matteu31400 asked DaisyZhou-MSFT commented

Best practice security Domain controller

Hello,

I would like to know if you have some links / resources / ideas about the best practices to protect domain controllers and servers.

I mean: AppLocker, BitLocker, ...
What settings need to be applied today to be protected from the main security issues (except Microsoft updates)?

Is BitLocker necessary on virtual machines, or only on physical client PCs / servers?

I don't know anything about security and I don't know where to start learning.... I'm not interested in Azure features at first because I don't have a lot of customers with Azure in their environment.

Thank you for your help.

Tags: windows-active-directory, windows-server-security

Hello @matteu31400,
How are things going on your end? Please keep me posted on this issue.
If you have any further questions or concerns about this question, please let us know.
I appreciate your time and efforts.

Best Regards,
Daisy Zhou

DaisyZhou-MSFT answered DaisyZhou-MSFT edited

Hello @matteu31400,

Thank you for posting here.

Q: Is BitLocker necessary on virtual machines, or only on physical client PCs / servers?
A: It depends on your security requirements; we usually enable BitLocker on portable physical devices, such as laptops.

Q: I would like to know if you have some links / resources / ideas about the best practices to protect domain controllers and servers.
A: We can see the suggestions below from the following link.

[Image: s1.png]

[Image: s2.png]

Reference:
Best Practices for Securing Active Directory
https://docs.microsoft.com/en-us/windows-server/identity/ad-ds/plan/security-best-practices/best-practices-for-securing-active-directory

Hope the information above is helpful.

Should you have any question or concern, please feel free to let us know.
Best Regards,
Daisy Zhou
DSPatrick answered

You can follow along here.
https://docs.microsoft.com/en-us/windows-server/identity/ad-ds/plan/security-best-practices/securing-domain-controllers-against-attack

--please don't forget to Accept as answer if the reply is helpful--
matteu31400 answered

Thanks for this link.

Then, there is no detail, like here:
"you can often take advantage of new functionality and security that may not be available in domains or forests with domain controllers running legacy operating system."
=> What is it talking about? What are the new security functionalities in 2016? 2019?

Use tools to secure Domain Controllers -> What do you use most of the time?
I don't want hardening. I just want the main security protections against common issues.

RDP restriction => OK! Good idea.
Patching -> OK
Block internet + outbound connections -> OK

Do you have some more ideas to give me from your experience, maybe?
DSPatrick answered

Well yes greater security does mean some level of hardening. I'd suggest starting a case here with product support.
https://support.serviceshub.microsoft.com/supportforbusiness
--please don't forget to Accept as answer if the reply is helpful--
matteu31400 answered

Unfortunately, I don't have unlimited money to open all the cases I would like with product support.

I'm asking here if some people can give me some information / links to read and improve myself.

Thanks for your help.
matteu31400 answered

Hello,

WOW, it's EXCELLENT!
Thank you very much for these pictures.
I found them on the Microsoft website too with your link. It's excellent and there are a lot of ideas to implement....

Some more information I would like to ask:

- To monitor events in Event Viewer, I suppose it's better to have a SIEM solution because Microsoft doesn't have anything except PowerShell, right?
- Eliminate permanent membership in highly privileged groups: What does it mean exactly? If I need someone to be a domain admin, I don't add him to the Domain Admins group permanently but only when it's needed, and then I remove him from the group? I need to have a management account to do this task, if I understand correctly what I read.
- Application allowlist on domain controllers = AppLocker with a whitelist on the domain controller?

Thanks for your answer.
DaisyZhou-MSFT answered

Hello @matteu31400,

Thank you for your update.

- To monitor events in Event Viewer, I suppose it's better to have a SIEM solution because Microsoft doesn't have anything except PowerShell, right?
A: Microsoft has the SCOM product; there is a monitoring tool in it.
Is the SIEM solution a Microsoft tool or a non-Microsoft tool?

- Eliminate permanent membership in highly privileged groups: What does it mean exactly? If I need someone to be a domain admin, I don't add him to the Domain Admins group permanently but only when it's needed, and then I remove him from the group? I need to have a management account to do this task, if I understand correctly what I read.
A: I think you are right.

- Application allowlist on domain controllers = AppLocker with a whitelist on the domain controller?
A: I think it means the apps or software that can be installed and run on the DC.

Best Regards,
Daisy Zhou
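The "eliminate permanent membership in highly privileged groups" point above, and the question about what new security functionality Windows Server 2016 brings, can be shown concretely with the Privileged Access Management optional feature, which lets you grant group membership with a time-to-live that Active Directory removes on its own. This is an added example, not code from the thread or from Microsoft's documentation; the forest name, the admin account and the four-hour window are assumptions, and it expects the RSAT ActiveDirectory module, Enterprise Admin rights for the one-time feature enablement, and a forest functional level of Windows Server 2016 or later.

```powershell
# Added example: time-bound (expiring) membership in Domain Admins using the
# Privileged Access Management (PAM) optional feature (forest level 2016+).
Import-Module ActiveDirectory

$Forest = 'corp.example'          # assumed forest name
$Admin  = 'jdoe-adm'              # assumed dedicated admin account, not a daily-use account
$Window = New-TimeSpan -Hours 4   # assumed duration of the elevation

# 1. One-time, irreversible forest change: enable the PAM optional feature if needed.
$pam = Get-ADOptionalFeature -Identity 'Privileged Access Management Feature'
if (-not $pam.EnabledScopes) {
    Enable-ADOptionalFeature -Identity $pam -Scope ForestOrConfigurationSet `
        -Target $Forest -Confirm:$false
}

# 2. Grant membership with a TTL instead of permanent membership. AD drops the link
#    when the TTL expires, and Kerberos ticket lifetime is capped to the remaining TTL,
#    so there is no leftover account in Domain Admins to forget about.
Add-ADGroupMember -Identity 'Domain Admins' -Members $Admin -MemberTimeToLive $Window

# 3. Verify: TTL-bound links show as "<TTL=seconds>,DN"; permanent members are bare DNs.
(Get-ADGroup -Identity 'Domain Admins' -Properties member -ShowMemberTimeToLive).member

# 4. Audit check: report permanent (non-expiring) members of the highly privileged
#    groups, which is the number the best-practice guidance asks you to drive to zero.
function Get-PermanentPrivilegedMembers {
    param(
        [string[]]$Groups = @('Domain Admins', 'Enterprise Admins',
                              'Schema Admins', 'Administrators')
    )
    foreach ($g in $Groups) {
        $members = (Get-ADGroup -Identity $g -Properties member -ShowMemberTimeToLive).member
        foreach ($m in $members) {
            if ($m -notmatch '^<TTL=\d+>,') {
                [pscustomobject]@{ Group = $g; PermanentMember = $m }
            }
        }
    }
}
Get-PermanentPrivilegedMembers | Format-Table -AutoSize
```

Running step 4 on a schedule, or feeding its output to whatever event collection you settle on, gives you a simple check that the group stays empty of standing members between elevations.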