
Active Directory: Lock it down in 10 steps
Version 1.0
March 2, 2005

By Jeremy Smith, MCSE, CISSP

1. Use Windows Server 2003 – Out of the box, the Windows Server 2003 version of the Active
Directory is significantly more secure than the Windows 2000 version. That doesn't mean that you
can't make Windows 2000's version highly secure. It just means that you can make your job easier by
using the Windows Server 2003 version, which doesn't require as much work to secure. If you can't
upgrade to Windows Server 2003, try to ensure that you disable all pre-Windows 2000 features, such
as "Permissions compatible with pre-Windows 2000 servers."

2. Limit administrative access – By using Active Directory technologies like Delegation of
Administrative Control, or through proper use of Built-In Groups and Active Directory Permissions, an
organization can significantly enhance its Active Directory security. Instead of assigning broad,
sweeping permissions to all administrators, fine-tune your rights by assigning specific tasks and
functions only to those IT staff members who actually need them. (This also applies to your end users;
ensure that they don't get too many rights either.) Furthermore, in those organizations that span
multiple locations and that have multiple trees, domains, or forests, ensure that your administrative
rights properly represent the political and business boundaries relevant to your company. You may
need to bring management and/or HR into the discussion when setting those permissions.
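A membership review is the practical starting point for step 2. The following is an added example, not part of the original article; it assumes the ActiveDirectory RSAT module (Windows Server 2008 R2 and later, which post-dates the article), and the 90-day staleness threshold is an assumed value, not one the article gives.

```powershell
Import-Module ActiveDirectory

# Built-in groups whose membership confers domain- or forest-wide administrative control.
# The Operators groups are included because they are common, less-visible admin paths.
$PrivilegedGroups = 'Enterprise Admins', 'Schema Admins', 'Domain Admins', 'Administrators',
                    'Account Operators', 'Server Operators', 'Backup Operators'

function Get-PrivilegedMembership {
    [CmdletBinding()]
    param([string[]]$Group = $PrivilegedGroups)

    foreach ($name in $Group) {
        $adGroup = Get-ADGroup -Filter "Name -eq '$name'" -ErrorAction SilentlyContinue
        if (-not $adGroup) { Write-Verbose "Group '$name' not found"; continue }

        # -Recursive expands nested groups, so indirectly granted members are reported too.
        Get-ADGroupMember -Identity $adGroup -Recursive |
            Where-Object { $_.objectClass -eq 'user' } |
            Get-ADUser -Properties Enabled, LastLogonDate, PasswordLastSet, PasswordNeverExpires |
            ForEach-Object {
                [pscustomobject]@{
                    Group                = $name
                    SamAccountName       = $_.SamAccountName
                    Enabled              = $_.Enabled
                    LastLogonDate        = $_.LastLogonDate
                    PasswordLastSet      = $_.PasswordLastSet
                    PasswordNeverExpires = $_.PasswordNeverExpires
                }
            }
    }
}

# Full picture first: every account that holds privileged membership, directly or via nesting.
$members = Get-PrivilegedMembership
$members | Sort-Object Group, SamAccountName | Format-Table -AutoSize

# Then the first removal candidates: disabled, never logged on, stale for 90 days (assumed
# threshold), or carrying a non-expiring password.
$cutoff = (Get-Date).AddDays(-90)
$members | Where-Object {
    -not $_.Enabled -or -not $_.LastLogonDate -or $_.LastLogonDate -lt $cutoff -or $_.PasswordNeverExpires
} | Format-Table Group, SamAccountName, Enabled, LastLogonDate, PasswordNeverExpires -AutoSize
```

Run it from a management workstation with read access to the domain; nothing here modifies the directory, so the output can go straight into the discussion with management and HR that the article recommends.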

3. Protect DNS – Active Directory is highly dependent upon DNS. In particular, service records are
critical for telling computers where important domain controller-level functions are on the network.
Since DNS contains critical information about an Active Directory network, it is important to ensure
that the DNS servers that hold your Active Directory records are secure from snooping, both
electronically and physically. One recommended configuration is allowing only Secure Dynamic
Updates. Here's a link on how to enable this setting.
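An added example (not from the article) of checking and enforcing the Secure Dynamic Updates setting. It assumes the DnsServer PowerShell module (Windows Server 2012 and later, which post-dates the article); the 2003-era equivalent is noted in a comment.

```powershell
Import-Module DnsServer

# Primary zones that accept dynamic updates from unauthenticated clients.
# Auto-created zones (e.g. TrustAnchors) are skipped; 'None' is not flagged because it
# refuses updates altogether.
function Get-InsecureUpdateZone {
    param([string]$ComputerName = $env:COMPUTERNAME)
    Get-DnsServerZone -ComputerName $ComputerName |
        Where-Object { $_.ZoneType -eq 'Primary' -and -not $_.IsAutoCreated } |
        Where-Object { $_.DynamicUpdate -eq 'NonsecureAndSecure' } |
        Select-Object ZoneName, IsDsIntegrated, IsReverseLookupZone, DynamicUpdate
}

function Set-SecureDynamicUpdate {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [Parameter(Mandatory)][string]$ZoneName,
        [string]$ComputerName = $env:COMPUTERNAME
    )
    $zone = Get-DnsServerZone -Name $ZoneName -ComputerName $ComputerName
    # 'Secure' relies on the ACLs of the zone's objects in AD, so it exists only for
    # AD-integrated zones; a file-backed zone has to be converted first.
    if (-not $zone.IsDsIntegrated) {
        Write-Warning ("{0} is file-backed. Convert it first: ConvertTo-DnsServerPrimaryZone " +
                       "-Name {0} -ReplicationScope Domain -Force") -f $ZoneName
        return
    }
    if ($PSCmdlet.ShouldProcess($ZoneName, 'Set DynamicUpdate = Secure')) {
        Set-DnsServerPrimaryZone -Name $ZoneName -ComputerName $ComputerName -DynamicUpdate Secure
    }
}

# Review first, then remediate. -WhatIf reports the change without touching the server;
# drop it once the list of zones has been confirmed.
$findings = Get-InsecureUpdateZone
$findings | Format-Table -AutoSize
foreach ($z in $findings) { Set-SecureDynamicUpdate -ZoneName $z.ZoneName -WhatIf }

# Windows Server 2003 equivalent (the article's era), per zone:
#   dnscmd <server> /Config <zone> /AllowUpdate 2      (2 = secure updates only)
```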

4. Protect your FSMOs – Flexible Single Master Operations roles, or FSMOs, are very important to
Active Directory. In particular, the PDC Emulator is responsible for many important functions, like time
synchronization, preferential Group Policy updates, and account lockout processing. Furthermore, the
Schema Master controls updates to the Schema and must also be protected. You might consider fault
tolerant servers and solid backups as well as other common countermeasures to protect your FSMO
servers.

5. Enable auditing – Auditing allows administrators to determine what has happened with their Active
Directory. By turning on auditing, you can audit: Account Management, Logon Events, Policy Change,
and Privilege Use. Although it should go without saying, auditing is useless if you don’t regularly
inspect the logs.
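An added example (not from the article) covering both halves of step 5: turning on the four audit categories the article names and then actually reading what they produce. It assumes auditpol.exe and the Windows Server 2008+ Security event IDs, which post-date the 2003-era IDs the article would have used; run it on or against a domain controller.

```powershell
# On a DC the effective audit policy normally comes from the Default Domain Controllers
# Policy GPO, so set it there; these local auditpol calls show the equivalent settings
# and will be overridden by Group Policy on the next refresh.
function Enable-DcAuditPolicy {
    foreach ($category in 'Account Management', 'Logon/Logoff', 'Policy Change', 'Privilege Use') {
        auditpol.exe /set /category:"$category" /success:enable /failure:enable | Out-Null
    }
    auditpol.exe /get /category:*      # show the resulting per-subcategory settings
}

# Summarise account-management and policy-change events from the last N hours so that
# "inspect the logs regularly" is a command someone can run, not just an intention.
function Get-AdChangeSummary {
    param([string]$ComputerName = $env:COMPUTERNAME, [int]$Hours = 24)
    $ids = @{ 4720 = 'User created';        4726 = 'User deleted';          4724 = 'Password reset'
              4728 = 'Added to global group'; 4732 = 'Added to local group'; 4756 = 'Added to universal group'
              4719 = 'Audit policy changed'; 4740 = 'Account locked out' }
    $filter = @{ LogName = 'Security'; Id = [int[]]$ids.Keys; StartTime = (Get-Date).AddHours(-$Hours) }
    Get-WinEvent -ComputerName $ComputerName -FilterHashtable $filter -ErrorAction SilentlyContinue |
        ForEach-Object {
            # The interesting fields live only in the event XML; flatten them to name -> value.
            $data = @{}
            foreach ($d in ([xml]$_.ToXml()).Event.EventData.Data) { $data[$d.Name] = $d.'#text' }
            # For group events TargetUserName is the group and MemberName the account added.
            $isGroupEvent = $data.ContainsKey('MemberName')
            $target = if ($isGroupEvent) { $data['MemberName'] } else { $data['TargetUserName'] }
            $group  = if ($isGroupEvent) { $data['TargetUserName'] } else { $null }
            [pscustomobject]@{
                Time   = $_.TimeCreated
                Id     = $_.Id
                Action = $ids[$_.Id]
                Actor  = "$($data['SubjectDomainName'])\$($data['SubjectUserName'])"
                Target = $target
                Group  = $group
            }
        }
}

Enable-DcAuditPolicy
$changes = Get-AdChangeSummary -Hours 24
$changes | Sort-Object Time | Format-Table -AutoSize

# Membership changes to the built-in privileged groups deserve a human eye every time.
$changes | Where-Object { $_.Group -match 'Admins|Administrators|Operators' } | Format-Table -AutoSize
```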

6. Disable unnecessary services and remove unnecessary applications – Because all domain
controllers should ideally be used only as domain controllers, it makes sense to avoid running any
unnecessary services and software on them. Ensure that only a minimal set of applications and
services are running. Avoid using your domain controller as a file server or a Web server whenever
possible.

7. Install a security template – Security templates are an effective means of providing consistent
security across your domain and should be considered by the prudent, security-conscious
administrator. If the predefined templates (e.g. HiSecDc.inf) don’t meet your needs, create a custom
template.

8. Prioritize patches for domain controllers – Microsoft releases critical and standard security
updates on a monthly basis (sometimes more often), and administrators need to ensure that domain
controllers are at the top of the priority list to get patched as quickly as possible.

Page 1
Copyright ©2005 CNET Networks, Inc. All rights reserved.
To see more downloads and get your free TechRepublic membership, please visit
http://techrepublic.com.com/2001-6240-0.html.
(Active Directory: Lock it down in 10 steps – TechRepublic.com)

9. Set up physical security – Ensure your domain controllers are physically protected by being
quarantined to a locked room or closet. If a malicious employee or visitor can get physical access to a
domain controller and log on with an administrator account, that person could cause significant harm
to your Active Directory infrastructure.

10. Plan a fault tolerant topology – Since security is always about protecting against threats we
currently know about, it's likely that at some point something will sneak up on you. Will you be able to
recover? Keep in mind that because the Active Directory is a multi-master replication model, having
more than one DC means that there are few instances (FSMOs are one example) where the loss of a
DC will really hurt your directory. However, you must understand Active Directory’s replication
schemes and disaster recovery methods and plan your topology to mitigate the most common
problems and outages you can anticipate. Plan and be prepared.

Author's note on security policies

Any new security practices and standards should always be implemented with regard to the
organization's security policy. A security policy is always the first step and the central resource for
effectively securing a network.

Jeremy Smith is a subject matter expert in Microsoft Exchange and Active Directory as well as IT security.
He currently works as a solutions engineer for the leading 911 systems maker in the United States, Plant
Equipment, Inc., where he helps design enterprise solutions for emergency 911 environments.


Additional resources
• Secure Windows Server 2003 Active Directory (TechProGuild)
• Know these five key FSMO roles in Active Directory (TechProGuild)
• Organizing and maintaining Active Directory (TechProGuild)

Version history
• Version: 1.0
• Published: March 2, 2005

