Best Practices for Securing Active Directory
Attacks against computing infrastructure have increased over the last decade in all parts of the world. We live in an age of cyber-warfare, cybercrime, and hacktivism. As a result, organizations of all sizes all over the world have had to deal with information leaks, theft of intellectual property (IP), denial-of-service (DDoS) attacks, or even destroyed infrastructure.
However, as the threat landscape has changed over the years, the security landscape has also adapted to counter these threats. While no organization with an information technology (IT) infrastructure is ever perfectly immune to attack, the ultimate goal of security isn't preventing attack attempts altogether, but protecting the IT infrastructure from attacks. With the right policies, processes, and controls, you can protect key parts of your IT infrastructure from compromise.
In this article, we describe the most common types of vulnerabilities we've observed in Active Directory (AD) deployments. Next, we arm you with recommendations for how to protect these weak points from compromises. We designed these recommendations based on the expertise of our Microsoft IT (MSIT) and Microsoft Information Security and Risk Management (ISRM) organizations. We also show you steps you can take to reduce how much vulnerable infrastructure, or attack surface, on your AD is exposed to the outside world. We also include suggestions for how to recover vital data and infrastructure function if there's a security compromise.
Common security vulnerabilities
In order to learn how to best protect your infrastructure, you first need to understand where attacks are most likely to strike and how they work. This article only covers general recommendations, but if you want to go into more detail, we've included links to more thorough articles.
Now, let's look at the most common security vulnerabilities.
Common entry points
Initial breach targets, or entry points, are areas where attackers can most easily enter your IT infrastructure. Entry points are usually gaps in security or updates that attackers can exploit to gain access to a system within your infrastructure. Attackers usually start with one or two systems at a time, then escalate their attack as they spread their influence across more systems undetected.
The most common vulnerabilities are:
Gaps in antivirus and antimalware deployments
Incomplete patching
Outdated applications and operating systems
Misconfiguration
Lack of secure application development practices
Credential theft
Credential theft attacks are when an attacker gains privileged access to a computer on a network by using tools to extract credentials from sessions of accounts that are currently signed in. Attackers often go for specific accounts that already have elevated privileges. The attacker steals the credentials of this account to mimic its identity to gain access to the system.
Credential thieves usually target these kinds of accounts:
Permanently privileged accounts
VIP accounts
Privilege-attached Active Directory accounts
Domain controllers
Other infrastructure services that affect identity, access, and configuration management, such as public key infrastructure (PKI) servers or systems management servers
Users with highly privileged accounts raise the risk of having their credentials stolen by engaging in the following behaviors:
Signing into their privileged accounts on unsecured computers
Browsing the internet while signed in to a privileged account
You should also avoid poor and risky configurations to protect the credential security of your system, such as:
Configuring local privileged accounts with the same credentials across all systems.
Assigning too many users to privileged domain groups, encouraging overuse.
Insufficiently managing domain controller security.
For more information about vulnerable accounts, see Attractive accounts for credential theft.
Reduce Active Directory attack surface
You can prevent attacks by reducing the attack surface on your Active Directory deployment. In other words, you make your deployment safer by closing up gaps in security that we mentioned in the previous section.
Avoid granting excessive privileges
Credential theft attacks depend on admins granting certain accounts excessive privileges. You can prevent these attacks is to do the following things:
Remember there are three built-in groups that have the highest privileges in Active Directory by default: Enterprise Admins, Domain Admins, and Administrators. Make sure you take steps to protect those three groups, along with any other groups your organization gave elevated privileges to.
Implement a least-privilege administrative model. Don't use highly privileged accounts for everyday administrative tasks if you can avoid it. Also, make sure your admin accounts only have the baseline privileges required to do their jobs, with no extra privileges they don't need. Avoid giving excessive privileges to user accounts that don't need them. Make sure you don't accidentally give an account the same privileges across systems unless they absolutely need them.
Check the following areas of your infrastructure to make sure you aren't granting excessive privileges to user accounts:
Active Directory
Member servers
Workstations
Applications
Data repositories
For more information, see Implementing least-privilege administrative models.
Use secure administrative hosts
Secure administrative hosts are computers configured to support administration for Active Directories and other connected systems. These hosts don't run nonadministrative software like email applications, web browsers, or productivity software like Microsoft Office.
