Geeks With Blogs
Technically Speaking All in on IT

From the Microsoft TechNet Security newsletter! For more detail on each item, read the full post here from an article by Sean Deuby. The enlightening tidbits below are my own two cents …

1. Document What You Have – you will forget it or leave the company!
2. Control Your Administration – a solid foundation makes everything more secure.
3. Limit the Number of Administrators – the fewer the chefs the better the dish.
4. Test Group Policy Settings – it does what you wanted it to do, right?
5. Use Separate Administrative Accounts – dang, that Trojan went from my desktop to the domain controller!
6. Restrict Elevated Built-In Groups – GPO restricted groups are great at making sure the local admin group membership stays as you intended.
7. Use a Dedicated Terminal Server for Administration – I hadn't been exposed to this idea before but it is a good one.
8. Disable Guest and Rename Administrator – we all do this, right?
9. Limit Access to the Administrator Account – say no more.
10. Watch the DSRM Password –  local operators can copy your ntds.dit and then your AD is mine …
11. Enforce Strong Password Rules – does this need explaining?
12. Protect the Service Account’s Password – more great advice for managing with OUs.
13. Make Sure that Each DC is Physically Secure – if I have physical access to your AD it is mine!
14. Minimize Unnecessary Services and Open Ports – reduce your attack surface at every opportunity.
15. Make the DC Time Source Secure – time impacts authentication.
16. Audit Important Events – does your company get audited? How will you know what is happening to your servers?
17. Use IPsec – keeps the bad traffic away from your domain controllers. Think Trojans and malware.
18. Don’t Store LAN Manager Hash Values
19. Don’t Forget Your Business Practices

Posted on Thursday, July 13, 2006 5:49 AM | Back to top

Comments on this post: 19 Smart Tips for Securing Active Directory

No comments posted yet.
Your comment:
 (will show your gravatar)

Copyright © Chris Haaker | Powered by: