How do you secure Active Directory and Windows Servers? ~ My blog about Active Directory and everything else

Thursday, April 30, 2009

How do you secure Active Directory and Windows Servers?

Computer security is a big concern these days, and securing your Active Directory and Windows Servers is one of the most important things we can do as admins and engineers.

I also see questions come up all the time about people wanting to know how to secure their machines.

Although there is not one answer for every environment, there are some good guidelines released by Microsoft and various US Federal agencies that can help out.

In my opinion there are a handful of universal rules that apply to any Active Directory environment.

Universal Rule #1

Limit the number of enterprise and domain administrators. I've seen plenty of organizations lock down their systems and take a lot of good security measures, and then you look and there could be 50-100 (or more) domain admins.

Domain admins have control over every aspect of your domain; in fact, a domain admin can take control of your entire forest.

It is important to limit these very powerful accounts. Limiting admins also limits the number of inadvertent mistakes that can cause issues.

Universal Rule #2

See Rule #1 :)

Universal Rule #3

Don't give your users admin rights to their PCs. This seems like a no-brainer, but I was involved in a question on one of the boards recently where the admin's boss had mandated that he make all the users admins on their machines.
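One way to check how you stand on Rules #1 and #3 is to actually enumerate the membership of the powerful groups and of a workstation's local Administrators group. The script below is an added example, not part of the original post; it assumes the ActiveDirectory PowerShell module (RSAT) is installed, that you have read access to the domain, and the values $Threshold and $Workstation are placeholders you would replace.

```powershell
# Added example (not from the original post): audit who really holds
# domain-wide and local administrative rights.
# Assumes the ActiveDirectory module is available and you can read the domain.
Import-Module ActiveDirectory

$Threshold   = 10          # constructed: how many admins you consider "too many"
$Workstation = 'WKS001'    # constructed placeholder computer name

# Rule #1 / #2: who is really a Domain Admin, Enterprise Admin, etc.?
# -Recursive expands nested groups, which is where surprise members hide.
foreach ($group in 'Domain Admins', 'Enterprise Admins', 'Schema Admins', 'Administrators') {
    $members = @(Get-ADGroupMember -Identity $group -Recursive |
                 Where-Object { $_.objectClass -eq 'user' } |
                 Sort-Object -Property SamAccountName -Unique)
    Write-Host ("{0}: {1} user(s)" -f $group, $members.Count)
    $members | ForEach-Object { Write-Host ("    " + $_.SamAccountName) }
    if ($members.Count -gt $Threshold) {
        Write-Warning "$group has more than $Threshold members; review each one."
    }
}

# Rule #3: are ordinary users local administrators on their PCs?
# The ADSI WinNT provider works against older clients that lack the
# newer Get-LocalGroupMember cmdlet.
$localAdmins = [ADSI]"WinNT://$Workstation/Administrators,group"
$names = $localAdmins.psbase.Invoke('Members') | ForEach-Object {
    # Each member is a COM object; pull its Name property via reflection.
    $_.GetType().InvokeMember('Name', 'GetProperty', $null, $_, $null)
}
Write-Host "Local Administrators on ${Workstation}:"
$names | ForEach-Object { Write-Host ("    " + $_) }
```

Run it against a handful of representative workstations and keep the output; the same listing next quarter shows whether admin counts are creeping back up.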

So now you have limited admins and you have a good anti-virus program and are patching your servers with the appropriate patches.

What other guidelines are out there to help an admin secure AD and their servers?

The following is a list of some guides that should get most organizations going in the right direction.

  1. NSA Security Guides
    Yes, the NSA does more than electronic surveillance, and their security guides are really in depth and have a lot of good information.

  2. DISA Security Checklists
    The Defense Information Systems Agency (DISA) is another US Federal agency. These checklists are similar to the NSA guides.

  3. DISA Active Directory STIG
    STIGs are DISA's Security Technical Implementation Guides, and this one is specific to Active Directory.

  4. Microsoft Best Practice Guide for Securing Active Directory
    Microsoft's best practices for securing Active Directory.

  5. Microsoft Server 2003 Security Guide
    Microsoft's guide on how to harden Windows Server 2003.

  6. Microsoft Windows Server 2008 Security Guide
    Similar to the 2003 guide, but for Windows Server 2008.

  7. Federal Desktop Core Configuration (FDCC)
    Although not for servers, FDCC is a mandate for US Federal agencies, and these lockdowns can help all organizations.

UPDATE via comments from Garrett - Thanks Garrett!!

The Active Directory STIG has been deprecated by the all-encompassing Directory Services STIG. While it has sections for specific software (like AD), it also contains overarching security guidelines that transcend all implementations of Directory Services.

Those guides are a really good place to start if you want to learn more about securing your Windows Servers and AD Infrastructure.

This all leads me to Universal Rule #4...

Universal Rule #4

Don't just blindly install security templates, and don't lock down Active Directory or your servers without testing, testing, testing. This may seem like common sense, but again I've seen many incidents where servers or AD were hardened and then users lost functionality, or other major problems arose, because the lockdowns were not tested. It is important to be secure, but at the end of the day it is also important for our users/customers to be able to function and do their jobs.

You say you don't have a test lab? To address that issue I'll defer to a quote by the great Don Hacherl - you can think of him as the godfather of Active Directory.

"You do, in fact, have a lab environment. What you do not have is a production environment."

These are by no means the only guides for securing AD or your Windows Servers. There are also good books and plenty of blogs and other guides. Please feel free to leave comments about your experiences with security and AD.


  1. Hey Mike,

    The Active Directory STIG has been deprecated by the all-encompassing Directory Services STIG. While it has sections for specific software (like AD), it also contains overarching security guidelines that transcend all implementations of Directory Services.

  2. Excellent comment Garrett - I've updated the blog with the new info. Thanks man!!

  3. Hi Mike,

    I'm Sarah, Project Coordinator for a community based voluntary effort, commissioned by former Microsoft Program Manager for Active Directory security, that is aimed at helping organizations gain a better understanding of administrative delegation in Active Directory.

    The website currently helps IT admins and IT managers understand how to correctly verify, assess, audit and report delegated access in Active Directory. It also provides a helpful reference section.

    In the spirit of collaboration, we're planning on introducing helpful articles and welcome informative contributions from IT admins and architects who have an interest in the field.

    The benefits of contribution include the opportunity to share your experience and knowledge with others, the opportunity to gain recognition within the community, and the opportunity to increase the visibility of your blog / website.

    We came across your blog and thought we'd drop you a note in case you might be interested. You're welcome to visit us online, and should you wish to contribute, please feel free to contact us (details on how to contact us are on the ABOUT page of the website.)

    We wish you all the very best and look forward to hearing from you.

    Kind Regards,