Active Directory Infrastructure Security

Security is always a HOT topic.

Recently we had lots of global attacks. Daily we have to deal with those as an IT Professional. There are lots of components involved with security and all are maintained by not a single person but here our concern is Active Directory Infrastructure security. We have created a list of Active Directory Infrastructure security.

 

WorkStation

1) Windows 10 – PAW
2) Limit WorkStations to WorkStations communication
3) Restrict permissions on critical GPOs

Domain Controller

1)At least Windows 2012 R2 FFL & DFL
2) Active Directory Three Tier design.
3) Implement Secure LDAP (Required internal PKI infrastructure)
4) Implement  DAC **
5) Implement Authentication Policy & Authentication Policy SILO.**
6) Implement ** Applocker.**
7) Implement ** Fine Grained Password Policy.**
8) Remote Desktop Gateway for isolate Terminal server login along with MFA
9) Privileged Group membership monitoring.
10) Critical Events monitoring.
11) Domain Controllers \ Critical servers services monitoring
12) Software Restriction Policy
13) PowerShell Logging
14) Implement gMSA & remove normal service account (If supported by application)
15) Implement Microsoft ATA
16) Restrict permissions on critical GPOs
17) Limit Server to Server communication using Windows Firewall
18) Use HTTPS WINRM for remoting
19) Use Certificate everywhere (Not Self Signed certificate)
20) Disable SMB1** **
21) Implement IPSEC on ADDS Environment
22) Implement Smart Card (PKINIT)