Active Directory Security 101
This document complements the Active Directory security topics talked about on the 7 Minute Security podcast miniseries related to Active Directory. The purpose of this doc is to compile resources we can all use to make our Active Directory environments more physically and logically secure. Here we go....
I can't tell you how many companies I've run into that have flippin' Fort Knox around their DCs at their primary office (cameras, motion detectors, angry guard dogs, snipers, etc.) but then the branch office has a DC under the receptionist's desk with no security controls. Make sure all domain controllers are physically locked down. I think a good minimum config is to have the DC locked in a room with keycard access - where only a subset of employees have physical access.
Put users in a least privilege model
Set up your users to run their day-to-day workstation tasks not as a local admin. Do this even for your IT/security staff. Then, let them have a separate account, such as jdoe_admin, that they use only for tasks that require elevated privileges. If this is a tough sell to upper management, show them this awesome Avecto report which shows some staggering statistics, such as:
Removing admin rights would mitigate 80% of all Critical Microsoft vulnerabilities in 2017!
Privileged group cleanup
Microsoft has some great guidance around this. In general:
Domain Admins - nobody should be in here except the general Administrator account, and even that should have some additional best practices wrapped around it (see the Microsoft link above)
Schema Admins - should generally be empty unless someone is doing active schema changes.
Enterprise Admins - same as Domain Admins. Should be empty for the most part.
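To turn the three rules above into a recurring check, here is an added PowerShell audit script (mine, not from the podcast or its show notes). It assumes the RSAT ActiveDirectory module, a domain-joined account that can read group membership, and that the built-in Administrator account still carries its default name.

```powershell
# Added example: audit Domain Admins, Enterprise Admins and Schema Admins
# against the guidance above and flag every member that is not expected.
# Assumes: RSAT ActiveDirectory module installed; read access to AD;
# the built-in Administrator account has not been renamed.
Import-Module ActiveDirectory

# Enterprise Admins and Schema Admins exist only in the forest root domain,
# so query that domain explicitly. Domain Admins is per-domain.
$forestRoot = (Get-ADForest).RootDomain
$thisDomain = (Get-ADDomain).DNSRoot

$targets = @(
    @{ Name = 'Domain Admins';     Server = $thisDomain; Allowed = @('Administrator') },
    @{ Name = 'Enterprise Admins'; Server = $forestRoot; Allowed = @() },
    @{ Name = 'Schema Admins';     Server = $forestRoot; Allowed = @() }
)

$findings = foreach ($t in $targets) {
    # -Recursive expands nested groups, so an account that inherits membership
    # through a nested group (a common way privilege creeps in) is still listed.
    $members = Get-ADGroupMember -Identity $t.Name -Server $t.Server -Recursive

    foreach ($m in $members) {
        [pscustomobject]@{
            Group      = $t.Name
            Member     = $m.SamAccountName
            Type       = $m.objectClass          # user, computer, etc.
            DN         = $m.distinguishedName
            Expected   = ($t.Allowed -contains $m.SamAccountName)
        }
    }
}

# Everything with Expected = False is a candidate for removal, or at least
# for a documented justification of why it stays in the group.
$findings | Sort-Object Group, Expected | Format-Table Group, Member, Type, Expected -AutoSize

$review = $findings | Where-Object { -not $_.Expected }
$review | Export-Csv -NoTypeInformation -Path '.\privileged-group-review.csv'
Write-Host ("{0} unexpected privileged member(s) written to privileged-group-review.csv" -f @($review).Count)
```

Run it on a schedule and diff the CSV against the previous run; a new row is a change to your most sensitive groups and is worth an alert on its own.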
Username format obfuscation
I picked this up from the fine folks at BHIS, and they recommend that instead of having your username structure be email@example.com or firstname.lastname@example.org (which is very predictable), move to something like firstname.lastname.5RandomCharacters@company.com. Brilliant! I love it. I wonder if anybody out there is actually using it? I've never seen it in the wild.