Active Directory Security Best Practices
Making sure that your Active Directory is secure is one of the most important tasks for any Active Directory administrator. Without a proper security strategy in place, highly sensitive data and vital user credentials risk falling into the hands of unauthorized individuals. This can have a major impact on the entire organization.
In this article we’ll go through some Active Directory security best practices that you can employ to strengthen the security of your Active Directory. But before we dive into the more advanced stuff, let’s go through some rudimentary tips that you should implement right away.
PUBLISHED 29 SEPTEMBER 2019
Helping you make the most out of vScope
6 Quick Active Directory Security Tips
1. Implement Principles of Least Privilege for Roles and Groups
Make sure that users in your environment follow the “Least Privilege Principle”. I.e. at any given point of time, all users must have the exact amount of permissions and access that they need. No more and no less.
This sounds like an easy task, but it can snowball into an avalanche when the number of users grows. Avoid this by applying a Role-Based Access model, which means that you don’t assign permissions straight to users. First, you assign permissions to a role and then assign that role to a user. So if you want to change a users access rights, you change their role. In the future, if you want to modify a role, you do it in a single place instead of doing it manually for each user.
2. Start using 2-factor Authentication
Using two-factor authentication (2FA) is a simple way to make your Active Directory more secure. 2FA is supported in the Active Directory and it basically means that users need to present something in addition to their password when logging in to their account to prove their authenticity. This prevents password theft by providing another layer of Active Directory security.
3. Use a Secure Admin Workstation (SAW)
When performing any administrative task with your admin account, it’s recommended to use a secure admin workstation, also known as a SAW. It’s basically a workstation where you pull out all connections to make it as secure as possible. This can mean anything from blocking internet access, restricting USB-ports, installing high-quality anti-malware and AV protection, enabling full disk encryption and much more. Learn more about SAW’s over at Microsoft IT Showcase.
4. Make sure your Domain Controllers stays up-to-date
Cyber attackers are getting smarter every day, that’s why you need to be one step ahead of the game by ensuring that you are protected against the latest vulnerabilities. It’s vital that your domain controllers, the backbone of your Active Directory, are running the latest patches. Head on over to my other post “Patch Management Best Practices” to learn more.
5. Disable all local “Administrator” accounts on your domain computers
Why? Well first off, you never want a hacker to gain admin rights in any shape or form, even if its limited to a single computer. In general these accounts are well known by hackers, making them targets for attacks. Even if you re-named the accounts, their SID (Security Identifier) will remain the same.
Additionally, these local admin accounts are often configured with the same password for every computer in the domain. That’s why it’s best to disable these accounts and instead use your own admin account to perform admin tasks on these computers.
Want some help along the way? Our Active Directory Optimization & Security pack for vScope includes analysis that finds these exact accounts.
6. Keep your Active Directory tidy!
I can’t stress this enough, by just keeping the Active Directory neat and tidy you can avoid many different issues. One of the biggest contributing factors to a messy Active Directory, are inactive accounts. So how about we start the deep dive by going through how you’re supposed to handle inactive accounts.
How to manage inactive accounts for optimal Active Directory Security
There are a lot of domains out there that have a high number of inactive accounts, user accounts that have not logged on in over 3-6 months. What’s even more frightening is that many organizations don’t have a policy or process in place on how to manage these old accounts. Sure these accounts may appear harmless, but it’s not that simple.
Potential intruders will most likely target these accounts as their malicious activity will go unnoticed. Furthermore, ex-employees can misuse their old login credentials to access network resources if a proper procedure isn’t in place.
Lastly, not only does removing inactive accounts help keeping your Active Directory secure from attacks, but it also makes your Active Directory less cluttered and easier to navigate.
To help our users, vScope Inventorying & Reporting features reports that list user accounts that have not logged in for 3 or 6 months. If the timespan is not suitable for your organization you can easily customize it.
What to do when an account passes your time limit and becomes inactive
When deciding the period of time before an account is removed after begin disabled, make sure to take into consideration that some employees can be on parental leave. However, by enabling the Active Directory Recycling Bin, and keeping the HR department up-to-speed with deletion activities, you can always restore accounts if any mistakes were to happen.
