Summary of Best Practices
Applies To: Windows Server 2008, Windows Server 2008 R2, Windows Server 2012 R2, Windows Server 2012
The following table contains a summary of the best practices for securing Active Directory as described in this document, with hyperlinks to the sections in which the recommendations are detailed. Practices and controls that are described as tactical in nature may be implemented more quickly and with less effort than those that are described as strategic or are applicable to discrete components in the larger infrastructure.
Some of the best practices described here are not specific to Active Directory, but are designed to help you implement solutions that can reduce the most commonly exploited vulnerabilities that are used to gain an initial foothold in an organization’s infrastructure, which may then be used to launch attacks directly against Active Directory.
Other recommendations are specific to Active Directory and may be implemented in existing AD DS installations, or implemented as fundamental principles in a new Active Directory installation, whether that installation is an enterprise deployment (housing corporate users, servers, workstations, and applications), or whether the installation is “purpose-built” (designed to house critical accounts and assets that should be separated from other AD DS forests and secured more stringently).
Another version of this table, which indicates whether each best practice is tactical or strategic in nature and whether its implementation provides preventative or detective controls, can be found in the Executive Summary section of this document. The following table lists each recommended best practice in general order of priority and links to more information about each.
| | Best Practice | More Information |
|---|---|---|
| 1 | Patch applications. | “Initial Breach Targets” in Avenues to Compromise |
| 2 | Patch operating systems. | “Initial Breach Targets” in Avenues to Compromise; Appendix A: Patch and Vulnerability Management Software; “Principles for Creating Secure Administrative Hosts” in Implementing Secure Administrative Hosts |
| 3 | Deploy and promptly update antivirus and antimalware software across all systems and monitor for attempts to remove or disable it. | |
| 4 | Monitor sensitive Active Directory objects for modification attempts and Windows for events that may indicate attempted compromise. | Monitoring Active Directory for Signs of Compromise; “Active Directory Objects and Attributes to Monitor” in Audit Policy Recommendations |
| 5 | Protect and monitor accounts for users who have access to sensitive data. | “VIP Accounts” in Attractive Accounts for Credential Theft; “Implementing Robust Authentication Controls” in Implementing Least-Privilege Administrative Models; “Identifying Principles for Segregating and Securing Critical Assets” in Planning for Compromise; “Simplify Security for End Users” in Planning for Compromise; “Active Directory Objects and Attributes to Monitor” in Monitoring Active Directory for Signs of Compromise |
| 6 | Prevent powerful accounts from being used on unauthorized systems. | Implementing Least-Privilege Administrative Models |
| 7 | Eliminate permanent membership in highly privileged groups. | Appendix B: Privileged Accounts and Groups in Active Directory; Appendix C: Protected Accounts and Groups in Active Directory; Appendix D: Securing Built-In Administrator Accounts in Active Directory; Appendix E: Securing Enterprise Admins Groups in Active Directory; Appendix F: Securing Domain Admins Groups in Active Directory; Appendix G: Securing Administrators Groups in Active Directory; Appendix H: Securing Local Administrator Accounts and Groups |
| 8 | Implement controls to grant temporary membership in privileged groups when needed. | Appendix I: Creating Management Accounts for Protected Accounts and Groups in Active Directory |
| 9 | Implement secure administrative hosts. | |
| 10 | Use application whitelisting on domain controllers, administrative hosts, and other sensitive systems. | |
| 11 | Identify critical assets, and prioritize their security and monitoring. | |
| 12 | Implement least-privilege, role-based access controls to administer the directory, its supporting infrastructure, and domain-joined systems. | “Role-Based Access Controls (RBAC) for Active Directory” in Implementing Least-Privilege Administrative Models |
| 13 | Isolate legacy systems and applications. | “Isolating Legacy Systems and Applications” in Planning for Compromise |
| 14 | Decommission legacy systems and applications. | “Implementing Creative Destruction” in Planning for Compromise |
| 15 | Implement secure development lifecycle programs for custom applications. | “Lack of Secure Application Development Practices” in Avenues to Compromise |
| 16 | Implement configuration management, review compliance regularly, and evaluate settings with each new hardware or software version. | “Maintaining a More Secure Environment” in Planning for Compromise |
| 17 | Migrate critical assets to pristine forests with stringent security and monitoring requirements. | |
| 18 | Simplify security for end users. | “Simplify Security for End Users” in Planning for Compromise |
| 19 | Use host-based firewalls to control and secure communications. | “Principles for Creating Secure Administrative Hosts” in Implementing Secure Administrative Hosts; “Secure Configuration of Domain Controllers” in Securing Domain Controllers Against Attack |
| 20 | Patch devices. | Contact your device vendors |
| 21 | Implement business-centric lifecycle management for IT assets. | “Creating Business-Centric Security Practices for Active Directory” in Planning for Compromise |
| 22 | Create or update incident recovery plans. | |
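As an added example that is not part of this document, the following PowerShell script supports best practices 4 and 7 by enumerating the current (including nested) membership of the Enterprise Admins, Domain Admins, and Administrators groups so that permanent members can be reviewed and successive snapshots can be compared. It assumes the RSAT ActiveDirectory module is installed, the default English group names are in use, and the account running it can read group membership (the output file name is arbitrary).

```powershell
# Added example: report who currently holds membership in the highly privileged
# groups named in best practice 7, so permanent members can be reviewed and removed.
# Assumes the RSAT ActiveDirectory module and an account that can read group membership.
Import-Module ActiveDirectory

$privilegedGroups = @('Enterprise Admins', 'Domain Admins', 'Administrators')

$report = foreach ($groupName in $privilegedGroups) {
    try {
        # -Recursive expands nested groups so indirectly privileged accounts are not missed.
        # Enterprise Admins exists only in the forest root domain, so this may fail elsewhere.
        $members = Get-ADGroupMember -Identity $groupName -Recursive -ErrorAction Stop
    } catch {
        Write-Warning "Could not read '$groupName': $($_.Exception.Message)"
        continue
    }
    foreach ($member in $members) {
        $lastLogon = $null
        if ($member.objectClass -eq 'user') {
            # LastLogonDate helps spot standing members that never actually use the privilege.
            $lastLogon = (Get-ADUser -Identity $member.distinguishedName `
                -Properties LastLogonDate).LastLogonDate
        }
        [pscustomobject]@{
            Group       = $groupName
            Member      = $member.SamAccountName
            ObjectClass = $member.objectClass
            LastLogon   = $lastLogon
        }
    }
}

# Show the report and keep a dated CSV snapshot; diffing snapshots taken on a schedule
# (e.g. with Compare-Object) is a simple detective control for unexpected additions.
$report | Sort-Object Group, Member | Format-Table -AutoSize
$snapshot = "PrivilegedGroupMembers-$(Get-Date -Format yyyyMMdd).csv"   # file name is arbitrary
$report | Export-Csv -Path $snapshot -NoTypeInformation
```

Any account that appears here but is not actively needed is a candidate for removal under best practice 7, with temporary membership granted through the management accounts described in Appendix I when the privilege is required.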