I also see questions come up all the time about people wanting to know how to secure their machines.
Although there is no single answer for every environment, there are some good guidelines released by Microsoft and various US Federal agencies that can help out.
In my opinion there are a handful of universal rules that apply to any Active Directory environment.
Universal Rule #1: Limit the number of enterprise and domain administrators. I've seen plenty of organizations lock down their systems and take a lot of good security measures, and then you look and there could be 50-100 (or more) domain admins.
Domain admins have control over every aspect of your domain; in fact, a domain admin can take control of your entire forest.
It is important to limit these very powerful accounts. Limiting admins also limits the number of inadvertent mistakes that can cause issues.
Universal Rule #2: See Rule #1 :)
Universal Rule #3: Don't give your users admin rights to their PCs. This seems like a no-brainer, but I was involved in a question on one of the boards recently where the admin's boss mandated that he make all the users admins on their machines.
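A quick way to put numbers on Rules #1 and #3 is to audit the privileged groups yourself. The script below is an added example, not part of the original post; it assumes the RSAT ActiveDirectory module on a domain-joined machine, and the threshold of 10 is an assumed starting point rather than a standard.

```powershell
# Added example: count recursive membership of the privileged AD groups (Rule #1)
# and list local Administrators on this machine (Rule #3).
# Assumes the ActiveDirectory module is installed; the threshold is an assumption.
Import-Module ActiveDirectory

$Threshold = 10
$PrivilegedGroups = @('Domain Admins', 'Enterprise Admins', 'Schema Admins', 'Administrators')

foreach ($Group in $PrivilegedGroups) {
    try {
        # -Recursive expands nested groups, so a user three groups deep still counts
        $Members = Get-ADGroupMember -Identity $Group -Recursive -ErrorAction Stop |
            Where-Object { $_.objectClass -eq 'user' } |
            Sort-Object -Property distinguishedName -Unique
    } catch {
        # Enterprise/Schema Admins only exist in the forest root domain
        Write-Output ("{0,-20} not found in this domain ({1})" -f $Group, $_.Exception.Message)
        continue
    }

    $Detail = foreach ($Member in $Members) {
        Get-ADUser -Identity $Member.distinguishedName -Properties Enabled, LastLogonDate |
            Select-Object SamAccountName, Enabled, LastLogonDate
    }

    $Count = @($Detail).Count
    $Flag = if ($Count -gt $Threshold) { 'REVIEW' } else { 'ok' }
    Write-Output ("{0,-20} {1,4} user member(s)  [{2}]" -f $Group, $Count, $Flag)

    # Disabled or long-idle accounts that still hold admin rights are the easiest removals
    $Detail |
        Where-Object { -not $_.Enabled -or $_.LastLogonDate -lt (Get-Date).AddDays(-90) } |
        ForEach-Object { Write-Output ("    disabled/stale: {0}" -f $_.SamAccountName) }
}

# Rule #3: who is a local administrator on this workstation? (Windows PowerShell 5.1+)
Write-Output "`nLocal Administrators on ${env:COMPUTERNAME}:"
Get-LocalGroupMember -Group 'Administrators' |
    Select-Object Name, ObjectClass, PrincipalSource |
    Format-Table -AutoSize
```

Run it from an account that can read group membership; anything flagged REVIEW or listed as disabled/stale is a candidate for removal after you confirm who actually needs the right.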
So now you have limited admins and you have a good anti-virus program and are patching your servers with the appropriate patches.
What other guidelines are out there to help an admin secure AD and their servers?
The following is a list of some guides that should get most organizations going in the right direction:
- NSA Security Guides
Yes, the NSA does more than electronic work, and their security guides are really in-depth with a lot of good information.
- DISA Security Checklists
The Defense Information Systems Agency (DISA) is another US Federal agency. These checklists are similar to the NSA guides.
- DISA Active Directory STIG
STIGs are DISA's Security Technical Implementation Guides, and this one is particular to Active Directory.
- Microsoft Best Practice Guide for Securing Active Directory
Microsoft's best practices for securing Active Directory
- Microsoft Server 2003 Security Guide
Microsoft's guide on how to harden Windows Server 2003
- Microsoft Windows Server 2008 Security Guide
Similar to the 2003 guide but for 2008
- Federal Desktop Core Configuration (FDCC)
Although not for servers, FDCC is a mandate for US Federal agencies, and these lockdowns can help all organizations.
UPDATE via comments from Garrett. Thanks Garrett!!
The Active Directory STIG has been deprecated by the all-encompassing Directory Services STIG. While it has sections for specific software (like AD), it also contains overarching security guidelines that transcend all implementations of Directory Services.
Those guides are a really good place to start if you want to learn more about securing your Windows Servers and AD Infrastructure.
This all leads me to Universal Rule #4...
Don't just blindly install security templates, and don't lock down Active Directory or your servers without testing, testing, testing. This may seem like common sense, but again I've seen many incidents where servers or AD were hardened and then users lost functionality or other major problems arose because the lockdowns were not tested. It is important to be secure, but at the end of the day it is also important for our users/customers to be able to function and do their jobs.
You say you don't have a test lab? To address that, I'll defer to a quote from the great Don Hacherl; you can think of him as the godfather of Active Directory.
"You do, in fact, have a lab environment. What you do not have is a production environment."
These are by no means the only guides for securing AD or your Windows Servers. There are also good books and plenty of blogs and other guides. Please feel free to leave comments about your experiences with security and AD.