Posts

Active Directory Security – Best Practices

Active Directory (AD) is the heart of the Windows Server System. The Active Directory is a repository for essential features and services core to the Windows environment.

It’s in the AD that users, values, groups, organizational units, objects such as printers and computers, and group policies are installed and configured.

Think of the Active Directory as a contact list on your smartphone. The ‘contacts’ app would be the AD, whilst the names would be the ‘objects’, and phone numbers and email addresses would be the values.

IT administrators rely on the AD to structure the organization’s users, groups, and objects in a hierarchical order, as well as configure group policies and settings such as wallpapers and users’ profile pictures.

It’s therefore prudent to ensure the security of your Active Directory.

Why is it crucial to secure the Active Directory?

Since the Active Directory is a critical component in structuring and authorizing users and applications within an organization, it is a potential target for cyber-attacks.

If hackers can penetrate the Active Directory, they can pose an enormous risk. They can access all the user accounts, groups, applications, groups policies, databases, alongside a host of other very crucial information, which should be a reserve of the IT administrators.

If attackers can obtain login credentials, they can penetrate your system and escalate privileges, giving them access to the resources they require.

Without proper security measures and Active Directory audit controls, attackers can easily infiltrate your system and steal valuable information.

It’s therefore important to ensure that security compromises are picked up or detected and remediated in good time before hackers can intrude your system and wreak havoc to your Active Domain Forest, making it very difficult to recover.

Active Directory security vulnerabilities

Let’s now look at some of the potential threats that can leave your AD vulnerable to attacks.

1. Relaxed password policies

A password essentially acts as a lock to your account, keeping outsiders and attackers at bay.

Many users prefer using simple passwords, which can be vulnerable to attacks because of containing few characters, the users’ names or date of birth details, or words that can easily be guessed.

In other cases, users may form a habit of writing down their passwords on a piece of paper, or even sharing them with other users.

Such habits usually leave the users’ accounts vulnerable to hackers through brute force attacks or social engineering attacks.

Password policies in an organization should be stringent and followed to the latter. Strong passwords usually have a combination of uppercase, lowercase, numeric, and special characters, and should be no less than 8-12 characters.

Users should also be encouraged to change their passwords regularly and memorize them, instead of writing them down.

2. Unpatched vulnerabilities in the server

Each successive release of the Windows Server system comes with new security updates and features to address existing vulnerabilities and flaws.

It implies that older versions pose potential security threats that need to be regularly patched with the latest security updates before hackers can exploit the vulnerabilities.

Additionally, all software applications should be regularly updated to fix any security flaws that hackers can leverage.

3. Broad access to the Active Directory Server

Having a long list of Active Directory users who enjoy administrative privileges predisposes your system to privilege abuse, which is a major cause of information leakages.

4. Overreliance on default security settings of the Domain Controller

Most organizations prefer maintaining the default security settings that come with the Windows Server system.

While that may work well, hackers are well acquainted with the default security features and may use that knowledge to infiltrate your system.

It is therefore recommended for IT administrators to make a few tweaks to fortify the security of their Active Directory.

5. Overreliance on Kerberos authentication protocol

An attacker can decrypt data and expose an account’s password where the Kerberos authentication protocol is extensively used.

Active Directory Security Best Practices

After seeing some of the potential vulnerabilities that may expose your Active Directory to security breaches, let’s now focus on some of the best practices you can use to ensure its optimal security.

1. Employ the least privilege administration model

What this means is that all users should login into the system using the least or minimum permissions necessary to execute their tasks.

Additionally, it’s recommended that you should only create two login accounts to the AD: an admin user account and a regular user account. Then, you can use the regular user account for undertaking day-to-day normal tasks, such as browsing the Internet, printing, and so on.

The admin user account should only be used for administrative tasks, such as creating new users, creating groups organizational units, installing roles and features, and configuring the network.

A better option can be to delegate some administration tasks to secondary users. Some of these tasks may include:

  • Managing DHCP and DNS
  • Accessing Active Directory users and computers
  • Managing administration rights on servers and workstations

2. Secure the default domain administrator account

Normally, a built-in domain administrator account is set up by default when a Windows Server system is installed. NOBODY, other than the IT administrator, should know the default built-in administrator’s password.

Additionally, the account should only be used for setting up the domain and for disaster recovery purposes. If there are users that need administrative rights to access the AD or the server, then they should request the IT admin to grant their accounts admin privileges, but not use the built-in account.

In addition, the built-in administrator account should be set up using a very strong password. A minimum password length of 8-12 characters—which includes uppercase, lowercase, numeric, and special characters—is recommended.

3. Maintain constant monitoring of the Active Directory

The active directory needs to be constantly monitored for signs of abnormal or unusual activities.

