Re: [Q] Beef Up Active Directory

From: Danny (
Date: 06/09/05

  • Next message: Casey DeBerry: "Windows Server 2K Lockdown"
    Date: Thu, 9 Jun 2005 10:55:36 -0400
    To: Howard Sheen <>

    On 6/8/05, Howard Sheen <> wrote:
    > Hi!
    > First post to the list. :)
    > Now, I'm trying to find some solutions to beef up my Active Directory
    > environment.


    > But, I think there is something in need, like controlling peripheral
    > devices such as removable storage, NIC, and CD-RW.

    Go to, and search for a new GPO ADM file that was just
    released, or download it directly:

    > In addition, as you know, Domain Administrators' rights are so strong
    > and I think those accounts should be managed carefully
    > with some powerful authenticating method like OTP, Smartcard, Dongle
    > Key..whatever.

    RunAs is a powerful tool for eliminating administrator account overuse.

    > I found some, commercial, solutions for above requirements and in the
    > progress of testing
    > Device Lock from SmartLine :
    > Advanced authentication from Protocom :
    > What I want to know is
    > 1. Any other solutions for these requirements???
    > 2. Any BP (Best Practice) for beefing up AD ??
    > 3. Anything I need to consider more ???

    From an MS AD security Chat:

    Proactive Measure #1 Establish Secure Boundaries

    In Active Directory, the forest is the security boundary.
    To establish secure boundaries, carefully design your Active Directory
    logical structure:
    Identify all Active Directory deployment participants (business units
    / entities).
    Assess organizational, operational & legal requirements of all participants.
    For each requirement, determine autonomy and isolation needs.
    Assess the level of trust that you can bestow in your service
    administrators (forest owners and domain owners). Use the "Designing the
    Active Directory Logical Structure" document to design your Active
    Directory logical structure.
    Document location:

    Proactive measure #2 Establish Secure Collaboration

    Establish secure collaboration with other forests.
    Create a forest trust relationship only when all forest and all domain
    administrators are trusted individuals.

    Do not include users from other forests in any group that:

    1) is responsible for service management
    2) can manage membership of service administrator groups
    3) has admin control over computers that store protected data or
    4) has access to protected data / is responsible for management of
    users/groups that have acce

    Establish secure collaboration with external domains

    Consider the risk of using SID History & the impact of enabling SID filtering,
    and remember, SID History is only meant to be an interim state of a
    user object to preserve access during migration.

    Proactive Measure #3 Deploy DCs Securely

    Establish secure DC build practices and, as far as possible, automate
    the build process.
    Build your DCs in a secure environment, limit physical access to DCs
    to trusted personnel only, promote and operate new DCs in a restricted
    access area.
    Ensure predictable, repeatable & secure DC deployments by installing
    Windows Server 2003 with the latest service packs & hot-fixes, creating a
    strong password for the Administrator account on DCs, and running
    virus-scanning software on the server.
    Virus scanning recommendations on DCs: MS KB Article ID 822158

    Proactive Measure #4 Physically Secure Domain Controllers

    Physically secure every Domain Controller in your organization.
    Secure DCs against physical access.
    Prevent DCs from booting into an alternate OS.
    Protect DCs on restart by using SYSKEY.
    Secure all backup media against physical access.
    Enhance network infrastructure security.
    Secure the remote restart of domain controllers.

    #5 Strengthen Policy Settings:

    Increase domain security by establishing: Password policy, Account
    lockout policy and Kerberos policy settings.

    #6 Establish Secure Administrative Practices

    Make only the most highly trustworthy personnel Service Admins.
    Perform rigorous background checks and require high security
    clearance. Minimize the total number of Service Admins to a bare minimum.
    Delegate data administration to data admins.

    Establish & enforce an admin code of ethics & policies that clearly
    state the consequences of abuse of admin power.

    #7 Secure Service Administrator Accounts and Workstations

    Secure Service Administrator accounts: Limit exposure of Service Admin
    accounts, Hide Service Admin group memberships, Only assign
    trustworthy personnel from within the forest, Control administrative
    logons by requiring smart cards and sharing logons for

    Secure Service Administrator workstations: Restrict service admin
    logon to admin workstations, Prohibit use of cached credentials in
    unlocking administrative workstations, Avoid running applications in
    Service Admin contexts, Run antivirus software on adm

    #8 Delegate Administrative Authority Securely

    Delegate administrative authority based on the principle of least
    privilege. Use administrative roles to delegate admin authority.
    Additionally, restrict Group Policy mgmt to highly trusted individuals.
    Delegate group creation ability to trusted individuals.

    Understand the ramifications of the creator-owner concept. Ensure that Service
    Administrators own partition roots.

    Read the "Best Practices Guide to Delegating Administration in Active
    Directory" whitepaper.

    #9 Secure your DNS Infrastructure

    Using Active Directory-integrated DNS is highly recommended. It implements
    secure dynamic update with integrated Windows Security protection. In
    Windows Server 2003, it offers quotas to limit the number of DNS resource
    records that can be registered.

    #10 Restrict Anonymous Access

    The ability to restrict anonymous access is dependent on the existing need to
    allow anonymous access. Some traditional services & programs rely on
    anonymous access to DCs: applications and services running on machines
    in the System security context on NT 4.0 machines,

    Determine whether any applications require anonymous access to Active
    Directory data. If possible, eliminate the requirement for anonymous Active
    Directory access. Proceed to restrict anonymous access to Active
    Directory data only after eliminating all requirements.
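A read-only PowerShell audit that checks a domain against several of the proactive measures quoted above (#2 SID History, #5 policy settings, #6/#7 service admin accounts, #9 DNS, #10 anonymous access). This is an added example, not code from the original post, from the mailing list or from Microsoft. It assumes the RSAT ActiveDirectory module is available, that the registry and DNS checks are run locally on a domain controller with the DnsServer module installed, and that the helper name Add-Finding and the numeric thresholds (14-character minimum, 24 remembered passwords, 5 Domain Admins) are local choices, not Microsoft guidance.

```powershell
# Added example (not from the original post): read-only audit of a domain
# against several of the proactive measures in the quoted MS chat.
# Assumptions: RSAT ActiveDirectory module; run on a DC for the registry and
# DNS checks (DnsServer module); thresholds below are assumed local values.
Import-Module ActiveDirectory

$Findings = New-Object System.Collections.Generic.List[string]
function Add-Finding([string]$Measure, [string]$Text) {   # assumed helper name
    $Findings.Add("[$Measure] $Text")
}

# Measure #5: password and lockout policy on the domain root.
# Kerberos policy lives in the Default Domain Policy GPO, not in this cmdlet;
# review it with: Get-GPOReport -Name 'Default Domain Policy' -ReportType Html
$Policy = Get-ADDefaultDomainPasswordPolicy
if ($Policy.MinPasswordLength -lt 14)    { Add-Finding '#5' "MinPasswordLength is $($Policy.MinPasswordLength) (assumed floor: 14)" }
if (-not $Policy.ComplexityEnabled)      { Add-Finding '#5' 'Password complexity is disabled' }
if ($Policy.LockoutThreshold -eq 0)      { Add-Finding '#5' 'Account lockout is disabled (LockoutThreshold = 0)' }
if ($Policy.PasswordHistoryCount -lt 24) { Add-Finding '#5' "PasswordHistoryCount is $($Policy.PasswordHistoryCount) (assumed floor: 24)" }

# Measure #2: sIDHistory should be empty once a migration has finished.
foreach ($Obj in (Get-ADObject -LDAPFilter '(sIDHistory=*)' -Properties sIDHistory)) {
    Add-Finding '#2' "$($Obj.DistinguishedName) still carries sIDHistory ($($Obj.sIDHistory -join ', '))"
}

# Measures #6 and #7: keep service admins few, and require smart-card logon.
$Admins = @(Get-ADGroupMember -Identity 'Domain Admins' -Recursive |
            Where-Object { $_.objectClass -eq 'user' } |
            Get-ADUser -Properties SmartcardLogonRequired, PasswordNeverExpires)
if ($Admins.Count -gt 5) { Add-Finding '#6' "Domain Admins has $($Admins.Count) user members (assumed ceiling: 5)" }
foreach ($Admin in $Admins) {
    if (-not $Admin.SmartcardLogonRequired) { Add-Finding '#7' "$($Admin.SamAccountName) does not require smart-card logon" }
    if ($Admin.PasswordNeverExpires)        { Add-Finding '#7' "$($Admin.SamAccountName) has PasswordNeverExpires set" }
}

# Measure #10: anonymous access. LSA values are read from the local machine,
# so this part must run on a DC. A dSHeuristics 7th character of '2' permits
# anonymous LDAP operations forest-wide.
$Lsa = Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
if ($Lsa.RestrictAnonymous -ne 1)         { Add-Finding '#10' "RestrictAnonymous = $($Lsa.RestrictAnonymous) (expected 1)" }
if ($Lsa.RestrictAnonymousSAM -ne 1)      { Add-Finding '#10' "RestrictAnonymousSAM = $($Lsa.RestrictAnonymousSAM) (expected 1)" }
if ($Lsa.EveryoneIncludesAnonymous -eq 1) { Add-Finding '#10' 'EveryoneIncludesAnonymous is enabled' }
$DsServiceDn = 'CN=Directory Service,CN=Windows NT,CN=Services,' + (Get-ADRootDSE).configurationNamingContext
$Heur = [string](Get-ADObject -Identity $DsServiceDn -Properties dSHeuristics).dSHeuristics
if ($Heur.Length -ge 7 -and $Heur[6] -eq '2') { Add-Finding '#10' "dSHeuristics '$Heur' allows anonymous LDAP operations" }

# Measure #9: primary zones should be AD-integrated with secure dynamic update only.
if (Get-Command Get-DnsServerZone -ErrorAction SilentlyContinue) {
    foreach ($Zone in (Get-DnsServerZone | Where-Object { -not $_.IsAutoCreated -and $_.ZoneType -eq 'Primary' })) {
        if (-not $Zone.IsDsIntegrated)            { Add-Finding '#9' "Zone $($Zone.ZoneName) is not AD-integrated" }
        elseif ($Zone.DynamicUpdate -ne 'Secure') { Add-Finding '#9' "Zone $($Zone.ZoneName) allows '$($Zone.DynamicUpdate)' dynamic update" }
    }
}

if ($Findings.Count -eq 0) { 'No findings.' } else { $Findings }
```

Every check is a read; nothing is changed, so the script can be run repeatedly as a drift check after a hardening pass. Findings for SID History and for zones that allow non-secure dynamic update are the ones most often left behind after a migration, which is exactly the interim state the chat warns about.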

