Top 30 Active Directory Security Best Practices Checklist
27 Jan | By Andrew Fitzgerald | In Active Directory
Best Active Directory Security Best Practices Checklist. Organizations with information te
not safe without security features. Credential theft attacks, malware attacks, ransomware
few methods that help attackers gain access to privileged accounts to a computer on a ne
used to gain access to vulnerabilities on your systems. As a result, your business operatio
shutdown with negative PR. Thus, to reduce the Active Directory Attack Surface and monit
have listed the best AD security practices with solutions both for infrastructure security an
In this post, we have listed the best Active Directory Security Best Practices checklist that
enhancing AD security. Further, these practices will enable administrators to discover mali
prioritize security activities. Follow some of the below listed AD best practices to improve
domain environment.
Domain Admins and other Privileged Groups in Active Directory have a few powerful mem
domain, system, or data. Apart from the default Domain Administrator account, avoid havi
Privileged Groups. Cracking user credentials has become easier for attackers. Thus, try to
DA group once your work is done or ideally create a custom role group that only has perm
changes.
Domain Admin accounts are what attackers often try to seek out. If the attackers gain acc
can easily move within the network and seek higher permissions such as domain admin p
limit its use and other Privileged Groups. The same rule applies to Enterprise Admins, Bac
Admin groups.
Regularly monitor the users in your Domain admins group
Review the privileged access with your IT team and shortlist the users with use-cases why
can be challenging but is one of the best ways to reduce the attack surface. Click here
Domain Admins and other groups.
Hence, instead of having only one local admin with privileged access, try creating a separa
admin rights. Also, avoid adding the regular secondary account in the Domain Admins gro
Practice the least privileged administrative model under which all users with minimum per
finish the work. We recommend using it for day to day tasks and removing it from the Dom
work is done. Further, we recommend using the privileged Domain Admin account only to
tasks such as building domain controllers, DC authoritative restores, editing the AD sche
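The review of privileged group membership described above, as an added example that is not code from the original post. It expands nested membership of the default privileged groups, shows last logon and password age for each member, flags accounts that look like someone's everyday account, and lists accounts that were once privileged and still carry adminCount=1. The RSAT ActiveDirectory module is assumed, as is the "-adm" naming suffix for admin accounts; change that to your own convention.

```powershell
# Added example, not code from the original post. Requires the RSAT
# ActiveDirectory module and a domain-joined session. The "-adm" suffix
# convention below is an assumption for this example.
Import-Module ActiveDirectory

$PrivilegedGroups = @(
    'Domain Admins', 'Enterprise Admins', 'Schema Admins', 'Administrators',
    'Account Operators', 'Backup Operators', 'Server Operators', 'Print Operators'
)

function Get-PrivilegedMembership {
    param([string[]]$Groups = $PrivilegedGroups)

    foreach ($g in $Groups) {
        # -Recursive expands nested groups, so a user hidden two levels down still shows up
        $members = Get-ADGroupMember -Identity $g -Recursive -ErrorAction SilentlyContinue |
            Where-Object objectClass -eq 'user'
        foreach ($m in $members) {
            $u = Get-ADUser -Identity $m.distinguishedName -Properties LastLogonDate, PasswordLastSet, mail
            [pscustomobject]@{
                Group           = $g
                SamAccountName  = $u.SamAccountName
                Enabled         = $u.Enabled
                LastLogonDate   = $u.LastLogonDate
                PasswordAgeDays = if ($u.PasswordLastSet) { (New-TimeSpan -Start $u.PasswordLastSet).Days } else { $null }
                # A mailbox or a name without the admin suffix usually means a day-to-day
                # account that has been left in a privileged group
                LooksLikeDailyAccount = ($u.SamAccountName -notmatch '-adm$') -or [bool]$u.mail
            }
        }
    }
}

# Accounts removed from a protected group keep adminCount=1 and the protected ACL
# (inheritance disabled); list them so adminCount can be reset and inheritance restored.
function Get-OrphanedAdminCount {
    $current = (Get-PrivilegedMembership).SamAccountName | Sort-Object -Unique
    Get-ADUser -Filter 'adminCount -eq 1' | Where-Object { $current -notcontains $_.SamAccountName }
}

Get-PrivilegedMembership | Sort-Object Group, SamAccountName | Format-Table -AutoSize
Get-OrphanedAdminCount | Select-Object SamAccountName, DistinguishedName
```

Run it on a schedule and diff the output against the previous run; any new row in Domain Admins, Enterprise Admins or Schema Admins should have a ticket behind it.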
Regular User Access Account
Users should NOT have any admin access to their desktop/laptop or to any systems withi
have basic access to only use applications/systems in order to function in their day to day
Read / Send emails
Browse the internet
Access files / folders either locally or via file server / OneDrive
Print
Using applications they need for their job role
Administrator Account
In most cases the only person who would have an admin account will be IT staff. Even IT
user account and NEVER logon with their admin account. When a user needs to make a c
desktop that requires admin level access to make a change, this is when they can use thei
access) to make the change. The screenshot below shows this example.
Admins will generally need a domain admin account to perform the following in their role:
Making network changes to laptop (WIFI / DNS / Adding to Domain)
Adding users to Active Directory
Editing DNS Server Records
Adding Exchange email mailboxes
Configuring GPOs
Creating Hyper-V VMs
Privileged Access Model
Thus, anyone who requests access to servers or AD must use their individual admin accou
should then be in a security group that has permissions to the servers / systems they nee
For the domain admin account use long 20+ characters password. Ideally the domain adm
be locked away so only senior staff members know the password in emergencies.
Another way to keep your account secure is to enable the smart card, deny log on as a se
RDP. Apply these settings to the group policy and all computers for security purposes.
Domain Administrator account.
It is easy for attackers to track and crack the account. Thus, if you have to perform admin
an individual account and using it for safety reasons. You can always boot the local admin
mode even if it is disabled. Also, if for any reason you can't disable the local admin acc
GPO settings for denying the admin account to perform the following, or alternatively try u
Computer Configuration > Policies > Windows Settings > Security S
Click User Rights Assignment.
Configure the user rights to prevent the local Administrator account from accessing memb
over the network by doing the following:
1. Double-click Deny access to this computer from the network and select Define these p
2. Click Add User or Group, type the user name of the local Administrator account, and clic
be Administrator, the default when Windows is installed.
3. Click OK
Apply the same setting to:
Deny log on as a batch job
Deny log on as a service
Deny log on through Remote Desktop Services
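A check for the four deny rights above, as an added example that is not code from the original post. Group Policy settings are easy to get wrong (wrong account name, wrong OU link), so this exports the effective local security policy with secedit.exe on a member server and reports whether each deny right actually includes the built-in local Administrator (the account with RID 500, whatever it has been renamed to). It assumes an elevated session on Windows 10 / Server 2016 or later, where Get-LocalUser is available.

```powershell
# Added example, not code from the original post. Run elevated on a member
# server after the GPO has applied (gpupdate /force). secedit.exe ships with
# every Windows build; Get-LocalUser needs Windows 10 / Server 2016 or later.
function Get-LocalAdminDenyRights {
    # The built-in Administrator always has RID 500, even if it has been renamed
    $rid500 = (Get-LocalUser | Where-Object { $_.SID.Value -like 'S-1-5-21-*-500' }).SID.Value
    $cfg = Join-Path $env:TEMP 'secpol-export.cfg'
    secedit.exe /export /cfg $cfg /areas USER_RIGHTS | Out-Null
    $lines = Get-Content $cfg
    Remove-Item $cfg -Force

    # Privilege constants behind the four "Deny ..." entries in User Rights Assignment
    $wanted = [ordered]@{
        SeDenyNetworkLogonRight           = 'Deny access to this computer from the network'
        SeDenyBatchLogonRight             = 'Deny log on as a batch job'
        SeDenyServiceLogonRight           = 'Deny log on as a service'
        SeDenyRemoteInteractiveLogonRight = 'Deny log on through Remote Desktop Services'
    }
    foreach ($right in $wanted.Keys) {
        # secedit writes the line as:  SeDenyNetworkLogonRight = *S-1-5-21-...-500,*S-1-5-32-546
        # SIDs are prefixed with '*'; unresolved names appear without it. An unset right has no line.
        $line = $lines | Where-Object { $_ -match "^$right\s*=" }
        $principals = @()
        if ($line) {
            $principals = ($line -split '=', 2)[1].Trim() -split ',' | ForEach-Object { $_.Trim().TrimStart('*') }
        }
        [pscustomobject]@{
            Right         = $wanted[$right]
            Configured    = [bool]$line
            CoversRID500  = $principals -contains $rid500
            Principals    = $principals -join ', '
        }
    }
}

Get-LocalAdminDenyRights | Format-Table -AutoSize
```

If CoversRID500 is false for any row while Configured is true, the GPO named the account by a name that did not resolve on this machine; use the SID (or the renamed account name) in the policy instead.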
5. Install Local Administrator Password Solution (LAPS)
Most administrators are switching to Local Administrator Password Solution (LAPS) for m
passwords. LAPS is a popular Microsoft tool with in built Active Directory infrastructure. T
unique password for each local admin account and stores it in Active Directory. Also, there
additional servers for LAPS tool to run. It performs all the management tasks by using the
extension.
If you use an image creation tool like Packer to create OS images, LAPS is great as it sets
new computer build.
LAPS Benefits
Unique password for local administrator per computer
Password available from Active Directory, if needed to use local administrator account
Remotely change the local administrator password
Ability to use a custom administrator account
The following guide explains the steps to install LAPS and apply via GPO
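A coverage check for a LAPS deployment, as an added example that is not code from the original post or the LAPS guide it refers to. The most common LAPS failure is silent: the client-side extension never ran on some machines, or the computers' OU lacks the write permission, so those hosts keep whatever password the image had. The script detects which LAPS schema extension is present (legacy "Microsoft LAPS" stores the expiry in ms-Mcs-AdmPwdExpirationTime; the newer Windows LAPS uses msLAPS-PasswordExpirationTime), then lists enabled computers that have no managed password. The module and cmdlet names in the trailing comments are the documented ones for each LAPS flavour; which one you deployed is an assumption.

```powershell
# Added example, not code from the original post. Requires the RSAT
# ActiveDirectory module and read access to the expiration attribute
# (the password attribute itself is ACL-protected; the expiry is not).
Import-Module ActiveDirectory

function Get-LapsCoverage {
    param([string]$SearchBase = (Get-ADDomain).DistinguishedName)

    # Only request attributes that exist in this forest's schema; asking Get-ADComputer
    # for an unknown attribute fails outright instead of returning empty values.
    $schema     = (Get-ADRootDSE).schemaNamingContext
    $candidates = 'ms-Mcs-AdmPwdExpirationTime', 'msLAPS-PasswordExpirationTime'
    $present    = @($candidates | Where-Object {
        Get-ADObject -SearchBase $schema -LDAPFilter "(lDAPDisplayName=$_)" -ErrorAction SilentlyContinue
    })
    if ($present.Count -eq 0) {
        throw 'No LAPS schema extension found: run Update-AdmPwdADSchema (legacy) or Update-LapsADSchema (Windows LAPS) first.'
    }

    $props = @('OperatingSystem', 'LastLogonDate') + $present
    Get-ADComputer -Filter 'Enabled -eq $true' -SearchBase $SearchBase -Properties $props |
        ForEach-Object {
            $exp = $null
            foreach ($a in $present) { if ($_.$a) { $exp = $_.$a } }
            [pscustomobject]@{
                Name            = $_.Name
                OS              = $_.OperatingSystem
                LastLogonDate   = $_.LastLogonDate
                LapsManaged     = [bool]$exp
                # The expiry is stored as a Windows FILETIME (int64 ticks since 1601)
                PasswordExpires = if ($exp) { [DateTime]::FromFileTimeUtc([int64]$exp) } else { $null }
            }
        }
}

# Machines that have been seen recently but carry no LAPS password are the real gaps
Get-LapsCoverage |
    Where-Object { -not $_.LapsManaged -and $_.LastLogonDate -gt (Get-Date).AddDays(-30) } |
    Sort-Object LastLogonDate -Descending | Format-Table -AutoSize

# Reading one password when you genuinely need the local account (pick the module you deployed):
#   Get-AdmPwdPassword -ComputerName 'SRV01'              # legacy LAPS, AdmPwd.PS module
#   Get-LapsADPassword -Identity 'SRV01' -AsPlainText     # Windows LAPS module
```

Each retrieval of a LAPS password is itself an event worth logging (legacy LAPS can audit reads of ms-Mcs-AdmPwd via the attribute's SACL); treat a read that is not tied to a ticket the same way you would treat a Domain Admin logon.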
A secure admin workstation must be practiced only by privileged accounts to perform adm
policy, AD administration, management of DNS & DHCP Servers, Office 365 Administration
the purpose of checking email or internet browsing. Using daily use workstations can be v
tasks on your network. Thus, try using a Secure Admin Workstation (SAW) to protect acco
additionally use Privileged Access Workstation (PAW) and jump servers to make it more c
crack. Also, you can enable full disk encryption, block the internet, use a personal firewall,
To be extra careful use a computer that has a minimal OS like Windows Server Core in the
secure admin workstation with the following configurations:
Constantly updated with the latest OS patches
No internet access
AV / Malware detection installed
Firewall enabled
Apply any
Enable disk encryption
Enable multi-factor authentication (MFA)
Automatically delete any Windows OS profiles at least once a day
Secure Device Roles and Profiles
The following examples show hardened Windows 10 devices that you can use as your sec
on how secure you want your workstation. This solution uses Device Health Attestation
as part of your privileged access device strategy
Enterprise Device
This role is ideal for general users who need general access to do their day to day tasks. F
internet and applications. It uses an anti-malware and endpoint detection and response (E
Defender for Endpoint is required. A policy-based approach to increase the security postu
secure means to work with customer data while also using productivity tools like email an
and Intune allow you to monitor an Enterprise workstation for user behavior and profile us
Specialized Device
This device is the next level up with an enhanced security profile with no local admin privil
applications to run. Users are blocked from installing any applications or running any prog
locations. The Specialized security user demands a more controlled environment while st
such as email and web browsing in a simple-to-use experience. These users expect featur
and other shortcuts to work but do not require the ability to modify or debug their device o
drivers, or similar.
This device pro몭le is the most secure with the highest restrictions. This device will have n
internet access and will have restricted applications. No productivity apps. This role is de
roles that would have a significant or material impact on the organization if their account w
surface is very low.
A Privileged workstation provides a hardened workstation that has clear application contr
workstation uses credential guard, device guard, app guard, and exploit guard to protect th
behavior. All local disks are encrypted with BitLocker and web traffic is restricted to a limit
(Deny all).
You should apply the following Audit Policy settings:
Account Logon
Account Management
Detailed tracking
DS Access (Only for Domain controllers)
Logon/Logoff
Object Access
Policy Change
Privilege Use
System
Full instructions for setting up these GPOs can be found on this link
Account lockouts
Any changes made to the Domain Admins, Enterprise Admins, and Schema Admins
A spike in bad password attempts or locked out accounts
Disabled antivirus software
Privileged account activities
Logon/Logoff events
Use of local administrator accounts
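Detection logic for several items on the watch list above (privileged group changes, lockouts and bad password spikes), as an added example that is not code from the original post. It queries the Security log on a domain controller with Get-WinEvent and reads the named fields out of each event's XML rather than relying on positional Properties[] indexes, which differ between event IDs. The event IDs are Microsoft's: 4728/4732/4756 for a member added to a security-enabled global/local/universal group, 4740 for a lockout, 4625 for a failed logon. The thresholds and the group list are assumptions; tune them to your environment.

```powershell
# Added example, not code from the original post. Requires read access to the
# Security log on the DC (Event Log Readers) and the advanced audit policy
# categories listed on this page (Account Management, Logon/Logoff) enabled.
$WatchedGroups = 'Domain Admins', 'Enterprise Admins', 'Schema Admins', 'Administrators'

# Turn an event's <EventData> into a name -> value hashtable
function ConvertTo-EventData([System.Diagnostics.Eventing.Reader.EventRecord]$Event) {
    $x = [xml]$Event.ToXml()
    $d = @{}
    foreach ($n in $x.Event.EventData.Data) { $d[$n.Name] = $n.'#text' }
    return $d
}

function Get-PrivilegedGroupChanges {
    param([string]$ComputerName = $env:COMPUTERNAME, [int]$Hours = 24)
    $filter = @{ LogName = 'Security'; Id = 4728, 4732, 4756; StartTime = (Get-Date).AddHours(-$Hours) }
    Get-WinEvent -ComputerName $ComputerName -FilterHashtable $filter -ErrorAction SilentlyContinue |
        ForEach-Object {
            $d = ConvertTo-EventData $_
            if ($d.TargetUserName -in $WatchedGroups) {     # TargetUserName is the group in these events
                [pscustomobject]@{
                    Time    = $_.TimeCreated
                    EventId = $_.Id
                    Group   = $d.TargetUserName
                    Member  = $d.MemberName                 # DN of the account that was added
                    Actor   = "$($d.SubjectDomainName)\$($d.SubjectUserName)"
                    DC      = $_.MachineName
                }
            }
        }
}

function Get-LockoutSpike {
    param([string]$ComputerName = $env:COMPUTERNAME, [int]$Minutes = 60, [int]$Threshold = 10)
    # Group failures and lockouts by their source so a password spray shows up as one noisy host
    $filter = @{ LogName = 'Security'; Id = 4625, 4740; StartTime = (Get-Date).AddMinutes(-$Minutes) }
    Get-WinEvent -ComputerName $ComputerName -FilterHashtable $filter -ErrorAction SilentlyContinue |
        ForEach-Object {
            $d = ConvertTo-EventData $_
            # 4625 carries the client IP in IpAddress; 4740 carries the caller computer in TargetDomainName
            [pscustomobject]@{
                Id     = $_.Id
                Source = if ($_.Id -eq 4625) { $d.IpAddress } else { $d.TargetDomainName }
                User   = $d.TargetUserName
            }
        } |
        Group-Object Source | Where-Object Count -ge $Threshold |
        Select-Object @{n = 'Source'; e = { $_.Name }}, Count,
                      @{n = 'DistinctUsers'; e = { ($_.Group.User | Sort-Object -Unique).Count }}
}

Get-PrivilegedGroupChanges -Hours 168 | Format-Table -AutoSize
Get-LockoutSpike | Format-Table -AutoSize
```

A single source with many distinct users and few attempts per user is the signature of password spraying; a single user with many failures from one source is a brute force. Both should page someone, not just land in a report.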
Example of AD log monitoring tool by Nagios
Collect all logs in one place and run log analyzing software. This method will help monitor
once, quickly spot suspicious activity and help generate reports. You should also set up
following:
Account Logon Events
Account Management
Directory Service Access
Logon Events
Object Access
Policy Change
Privilege Use
Process Tracking
System Events
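A way to verify that the audit categories listed above (both the Audit Policy list and this one) are really in force on a given machine, as an added example that is not code from the original post. It uses auditpol.exe's CSV output (/r) one category at a time, so each returned subcategory is known to belong to that category, and also checks the registry flag that makes Windows honor the advanced (subcategory) audit policy over the legacy nine-category one. Run it elevated on a DC; on member servers "DS Access" is expected to be empty.

```powershell
# Added example, not code from the original post. auditpol.exe ships with
# Windows; run from an elevated prompt.
function Test-AuditPolicy {
    param(
        [string[]]$RequiredCategories = @(
            'Account Logon', 'Account Management', 'Detailed Tracking', 'DS Access',
            'Logon/Logoff', 'Object Access', 'Policy Change', 'Privilege Use', 'System'
        )
    )
    # If this is not 1, legacy "Audit Policy" settings can override the advanced ones
    $lsa = Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa' -ErrorAction SilentlyContinue
    [pscustomobject]@{
        Category   = '(Force subcategory settings, SCENoApplyLegacyAuditPolicy)'
        SubCount   = $null
        NotAudited = $null
        Missing    = if ($lsa.SCENoApplyLegacyAuditPolicy -eq 1) { '' } else { 'NOT SET' }
    }

    foreach ($cat in $RequiredCategories) {
        # /r emits CSV: Machine Name,Policy Target,Subcategory,Subcategory GUID,Inclusion Setting,Exclusion Setting
        $rows = @(auditpol.exe /get /category:"$cat" /r 2>$null | ConvertFrom-Csv)
        $off  = @($rows | Where-Object { $_.'Inclusion Setting' -eq 'No Auditing' })
        [pscustomobject]@{
            Category   = $cat
            SubCount   = $rows.Count
            NotAudited = $off.Count
            Missing    = ($off.Subcategory -join ', ')
        }
    }
}

Test-AuditPolicy | Format-Table -AutoSize

# For a quick local test only; in the domain these must come from the GPO, which overwrites local settings:
#   auditpol.exe /set /category:"Account Management" /success:enable /failure:enable
```

Anything listed under Missing on a DC is a blind spot: for example, a "No Auditing" on "Security Group Management" means the 4728/4732/4756 group-change events that the watch list depends on are never written.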
Enable Audit Policy to monitor events
Long password length of at least 16 characters
Enable multi-factor authentication (MFA)
Enforce password complexity
Remember 8 password history
Use passphrases
Enforce lockout policy after 4 attempts
Try using a password manager
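The password settings above turned into a check and a policy, as an added example that is not code from the original post. The first function compares the default domain password policy with the numbers in the list (16 characters, complexity, 8 remembered passwords, lockout after 4 attempts) and also reports reversible encryption, which must stay off. The second creates a fine-grained password policy so the strict values apply to privileged accounts even if the domain default is looser; the policy name, precedence and lockout durations are assumptions for this example.

```powershell
# Added example, not code from the original post. Requires the RSAT
# ActiveDirectory module; creating the FGPP needs Domain Admin rights.
Import-Module ActiveDirectory

function Compare-DomainPasswordPolicy {
    $p = Get-ADDefaultDomainPasswordPolicy
    [pscustomobject]@{
        MinLength            = $p.MinPasswordLength
        MinLengthOK          = $p.MinPasswordLength -ge 16
        Complexity           = $p.ComplexityEnabled
        History              = $p.PasswordHistoryCount
        HistoryOK            = $p.PasswordHistoryCount -ge 8
        LockoutThreshold     = $p.LockoutThreshold
        LockoutOK            = ($p.LockoutThreshold -gt 0) -and ($p.LockoutThreshold -le 4)
        # Stores passwords recoverably; must be $false everywhere
        ReversibleEncryption = $p.ReversibleEncryptionEnabled
    }
}

function New-AdminPasswordPolicy {
    param(
        [string]$Name = 'PSO-PrivilegedAccounts',                          # assumed name
        [string[]]$AppliesTo = @('Domain Admins', 'Enterprise Admins', 'Schema Admins')
    )
    if (-not (Get-ADFineGrainedPasswordPolicy -Filter "Name -eq '$Name'")) {
        # Lower precedence wins when several PSOs apply to one user
        New-ADFineGrainedPasswordPolicy -Name $Name -Precedence 10 `
            -MinPasswordLength 16 -ComplexityEnabled $true -PasswordHistoryCount 8 `
            -LockoutThreshold 4 -LockoutDuration '00:30:00' -LockoutObservationWindow '00:30:00' `
            -MinPasswordAge '1.00:00:00' -MaxPasswordAge '365.00:00:00' `
            -ReversibleEncryptionEnabled $false
    }
    Add-ADFineGrainedPasswordPolicySubject -Identity $Name -Subjects $AppliesTo
    Get-ADFineGrainedPasswordPolicy -Identity $Name -Properties AppliesTo
}

Compare-DomainPasswordPolicy | Format-List
New-AdminPasswordPolicy
# Confirm which policy a given admin actually gets (PSO beats the domain default):
#   Get-ADUserResultantPasswordPolicy -Identity 'jane-adm'
```

A lockout threshold of 4 with a 30-minute window stops online guessing, but it also makes every admin account a denial-of-service target for anyone who can reach a logon endpoint; pair it with the lockout monitoring described above rather than relying on it alone.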
Computer Configuration\Policies\Windows Settings\Security Setting
Example of AD Security Group Naming Conventions
Example of InfraSOS running a password report
$d = [DateTime]::Today.AddDays(-180)
Get-ADUser -Filter '(PasswordLastSet -lt $d) -or (LastLogonTimest
With the list of users, it's recommended to disable these accounts, wait several weeks and
Example solution to manage inactive users:
1. Run a PowerShell script or AD reporting software to find inactive users
2. Move them to a separate OU called "Inactive Users"
3. Wait 6 weeks; if no users complain of not being able to log in, delete these accounts
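The three-step process above as a script, as an added example that is not code from the original post. Accounts unused for 180 days are disabled, stamped with a dated note and moved to an "Inactive Users" OU; a second function deletes whatever has sat there disabled for 6 weeks, so an account that someone re-enabled to rescue it is left alone. The OU name is an assumption. LastLogonDate is the cmdlet's conversion of lastLogonTimestamp, which replicates with up to a 14-day lag, so it is approximate but good enough for a 180-day cutoff.

```powershell
# Added example, not code from the original post. Requires the RSAT
# ActiveDirectory module. Run with -WhatIf first.
Import-Module ActiveDirectory

$InactiveOU = "OU=Inactive Users,$((Get-ADDomain).DistinguishedName)"   # assumed OU
$Tag        = 'DISABLED-INACTIVE'

function Get-InactiveUser {
    param([int]$Days = 180)
    $cutoff = (Get-Date).AddDays(-$Days)
    # Enabled accounts whose password and last logon are both older than the cutoff.
    # Accounts that never logged on count if they were created before the cutoff.
    Get-ADUser -Filter 'Enabled -eq $true' -Properties LastLogonDate, PasswordLastSet, whenCreated |
        Where-Object {
            ($_.PasswordLastSet -lt $cutoff) -and
            ( ($_.LastLogonDate -and $_.LastLogonDate -lt $cutoff) -or
              (-not $_.LastLogonDate -and $_.whenCreated -lt $cutoff) )
        }
}

function Disable-InactiveUser {
    param([Parameter(ValueFromPipeline)]$User, [switch]$WhatIf)
    process {
        # Record the date and the original DN so the account can be put back if needed
        $note = "$Tag $(Get-Date -Format yyyy-MM-dd) was:$($User.DistinguishedName)"
        Set-ADUser -Identity $User -Enabled $false -Description $note -WhatIf:$WhatIf
        Move-ADObject -Identity $User.DistinguishedName -TargetPath $InactiveOU -WhatIf:$WhatIf
    }
}

function Remove-ExpiredInactiveUser {
    param([int]$GraceDays = 42, [switch]$WhatIf)
    $cutoff = (Get-Date).AddDays(-$GraceDays)
    # Only still-disabled accounts in the quarantine OU whose stamp is older than the grace period
    Get-ADUser -Filter 'Enabled -eq $false' -SearchBase $InactiveOU -Properties Description |
        Where-Object { $_.Description -match "^$Tag (\d{4}-\d{2}-\d{2})" -and [datetime]$Matches[1] -lt $cutoff } |
        ForEach-Object { Remove-ADUser -Identity $_ -Confirm:$false -WhatIf:$WhatIf }
}

Get-InactiveUser | Disable-InactiveUser -WhatIf     # dry run; drop -WhatIf to apply
Remove-ExpiredInactiveUser -WhatIf
```

Exclude service accounts and the built-in accounts from the first query before running it for real; a 180-day-old password on a service account is a separate problem (see the service accounts section) and should not be handled by quarantine.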
attackers.
Use group policy to control the local administrator group. With the help of restricted group
trusted users have the access to manage and control the computer.
Computer Configuration -> Preferences -> Control Panel Settings -
Right click in the window and select New > Local Group
Local Administrators Group GPO
13. Domain Controllers (DCs) Best Practices
Domain Controllers are vital for an enterprise as they help enforce security policies and m
access controls. You should never install any additional software or server roles onto DC’s
increasing security risks. If you need to run more server roles, install these onto separate
DCs should also have no internet access, and no inbound access from outside the network should be allowed.
An RODC can only read and not write. It is ideal for small remote branches who don't m
Patch Management Best Practice
Every device and application must be updated with the latest security patches in order to r
are recommended patch management processes to apply to your environment:
1. Keep an up-to-date inventory of all your systems and applications. This is critical to unders
environment and understand which systems are most vulnerable. You can use inventory t
Assessment Planning Tool Kit
2. Stay up to date with security patches from your application and hardware vendors
and aware of any new vulnerabilities being published from your vendors. Most vendors pu
vulnerabilities, so it's wise to subscribe to these updates so you're fully aware of new threats
3. Create a patch management policy. Define a schedule when to deploy the latest patche
release new updates.
4. Create a patch deployment test group. Have a test set of users from each department
This way you can monitor if any issues arise for any department users, you can easily roll
to users if you deploy company wide, deploy to small set of users and monitor.
5. Deploy to all users/applications. If no issues from your test users, deploy patches com
department. When deploying to servers, try to minimize disruption as much as possible; if you have
update one at a time.
6. Have a rollback plan. It's important to have a rollback plan in the event a patch causes
systems/applications.
Patching tools available are WSUS, Azure Automation Update Management, AWS System
Google GCP OS Patch Management with VM Manager
Vulnerability Management
Threat & Vulnerability Management (TVM) is a built-in capability in Microsoft Defender Ad
(Microsoft Defender ATP) that uses a risk-based approach to discover, prioritize, and reme
and misconfigurations. With Microsoft Defender ATP’s Threat & Vulnerability Managemen
Continuous discovery of vulnerabilities and misconfigurations
Prioritization based on business context and dynamic threat landscape
Correlation of vulnerabilities with endpoint detection and response (EDR) alerts to expos
Machine-level vulnerability context during incident investigations
Built-in remediation processes through unique integration with Microsoft Intune and Mic
Con몭guration Manager
What is DNS Layer Security
As mentioned earlier ideally domain controllers should be run on Windows Server Core OS
a smaller footprint as the OS has no GUI/Desktop.
Windows Server 2019 vs 2022 Security Features
DHCP monitoring and management best practices
Monitor DNS Logs
When using a local Windows DNS server, it's recommended to enable auditing and logging
internal and external DNS. For example, if your device connects with a malicious site, the s
DNS logs. Also, make sure to enable DNS debug logs on the Windows Servers to view DNS
Go to the DNS Management Console, then Right click and choose properties. From the di
Logging Tab and tick the checkbox “Log packets for debugging“. Once the setup is compl
analyzer to discover and spot any malicious activity.
Denial-of-service (DoS) attacks
Distributed denial-of-service (DDoS) attacks
Domain hijacking
Distributed reflection denial-of-service (DRDoS) attacks
DNS flood attacks
DNS tunneling
DNS spoofing
Random subdomain attacks
NXDOMAIN attacks
Phantom domain attacks
ADFS and Azure AD / Office 365 security features are highly advantageous as they can pro
password spraying, compromised accounts, phishing, etc. One can also switch to premium
security features. Here are some of the features provided by ADFS and Azure AD:
Microsoft Secure Score is a value indicating an organization’s security posture. It tracks th
security depending on the activities and security settings. Firstly, it analyzes your Office 36
analyzes the security settings, activities, and then concludes a security score. Based on th
actions will be provided to fix these issues.
In order to access all these features, we recommend you switch to a Premium or Enterpris
require to assign custom roles or a global admin.
Do you have a solution for a RansomWare attack or what would you do if the network was
trained your staff on how to deal with such situations? Do you follow any response policy?
Cyber attacks are too common, and they have the power to shut down your systems and c
reputation for your business. As a result, your business operations will come to a halt. How
you can limit this impact. Make sure to plan an incident response policy, conduct incident
procedures. Also, you can appoint a response team and establish procedures for commun
prioritize your critical servers and train your staff with DR planning.
will in a way make you lose control of who has access. Thus, create custom groups and d
what with the reason behind why they need access and from what date access was given.
admin staff to be able to add any user in these custom groups without any consent and tra
process of when users request access to be in a group. Keep track of which groups are de
document them.
One idea is to request users to submit a ticket via your helpdesk software so you can mon
requests.
Administration and management of AD objects becomes easier when the OUs mirror your
Different OU models examples can be as follows:
The geographic model separates your OUs based on the location of your offices
The department model divides OUs corresponding to the departments in your organizat
The type-based model classifies OUs based on object types
Choose an Organizational Unit model that best fits your administrative needs.
Separate users and computers. In Active Directory, when you create a user and computer
their respective containers by default. However, GPOs cannot be linked to containers; inste
users and computers that require GPO application. This practice can be followed irrespec
choose for your organization. This makes it much easier to manage your Group Policy ma
HR Adds user to their platform > Triggers a call to create a new IT Helpdesk ticket > IT ap
call to create a new user
User provision tools you can use are:
WorkDay
Azure AD
SCIM
Service accounts are privileged accounts that allow the execution of applications and run
accounts are used for Active Directory authentication and usually have local admin privileg
instances or worse members of domain admin group. The service accounts usually have a
expires. If this account gets in the wrong hands you can imagine the damage and vulnera
To lock down service accounts try the following:
Use long complex passwords
Avoid giving local admin rights
Deny logon locally
Deny logon as a batch
Use Managed Service Accounts
Grant only the required permissions
Do not grant local administrator rights and request vendors to create software without
Do not add account to domain admins
Computer Configuration > Policies > Windows Settings > Security S
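The service-account checks above as a script, plus a replacement for the worst pattern, as an added example that is not code from the original post. The first function finds enabled accounts with a service principal name (Kerberoastable if the password is weak), with "password never expires", or sitting in a privileged group. The second shows how to create a group managed service account (gMSA), which is how "Use Managed Service Accounts" looks in practice: AD rotates the password every 30 days and only the named hosts can retrieve it. The account name, host name and SPN are assumptions; in production the KDS root key needs about 10 hours to replicate before the first gMSA can be created, so -EffectiveImmediately is for a lab only.

```powershell
# Added example, not code from the original post. Requires the RSAT
# ActiveDirectory module; creating a gMSA needs Domain Admin rights.
Import-Module ActiveDirectory

function Get-RiskyServiceAccount {
    # DNs of everyone currently in the groups a service account must never be in
    $privileged = 'Domain Admins', 'Enterprise Admins', 'Administrators' |
        ForEach-Object { (Get-ADGroupMember -Identity $_ -Recursive).distinguishedName }

    Get-ADUser -Filter 'Enabled -eq $true' -Properties servicePrincipalName, PasswordNeverExpires, PasswordLastSet |
        Where-Object { $_.servicePrincipalName -or $_.PasswordNeverExpires -or $_.SamAccountName -like 'svc*' } |
        ForEach-Object {
            [pscustomobject]@{
                SamAccountName       = $_.SamAccountName
                HasSPN               = [bool]$_.servicePrincipalName     # ticket can be requested and cracked offline
                PasswordNeverExpires = $_.PasswordNeverExpires
                PasswordAgeDays      = if ($_.PasswordLastSet) { (New-TimeSpan -Start $_.PasswordLastSet).Days } else { $null }
                IsPrivileged         = $privileged -contains $_.DistinguishedName
            }
        }
}

function New-WebServiceGmsa {
    param(
        [string]$Name  = 'svc-web',                   # assumed
        [string[]]$Hosts = @('WEB01'),                # assumed
        [string]$Spn   = 'HTTP/web.corp.example'      # assumed
    )
    # One root key per forest; -EffectiveImmediately skips the replication wait (lab only)
    if (-not (Get-KdsRootKey)) { Add-KdsRootKey -EffectiveImmediately | Out-Null }
    $hostObjs = $Hosts | ForEach-Object { Get-ADComputer -Identity $_ }
    New-ADServiceAccount -Name $Name -DNSHostName "$Name.$((Get-ADDomain).DNSRoot)" `
        -ServicePrincipalNames $Spn `
        -PrincipalsAllowedToRetrieveManagedPassword $hostObjs `
        -ManagedPasswordIntervalInDays 30
    # On each host, then run the service as DOMAIN\svc-web$ with a blank password:
    #   Install-ADServiceAccount -Identity $Name
    #   Test-ADServiceAccount -Identity $Name     # True once the host can fetch the password
}

Get-RiskyServiceAccount |
    Where-Object { $_.IsPrivileged -or $_.PasswordAgeDays -gt 365 -or ($_.HasSPN -and $_.PasswordNeverExpires) } |
    Format-Table -AutoSize
```

A gMSA still needs the "Deny log on locally" and "Deny log on through Remote Desktop Services" rights from the list above applied on the hosts, and it should get only the NTFS, registry and database permissions the service actually uses.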
25. Try Using Security Baselines and Tools
The Windows operating system comprises various features and enabled ports that are not sec
settings that must be reviewed against known security benchmarks.
It is vital to have a secure configuration to maintain functionality and protect all systems a
Check out the following benchmark tools to scan, analyze and test against security co
tools also help scan systems and report failures.
Security Compliance Toolkit
The Security Compliance Toolkit (SCT) is a set of tools that allows enterprise security adm
analyze, test, edit, and store Microsoft-recommended security configuration baselines for
products.
The SCT enables administrators to effectively manage their enterprise’s Group Policy Obje
administrators can compare their current GPOs with Microsoft-recommended GPO baselin
them, store them in GPO backup 몭le format, and apply them broadly through Active Direct
policy.
CIS Benchmarks
Safeguard IT systems against cyber threats with more than 100 configuration guidelines a
product families. Windows, Linux, Cloud, Cisco, Vmware, IBM and much more.
You should have AD monitoring and auditing setup to detect when users have been added
can track if a security breach could potentially happen
27. Forcing RDP to use TLS Encryption
Remote Desktop Protocol is a great way for attackers to scan for endpoints. Tools like Ma
discover system ports. They can also penetrate your RDP logins if you’re using weak crede
have access to a compromised system. So, avoid directly exposing RDP to the public inter
authentication enabled.
By default the RDP listener negotiates the security layer and encryption level with the client ("Client Compatible"), so an old or attacker-controlled client can negotiate down; enforce the TLS security layer, the "High" encryption level and Network Level Authentication through Group Policy.
Computer Configuration > Administrative Templates > Windows Compo
RDP Client Encryption level GPO Settings
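A check for the settings the GPO above is meant to enforce, as an added example that is not code from the original post. It reads the effective RDP listener configuration through the Win32_TSGeneralSetting WMI class (security layer, minimum encryption level, NLA requirement and the certificate the listener presents) and reports whether Group Policy is the source, by looking at the registry values the three Terminal Services policies write. The value encodings are the documented ones for that class; the assumption is that the listener is the default RDP-Tcp.

```powershell
# Added example, not code from the original post. Run elevated on the host
# being checked; the WMI class lives in root/cimv2/TerminalServices.
function Get-RdpListener {
    Get-CimInstance -Namespace 'root/cimv2/TerminalServices' -ClassName Win32_TSGeneralSetting `
                    -Filter "TerminalName='RDP-Tcp'"
}

function Test-RdpHardening {
    $ts     = Get-RdpListener
    $policy = Get-ItemProperty -Path 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services' `
                               -ErrorAction SilentlyContinue
    $layerNames = @{ 0 = 'RDP Security Layer'; 1 = 'Negotiate'; 2 = 'TLS (SSL)' }
    $encNames   = @{ 1 = 'Low'; 2 = 'Client Compatible'; 3 = 'High'; 4 = 'FIPS' }

    [pscustomobject]@{
        SecurityLayer         = $layerNames[[int]$ts.SecurityLayer]
        SecurityLayerOK       = $ts.SecurityLayer -eq 2          # "Require use of specific security layer" = SSL
        MinEncryptionLevel    = $encNames[[int]$ts.MinEncryptionLevel]
        EncryptionOK          = $ts.MinEncryptionLevel -ge 3     # "Set client connection encryption level" = High
        NLARequired           = [bool]$ts.UserAuthenticationRequired
        # The default is a self-signed certificate; clients cannot tell it from a man-in-the-middle.
        # Issue one from your PKI and bind it with Win32_TSGeneralSetting.SSLCertificateSHA1Hash.
        CertificateThumbprint = $ts.SSLCertificateSHA1Hash
        EnforcedByGPO         = ($null -ne $policy.SecurityLayer) -and
                                ($null -ne $policy.MinEncryptionLevel) -and
                                ($null -ne $policy.UserAuthentication)
    }
}

# Local equivalent of the three GPO settings, for a machine that is not domain-joined.
# On domain members do this through the GPO instead; policy overwrites these values on refresh.
function Set-RdpHardening {
    $ts = Get-RdpListener
    Invoke-CimMethod -InputObject $ts -MethodName SetSecurityLayer   -Arguments @{ SecurityLayer = 2 }      | Out-Null
    Invoke-CimMethod -InputObject $ts -MethodName SetEncryptionLevel -Arguments @{ MinEncryptionLevel = 3 } | Out-Null
    Invoke-CimMethod -InputObject $ts -MethodName SetUserAuthenticationRequired `
                     -Arguments @{ UserAuthenticationRequired = 1 } | Out-Null
    Test-RdpHardening
}

Test-RdpHardening | Format-List
```

TLS on the wire does not help if the listener is reachable from the internet; keep RDP behind a VPN or a gateway, require NLA so credentials are checked before a session is built, and watch the 4625 counts from the monitoring section for whatever is still exposed.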
There are high chances that attackers or malware can make a move through the inbound n
Windows computers and servers. Thus, to protect all your systems, it's best to configure W
purpose of enabling Windows Firewall is to limit any inbound or outbound network traffic f
ports.
Windows Firewall should be managed by Active Directory GPO and users should be blocke
Here are the Group Policy settings for enabling Windows Firewall with Advanced Security.
Computer Configuration > Policies > Windows Settings > Security S
And also the following GPO setting to specify the type of traffic that will be allowed for your n
Computer Configuration > Policies > Administrative Templates > Ne
Application Whitelisting with Windows Defender Application Control
PowerShell is great for task automation and con몭guration management but it can also be
through your network and infect your systems if not carefully managed. PowerShell is a
critical security threats. Ransomware is often spread through your network via PowerShe
I would recommend disabling PowerShell on all your computers, users don’t need PowerS
PowerShell for their day to day job, they can run PowerShell from a dedicated Jump box vs
Within your Group Policy Management Editor, browse to the following setting:
User Configuration -> Policies -> Windows Settings -> Security Se
Right click “Software Restriction Policies” select “New Software Restriction Policies”
Select “Additional Rules”, then right click and select “New Path Rule”
Next click browse and select the powershell.exe file from the path -> C:\Windows\System
Set the security level to "Disallowed" and click OK. A path rule on a single executable is easy to bypass, so add the same Disallowed rule for the 32-bit copy under C:\Windows\SysWOW64\WindowsPowerShell\v1.0\ and for powershell_ise.exe in both locations; a separately installed PowerShell 7 (pwsh.exe) needs its own rule as well. Where the GPO cannot be linked (the admin jump box), leave PowerShell enabled but turn on script block logging so what runs there is recorded.
Let me know if there is anything else I've missed from our AD security checklist. We have
techniques and solutions that will help IT experts protect an enterprise Active Directory do
prevent attacks, or at least reduce your Active Directory attack surface.
Andrew Fitzgerald
Cloud Solution Architect. Helping customers transform their business to the cloud. 20 years e
and a Microsoft Certified Solutions Expert on everything Cloud