Best practice security Domain controller

matteu31 467 Reputation points
2021-04-08T15:17:28.907+00:00

Hello,

I would like to know if you have some link / resource / idea about the best practices to protect domain controllers and servers.

I mean: AppLocker, BitLocker, ...
What settings need to be applied today to be protected from the main security issues (except Microsoft updates)?

Is BitLocker necessary on virtual machines or only on physical client PCs / servers?

I don't know anything about security and I don't know where to start to learn.... I'm not interested in Azure features at first because I don't have a lot of customers with Azure in their environment.

Thank you for your help.


Accepted answer
  1. Daisy Zhou 18,706 Reputation points Microsoft Vendor
    2021-04-09T02:20:07.263+00:00

    Hello @matteu31 ,

    Thank you for posting here.

Q: Is BitLocker necessary on virtual machines or only on physical client PCs / servers?
A: It depends on your security requirements; we usually enable BitLocker on portable physical devices, such as laptops.

Q: I would like to know if you have some link / resource / idea about the best practices to protect domain controllers and servers.
A: We can see the suggestions below from the following link.

[Image: 85983-s1.png]

[Image: 86022-s2.png]

    Reference:
    Best Practices for Securing Active Directory
    https://learn.microsoft.com/en-us/windows-server/identity/ad-ds/plan/security-best-practices/best-practices-for-securing-active-directory

    Hope the information above is helpful.

    Should you have any question or concern, please feel free to let us know.

    Best Regards,
    Daisy Zhou

    1 person found this answer helpful.

6 additional answers

  1. Daisy Zhou 18,706 Reputation points Microsoft Vendor
    2021-04-12T06:38:51.01+00:00

    Hello @matteu31 ,

    Thank you for your update.

-To monitor events in Event Viewer, I suppose it's better to have a SIEM solution because Microsoft doesn't have anything except PowerShell, right?
A: Microsoft has the SCOM product; there is a monitoring tool in it.
Is the SIEM solution a Microsoft tool or a non-Microsoft tool?

-Eliminate permanent membership in highly privileged groups: what does it exactly mean? If I need someone to be a domain admin, I don't add him to the Domain Admins group permanently but only when it's needed, and then I remove him from the group? I need to have a management account to do this task if I understand correctly what I read.
A: I think you are right.

-Application allowlist on domain controllers = AppLocker with a whitelist on the domain controller?
A: I think it means the apps or software that can be installed and run on the DC.

    Best Regards,
    Daisy Zhou

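The "eliminate permanent membership" and "monitor events" points in the answer above can be made concrete with a script. The following is an added example written for this page, not code from the thread or from Microsoft's documentation. It assumes the RSAT ActiveDirectory module on a domain-joined admin workstation, a forest at Windows Server 2016 functional level with the Privileged Access Management optional feature already enabled, "Audit Security Group Management" turned on for the domain controllers, and a hypothetical account `j.doe`; the group names are the built-in ones.

```powershell
# Added example (not from the Q&A thread): report permanent members of the
# built-in privileged groups, grant Domain Admins for a bounded time instead of
# permanently, and read the Security-log events that record membership changes.
Import-Module ActiveDirectory

$privilegedGroups = 'Domain Admins', 'Enterprise Admins', 'Schema Admins',
                    'Administrators', 'Account Operators'

# 1. Who holds membership right now, with nested groups expanded. Anyone listed
#    here without a TTL is a permanent member and should be justified.
function Get-PrivilegedMembershipReport {
    foreach ($group in $privilegedGroups) {
        Get-ADGroupMember -Identity $group -Recursive |
            Where-Object objectClass -eq 'user' |
            ForEach-Object {
                [pscustomobject]@{
                    Group   = $group
                    Member  = $_.SamAccountName
                    Enabled = (Get-ADUser -Identity $_.DistinguishedName).Enabled
                }
            }
    }
}
Get-PrivilegedMembershipReport | Format-Table -AutoSize

# 2. Time-bound membership needs the PAM optional feature (forest-wide, one-way).
$pam = Get-ADOptionalFeature -Filter "Name -eq 'Privileged Access Management Feature'"
if (-not $pam.EnabledScopes) {
    throw "Enable PAM first: Enable-ADOptionalFeature -Identity 'Privileged Access Management Feature' -Scope ForestOrConfigurationSet -Target (Get-ADForest).Name"
}

# 3. Grant Domain Admins for two hours only (j.doe is a hypothetical account).
#    AD drops the membership link itself when the TTL expires.
Add-ADGroupMember -Identity 'Domain Admins' -Members 'j.doe' -MemberTimeToLive (New-TimeSpan -Hours 2)

# Temporary members show up as <TTL=seconds,DN>; permanent members have no TTL prefix.
(Get-ADGroup -Identity 'Domain Admins' -Properties member -ShowMemberTimeToLive).member |
    Where-Object { $_ -like '<TTL=*' }

# 4. Membership changes logged on the DC in the last 24 hours:
#    4728 = global group, 4732 = domain local group, 4756 = universal group.
#    Property indexes follow the shared event template: 0 MemberName,
#    2 TargetUserName (the group), 6 SubjectUserName (who made the change).
$dc = [string](Get-ADDomainController -Discover).HostName
Get-WinEvent -ComputerName $dc -FilterHashtable @{
    LogName = 'Security'; Id = 4728, 4732, 4756; StartTime = (Get-Date).AddDays(-1)
} | ForEach-Object {
    [pscustomobject]@{
        Time    = $_.TimeCreated
        EventId = $_.Id
        Actor   = $_.Properties[6].Value
        Member  = $_.Properties[0].Value
        Group   = $_.Properties[2].Value
    }
} | Format-Table -AutoSize
```

Step 4 is the piece a SIEM would normally consume; running it from PowerShell shows what the raw Security log already contains, so the alerting rule (any 4728/4732/4756 whose group is in the privileged list and whose actor is not the management account) can be written before any collector is chosen.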
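For the "application allowlist on domain controllers" question, the answer above says it is about which software may run on the DC. The following added example (written for this page, not code from the thread) shows the usual first step: build an AppLocker allowlist from what is already installed, apply it in AuditOnly mode so nothing is blocked yet, then read the audit events that show what enforcement would have stopped. It assumes it runs elevated on the DC itself, and the output path and the test-binary path are hypothetical.

```powershell
# Added example (not from the Q&A thread): AppLocker allowlist for a domain
# controller, generated from the installed baseline and applied in audit mode.
Import-Module AppLocker

$policyPath = 'C:\Temp\dc-applocker-audit.xml'   # hypothetical output path

# 1. Inventory executables and scripts in the OS and program directories
#    (skip directories that do not exist on this host).
$dirs  = 'C:\Windows', 'C:\Program Files', 'C:\Program Files (x86)' | Where-Object { Test-Path $_ }
$files = foreach ($dir in $dirs) {
    Get-AppLockerFileInformation -Directory $dir -Recurse -FileType Exe, Script
}

# 2. Publisher rules where the file is signed, hash rules otherwise, all allowing
#    Everyone; -Optimize merges rules that cover the same publisher.
$policy = New-AppLockerPolicy -FileInformation $files -RuleType Publisher, Hash `
              -User Everyone -RuleNamePrefix DCBaseline -Optimize -Xml

# 3. New-AppLockerPolicy emits EnforcementMode="NotConfigured"; set every rule
#    collection to AuditOnly before applying, so the DC keeps running as before.
[xml]$xml = $policy
foreach ($collection in $xml.AppLockerPolicy.RuleCollection) {
    $collection.EnforcementMode = 'AuditOnly'
}
$xml.Save($policyPath)

# 4. Apply as local policy. AppLocker evaluates nothing unless the Application
#    Identity service is running (sc.exe is used because the service is protected).
Set-AppLockerPolicy -XmlPolicy $policyPath
sc.exe config appidsvc start= auto | Out-Null
Start-Service -Name AppIDSvc

# 5. Dry-run the policy against a known-good binary and a hypothetical stray one.
Test-AppLockerPolicy -XmlPolicy $policyPath -User Everyone `
    -Path 'C:\Windows\System32\cmd.exe', 'C:\Users\Public\tool.exe'

# 6. After a soak period, event 8003 lists files that ran but would have been
#    blocked under enforcement; review these before switching to Enabled.
Get-WinEvent -FilterHashtable @{ LogName = 'Microsoft-Windows-AppLocker/EXE and DLL'; Id = 8003 } -MaxEvents 50 |
    Select-Object TimeCreated, Message
```

In a domain this policy would normally be linked through a GPO scoped to the Domain Controllers OU rather than set locally; the audit-then-enforce sequence is the same either way.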

  2. matteu31 467 Reputation points
    2021-04-09T06:43:07.827+00:00

    Hello,

WOW, it's EXCELLENT!
Thank you very much for these pictures.
I found it on the Microsoft website too via your link. It's excellent and there are a lot of ideas to implement....

Some more information I would like to ask:

-To monitor events in Event Viewer, I suppose it's better to have a SIEM solution because Microsoft doesn't have anything except PowerShell, right?
-Eliminate permanent membership in highly privileged groups: what does it exactly mean? If I need someone to be a domain admin, I don't add him to the Domain Admins group permanently but only when it's needed, and then I remove him from the group? I need to have a management account to do this task if I understand correctly what I read.
-Application allowlist on domain controllers = AppLocker with a whitelist on the domain controller?

    Thanks for your answer.


  3. matteu31 467 Reputation points
    2021-04-08T21:14:00.353+00:00

Unfortunately I don't have unlimited money to open all the cases I would like with product support.

I'm asking here if some people can give me some information / links to read and improve myself.

    Thanks for your help.


  4. Dave Patrick 426.1K Reputation points MVP
    2021-04-08T15:46:23.713+00:00

Well, yes, greater security does mean some level of hardening. I'd suggest starting a case here with product support.
    https://support.serviceshub.microsoft.com/supportforbusiness

    --please don't forget to Accept as answer if the reply is helpful--