Some of the events you should pay attention to when monitoring the AD include:

  • Account lockouts
  • The use of administrator accounts
  • A spike in the frequency of incorrect password attempts
  • A rise in the number of locked out accounts
  • Disabled antivirus software
  • Logon and logoff events
  • All activities performed by privileged account users

So, how can you monitor events in the Active Directory?

The best way of monitoring events in the AD is by using a log analyzing software application that generates AD reports.

Some of the best software tools for log analysis include:

4. Enforce complex passwords and passphrases

IT administrators should encourage their users to use passwords with a length of at least 8-12 characters with a combination of uppercase, lowercase, numeric, and special characters.

Moreover, users should be encouraged to use random passphrases as passwords. Also, a strong password policy should include account lockout after 3 failed login attempts.

Here are some good examples of strong passwords:

M@gnum@2030!TkrY

#Pros$YuOT29$7%

5. Delete old and unused AD user accounts

You should develop a procedure for cleaning old and unused user accounts sitting in the AD. Hackers can use such idle accounts to infiltrate your system.

6. Practice patch management and vulnerability scanning

Hackers can leverage known vulnerabilities to breach your system. The earlier these vulnerabilities are discovered, the better.

It is prudent to periodically scan the Domain Controller for any vulnerabilities and update all the software applications. You can also use third-party applications to detect loopholes and vulnerabilities.

Additionally, it’s a good practice to regularly update software applications on your server and fix flaws addressed in the latest versions.

7. Desist from installing additional software or roles on the Domain Controller

To minimize risks of potential attacks, Domain Controllers should have as few software applications as possible.

Attackers can leverage preexisting vulnerabilities in the applications and use the flaws to gain entry and escalate privileges.

It is recommended to use the Windows Server core since it has no GUI and comes with a small footprint. Domain controllers should be kept as lean as possible.

8. Use security groups to determine which users have certain privileges

It is recommended for IT administrators to create custom security groups to determine the users having access rights and special privileges. This should also be documented to keep tabs of the users assigned to different privileges.

Using security groups can assist in managing access privileges and preventing unauthorized access to sensitive data.

Wrapping up

Those are the best practices for maintaining the security of your Active Directory.

Is there something we’ve missed in this article?

Or, do you have a comment or a question?

Please post them below.

Protect yourself and discover all permissions owner on your Windows fileservers!

Pass your next security audit without worrying about security leaks!

Get your free trial of the easiest and fastest NTFS Permission Reporter now!

How To Generate All Domain Controllers in Active Directory

In this article, we’ll describe how to generate all Domain Controllers in the Active Directory Sites and Services tool.

Active Directory Sites and Services can be seen as an administrative tool used to manage sites and the related components on Microsoft Server systems.

It contains a list of all Domain Controllers (DCs) connected to the system, regardless of their number.

In some situations, admins can notice more than one DC listed under Windows NT Directory Services (NTDS) settings.

What are these other DCs, and how can they be generated automatically?

KCC

Those DCs are called KCCs (Knowledge Consistency Checkers). They are nominated bridgehead servers per site that handle replication tasks between specific sites.

A bridgehead server is responsible for replicating any changes to all remaining DCs in its site.

In simple words, KCCs take care of replication by generating DCs, which communicate with other DCs and KCCs—consequently, the auto-generated domain controllers take care of the replication.

How to create automatically generated Domain Controllers

There are instances, such as during server moves or adding new organizational Domain Controllers, when   Active Directory is unable to create ‘Automatically Generated’ connections with the root Domain Controller.

In such a situation, the Domain Controller can be seen, but not on the “real” Domain Controller list.

There is more than one solution to this problem.

Let’s talk about two of the most used and tested solutions.

1. Manually forcing auto generation

This first method, although it can get in the quick “workaround” category,  involves manually forcing auto-generation.

It can be done by right clicking on the NTDS Settings option and then choosing ‘All Tasks and Check Replication Topology’ in the end.

That should force trigger auto-generation of all Domain Controllers, and your Domain Controllers should now be visible on the list.

2. Repadmin

Repadmin is a command line tool used for diagnosing and repairing replication problems.

It can be used from an elevated command prompt by typing ntdsutil.

Then, entering this command:

repadmin / showrepl*

To create an output that replicates the state of all DCs in the system, enter this command:

Repadmin/replicate

As a result, force replication will be started. This command forces replication and generates all Domain Controllers on the Sites and Services list.

Conclusion

It is usually not necessary to create manual connections when the KCC is being used to generate automatic connections; if any conditions change, the KCC automatically reconfigures the connections.

