Today, Microsoft has released a document, detailing the Best Practices for Securing Active Directory Domain Services.
The document contains 22 best practice recommendations to assist organizations in enhancing the security of their Active Directory installations. By implementing these recommendations, organizations will be able to identify and prioritize security activities, protect key segments of their organization’s computing infrastructure, and create controls that significantly decrease the likelihood of successful attacks against critical components of their networking environments:
- Patch applications.
- Patch operating systems.
- Deploy and promptly update antivirus and antimalware software across all systems and monitor for attempts to remove or disable it.
- Monitor sensitive Active Directory objects for modification attempts and Windows for events that may indicate attempted compromise.
- Protect and monitor accounts for users who have access to sensitive data.
- Prevent powerful accounts from being used on unauthorized systems.
- Eliminate permanent membership in highly privileged groups.
- Implement controls to grant temporary membership in privileged groups when needed.
- Implement secure administrative hosts.
- Use application whitelisting on domain controllers, administrative hosts, and other sensitive systems.
- Identify critical assets, and prioritize their security and monitoring.
- Implement least-privilege, role-based access controls to administer the directory, its supporting infrastructure, and domain-joined systems.
- Isolate legacy systems and applications.
- Decommission legacy systems and applications.
- Implement secure development lifecycle programs for custom applications.
- Implement configuration management, review compliance regularly, and evaluate settings with each new hardware or software version.
- Migrate critical assets to pristine forests with stringent security and monitoring requirements.
- Simplify security for end users.
- Use host-based firewalls to control and secure communications.
- Patch devices.
- Implement business-centric lifecycle management for IT assets.
- Create or update incident recovery plans.
The document also discusses the most common attacks against Active Directory and countermeasures to reduce the attack surface, and recommendations for recovery in the event of complete compromise.
The 321-page document (135 pages of main content and 185 pages with appendices A through M) is provided for free in *.docx format. Download it here.
Related blogposts
Auditing directory changes aka "Who deleted this object"
How to create and use confidential attributes
MS013-032 Vulnerability in Active Directory Could Allow Remote Code Execution (Important)Preventing Domain Controller promotions, cloning and demotions in Windows Server 2012
Updated Active Directory Capacity Planning Guidance Available (adsizer.exe Be Gone!)
Acknowledgements
Thanks to Meinolf Weber for the tip.
New version has been released: https://www.microsoft.com/en-us/download/confirmation.aspx?id=38815