
Active Directory Security Best Practices - Building a Secure Foundation

Securing Active Directory isn't about installing one tool or applying one setting. It's about building multiple layers of security, monitoring everything, and maintaining vigilance over time. This guide distills years of security research, incident response lessons, and real-world hardening into actionable best practices.

What This Guide Provides:

Practical, implementable security guidance for Active Directory environments. Not theoretical ideals - real strategies that work in production environments with legacy systems, compatibility requirements, and business constraints.

The Security Mindset:

Security isn't a destination - it's a process. You'll implement these practices, test them, monitor them, adjust them, and repeat. Active Directory security requires ongoing attention because:

- Environments evolve (new users, new systems, new requirements)
- Attackers evolve (new techniques, new tools, new exploits)
- Threats evolve (new malware, new attack campaigns, new vulnerabilities)

Table of Contents

  1. Active Directory Security Fundamentals
  2. Account Security and Password Policies
  3. Group Policy Security Configuration
  4. Privileged Access Management
  5. Monitoring and Auditing
  6. Network Security Considerations
  7. Backup and Recovery Strategies
  8. Incident Response Planning
  9. Compliance and Regulatory Requirements
  10. Continuous Security Improvement

Active Directory Security Fundamentals

Core Security Principles

Principle of Least Privilege:

This is the foundation. Users (and services) should have the minimum permissions necessary to perform their functions. Nothing more. The temptation is always there: "Just give them domain admin, it's easier." Resist it.

Why this matters:

- A compromised low-privilege account limits damage
- A compromised high-privilege account enables full compromise
- Minimal permissions make attack paths harder
- Audit logs are cleaner with fewer privileged actions

How to implement:

- Start with no permissions, add only what's needed
- Regular access reviews (quarterly at minimum)
- Remove unused permissions aggressively
- Document why each permission exists

Defense in Depth:

One security control will fail. Maybe the firewall. Maybe the password policy. Maybe the monitoring. Multiple layers ensure that when one fails, others catch the attack.

Layers to consider:

- Network segmentation (isolate critical systems)
- Authentication requirements (multi-factor where possible)
- Access controls (permissions, group memberships)
- Monitoring and alerting (detect attacks in progress)
- Incident response (contain and remediate quickly)

The goal isn't perfection - it's making attacks difficult enough that most attackers move on to easier targets.

Secure by Default:

Default configurations should err on the side of security. If a feature isn't needed, it shouldn't be enabled. If a permission isn't required, it shouldn't be granted.

Windows default settings aren't always secure:

- Some services enabled that aren't needed
- Some permissions more permissive than necessary
- Some authentication protocols enabled for compatibility

Your job is to lock things down explicitly, not rely on defaults.

Regular Auditing:

Security isn't "set it and forget it." Environments change. New users arrive. New systems join. New applications get installed. Each change creates potential security drift.

Auditing must be:

- Continuous (not just annual assessments)
- Comprehensive (all aspects of AD security)
- Actionable (findings must be remediated)
- Documented (track what was found and fixed)

Security Baselines

# Microsoft Security Baselines
# - Download and apply security baselines
# - Regularly update baselines for new OS versions

# CIS Benchmarks
# - Center for Internet Security benchmarks
# - Industry-standard security configurations

# Custom Baselines
# - Organization-specific requirements
# - Regulatory compliance needs

Account Security and Password Policies

Password Policies

# Domain password policy
Get-ADDefaultDomainPasswordPolicy

# Recommended settings:
# - Minimum password length: 14 characters
# - Password history: 24 passwords remembered
# - Maximum password age: 90 days
# - Minimum password age: 1 day
# - Password complexity: Enabled
# - Reversible encryption: Disabled

# Fine-grained password policies
Get-ADFineGrainedPasswordPolicy -Filter *

Account Lockout Policies

# Account lockout settings
# - Account lockout threshold: 10 invalid attempts
# - Account lockout duration: 15 minutes
# - Reset account lockout counter: 15 minutes

# Monitor lockout events
# Event ID 4740: Account was locked out
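The two blocks above list recommended values but leave the comparison to the reader. The following script is an added example (not part of the original page) that reads the default domain policy and every fine-grained policy with the cmdlets shown above and reports each setting that deviates from the recommended values. It assumes the ActiveDirectory RSAT module and a domain-joined session with read access; the output file name is an assumption.

```powershell
# Added example: audit the domain and fine-grained password/lockout policies against
# the recommended values from the guide. Assumes the ActiveDirectory module is available.
Import-Module ActiveDirectory

# Each check names a property of the policy object, a test against it, and the wanted value.
$checks = @(
    @{ Name = 'MinPasswordLength';           Test = { $_.MinPasswordLength -ge 14 };                                 Want = '>= 14 characters' }
    @{ Name = 'PasswordHistoryCount';        Test = { $_.PasswordHistoryCount -ge 24 };                              Want = '>= 24 remembered' }
    # MaxPasswordAge of 00:00:00 means "never expires", which also fails the check.
    @{ Name = 'MaxPasswordAge';              Test = { $_.MaxPasswordAge -gt [TimeSpan]::Zero -and $_.MaxPasswordAge.TotalDays -le 90 }; Want = '1..90 days' }
    @{ Name = 'MinPasswordAge';              Test = { $_.MinPasswordAge.TotalDays -ge 1 };                           Want = '>= 1 day' }
    @{ Name = 'ComplexityEnabled';           Test = { $_.ComplexityEnabled };                                        Want = 'True' }
    @{ Name = 'ReversibleEncryptionEnabled'; Test = { -not $_.ReversibleEncryptionEnabled };                         Want = 'False' }
    # LockoutThreshold of 0 means accounts never lock out, which also fails the check.
    @{ Name = 'LockoutThreshold';            Test = { $_.LockoutThreshold -gt 0 -and $_.LockoutThreshold -le 10 };   Want = '1..10 attempts' }
    @{ Name = 'LockoutDuration';             Test = { $_.LockoutDuration.TotalMinutes -ge 15 };                      Want = '>= 15 minutes' }
    @{ Name = 'LockoutObservationWindow';    Test = { $_.LockoutObservationWindow.TotalMinutes -ge 15 };             Want = '>= 15 minutes' }
)

function Test-PasswordPolicy {
    param([Parameter(Mandatory)] $Policy, [string] $Label)
    foreach ($c in $checks) {
        # ForEach-Object binds $_ to the policy so the check scriptblock can read its properties.
        $ok = $Policy | ForEach-Object $c.Test
        [pscustomobject]@{
            Policy  = $Label
            Setting = $c.Name
            Current = $Policy.($c.Name)
            Wanted  = $c.Want
            Status  = if ($ok) { 'OK' } else { 'DEVIATION' }
        }
    }
}

$results = @()
$results += Test-PasswordPolicy -Policy (Get-ADDefaultDomainPasswordPolicy) -Label 'Default Domain Policy'

# Fine-grained policies override the default for the principals they apply to,
# so each one is held to the same recommendations.
foreach ($fgpp in Get-ADFineGrainedPasswordPolicy -Filter *) {
    $results += Test-PasswordPolicy -Policy $fgpp -Label "FGPP: $($fgpp.Name)"
}

$results | Format-Table -AutoSize
# Assumed output path; feed the deviations into the access-review process.
$results | Where-Object Status -eq 'DEVIATION' | Export-Csv -NoTypeInformation -Path .\PasswordPolicyDeviations.csv
```

A fine-grained policy that is weaker than the default is a common finding, because these are often created for service accounts and then forgotten; running the same checks over every FGPP catches that drift.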

Service Account Security

# Service account best practices
# - Use managed service accounts (gMSA) where possible
# - Regular password rotation
# - Minimal privileges
# - No interactive logon rights

# Find service accounts
Get-ADUser -Filter {ServicePrincipalName -ne "$null"} -Properties ServicePrincipalName, PasswordLastSet, LastLogonDate

# Managed service accounts
Get-ADServiceAccount -Filter *
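The `Get-ADUser` query above finds accounts with an SPN but leaves the review to the reader. The script below is an added example (not part of the original page) that turns that query into a report against the best practices listed above: stale passwords, accounts still under AdminSDHolder protection (`adminCount = 1`, an approximation for "member of a privileged group"), passwords set to never expire, and plain user objects that are candidates for migration to a gMSA. It assumes the ActiveDirectory module; `$MaxPasswordAgeDays` is an assumed threshold.

```powershell
# Added example: review SPN-bearing user accounts (service accounts) for the risks
# named in the guide. Assumes the ActiveDirectory module is available.
Import-Module ActiveDirectory
$MaxPasswordAgeDays = 365   # assumed rotation threshold for service account passwords

$spnAccounts = Get-ADUser -Filter 'ServicePrincipalName -like "*"' `
    -Properties ServicePrincipalName, PasswordLastSet, LastLogonDate, PasswordNeverExpires, adminCount

$report = foreach ($acct in $spnAccounts) {
    $ageDays = if ($acct.PasswordLastSet) { ((Get-Date) - $acct.PasswordLastSet).Days } else { $null }
    [pscustomobject]@{
        SamAccountName       = $acct.SamAccountName
        Enabled              = $acct.Enabled
        SpnCount             = @($acct.ServicePrincipalName).Count
        PasswordAgeDays      = $ageDays
        PasswordNeverExpires = $acct.PasswordNeverExpires
        LastLogonDate        = $acct.LastLogonDate
        Findings             = @(
            # No PasswordLastSet at all means the password has never been set or the attribute is unreadable.
            if ($null -eq $ageDays -or $ageDays -gt $MaxPasswordAgeDays) { 'stale-password' }
            # adminCount=1 is set by AdminSDHolder on current (and former) members of protected groups.
            if ($acct.adminCount -eq 1) { 'privileged' }
            if ($acct.PasswordNeverExpires) { 'never-expires' }
            # A normal user object carrying an SPN could usually be replaced by a gMSA,
            # whose password Windows rotates automatically.
            'gmsa-candidate'
        ) -join ','
    }
}

$report | Sort-Object PasswordAgeDays -Descending | Format-Table -AutoSize
```

Accounts flagged both `privileged` and `stale-password` are the ones to deal with first: an SPN means the account's password hash is exposed to any authenticated user who requests a service ticket, and privileged membership turns that exposure into domain-wide risk.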

Administrator Account Protection

# Admin account best practices
# - Separate admin and user accounts
# - No email or internet access for admin accounts
# - Regular credential rotation
# - Monitor admin account usage

# Protected Users group
# - Adds additional protections for members
Add-ADGroupMember -Identity "Protected Users" -Members "adminaccount"

# Admin account monitoring
# Event ID 4672: Special privileges assigned to new logon
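The `Add-ADGroupMember` line above adds a single account to Protected Users; in practice the question is which Tier 0 accounts are still missing from it. The script below is an added example (not part of the original page) that enumerates the Tier 0 groups by well-known RID, lists their human members that are not yet in Protected Users, and shows the remediation with `-WhatIf`. It assumes the ActiveDirectory module and a domain functional level that supports Protected Users (Windows Server 2012 R2 or later).

```powershell
# Added example: find Tier 0 accounts that are not members of Protected Users.
# Assumes the ActiveDirectory module is available.
Import-Module ActiveDirectory

$domainSid = (Get-ADDomain).DomainSID.Value
# Groups are looked up by well-known RID so the script is independent of display language:
# 512 Domain Admins, 519 Enterprise Admins (root domain only), 518 Schema Admins, BUILTIN\Administrators.
$tier0Groups = @("$domainSid-512", "$domainSid-519", "$domainSid-518", 'S-1-5-32-544') |
    ForEach-Object { Get-ADGroup -Filter "SID -eq '$_'" -ErrorAction SilentlyContinue }

# Protected Users is RID 525.
$protectedUsers = Get-ADGroup -Identity "$domainSid-525"
$protected = @{}
foreach ($m in Get-ADGroupMember -Identity $protectedUsers -Recursive) { $protected[$m.distinguishedName] = $true }

$unprotected = foreach ($g in $tier0Groups) {
    foreach ($m in Get-ADGroupMember -Identity $g -Recursive) {
        # Only human user accounts belong in Protected Users: skip computers and gMSAs, and skip
        # the built-in Administrator (RID 500), which is commonly kept out as the break-glass account.
        if ($m.objectClass -ne 'user' -or $m.SID.Value -eq "$domainSid-500") { continue }
        if (-not $protected.ContainsKey($m.distinguishedName)) {
            [pscustomobject]@{ Group = $g.Name; SamAccountName = $m.SamAccountName; DistinguishedName = $m.distinguishedName }
        }
    }
}

$unprotected | Sort-Object SamAccountName -Unique | Format-Table -AutoSize

# Remediation is shown with -WhatIf: remove it only after testing one account, because
# Protected Users blocks NTLM, DES/RC4 Kerberos and long-lived TGTs for its members.
$toAdd = $unprotected.DistinguishedName | Select-Object -Unique
if ($toAdd) { Add-ADGroupMember -Identity $protectedUsers -Members $toAdd -WhatIf }
```

Protected Users only changes behaviour on domain controllers and clients that understand it, so test one admin account against every system that admin actually uses (legacy appliances that only speak NTLM are the usual breakage) before moving the whole list.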

Group Policy Security Configuration

Security Settings

# Account Policies
# - Password policy
# - Account lockout policy
# - Kerberos policy

# Local Policies
# - Audit policy
# - User rights assignment
# - Security options

# Event Log settings
# - Log size and retention
# - Log access permissions

# Disable NTLMv1
# Network security: LAN Manager authentication level = Send NTLMv2 response only

# Enable SMB signing
# Microsoft network server: Digitally sign communications (always) = Enabled
# Microsoft network client: Digitally sign communications (always) = Enabled

# Enable LDAP signing
# Domain controller: LDAP server signing requirements = Require signing

# Disable LLMNR
# Enable Multicast Name Resolution = Disabled

# Disable NBT-NS
# NetBT NodeType = P-node (or use DHCP to disable NetBT)
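Group Policy settings are only as good as their application, so each of the hardening settings above should be verified on the machines that received them. The script below is an added example (not part of the original page) that reads the registry values those policy settings write and compares them with the values the guide asks for; the registry paths are the standard locations for these settings, and the script is meant to be run on each domain controller (or through `Invoke-Command`) after a `gpupdate`.

```powershell
# Added example: verify that the hardening settings from the guide are in effect
# by reading the registry values each Group Policy setting writes.
$checks = @(
    @{ Setting = 'LAN Manager authentication level (Send NTLMv2 response only)'
       Path = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'; Name = 'LmCompatibilityLevel'; Test = { $_ -ge 3 }; Want = '3 or higher' }
    @{ Setting = 'SMB server signing (always)'
       Path = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters'; Name = 'RequireSecuritySignature'; Test = { $_ -eq 1 }; Want = '1' }
    @{ Setting = 'SMB client signing (always)'
       Path = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanWorkstation\Parameters'; Name = 'RequireSecuritySignature'; Test = { $_ -eq 1 }; Want = '1' }
    @{ Setting = 'LDAP server signing (Require signing)'
       Path = 'HKLM:\SYSTEM\CurrentControlSet\Services\NTDS\Parameters'; Name = 'LDAPServerIntegrity'; Test = { $_ -eq 2 }; Want = '2' }
    @{ Setting = 'LLMNR disabled'
       Path = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\DNSClient'; Name = 'EnableMulticast'; Test = { $_ -eq 0 }; Want = '0' }
    @{ Setting = 'NetBT node type = P-node'
       Path = 'HKLM:\SYSTEM\CurrentControlSet\Services\NetBT\Parameters'; Name = 'NodeType'; Test = { $_ -eq 2 }; Want = '2' }
)

function Test-HardeningSetting {
    foreach ($c in $checks) {
        # A missing value means the policy was never applied here; report it as a failure, not an error.
        $value = (Get-ItemProperty -Path $c.Path -Name $c.Name -ErrorAction SilentlyContinue).($c.Name)
        $ok = if ($null -eq $value) { $false } else { $value | ForEach-Object $c.Test }
        [pscustomobject]@{
            Computer = $env:COMPUTERNAME
            Setting  = $c.Setting
            Value    = if ($null -eq $value) { '<not set>' } else { $value }
            Wanted   = $c.Want
            Status   = if ($ok) { 'OK' } else { 'FAIL' }
        }
    }
}

Test-HardeningSetting | Format-Table -AutoSize
```

The LDAP server signing and NetBT checks only make sense on domain controllers and on hosts whose node type is set by policy rather than DHCP; a `<not set>` for NodeType on a DHCP-configured client is expected and should be checked against the DHCP scope options instead.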

Administrative Templates

# Windows Components
# - Windows Defender settings
# - Internet Explorer security
# - Windows Update settings

# System
# - Device installation restrictions
# - Power management settings

# Network
# - Network isolation settings
# - Windows Firewall configuration

Privileged Access Management

Tiered Administration Model

# Tier 0: Direct control of AD and critical systems
# - Domain admins, enterprise admins
# - Highly restricted access

# Tier 1: Server administration
# - Server administrators
# - Controlled access to servers

# Tier 2: Workstation administration
# - Workstation support
# - Limited server access

# Tier 3: User accounts
# - Regular user accounts
# - No administrative privileges

Just-In-Time Administration

# Implement JIT access
# - Temporary elevation of privileges
# - Time-limited access
# - Approval workflows

# Tools for JIT:
# - Microsoft PIM (Privileged Identity Management)
# - Third-party PAM solutions
# - Custom PowerShell automation

Privileged Access Workstations

# PAW requirements
# - Dedicated hardware for administrative tasks
# - Enhanced security configuration
# - Limited internet access
# - Regular security updates

# PAW configuration
# - Application whitelisting
# - Enhanced monitoring
# - Restricted network access

Monitoring and Auditing

Essential Auditing Policies

# Account Logon Events
# - Success and failure auditing

# Account Management
# - User account changes
# - Group membership changes
# - Password changes

# Directory Service Access
# - AD object modifications
# - Schema changes

# Logon/Logoff Events
# - Successful and failed logons
# - Account lockouts

# Object Access
# - File and registry access
# - AD object access

# Policy Change
# - Audit policy changes
# - User rights changes

# Privilege Use
# - Sensitive privilege use
# - Backup and restore operations

# System Events
# - System startup/shutdown
# - Security log changes

Critical Security Events

# Event ID 4624: Successful logon
# Event ID 4625: Failed logon
# Event ID 4634: Account logoff
# Event ID 4648: Logon with explicit credentials
# Event ID 4672: Special privileges assigned
# Event ID 4688: Process creation
# Event ID 4700: Scheduled task created
# Event ID 4719: System audit policy changed
# Event ID 4720: User account created
# Event ID 4722: User account enabled
# Event ID 4724: Password reset attempt
# Event ID 4726: User account deleted
# Event ID 4728: Member added to security-enabled group
# Event ID 4732: Member added to security-enabled local group
# Event ID 4738: User account changed
# Event ID 4740: User account locked out
# Event ID 4767: User account unlocked
# Event ID 4776: NTLM authentication
# Event ID 4781: Account name changed
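The list above names the events; what a reviewer needs is the who/what/where inside them. The script below is an added example (not part of the original page) that pulls the privileged-group membership changes (4728, 4732, and 4756 for universal groups, which privileged groups are in multi-domain forests) and lockouts (4740) from a domain controller's Security log for the last 24 hours and flattens them into a table. Field names are the standard EventData names for these events; the review window and target computer are assumptions.

```powershell
# Added example: extract group-membership changes and lockouts from the Security log
# on a domain controller and present them as a table for review.
$Hours        = 24                    # assumed review window
$ComputerName = $env:COMPUTERNAME     # run on, or point at, a domain controller

$filter = @{
    LogName   = 'Security'
    Id        = 4728, 4732, 4756, 4740
    StartTime = (Get-Date).AddHours(-$Hours)
}

# EventData fields are read from the event XML by name, which is more robust than
# relying on the positional Properties[] order, which differs between event IDs.
function Get-EventField {
    param([System.Diagnostics.Eventing.Reader.EventRecord] $Event, [string] $Name)
    $xml = [xml] $Event.ToXml()
    ($xml.Event.EventData.Data | Where-Object { $_.Name -eq $Name }).'#text'
}

$rows = Get-WinEvent -ComputerName $ComputerName -FilterHashtable $filter -ErrorAction SilentlyContinue |
    ForEach-Object {
        $e = $_
        if ($e.Id -eq 4740) {
            [pscustomobject]@{
                Time      = $e.TimeCreated
                Id        = $e.Id
                Action    = 'Account locked out'
                Principal = Get-EventField $e 'TargetUserName'     # the account that was locked
                Target    = Get-EventField $e 'TargetDomainName'   # caller computer that triggered the lockout
                Source    = Get-EventField $e 'SubjectUserName'    # DC that processed the lockout
            }
        } else {
            [pscustomobject]@{
                Time      = $e.TimeCreated
                Id        = $e.Id
                Action    = 'Member added to group'
                Principal = Get-EventField $e 'MemberName'         # DN of the added principal
                Target    = Get-EventField $e 'TargetUserName'     # group name
                Source    = Get-EventField $e 'SubjectUserName'    # account that made the change
            }
        }
    }

$rows | Sort-Object Time | Format-Table -AutoSize
```

Membership changes are logged on the domain controller that processed the write, so a complete picture requires running this against every DC or, as the SIEM section below recommends, forwarding Security logs centrally and running the same filter there. A 4728/4732/4756 whose `Target` is a Tier 0 group and whose `Source` is not a known change ticket is the single highest-value alert in this list.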

SIEM Integration

# Centralized logging
# - Collect events from all domain controllers
# - Correlate events across systems
# - Long-term storage for investigation

# Alerting and notification
# - Real-time alerting for critical events
# - Automated response workflows
# - Regular reporting

# Common SIEM platforms
# - Splunk
# - Elastic SIEM
# - Azure Sentinel
# - QRadar
# - ArcSight

Network Security Considerations

Network Segmentation

# Network zones
# - Internet-facing DMZ
# - Internal network segments
# - Management network
# - User network

# Firewall rules
# - Restrict traffic between segments
# - Allow only required protocols
# - Regular rule reviews

# VLAN configuration
# - Separate traffic types
# - Control broadcast domains
# - Implement ACLs

DNS Security

# DNS best practices
# - Secure dynamic updates
# - DNSSEC implementation
# - DNS monitoring
# - Regular DNS health checks

# DNS attack prevention
# - Disable recursion for external clients
# - Rate limiting
# - Response policy zones (RPZ)

Certificate Services

# PKI best practices
# - Offline root CA
# - Online issuing CAs
# - Regular CRL publication
# - Certificate template security

# Certificate monitoring
# - Expiration alerts
# - Revocation checking
# - Template misuse detection

Backup and Recovery Strategies

AD Backup Types

# System State backup
# - Includes AD database, SYSVOL, registry
# - Essential for disaster recovery

# Critical volume backup
# - System volume
# - Boot volume

# Full server backup
# - Complete system backup
# - For bare metal recovery

Backup Schedule

# Recommended backup frequency
# - System State: Daily
# - Critical volumes: Daily
# - Full server: Weekly

# Retention policy
# - On-site: 30 days
# - Off-site: 90 days
# - Long-term archive: 1 year
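The schedule above is stated as frequencies; the script below is an added example (not part of the original page) that implements the daily System State backup with the Windows Server Backup PowerShell module and then verifies that a backup actually ran in the last day. It assumes the Windows Server Backup feature is installed on the domain controller and that `E:` is a dedicated backup volume; both the volume and the 02:00 run time are assumptions.

```powershell
# Added example: schedule a daily System State backup on a domain controller and
# verify recency. Assumes Install-WindowsFeature Windows-Server-Backup has been run.
Import-Module WindowsServerBackup

$BackupVolume = 'E:'   # assumed dedicated backup volume; System State contains NTDS.dit, so restrict access to it

$policy = New-WBPolicy
Add-WBSystemState -Policy $policy
Add-WBBackupTarget -Policy $policy -Target (New-WBBackupTarget -VolumePath $BackupVolume)
Set-WBSchedule -Policy $policy -Schedule 02:00
Set-WBPolicy -Policy $policy -Force   # -Force replaces any existing scheduled policy without prompting

# Verification: the newest backup set must be within the daily window, otherwise raise a warning
# that a monitoring job can pick up.
$last = Get-WBBackupSet | Sort-Object BackupTime -Descending | Select-Object -First 1
if (-not $last -or $last.BackupTime -lt (Get-Date).AddDays(-1)) {
    Write-Warning "No System State backup completed in the last 24 hours on $env:COMPUTERNAME"
}
```

For AD restore purposes a backup is only usable while it is younger than the forest's tombstone lifetime, so the long-term archive in the retention policy serves audit and forensic needs rather than directory recovery; the recovery-relevant copies are the recent daily ones.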

Recovery Procedures

# Authoritative restore
# - For accidental object deletion
# - Requires System State backup

# Non-authoritative restore
# - For corrupted AD database
# - Replication will repopulate data

# Forest recovery
# - Complete AD forest restoration
# - Complex procedure requiring planning

Incident Response Planning

Incident Response Team

# Team composition
# - Security analysts
# - System administrators
# - Network engineers
# - Management representatives
# - Legal counsel

# Contact information
# - Maintain updated contact lists
# - Include after-hours contacts
# - External contacts (law enforcement, vendors)

Incident Classification

# Severity levels
# - Critical: Domain compromise, data breach
# - High: Privilege escalation, lateral movement
# - Medium: Reconnaissance, failed attacks
# - Low: Suspicious activity, false positives

# Response procedures
# - Documented steps for each severity level
# - Escalation paths
# - Communication plans

Forensic Readiness

# Evidence collection
# - Memory capture tools
# - Disk imaging capabilities
# - Network capture tools
# - Log preservation procedures

# Chain of custody
# - Documentation procedures
# - Evidence handling protocols
# - Legal requirements

Compliance and Regulatory Requirements

Common Frameworks

# NIST Cybersecurity Framework
# - Identify, Protect, Detect, Respond, Recover
# - Risk management approach

# ISO 27001
# - Information security management
# - Certification requirements

# PCI DSS
# - Payment card industry security
# - Specific technical requirements

# HIPAA
# - Healthcare information security
# - Privacy and security rules

# GDPR
# - European data protection
# - Privacy by design

Audit Preparation

# Documentation requirements
# - Policies and procedures
# - Configuration documentation
# - Change management records
# - Incident response documentation

# Evidence collection
# - Log samples
# - Configuration exports
# - Interview preparation
# - Remediation evidence

Continuous Compliance

# Automated compliance checking
# - Regular configuration scans
# - Policy compliance monitoring
# - Exception management

# Compliance reporting
# - Regular status reports
# - Management dashboards
# - Audit readiness reports

Continuous Security Improvement

Security Assessment

# Regular penetration testing
# - External penetration tests
# - Internal penetration tests
# - Red team exercises

# Vulnerability scanning
# - Regular network scans
# - Credentialed scans
# - Web application scans

# Configuration reviews
# - AD configuration reviews
# - GPO configuration reviews
# - System hardening reviews

Security Metrics

# Key performance indicators
# - Time to detect incidents
# - Time to respond to incidents
# - Number of security incidents
# - Patch compliance percentage

# Risk metrics
# - Risk assessment scores
# - Vulnerability severity trends
# - Control effectiveness measures

Training and Awareness

# Security training
# - Regular security awareness training
# - Role-specific security training
# - Phishing simulation exercises

# Technical training
# - AD security training for admins
# - Incident response training
# - Forensic investigation training

Conclusion

Active Directory security requires a comprehensive, defense-in-depth approach that combines technical controls, administrative processes, and continuous monitoring. By implementing these best practices, organizations can significantly reduce their attack surface and improve their ability to detect and respond to security incidents.

Remember that AD security is not a one-time project but an ongoing process that requires regular assessment, updating, and improvement to address evolving threats and changing business requirements.

Key success factors include:

- Executive support and adequate resources
- Skilled and trained personnel
- Regular security assessments
- Continuous monitoring and improvement
- Integration with overall security program