Adding manual connections when the KCC is employed can potentially increase replication traffic and conflicts with optimal settings stipulated by KCC.

If a connection is not working due to a failed domain controller, the KCC automatically builds temporary connections to other replication sites (if the damage is not too big) to ensure that replication occurs.

If all the domain controllers in a site are unavailable, KCC automatically creates replication connections between domain controllers from another site.

It is not recommended to manually modify this, unless you have a very specific use case.

As long as these records are auto-generated, they can survive a Domain Controller failure, as the KCC/ISTG will automatically create a new connection.

However, if you manually create a connection or specify a bridgehead server, and that server goes offline, KCC will not create a new connection and replication between the affected sites will stall.

Active Directory Domain Services Overview

Active Directory (AD) is a Microsoft-developed technology that consists of a set of processes for managing domains centrally, managing access privileges to networked resources, and managing other directory-related identity-based services. 

While AD consists of multiple directory services, the one that performs the core activities is Active Directory Domain Services (usually abbreviated as AD DS). Essentially, AD DS keeps information about the resources in the domain, authenticates their permissions, and determines their access rights. 

In this article, we’ll give an overview about the AD Domain Services.

Advantages of AD DS

The Active Directory Domain Services offer a wide range of advantages to the management of computing resources.

Here are some of them:

  • A directory is often implemented by building structures that store data based on the logical and hierarchical organization of information. The data stored in the directory usually has all the information about the various Active Directory objects, such as network printers, servers, shared volumes, and individual computer accounts. Consequently, this allows for data to be organized based on the users’ needs and preferences. 
  • AD DS provides multi-master replication and multi-master authentication capabilities. This allows an administrator to manage the entire directory from any location on the network.
  • AD DS comes with built-in redundancy capabilities. As such, if the performance of one Domain Controller (DC) fails, another DC takes over the load.
  • AD DS uses policy-based administration to make the work of system administrators easy, especially in a complex network infrastructure. Every access to network resources occurs through AD DS, which ensures the access rights are managed centrally. 

Common terminologies and concepts in AD DS

Let’s define some terminologies and concepts that are commonly used in Active Directory Domain Services.

  • Schema: It is a set of rules used to define objects and attributes within the directory. Schemas also define the limits on instances and how they are represented in the directory. A schema is preferably stored in its own partition within the directory and replicated among all existing domains in the forest.
  • Global Catalog: It contains all the information about every object defined in the directory, enabling both users and administrators to locate directory information easily—even if the data is on a different domain.
  • Query and Index Mechanism: Query indexing enables users and applications to locate objects and their properties within the directory. This feature comes in handy when looking for specific information in the directory structure.
  • Replication Service: This dedicated service distributes data all over the network; it’s what ensures that every DC contains the same Schema and Global Catalog. All changes made in the Active Directory Domain Services are usually replicated to every DC in the domain. The DCs usually track any changes made and only implement the updates that have taken place since the last replication. The update tracker has two roles: first, it changes what has not been received or need to be replicated at the destination; second, it resolves conflicts arising from simultaneous changes to an object.
  • Lightweight Directory Access Protocol (LDAP): It’s the protocol responsible for providing a common language for interaction between clients and servers across platforms. 

Role of Domain Controllers with AD DS

The servers running the Active Directory Domain Services are called Domain Controllers (DC). Every DC responds to requests for authentication and stores the AD Domain Services data.

Furthermore, the DCs host other essential services, which are complementary to the functions of the AD Domain Services.

Here are some of them:

  • NetLogon: A service that incessantly runs in the background to authenticate users and other services available in a domain. 
  • Kerberos Key Distribution Center (KDC): A service that validates the Kerberos tickets that the Active Directory Domain Services utilize for authentication. 
  • Intersite Messaging (IsmServ): A service that enables Domain Controllers to interact with one another for replication and site-routing purposes.

Every Active Directory should have at least a single DC. The Domain Controllers serve as containers for the domains. Furthermore, every domain is a component of an Active Directory forest, which consists of at least a single domain that is categorized in organizational units.

It’s the Active Directory Domain Services that manage trusts amongst various domains, allowing users to be granted access rights and communication privileges. So, while AD DS is the basis for domain management, DC is the computer that is used to access the Active Directory. 

Conclusion

An Active Directory network infrastructure provides a centralized storage and management of objects. It allows the system administrator, through group policies, to manage the access and availability of shared network resources securely.

An Active Directory Domain Service acts as a foundation for identifying users and also provides a central basis for authenticating and authorizing all the server roles in a typical Windows Server Operating System.

Some of the distinct features found in the latest Active Directory configurations include system auditing, password and account lockout policies, read-only domain controllers, ability to restart domain services, and an Active Directory Database Mounting Tool.