Password Best Practices for improved Active Directory Security
By now most hackers are very familiar with the default settings in the Active Directory, and they know how to navigate around them. It’s therefore highly advised to implement some changes to make it a little harder for potential intruders.
When we are talking about security, the first thing that comes to mind are passwords. There are a several different settings and policies that can be implemented to strengthen the password quality across the organization. Here’s the most common and important ones:
1. Enforce password history
This decides the number of old passwords that are stored in the Active Directory. Preventing users from reusing old passwords. Default value: 24 passwords.
2. Maximum password age
Pretty self-explanatory. After a password’s age reaches the maximum password age the system will prompt the user to change the password, ensuring that users regularly change the password. Default value: 42 days, however, many organizations have policies stating that passwords need to be changed monthly.
3. Minimum password length
Also self-explanatory, but bear in mind that if you specify this value to be =0, no password while be required. Default value: 7 characters. Most experts recommend having a 8-10 characters minimum. However more and more experts are recommending passphrases instead, read more about that at Password Dragon.
4. Minimum password age
This is a setting that some people have a hard time understanding, why is it even needed? Well, this goes hand in hand with the “Enforce password history” setting. If a user can change their password back to back it doesn’t matter how many old passwords you log in your Active Directory. Users simply need to change enough times until they can use their old password again Default value: 1 day. There is no point in having a value higher than this, the only thing that you will achieve is more work for the administrator as people won’t be able to change their password themselves if it gets compromised.
5. Password must meet complexity requirements
If the policy is enabled, a user cannot use the account name in a password (not more than 2 symbols of a username or firstname in a row), 3 types of symbols must be used in the password: numbers (0–9), uppercase letters, lowercase letters and special characters ($, #, %, etc.). Default value: Enabled.
6. Account Lockout Threshold
This setting decides the number of failed sign-in that can be made by a user before they are locked out of their account. Default value: 0. As this setting protects your user accounts from being brute-forced it’s definitely one of the default values that you should change.
7. Account Lockout Duration
This decides the duration of the lockout that occurs. Default value: Not Set. Make sure to change this to a reasonable duration, to protect from brute-force attacks.
For large organizations with several group policies and even more user accounts to keep track of all these settings, and every once in awhile, mistakes happen. If you’re comfortable with scripting there are several ways for you to check your Active Directory for any wrong configurations.
If not, you can use vScope to do the job for you. Not only does vScope have pre-packaged analyses that check for user accounts with riskful passwords settings, but you can also create custom analyses that fit your internal policies. Check out the Active Directory Optimization & Security pack to see all the possibilities.
High-risk configurations in the Active Directory
The Active Directory is highly flexible, but this flexibility also means that you need to be careful with certain settings & configurations. For example, something that’s not widely known is that you can have a blank password on an Active Directory user account despite having a password policy in place. The attribute named “UserAccountControl” is the culprit in this case. It contains flags that have the ability to override standard behavior.
UserAccountControl Flag – UF_PASSWD_NOTREQD
This is the name of the flag that let users have a blank password. It’s intended to be used for guest accounts, but even then you should be careful. With vScope you can find accounts with this flag in an instance by using our prepackaged analysis, otherwise, you can head on over to Microsoft TechNet to learn how to do the same with some complicated scripting.
Store passwords using reversible encryption policy
This is another risky configuration that you should avoid at all costs. User passwords are normally stored encrypted in the Active Directory database, but in some cases you have to grant access to user passwords for some applications. Storing encrypted passwords in a way that’s reversible means that the encrypted passwords can be decrypted. It doesn’t really take a genius to figure out how dangerous this can be. A skilled attacker with decrypting knowledge can easily gain control of the account with this policy in effect.
The only thing left now is for you to improve the security of your Active Directory. Hopefully you’ll be walking away with some fresh ideas and if you’re tired of scripting to get the answers you’re looking for check out vScope Inventorying & Reporting. A market leading inventory software that puts you in control of your IT. With vScope you finally can get an up-to-date digital copy of your IT environment, whenever you need it!