
Active Directory Hardening

Prepared by Moamen Hany


www.momenhany.com

• Security Hardening
o Resolving security configurations to meet compliance and overall security needs; key areas for this analysis and resolution include:
▪ Security groups with privileges
▪ User rights
▪ Password policy
▪ Account lockout policy
▪ Active Directory delegations
▪ Group Policy delegations
o Group membership (default privileged groups)
▪ Domain admins
▪ Administrators
▪ Administrators (local)
▪ Backup operators
o OU Protection
▪ Protect Organizational Units from accidental deletion
o Domain Controller runtime updates & Applied Security Patches
o Trusting DCs using the Microsoft Baseline Security Analyzer tool
• Local Users and Groups
o Solution to Manage Local Administrator Password
o Solution to Manage Local Group Memberships
• Active Directory Users
o Find and delete never-used accounts
o Tracking down users with no logins
o Solution to track inactive users
o Solution to track AD login attack attempts
• Active Directory Computers
o Find and delete disabled computer accounts
• Active Directory Groups
o Securing default group memberships
o Securing nested administrators
o Solution for modifications to administrator group membership
• Active Directory User Rights
o Update User Rights using Group Policy Management, applying the most common rights as per my experience and according to business needs
• Active Directory Delegations
o Create two Active Directory delegation templates
• Active Directory Service Accounts
o Securing Service Accounts
o Preventing service accounts from logging in to or accessing other resources
• Password Management
o Define Default Domain Policy for Password policy
o Password policy must meet the complexity requirement of 3:4 characters
o For a stronger password policy, it is recommended to meet 4:4 characters
o Provide users with self-service password reset
o The password policy GPO must have high priority and be enforced, to override any OU that blocks inheritance
• Audit and Alerting
o Force Login audit
o Force Object access audit
o Solution to find Active Directory Security Alerts
o Solution to monitor Active Directory object changes/behavior
• Configuration and Best Practices
o Run the MBPA tool and resolve the findings
• Domain Name System DNS and Application Partition
o Secure DNS Zones by storing them in Active Directory Application Partition
• Active Directory Sites and Subnets Configuration Partition
o Optimize Logical Configuration Partition to match the physical status by:
▪ Structure Domain Controllers based on physical locations
▪ Applying Site Links Replication schedules and costs
▪ Bridge sites to reduce replication traffic bottlenecks
▪ Site subnets should be customized to match reality
• Active Directory Backup
o Solution to backup Active Directory Databases
o Solution to backup Active Directory Servers
o Solution to recover deleted items using Recycle Bin
