Top Best 30 Active Directory Security Best Practices C
27 Jan | By Andrew Fitzgerald | In Active Directory

Best Active Directory Security Best Practices Checklist.  Organizations with information te
not safe without security features. Credential theft attacks, malware attacks, ransomware
few methods that help attackers gain access to privileged accounts to a computer on a ne

used to gain access to vulnerabilities on your systems. As a result, your business operatio
shutdown with negative PR. Thus, to reduce the Active Directory Attack Surface and monit
have listed the best AD security practices with solutions both for infrastructure security an

AD Security Best Practices

In this post, we have listed the best Active Directory Security Best Practices checklist that
enhancing AD security. Further, these practices will enable administrators to discover mali

prioritize security activities. Follow some of the below listed AD best practices to improve
domain environment.

1. Restrict the use of Domain Admins
Privileged Groups

Domain Admins and other Privileged Groups in Active Directory have a few powerful mem
domain, system, or data. Apart from the default Domain Administrator account, avoid havi
Privileged Groups. Cracking user credentials has become easier for attackers. Thus, try to
DA group once your work is done or ideally create a custom role group that only has perm
changes.
 
Domain Admin accounts are what attackers often try to seek out. If the attackers gain acc
can easily move within the network and seek higher permissions such as domain admin p

limit its use and other Privileged Groups. The same rule applies to Enterprise Admins, Bac
Admin groups. 
 
Regularly monitor the users in your Domain admins group

Review the privileged access with your IT team and shortlist the users with use-cases why
can be challenging but is one of the best ways to reduce the attack surface. Click here
Domain Admins and other groups.
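As an added example (not part of the original article), the following PowerShell script does the review described above on a schedule: it snapshots the recursive membership of the privileged groups, compares it with the snapshot from the previous review and reports who was added or removed. The ActiveDirectory module (RSAT) is required; the baseline file path and the inclusion of the built-in Administrators group are assumptions.

```powershell
# Added example, not code from the article: detect changes to privileged group membership
# between reviews. Assumes the ActiveDirectory module and a writable baseline path (assumed).
Import-Module ActiveDirectory

# Groups the checklist singles out, plus the built-in Administrators group (assumption).
$PrivilegedGroups = @('Domain Admins', 'Enterprise Admins', 'Schema Admins', 'Administrators')
$BaselinePath = 'C:\SecOps\privileged-groups-baseline.json'   # assumed location

function Get-PrivilegedGroupSnapshot {
    # -Recursive resolves nested groups, so a user hidden one level down is still listed.
    $snapshot = @{}
    foreach ($group in $PrivilegedGroups) {
        $members = Get-ADGroupMember -Identity $group -Recursive |
                   Select-Object -ExpandProperty SamAccountName | Sort-Object -Unique
        $snapshot[$group] = @($members)
    }
    return $snapshot
}

function Compare-PrivilegedGroupSnapshot {
    param([hashtable]$Baseline, [hashtable]$Current)
    $findings = @()
    foreach ($group in $Current.Keys) {
        # Drop nulls so a group that was empty (or absent) in the baseline compares cleanly.
        $before = @($Baseline[$group] | Where-Object { $_ })
        $after  = @($Current[$group]  | Where-Object { $_ })
        foreach ($added in ($after | Where-Object { $_ -notin $before })) {
            $findings += [pscustomobject]@{ Group = $group; Change = 'Added';   Member = $added }
        }
        foreach ($removed in ($before | Where-Object { $_ -notin $after })) {
            $findings += [pscustomobject]@{ Group = $group; Change = 'Removed'; Member = $removed }
        }
    }
    return $findings
}

$current = Get-PrivilegedGroupSnapshot

if (Test-Path $BaselinePath) {
    # Turn the saved JSON back into a hashtable of group -> member list.
    $raw = Get-Content $BaselinePath -Raw | ConvertFrom-Json
    $baseline = @{}
    foreach ($prop in $raw.PSObject.Properties) { $baseline[$prop.Name] = @($prop.Value) }

    $changes = Compare-PrivilegedGroupSnapshot -Baseline $baseline -Current $current
    if ($changes) {
        Write-Warning "Privileged group membership changed since the last review:"
        $changes | Format-Table -AutoSize
    } else {
        Write-Host "No privileged group membership changes since the last review."
    }
} else {
    Write-Host "No baseline found; creating one at $BaselinePath"
}

# Save the current snapshot so the next review compares against it.
$current | ConvertTo-Json -Depth 3 | Set-Content -Path $BaselinePath
```

Run it as a scheduled task under an account that can read group membership and write the baseline file; an "Added" finding that nobody on the IT team can explain is the signal the section above is asking you to look for.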

2. Use a minimum of two accounts (R


Administrator account)
Remember, getting away with Domain admin rights is not an easy thing. One cannot deleg
DHCP, Exchange, Group Policy, etc so easily. This is the reason why most users have Dom

Hence, instead of having only one local admin with privileged access, try creating a separa
admin rights. Also, avoid adding the regular secondary account in the Domain Admins gro
Practice the least privileged administrative model under which all users with minimum per
몭nish the work. We recommend using it for day to day tasks and removing it from the Dom
work is done. Further, we recommend using the privileged Domain Admin account only to
tasks such as building domain controllers, DC authoritative restores, editing the AD sche

Regular account and Administrator accounts

Regular User Access Account
Users should NOT have any admin access to their desktop/laptop or to any systems withi
have basic access to only use applications/systems in order to function in their day to day
 
Read / Send emails
Browse the internet
Access 몭les / folders either locally or via 몭le server / OneDrive
Print
Using applications they need for their job role

Administrator Account
In most cases the only person who would have an admin account will be IT staff.  Even IT
user account and NEVER logon with their admin account.  When a user needs to make a c
desktop that requires admin level access to make a change, this is when they can use thei
access) to make the change.  The screenshot below shows this example.
 
Admins will generally need a domain admin account to perform the following in their role:
 
Making network changes to laptop (WIFI / DNS / Adding to Domain)
Adding users to Active Directory
Editing DNS Server Records
Adding Exchange email mailboxes
Con몭guring GPOs
Creating Hyper-V VMs

Privileged Access Model

3. Secure the Domain Administrator


(Admin)
Each domain has an Administrator account responsible for domain setup and disaster rec
administrator account‘. These accounts are, by default, important members of the Domain
domain is the forest root domain, the account is also a member of the Enterprise Admins

What is Domain Administrator?


A domain administrator has the highest privileges within your Microsoft network and will b
changes on your Microsoft systems, if in the wrong hands it can cause the most damage.
con몭guration of your Active Directory servers and can modify any content stored in Active
creating new users, deleting users, and changing their permissions.  This account should
Active Directory.

Thus, anyone who requests access to servers or AD must use their individual admin accou
should then be in a security group that has permissions to the servers / systems they nee
 
For the domain admin account use long 20+ characters password.  Ideally the domain adm
be locked away so only senior staff members know the password in emergencies. 
 
Another way to keep your account secure is to enable the smart card, deny log on as a se
RDP. Apply these settings to the group policy and all computers for security purposes.
Domain Administrator account.

Con몭gure GPOs to restrict Administrator accounts on compute

4. Deactivate the Local Administrato


on all Computers
You do not require a local administrator account. So it is recommended to disable the local a
even if you change its details, attackers can track the well-known account via the SID. Sec
configured with the same password and credentials on each computer.

 
It is easy for attackers to track and crack the account. Thus, if you have to perform admin
an individual account and using it for safety reasons. You can always boot the local admin
mode even if it is disabled. Also, if due to any reason, you can't disable the local admin acc
GPO settings for denying the admin account to perform the following, or alternatively try u

Deny access to this computer from the network
Deny log on as a batch job
Deny log on as a service
Deny log on through RDP

Create GPO to Deny local admin account on all domain c


Within Group Policy Management, right click and select New on the OU that has your com
GPO to:

The GPO setting to apply this is as follows:

Computer Configuration > Policies > Windows Settings > Security S

Click User Rights Assignment.

Con몭gure the user rights to prevent the local Administrator account from accessing memb
over the network by doing the following:
 
1. Double-click Deny access to this computer from the network and select Define these p
2. Click Add User or Group, type the user name of the local Administrator account, and clic
be Administrator, the default when Windows is installed.
3. Click OK
 
Apply the same setting to:
 
Deny log on as a batch job
Deny log on as a service 
Deny log on through Remote Desktop Services

5. Install Local Administrator Passwo
(LAPS)

How LAPS Works with Active Directory

Most administrators are switching to Local Administrator Password Solution (LAPS) for m
passwords. LAPS is a popular Microsoft tool with built-in Active Directory infrastructure. T
unique password for each local admin account and stores it in Active Directory. Also, there
additional servers for the LAPS tool to run. It performs all the management tasks by using the
extension.

If you use an image creation tool like Packer to create OS images, LAPS is great as it sets
new computer build.

LAPS Bene몭ts
Unique password for local administrator per computer
Password available from Active Directory, if needed to use local administrator account
Remotely change the local administrator password
Ability to use a custom administrator account

The following guide explains the steps to install LAPS and apply it via GPO

6. Try Using a Secure Admin Worksta


Secure Admin Workstation (SAW) enforcements

A secure admin workstation must be used only by privileged accounts to perform adm
policy, AD administration, management of DNS & DHCP Servers, Office 365 Administration
the purpose of checking email or internet browsing.  Using daily use workstations can be v
tasks on your network. Thus, try using a Secure Admin Workstation (SAW) to protect acco
additionally use Privileged Access Workstation (PAW) and jump servers to make it more c
crack. Also, you can enable full disk encryption, block the internet, use a personal firewall,

To be extra careful use a computer that has a minimal OS like Windows Server Core in the
secure admin workstation with the following configurations:
 
Constantly updated with the latest OS patches
No internet access
AV / Malware detection installed
Firewall enabled
Apply any 
Enable disk encryption
Enable 2 factor authentication (2MFA)
Automatically delete any OS Windows profiles at least once a day

Can You Bene몭t from Implementing a Secure Admin Wor


All domain users and computer operators benefit from using a secure workstation. An atta
compromises a PC or device can impersonate or steal credentials/tokens for all accounts
or all other security assurances. For administrators or sensitive accounts, this allows attac
increase the access they have in your organization, often dramatically to domain, global, o
privileges.

Secure Device Roles and Profiles
The following examples show hardened Windows 10 devices that you can use as your sec
on how secure you want your workstation.  This solution uses Device Health Attestation
as part of your privileged access device strategy

Secure Workstation Deployment Levels

Enterprise Device

This role is ideal for general users who need general access to do their day to day tasks.  F
internet and applications.  It uses an anti-malware and endpoint detection and response (E
Defender for Endpoint is required.  A policy-based approach to increase the security postu
secure means to work with customer data while also using productivity tools like email an
and Intune allow you to monitor an Enterprise workstation for user behavior and profile us

Specialized Device

This device is the next level up with an enhanced security profile with no local admin privil
applications to run.  Users are blocked from installing any applications or running any prog
locations.  The Specialized security user demands a more controlled environment while st
such as email and web browsing in a simple-to-use experience. These users expect featur
and other shortcuts to work but do not require the ability to modify or debug their device o
drivers, or similar.

Privileged Access Workstation (PAW)

This device pro몭le is the most secure with the highest restrictions.  This device will have n

Page 10 of 51
internet access and will have restricted applications.  No productivity apps.  This role is de
roles that would have a significant or material impact on the organization if their account w
surface is very low. 
 
A Privileged workstation provides a hardened workstation that has clear application contr
workstation uses credential guard, device guard, app guard, and exploit guard to protect th
behavior. All local disks are encrypted with BitLocker and web traffic is restricted to a limit
(Deny all).

7. Setup / Enable Audit Policy Setting


Group Policy (GPO)
Workstations are a common target for malicious activity. Thus, if you do not run a proper auditin
computers and servers, you may miss early signs of an attack. Thus, to avoid a security br
Audit Policy settings to the group policy, computers, and all servers.
 
For Windows 10 and Windows Server, Advanced security audit policy settings can be
through the local security snap-in (MMC): open Computer Configuration, click on
Settings, then Security Settings, and choose Advanced Audit Policy Configuration to mak

You should apply the following Audit Policy settings:
 
Account Logon
Account Management
Detailed tracking
DS Access (Only for Domain controllers)
Logon/Logoff
Object Access
Policy Change
Privilege Use
System
 
Full instructions for setting up these GPOs can be found on this link

8. Monitor Active Directory for Signs


Compromise
There are various events and objects that can indicate compromise attempts, which is w
monitor Active Directory. As a result, an organization can prevent breaches from occurring
stages. The abnormal behavior indicates a potential or in progress attack. A proactive app
abnormal behavior on the network or compromise can save from major losses. Make sure
Directory events every week.

Account lockouts
Any changes made to the Domain Admins, Enterprise Admins, and Schema Admins
A spike in bad password attempts or locked out accounts
Disabled antivirus software
Privileged account activities
Logon/Logoff events
Use of local administrator accounts
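As an added example (not part of the original article), the PowerShell below pulls the Security log events that correspond to the indicators listed above from each domain controller for the past week, then shows failed logons per hour so a spray or brute-force run stands out, and lists every lockout and privileged-group change. The event IDs are the standard Windows Security log IDs; the domain controller names are assumptions.

```powershell
# Added example, not code from the article: weekly review of the indicators the checklist lists.
# Event IDs are the standard Windows Security log IDs; DC names below are assumptions.
$DomainControllers = @('DC01', 'DC02')        # assumed DC hostnames
$Since = (Get-Date).AddDays(-7)

# Map each indicator to the Security event IDs that record it.
# 4624/4634 (every logon/logoff) are left out on purpose: on a DC they are too noisy
# for a weekly pull; 4672 captures the privileged logons that matter.
$Indicators = @{
    'Account lockouts'                    = @(4740)
    'Privileged group membership changes' = @(4728, 4729, 4732, 4733, 4756, 4757)
    'Failed logons (bad password)'        = @(4625, 4771, 4776)
    'Privileged logons (special privileges assigned)' = @(4672)
}

function Get-SecurityIndicatorEvents {
    param([string[]]$ComputerName, [datetime]$StartTime)
    $results = @()
    foreach ($dc in $ComputerName) {
        foreach ($name in $Indicators.Keys) {
            # FilterHashtable is evaluated on the remote host, so only matching events transfer.
            $events = Get-WinEvent -ComputerName $dc -FilterHashtable @{
                LogName   = 'Security'
                Id        = $Indicators[$name]
                StartTime = $StartTime
            } -ErrorAction SilentlyContinue
            foreach ($e in $events) {
                $results += [pscustomobject]@{
                    Indicator = $name
                    DC        = $dc
                    Time      = $e.TimeCreated
                    Id        = $e.Id
                    # The first line of the message is the human-readable summary.
                    Summary   = ($e.Message -split "`r?`n")[0]
                }
            }
        }
    }
    return $results
}

$events = Get-SecurityIndicatorEvents -ComputerName $DomainControllers -StartTime $Since

# Spike view: failed logons per hour. A password spray shows up as one or two tall bars.
$events | Where-Object Indicator -eq 'Failed logons (bad password)' |
    Group-Object { $_.Time.ToString('yyyy-MM-dd HH:00') } |
    Sort-Object Name | Select-Object Name, Count | Format-Table -AutoSize

# Lockouts and privileged group changes are rare enough that each one deserves a look.
$events | Where-Object { $_.Indicator -in 'Account lockouts', 'Privileged group membership changes' } |
    Sort-Object Time | Format-Table Time, DC, Id, Summary -AutoSize
```

These IDs only appear if the Account Logon, Account Management and Logon/Logoff audit categories from section 7 are enabled; an empty result on a busy domain usually means the audit policy, not the absence of activity.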

Example of AD log monitoring tool by Nagios

Collect all logs in one place and run log analyzing software. This method will help monitor
once, quickly spot suspicious activity and help generate reports.  You should also set up
following:
 
Account Logon Events
Account Management
Directory Service Access
Logon Events
Object Access
Policy Change
Privilege Use
Process Tracking
System Events

Enable Audit Policy to monitor events

9. Enforce Password Complexity with


Passphrases

Having an 8 character long password is no longer secure. Instead, we recommend using


random words put together) and a minimum of 16 characters.
 
You can also include numbers and characters in the password. It is not mandatory but can
remember, the longer your password will be, the more the attackers will find it hard to crac
where the attacker can easily guess the next word and crack the code.
 
Avoid passwords like Summer2022!, March2022$, etc. These are quite easy to crack. Long
techniques are a great combination and can save your system from attackers.

Password Policy Best Practice


Use passphrases instead of an 8 character complex password.  Research has shown that
much more secure because they are very random and harder for hackers to guess. 
 
Some points to consider to improve your user password security:
 

Long password length of at least 16 characters
Enable multi-factor authentication (MFA)
Enforce password complexity
Enforce a password history of 8
Use passphrases
Enforce lockout policy after 4 attempts
Try using a password manager

Domain Password Policy GPO Settings


To con몭gure your domain password policy, you will 몭nd the Default Domain Policy within y
Management console as can be seen in our our domain::

Default Domain Policy

Right click on the Default Domain Policy and select Edit.


Browse to the following password setting:

Computer Configuration\Policies\Windows Settings\Security Setting

Password Policy GPO Settings
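As an added example (not part of the original article), the following PowerShell applies the values this section recommends (16+ characters, complexity on, 8 passwords remembered, lockout after 4 attempts) to the Default Domain Policy and reads them back as a pass/fail check. It uses the ActiveDirectory module's Set-ADDefaultDomainPasswordPolicy, which edits the same settings the GPO path above exposes; the lockout duration and observation window are assumptions, since the article does not state them.

```powershell
# Added example, not code from the article: set and verify the domain password policy.
# Assumes the ActiveDirectory module; the domain is taken from the current session.
Import-Module ActiveDirectory
$Domain = (Get-ADDomain).DNSRoot

function Set-ChecklistPasswordPolicy {
    param([string]$DomainName)
    # Values from the checklist: 16+ chars, complexity, history of 8, lockout after 4 attempts.
    # The 30-minute lockout duration and observation window are assumptions.
    Set-ADDefaultDomainPasswordPolicy -Identity $DomainName `
        -MinPasswordLength 16 `
        -ComplexityEnabled $true `
        -PasswordHistoryCount 8 `
        -LockoutThreshold 4 `
        -LockoutDuration (New-TimeSpan -Minutes 30) `
        -LockoutObservationWindow (New-TimeSpan -Minutes 30) `
        -ReversibleEncryptionEnabled $false
}

function Test-ChecklistPasswordPolicy {
    param([string]$DomainName)
    $p = Get-ADDefaultDomainPasswordPolicy -Identity $DomainName
    # Each check is a boolean so the report reads as a simple PASS/FAIL list.
    $checks = [ordered]@{
        'MinPasswordLength >= 16'          = ($p.MinPasswordLength -ge 16)
        'ComplexityEnabled'                = [bool]$p.ComplexityEnabled
        'PasswordHistoryCount >= 8'        = ($p.PasswordHistoryCount -ge 8)
        'LockoutThreshold between 1 and 4' = ($p.LockoutThreshold -ge 1 -and $p.LockoutThreshold -le 4)
        'ReversibleEncryption disabled'    = (-not $p.ReversibleEncryptionEnabled)
    }
    foreach ($name in $checks.Keys) {
        $status = if ($checks[$name]) { 'PASS' } else { 'FAIL' }
        "{0,-34} {1}" -f $name, $status
    }
}

Set-ChecklistPasswordPolicy -DomainName $Domain
Test-ChecklistPasswordPolicy -DomainName $Domain
```

Run the Test function on its own from any domain-joined machine to audit the policy without changing it; a LockoutThreshold of 0 means lockout is off, which is why the check rejects it.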

10. Use Security Group Naming Conv


For easy management, add permissions to resources with security groups. Secondly, avoi
security groups. For example, HR_Local. Generic names can be used on all types of resou
getting tracked. Prefer going for descriptive group names to save your information from a
control of security.
 
Descriptive security group names help to determine what the group is used for such as ‘
HR_Training_Room7‘.  In this example users in this group get mapped network drives
Training Room 7.  After training, users who no longer need access can be taken out of the group,
making managing your group membership in Active Directory much easier and more secure.
 
You can take it even further and automate this process using a PowerShell script or automa
Manager

Example of AD Security Group Naming Conventions

Security Group Best Practices


When you need to give users access to any resource within Active Directory, ALWAYS crea
who need access to the resource and apply permissions to this group.  This way you can e
access to your resources (e.g files, folders, printers, network shares, devices, systems, etc
 
Create a security group
Give the group a descriptive naming convention detailing what the group will be used fo
Apply the group to the resource you want to give permissions (e.g a file, folder, applicati
Add / remove users to this group who need or no longer need access
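As an added example (not part of the original article), the PowerShell below runs through the four steps above for the article's HR_Training_Room7 group: it rejects names that do not follow a Department_Resource convention, creates the group, grants it (never individual users) Modify on the folder, and reconciles membership so re-running it with a shorter user list removes the people who left. The OU, share path and user names are assumptions.

```powershell
# Added example, not code from the article: resource access group created, applied and
# reconciled in one script. OU, share path and user names below are assumptions.
Import-Module ActiveDirectory

$GroupsOU  = 'OU=Resource Groups,DC=example,DC=com'   # assumed OU for resource groups
$SharePath = '\\fileserver\Training\Room7'            # assumed UNC path of the resource
$Domain    = (Get-ADDomain).NetBIOSName

function New-ResourceAccessGroup {
    param([string]$Name, [string]$Purpose)
    # Enforce Department_Resource[_Detail] so generic names like "Group1" are rejected.
    if ($Name -notmatch '^[A-Z][A-Za-z]+_[A-Za-z0-9]+(_[A-Za-z0-9]+)*$') {
        throw "Group name '$Name' does not follow the Department_Resource naming convention"
    }
    if (-not (Get-ADGroup -Filter "Name -eq '$Name'")) {
        # Domain local scope suits a group that exists only to carry permissions on a resource.
        New-ADGroup -Name $Name -SamAccountName $Name -GroupScope DomainLocal `
                    -GroupCategory Security -Path $GroupsOU -Description $Purpose
    }
    Get-ADGroup -Identity $Name
}

function Grant-GroupFolderAccess {
    param([string]$GroupName, [string]$Path, [string]$Rights = 'Modify')
    # The ACE is granted to the group; users only ever get access through membership.
    $acl  = Get-Acl -Path $Path
    $rule = New-Object System.Security.AccessControl.FileSystemAccessRule(
        "$Domain\$GroupName", $Rights, 'ContainerInherit, ObjectInherit', 'None', 'Allow')
    $acl.AddAccessRule($rule)
    Set-Acl -Path $Path -AclObject $acl
}

function Set-GroupMembership {
    param([string]$GroupName, [string[]]$Users)
    # Reconcile: add who is missing, remove who is no longer on the list.
    $current  = @(Get-ADGroupMember -Identity $GroupName | Select-Object -ExpandProperty SamAccountName)
    $toAdd    = @($Users   | Where-Object { $_ -notin $current })
    $toRemove = @($current | Where-Object { $_ -notin $Users })
    if ($toAdd)    { Add-ADGroupMember    -Identity $GroupName -Members $toAdd }
    if ($toRemove) { Remove-ADGroupMember -Identity $GroupName -Members $toRemove -Confirm:$false }
}

$group = New-ResourceAccessGroup -Name 'HR_Training_Room7' -Purpose 'Mapped drive for HR training in Room 7'
Grant-GroupFolderAccess -GroupName $group.Name -Path $SharePath
# After training, run again with the reduced list and the leavers are removed from the group.
Set-GroupMembership -GroupName $group.Name -Users @('jsmith', 'akhan')   # assumed user names
```

The Description written at creation time is what answers "what is this group for?" during the access reviews described later in the article, so fill it in rather than leaving it blank.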

11. Delete Inactive Users and Compu


Accounts
There is no point in having a bunch of unused accounts in Active Directory. Also, they can
can discover and misuse them. This may also result in slowdown of group policy being ap
times, patching, and reporting issues. So, to resolve this issue, it's recommended to find an
accounts.
 
This can be done with PowerShell scripts or using a find inactive AD Users tool.

Example of InfraSOS running a password report

Find User Accounts Password not changed in 6 months v


Script
The following PowerShell script queries Active Directory for user accounts where the pass
months). In the Active Directory Module for Windows PowerShell, run the following script to lis
password has not changed in the last six months.

$d = [DateTime]::Today.AddDays(-180)

Get-ADUser -Filter '(PasswordLastSet -lt $d) -or (LastLogonTimest

With the list of users, it's recommended to disable these accounts, wait several weeks and
 
Example solution to manage these inactive users:
 
1. Run a PowerShell script or AD reporting software to find inactive users
2. Move them to a separate OU called (In-Active Users)
3. Wait 6 weeks; if no users complain of being unable to log in, delete these accounts
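As an added example (not part of the original article), the following PowerShell implements the three steps above as one script that can run weekly: find inactive accounts, disable them and move them to the In-Active Users OU with a dated description, and on later runs delete anything that has sat disabled in that OU longer than the grace period. It uses Search-ADAccount, which works from lastLogonTimestamp; the OU distinguished name is an assumption, and `$Commit` is left at `$false` so the first run only reports.

```powershell
# Added example, not code from the article: inactive account lifecycle (find, quarantine, delete).
# Assumes the ActiveDirectory module and an existing OU whose DN is set below (assumed).
Import-Module ActiveDirectory

$InactiveDays = 180
$InactiveOU   = 'OU=In-Active Users,DC=example,DC=com'   # assumed DN; create the OU first
$GraceWeeks   = 6
$Commit       = $false   # set to $true to actually disable, move and delete

function Find-InactiveUsers {
    param([int]$Days)
    # lastLogonTimestamp replicates but can lag by up to 14 days, so this is a candidate list.
    Search-ADAccount -AccountInactive -TimeSpan (New-TimeSpan -Days $Days) -UsersOnly |
        Where-Object { $_.Enabled -and $_.DistinguishedName -notlike "*,$InactiveOU" }
}

function Invoke-Quarantine {
    param($Accounts)
    foreach ($acct in $Accounts) {
        Write-Host "Quarantine: $($acct.SamAccountName) (last logon $($acct.LastLogonDate))"
        if (-not $Commit) { continue }
        # Stamp the description so a reviewer can see why and when the account was disabled.
        Set-ADUser -Identity $acct.SamAccountName `
            -Description ("Disabled for inactivity on {0:yyyy-MM-dd}" -f (Get-Date))
        Disable-ADAccount -Identity $acct.SamAccountName
        Move-ADObject -Identity $acct.DistinguishedName -TargetPath $InactiveOU
    }
}

function Remove-ExpiredQuarantine {
    param([int]$Weeks)
    # whenChanged is updated by the move, so it records when the account entered the OU.
    $cutoff = (Get-Date).AddDays(-7 * $Weeks)
    Get-ADUser -SearchBase $InactiveOU -Filter 'Enabled -eq $false' -Properties whenChanged |
        Where-Object { $_.whenChanged -lt $cutoff } |
        ForEach-Object {
            Write-Host "Delete: $($_.SamAccountName) (quarantined since $($_.whenChanged))"
            if ($Commit) { Remove-ADUser -Identity $_.DistinguishedName -Confirm:$false }
        }
}

# Steps 1 and 2: find candidates, then disable and move them.
$candidates = Find-InactiveUsers -Days $InactiveDays
Invoke-Quarantine -Accounts $candidates

# Step 3: remove accounts that have been quarantined past the grace period.
Remove-ExpiredQuarantine -Weeks $GraceWeeks
```

Service accounts that authenticate only by Kerberos from one host can look inactive under this filter, so review the candidate list before setting `$Commit` to `$true`.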

12. Delete Users from the Local Adm


Group
If a user has a local admin right, he/she will have complete access to the Windows Operat
must not be added as a member to the local administrator group on computers. It can be
problems, such as downloading and installing malware, data stealing, disabling antivirus, h
deleting users with local admin rights from the local administrator group, you can reduce t

attackers.

Use group policy to control the local administrator group. With the help of restricted group
trusted users have the access to manage and control the computer.

Example of Local administrator group on computers

Remove Users from Local Administrators Group using G


Within Group Policy Management, you can create a new GPO or edit an existing policy.
 
Within the GPO editor navigate to the following settings:

Computer Configuration -> Preferences -> Control Panel Settings -

Right click in the window and select New > Local Group

Local Administrators Group GPO

In the New Local Group Properties apply the following settings:


 
Action: Update
Group name: Administrators (built-in)
 
Delete all member users: Yes
Delete all member groups: Yes
 
Members: Click add and select the members you want to be added to the local administra
want to keep the local administrator account and domain admins group as local admins, t
security policies.
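As an added example (not part of the original article), the PowerShell below checks that the Local Group policy above actually took effect: it reads the local Administrators group on every enabled computer in an OU over PowerShell Remoting and reports any member that is not on the approved list. The approved list, the OU and the workstation admin group name are assumptions.

```powershell
# Added example, not code from the article: find local Administrators members the GPO
# should have removed. Assumes PowerShell Remoting; approved list and OU are assumptions.
Import-Module ActiveDirectory

$Domain = (Get-ADDomain).NetBIOSName
# Members the Local Group policy is expected to leave behind (assumed list).
$Approved   = @('Administrator', "$Domain\Domain Admins", "$Domain\Workstation Admins")
$SearchBase = 'OU=Workstations,DC=example,DC=com'   # assumed OU

function Get-LocalAdminDrift {
    param([string[]]$ComputerName, [string[]]$ApprovedMembers)
    # Get-LocalGroupMember runs on each target; unreachable hosts are skipped, not fatal.
    $members = Invoke-Command -ComputerName $ComputerName -ErrorAction SilentlyContinue -ScriptBlock {
        Get-LocalGroupMember -Group 'Administrators' |
            Select-Object @{n='Member'; e={$_.Name}}, @{n='Type'; e={$_.ObjectClass}}
    }
    foreach ($m in $members) {
        # Local accounts come back as COMPUTERNAME\Administrator; compare on the bare name.
        $bare = if ($m.Member -like "$($m.PSComputerName)\*") { $m.Member.Split('\')[1] } else { $m.Member }
        if ($bare -notin $ApprovedMembers) {
            [pscustomobject]@{ Computer = $m.PSComputerName; Member = $m.Member; Type = $m.Type }
        }
    }
}

$computers = Get-ADComputer -SearchBase $SearchBase -Filter 'Enabled -eq $true' |
             Select-Object -ExpandProperty Name

$drift = Get-LocalAdminDrift -ComputerName $computers -ApprovedMembers $Approved
if ($drift) {
    Write-Warning "Unapproved local administrators found:"
    $drift | Sort-Object Computer | Format-Table -AutoSize
} else {
    Write-Host "All reachable computers match the approved local Administrators membership."
}
```

Unreachable computers do not appear in the output at all, so compare the number of hosts that responded with the number queried before treating a clean run as proof.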

13. Domain Controllers (DCs) Best P
Domain Controllers are vital for an enterprise as they help enforce security policies and m
access controls. You should never install any additional software or server roles onto DCs
increasing security risks.  If you need to run more server roles, install these onto separate
 
DCs should also have no internet access; no external access should be allowed.

Avoid Logging into DC's


Also, ideally no one should be logging into DCs via RDP.  All Active Directory administration
Server Administration Tools (RSAT) for Windows.  Any admin work should be done remotely.

Run Domain Controllers on Secure OS


You can use Windows Server Core as a secure OS to run the DC roles because it doesn’t h
security patches with a smaller footprint.  If you have other server roles you can also run t
for example DHCP, DNS Servers, print servers, and 몭le servers.  You can also build your do
Directory Hardening using an AD Hardened image from CIS

Domain Controller Location


Ideally domain controllers should be on physical servers locked away in a cage with TPM
Encryption for all server volumes.  Virtual domain controllers, on premises or in the cloud, are also acceptable.
 
If you have small remote sites that are only running 1 domain controller, for best practice r
con몭gure the DC as Read Only Domain Controller (RODC)

RODC can only read and not write. Ideal for small remote branches that don't m

14. Patch Management and Vulnerab


Scanning
Make sure to scan for and remediate discovered vulnerabilities on a regular basis (once a mo
do not scan for these vulnerabilities and fix them, attackers can exploit them. As a result, you
some of the best vulnerability and scanning tools online. Scan to identify all potential vuln
based on the degree of risk. Also, deploy automated software updates to operating system
you discover any software is out of date and no longer supported, get it updated.

Patch Management Best Practice
Every device and application must be updated with the latest security patches in order to r
are recommended patch management processes to apply to your environment:
 
1. Keep an up-to-date inventory of all your systems and applications.  This is critical to unders
environment and understand which systems are most vulnerable.  You can use inventory t
Assessment Planning Tool Kit
2. Stay up to date with security patches from your application and hardware vendors
and aware of any new vulnerabilities being published from your vendors.  Most vendors pu
vulnerabilities, so it's wise to subscribe to these updates so you're fully aware of new threats
3. Create a patch management policy.  Define a schedule when to deploy the latest patche
release new updates.
4. Create a patch deployment test group.  Have a test set of users from each department
This way you can monitor if any issues arise for any department users, and you can easily roll
to users if you deploy company wide; deploy to a small set of users and monitor.
5. Deploy to all users/applications.  If no issues from your test users, deploy patches com
department.  When deploying to servers, try to minimize disruption as much as possible; if you have
update one at a time.
6. Have a roll back plan.  It's important to have a roll back plan in the event a patch causes
systems/applications. 
 
Patching tools available are WSUS, Azure Automation Update Management, AWS System
Google GCP OS Patch Management with VM Manager

Vulnerability Management
Threat & Vulnerability Management (TVM) is a built-in capability in Microsoft Defender Ad
(Microsoft Defender ATP) that uses a risk-based approach to discover, prioritize, and reme
and miscon몭gurations. With Microsoft Defender ATP’s Threat & Vulnerability Managemen

 
Continuous discovery of vulnerabilities and misconfigurations
Prioritization based on business context and dynamic threat landscape
Correlation of vulnerabilities with endpoint detection and response (EDR) alerts to expos
Machine-level vulnerability context during incident investigations
Built-in remediation processes through unique integration with Microsoft Intune and Mic
Con몭guration Manager

15. Block Malicious Domains Using a


DNS Service
Computers use an IP address to communicate with each other. Every time you need to acc
domain name to map with an IP address. With the help of a secure DNS service, you can b
from entering the network.
 
These services use public and private sources to collect information about malicious dom
a domain is flagged as malicious, the DNS service blocks it. DNS service is one of the e
attackers. Quad9 is one of the free DNS services. For Azure customers Microsoft have a s
Defender for DNS,  which provides an additional layer of protection for resources that use
name resolution capability.

What is DNS Layer Security

Image Source: Cisco Umbrella

Microsoft Defender for DNS Features


Microsoft Defender for DNS detects suspicious and anomalous activities such as:
 
Data ex몭ltration from your Azure resources using DNS tunneling
Malware communicating with command and control servers
DNS attacks – communication with malicious DNS resolvers
Communication with domains used for malicious activities such as phishing and crypto

16. Run Supported Operating System


Microsoft Windows OS’s latest versions include built-in security features and enhancem
Server 2022 is built on the strong foundation of Windows Server 2019 and brings many inno
Security, Azure hybrid integration, management, and application platform. These new fe
and update on any issue. Any unsupported operating system will not receive security upd

As mentioned earlier ideally domain controllers should be run on Windows Server Core OS
a smaller footprint as the OS has no GUI/Desktop.

Windows Server 2019 vs 2022 Security Features

Security Features in Windows Server 2019


New Shielded VM Improvements
Device Guard Policy Updates without Reboot
Kernel Control Flow Guard (CFG)
System Guard Runtime Monitor
Virtual Network Encryption
Windows Defender ATP Agent Included OOB

Security Features in Windows Server 2022


New Secured-Core Server OS option with Hardware-based device identity. Capable of en
up to date and is remotely manageable.  Provides protection for data at rest and data in tr
and hardening.
Hardware root-of-trust
Firmware protection
UEFI secure boot
Virtualization-based security (VBS) – Secured-Core supports VBS and hypervisor-assist
(HVCI). Customers can also use Credential Guard.
Secure DNS.  DNS-over-HTTPS (DoH) which encrypts DNS queries using the HTTPS pro
Azure hybrid capabilities
Advanced multi-layer security
Windows Defender System Guard
SMB Hardening
Guarded fabric and shielded VMs

17. For O몭ce 365 and Remote Acces


Factor Authentication
Nowadays, attackers can easily access your systems using a VPN, Citrix, and other remot
example, if you cross check your Office 365 or ADFS logs, you may find various login attem
Thus, the best way to keep your account secure against compromised accounts is to impl
(2MFA).
 
With the help of MFA, hackers will find it hard to compromise your AD logins. Even if the at
system, he will require a second set of credentials to log in. Two factor authentication is a
accounts safe from password spraying attacks. DUO, RSA, Microsoft MFA are a few truste
solutions.
 
If you’re currently using Active Directory Federation Services consider implementing mu
PKI – Certi몭cate Authentication for user certi몭cate authentication
Turn on O몭ce 365 multi factor authentication with conditional access polices
Azure also provides Azure Active Directory MFA
Consider implementing a RADIUS Server for remote access clients

18. Monitor DHCP Logs for Connecte


Do you have multiple branches? In that case, it can be very challenging to track users and
what network is connected to multiple locations. However, there are ways to connect only
can be time consuming. Another method that is cost effective and will be highly beneficia
connected devices.
 
To use DHCP, you will require all end user devices setup to use DHCP to obtain an IP addre
which IP is trying to track or log in to your system and from what location.  You should hav
con몭gured on all your devices, this way it makes it easier to identify unauthorized devices

DHCP monitoring and management best practices

DHCP Server Best Practice


1. Never run DHCP on a Domain Controller
2. Enable DHCP Logging
3. Use DHCP Failover
4. If using Azure Sentinel, use DHCP Server Activity monitoring
5. Run DHCP Best Practices Analyzer Scanner
6. Use an IPAM to document and manage your IP Addresses.
7. Prevent Rogue DHCP Servers
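As an added example (not part of the original article), the PowerShell below turns on DHCP audit logging (item 2 above) with the DhcpServer module and then does the check this section is about: it lists every active lease whose host name has no matching computer object in Active Directory, which is the fastest way to surface an unknown device. The DHCP server name is an assumption; the script is meant to run from a management host, not on a domain controller.

```powershell
# Added example, not code from the article: enable DHCP audit logging and flag leases for
# hosts Active Directory does not know about. Server name below is an assumption.
Import-Module DhcpServer
Import-Module ActiveDirectory

$DhcpServer = 'DHCP01'   # assumed; per the checklist this is NOT a domain controller

function Enable-DhcpAuditLogging {
    param([string]$ComputerName)
    # Audit logs go to %SystemRoot%\System32\dhcp by default; raise the size cap so a busy
    # week is not truncated (200 MB is an assumption).
    Set-DhcpServerAuditLog -ComputerName $ComputerName -Enable $true -MaxMBFileSize 200
    Get-DhcpServerAuditLog -ComputerName $ComputerName
}

function Get-UnknownDhcpClients {
    param([string]$ComputerName)
    # Lookup table of every computer account the domain knows about.
    $known = @{}
    Get-ADComputer -Filter * | ForEach-Object { $known[$_.Name.ToLower()] = $true }

    foreach ($scope in Get-DhcpServerv4Scope -ComputerName $ComputerName) {
        Get-DhcpServerv4Lease -ComputerName $ComputerName -ScopeId $scope.ScopeId |
            Where-Object { $_.AddressState -like 'Active*' } |
            ForEach-Object {
                # Lease host names may be FQDNs; compare on the short name only.
                $short = ($_.HostName -split '\.')[0]
                if (-not $short -or -not $known.ContainsKey($short.ToLower())) {
                    [pscustomobject]@{
                        Scope    = $scope.ScopeId
                        IP       = $_.IPAddress
                        MAC      = $_.ClientId
                        HostName = $_.HostName
                        Expires  = $_.LeaseExpiryTime
                    }
                }
            }
    }
}

Enable-DhcpAuditLogging -ComputerName $DhcpServer
Get-UnknownDhcpClients -ComputerName $DhcpServer | Format-Table -AutoSize
```

Printers, phones and other non-domain devices will show up here by design; the point is that the list is short enough to review, and anything on it that nobody can account for is worth a look at the switch port the MAC address came from.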

19. Monitor DNS Logs for Malicious


Activity

Monitor DNS Logs

When using a local Windows DNS server, it's recommended to enable auditing and logging
internal and external DNS. For example, if your device connects with a malicious site, the s
DNS logs. Also, make sure to enable DNS debug logs on the Windows Servers to view DNS
 
Go to the DNS Management Console, then Right click and choose properties. From the di
Logging Tab and tick the checkbox “Log packets for debugging“. Once the setup is compl
analyzer to discover and spot any malicious activity.

Enable DNS Debug Logging

Common Threats to DNS Servers


DNS monitoring is very important, in part, because it helps you identify vulnerabilities befo
many types of DNS attacks. These include:
 
DNS cache poisoning

Denial-of-service (DoS) attacks
Distributed denial-of-service (DDoS) attacks
Domain hijacking
Distributed reflection denial-of-service (DRDoS) attacks
DNS flood attacks
DNS tunneling
DNS spoofing
Random subdomain attacks
NXDOMAIN attacks
Phantom domain attacks

How to Monitor DNS Server


By monitoring your DNS server entries and monitoring for any changes, you can quickly ide
security risk to your system. To monitor DNS effectively, you should focus on the following
 
1. IP Addresses.  Set a monitor for any mismatches between IP addresses resolving to A r
2. SOA Records.  The SOA record needs to be monitored to see if the serial number has be
changed then you know an attack has happened.
3. MX and SRV Records.  Keep these records monitored as these control your communica
systems.
4. NS Records and Root Servers.  These should be monitored if any rogue DNS servers ha
replication partners.  
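As an added example (not part of the original article), the PowerShell below does two things this section describes: it enables DNS debug logging on a Windows DNS server with the DnsServer module (the scripted equivalent of the "Log packets for debugging" checkbox), and it fingerprints a zone's SOA serial, NS and MX records so that a changed serial or an added NS/MX record since the last run produces a warning. The server name, zone, log path and baseline path are assumptions.

```powershell
# Added example, not code from the article: DNS debug logging plus a baseline check on the
# SOA serial, NS and MX records. Server, zone and paths below are assumptions.
Import-Module DnsServer

$DnsServer    = 'DNS01'                         # assumed
$Zone         = 'example.com'                   # assumed zone
$BaselinePath = 'C:\SecOps\dns-baseline.json'   # assumed
$LogPath      = 'C:\DnsLogs\dns-debug.log'      # assumed

function Enable-DnsDebugLog {
    param([string]$ComputerName, [string]$Path)
    # Log queries and answers over UDP and TCP to a file; this is what the GUI checkbox sets.
    Set-DnsServerDiagnostics -ComputerName $ComputerName -EnableLoggingToFile $true -LogFilePath $Path `
        -Queries $true -Answers $true -ReceivePackets $true -SendPackets $true `
        -UdpPackets $true -TcpPackets $true
}

function Get-DnsZoneFingerprint {
    param([string]$ComputerName, [string]$ZoneName)
    $soa = Get-DnsServerResourceRecord -ComputerName $ComputerName -ZoneName $ZoneName -RRType Soa
    $ns  = Get-DnsServerResourceRecord -ComputerName $ComputerName -ZoneName $ZoneName -RRType Ns
    $mx  = Get-DnsServerResourceRecord -ComputerName $ComputerName -ZoneName $ZoneName -RRType Mx
    [pscustomobject]@{
        Serial = $soa.RecordData.SerialNumber
        NS     = @($ns.RecordData.NameServer   | Sort-Object -Unique)
        MX     = @($mx.RecordData.MailExchange | Sort-Object -Unique)
    }
}

function Get-ListDiff {
    param([string[]]$Before, [string[]]$After, [string]$Label)
    foreach ($x in $After)  { if ($x -notin $Before) { "$Label record added: $x" } }
    foreach ($x in $Before) { if ($x -notin $After)  { "$Label record removed: $x" } }
}

function Compare-DnsZoneFingerprint {
    param($Baseline, $Current)
    if ($Current.Serial -ne $Baseline.Serial) {
        "SOA serial changed: $($Baseline.Serial) -> $($Current.Serial); review who changed the zone"
    }
    Get-ListDiff -Before @($Baseline.NS) -After @($Current.NS) -Label 'NS'
    Get-ListDiff -Before @($Baseline.MX) -After @($Current.MX) -Label 'MX'
}

Enable-DnsDebugLog -ComputerName $DnsServer -Path $LogPath

$current = Get-DnsZoneFingerprint -ComputerName $DnsServer -ZoneName $Zone
if (Test-Path $BaselinePath) {
    $baseline = Get-Content $BaselinePath -Raw | ConvertFrom-Json
    $alerts = @(Compare-DnsZoneFingerprint -Baseline $baseline -Current $current)
    if ($alerts) { $alerts | ForEach-Object { Write-Warning $_ } } else { Write-Host "Zone $Zone unchanged." }
}
$current | ConvertTo-Json -Depth 3 | Set-Content -Path $BaselinePath
```

On an AD-integrated zone the serial increments with every dynamic update, so treat a serial change as a prompt to look at the zone's change log rather than as an alert on its own; an unexpected NS or MX record is the finding that matters.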

20. Implement ADFS and Azure AD /


Security Features

ADFS and Azure AD/ Office 365 security features are highly advantageous as they can pro
password spraying, compromised accounts, phishing, etc. One can also switch to premium
security features. Here are some of the features provided by ADFS and Azure AD:

ADFS / Azure AD Security Features


Smart Lockout
Custom bad passwords
Banned passwords
MFA Authentication
IP Lockout
Attack Simulations
Azure AD Connect Health
Single Sign On (SSO)

21. Use Office 365 Secure Score to Im


Security Posture

Microsoft Secure Score is a value indicating an organization’s security posture. It tracks th
security depending on the activities and security settings. Firstly, it analyzes your Office 36
analyzes the security settings, activities, and then concludes a security score. Based on th
actions will be provided to fix these issues.

Secure Score Actions

In order to access all these features, we recommend you switch to a Premium or Enterpris
requires assigning custom roles or a global admin.

Secure Score helps organizations:


 
Report on the current state of the organization’s security posture.
Improve their security posture by providing discoverability, visibility, guidance, and contr
Compare with benchmarks and establish key performance indicators (KPIs).

22. Implement a Disaster Recovery P

Do you have a solution for a ransomware attack, or what would you do if the network was
trained your staff on how to deal with such situations? Do you follow any response policy?
 
Cyber attacks are too common, and they have the power to shut down your systems and c
reputation for your business. As a result, your business operations will come to a halt. How
you can limit this impact. Make sure to plan an incident response policy, conduct incident
procedures. Also, you can appoint a response team and establish procedures for commun
prioritize your critical servers and train your staff with DR planning.

Domain Controller Disaster Recovery


Your domain controllers are your most critical servers in Active Directory.  If these servers
users will be greatly affected.  Users can't log in to devices and email will stop working, so
tolerance and a DR plan in place for your AD domain controllers.
 
This is what I recommend to safeguard your AD:
 
1. Replicate domain controllers between sites.  If 1 site/branch goes down you can run off
2. Set up hybrid AD, with DCs on prem and Active Directory in the cloud.
3. Run frequent backups of your domain controllers.
4. Implement Azure Site Recovery.  In the event of a disaster, your domain controllers fail o
5. Hyper-V Replication to the cloud. If you’re running DCs on Hyper-V, consider having Hype
Hyper-V replication
 
Refer to the Active Directory Forest Recovery Guide

23. Delegation for Active Directory P

Use Security Groups to control access to Active Directory and associated resources. Deleg
will in a way make you lose control of who has access. Thus, create custom groups and d
what with the reason behind why they need access and from what date access was given.
admin staff to be able to add any user in these custom groups without any consent and tra
process of when users request access to be in a group. Keep track of which groups are de
document them.
 
One idea is to request users to submit a ticket via your helpdesk software so you can mon
requests.

Best Practices for Granting AD Access

1. Create Custom Groups for Roles with Assigned Responsibilities: Create a set of roles tha
access for all your resources for each department, for example within your IT team:
   1. Exchange Administrators
      1. Server Admins: Administrators who need to do server specific tasks (backups, ser
         configuration of transport settings, Unified Messaging, client access, and mailbox fea
         copies, certificates, transport queues and Send connectors, virtual directories, and cli
      2. Help Desk: Permissions to create a mailbox, add a user to a distribution list, give p
         a shared mailbox.
      3. Compliance: Access to run reports on email activity about users, emails, auditing, l
         This would be ideal for security teams.
   2. Active Directory Administrators
      1. Domain admins: Responsible for top-level service administration across the domai
         manageable number of trusted administrators.
      2. GPO admins: Responsible for managing and creating group policies.  These will most
      3. IT Helpdesk: Mainly responsible for resetting passwords, updating user profile attr
      4. HR: Responsible for creating new users as part of the onboarding process for new

De몭ne OU Security Model


You need to plan your OU structure and hierarchy in order to properly and securely manag
recommends that you ensure simplicity and adaptability while planning your OU design. S
Active Directory OU structure keeping Group Policy Object (GPO) linkage and delegation in
random in the long run.

Administration and management of AD objects becomes easier when the OUs mirror your
Different OU models examples can be as follows:
 
The geographic model separates your OUs based on the location of your offices
The department model divides OUs corresponding to the departments in your organizat
The type-based model classifies OUs based on object types

Choose an Organizational Unit model that best fits your administrative needs.

Separate users and computers.  In Active Directory, when you create a user and computer
their respective containers by default. However, GPOs cannot be linked to containers; inste
users and computers that require GPO application. This practice can be followed irrespec
choose for your organization.  This makes it much easier to manage your Group Policy ma

Automate Joiners Movers Leavers Process

It's important to audit and manage what new users have access to and to disable their acc
company or perhaps a user is moving department and shouldn’t have access to resources
this to be automated.  If you have other applications that rely on Active Directory user acco
accounts to be restricted on your other applications that perform SSO authentication.
 
Typical flow would be as follows:

HR Adds user to their platform > Triggers a call to create a new IT Helpdesk ticket > IT ap
call to create a new user
 
User provision tools you can use are:
WorkDay
Azure AD
SCIM
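An offboarding step for the "leaver" case in the flow above, as an added PowerShell example that is not part of the original post. It assumes the ActiveDirectory RSAT module; the quarantine OU path and ticket id are hypothetical.

```powershell
# Added example, not part of the original post: a leaver step that a ticket- or HR-triggered
# job could call. It disables the account, records the group memberships on the object before
# stripping them (so a "mover" reversal is possible) and moves it to a quarantine OU.
# Requires the ActiveDirectory module; the OU path below is a hypothetical placeholder.
Import-Module ActiveDirectory

function Disable-LeaverAccount {
    param(
        [Parameter(Mandatory)][string]$SamAccountName,
        [string]$TicketId   = 'UNSPECIFIED',
        [string]$DisabledOu = 'OU=Disabled Users,DC=corp,DC=example,DC=com'   # hypothetical
    )
    $user = Get-ADUser -Identity $SamAccountName -Properties MemberOf
    # MemberOf excludes the primary group (Domain Users), which cannot be removed this way
    $groups = @($user.MemberOf | ForEach-Object { (Get-ADGroup -Identity $_).SamAccountName })

    Disable-ADAccount -Identity $user
    # Keep an audit trail on the object itself: when, which ticket, and what was removed
    $note = "Disabled $(Get-Date -Format 'yyyy-MM-dd') ticket $TicketId; groups: $($groups -join ',')"
    Set-ADUser -Identity $user -Description $note -Replace @{ info = $note }
    foreach ($g in $groups) {
        Remove-ADGroupMember -Identity $g -Members $user -Confirm:$false
    }
    Move-ADObject -Identity $user.DistinguishedName -TargetPath $DisabledOu

    [pscustomobject]@{ Account = $SamAccountName; GroupsRemoved = $groups.Count; MovedTo = $DisabledOu }
}

# Usage (hypothetical account and ticket)
Disable-LeaverAccount -SamAccountName 'jdoe' -TicketId 'HD-12345'
```

Because the account is disabled in AD first, applications that authenticate through AD-backed SSO lose access at the same time, which is the point the section makes about downstream applications.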

24. Lock Down and Restrict Service A

Service accounts are privileged accounts that allow the execution of applications and run
accounts are used for Active Directory authentication and usually have local admin privileg
instances or, worse, members of the Domain Admins group. The service accounts usually have a
expires.  If this account gets in the wrong hands you can imagine the damage and vulnera

To lock down service accounts try the following:
 
Use long complex passwords
Avoid giving local admin rights
Deny logon locally
Deny logon as a batch
Use Managed Service Accounts
Grant only the required permissions
Do not grant local administrator rights and request vendors to create software without
Do not add the account to Domain Admins
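A way to find the accounts that break the rules above, as an added PowerShell example that is not part of the original post. It treats any user object with a registered SPN as a service account (an assumption; adjust the filter to your naming convention) and assumes the ActiveDirectory RSAT module; the gMSA names at the end are hypothetical.

```powershell
# Added example, not part of the original post: report user-based service accounts whose
# settings contradict the lock-down list (non-expiring or stale passwords, privileged group
# membership). "Service account" here = user object with an SPN, which is an assumption.
Import-Module ActiveDirectory

function Get-ServiceAccountRisk {
    param([string[]]$PrivilegedGroups = @('Domain Admins', 'Enterprise Admins', 'Administrators', 'Schema Admins'),
          [int]$MaxPasswordAgeDays = 365)
    # Resolve privileged membership once; -Recursive so nesting through other groups counts
    $privileged = @{}
    foreach ($g in $PrivilegedGroups) {
        Get-ADGroupMember -Identity $g -Recursive -ErrorAction SilentlyContinue |
            ForEach-Object { $privileged[$_.distinguishedName] = $g }
    }
    Get-ADUser -LDAPFilter '(servicePrincipalName=*)' `
        -Properties PasswordNeverExpires, PasswordLastSet, Enabled, servicePrincipalName |
      ForEach-Object {
        $issues = @()
        if ($_.PasswordNeverExpires) { $issues += 'password never expires' }
        if ($_.PasswordLastSet -and $_.PasswordLastSet -lt (Get-Date).AddDays(-$MaxPasswordAgeDays)) {
            $issues += "password older than $MaxPasswordAgeDays days"
        }
        if ($privileged.ContainsKey($_.DistinguishedName)) { $issues += "member of $($privileged[$_.DistinguishedName])" }
        [pscustomobject]@{
            Account = $_.SamAccountName
            Enabled = $_.Enabled
            SPNs    = ($_.servicePrincipalName -join '; ')
            Issues  = ($issues -join ', ')
        }
      } | Where-Object { $_.Issues }
}

# Usage: list the findings, then migrate each hit to a group managed service account (gMSA),
# whose password AD rotates itself (every 30 days by default). The domain needs a KDS root
# key (Add-KdsRootKey) before the first gMSA can be created. Names below are hypothetical.
Get-ServiceAccountRisk | Format-Table -AutoSize
# New-ADServiceAccount -Name 'gmsa-app01' -DNSHostName 'gmsa-app01.corp.example.com' `
#     -PrincipalsAllowedToRetrieveManagedPassword 'APP01$'
```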

Lock Down via GPO

You can apply the above settings via the following Group Policy:

Computer Configuration > Policies > Windows Settings > Security S

25. Try Using Security Baselines and
Tools

Windows Operating system comprises various features and enabled ports that are not sec
settings that must be reviewed against known security benchmarks.

It is vital to have a secure configuration to maintain functionality and protect all systems a

Check out the following benchmark tools to scan, analyze and test against security co
tools also help scan systems and report failures.
 
Security Compliance Toolkit
The Security Compliance Toolkit (SCT) is a set of tools that allows enterprise security adm
analyze, test, edit, and store Microsoft-recommended security configuration baselines for
products.
The SCT enables administrators to effectively manage their enterprise’s Group Policy Obje
administrators can compare their current GPOs with Microsoft-recommended GPO baselin
them, store them in GPO backup file format, and apply them broadly through Active Direct
policy.
 
CIS Benchmarks
Safeguard IT systems against cyber threats with more than 100 configuration guidelines a
product families: Windows, Linux, Cloud, Cisco, VMware, IBM and much more.

26. Protect Default AD Security Grou

When you install an Active Directory domain, a few default security groups are created. Th
permissions.   These groups include the following:
 
Account Operators, Administrators, DNS Admins, Domain Admins, Guests, Users, Protec
and many more.
 
See full list of these default groups

You should have AD monitoring and auditing set up to detect when users have been added
can track if a security breach could potentially happen.
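The monitoring the paragraph above calls for, as an added PowerShell example that is not part of the original post: it diffs the membership of the default privileged groups against a saved baseline and pulls the security events a domain controller logs when a member is added to a security-enabled group (4728 global, 4732 domain-local, 4756 universal). It assumes the ActiveDirectory RSAT module; the DC name and baseline path are hypothetical.

```powershell
# Added example, not part of the original post: baseline diff plus event-log check for
# the default privileged groups. Requires the ActiveDirectory module; 'DC01' and the
# baseline path are hypothetical placeholders.
Import-Module ActiveDirectory

$ProtectedGroups = @('Domain Admins', 'Enterprise Admins', 'Schema Admins', 'Administrators',
                     'Account Operators', 'Backup Operators', 'Server Operators', 'DnsAdmins')

function Get-ProtectedGroupMembers {
    $members = @{}
    foreach ($g in $ProtectedGroups) {
        # -Recursive so an account nested through another group is still listed
        $members[$g] = @(Get-ADGroupMember -Identity $g -Recursive -ErrorAction SilentlyContinue |
                         Select-Object -ExpandProperty SamAccountName | Sort-Object)
    }
    return $members
}

function Compare-ProtectedGroups {
    param([hashtable]$Baseline, [hashtable]$Current)
    foreach ($g in $ProtectedGroups) {
        foreach ($m in @($Current[$g]))  { if ($m -notin @($Baseline[$g])) { "[$g] ADDED: $m" } }
        foreach ($m in @($Baseline[$g])) { if ($m -notin @($Current[$g]))  { "[$g] REMOVED: $m" } }
    }
}

function Get-GroupAddEvents {
    param([string]$DomainController, [int]$Hours = 24)
    Get-WinEvent -ComputerName $DomainController -ErrorAction SilentlyContinue -FilterHashtable @{
        LogName = 'Security'; Id = 4728, 4732, 4756; StartTime = (Get-Date).AddHours(-$Hours) } |
      ForEach-Object {
        # EventData fields: MemberName = object added, TargetUserName = group, SubjectUserName = actor
        $d = @{}
        ([xml]$_.ToXml()).Event.EventData.Data | ForEach-Object { $d[$_.Name] = $_.'#text' }
        [pscustomobject]@{ Time = $_.TimeCreated; Group = $d.TargetUserName; Member = $d.MemberName; By = $d.SubjectUserName }
      }
}

# Usage: the first run writes the baseline; later runs report drift and recent additions
$baselinePath = 'C:\ADBaseline\protected-groups.xml'
$current = Get-ProtectedGroupMembers
if (Test-Path $baselinePath) {
    Compare-ProtectedGroups -Baseline (Import-Clixml -Path $baselinePath) -Current $current
    Get-GroupAddEvents -DomainController 'DC01' | Format-Table -AutoSize
} else {
    $current | Export-Clixml -Path $baselinePath
}
```

A member added and removed again between two baseline runs never shows in the diff but does show in the event query, which is why the two checks are paired; the matching removal events are 4729, 4733 and 4757.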

27. Forcing RDP to use TLS Encryptio

Remote Desktop Protocol is a great way for attackers to scan for endpoints. Tools like Ma
discover system ports. They can also penetrate your RDP logins if you’re using weak crede
have access to a compromised system. So, avoid directly exposing RDP to the public inter
authentication enabled.
 
The RDP connection does not use strong encryption by default.

Enable RDP TLS Encryption via GPO

To force your RDP connections to use TLS encryption, you can apply the following Group P

Computer Configuration > Administrative Templates > Windows Compo

RDP Client Encryption level GPO Settings
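A way to confirm on a host that the policy above actually took effect, and to set the same values where no GPO applies, as an added PowerShell example that is not part of the original post. It uses the Win32_TSGeneralSetting CIM class and needs local administrator rights on the target.

```powershell
# Added example, not part of the original post: audit (and optionally enforce) the RDP
# listener's security layer, minimum encryption level and Network Level Authentication.
function Get-RdpSecuritySetting {
    param([string]$ComputerName = $env:COMPUTERNAME)
    $ts = Get-CimInstance -ComputerName $ComputerName -Namespace 'root/cimv2/TerminalServices' `
              -ClassName Win32_TSGeneralSetting -Filter "TerminalName='RDP-Tcp'"
    [pscustomobject]@{
        Computer           = $ComputerName
        SecurityLayer      = $ts.SecurityLayer          # 0 = RDP security layer, 1 = Negotiate, 2 = TLS
        MinEncryptionLevel = $ts.MinEncryptionLevel     # 1 = Low, 2 = Client compatible, 3 = High, 4 = FIPS
        NlaRequired        = [bool]$ts.UserAuthenticationRequired
        Compliant          = ($ts.SecurityLayer -eq 2 -and $ts.MinEncryptionLevel -ge 3 -and
                              $ts.UserAuthenticationRequired -eq 1)
    }
}

function Set-RdpSecuritySetting {
    param([string]$ComputerName = $env:COMPUTERNAME)
    $ts = Get-CimInstance -ComputerName $ComputerName -Namespace 'root/cimv2/TerminalServices' `
              -ClassName Win32_TSGeneralSetting -Filter "TerminalName='RDP-Tcp'"
    # Force TLS as the security layer, High encryption and NLA; each method returns 0 on success
    $results = @(
        Invoke-CimMethod -InputObject $ts -MethodName SetSecurityLayer -Arguments @{ SecurityLayer = [uint32]2 }
        Invoke-CimMethod -InputObject $ts -MethodName SetEncryptionLevel -Arguments @{ MinEncryptionLevel = [uint32]3 }
        Invoke-CimMethod -InputObject $ts -MethodName SetUserAuthenticationRequired -Arguments @{ UserAuthenticationRequired = [uint32]1 }
    )
    $failed = @($results | Where-Object { $_.ReturnValue -ne 0 })
    if ($failed.Count -eq 0) {
        Get-RdpSecuritySetting -ComputerName $ComputerName
    } else {
        Write-Warning "One or more RDP settings were not applied (return values: $($results.ReturnValue -join ','))"
    }
}

# Usage: audit first; enforce only where Compliant is False
Get-RdpSecuritySetting
```

When a GPO sets these values, the policy wins over the local setting, so an unexpected result from the audit usually means the GPO did not apply rather than that the local change is needed.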

28. Enable Windows Firewall on All S

There are high chances that attackers or malware can make a move through the inbound n
Windows computers and servers. Thus, to protect all your systems, it's best to configure W
purpose of enabling Windows Firewall is to limit any inbound or outbound network traffic f
ports.

Windows Firewall should be managed by Active Directory GPO and users should be blocke

Here are the Group Policy settings for enabling Windows Firewall with Advanced Security.

Windows Defender Firewall with Advanced Security GPO

Within your Group Policy Management Editor, here is the path to create your Windows firew
inbound / outbound traffic and specify which profiles to enable the firewall for. (Domain / P
profiles should be enabled.

Computer Configuration > Policies > Windows Settings > Security S

And also the following GPO setting to specify the type of traffic that will be allowed for your n

Computer Configuration > Policies > Administrative Templates > Ne
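A host-side check that the firewall profiles really are enabled with a default-deny inbound policy, plus the remediation, as an added PowerShell example that is not part of the original post. It uses the NetSecurity module built into Windows 8 / Server 2012 and later; the management subnet is hypothetical.

```powershell
# Added example, not part of the original post: verify all three profiles are on, block
# inbound by default and log dropped packets; remediate and scope RDP to an admin subnet.
# Run elevated. The subnet below is a hypothetical placeholder.
function Test-FirewallPosture {
    Get-NetFirewallProfile -Profile Domain, Private, Public | ForEach-Object {
        [pscustomobject]@{
            Profile              = $_.Name
            Enabled              = $_.Enabled
            DefaultInboundAction = $_.DefaultInboundAction
            LogBlocked           = $_.LogBlocked
            Compliant            = ($_.Enabled -eq 'True' -and $_.DefaultInboundAction -eq 'Block' -and $_.LogBlocked -eq 'True')
        }
    }
}

function Set-FirewallPosture {
    param([string]$ManagementSubnet = '10.0.10.0/24')   # hypothetical admin network
    Set-NetFirewallProfile -Profile Domain, Private, Public -Enabled True `
        -DefaultInboundAction Block -DefaultOutboundAction Allow `
        -LogBlocked True -LogFileName '%SystemRoot%\System32\LogFiles\Firewall\pfirewall.log' -LogMaxSizeKilobytes 16384
    # Allow RDP only from the management subnet, and only on the Domain profile
    if (-not (Get-NetFirewallRule -DisplayName 'RDP from management subnet' -ErrorAction SilentlyContinue)) {
        New-NetFirewallRule -DisplayName 'RDP from management subnet' -Direction Inbound -Protocol TCP `
            -LocalPort 3389 -RemoteAddress $ManagementSubnet -Profile Domain -Action Allow | Out-Null
    }
    Test-FirewallPosture
}

# Usage: audit, and remediate when any profile reports Compliant = False
if (Test-FirewallPosture | Where-Object { -not $_.Compliant }) { Set-FirewallPosture }
```

If the built-in "Remote Desktop" rule group is also enabled it still admits port 3389 from any address, so disable it (Disable-NetFirewallRule -DisplayGroup 'Remote Desktop') for the subnet scoping to have effect.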

29. Implement Application Whitelisti

Application Whitelisting with Windows Defender Application Con

Without the consent of an administrator, if a program is installed and left unpatched or pu
enter and exploit the system. It is important to make sure any unpatched application or pr
they are secure. Only approved programs are allowed to run under Application whitelisting
Application Control and AppLocker.
 
As a result, any unpatched program will be blocked by default using Application whitelistin
programs from running to protect your Windows environment. It is one of the best practice
from emerging threats. Save time and money with Application whitelisting.
 
Windows Defender Application Control has an inherent advantage over traditional antiviru
application control moves away from an application trust model where all applications are
where applications must earn trust in order to run.

Windows Defender Application Control Features

WDAC was introduced with Windows 10 and allows organizations to control which drivers
to run on their Windows clients. It was designed as a security feature under the servicing c
Microsoft Security Response Center (MSRC).

WDAC policies apply to the managed computer as a whole and affect all users of the dev
defined based on:

Attributes of the codesigning certificate(s) used to sign an app and its binaries
Attributes of the app’s binaries that come from the signed metadata for the files, such a
version, or the hash of the file
The reputation of the app as determined by Microsoft’s Intelligent Security Graph
The identity of the process that initiated the installation of the app and its binaries (man
The path from which the app or file is launched (beginning with Windows 10 version 190
The process that launched the app or binary

If you’re using SCCM you can deploy WDAC via Configuration Manager
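The policy lifecycle the section describes (build from signer attributes with hash fallback, audit first, then enforce), as an added PowerShell example that is not part of the original post. It uses the ConfigCI module (Windows 10 / Server 2016 and later) in an elevated session and the single-policy SIPolicy.p7b format; the file paths are hypothetical.

```powershell
# Added example, not part of the original post: create a WDAC policy from a reference
# machine, deploy it in audit mode, review what it would have blocked, then enforce.
# Paths are hypothetical placeholders; run elevated.
Import-Module ConfigCI

function New-WdacAuditPolicy {
    param([string]$XmlPath = 'C:\WDAC\Policy.xml', [string]$BinPath = 'C:\WDAC\SIPolicy.p7b')
    # Publisher-level rules trust binaries by signer; unsigned files fall back to per-file
    # hashes. -UserPEs includes user-mode executables, not only drivers.
    New-CIPolicy -FilePath $XmlPath -Level Publisher -Fallback Hash -ScanPath 'C:\Program Files' -UserPEs
    Set-RuleOption -FilePath $XmlPath -Option 3          # option 3 = Enabled:Audit Mode
    ConvertFrom-CIPolicy -XmlFilePath $XmlPath -BinaryFilePath $BinPath
    # Single-policy format: the binary in this folder becomes active after a reboot
    Copy-Item -Path $BinPath -Destination "$env:SystemRoot\System32\CodeIntegrity\SIPolicy.p7b"
}

function Get-WdacPolicyEvents {
    param([int]$Hours = 24)
    # 3076 = audit mode, would have been blocked; 3077 = blocked under enforcement
    Get-WinEvent -ErrorAction SilentlyContinue -FilterHashtable @{
        LogName = 'Microsoft-Windows-CodeIntegrity/Operational'; Id = 3076, 3077; StartTime = (Get-Date).AddHours(-$Hours) } |
      ForEach-Object {
        $data = ([xml]$_.ToXml()).Event.EventData.Data
        $mode = if ($_.Id -eq 3076) { 'audit' } else { 'enforced' }
        [pscustomobject]@{
            Time = $_.TimeCreated
            Mode = $mode
            File = ($data | Where-Object Name -eq 'FileNameBuffer').'#text'
        }
      }
}

function Set-WdacEnforced {
    param([string]$XmlPath = 'C:\WDAC\Policy.xml', [string]$BinPath = 'C:\WDAC\SIPolicy.p7b')
    Set-RuleOption -FilePath $XmlPath -Option 3 -Delete   # removing audit mode = enforce
    ConvertFrom-CIPolicy -XmlFilePath $XmlPath -BinaryFilePath $BinPath
    Copy-Item -Path $BinPath -Destination "$env:SystemRoot\System32\CodeIntegrity\SIPolicy.p7b"
}

# Usage: build and deploy in audit mode, run for a while, review, then enforce
New-WdacAuditPolicy
Get-WdacPolicyEvents -Hours 168 | Format-Table -AutoSize
# Set-WdacEnforced   # only once the audit events show nothing you still need
```

Keep the policy in audit mode until the 3076 events list nothing that is still required; an enforced policy that omits a needed binary blocks it on every user of the machine, since WDAC policies are machine-wide.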

30. Disable PowerShell for Users (no

PowerShell is great for task automation and con몭guration management but it can also be
through your network and infect your systems if not carefully managed.  PowerShell is a
critical security threats.  Ransomware is often spread through your network via PowerShe
 
I would recommend disabling PowerShell on all your computers, users don’t need PowerS
PowerShell for their day to day job, they can run PowerShell from a dedicated Jump box vs

Disable PowerShell with Group Policy (GPO)

First is to find out the default path of where PowerShell.exe is located; it's normally in:
C:\Windows\System32\WindowsPowerShell\v1.0

To check this on your computer, open PowerShell, then open Task Manager, go to the deta
powershell.exe, right click and select “open file location”.

Within your Group Policy Management Editor, browse to the following setting:

User Configuration ‐> Policies ‐> Windows Settings ‐> Security Se

Right click “Software Restriction Policies” select “New Software Restriction Policies”

Select “Additional Rules”, then right click and select “New Path Rule”

Next click browse and select the powershell.exe file from the path -> C:\Windows\System

Set the security level to “Disallowed”, then click OK.

Active Directory Security Best Practi
Checklist Conclusion
IT organizations are no longer immune from cyber attacks. Attacks against computing infra
been in the business for too long. Cybercrime record rates have increased with organizatio
size. Thus, there are high chances of being attacked and compromised in ways especially
one needs to stay more alert and implement Active Directory security. These AD and cloud
advancements will keep ransomware attacks and malware away from your server system

Let me know if there is anything else I’ve missed from our AD security checklist.  We have
techniques and solutions that will help IT experts protect an enterprise Active Directory do
prevent attacks, at least reduce your Active Directory attack surface possibilities.

Andrew Fitzgerald
Cloud Solution Architect. Helping customers transform their business to the cloud. 20 years e
and a Microsoft Certified Solutions Expert on everything Cloud
