Monday, May 25, 2015

Securing Active Directory with the Least Privilege Principle

I have been working for the last number of weeks on a project to secure AD and to reduce the attack surface of AD.

If you are not on board with why you need to secure AD from compromise, and to establish good security work habits, please view one or more of the following videos. These show how incredibly easy it is for a hacker to break into your systems.

From Microsoft Ignite 2015.

The next step is to review and become familiar with Microsoft's Best Practices for Securing Active Directory.
http://www.microsoft.com/en-ca/download/details.aspx?id=38785

Some of the key components of these documents and videos are:
  • Set up your Active Directory so that there are normally ZERO members of the privileged groups.
    Use a role-based "Least Privilege Principle" and elevate your senior admin into Domain Admins only for the duration required to perform the task.
  • Never assign a Service Account to the Privileged Groups (Domain Admin).
    It is easy for a hacker to ask a server what Service Accounts exist, and then they can focus their attack on those accounts.
  • Never log in to a workstation with a Domain Admin ID.
  • Set up Alerts for logins to workstations from any members of the AD Privileged groups.
  • Restrict access to back-end servers from anything but their corresponding front-end servers.
  • Enable Firewall and IPsec rules to only allow access to important servers from trusted hosts using trusted IDs.
  • ...
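The first three bullets above (zero standing members of the privileged groups, no service accounts in them, and alerting on privileged logons to workstations) come down to two recurring checks. The script below is an added example written for this post, not code from Microsoft's guidance. It assumes the RSAT ActiveDirectory module is installed, that the four group names listed are the ones you treat as privileged, and that the account running it can read the target workstation's Security log. The first function reports every nested user in those groups and flags accounts that carry a ServicePrincipalName (the usual sign of a service account); the second reads event 4624 from a workstation and returns interactive, unlock and RDP logons by any of those users.

```powershell
# Added example (not from the original post): audit the privileged groups for
# standing members and service accounts, then scan a workstation's Security log
# for interactive logons by those members.
# Assumes: RSAT ActiveDirectory module; rights to read the remote Security log.
Import-Module ActiveDirectory

# Groups Microsoft's guidance treats as the core privileged groups (assumed list).
$PrivilegedGroups = @('Domain Admins', 'Enterprise Admins', 'Schema Admins', 'Administrators')

function Get-PrivilegedMembers {
    # Returns every nested user member of the privileged groups, flagging
    # accounts that hold an SPN (service accounts) and accounts whose
    # password never expires. An empty result is the goal state.
    foreach ($group in $PrivilegedGroups) {
        Get-ADGroupMember -Identity $group -Recursive |
            Where-Object { $_.objectClass -eq 'user' } |
            ForEach-Object {
                $u = Get-ADUser -Identity $_.distinguishedName `
                        -Properties ServicePrincipalName, PasswordNeverExpires, LastLogonDate
                [pscustomobject]@{
                    Group                = $group
                    SamAccountName       = $u.SamAccountName
                    IsServiceAccount     = ($u.ServicePrincipalName.Count -gt 0)
                    PasswordNeverExpires = $u.PasswordNeverExpires
                    LastLogonDate        = $u.LastLogonDate
                }
            }
    }
}

function Find-PrivilegedWorkstationLogons {
    # Reads event 4624 (successful logon) from a workstation's Security log and
    # returns Interactive (2), Unlock (7) and RemoteInteractive (10) logons by
    # any account named in $PrivilegedNames. Network logons (3) are ignored so
    # that file-share and WMI traffic from admins does not drown the alert.
    param(
        [string]$ComputerName = $env:COMPUTERNAME,
        [string[]]$PrivilegedNames,
        [int]$Hours = 24
    )
    $filter = @{ LogName = 'Security'; Id = 4624; StartTime = (Get-Date).AddHours(-$Hours) }
    Get-WinEvent -ComputerName $ComputerName -FilterHashtable $filter -ErrorAction SilentlyContinue |
        ForEach-Object {
            # Pull fields by name from the event XML instead of parsing the message text.
            $xml  = [xml]$_.ToXml()
            $data = @{}
            foreach ($d in $xml.Event.EventData.Data) { $data[$d.Name] = $d.'#text' }
            [pscustomobject]@{
                Time      = $_.TimeCreated
                Computer  = $ComputerName
                User      = $data['TargetUserName']
                Domain    = $data['TargetDomainName']
                LogonType = [int]$data['LogonType']
                Source    = $data['IpAddress']
            }
        } |
        Where-Object { $_.LogonType -in 2, 7, 10 -and $PrivilegedNames -contains $_.User }
}

# Report: who is currently a standing member, and which of them look like service accounts.
$members = Get-PrivilegedMembers
$members | Format-Table -AutoSize
$members | Where-Object IsServiceAccount | ForEach-Object {
    Write-Warning "$($_.SamAccountName) holds an SPN but is a member of $($_.Group)"
}

# Alert: any privileged account that logged on interactively to this workstation in the last day.
$hits = Find-PrivilegedWorkstationLogons -PrivilegedNames ($members.SamAccountName | Sort-Object -Unique)
if ($hits) {
    $hits | Format-Table -AutoSize
    Write-Warning "$($hits.Count) privileged logon(s) on $env:COMPUTERNAME in the last 24 hours"
}
```

Run the audit on a schedule and treat any non-empty membership report as a finding: under the zero-standing-members model, a name in Domain Admins outside an approved elevation window is itself the alert. The logon scan is meant to be pointed at workstations (or fed into your SIEM as the rule logic); on a domain controller or jump host the same logon types are expected and would only generate noise.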
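For the last two bullets (back-end servers reachable only from their front-end servers, enforced by firewall and IPsec rules), the following is an added example of one way to express that on a Windows Server 2012-or-later back-end host. It is not configuration from the post or from Microsoft's documents; the subnet, port and group name are assumed placeholders. The IPsec rule requires the peer to authenticate (Kerberos for domain members by default), and the firewall rule then admits only the authenticated computer accounts that belong to a dedicated front-end group.

```powershell
# Added example (not from the original post): restrict a back-end SQL port so
# only front-end web servers, authenticated over IPsec as members of an AD
# group, can reach it. Run on the back-end server with administrator rights.
Import-Module NetSecurity
Import-Module ActiveDirectory

$FrontEndHosts = '10.0.10.0/24'            # assumed: front-end server subnet
$FrontEndGroup = 'FrontEnd-Web-Servers'    # assumed: AD group holding the front-end computer accounts
$BackEndPort   = 1433                      # assumed: SQL Server listener

# -RemoteMachine takes an SDDL string; allow (A) only the front-end group's SID.
$groupSid = (Get-ADGroup -Identity $FrontEndGroup).SID.Value
$sddl     = "O:LSD:(A;;CC;;;$groupSid)"

# 1. Make sure inbound traffic is denied unless a rule allows it.
Set-NetFirewallProfile -All -DefaultInboundAction Block

# 2. Require IPsec authentication for anything arriving on the back-end port.
New-NetIPsecRule -DisplayName "Require auth to TCP $BackEndPort" `
    -InboundSecurity Require -OutboundSecurity Request `
    -Protocol TCP -LocalPort $BackEndPort

# 3. Allow the port only from the front-end subnet, and only for peers whose
#    authenticated computer account is in the front-end group.
New-NetFirewallRule -DisplayName "TCP $BackEndPort from front-end servers only" `
    -Direction Inbound -Protocol TCP -LocalPort $BackEndPort `
    -RemoteAddress $FrontEndHosts -RemoteMachine $sddl `
    -Authentication Required -Action Allow
```

The two conditions are deliberately layered: the address filter stops casual scans from other subnets, and the authenticated-machine filter stops a host that has been given a front-end address (or a compromised front-end whose computer account was removed from the group) from reaching the port. Verify with `Get-NetFirewallRule -DisplayName "TCP 1433*" | Get-NetFirewallSecurityFilter` that the rule shows `Authentication : Required` before relying on it.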