AD Security Optimization and Hardening White Paper-01
2024-03-08 23:06:21
| Version | V1.1 |
| Updated | 2023.5.9 |
| Authors | Zhu Hongzhi (Microsoft MVP), Wang Can |
| Terminology | Domain, AD and Active Directory refer to the same concept in this article. The Domain Admins group is referred to as the DA group, the Enterprise Admins group as the EA group, the domain built-in Administrators group as the BA group, and the Schema Admins group as the SA group. |
| Note | This solution focuses on hardening AD itself. It assumes the environment already has conventional security defenses in place, such as firewalls, Internet behavior management, bastion hosts, anti-virus systems and backup systems. |
| Disclaimer | This article is a suggested solution. When implementing the recommended measures, please ensure that you have fully understood and tested them. We are not responsible for any results. |
Table of Contents
Chapter 1 Overview
Chapter 2 Improvement and Optimization at the Management Level
2.1 Establishment and Improvement of Overall Domain Management Norms
2.1.1 Remove Arbitrary Actions, Improve and Comply with Approval Process
2.1.2 Complete and Accurate Information Entry, Proper Positioning of Objects
2.1.3 Regular Inspections and Corrections Should Be Made
2.2 Building a Hierarchical Classification Model for Systems
2.3 Building a Hierarchical Classification Model for Accounts
2.4 Building an Operation and Maintenance Management Model
Chapter 3 Technical-Strategic Level Optimization Outline
3.1 Optimization of Domain Architecture
3.2 Minimize the Number of Sites
3.3 Do Not Deploy Too Many Domain Controllers
3.4 Branches Should Deploy Read-Only Domain Controllers Wherever Possible
3.5 Read-Write Domain Controllers Should Preferably Use Physical Machines
3.6 Domain Controllers Should Preferably Use the Latest Operating System
3.7 Reasonable Planning and Authorization of Organizational Units
3.8 Only Domain Admins Group Can Add, Delete and Modify Group Policies
3.9 Automatic Synchronization of User Accounts
3.10 Implement Appropriate Password and Lockout Policies
3.11 Optimization of Patch Update System
3.11.1 Overall Architecture of WSUS Patch Server
3.11.2 Reinforcement of WSUS Patch Server Itself
3.11.3 Domain Group Policy for Patch Updates
3.11.4 Other Notes on Patch Management
3.12 Use Third-Party Backup Software to Backup AD
3.13 Handling of Old Systems within the Domain
3.14 Building a Standardized Server Template
3.15 Establish a Standardized Client System
3.16 Strengthen AD Integrated Security Management
3.17 Establish an Early Warning System
Chapter 4 Technical-Tactical Level Optimization and Reinforcement Measures
4.1 Domain Control Reinforcement
4.1.1 Inspection and Cleanup
4.1.2 Privilege Check and Reinforcement
4.1.3 Optimize Network Location
4.1.4 Encrypt Network Communication to Domain Control
4.1.5 Domain Control Patch
4.1.6 Other Reinforcements
4.2 General Server Reinforcement
4.3 General Client Reinforcement
Chapter 1 Overview
Domains are widely used for their centralized management capabilities: restricting end-user permissions, enforcing domain-wide password and lockout policies, and applying many other policies. The domain is also a standard identity authentication platform. Ordinary desktop management software cannot replace these underlying functions. Because management is centralized, standardized security configurations can be enforced and responses rolled out quickly, which raises the security of the entire network.
However, everything has two sides. If the domain environment itself has not been security-optimized and hardened, a compromise of a domain controller can severely affect the entire network and even production. In a production environment the domain must therefore be additionally hardened so that it withstands attacks and its functions can be used fully and safely.
The essence of security optimization in a domain environment is to reduce domain vulnerabilities and shrink the attack surface: the fewer vulnerabilities, the safer the domain.
The term "vulnerability" is used here in a broad sense.
Vulnerabilities are not only technical; they also exist at the management and operations levels. Logging into an ordinary computer with a domain administrator account, for example, is a typical non-technical vulnerability.
Technical vulnerabilities include missing critical patches, incorrect or unreasonable configuration, unreasonable permission allocation, non-standard or abusive use of privileged accounts, too many obsolete objects, and so on.
To minimize these "vulnerabilities", the following three parts discuss domain security optimization and hardening:
1. Management level: improvement and optimization
2. Technology, strategic level: optimization
3. Technology, tactical level: optimization and hardening
Chapter 2: Improvement and Optimization at the Management Level
2.1 Establishment and Improvement of Overall Domain Management Norms
Management rules should be in place before technical work begins.
First, a comprehensive domain management standard is needed. Actions should be standardized and follow defined processes; if the process is followed well, the outcome will not be far off. The key points of the management norms are as follows.
2.1.1 Remove Arbitrary Actions, Improve and Comply with Approval Process
Operations that affect the domain architecture, that relate to permissions, or that could have a significant impact should go through change approval. This removes the arbitrariness of administrator operations: even when administrators have the authority to perform an operation, they should follow the process, which restrains the "expansion" and "randomness" of administrator privileges. Unrestrained privileges lead to serious consequences, in the digital world as in the real one, so administrator privileges should be regulated and constrained by process.
Below is a recommended approval form.

| Management object | Operation | Final approver | Operator | Default action |
|---|---|---|---|---|
| Forest and AD | Create, decommission | Information department leaders and higher-level leaders | Enterprise Admins | Creation and decommissioning prohibited |
| Subdomains | Create, decommission | Information department leaders and higher-level leaders | Enterprise Admins | Creation prohibited |
| Schema | Extend | Information department leader | Schema Admins | Extension prohibited |
| Site | Create, remove | Information department leader | Domain Admins | |
| DC | Add, remove | Information department leader | Domain Admins | |
| DC | Restart, shut down | Direct leader of domain admin | Site administrators group | |
| First-level organizational unit | Create, rename, delete | Direct leader of domain admin | Domain control administrators | |
| Existing organizational unit structure | Change | Direct leader of domain admin | Domain control administrators | |
| Enterprise Admins group | Add member | Information department leader | Domain control administrators | |
| Domain Admins group | Add member | Direct leader of domain admin | Domain control administrators | |
| Domain control administrators | Add member | Direct leader of domain admin | Domain Admins | |
| Site administrators group | Add member | Direct leader of domain admin | Domain control administrators | Member removal does not require approval |
| Site client administrators group | Add member | Direct leader of domain admin | Domain control administrators | Member removal does not require approval |
| Site join-to-domain group | Add or remove member | Direct leader of domain admin | Corresponding site administrators group | |
| Global service account | Create, disable, delete | Direct leader of domain admin | Domain control administrators | |
| Site-level service account | Site administrator | | | |
| Site-level test account | Site administrator | | | |
| Users outside the company | Create | Direct leader of domain admin | Site administrator | |
| DNS | Configuration changes | Direct leader of domain admin | Domain control administrators | |
| DNS | Record additions and removals | Direct leader of domain admin | | |
| Global group policy | Create, change | Direct leader of domain admin | | |
| Site group policy | Create | Direct leader of domain admin | | |
| Site group policy | Edit | Direct leader of domain admin | The corresponding site administrator; it is recommended that the headquarters domain administrator handle this | |
| AD integration | Create, change | Direct leader of domain admin | Domain administrator | |
| Install software on a domain controller | Create | Direct leader of domain admin | Domain administrator | |
2.1.2 Complete and Accurate Information Entry, Proper Positioning of Objects
Naming conventions for objects (such as users, computers, security groups) need to be established, and all objects must be created following these conventions.
When creating or editing objects, administrators need to fill in relevant information completely and in accordance with the rules.
Newly created objects should be placed in the corresponding organizational units and should not be randomly placed.
2.1.3 Regular Inspections and Corrections Should Be Made
Over time, any object can drift from its intended state, so inspections are needed to identify and correct problems.
Inspections are conducted on a regular cadence: daily, weekly, monthly and annual checks.
Inspections can be performed with automated tools combined with manual checks.
It is also recommended to conduct a domain penetration test annually to verify that the defensive measures are effective.
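As an added example that is not part of this white paper, the following PowerShell script automates the checks that 2.1.2 and 2.1.3 call for: naming-convention compliance, completeness of required attributes and correct OU placement, plus a privileged-group roster (DA/EA/SA/BA) and obsolete-account list for the regular inspection. It assumes the RSAT ActiveDirectory module; the naming pattern, OU path, required attributes and 90-day threshold are placeholders for an organization's own norms.

```powershell
# Added inspection script, not part of the white paper. Assumes the RSAT ActiveDirectory module;
# the pattern, OU, attributes and threshold below are placeholders for the organisation's own norms.
Import-Module ActiveDirectory

$Config = @{
    ServiceAccountPattern = '^svc-[a-z0-9]+$'                         # placeholder convention
    ServiceAccountOU      = 'OU=ServiceAccounts,DC=example,DC=com'     # placeholder OU
    RequiredAttributes    = @('description', 'department', 'manager') # placeholder required fields
    PrivilegedGroups      = @('Domain Admins', 'Enterprise Admins', 'Schema Admins', 'Administrators')
    StaleDays             = 90                                         # placeholder threshold
}

$findings = New-Object System.Collections.Generic.List[object]
function Add-Finding($Check, $Object, $Detail) {
    $findings.Add([pscustomobject]@{ Check = $Check; Object = $Object; Detail = $Detail })
}

# 2.1.2 placement: accounts named as service accounts but living outside the service account OU
Get-ADUser -Filter * | Where-Object {
    $_.SamAccountName -match $Config.ServiceAccountPattern -and
    $_.DistinguishedName -notlike "*,$($Config.ServiceAccountOU)"
} | ForEach-Object { Add-Finding 'Placement' $_.SamAccountName 'Service account outside its OU' }

# 2.1.2 naming: objects inside the service account OU that break the naming convention
Get-ADUser -Filter * -SearchBase $Config.ServiceAccountOU |
    Where-Object { $_.SamAccountName -notmatch $Config.ServiceAccountPattern } |
    ForEach-Object { Add-Finding 'Naming' $_.SamAccountName 'Does not match naming convention' }

# 2.1.2 completeness: enabled users missing information the norms require to be filled in
Get-ADUser -Filter 'Enabled -eq $true' -Properties $Config.RequiredAttributes | ForEach-Object {
    $user = $_
    foreach ($attr in $Config.RequiredAttributes) {
        if ([string]::IsNullOrWhiteSpace($user.$attr)) {
            Add-Finding 'Incomplete' $user.SamAccountName "Missing attribute '$attr'"
        }
    }
}

# 2.1.3 privileged membership: the DA/EA/SA/BA roster, to be reconciled with the approval records
foreach ($group in $Config.PrivilegedGroups) {
    Get-ADGroupMember -Identity $group -Recursive |
        ForEach-Object { Add-Finding 'Privileged' $_.SamAccountName "Member of $group" }
}
# 2.1.3 stale objects: users with no logon within the threshold, candidates for review and cleanup
Search-ADAccount -AccountInactive -TimeSpan (New-TimeSpan -Days $Config.StaleDays) -UsersOnly |
    ForEach-Object { Add-Finding 'Stale' $_.SamAccountName "No logon for $($Config.StaleDays) days" }

# Write the full report for the inspection record and print a per-check summary
$findings | Export-Csv -Path ".\AD-Inspection-$(Get-Date -Format yyyyMMdd).csv" -NoTypeInformation
$findings | Group-Object Check | Select-Object Name, Count
```

Run it from an account with read access to the directory on the inspection cadence (weekly or monthly) and keep the CSV as the inspection record; any "Privileged" entry without a matching approval from the form above is a finding to correct.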