When configuring a secure administrative host, you must follow these general principles:
Never administer a trusted system from a less-trusted host.
Require multifactor authentication when using privileged accounts or doing administrative tasks.
Physical security for your administrative hosts is as important as system and network security.
For more information, see Implementing secure administrative hosts.
Keep your domain controllers secure
If an attacker gains privileged access to a domain controller, they can modify, corrupt, and destroy the AD database. An attack on the domain controller potentially threatens all AD-managed systems and accounts within your organization. Therefore, it's important you take the following measures to keep your domain controllers safe:
Keep your domain controllers physically secure within their datacenters, branch offices, and remote locations.
Become familiar with your domain controller operating system.
Configure your domain controllers with built-in and freely available configuration tools to make security configuration baselines you can enforce with group policy objects (GPOs).
For more information, see Securing domain controllers against attack.
Monitor Active Directory for signs of attack or compromise
Another way you can keep your AD deployment secure is to monitor it for signs of malicious attacks or security compromises. You can use legacy audit categories and audit policy subcategories, or use Advanced Audit Policy. For more information, see Audit Policy Recommendations.
Plan for security compromises
While you can protect your AD from outside attacks, no defense is ever truly perfect. It's important that in addition to taking preventative measures that you also plan for worst-case scenarios. When planning for security breaches, you should follow the guidelines in Planning for compromise, particularly the section Rethinking the approach, You should also read Maintaining a more secure environment.
Here's a brief summary of things you should do when planning for security compromises, as described in more detail in Maintaining a more secure environment:
Maintain a more secure environment
Create business-centric security practices for AD
Assign business ownership to AD data
Implement business-driven lifecycle management
Classify all AD data as systems, applications, or users
To continue reading more detail about these practices, see Maintaining a more secure environment.
Security measure summary table
The following table summarizes the recommendations listed in this article, listed in order of priority. The ones closer to the bottom of the table are the ones you and your organization should prioritize when setting up your Active Directory. However, you're also free to adjust the priority order and how you implement each measure based on your organization's unique needs.
Each measure is also categorized based on whether it's tactical, strategic, preventative, or detective. Tactical measures focus on specific components of AD and any related infrastructure. Strategic measures are more comprehensive and therefore require more planning to implement. Preventative measures prevent attacks from bad actors. Detective measures help you detect security breaches as they happen, before they can spread to other systems.
| Security measure | Tactical or Strategic | Preventative or Detective |
|---|---|---|
| Patch applications. | Tactical | Preventative |
| Patch operating systems. | Tactical | Preventative |
| Deploy and promptly update antivirus and antimalware software across all systems and monitor for attempts to remove or disable it. | Tactical | Both |
| Monitor sensitive Active Directory objects for modification attempts and Windows for events that might indicate attempted compromise. | Tactical | Detective |
| Protect and monitor accounts for users who have access to sensitive data | Tactical | Both |
| Prevent powerful accounts from being used on unauthorized systems. | Tactical | Preventative |
| Eliminate permanent membership in highly privileged groups. | Tactical | Preventative |
| Implement controls to grant temporary membership in privileged groups when needed. | Tactical | Preventative |
| Implement secure administrative hosts. | Tactical | Preventative |
| Use application allowlists on domain controllers, administrative hosts, and other sensitive systems. | Tactical | Preventative |
| Identify critical assets, and prioritize their security and monitoring. | Tactical | Both |
| Implement least-privilege, role-based access controls for administration of the directory, its supporting infrastructure, and domain-joined systems. | Strategic | Preventative |
| Isolate legacy systems and applications. | Tactical | Preventative |
| Decommission legacy systems and applications. | Strategic | Preventative |
| Implement secure development lifecycle programs for custom applications. | Strategic | Preventative |
| Implement configuration management, review compliance regularly, and evaluate settings with each new hardware or software version. | Strategic | Preventative |
| Migrate critical assets to pristine forests with stringent security and monitoring requirements. | Strategic | Both |
| Simplify security for end users. | Strategic | Preventative |
| Use host-based firewalls to control and secure communications. | Tactical | Preventative |
| Patch devices. | Tactical | Preventative |
| Implement business-centric lifecycle management for IT assets. | Strategic | N/A |
| Create or update incident recovery plans. | Strategic | N/A |