Published: 13/09/17 by Sophie Fulton
Microsoft’s Active Directory for Windows domain networks is a powerful administrative and organisational tool, acting as an umbrella for a number of Windows services, including domain services, certificate services, rights management services, and more.
But, like every internet-connected technology, Active Directory is vulnerable to attack. Here are some ways in which you can, without great time or expense, improve your Active Directory security.
1) Prevent internet-access for Domain Controllers: The internet should not be browsed from a Domain Controller under any circumstances. Microsoft Windows Active Directory Domain Controllers can only be used with high-privilege accounts, and so browsing the internet on such an account and from one of the most powerful machines in the Windows infrastructure is a huge security risk for an organisation. Visiting a single malicious URL could result in the Domain Controller being compromised. Web browsers on Domain Controllers should be prohibited by policy and technical controls, and Domain Controllers should not be permitted to access the internet. If Domain Controllers need to replicate across sites, secure connections should be used rather than the internet.
2) Assign a random password upon account creation: By default, new accounts are assigned a standard “new user” password by Active Directory. This password expires the first time a new user logs in, and the user is forced to change it to their own password. However, a problem arises if the new user never logs in, for whatever reason, but the account is left active. Thus, potentially, active accounts exist with the standard “new user” password, which can be researched or cracked relatively easily be attackers. Assigning a random password solves this problem.
3) Force users to change passwords at regular intervals: This is actually little more than common sense – the more frequent a password is changed, the less likely any one password is to be compromised during the time that it is the active password.
4) Ensure that Domain Controllers run updated operating systems: Domain Controllers should run on the newest version of Windows Server that is available and supported by your organisation. Avoid upgrading Domain Controller operating system software: instead, domain controllers should be freshly-installed rather than upgraded from previous operating systems or server roles. Do not perform upgrades of Domain Controllers and do not run the Active Directory Domain Services Installation Wizard on servers on which the operating system is not freshly-installed. The danger with upgrading Domain Controller operating system software is that legacy files and settings may be inadvertently left on domain controllers in such a scenario, leaving potential security vulnerabilities open to exploitation.
5) Ensure physical security for Domain Controllers: If deployed as part of a datacentre, Domain Controllers should be installed in dedicated racks or cages separate from the general rank and file servers. BitLocker Drive Encryption should be used to protect all volumes in the Domain Controller server(s). While BitLocker Drive Encryption adds some performance overhead, it protects discs against compromise if they are physically removed from the server. In security, an adage is: “if you have physical access, you’ve already won”. But this adage can be challenged if BitLocker Drive Encryption is used.
The advice above is not an exhaustive list of everything you need to do to secure your Active Directory in general and Domain Controllers in particular, but if you follow it, you will be on the way to a hardened, more secure domain, environment and infrastructure.
10th Floor, 3 Hardman Street
1st Floor, 138a Main Street