
Active Directory Hardening

This document outlines an Active Directory hardening plan with the goal of resolving security configurations to meet compliance standards. It discusses key areas such as security groups, password policies, account lockouts, and delegations. The plan also addresses managing local and domain users/groups, tracking inactive accounts, securing default groups, updating user rights, and securing service accounts. Additional sections cover password management, auditing, best practices, DNS configuration, site topology optimization, and Active Directory backups.

Uploaded by

api-326180324

Active Directory Hardening

Prepared by, Moamen Hany


www.momenhany.com

• Security Hardening
o Resolve security configurations to meet compliance and overall security requirements. Key areas for this analysis and resolution include:
▪ Security groups with privileges
▪ User rights
▪ Password policy
▪ Account lockout policy
▪ Active Directory delegations
▪ Group Policy delegations
o Group membership (default privileged groups)
▪ Domain admins
▪ Administrators
▪ Administrators (local)
▪ Backup operators
o OU Protection
▪ Protect Organizational Units from accidental deletion
o Domain Controller runtime updates & applied security patches
o Trusting DCs using the Microsoft Baseline Security Analyzer tool
• Local Users and Groups
o Solution to Manage Local Administrator Password
o Solution to Manage Local Group Memberships
• Active Directory Users
o Find and delete never-used accounts
o Track down users with no logins
o Solution for tracking inactive users
o Solution for tracking AD login attack attempts
• Active Directory Computers
o Find and delete disabled computer accounts
• Active Directory Groups
o Securing default group memberships
o Securing nested administrators
o Solution for administrator group membership modifications
• Active Directory User Rights
o Update user rights using Group Policy Management, applying the most common rights based on my experience and according to business needs
• Active Directory Delegations
o Create two Active Directory delegation templates
• Active Directory Service Accounts
o Securing service accounts
o Preventing service accounts from logging in to or accessing other resources
• Password Management
o Define the password policy in the Default Domain Policy
o Password policy must meet the complexity of 3:4 characters
o For a stronger password policy, it is recommended to meet 4:4 characters
o Provide users with self-service password reset
o The password policy GPO must have high priority and be enforced so that it overrides any OU with block inheritance
• Audit and Alerting
o Force login auditing
o Force object access auditing
o Solution to find Active Directory security alerts
o Solution to monitor Active Directory object changes/behavior
• Configuration and Best Practices
o Run the MBPA tool and resolve the findings
• Domain Name System DNS and Application Partition
o Secure DNS Zones by storing them in Active Directory Application Partition
• Active Directory Sites and Subnets Configuration Partition
o Optimize the logical Configuration Partition to match the physical topology by:
▪ Structuring Domain Controllers based on physical locations
▪ Applying site link replication schedules and costs
▪ Bridging sites to reduce replication traffic bottlenecks
▪ Customizing site subnets to match the real network
• Active Directory Backup
o Solution to back up Active Directory databases
o Solution to back up Active Directory servers
o Solution to recover deleted items using the Recycle Bin
