Active_Directory_Security_Best_Practices

Active Directory (AD) security is crucial as it is often targeted by cybercriminals due to its role in authentication and authorization. Best practices for securing AD include protecting domain controllers, establishing robust password policies, and monitoring for signs of compromise. Organizations should implement these practices to reduce vulnerabilities and enhance their overall security posture.


Active Directory Security Best Practices
Protecting Active Directory (AD) is a critical focus for security teams. Bad actors frequently target AD because it is
central to so many critical functions, including authentication, authorization and network access. Your users,
applications, services and IoT devices use AD every time they access your enterprise systems.

The 2018 healthcare.gov attack is one real-world example of a severe AD breach. Using stolen credentials, attackers were
able to log into a database undetected and expose over 75,000 files containing personally identifiable information (PII).

Defending your organization starts with understanding how attacks unfold. They typically follow the same
fundamental steps:

1. Steal the credentials of a legitimate AD account, or take advantage of weak or re-used passwords.
2. Log into systems using those credentials.
3. Spy on AD to uncover valuable information about vulnerable users, servers and computers.
4. Move laterally to escalate their privileges, steal data, sabotage systems or commit other cybercrimes.

In other words, AD attacks often hinge upon the weakest link in every security system: the human element.
Phishing schemes, in particular, have become worryingly effective. Bad actors posing as representatives of well-
regarded partners like financial institutions routinely convince unwitting employees to willingly hand over vital
information. Cybercriminals have persuaded employees to:

• Transfer money into bogus accounts
• Share login credentials over the phone
• Escalate access privileges
• Share private personal data (PPD)

To protect your organization, it is crucial to establish, communicate and enforce the following Active Directory
security best practices.

Secure Your Domain Controllers
A domain controller (DC) is a server that authenticates users by checking their usernames, passwords and other
credentials against stored data, and also authorizes (or denies) requests to access various IT resources.

DCs are a primary target for cybercriminals because they store and process information that hackers can use to
steal data and cause enterprise-wide damage.

Best Practices

• Ensure the physical security of domain controllers.
• Limit the software and roles installed on domain controllers.
• Standardize DC configuration. For example, use build automation through deployment tools such as System
  Center Configuration Manager.

Establish a Robust Password Policy

Microsoft Active Directory allows you to define fine-grained password policies that control factors like password
length and complexity requirements.

One way you can use password policy to better secure your network is to apply stricter account lockout settings
to accounts that have access to valuable data and critical applications. That way, for example, an attacker who
attempts to compromise an admin account will be locked out after just a few failed attempts, but a regular user
who mistypes their password a few times will not get locked out and need to reset their password before they can
get back to work.
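The stricter-lockout-for-privileged-accounts idea above, as an added PowerShell example (not code from the whitepaper or from Netwrix). It creates a fine-grained password policy (PSO) and attaches it to a security group, so ordinary users keep the looser default domain policy. The module name is real; the PSO name, the group 'Tier0-Admins' and the account 'alice.adm' are assumptions for illustration.

```powershell
# Added example, not from the whitepaper. Assumes the RSAT ActiveDirectory module,
# a global security group named 'Tier0-Admins' (assumed) holding the admin accounts,
# and an admin account 'alice.adm' (assumed) to verify the resultant policy against.
Import-Module ActiveDirectory

$psoName  = 'PSO-PrivilegedAccounts'   # assumed policy name
$adminGrp = 'Tier0-Admins'             # assumed group; PSOs apply to users and global security groups

# Baseline every account gets unless a PSO overrides it (the "regular user" case).
Get-ADDefaultDomainPasswordPolicy |
    Select-Object MinPasswordLength, LockoutThreshold, LockoutDuration, LockoutObservationWindow

if (-not (Get-ADFineGrainedPasswordPolicy -Filter "Name -eq '$psoName'")) {
    # Precedence: the lowest number wins when several PSOs apply to one user.
    # Length instead of composition rules (see the NIST guidance in the next section);
    # lock after 5 bad attempts within 30 minutes, and stay locked for 30 minutes.
    New-ADFineGrainedPasswordPolicy -Name $psoName -Precedence 10 `
        -MinPasswordLength 15 `
        -PasswordHistoryCount 24 `
        -ComplexityEnabled $false `
        -ReversibleEncryptionEnabled $false `
        -LockoutThreshold 5 `
        -LockoutObservationWindow (New-TimeSpan -Minutes 30) `
        -LockoutDuration (New-TimeSpan -Minutes 30) `
        -MinPasswordAge (New-TimeSpan -Days 1)
}

# Attach the PSO to the group; every direct member inherits it.
Add-ADFineGrainedPasswordPolicySubject -Identity $psoName -Subjects $adminGrp

# Confirm which policy actually wins for one admin account (the resultant PSO).
Get-ADUserResultantPasswordPolicy -Identity 'alice.adm' |
    Select-Object Name, Precedence, MinPasswordLength, LockoutThreshold, LockoutDuration
```

The last cmdlet is the check worth keeping in a runbook: a PSO that is created but attached to the wrong group type (domain local groups are not valid PSO subjects) silently does nothing, and the resultant-policy query is how you notice.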

Best Practices

Follow these NIST password guidelines:

• Passwords should contain at least eight characters when set by a human and six characters when set by an
  automated system or service.
• Using one strong password is more effective than regularly updating weak passwords.
• Avoid complexity requirements that are not user-friendly, since they can lead to users creating weak passwords
  or storing their passwords in a non-secure way (such as on a sticky note on their desk).
• Monitor administrative password resets. Unusual password reset activity can signal a compromise of the
  administrator account.

Use a Local Administrator Password Solution

All too often, organizations create a generic local admin user ID with the same password on every machine. This
approach increases the organization’s vulnerabilities — bad actors who compromise one machine can easily attack
every machine. A local administrator password solution (LAPS) mitigates this risk by forcing each device to have a
different local admin password.

Best Practices

• Do not run the LAPS client-side extension (CSE) on domain controllers.
• Do not use additional local admin passwords on domain-joined devices.
• Do not use Group Policy to set local administrator passwords.
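An added PowerShell audit (not from the whitepaper or Netwrix) that checks the three rules above from the AD side: which computers have a LAPS-managed password, whether any domain controller does, and whether Group Policy Preferences files in SYSVOL still carry a local password. The attribute names are the real Windows LAPS and legacy LAPS expiration attributes; it assumes read access to those attributes (not to the password itself) and that at least one LAPS schema extension is present.

```powershell
# Added example, not from the whitepaper. Assumes the RSAT ActiveDirectory module and
# permission to read the LAPS expiration attribute (never the password attribute).
Import-Module ActiveDirectory

# Work out which LAPS flavour the schema has: Windows LAPS or legacy LAPS.
$schemaNC  = (Get-ADRootDSE).schemaNamingContext
$lapsAttrs = @('msLAPS-PasswordExpirationTime', 'ms-Mcs-AdmPwdExpirationTime') | Where-Object {
    Get-ADObject -SearchBase $schemaNC -LDAPFilter "(lDAPDisplayName=$_)"
}
if (-not $lapsAttrs) { throw 'Neither the Windows LAPS nor the legacy LAPS schema extension is present.' }

$dcNames     = (Get-ADDomainController -Filter *).Name
$nowFileTime = (Get-Date).ToFileTimeUtc()

$report = Get-ADComputer -Filter 'Enabled -eq $true' -Properties ($lapsAttrs + 'OperatingSystem') |
    ForEach-Object {
        # The expiration attribute is a Windows FILETIME; it is only set once LAPS has managed the machine.
        $exp = $null
        foreach ($a in $lapsAttrs) { if ($_.$a) { $exp = [int64]$_.$a; break } }
        [pscustomobject]@{
            Computer    = $_.Name
            OS          = $_.OperatingSystem
            IsDC        = $_.Name -in $dcNames
            LapsManaged = [bool]$exp
            Expired     = ($exp -and $exp -lt $nowFileTime)   # CSE not running or policy not applied
        }
    }

'DCs with a LAPS-managed password (should be none; the CSE does not belong on DCs):'
$report | Where-Object { $_.IsDC -and $_.LapsManaged } | Select-Object Computer, OS

'Enabled non-DC computers with no LAPS password set (shared/static local admin risk):'
$report | Where-Object { -not $_.IsDC -and -not $_.LapsManaged } | Select-Object Computer, OS

'Computers whose LAPS password is past its expiration date:'
$report | Where-Object { $_.Expired } | Select-Object Computer, OS

# Group Policy Preferences must not carry local admin passwords: the cpassword value
# stored in these SYSVOL XML files is encrypted with a key Microsoft published.
$sysvol = "\\$((Get-ADDomain).DNSRoot)\SYSVOL"
'GPP files in SYSVOL that still contain a cpassword value:'
Get-ChildItem -Path $sysvol -Recurse -ErrorAction SilentlyContinue `
    -Include 'Groups.xml', 'Services.xml', 'ScheduledTasks.xml', 'DataSources.xml', 'Drives.xml', 'Printers.xml' |
    Select-String -Pattern 'cpassword=' |
    Select-Object -Unique Path
```

Run it from a management workstation on a schedule and treat any row in the first and last lists as a finding: a DC with a LAPS password means the CSE was deployed too broadly, and a cpassword hit means a password is readable by every authenticated user who can read SYSVOL.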

Enable Visibility into Group Policy
Group Policy is a tool for enforcing a consistent and secure setup across multiple devices. However, Group Policy
tends to be tangled and messy; some organizations even have Group Policy settings that are mutually exclusive. To
avoid this weak link in your security posture, you need to have visibility into your Group Policy structure and changes.

Group Policy best practices can be grouped into those for security groups and those for roles and accounts:

Security Groups

Security groups are the recommended way to control access to resources and enforce a least-privilege model.
Instead of assigning access rights to individuals one by one, you assign permissions to security groups and then
make each user a member of the appropriate groups.

Best Practices

• Closely monitor changes to the membership of security groups, especially groups that have permissions to
  access, modify or remove sensitive data.
• Have data owners regularly review security group membership to ensure that only the right users are members
  of each group.

Accounts

Best Practices for All Accounts

• Do not assign privileges directly to user accounts; use security groups.
• Rigorously follow a least privilege model, giving each user only the minimum permissions they need to complete
  their tasks.
• Establish a delegation model following best practices.
• Immediately disable accounts for employees who leave the organization.
• Monitor inactive accounts and disable them if necessary.
• Create guest accounts with minimum privileges.
• Monitor for unauthorized modifications to AD accounts.
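Three of the account rules above turned into a PowerShell hygiene check, added here as an example (not code from the whitepaper or Netwrix): find enabled users with no recent logon and stage them for disabling, confirm the built-in Guest account is disabled, and find permissions on the domain root that were granted to individual users rather than groups. The 90-day threshold is an assumption.

```powershell
# Added example, not from the whitepaper. Assumes the RSAT ActiveDirectory module
# and read access to the domain root ACL. The inactivity threshold is assumed.
Import-Module ActiveDirectory

$inactiveDays = 90
$cutoff       = (Get-Date).AddDays(-$inactiveDays)

# 1. Enabled users with no logon in $inactiveDays days. Accounts created after the
#    cutoff are skipped: a brand-new account has no logon yet and is not "inactive".
$stale = Search-ADAccount -AccountInactive -TimeSpan (New-TimeSpan -Days $inactiveDays) -UsersOnly |
    Where-Object Enabled |
    Get-ADUser -Properties LastLogonDate, whenCreated, Description |
    Where-Object { $_.whenCreated -lt $cutoff }

'Enabled users with no logon in the last {0} days:' -f $inactiveDays
$stale | Select-Object SamAccountName, LastLogonDate, whenCreated, Description | Format-Table -AutoSize

# Disable after review; remove -WhatIf to apply (LastLogonDate can lag by up to 14 days
# because lastLogonTimestamp replication is throttled, so review before acting).
$stale | Disable-ADAccount -WhatIf

# 2. The built-in Guest account (RID 501) should remain disabled, whatever it was renamed to.
$domain = Get-ADDomain
Get-ADUser -Identity "$($domain.DomainSID.Value)-501" -Properties Enabled |
    Select-Object SamAccountName, Enabled

# 3. Explicit (non-inherited) ACEs on the domain root held by individual user objects.
#    Rights granted this way bypass group-based review and survive group clean-ups.
$acl = Get-Acl -Path "AD:\$($domain.DistinguishedName)"
'Domain-root permissions granted directly to user accounts:'
foreach ($ace in ($acl.Access | Where-Object { -not $_.IsInherited })) {
    try {
        $sid       = $ace.IdentityReference.Translate([System.Security.Principal.SecurityIdentifier]).Value
        $principal = Get-ADObject -Filter "objectSid -eq '$sid'" -Properties objectClass
    } catch { continue }   # unresolvable or foreign SIDs are reported elsewhere
    if ($principal.ObjectClass -eq 'user') {
        [pscustomobject]@{
            User   = $ace.IdentityReference
            Rights = $ace.ActiveDirectoryRights
            Type   = $ace.AccessControlType
        }
    }
}
```

The ACL check only covers the domain root; the same loop pointed at an OU's distinguished name (for example the one holding privileged accounts) finds delegation that was done against a person instead of a role group.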

Additional Best Practices for Administrative and Other Powerful Accounts

Naturally, attackers are particularly interested in gaining access to accounts that have administrative privileges or
access to sensitive data, such as customer records or intellectual property. Therefore, it’s critical to be especially
vigilant about these powerful accounts.

Best practices for domain administrator accounts and other privileged accounts include the following:

• Train admins to use their administrative accounts only when absolutely necessary to reduce the risk of credential theft.
• Ideally, implement a privileged account management (PAM) solution. If that is not possible, keep only the
  default domain admin in the Domain Admins group and place other accounts in that group only temporarily,
  until they have completed their work.
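An added PowerShell example (not from the whitepaper or Netwrix) for the "only the default domain admin, everyone else temporarily" rule: it lists every user who ends up in the most powerful groups (nested groups expanded), marks anyone other than the built-in Administrator (RID 500) for review, and shows AD's own time-bound group membership, which removes a member automatically when its TTL lapses. The account name 'alice.adm' and the four-hour TTL are assumptions.

```powershell
# Added example, not from the whitepaper. Assumes the RSAT ActiveDirectory module.
# Time-bound membership needs the forest-level Privileged Access Management Feature.
Import-Module ActiveDirectory

$domain          = Get-ADDomain
$builtinAdminSid = "$($domain.DomainSID.Value)-500"     # RID 500 even if the account was renamed
$privGroups      = 'Domain Admins', 'Enterprise Admins', 'Schema Admins', 'Administrators'

$review = foreach ($g in $privGroups) {
    # -Recursive expands nested groups so indirect routes to admin rights are visible
    $members = Get-ADGroupMember -Identity $g -Recursive -ErrorAction SilentlyContinue
    foreach ($m in $members) {
        if ($m.objectClass -ne 'user') { continue }
        $u      = Get-ADUser -Identity $m.SID -Properties LastLogonDate, PasswordLastSet, Enabled
        $status = if ($u.SID.Value -eq $builtinAdminSid) { 'baseline' } else { 'REVIEW' }
        [pscustomobject]@{
            Group     = $g
            Member    = $u.SamAccountName
            Status    = $status
            Enabled   = $u.Enabled
            LastLogon = $u.LastLogonDate
            PwdSet    = $u.PasswordLastSet
        }
    }
}
$review | Sort-Object Group, Status | Format-Table -AutoSize

# Temporary membership: AD removes the member when the TTL expires, so nobody has to remember to.
$pam = Get-ADOptionalFeature -Identity 'Privileged Access Management Feature'
if ($pam.EnabledScopes.Count -gt 0) {
    # Grant an assumed account four hours of Domain Admins; drop -WhatIf to apply.
    Add-ADGroupMember -Identity 'Domain Admins' -Members 'alice.adm' `
        -MemberTimeToLive (New-TimeSpan -Hours 4) -WhatIf
    # Members with a TTL show the remaining seconds in front of their DN.
    Get-ADGroup -Identity 'Domain Admins' -Properties member -ShowMemberTimeToLive |
        Select-Object -ExpandProperty member
} else {
    'PAM optional feature is not enabled; Enable-ADOptionalFeature turns it on (forest-wide and irreversible).'
}
```

Everything marked REVIEW is either a candidate for a TTL membership or for removal; the LastLogon and PwdSet columns make the stale standing admins easy to spot.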

Monitor Active Directory for Signs of Compromise
Active Directory is a busy place. To spot attacks, it’s essential to know what to look for in all the event data. Here are
the top five things to monitor:

User Account Changes

Be on the lookout for unusual modifications to an AD user account. Consider investing in a tool that can help you
answer the following questions:

• What changes were made to which user accounts?
• Who performed each change?
• When did the change happen?
• Where was the change made from?

Password Resets by Administrators

Domain admins should always follow established best practices when resetting user credentials. A robust
monitoring tool helps answer questions like:

• Which user accounts had their passwords reset?
• Who reset each password?
• When did the reset happen?
• Where did the admin reset the password?
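The two question lists above (user account changes and administrator password resets) answered from the Windows Security log, as an added PowerShell example that is not code from the whitepaper or Netwrix. The event IDs are the real User Account Management events; the DC name 'DC01', the 24-hour window and the burst threshold of 5 are assumptions. Note that these events record no client address, so "where" is the DC that processed the change.

```powershell
# Added example, not from the whitepaper. Assumes 'Audit User Account Management'
# (success) is enabled and that DC01 (assumed) is queried; each DC only holds the
# events for changes it processed, so run this per DC or against a log collector.
$dc        = 'DC01'
$since     = (Get-Date).AddHours(-24)
$threshold = 5      # assumed: this many resets by one principal in the window is unusual

$meaning = @{
    4720 = 'account created';  4722 = 'account enabled'
    4723 = 'user changed own password'
    4724 = 'password reset by another principal'
    4725 = 'account disabled'; 4726 = 'account deleted'
    4738 = 'account attributes changed'
    4740 = 'account locked out'
}

$events = Get-WinEvent -ComputerName $dc `
    -FilterHashtable @{ LogName = 'Security'; Id = [int[]]$meaning.Keys; StartTime = $since } `
    -ErrorAction SilentlyContinue

$rows = foreach ($e in $events) {
    # Pull the named EventData fields (TargetUserName, SubjectUserName, ...) out of the event XML
    $x = [xml]$e.ToXml(); $d = @{}
    foreach ($n in $x.Event.EventData.Data) { $d[$n.Name] = $n.'#text' }
    if ($d.TargetUserName -like '*$') { continue }   # computer accounts are out of scope for this report
    [pscustomobject]@{
        When   = $e.TimeCreated
        What   = $meaning[$e.Id]
        Target = "$($d.TargetDomainName)\$($d.TargetUserName)"
        By     = "$($d.SubjectDomainName)\$($d.SubjectUserName)"
        DC     = $e.MachineName     # no client address in these events; this is where it was processed
    }
}
$rows | Sort-Object When | Format-Table -AutoSize

# Unusual reset volume: one principal resetting many passwords in the window
$rows | Where-Object What -eq 'password reset by another principal' |
    Group-Object By | Where-Object Count -ge $threshold |
    ForEach-Object { "ALERT: $($_.Name) reset $($_.Count) passwords since $since" }
```

The reset alert is deliberately simple; in practice you would also exempt the help-desk service account that legitimately resets passwords and alert on any reset of an account that sits in a privileged group.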

Changes to Security Group Membership

Unexpected changes to security group membership can indicate malicious activity, such as privilege escalation or
other insider threats. You need to know:

• Who was added or removed?
• Who made the change?
• When did the change happen?
• Where was the security group change made?
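The four group-membership questions above answered from the Security Group Management audit events, as an added PowerShell example (not code from the whitepaper or Netwrix). The six event IDs and their field order are the real ones for added/removed members of global, local and universal security groups; the DC name 'DC01', the window and the group 'Finance-Data-Owners' in the sensitive list are assumptions.

```powershell
# Added example, not from the whitepaper. Assumes 'Audit Security Group Management'
# (success) auditing and DC01 (assumed); changes are logged on the DC that made them.
$dc    = 'DC01'
$since = (Get-Date).AddHours(-24)

# Built-in privileged groups plus an assumed data-owner group; membership changes here are high priority
$sensitive = 'Domain Admins', 'Enterprise Admins', 'Schema Admins', 'Administrators',
             'Account Operators', 'Backup Operators', 'Finance-Data-Owners'

$meaning = @{
    4728 = 'added to global group';    4729 = 'removed from global group'
    4732 = 'added to local group';     4733 = 'removed from local group'
    4756 = 'added to universal group'; 4757 = 'removed from universal group'
}

$events = Get-WinEvent -ComputerName $dc `
    -FilterHashtable @{ LogName = 'Security'; Id = [int[]]$meaning.Keys; StartTime = $since } `
    -ErrorAction SilentlyContinue

$rows = foreach ($e in $events) {
    # Field order shared by these six events:
    # 0 MemberName (DN), 1 MemberSid, 2 TargetUserName (group), 3 TargetDomainName, 4 TargetSid,
    # 5 SubjectUserSid, 6 SubjectUserName, 7 SubjectDomainName, 8 SubjectLogonId, 9 PrivilegeList
    $p     = $e.Properties
    $group = $p[2].Value
    $prio  = if ($group -in $sensitive) { 'HIGH' } else { 'normal' }
    [pscustomobject]@{
        When     = $e.TimeCreated
        Action   = $meaning[$e.Id]
        Member   = $p[0].Value          # '-' when the member DN could not be resolved (e.g. foreign SID)
        Group    = $group
        By       = "$($p[7].Value)\$($p[6].Value)"
        DC       = $e.MachineName       # the DC that processed the change
        Priority = $prio
    }
}
$rows | Sort-Object Priority, When | Format-Table -AutoSize

# Membership changes to sensitive groups made outside an assumed change window (08:00-18:00)
$rows | Where-Object { $_.Priority -eq 'HIGH' -and ($_.When.Hour -lt 8 -or $_.When.Hour -ge 18) } |
    ForEach-Object { "ALERT: $($_.Member) $($_.Action) '$($_.Group)' by $($_.By) at $($_.When)" }
```

Because a removal event is logged with the same fields as an addition, the same rows also reveal the clean-up step of a temporary privilege grant, which is useful when checking that short-lived admin membership was actually revoked.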

Logon Attempts by a Single User from Multiple Endpoints

Attempts by a single user to log on from different endpoints are often a sign that someone has taken control of
their account, or is trying to. It is vital to flag and investigate this activity to find out:

• Which account attempted to log on from multiple endpoints?
• What were those endpoints?
• How many attempts were made from each endpoint?
• When did the suspicious activity begin?
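The "one user, many endpoints" detection above as an added PowerShell example (not code from the whitepaper or Netwrix). It uses the domain controller's Kerberos authentication events, which record the requesting address for every account regardless of which server the user was heading for. The event IDs are real; the DC name 'DC01', the one-hour window and the threshold of three distinct sources are assumptions.

```powershell
# Added example, not from the whitepaper. Assumes 'Audit Kerberos Authentication Service'
# (success and failure) auditing on DC01 (assumed). 4768 = TGT requested (Status 0x0 when
# successful), 4771 = Kerberos pre-authentication failed (wrong password, etc.).
$dc       = 'DC01'
$since    = (Get-Date).AddHours(-1)
$maxHosts = 3     # assumed: more distinct source addresses than this per account is suspicious

$events = Get-WinEvent -ComputerName $dc `
    -FilterHashtable @{ LogName = 'Security'; Id = 4768, 4771; StartTime = $since } `
    -ErrorAction SilentlyContinue

$rows = foreach ($e in $events) {
    $x = [xml]$e.ToXml(); $d = @{}
    foreach ($n in $x.Event.EventData.Data) { $d[$n.Name] = $n.'#text' }
    if ($d.TargetUserName -like '*$') { continue }    # computer accounts authenticate constantly; skip them here
    if ($e.Id -eq 4771) { $outcome = 'preauth failed' } elseif ($d.Status -eq '0x0') { $outcome = 'success' } else { $outcome = "failed ($($d.Status))" }
    [pscustomobject]@{
        User    = $d.TargetUserName
        Source  = $d.IpAddress -replace '^::ffff:', ''   # strip the IPv4-mapped IPv6 prefix
        Outcome = $outcome
        When    = $e.TimeCreated
    }
}

# Group per account, then per source address; report accounts seen from too many places
foreach ($acct in ($rows | Group-Object User)) {
    $bySource = $acct.Group | Group-Object Source
    if ($bySource.Count -le $maxHosts) { continue }
    "ALERT: $($acct.Name) authenticated from $($bySource.Count) sources since $since"
    foreach ($s in ($bySource | Sort-Object Count -Descending)) {
        $first = ($s.Group | Sort-Object When | Select-Object -First 1).When
        $fails = @($s.Group | Where-Object Outcome -ne 'success').Count
        '  {0,-20} attempts={1,-4} failures={2,-4} first seen={3}' -f $s.Name, $s.Count, $fails, $first
    }
}
```

A source with many failures followed by one success is the pattern to look at first; a spread of successes from addresses outside the user's normal subnet is the second. Both need every DC's log (or a collector), because the Kerberos events land on whichever DC answered the request.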

Changes to Group Policy

A single improper change to Group Policy can dramatically increase your risk of a breach or other security incident.
Using a tool to monitor this activity will make it easy to answer pressing questions like:

• What changes have been made to Group Policy?
• Who performed each change?
• When was each change made?
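The three Group Policy questions above answered with PowerShell, as an added example that is not code from the whitepaper or Netwrix. Directory Service Changes audit events give the "who"; GPO modification timestamps from the GroupPolicy module give a cross-check that needs no auditing but cannot name the actor. The event IDs and attribute names are real; the DC name 'DC01' and the seven-day window are assumptions.

```powershell
# Added example, not from the whitepaper. Assumes 'Audit Directory Service Changes'
# auditing with a SACL on the Policies container and on OUs, the GroupPolicy RSAT
# module, and DC01 (assumed) as the DC to query.
Import-Module GroupPolicy
$dc    = 'DC01'
$since = (Get-Date).AddDays(-7)

# 5136 = object modified, 5137 = object created, 5141 = object deleted
$events = Get-WinEvent -ComputerName $dc `
    -FilterHashtable @{ LogName = 'Security'; Id = 5136, 5137, 5141; StartTime = $since } `
    -ErrorAction SilentlyContinue

$rows = foreach ($e in $events) {
    $x = [xml]$e.ToXml(); $d = @{}
    foreach ($n in $x.Event.EventData.Data) { $d[$n.Name] = $n.'#text' }

    $isGpoObject = $d.ObjectClass -eq 'groupPolicyContainer'    # the GPO itself
    $isLinkEdit  = $d.AttributeLDAPDisplayName -eq 'gPLink'     # GPO linked/unlinked on an OU, domain or site
    if (-not ($isGpoObject -or $isLinkEdit)) { continue }

    # Resolve CN={guid} to the display name; a deleted GPO no longer resolves
    $gpoName = $null
    if ($isGpoObject -and $d.ObjectDN -match '^CN=\{([0-9A-Fa-f-]+)\}') {
        try   { $gpoName = (Get-GPO -Guid $Matches[1] -ErrorAction Stop).DisplayName }
        catch { $gpoName = '(deleted or unresolved)' }
    }
    $action = switch ($e.Id) { 5136 { 'modified' } 5137 { 'created' } 5141 { 'deleted' } }
    [pscustomobject]@{
        When      = $e.TimeCreated
        Action    = $action
        Gpo       = $gpoName
        Attribute = $d.AttributeLDAPDisplayName
        Value     = $d.AttributeValue
        Object    = $d.ObjectDN
        By        = "$($d.SubjectDomainName)\$($d.SubjectUserName)"
        OpId      = $d.OpCorrelationID   # one edit in the GPMC produces several events sharing this id
    }
}
$rows | Sort-Object When | Format-Table When, Action, Gpo, Attribute, By -AutoSize

# Cross-check: GPOs whose version changed in the window (no auditing required, but no actor)
Get-GPO -All | Where-Object ModificationTime -gt $since |
    Select-Object DisplayName, ModificationTime, Owner, GpoStatus
```

A GPO that shows up in the timestamp list but has no matching audit rows is the case to chase: either the change came through a DC you did not query, or auditing on the Policies container is incomplete. Settings stored in SYSVOL (the GPT side) are not covered by these events and need file auditing or a template comparison.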

Conclusion
The Active Directory security best practices laid out here are essential to strengthening your security posture.
Careful management of activities across the entire network that affect AD security will enable you to reduce your
attack surface area and to promptly detect and respond to threats, dramatically reducing your risk of suffering a
disastrous security incident.

Secure your Active Directory from end to end with Netwrix solutions

• Uncover security risks in Active Directory and prioritize your mitigation efforts
• Harden security configurations across your IT infrastructure
• Promptly detect and contain even advanced threats, such as DCSync and Golden Ticket attacks
• Respond to known threats instantly with automated response options
• Minimize business disruptions with fast Active Directory recovery

About Netwrix
Netwrix is a software company that enables information security and governance professionals to reclaim control
over sensitive, regulated and business-critical data, regardless of where it resides. Over 11,500 organizations
worldwide rely on Netwrix solutions to secure sensitive data, realize the full business value of enterprise content,
pass compliance audits with less effort and expense, and increase the productivity of IT teams and knowledge
workers. Founded in 2006, Netwrix has earned more than 150 industry awards and been named to both the Inc.
5000 and Deloitte Technology Fast 500 lists of the fastest growing companies in the U.S. For more information,
visit www.netwrix.com.

Next Steps
See Netwrix products — Explore the full Netwrix portfolio: netwrix.com/products

Get a live demo — Take a personalized product tour with a Netwrix expert: netwrix.com/livedemo

Request a quote — Receive pricing information: netwrix.com/buy

CORPORATE HEADQUARTERS: 300 Spectrum Center Drive, Suite 200, Irvine, CA 92618
PHONES: 1-949-407-5125; Toll-free (USA): 888-638-9749

OTHER LOCATIONS:
565 Metro Place S, Suite 400, Dublin, OH 43017: 1-201-490-8840
5 New Street Square, London EC4A 3TW: +44 (0) 203 588 3023
Spain: +34 911 982608; Netherlands: +31 858 887 804; Sweden: +46 8 525 03487; Switzerland: +41 43 508 3472;
France: +33 9 75 18 11 19; Germany: +49 711 899 89 187; Hong Kong: +852 5808 1306; Italy: +39 02 947 53539

SOCIAL: netwrix.com/social
