How can I protect my Active Directory in a join domain construction?

Hans 0 Reputation points
2023-02-14T16:00:27.37+00:00

Currently, I have several servers which are domain-joined. This also contains the Active Directory, which has only one forest. What are the possibilities to protect the Active Directory?

When dissolving the domain join, there is a huge administration effort because I want personalized users. I have read that a bastion environment could be a possibility of protection, but it should not be in the cloud. It should be a solution for my DMZ. Does anyone have any experience or suggestions? 

Thanks for your answers.  


4 answers

  1. Anonymous
    2023-02-14T16:07:59.9766667+00:00

    Something here could help.

    https://learn.microsoft.com/en-us/windows-server/identity/ad-ds/plan/security-best-practices/best-practices-for-securing-active-directory

    --please don't forget to upvote and Accept as answer if the reply is helpful--


  2. Thameur-BOURBITA 36,261 Reputation points Moderator
    2023-02-15T09:15:20.0533333+00:00

    Hi @Hans

    To protect your Active Directory environment, you should start by implementing a 3-tier model: Active Directory Red Forest Design, aka Enhanced Security Administrative Environment (ESAE)

    Some ideas to harden your Active Directory environment:

    • Reduce the number of accounts with high privileges
    • Disable the weak and insecure authentication protocol NTLMv1
    • Disable weak and insecure encryption types for Kerberos authentication, like RC4
    • Harden privileged accounts by checking the option "cannot be delegated", deleting SPNs, and applying a password policy
    • Use a third-party product to detect vulnerabilities in your Active Directory environment, like https://www.pingcastle.com/

    Please don't forget to mark helpful answer as accepted

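The account-level items in the list above (delegation, SPNs, Kerberos encryption types) can be checked with a short audit. The PowerShell below is an added example, not code from the answer's author: the function name and the sample accounts are made up for illustration, and the property names are the ones `Get-ADUser` from the ActiveDirectory module returns.

```powershell
# Added example. Input objects mirror what the ActiveDirectory module returns from:
#   Get-ADGroupMember 'Domain Admins' -Recursive | Where-Object objectClass -eq 'user' |
#     Get-ADUser -Properties AccountNotDelegated, ServicePrincipalName, 'msDS-SupportedEncryptionTypes'
function Test-PrivilegedAccountHardening {   # hypothetical helper name
    [CmdletBinding()]
    param(
        [Parameter(Mandatory, ValueFromPipeline)]
        [psobject]$Account
    )
    begin {
        # Bit flags of the msDS-SupportedEncryptionTypes attribute
        $DesBits = 0x03   # DES-CBC-CRC (0x1) and DES-CBC-MD5 (0x2)
        $Rc4Bit  = 0x04   # RC4-HMAC
    }
    process {
        $findings = @()
        # "Account is sensitive and cannot be delegated" should be set
        if (-not $Account.AccountNotDelegated) { $findings += 'can be delegated' }
        # Privileged user accounts should not carry SPNs
        $spns = @($Account.ServicePrincipalName | Where-Object { $_ })
        if ($spns.Count -gt 0) { $findings += "has SPN: $($spns -join ', ')" }
        # An unset attribute reads as $null, which casts to 0
        $enc = [int]$Account.'msDS-SupportedEncryptionTypes'
        if ($enc -eq 0) {
            $findings += 'encryption types not set, KDC default applies'
        } else {
            if ($enc -band $Rc4Bit)  { $findings += 'RC4 enabled' }
            if ($enc -band $DesBits) { $findings += 'DES enabled' }
        }
        if ($findings.Count -gt 0) {
            [pscustomobject]@{
                SamAccountName = $Account.SamAccountName
                Findings       = $findings -join '; '
            }
        }
    }
}

# Constructed sample accounts (not real data) so the check runs without a domain
$sample = @(
    [pscustomobject]@{ SamAccountName = 'adm-alice'; AccountNotDelegated = $true
        ServicePrincipalName = @(); 'msDS-SupportedEncryptionTypes' = 0x18 }   # AES only
    [pscustomobject]@{ SamAccountName = 'adm-bob'; AccountNotDelegated = $false
        ServicePrincipalName = @('MSSQLSvc/db01.example.test:1433'); 'msDS-SupportedEncryptionTypes' = 0x1C }
    [pscustomobject]@{ SamAccountName = 'adm-carol'; AccountNotDelegated = $true
        ServicePrincipalName = @(); 'msDS-SupportedEncryptionTypes' = $null }
)
$sample | Test-PrivilegedAccountHardening | Format-Table -AutoSize -Wrap
```

Accounts that pass every check (here `adm-alice`) produce no output row.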

  3. Limitless Technology 44,766 Reputation points
    2023-02-16T11:13:43.47+00:00

    Hi. Thank you for your question and for reaching out. I’d be more than happy to help you with your query.

    To protect your Active Directory in a join domain construction, you should ensure that all of your systems are up to date with the latest security patches, use strong passwords for all user accounts, use a two-step authentication process for all administrative accounts, enable audit logging on all domain controllers, configure Network Access Protection (NAP) to prevent non-compliant devices from connecting to the domain, and use an antivirus or antimalware solution to protect against malicious software. Additionally, you should use access control lists (ACLs) to limit user access to resources, restrict logon rights for users, and ensure that all domain controllers are located in secure physical locations.

    If the reply was helpful, please don’t forget to upvote or accept as answer, thank you.


  4. janed 0 Reputation points
    2023-06-10T11:32:56.8233333+00:00

    To protect Active Directory without dissolving the domain join, consider the following budgeting enterprise suggestions:

    1. Implement a budgeting enterprise bastion environment in your DMZ for added security.
    2. Seek expert advice on configuring a personalized user setup to minimize administration effort within your budgeting enterprise framework.
    3. Evaluate budgeting enterprise on-premises solutions that provide robust security features and align with your budgetary requirements.
    4. Research and compare different budgeting enterprise vendors and their offerings to find the most suitable solution for your needs.
    5. Consider the long-term costs associated with maintenance, updates, and support when budgeting for the enterprise solution in your budgeting enterprise plan.