Posts Active Directory Security Checklist
Post
Cancel

Active Directory Security Checklist

Posted Apr 12, 2020 2020-04-12T00:00:00+01:00 by mlcsec
Updated Dec 5, 2020 2020-12-05T12:09:34+00:00

I recently came across the Active Directory Pro blog post Top 25 Active Directory Security Best Practices. It’s a great read for anyone interested in AD security. I decided to type up the 25 points onto my blog so I could quickly reference them easily when required.


Top 25 Active Directory Security Best Practices

  1. Clean up the Domain Admins group
    • limit accounts
    • no day-to-day accounts
  2. Use at Least Two Accounts (Regular and Admin Account)
    • least privilege
    • accountA for day-to-day
    • accountB for admin tasks
  3. Secure The Domain Administrator account
    • 20+ char password
    • only used for domain setup and recovery
  4. Disable the Local Administrator Account (on all computers)
    • often same password
    • can mitigate pass-the-hash/pass-the-password
  5. Use Local Administrator Password Solution (LAPS)
    • sets random password for every admin account
  6. Use a Secure Admin Workstation (SAW)
    • for admin tasks
    • no internet access
    • login with secondary account
  7. Enable Audit policy Settings with Group Policy
    • audit policy on all pcs/devices
  8. Monitor Active Directory Events for Signs of Compromise
    • event logs
    • IoCs
  9. Password Complexity Sucks (Use Passphrases Instead)
    • article recommends 12 chars min
    • 12 isn’t exactly secure anymore
  10. Use Descriptive Security Group Names
    • avoid generic names
    • specific group names
    • prevents control permissions
  11. Cleanup Old Active Directory User & Computer Accounts
    • set up process
  12. Do NOT Install Additional Software or Roles on Domain Controllers
    • limited software/roles
    • use server core - no GUI
    • more software/roles == more security risk
  13. Continuous Patch Management & Vulnerability Scanning
    • don’t forget about 3rd parties
    • upgrade if no longer supported
  14. Use Secure DNS Services to Block Malicious Domains
    • Quad9
    • OpenDNS
    • Comodo Secure DNS
  15. Run Critical Infrastructure on latest Windows Operating System
    • better security
  16. Use Two Factor Authentication for Remote Access
    • DUO
    • RSA
    • Msoft MFA
  17. Monitor DHCP Logs for Connected Devices
    • DHCP logs
    • know what’s connected to network
    • identify anomalies
  18. Monitor DNS Logs for Security Threats
    • malicious DNS lookups
    • Windows DNS debug logs
    • identify anomalies
  19. Use Latest ADFS and Azure Security Features
    • security enhancements
  20. Use Office 365 Secure Score
    • reports/improves security posture
    • compare with benchmarks and establish KPIs
  21. Plan for Compromise (recovery plan)
    • NIST
    • IR/DR
  22. Document Delegation to Active Directory
    • control access to resources
    • security groups
    • know what groups use what
  23. Lock Down Service Accounts
    • often perms too high
  24. Disable SMBv1
    • unsecure
    • over 30 years old
  25. Use Security Baselines and Benchmarks
    • default installs unsecure
    • can be deployed with group policy
    • Security Compliance Toolkit
    • CIS SecureSuite
Windows, Active Directory, Defence
Active Directory Blue
This post is licensed under CC BY 4.0 by the author.
Recent Update
Contents

HackTheBox - Sniper

SDDL Security Descriptors

© 2021 mlcsec. Some rights reserved.