Active Directory is most organizations' primary identity store and is integral to their day-to-day operations. It is used to manage security principals, including user accounts, computers, servers, and other devices in the network. Since its launch 20 years ago, it has been integrated with numerous applications and systems and has become one of the main foundations of the organization's IT infrastructure.
This post discusses how to secure Active Directory using 3 key principles:

  1. Least Privileges Model to Secure Active Directory
  2. Hardening Domain Controllers
  3. Hardening Administrative Hosts
By following these 3 principles to secure Active Directory, you'll significantly reduce your Active Directory attack surface and decrease the chances of a successful cyberattack.
Use a least privilege administrative model:
The least privilege model aims to make sure that users are allocated only the privileges essential for their daily tasks. It also ensures that authenticated users are granted only those essential privileges, minimizing security risk. By implementing a least privilege administrative model for both user and computer accounts, you lower the chances that a compromised account will cause excessive damage to the entire network.
This is a simple principle to understand, yet it is rarely implemented appropriately. We often find excessive numbers of accounts having rights and privileges that are not required for their daily functions. The bigger the organization, the more complex it is to follow this principle.
In Active Directory it is common to see the Domain Admins (DA), Enterprise Admins (EA), or built-in Administrators (BA) groups containing an excessive number of accounts. A good least privilege model is a 'role-based access control model'.
Role-based access control in Active Directory is a mechanism for grouping users into security groups and granting them access and privileges that are based on their business tasks.
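The first step toward a role-based model is knowing who currently holds the highest privileges. The following PowerShell script is an added example (not code from the original post or from CalCom): it enumerates the three built-in groups named above, expands nested membership, and flags every member who is not on an approved role list. It assumes the RSAT ActiveDirectory module on a domain-joined host with read access to the directory; the approved list is a constructed placeholder standing in for your own RBAC catalogue.

```powershell
# Added example, not part of the original post: enumerate the built-in privileged
# groups named above and flag members who are not on an approved role list.
# Assumes the RSAT ActiveDirectory module on a domain-joined host with read access;
# the approved list below is a constructed placeholder for your own RBAC catalogue.
Import-Module ActiveDirectory

$ApprovedAdmins = @('adm-alice', 'adm-bob')   # constructed sample values

$Domain     = Get-ADDomain
$RootDomain = (Get-ADForest).RootDomain
$RootSid    = (Get-ADDomain -Identity $RootDomain).DomainSID.Value

# Resolve the groups by well-known RID/SID so renamed or localised names still match.
# Enterprise Admins lives in the forest root domain, so it is queried there.
$PrivilegedGroups = @(
    @{ Label = 'Domain Admins';          Sid = "$($Domain.DomainSID.Value)-512"; Server = $Domain.DNSRoot }
    @{ Label = 'Enterprise Admins';      Sid = "$RootSid-519";                   Server = $RootDomain }
    @{ Label = 'BUILTIN\Administrators'; Sid = 'S-1-5-32-544';                   Server = $Domain.DNSRoot }
)

$Report = foreach ($Entry in $PrivilegedGroups) {
    $Group = Get-ADGroup -Identity $Entry.Sid -Server $Entry.Server
    # -Recursive expands nested groups, so indirectly privileged accounts are not missed.
    Get-ADGroupMember -Identity $Group -Recursive -Server $Entry.Server | ForEach-Object {
        [pscustomobject]@{
            Group       = $Entry.Label
            Member      = $_.SamAccountName
            ObjectClass = $_.objectClass
            Approved    = $ApprovedAdmins -contains $_.SamAccountName
        }
    }
}

$Report | Sort-Object Group, Member | Format-Table -AutoSize

# Anything not approved is a candidate for removal under the role-based model;
# export it for review rather than removing it automatically.
$Report | Where-Object { -not $_.Approved } |
    Export-Csv -NoTypeInformation -Path '.\privileged-membership-review.csv'
```

Run it from an authorised administrative host and review the CSV with the owners of each role before removing anyone. Note that `Get-ADGroupMember -Recursive` stops with an error when a group contains foreign security principals from a trusted forest; those groups need to be walked by reading the `member` attribute directly.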

Securing Domain Controllers Configuration:

Given their access to the sensitive directory information in the AD DS database, the hardening of Domain Controllers should be treated with extra care. Once they are compromised, your Active Directory forest can never be trusted again (unless you have good backups and have found the gap that allowed the intrusion).
Here are a few best practices for Domain Controller hardening:

a. Block Domain Controllers access to the internet:

A basic step in assessing Active Directory security is to check whether the domain controllers can reach the web at all, for example whether a web browser is available and usable on them. And yet, analyses revealed numerous cases where this fundamental requirement wasn't followed.

Browsing the internet or intranet from a highly privileged account exposes the organization to major risk: attackers can use various methods to plant malware-infected utilities, gain a foothold, and destroy the Active Directory environment.
b. Configure Perimeter Firewall Restrictions:

Use perimeter firewall restrictions to prevent outbound connections from domain controllers to the internet. Where domain controllers need to communicate across site boundaries, configure the perimeter firewalls to allow that specific traffic.

In addition, configure Windows Firewall with Advanced Security on the domain controllers themselves, so that the host-based firewall enforces the same restrictions as the perimeter.
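As an added example (not code from the original post or from CalCom), here is a Windows Firewall with Advanced Security rule that blocks outbound HTTP/HTTPS from a domain controller to public IPv4 space while leaving RFC 1918 intranet destinations (WSUS, internal PKI, and the like) reachable. It assumes an elevated session on the DC, or deployment through a GPO startup script; the address plan is an assumption and should be adjusted to your own ranges.

```powershell
# Added example, not part of the original post: host-based complement to the
# perimeter rule above. Blocks outbound web traffic from a DC to public IPv4
# addresses only. Assumes it runs elevated on the DC; the address plan is an
# assumption (RFC 1918 treated as intranet), adjust it to your environment.

# Public IPv4 space expressed as the gaps between the RFC 1918 private ranges.
# Block rules win over allow rules in Windows Firewall, so the block must be scoped
# to public addresses itself; an allow rule for the intranet would not override it.
$PublicIPv4 = @(
    '1.0.0.0-9.255.255.255',
    '11.0.0.0-172.15.255.255',
    '172.32.0.0-192.167.255.255',
    '192.169.0.0-223.255.255.255'
)

$RuleName = 'DC - Block outbound web to internet'

# Remove an existing copy first so the script can be re-run safely.
Get-NetFirewallRule -DisplayName $RuleName -ErrorAction SilentlyContinue |
    Remove-NetFirewallRule

New-NetFirewallRule -DisplayName $RuleName `
    -Description 'Domain controllers must not browse the internet' `
    -Direction Outbound -Action Block -Protocol TCP -RemotePort 80, 443 `
    -RemoteAddress $PublicIPv4 -Profile Domain -Enabled True | Out-Null

# Verify that the rule exists and carries the intended remote address scope.
Get-NetFirewallRule -DisplayName $RuleName |
    Get-NetFirewallAddressFilter |
    Select-Object -ExpandProperty RemoteAddress
```

This covers only IPv4 and only ports 80 and 443; if IPv6 is routed on the network, or if proxies on other ports are reachable, add matching rules. After deploying it, confirm that replication, time synchronisation, and CRL retrieval from internal PKI still work, since those are the services most often broken by over-broad outbound blocks.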
c. Restrict RDP:

Allow RDP connection only from authorized users and systems. You can read this RDP Hardening Guide for more detailed instructions for RDP secured configuration.
d. Use industry's hardening best practices to configure domain controllers:

Best practices such as the DISA STIGs and CIS Benchmarks contain guidance specific to domain controllers, distinct from that for other infrastructure components. You should use these documents as the baseline of your policy and aim for the highest compliance posture achievable for your organization.
To learn how you can implement these best practices in an automated fashion, continue your reading here.
Secure Administrative Hosts:

Administrative hosts are workstations or servers that are hosting privileged accounts. These privileged accounts refer to accounts that are members of the most privileged groups in Active Directory and to accounts that have rights that allow them to perform administrative tasks. For example, Help Desk accounts and accounts that are used for configuration management (check here how you can minimize the number of users authorized to perform hardening to only one user).
There are a few basic recommendations for securing Administrative Hosts:

a. Restrict Single Factor Authentication:

Do not allow single-factor authentication when performing administrative tasks. A user name and password combination on its own is therefore not an acceptable form of authentication.
b. Consider using a smart card logon for these accounts.
c. Restrict RDP:

Restrict RDP connection to only authorized users. Consider removing or blocking other logon types that are not required for administrative tasks. You can read this RDP Hardening Guide for more detailed instructions for RDP secured configuration.
d. Use industry's hardening best practices to configure administrative hosts:

Best practices such as the DISA STIGs and CIS Benchmarks provide guidance for securing host configurations. You should use these documents as the baseline of your policy and aim for the highest compliance posture achievable for your organization.

To learn how you can implement these best practices in an automated fashion, continue your reading here.
e. Block access to the internet and intranet:

Administrative Hosts should not be permitted to access the internet and the intranet. Web browsers should not be used. You can use a firewall to block internet access.
f. Use virtual machines:

By using virtualization, you can provision dedicated administrative hosts tailored to each user's needs. You can control each one and shut it down when not in use, to limit the window for credential theft. There are many other practices you can apply with virtual machines to enhance administrative host security.
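Recommendations a, b and c above can be enforced and checked with a short script. The following is an added example (not code from the original post or from CalCom): it requires smart card logon for every user in a privileged group, which removes password-only authentication for those accounts, and then audits which principals hold RDP rights on the administrative host it runs on. It assumes the RSAT ActiveDirectory module; the group name, the approved RDP list, and the use of `-WhatIf` as a dry run are assumptions for illustration.

```powershell
# Added example, not part of the original post: enforce "no single-factor
# authentication" for privileged accounts via smart card logon, and audit RDP
# group membership on this administrative host. Assumes the RSAT ActiveDirectory
# module; group name and approved list are constructed placeholders.
Import-Module ActiveDirectory

$PrivilegedGroup = 'Domain Admins'        # assumed; repeat for EA / BA as needed
$AuthorizedRdp   = @('CORP\adm-alice')    # constructed approved list (DOMAIN\user)

# 1. Find privileged users who can still log on with just a password.
$Weak = Get-ADGroupMember -Identity $PrivilegedGroup -Recursive |
    Where-Object objectClass -eq 'user' |
    Get-ADUser -Properties SmartcardLogonRequired |
    Where-Object { -not $_.SmartcardLogonRequired }

foreach ($User in $Weak) {
    Write-Output "Password-only privileged account: $($User.SamAccountName)"
    # Setting the flag makes Windows assign the account a random password, so any
    # script or service still using the old password will break. Dry run first;
    # remove -WhatIf once the impact has been reviewed.
    Set-ADUser -Identity $User -SmartcardLogonRequired $true -WhatIf
}

# 2. On this administrative host, confirm only approved principals hold RDP rights
#    through the local Remote Desktop Users group.
$RdpMembers = Get-LocalGroupMember -Group 'Remote Desktop Users'
foreach ($Member in $RdpMembers) {
    if ($AuthorizedRdp -notcontains $Member.Name) {
        Write-Warning "Unexpected RDP member on $env:COMPUTERNAME: $($Member.Name)"
        # Remove-LocalGroupMember -Group 'Remote Desktop Users' -Member $Member.Name -WhatIf
    }
}
```

Two caveats apply. Members of the local Administrators group can use RDP regardless of the Remote Desktop Users group, because the "Allow log on through Remote Desktop Services" user right grants it to them by default; that right, and the "Deny log on ..." rights used to block unneeded logon types, are set through Group Policy rather than this script. And smart card enforcement is only as strong as the PKI behind it, so the issuing CA belongs in the same protected tier as the domain controllers.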
An Automated Approach for Active Directory Security:

CalCom offers an automated approach for configuration security and hardening tasks. By using CalCom Hardening Automation Suite you'll be able to easily harden your Domain Controllers and Administrative Hosts and achieve compliance to industry's best practices.
CalCom Hardening Automation Suite learns your production and indicates what will be the impact of each configuration change on your production, therefore eliminating the need to perform any testing before implementing your policy.
The entire hardening process is done from a single point of control, allowing you to minimize the number of authorized users to a minimum.
Finally, CalCom Hardening Automation Suite monitors your compliance posture, making sure you remain secure and audit-ready at any given time. To learn more, continue your reading here.