Lock down Active Directory in 10 steps

Any new security practices and standards should be implemented within the framework of the organization's security policy. A written security policy is always the first step and the central reference for effectively securing a network.

By Jeremy Smith, MCSE, CISSP

1. Use Windows Server 2003 – Out of the box, the Windows Server 2003 version of Active Directory is significantly more secure than the Windows 2000 version. That doesn't mean you can't make the Windows 2000 version highly secure; it means the Windows Server 2003 version needs less work to get there. If you can't upgrade, at least disable the pre-Windows 2000 compatibility features. The most important is the dcpromo option "Permissions compatible with pre-Windows 2000 server operating systems", which puts Everyone (and, on Windows Server 2003, Anonymous Logon) into the Pre-Windows 2000 Compatible Access group and thereby grants unauthenticated users read access to user and group attributes across the domain. Removing Everyone and Anonymous Logon from that group closes that exposure.

2. Limit administrative access – By delegating control over specific OUs with the Delegation of Control Wizard, and by using the built-in groups and Active Directory permissions as intended, an organization can significantly improve its Active Directory security. Instead of granting sweeping rights to every administrator, assign specific tasks and functions only to the IT staff who actually need them: a helpdesk that resets passwords does not need Account Operators, let alone Domain Admins. (The same applies to end users; make sure they don't accumulate rights either.) In organizations that span multiple locations and have multiple trees, domains or forests, make sure administrative rights follow the political and business boundaries of the company. You may need to bring management and HR into the discussion when setting those permissions.

3. Protect DNS – Active Directory is highly dependent on DNS. In particular, the service (SRV) records under _msdcs and _tcp tell clients and other domain controllers where the LDAP, Kerberos, Global Catalog and other domain controller functions live on the network. Because DNS holds this map of your Active Directory, the DNS servers hosting those records must be protected from tampering and snooping, both electronically and physically. One recommended configuration is to allow only secure dynamic updates on Active Directory-integrated zones, so that only authenticated computers can register records and, by default, only the computer that created a record can change it. With nonsecure dynamic updates enabled, any host on the network can overwrite those records.

4. Protect your FSMOs – Flexible Single Master Operations roles, or FSMOs, are the exceptions to Active Directory's multi-master model: the Schema Master and Domain Naming Master exist once per forest, and the PDC Emulator, RID Master and Infrastructure Master once per domain. The PDC Emulator in particular handles many important functions: it is the authoritative time source for the domain, Group Policy edits are made against it by default, and it receives urgent replication of password changes and account lockouts. The Schema Master controls all changes to the schema and must also be protected, since a schema change is forest-wide and a class or attribute, once added, can be deactivated but never deleted. Know which domain controllers hold these roles, consider fault-tolerant hardware and solid backups for them, and apply the other usual countermeasures to those servers first.

5. Enable auditing – Auditing lets administrators determine what has happened in their Active Directory. The audit policy categories most relevant to a domain controller are Account Management (user and group creation and membership changes), Logon Events, Policy Change, Privilege Use and Directory Service Access (changes to directory objects, which additionally require a SACL on the objects you want watched). Although it should go without saying, auditing is useless if nobody reads the logs: forward the Security logs off the domain controllers and review at least group membership changes and account lockouts regularly.

6. Disable unnecessary services and remove unnecessary applications – Because domain controllers should ideally do nothing but act as domain controllers, avoid running any service or software on them that the role does not need; every extra listening service is another way into the box that holds every account in the domain. Keep the set of applications and services minimal, and avoid using a domain controller as a file server or Web server whenever possible.

7. Apply a security template – Security templates are an effective means of enforcing consistent settings across your domain controllers, and the prudent, security-conscious administrator should use them. Start with the predefined templates (for example HiSecDC.inf) and, if they don't meet your needs, create a custom one. Analyze a domain controller against the template first (with the Security Configuration and Analysis snap-in or secedit /analyze) and test in a lab before applying it, because the high-security templates can break down-level clients and applications.

8. Prioritize patches for domain controllers – Microsoft releases security updates monthly (and out of band when needed), and administrators need to put domain controllers at the top of the patching list: a vulnerability exploited on a domain controller is a compromise of every account in the domain. Test quickly, patch quickly, and use the redundancy from step 10 to reboot them one at a time.

9. Set up physical security – Keep your domain controllers in a locked room or closet with controlled access. A malicious employee or visitor with physical access does not even need an administrator password: booting the machine from removable media gives them the directory database (ntds.dit) and with it every password hash in the domain, and an unattended logged-on console lets them do anything to your Active Directory infrastructure. The same applies to backup media and to virtual machine disk files, which are the directory database in another form.

10. Plan a fault-tolerant topology – Since security can only defend against the threats we currently know about, it's likely that at some point something will sneak up on you. Will you be able to recover? Because Active Directory uses a multi-master replication model, having more than one domain controller means there are few cases (the FSMO roles are one example) where the loss of a single DC really hurts the directory. However, you must understand Active Directory's replication topology and disaster recovery methods, monitor replication so the redundancy is actually there when you need it, and plan the topology to mitigate the most common problems and outages you can anticipate. Plan and be prepared.
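
A concrete instance of step 2, added here as an example and not taken from the article: delegating only password reset and account unlock on a single OU to a helpdesk group, using the AD: drive from the ActiveDirectory module and .NET's ActiveDirectoryAccessRule. The OU path, the group name and the corp.example.com domain are assumed names. The GUIDs for the "Reset Password" control access right, the lockoutTime attribute and the user class are looked up from the schema and the Extended-Rights container at run time rather than hardcoded.

```powershell
# Added example (not from the article). Delegates "Reset Password" and "unlock account"
# on user objects under one OU to a helpdesk group, and nothing else.
# Assumed names: the OU, the group and the corp.example.com domain.
Import-Module ActiveDirectory

$TargetOu  = 'OU=Helpdesk Users,DC=corp,DC=example,DC=com'   # assumed OU
$Delegatee = 'Helpdesk Operators'                            # assumed group

$rootDse  = Get-ADRootDSE
$schemaNc = $rootDse.schemaNamingContext
$configNc = $rootDse.configurationNamingContext

# Resolve GUIDs from the directory instead of hardcoding them.
function Get-SchemaGuid {
    param([string]$LdapDisplayName)
    $obj = Get-ADObject -SearchBase $schemaNc -LDAPFilter "(lDAPDisplayName=$LdapDisplayName)" -Properties schemaIDGUID
    [Guid]$obj.schemaIDGUID
}
function Get-ExtendedRightGuid {
    param([string]$DisplayName)
    $obj = Get-ADObject -SearchBase "CN=Extended-Rights,$configNc" -LDAPFilter "(displayName=$DisplayName)" -Properties rightsGuid
    [Guid]$obj.rightsGuid
}

$userClass     = Get-SchemaGuid 'user'                  # schemaIDGUID of the user class
$lockoutTime   = Get-SchemaGuid 'lockoutTime'           # attribute that is cleared to unlock an account
$resetPassword = Get-ExtendedRightGuid 'Reset Password' # control access right for administrative reset

$sid           = (Get-ADGroup -Identity $Delegatee).SID
$allow         = [System.Security.AccessControl.AccessControlType]::Allow
$onDescendants = [System.DirectoryServices.ActiveDirectorySecurityInheritance]::Descendents

$rules = @(
    # "Reset Password" control access right, scoped to user objects below the OU.
    New-Object System.DirectoryServices.ActiveDirectoryAccessRule -ArgumentList @(
        $sid, [System.DirectoryServices.ActiveDirectoryRights]::ExtendedRight, $allow,
        $resetPassword, $onDescendants, $userClass)
    # Read and write lockoutTime only: enough to unlock, not enough to change anything else.
    New-Object System.DirectoryServices.ActiveDirectoryAccessRule -ArgumentList @(
        $sid, [System.DirectoryServices.ActiveDirectoryRights]'ReadProperty, WriteProperty', $allow,
        $lockoutTime, $onDescendants, $userClass)
)

$acl = Get-Acl -Path "AD:\$TargetOu"
foreach ($rule in $rules) { $acl.AddAccessRule($rule) }
Set-Acl -Path "AD:\$TargetOu" -AclObject $acl

# Verify: list only the ACEs granted to the helpdesk group on this OU.
(Get-Acl -Path "AD:\$TargetOu").Access |
    Where-Object { $_.IdentityReference.Value -like "*\$Delegatee" } |
    Format-Table IdentityReference, ActiveDirectoryRights, ObjectType, InheritedObjectType -AutoSize
```

Both ACEs carry the user class as the inherited-object type, so they apply to user objects under the OU and to nothing else created there; the group gets no rights on the OU itself, on computers or on groups. Resolving the GUIDs from the directory also keeps the script correct in a forest whose schema has been extended.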

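Most of the steps above can be verified rather than merely asserted. The script below is an added example, not the author's, of a read-only check for points 1 through 8 and 10. It assumes a domain controller with the ActiveDirectory, DnsServer and SmbShare modules available (Windows Server 2012 or later), discovers the domain and forest at run time, and changes nothing. The HiSecDC.inf path, the list of built-in shares and the list of services flagged in step 6 are assumptions noted in the comments.

```powershell
# Added example (not from the article): read-only checks for the ten points above.
# Run on a domain controller as an administrator. Nothing here modifies the directory.
Import-Module ActiveDirectory
Import-Module DnsServer

$domain = Get-ADDomain
$forest = Get-ADForest

# 1. Pre-Windows 2000 compatibility: members of this group get broad read access to
#    user and group attributes. "Everyone" or "Anonymous Logon" here is a finding.
'== Pre-Windows 2000 Compatible Access members'
Get-ADGroupMember -Identity 'Pre-Windows 2000 Compatible Access' | Select-Object -ExpandProperty Name

# 2. Privileged groups: every account listed is, in effect, a full directory administrator.
#    Enterprise Admins and Schema Admins exist only in the forest root; errors are suppressed elsewhere.
'== Privileged group membership (nested groups expanded)'
foreach ($group in 'Domain Admins', 'Enterprise Admins', 'Schema Admins', 'Administrators') {
    $members = @(Get-ADGroupMember -Identity $group -Recursive -ErrorAction SilentlyContinue)
    '{0,-18} {1,3}: {2}' -f $group, $members.Count, ($members.SamAccountName -join ', ')
}

# 3. DNS: primary zones that still accept unauthenticated (nonsecure) dynamic updates.
'== Zones not limited to secure dynamic updates'
Get-DnsServerZone |
    Where-Object { $_.ZoneType -eq 'Primary' -and -not $_.IsAutoCreated -and $_.DynamicUpdate -ne 'Secure' } |
    Select-Object ZoneName, IsDsIntegrated, DynamicUpdate
#    Fix for an AD-integrated zone:  Set-DnsServerPrimaryZone -Name <zone> -DynamicUpdate Secure

# 4. FSMO role holders: the DCs to back up and protect first.
'== FSMO role holders'
[pscustomobject]@{
    SchemaMaster         = $forest.SchemaMaster
    DomainNamingMaster   = $forest.DomainNamingMaster
    PDCEmulator          = $domain.PDCEmulator
    RIDMaster            = $domain.RIDMaster
    InfrastructureMaster = $domain.InfrastructureMaster
} | Format-List

# 5. Auditing: effective policy for the categories the article names, then the events that
#    matter most from the last day: security group membership changes (4728 global,
#    4732 domain local, 4756 universal) and account lockouts (4740).
'== Audit policy'
auditpol /get /category:"Account Management,Logon/Logoff,Policy Change,Privilege Use,DS Access"
'== Group membership changes and lockouts, last 24 hours'
Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4728, 4732, 4756, 4740
                                 StartTime = (Get-Date).AddDays(-1) } -ErrorAction SilentlyContinue |
    Select-Object TimeCreated, Id, @{ n = 'Event'; e = { ($_.Message -split "`r?`n")[0] } }

# 6. Roles a DC should not carry: web, FTP, database, print, and file shares beyond the built-in ones.
'== Services and shares that do not belong on a DC'
Get-Service -Name W3SVC, FTPSVC, MSSQLSERVER, Spooler -ErrorAction SilentlyContinue |   # assumed list of unwanted services
    Where-Object Status -eq 'Running' | Select-Object Name, DisplayName
$builtInShares = 'ADMIN$', 'C$', 'IPC$', 'NETLOGON', 'SYSVOL'   # assumed baseline; add other drive-letter admin shares you have
Get-SmbShare | Where-Object { $_.Name -notin $builtInShares } | Select-Object Name, Path

# 7. Security template: analyze against a template without applying it and list mismatches.
$template = "$env:windir\security\templates\hisecdc.inf"   # shipped with Windows Server 2003; absent on later versions
if (Test-Path $template) {
    secedit /analyze /db "$env:TEMP\hisecdc.sdb" /cfg $template /log "$env:TEMP\hisecdc.log"
    Get-Content "$env:TEMP\hisecdc.log" | Select-String 'Mismatch'
}

# 8. Patching: when was this DC last updated?
'== Most recent updates'
Get-HotFix | Sort-Object InstalledOn -Descending | Select-Object -First 5 HotFixID, Description, InstalledOn

# 10. Replication: failures mean the redundancy you are counting on may not be there.
'== Replication failures seen by this DC'
Get-ADReplicationFailure -Target $env:COMPUTERNAME |
    Select-Object Partner, FailureType, FailureCount, FirstFailureTime, LastError
```

Run it on each domain controller and keep the output; the value is in the diff between runs, which shows new privileged members, new shares or a zone that quietly fell back to nonsecure updates.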

Jeremy Smith is a subject matter expert in Microsoft Exchange and Active Directory as well as IT security. He currently works as a solutions engineer for the leading 911 systems maker in the United States, Plant Equipment, Inc., where he helps design enterprise solutions for emergency 911 environments.