
Best Practices to Secure Active Directory

One of the first questions any server administrator asks is how to protect the Active Directory domain and make it less vulnerable.

In this article, we cover best practices for securing Active Directory domains against any type of attack and for maximizing your server security.

Account Hierarchy

Hierarchy is worth thinking about in every server system. Every user should have a role, and at the top of all those roles is the Administrator.

Users should not have any more rights than they need, and administrators should use their rights only as the situation requires.

It is recommended that administrators and other staff with elevated privileges use two accounts: one for logging in to their workstations when no admin tasks are needed, and another solely for admin work.

Using accounts this way lowers the risk from potential attacks (virus or account hacking).

Group Policies for Restricted Groups

Group Policy is an outstanding tool for securing pretty much everything. As a security practice, especially when users are local administrators of an organization’s computers, Group Policy should be used to keep them local admins but restrict them from adding new users as admins.

This can be done by creating a “Restricted Group” and applying a GPO to that group, following these steps:

  • Edit the Group Policy applied to the scope of the computers you want to cover.
  • In the Group Policy Management Editor, create a new Local Group by navigating to:
    • Computer Configuration
    • Preferences
    • Control Panel Settings
    • Local Users and Groups
    • Select Administrator
  • Tick the boxes that say “Delete all member users” and “Delete all member groups” for all users.
  • Be sure to add back the Domain Admins and Local Admin groups so that you do not restrict yourself. If you have not, you can use the “Add Local Group Member” option and “BuiltIn\Administrator”.
  • Recommendation: Add DOMAINNAME\Domain Admins. It is good practice to have Domain Admin accounts in a local group, which can be added through Domain Name variables.

Users can still be added as usual and made local admins, but the GPO will restrict them from adding other users as admins.
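To confirm the policy has taken effect, the check below compares the local Administrators membership with the allow-list the GPO is meant to enforce. It is an added example, not part of the original article; the domain CONTOSO, the host WS01, all account names and the helper name Get-UnexpectedLocalAdmin are constructed for illustration.

```powershell
# Added example: report local Administrators members that are not on the allow-list.
# Get-UnexpectedLocalAdmin is a hypothetical helper; CONTOSO, WS01 and jsmith are constructed.
function Get-UnexpectedLocalAdmin {
    param(
        [Parameter(Mandatory)] [object[]] $Member,   # objects exposing Name, ObjectClass, PrincipalSource
        [Parameter(Mandatory)] [string[]] $Allowed   # account names the policy adds back
    )
    # -notin compares strings case-insensitively, like Windows account names
    $Member |
        Where-Object { $_.Name -notin $Allowed } |
        Select-Object Name, ObjectClass, PrincipalSource
}

# Allow-list mirroring the GPO item: Domain Admins plus the built-in local Administrator
$allowed = @(
    'CONTOSO\Domain Admins'
    'WS01\Administrator'
)

# Constructed sample shaped like Get-LocalGroupMember output;
# CONTOSO\jsmith stands for an account added outside the policy
$sample = @(
    [pscustomobject]@{ Name = 'WS01\Administrator';    ObjectClass = 'User';  PrincipalSource = 'Local' }
    [pscustomobject]@{ Name = 'CONTOSO\Domain Admins'; ObjectClass = 'Group'; PrincipalSource = 'ActiveDirectory' }
    [pscustomobject]@{ Name = 'CONTOSO\jsmith';        ObjectClass = 'User';  PrincipalSource = 'ActiveDirectory' }
)
Get-UnexpectedLocalAdmin -Member $sample -Allowed $allowed

# On a real machine (Windows PowerShell 5.1 or later), read the live membership instead.
# S-1-5-32-544 is the well-known SID of the local Administrators group, so the
# lookup does not depend on the display language of the operating system.
if (Get-Command Get-LocalGroupMember -ErrorAction SilentlyContinue) {
    # Assumption: the allow-list is built from the current domain and computer name;
    # replace it with the exact entries your GPO adds back.
    $liveAllowed = @(
        "$env:USERDOMAIN\Domain Admins"
        "$env:COMPUTERNAME\Administrator"
    )
    $live = Get-LocalGroupMember -SID 'S-1-5-32-544'
    Get-UnexpectedLocalAdmin -Member $live -Allowed $liveAllowed
}
```

An empty result from the live check means the group contains only the allowed entries.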

Server Login Limits

Logging in directly to the server should not be common practice for anyone, even administrators. Most administrative operations can be performed through remote admin tools, so the server can be reached from a workstation or terminal server.

This can be achieved by applying a GPO as follows:

  • Select the GPO in the console tree, which can be found under the path: Forest name/Domains/Domain name/Group Policy objects.
  • Click Add in the Scope tab.
  • Type the name of the group that needs the security filter in “Enter the object name”.
  • Remove Authenticated Users in the Security Filtering section of the Scope tab.

The settings in a GPO apply only to users and computers contained in the domain, unit, or organizational units to which the GPO is linked.

Domain Controllers Security

Server security can be compromised through both software and hardware.

If the Domain Controller servers are physical, it is strongly recommended to lock them away so that no one can access them. If the Domain Controller servers are remote, it is recommended to configure them as read-only domain controllers (RODC) and to set up the DCs as Core with GUI. Of course, it is also recommended to apply all the practices mentioned above, as well as closing all unnecessary ports between the DC and the workstation.

There are many more practices for keeping servers secure. It is a constant, ongoing process, and admins should always be on the watch. This article gives an overview of some major practices, but threats, like security practices, develop and change from day to day.



