Securing Active Directory
Applies To: Windows Server 2003, Windows Server 2003 R2, Windows Server 2003 with SP1, Windows Server 2003 with SP2
Active Directory provides a secure directory environment for your organization using built-in logon authentication and user authorization. To further secure Active Directory once it has been deployed, consider the following precautions and recommendations.
For general security information about Active Directory, see Security information for Active Directory.
For more information about authentication, see "Logon and Authentication" at the Microsoft Windows Resource Kits Web Site. For more information about authorization, see "Authorization and Access Control" at the Microsoft Windows Resource Kits Web Site.
Important
- Physical access to a domain controller can provide a malicious user unauthorized access to encrypted passwords. Therefore, it is recommended that all domain controllers be locked in a secured room with limited public access. In addition, you should limit membership in the Enterprise Admins, Domain Admins, Account Operators, Server Operators, Print Operators, and Backup Operators groups to trusted personnel in your organization. For more information about domain controllers and groups, see Domain controllers and Default groups.
| To | Use |
|---|---|
| Manage the security relationship between two forests and simplify security administration and authentication across forests. | Forest trusts. See Forest trusts. |
| Force domain users to use strong passwords. | Group Policy. See Strong passwords. |
| Enable audit policy. Auditing event logs can notify you of actions that could pose a security risk. | Group Policy. See Auditing Policy. |
| Assign user rights to new security groups so you can specifically define a user's administrative role in the domain. | Group Policy. See Group types. |
| Enforce account lockouts on user accounts to reduce the likelihood of an attacker compromising your domain through repeated logon attempts. | Group Policy |
| Enforce password history on user accounts to reduce the likelihood of an attacker compromising your domain. | Group Policy |
| Enforce minimum and maximum password ages on user accounts to reduce the likelihood of an attacker compromising your domain. | Group Policy |
| Verify and authenticate the validity of each user through the use of public key cryptography. | Public key infrastructure |
| Promote a secure operating environment by running your computer without administrative credentials except when required. | Run as. See Using Run as. |
| Restrict user, group, and computer access to shared resources and filter Group Policy settings. | Security groups. See Group types. |
| Prevent attacks from malicious users who might try to grant elevated user rights to another user account. | SID filtering. See "Using Security Identifier (SID) Filtering to Prevent Elevation of Privilege Attacks" at the Microsoft Web Site. |
| Provide tamper-resistant user authentication and e-mail security. | Smart cards. See Smart cards overview. |
| Use strong encryption techniques to secure account password information on local computers, member servers, or domain controllers. | Syskey |
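To show how the three account lockout settings applied through Group Policy (the lockout threshold, the window after which the bad-password counter is reset, and the lockout duration) interact, here is an added Python model that is not part of the original documentation or of Windows itself: it replays a constructed stream of logon attempts against two candidate policies and reports when each account would be locked, including the case where failures spaced wider than the reset window never accumulate. The account names, timestamps and the 30- and 60-minute windows are assumptions made for the example.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Optional

@dataclass
class LockoutPolicy:
    threshold: int                # "Account lockout threshold"; 0 means never lock
    reset_after: timedelta        # "Reset account lockout counter after"
    lockout_duration: timedelta   # "Account lockout duration"; 0 means until an admin unlocks

@dataclass
class AccountState:
    bad_count: int = 0
    last_bad: Optional[datetime] = None
    locked_until: Optional[datetime] = None   # datetime.max = locked until an admin unlocks

def record_attempt(policy: LockoutPolicy, state: AccountState, now: datetime, success: bool) -> bool:
    """Apply one logon attempt at time `now`; return True if the account is locked afterwards."""
    if state.locked_until is not None:
        if now < state.locked_until:
            return True                       # still locked: the attempt is rejected
        state.bad_count, state.last_bad, state.locked_until = 0, None, None  # lockout expired
    if success:
        state.bad_count, state.last_bad = 0, None
        return False
    # the bad-password counter starts over once the reset window has elapsed since the last failure
    if state.last_bad is not None and now - state.last_bad >= policy.reset_after:
        state.bad_count = 0
    state.bad_count += 1
    state.last_bad = now
    if policy.threshold and state.bad_count >= policy.threshold:
        forever = policy.lockout_duration == timedelta(0)
        state.locked_until = datetime.max if forever else now + policy.lockout_duration
        return True
    return False

def replay(policy: LockoutPolicy, events) -> dict:
    states, first_lock = {}, {}   # first_lock maps account -> time of its first lockout
    for ts, acct, ok in events:   # events are (timestamp, account, success) tuples
        st = states.setdefault(acct, AccountState())
        if record_attempt(policy, st, ts, ok) and acct not in first_lock:
            first_lock[acct] = ts
    return first_lock

# Constructed sample: 'alice' fails 5 times within 5 minutes, 'bob' 5 times 31 minutes apart.
T0 = datetime(2024, 1, 15, 9, 0)
SAMPLE_EVENTS = [(T0 + timedelta(minutes=m), "alice", False) for m in (0, 1, 2, 3, 4)] + \
                [(T0 + timedelta(minutes=m), "bob", False) for m in (0, 31, 62, 93, 124)]
POLICY_30 = LockoutPolicy(5, timedelta(minutes=30), timedelta(minutes=30))  # 30-minute window
POLICY_60 = LockoutPolicy(5, timedelta(minutes=60), timedelta(minutes=30))  # 60-minute window
```

With `POLICY_30`, `replay` locks only `alice` (at 09:04), because `bob`'s failures are each outside the reset window; with `POLICY_60` the same stream also locks `bob` at 11:04.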