Best practice security Domain controller

matteu31 467 Reputation points
2021-04-08T15:17:28.907+00:00

Hello,

I would like to know if you have some link / ressource / idea about the best practice to protect domain controller and server.

I mean : Applocker, bitlocker, ...
What settings need to be applied today to be protect from main security issue (except microsoft updates).

Does bitlocker is necessary on virtual machine or only on physical client PC / servers ?

I don't know anything about security and I don't know where to start to learn.... I'm not interested about Azure feature in the first time because I don't have lot of customer with Azure in their environment.

Thank you for your help.

Active Directory
Active Directory
A set of directory-based technologies included in Windows Server.
5,819 questions
Windows Server Security
Windows Server Security
Windows Server: A family of Microsoft server operating systems that support enterprise-level management, data storage, applications, and communications.Security: The precautions taken to guard against crime, attack, sabotage, espionage, or another threat.
1,717 questions
Accepted answer
  1. Daisy Zhou 18,701 Reputation points Microsoft Vendor
    2021-04-09T02:20:07.263+00:00

    Hello @matteu31 ,

    Thank you for posting here.

    Q:Does bitlocker is necessary on virtual machine or only on physical client PC / servers ?
    A:It depends on your security requirement, we usually enable bitlocker on portable physical device, such as laptop.

    Q:I would like to know if you have some link / ressource / idea about the best practice to protect domain controller and server.
    A: We can see suggestions below from the following link.

    85983-s1.png

    86022-s2.png

    Reference:
    Best Practices for Securing Active Directory
    https://learn.microsoft.com/en-us/windows-server/identity/ad-ds/plan/security-best-practices/best-practices-for-securing-active-directory

    Hope the information above is helpful.

    Should you have any question or concern, please feel free to let us know.

    Best Regards,
    Daisy Zhou

    1 person found this answer helpful.
    0 comments

6 additional answers

Sort by: Most helpful
Most helpful Newest Oldest
  1. Dave Patrick 426K Reputation points MVP
    2021-04-08T15:23:15.507+00:00

    You can follow along here.
    https://learn.microsoft.com/en-us/windows-server/identity/ad-ds/plan/security-best-practices/securing-domain-controllers-against-attack

    --please don't forget to Accept as answer if the reply is helpful--

    0 comments
  2. matteu31 467 Reputation points
    2021-04-08T15:37:32.517+00:00

    Thanks for this link.

    Then, there is no detail like here :
    "you can often take advantage of new functionality and security that may not be available in domains or forests with domain controllers running legacy operating system."
    => What is it talking about ? What are new security functionality in 2016 ? 2019 ?

    Use tool to secure Domain controllers -> What do you use most of the time ?
    I don't want hardening. I just want main security protection about common issue.

    RDP restriction => OK ! good idea.
    Patching -> OK
    Block internet + outbound connection -> OK

    Do you have some more idea to give me with your experience maybe ?

    0 comments
  3. Dave Patrick 426K Reputation points MVP
    2021-04-08T15:46:23.713+00:00

    Well yes greater security does mean some level of hardening. I'd suggest starting a case here with product support.
    https://support.serviceshub.microsoft.com/supportforbusiness

    --please don't forget to Accept as answer if the reply is helpful--

    0 comments
  4. matteu31 467 Reputation points
    2021-04-08T21:14:00.353+00:00

    Unfortunately I don't have ullimited money to open all the case I would like with product support.

    I'm asking here if some people can give me some informations / link to read and improve myself.

    Thanks for your help.

    0 comments