmarks. It is vital to have a secure configuration to maintain functionality and protect all systems against attacks. Check out the following benchmark tools to scan, analyze and test against security configuration baselines. These tools also scan systems and report failures.
The Security Compliance Toolkit (SCT) is a set of tools that allows enterprise security administrators to download, analyze, test, edit, and store Microsoft-recommended security configuration baselines for Windows and other Microsoft products. The SCT enables administrators to effectively manage their enterprise’s Group Policy Objects (GPOs). Using the toolkit, administrators can compare their current GPOs with Microsoft-recommended GPO baselines or other baselines, edit them, store them in GPO backup file format, and apply them broadly through Active Directory or individually through local policy.
The CIS Benchmarks safeguard IT systems against cyber threats with more than 100 configuration guidelines across more than 25 vendor product families: Windows, Linux, cloud, Cisco, VMware, IBM and much more.

26. Protect Default AD Security Groups

When you install an Active Directory domain, a number of default security groups are created. These groups hold extensive permissions and include the following: Account Operators, Administrators, DNS Admins, Domain Admins, Guests, Users, Protected Users, Server Operators and many more. See the full list of these default groups.
You should have AD monitoring and auditing set up to detect when users are added to your admin groups, so you can spot a potential breach early.
27. Forcing RDP to use TLS Encryption
Remote Desktop Protocol is a favourite target for attackers scanning for exposed endpoints. Tools like Masscan and Nmap help them discover open ports, and weak credentials let them get through your RDP logins; once successful, they have a foothold on the compromised system. So avoid exposing RDP directly to the public internet, and never without multi-factor authentication enabled. The RDP connection does not use strong encryption by default.
Enable RDP TLS Encryption via GPO
To force your RDP connections to use TLS encryption, apply the following Group Policy settings:
RDP client encryption level GPO settings
28. Enable Windows Firewall on All Systems
There is a high chance that attackers or malware will reach your Windows computers and servers through inbound network traffic. To protect all your systems, it's best to configure Windows Firewall rules. The purpose of enabling Windows Firewall is to limit inbound and outbound network traffic for applications, protocols, or ports. Windows Firewall should be managed by Active Directory GPO, and users should be blocked from disabling their firewall. Here are the Group Policy settings for enabling Windows Defender Firewall with Advanced Security.
Windows Defender Firewall with Advanced Security GPO
Within your Group Policy Management Editor, this is the path to create your Windows Firewall GPO, apply settings for inbound and outbound traffic, and specify which profiles (Domain, Private, Public) to enable the firewall for. Ideally all profiles should be enabled.
And also the following GPO setting to specify the type of traffic that will be allowed for your network connection profiles:
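Section 26 above says to detect when users are added to your admin groups. The script below is an added example, not code from the original article: it reads the group-management events that a domain controller writes to its Security log (4728, 4732 and 4756 are the "member added" events for global, local and universal groups) and reports additions to the default privileged groups, including who made the change. It assumes the "Audit Security Group Management" audit policy is enabled on the DCs and that you can read the Security log remotely; $dc, $lookback and the watched-group list are assumed values.

```powershell
# Added example (not from the original article): pull group-membership change
# events from a domain controller's Security log and report additions to the
# default privileged groups. Requires "Audit Security Group Management" to be
# enabled in the DC audit policy and rights to read the Security log remotely.
$dc       = 'DC01'                    # hypothetical domain controller name
$lookback = (Get-Date).AddHours(-24)  # assumed review window

# Default groups the checklist lists, plus the other privileged ones it names.
$watched = @('Administrators', 'Domain Admins', 'Enterprise Admins', 'Schema Admins',
             'Account Operators', 'Server Operators', 'Backup Operators', 'DnsAdmins',
             'Group Policy Creator Owners')

# 4728 = member added to a global group, 4732 = local group, 4756 = universal group.
$events = Get-WinEvent -ComputerName $dc -FilterHashtable @{
    LogName   = 'Security'
    Id        = 4728, 4732, 4756
    StartTime = $lookback
} -ErrorAction SilentlyContinue

# Read a named EventData field out of the event XML.
function Get-EventField {
    param([xml]$Xml, [string]$Name)
    ($Xml.Event.EventData.Data | Where-Object { $_.Name -eq $Name }).'#text'
}

$additions = foreach ($e in $events) {
    $xml   = [xml]$e.ToXml()
    $group = Get-EventField $xml 'TargetUserName'        # the group that gained a member
    if ($watched -notcontains $group) { continue }
    [pscustomobject]@{
        Time      = $e.TimeCreated
        Group     = $group
        Member    = Get-EventField $xml 'MemberName'     # distinguishedName of the new member
        MemberSid = Get-EventField $xml 'MemberSid'
        AddedBy   = '{0}\{1}' -f (Get-EventField $xml 'SubjectDomainName'), (Get-EventField $xml 'SubjectUserName')
        EventId   = $e.Id
        DC        = $e.MachineName
    }
}

if ($additions) {
    $additions | Sort-Object Time | Format-Table -AutoSize
} else {
    "No additions to watched groups on $dc since $lookback"
}
```

These events are recorded only on the domain controller that processed the change and are not replicated, so run the check against every DC (or forward the Security logs to a SIEM) rather than a single one. A MemberName that resolves to a service account, or an AddedBy that is not a known administrator, is the kind of row worth an immediate follow-up.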
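Sections 27 and 28 above both end with GPO settings to apply; what a practitioner also wants is a way to confirm the settings actually took effect on the hosts. The script below is an added example, not code from the original article: it uses PowerShell Remoting to read each host's effective RDP security layer, minimum encryption level and Network Level Authentication setting from the registry (the Group Policy key takes precedence over the per-listener key, so it is read first), and the state of every Windows Firewall profile. $computers is an assumed host list; run it with an account that is a local administrator on the targets.

```powershell
# Added example (not from the original article): audit the effective RDP security
# settings and Windows Firewall profile state on a set of hosts over PowerShell
# Remoting. $computers is an assumed list; the account used must be a local
# administrator on the targets.
$computers = 'SRV01', 'SRV02'          # hypothetical host names

$audit = {
    # When a GPO is applied its values land under the Policies key, which overrides
    # the per-listener key that the Remote Desktop settings UI writes to.
    $policyKey   = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services'
    $listenerKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp'
    function Get-RdpValue([string]$Name) {
        foreach ($key in $policyKey, $listenerKey) {
            $v = (Get-ItemProperty -Path $key -Name $Name -ErrorAction SilentlyContinue).$Name
            if ($null -ne $v) { return $v }
        }
    }
    # SecurityLayer: 0 = RDP security layer, 1 = negotiate, 2 = TLS (SSL) required.
    # MinEncryptionLevel: 1 = low, 2 = client compatible, 3 = high, 4 = FIPS.
    # UserAuthentication: 1 = Network Level Authentication required.
    $secLayer = Get-RdpValue 'SecurityLayer'
    $encLevel = Get-RdpValue 'MinEncryptionLevel'
    $nla      = Get-RdpValue 'UserAuthentication'

    $profiles = Get-NetFirewallProfile
    $summary  = $profiles | ForEach-Object {
        '{0}:{1}/{2}' -f $_.Name, $(if ($_.Enabled -eq 'True') { 'on' } else { 'OFF' }), $_.DefaultInboundAction
    }

    [pscustomobject]@{
        Computer          = $env:COMPUTERNAME
        RdpTlsRequired    = ($secLayer -eq 2)
        RdpEncryptionHigh = ($encLevel -ge 3)
        RdpNlaRequired    = ($nla -eq 1)
        AllProfilesOn     = -not ($profiles | Where-Object { $_.Enabled -ne 'True' })
        FirewallProfiles  = ($summary -join ' ')
    }
}

Invoke-Command -ComputerName $computers -ScriptBlock $audit -ErrorAction Continue |
    Select-Object Computer, RdpTlsRequired, RdpEncryptionHigh, RdpNlaRequired, AllProfilesOn, FirewallProfiles |
    Format-Table -AutoSize
```

A host that shows RdpTlsRequired as false is still offering the legacy RDP security layer, and one with AllProfilesOn false has a profile (often Public) where the GPO did not land or a local override is in place; both are findings to chase back to Group Policy scoping rather than fix by hand.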
29. Implement Application Whitelisting
Application whitelisting with Windows Defender Application Control
If a program is installed without an administrator's consent and is left unpatched, or has a publicly disclosed flaw, attackers may use it to get into the system. It is important to make sure unpatched applications and programs cannot run unless they are known to be safe. Under application whitelisting, only approved programs are allowed to run, enforced with Windows Defender Application Control and AppLocker. As a result, any unpatched or unapproved program is blocked by default. It restricts unauthorized programs from running, protecting your Windows environment, and is one of the best practices for defending against emerging threats. Application whitelisting also saves time and money. Windows Defender Application Control has an inherent advantage over traditional antivirus solutions: application control moves away from a trust model in which all applications are assumed trustworthy to one in which applications must earn trust in order to run.
Windows Defender Application Control Features
WDAC was introduced with Windows 10 and allows organizations to control which drivers and applications are allowed to run on their Windows clients. It was designed as a security feature under the servicing criteria defined by the Microsoft Security Response Center (MSRC). WDAC policies apply to the managed computer as a whole and affect all users of the device. WDAC rules can be defined based on:
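The following is an added example of building a WDAC policy, not code from the original article or from Microsoft's documentation. It uses the ConfigCI cmdlets that ship with Windows: New-CIPolicy scans a clean reference machine and generates rules at the chosen level (the -Level parameter is where the rule basis is picked; Publisher, FilePublisher, Hash and FilePath are the common choices), the policy is switched to audit mode so that it logs instead of blocks, and it is then compiled to the binary form that the kernel consumes. The paths under C:\WDAC are assumptions; run it as an administrator on the reference image.

```powershell
# Added example (not from the original article): build a WDAC policy from a
# clean reference machine, enable audit mode, and compile it to binary.
# Paths under C:\WDAC are assumed; run on the reference image as administrator.
# Requires the ConfigCI module (present on Windows 10/11 and Server 2016+).
$xmlPath = 'C:\WDAC\AuditPolicy.xml'
$binPath = 'C:\WDAC\AuditPolicy.bin'
New-Item -ItemType Directory -Path (Split-Path $xmlPath) -Force | Out-Null

# Publisher-level rules trust code signed by the publishers found on this machine;
# -Fallback Hash gives unsigned binaries a hash rule instead of skipping them.
# -UserPEs includes user-mode applications, not just drivers.
New-CIPolicy -Level Publisher -Fallback Hash -FilePath $xmlPath -ScanPath 'C:\' -UserPEs -MultiplePolicyFormat

# Rule options: 3 = Enabled:Audit Mode (log, do not block) for the first deployment;
# 6 = Enabled:Unsigned System Integrity Policy (allows an unsigned policy while testing);
# 0 = Enabled:UMCI (apply to user-mode code, not only kernel drivers).
Set-RuleOption -FilePath $xmlPath -Option 3
Set-RuleOption -FilePath $xmlPath -Option 6
Set-RuleOption -FilePath $xmlPath -Option 0

# Compile to the binary the kernel consumes; deploy it via GPO, Intune, or
# Configuration Manager as the section above notes.
ConvertFrom-CIPolicy -XmlFilePath $xmlPath -BinaryFilePath $binPath

# In audit mode, code that the policy would have blocked is logged as event 3076
# in the CodeIntegrity/Operational log. Review these before enforcing; enforcement
# is just removing option 3:  Set-RuleOption -FilePath $xmlPath -Option 3 -Delete
Get-WinEvent -FilterHashtable @{ LogName = 'Microsoft-Windows-CodeIntegrity/Operational'; Id = 3076 } `
    -MaxEvents 20 -ErrorAction SilentlyContinue |
    Select-Object TimeCreated, Id, Message | Format-Table -Wrap
```

Running in audit mode first matters because a policy generated from one reference machine will not know about every line-of-business application in the estate; the 3076 events tell you which binaries still need rules before the policy is flipped to enforcement, where the same condition is logged as event 3077 and the program is blocked.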
If you're using SCCM, you can deploy WDAC via Configuration Manager.
30. Disable PowerShell for Users (non-admins)
PowerShell is great for task automation and configuration management, but if not carefully managed it can also be used by malware to spread through your network and infect your systems. PowerShell is a source of more than a third of critical security threats, and ransomware is often spread through a network via PowerShell (check out the article from CIS). I would recommend disabling PowerShell on all user computers; users don't need PowerShell. If an admin requires PowerShell for their day-to-day job, they can run it from a dedicated jump box or bastion host.
Disable PowerShell with Group Policy (GPO)
First, find the default path where powershell.exe is located; it is normally C:\Windows\System32\WindowsPowerShell\v1.0. To check this on your computer, open PowerShell, then open Task Manager, go to the Details tab, scroll down to powershell.exe, right-click and select "Open file location".
Within your Group Policy Management Editor, browse to the following setting:
Right-click "Software Restriction Policies" and select "New Software Restriction Policies".
Select "Additional Rules", then right-click and select "New Path Rule".
Next, click Browse and select the powershell.exe file from the path C:\Windows\System32\WindowsPowerShell\v1.0. Set the security level to "Disallowed" and click OK.
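The path rule above covers one file. The check below is an added example, not code from the original article: it finds every PowerShell host executable present on a machine (the 32-bit copy under SysWOW64, the ISE and PowerShell 7's pwsh.exe live at other paths) and reports which of them the Software Restriction Policy "Disallowed" path rules currently in effect do not cover, so that a rule can be added for each. It reads the rules from the registry keys where SRP stores them (level 0 is "Disallowed"; computer policy lands in HKLM and user policy in HKCU); the search roots are an assumption you can extend.

```powershell
# Added example (not from the original article): find every PowerShell host
# executable on this machine and report which of them the current Software
# Restriction Policy "Disallowed" path rules do not cover. A single rule for
# C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe leaves the 32-bit
# copy under SysWOW64, the ISE, and PowerShell 7 (pwsh.exe) runnable.
$hostNames = 'powershell.exe', 'powershell_ise.exe', 'pwsh.exe'

# Where the hosts normally live (assumed roots; add more if software is installed elsewhere).
$searchRoots = @($env:windir, $env:ProgramFiles, ${env:ProgramFiles(x86)}, $env:LOCALAPPDATA) |
    Where-Object { $_ -and (Test-Path $_) }

$hosts = Get-ChildItem -Path $searchRoots -Recurse -File -Include $hostNames -ErrorAction SilentlyContinue |
    Select-Object -ExpandProperty FullName -Unique

# SRP stores path rules under CodeIdentifiers\<level>\Paths; level 0 is "Disallowed".
# Computer policy is written to HKLM, user policy to HKCU; both apply to the logged-on user.
$ruleKeys = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Paths',
            'HKCU:\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Paths'
$disallowedPaths = foreach ($key in $ruleKeys) {
    Get-ChildItem -Path $key -ErrorAction SilentlyContinue | ForEach-Object {
        # ItemData holds the rule path, possibly with %SystemRoot%-style variables.
        $raw = (Get-ItemProperty -Path $_.PSPath -Name ItemData -ErrorAction SilentlyContinue).ItemData
        if ($raw) { [Environment]::ExpandEnvironmentVariables($raw) }
    }
}

# A rule covers a file if it names the file itself (wildcards allowed) or a parent folder.
function Test-SrpCovered {
    param([string]$File, [string[]]$Rules)
    foreach ($rule in $Rules) {
        $r = $rule.TrimEnd('\')
        if ($File -like $r -or $File -like "$r\*") { return $true }
    }
    return $false
}

$hosts | ForEach-Object {
    [pscustomobject]@{
        Path      = $_
        Publisher = (Get-AuthenticodeSignature -FilePath $_).SignerCertificate.Subject
        Covered   = Test-SrpCovered -File $_ -Rules $disallowedPaths
    }
} | Sort-Object Covered, Path | Format-Table -AutoSize
```

Run it on a machine after the GPO has refreshed (gpupdate /force) and add a path rule for every row where Covered is false; re-run after the next policy refresh to confirm the list is empty. Where all PowerShell hosts must be blocked for non-admins, a rule on each host's parent folder is simpler to maintain than one per executable.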
Active Directory Security Best Practices Checklist Conclusion
IT organizations are no longer immune from cyber attacks. Attacks against computing infrastructure and networks have been around for a long time, and recorded cybercrime rates have risen as organizations expand and grow in size. There is therefore a high chance of being attacked and compromised, especially through Active Directory. One needs to stay alert and implement Active Directory security. These AD and cloud security solutions and advancements will keep ransomware attacks and malware away from your server systems and let them operate smoothly. Let me know if there is anything else I've missed from our AD security checklist. We have put together a set of practical techniques and solutions that will help IT experts protect an enterprise Active Directory domain environment. If you can't prevent attacks, at least reduce your Active Directory attack surface.
What are the steps to create a user template in Active Directory?
In Server Manager, on the Tools menu, select Active Directory Users and Computers. Right-click the Organizational Unit (OU) where the template is to be created and select New > User. In the New Object - User wizard, name the account _TemplateUser and set the user logon name to _templateuser. Once done, click Next.
What are the 3 essential pieces of an Active Directory user account?
The Active Directory structure is comprised of three main components: domains, trees, and forests. Several objects, like users or devices that use the same AD database, can be grouped into a single domain.
What is Microsoft's best practice when it comes to creating additional Active Directory domains?
For the following reasons, the best practice is to create new Active Directory domains that have fully qualified DNS names: single-label DNS names cannot be registered by using an Internet registrar.
How do I create a user template?
Click on the Management tab. Navigate to Azure Active Directory > User Management > User Templates. Select the User Creation Templates option. Click on the Create New Template option available in the top-right corner.