
Active Directory

The main factor that makes Active Directory security, or AD security, uniquely important in a business's overall security posture is that the organization's Active Directory controls all system access. Effective Active Directory management helps protect your business's credentials, applications and confidential data from unauthorized access. It's important to have a strong security system to prevent malicious users from breaching your network and causing damage.

The major predefined rules in risk posture are:

Minimum Password Length

Description:

This security rule determines the least number of characters that a password for a user account may contain. You can set a value between 1 and 14 characters, or you can establish that no password is required by setting the number of characters to 0.

Default:

  • 7 on domain controllers.
  • 0 on stand-alone servers.

Vulnerability:

The Minimum password length policy setting determines the least number of characters that can make up a password for a user account. Types of password attacks include dictionary attacks (which attempt to use common words and phrases) and brute force attacks (which try every possible combination of characters). Also, attackers sometimes try to obtain the account database so they can use tools to discover the accounts and passwords.

Possible Values:

  • User-specified number of characters between 0 and 14 (If the number of characters is set to 0, no password is required)
  • Not defined

Best Practice:

Set minimum password length to at least a value of 8. In most environments, an eight-character password is recommended because it's long enough to provide adequate security and still short enough for users to remember easily. A minimum password length greater than 14 isn't supported at the moment. This value will help provide adequate defense against a brute force attack. Adding complexity requirements will help reduce the possibility of a dictionary attack. For more info, see Password must meet complexity requirements.

Recommendation:

Using GUI,

  • On your Domain Controller Windows homepage, go to Start Menu → Administrative Tools → Group Policy Management.
  • In the console tree, expand the Forest and then Domains. Select the domain for which the Account policies have to be set.
  • Double-click the domain to reveal the GPOs linked to the domain.
  • Right-click Default Domain Policy and select Edit. A Group Policy Editor console will open.
  • Now, navigate to Computer Configuration → Policies → Windows Settings → Security Settings → Account Policies → Password Policy.
  • Double-click Password Policy. Right-click Minimum password length Policy settings and select Properties to define the policy setting.

Password Complexity

Description:

This security rule determines whether passwords meet complexity requirements. If this policy is enabled, passwords must meet the following requirements:

  • Not contain the user's account name or a part of the user's full name that exceeds two consecutive characters
  • Be at least six characters in length
  • Contain characters from three of the following categories:
    • English uppercase characters (A through Z)
    • English lowercase characters (a through z)
    • Base 10 digits (0 through 9)
    • Non-alphabetic characters (for example, !, $, #, %)

Complexity requirements are enforced when passwords are changed or created.

Default:

Enabled on domain controllers. Disabled on stand-alone servers.

Vulnerability:

Passwords that contain only alphanumeric characters are easy to discover with several publicly available tools.

Possible Values:

  • Enabled
  • Disabled
  • Not defined

Best Practice:

Set "Passwords must meet complexity requirements" to Enabled. This policy setting, combined with a minimum password length of 8, ensures that there are at least 159,238,157,238,528 different possibilities for a single password. This setting makes a brute force attack difficult, but still not impossible.

  • Passwords may not contain the user's samAccountName (Account Name) value or entire displayName (Full Name value). Neither of these checks is case-sensitive.
  • The password contains characters from three of the following categories:
    • Uppercase letters of European languages (A through Z, with diacritic marks, Greek and Cyrillic characters)
    • Lowercase letters of European languages (a through z, sharp-s, with diacritic marks, Greek and Cyrillic characters)
    • Base 10 digits (0 through 9)
    • Non-alphanumeric characters (special characters): (~!@#$%^&*_-+=`|\(){}[]:;"'<>,.?/) Currency symbols such as the Euro or British Pound aren't counted as special characters for this policy setting.
    • Any Unicode character that's categorized as an alphabetic character but isn't uppercase or lowercase. This group includes Unicode characters from Asian languages.

Short passwords that contain only alphanumeric characters are easy to compromise by using publicly available tools. To prevent this vulnerability, passwords should contain other characters and/or meet complexity requirements.
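An added example, not from the original page or the product, that checks a proposed password against the complexity rules listed above before it is set (for instance in a helpdesk reset script). The function name, the default minimum length of 8 (the page's recommendation, rather than the rule's built-in 6) and the sample account names are assumptions.

```powershell
# Added example, not from the original page: checks a candidate password against the
# complexity rules described above. Minimum length defaults to the page's recommended 8.
function Test-ADPasswordComplexity {
    param(
        [Parameter(Mandatory)][string]$Password,
        [string]$SamAccountName = '',
        [string]$DisplayName = '',
        [int]$MinimumLength = 8
    )
    $reasons = New-Object System.Collections.Generic.List[string]

    if ($Password.Length -lt $MinimumLength) {
        $reasons.Add("shorter than $MinimumLength characters")
    }

    # samAccountName is compared as a whole, case-insensitively; names under 3 chars are skipped.
    if ($SamAccountName.Length -ge 3 -and
        $Password.IndexOf($SamAccountName, [StringComparison]::OrdinalIgnoreCase) -ge 0) {
        $reasons.Add("contains the account name '$SamAccountName'")
    }

    # displayName is split on the delimiters Windows uses (comma, period, dash, underscore,
    # space, hash, tab); any token longer than two characters may not appear in the password.
    foreach ($token in ($DisplayName -split '[,\.\-_ #\t]+')) {
        if ($token.Length -gt 2 -and
            $Password.IndexOf($token, [StringComparison]::OrdinalIgnoreCase) -ge 0) {
            $reasons.Add("contains part of the full name ('$token')")
        }
    }

    # Count the five character categories listed above; at least three must be present.
    # Currency symbols are not counted as special characters, matching the rule text.
    $upper = $lower = $digit = $special = $otherAlpha = $false
    foreach ($c in $Password.ToCharArray()) {
        if     ([char]::IsUpper($c))  { $upper = $true }
        elseif ([char]::IsLower($c))  { $lower = $true }
        elseif ([char]::IsDigit($c))  { $digit = $true }
        elseif ([char]::IsLetter($c)) { $otherAlpha = $true }   # caseless letters, e.g. CJK
        elseif (-not [char]::IsWhiteSpace($c) -and
                [char]::GetUnicodeCategory($c) -ne 'CurrencySymbol') { $special = $true }
    }
    $present = @(@($upper, $lower, $digit, $special, $otherAlpha) | Where-Object { $_ }).Count
    if ($present -lt 3) {
        $reasons.Add("uses only $present of the 5 character categories (3 required)")
    }

    [pscustomobject]@{
        Password  = ('*' * $Password.Length)      # never echo the candidate itself
        Compliant = ($reasons.Count -eq 0)
        Reasons   = ($reasons -join '; ')
    }
}

# Constructed sample checks against a fictitious account (not real data).
Test-ADPasswordComplexity -Password 'Correct-Horse-7' -SamAccountName 'jdoe' -DisplayName 'John Doe'
Test-ADPasswordComplexity -Password 'johndoe123'      -SamAccountName 'jdoe' -DisplayName 'John Doe'
Test-ADPasswordComplexity -Password 'Doe.Summer'      -SamAccountName 'jdoe' -DisplayName 'John Doe'
```

Passing complexity only means the password is not trivially guessable from the account's own attributes; as the Best Practice text notes, it does not by itself make brute force attacks impossible.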

Recommendation:

  • Using GUI,
    • Go to Start Menu → Administrative Tools → Group Policy Management.
    • In the console tree, expand the Forest and then Domains. Select the domain for which the Account policies have to be set.
    • Double-click the domain to reveal the GPOs linked to the domain.
    • Right-click Default Domain Policy and select Edit. A Group Policy Editor console will open.
    • Now, navigate to Computer Configuration → Policies → Windows Settings → Security Settings → Account Policies → Password Policy.
    • Double-click Password Policy. Right-click the Password must meet complexity requirements policy setting and select Properties to define and enable the policy setting.

Users with old password

Description:

This security rule checks if all the users have changed their password over the past 90 days.

Default:

Enabled on domain controllers. Disabled on stand-alone servers.

Vulnerability:

The longer a password exists, the higher the likelihood that it will be compromised by a brute force attack, by an attacker gaining general knowledge about the user, or by the user sharing the password.

Best Practice:

Set maximum password age to a value between 30 and 90 days, depending on your environment. This way, an attacker has a limited amount of time to compromise a user's password and have access to your network resources.

Recommendation:

  • Using GUI,
    • Open the Active Directory Users and Computers tool.
    • In the directory tree, select the OU containing the account whose password you want to reset.
    • Choose Accounts. Then, select the account whose password you want to reset. Right-click its name and choose Reset Password from the context menu.
    • Enter the new password and click OK.
  • Using PowerShell,
    • Change a specified account password:

      Set-ADAccountPassword -Identity <account name> -Reset -NewPassword (ConvertTo-SecureString -AsPlainText "<new password>" -Force)

    • Set a password for an account using a distinguished name:

      Set-ADAccountPassword -Identity 'CN=<Common Name>,OU=<Organizational Unit>,DC=<Domain Component>,DC=<Domain Component>' -Reset -NewPassword (ConvertTo-SecureString -AsPlainText "<new password>" -Force)

Disable Guest Account

Description:

This security setting determines whether the Guest account is enabled or disabled. This account allows unauthenticated network users to gain access to the system by signing in as a Guest with no password. Unauthorized users can access any resources that are accessible to the Guest account over the network. This privilege means that any network shared folders with permissions that allow access to the Guest account, the Guests group, or the Everyone group will be accessible over the network. This accessibility can lead to the exposure or corruption of data.

Default:

Enabled on domain controllers. Disabled on stand-alone servers.

Vulnerability:

The default Guest account allows unauthenticated network users to sign in as a Guest with no password. These unauthorized users could access any resources that are accessible to the Guest account over the network. This capability means that any shared folders with permissions that allow access to the Guest account, the Guests group, or the Everyone group are accessible over the network, which could lead to the exposure or corruption of data.

Possible Values:

  • Enabled
  • Disabled
  • Not defined

Best Practice:

Set Guest account status to Disabled so that the built-in Guest account is no longer usable. All network users will have to authenticate before they can access shared resources on the system. If the Guest account is disabled and Network access: Sharing and security model for local accounts is set to Guest only, network logons—such as those logons performed by the SMB Service—will fail.

Recommendation:

  • Using GUI,
    • Follow the steps below in GPO.
      • Configure the policy value for Computer Configuration → Windows Settings → Security Settings → Local Policies → Security Options → "Accounts: Guest account status" to "Disabled"

Disable Inactive Users

Description:

This security rule determines if all the inactive Active Directory users were disabled.

Vulnerability:

Active Directory has an account for every user. Over time, users leave the organization and those user accounts may not get removed from Active Directory. Stale user accounts are a significant security issue, as former employees and external attackers could use those accounts to attack the organization. Stale accounts also use up space in the directory database that could be reclaimed.

Best Practice:

You should carry out regular checks to look for any user accounts that have not changed their passwords in the last three months, and then disable and remove those accounts from Active Directory. Users who are inactive for a period of 90 days need to be removed from the organization.

Recommendation:

  • Using GUI,
    • Open the Active Directory Users and Computers tool.
    • In the directory tree, select the OU containing the account that you want to delete.
    • Choose Accounts. Then, select the account you want to delete. Right-click its name and choose Delete from the context menu.
    • Choose "Yes" in the dialog box "Are you sure you want to delete this object?". This permanently deletes the selected account.
  • Using PowerShell,
    • Remove a specified account:

      Remove-ADUser -Identity <account name>

    • Remove an account by distinguished name:

      Remove-ADUser -Identity "CN=<Common Name>,OU=<Organizational Unit>,DC=<Domain Component>,DC=<Domain Component>"

Disable Local Administrative Account

Description:

This security rule determines whether the local administrator account is enabled or disabled.

Default:

Disabled.

Vulnerability:

The built-in Administrator account cannot be locked out no matter how many failed logons it accrues, making it a prime target for brute-force attacks that attempt to guess passwords. The account has a well-known Security Identifier (SID), and many non-Microsoft tools allow authentication by using only the SID rather than the account name. Therefore, even if you rename the Administrator account, an attacker could launch a brute-force attack by using the SID to log on.

Possible Values:

  • Enabled
  • Disabled

Best Practice:

It is best practice to keep the local Administrator account disabled.

Recommendation:

  • Using GUI,
    • Follow the steps below in GPO.
      • Configure the policy value for Computer Configuration → Windows Settings → Security Settings → Local Policies → Security Options → "Accounts: Administrator account status" to "Disabled".

Kerberos User Logon Restriction

Description:

This security rule determines if the Kerberos V5 Key Distribution Center (KDC) validates every request for a session ticket against the user rights policy of the user account. Validation of each request for a session ticket is optional, because the extra step takes time and it may slow network access to services.

Default:

Enabled.

Vulnerability:

If you disable this policy setting, users could receive session tickets for services that they no longer have the right to use because the right was removed after they logged on.

Possible Values:

  • Enabled
  • Disabled
  • Not defined

Best Practice:

If this policy setting is disabled, users might be granted session tickets for services that they do not have the right to use. It is advisable to set Enforce user logon restrictions to Enabled.

Recommendation:

  • Follow the steps below in GPO.
    • Configure the policy value for Computer Configuration → Windows Settings → Security Settings → Account Policies → Kerberos Policy → "Enforce user logon restrictions" to "Enabled".

Maximum Lifetime for Kerberos Service Ticket

Description:

This security rule determines the maximum amount of time (in minutes) that a granted session ticket can be used to access a particular service. The setting must be greater than 10 minutes and less than or equal to the setting for maximum lifetime for user ticket.

Default:

600 minutes (10 hours).

Vulnerability:

If you configure the value for the Maximum lifetime for service ticket setting too high, users might be able to access network resources outside their logon hours. In addition, users whose accounts have been disabled might be able to continue accessing network services by using valid service tickets that were issued before their account was disabled.

Possible Values:

  • A user-defined number of minutes from 10 through 99,999, or 0 (in which case service tickets don't expire).
  • Not defined

Best Practice:

It's advisable to set "Maximum lifetime for service ticket" to 600 minutes.

Recommendation:

  • Follow the steps below in GPO.
    • Configure the policy value for Computer Configuration → Windows Settings → Security Settings → Account Policies → Kerberos Policy → "Maximum lifetime for service ticket" to 600 minutes.

Account Lockout Threshold

Description:

This security rule determines the number of failed logon attempts that causes a user account to be locked out. A locked-out account cannot be used until it is reset by an administrator or until the lockout duration for the account has expired. You can set a value between 0 and 999 failed logon attempts. If you set the value to 0, the account will never be locked out.

Default:

0.

Vulnerability:

Brute force password attacks can be automated to try thousands or even millions of password combinations for any or all user accounts. Limiting the number of failed sign-ins that can be performed nearly eliminates the effectiveness of such attacks.

Possible Values:

  • A user-defined number from 0 through 999
  • Not defined

Best Practice:

The threshold that you select is a balance between operational efficiency and security, and it depends on your organization's risk level. To allow for user error while thwarting brute force attacks, the Windows security baselines recommend a value of 5 as an acceptable starting point for your organization.

Recommendation:

  • Using GUI,
    • Follow the steps below in GPO.
      • Configure the policy value for Computer Configuration → Windows Settings → Security Settings → Account Policies → Account Lockout Policy → "Account lockout threshold" to "5".

Account Lockout Duration

Description:

This security rule checks the number of minutes a locked-out account remains locked out before automatically becoming unlocked. The available range is from 0 minutes through 99,999 minutes. If you set the account lockout duration to 0, the account will be locked out until an administrator explicitly unlocks it.

Default:

None, because this policy setting only has meaning when an account lockout threshold is specified.

Vulnerability:

A Denial-of-Service (DoS) condition can be created if an attacker abuses the account lockout threshold policy setting and repeatedly attempts to sign in with a specific account. After you configure the account lockout threshold policy setting, the account will be locked out after the specified number of failed attempts.

Possible Values:

  • A user-defined number of minutes from 0 through 99,999 (if the Account lockout duration is set to 0, the account remains locked until an administrator unlocks it manually)
  • Not defined

Best Practice:

It's advisable to set Account lockout duration to approximately 30 minutes.

Recommendation:

  • Using GUI,
    • Follow the steps below in GPO.
      • Configure the policy value for Computer Configuration → Windows Settings → Security Settings → Account Policies → Account Lockout Policy → "Account lockout duration" to "30" minutes.

Session Timeout Duration

Description:

Windows notices inactivity of a logon session, and if the amount of inactive time exceeds the inactivity limit, then the screen saver will run, locking the session.

Default:

Not enforced.

Vulnerability:

A long session timeout makes unattended systems a potential entry point for attackers. This policy setting helps you prevent unauthorized access to devices under your control when the currently signed-in user leaves without deliberately locking the desktop.

Possible Values:

  • The automatic lock of the device is set in elapsed seconds of inactivity, which can range from zero (0) to 599,940 seconds (166.65 hours).
  • If the value is set to zero (0) or left blank, the policy setting is disabled and a user sign-in session is never locked, however long it remains inactive.

Best Practice:

Set the time for elapsed user-input inactivity based on the device's usage and location requirements. For example, if the device is in a public area, you might want to have the device automatically lock after a short period of inactivity to prevent unauthorized access. However, if the device is used by an individual or group of trusted individuals, such as in a restricted manufacturing area, automatically locking the device might hinder productivity. Setting the machine inactivity limit to 1000 seconds is recommended.

Recommendation:

  • Follow the steps below in GPO.
    • Configure the policy value for Computer Configuration → Windows Settings → Security Settings → Local Policies → Security Options → "Interactive logon: Machine inactivity limit" to "1000" seconds.

User Password Expiry

Description:

This security rule determines the period of time (in days) that a password can be used before the system requires the user to change it. You can set passwords to expire after a number of days between 1 and 999, or you can specify that passwords never expire by setting the number of days to 0. If the maximum password age is between 1 and 999 days, the minimum password age must be less than the maximum password age. If the maximum password age is set to 0, the minimum password age can be any value between 0 and 998 days.

Default:

42.

Vulnerability:

The longer a password exists, the higher the likelihood that it will be compromised by a brute force attack, by an attacker gaining general knowledge about the user, or by the user sharing the password. Configuring the maximum password age policy setting to 0 so that users are never required to change their passwords allows a compromised password to be used by the malicious user for as long as the valid user is authorized access.

Possible Values:

  • User-specified number of days between 0 and 999 (set to 0 so that users are never required to change their passwords)
  • Not defined

Best Practice:

Set maximum password age to 90 days, depending on your environment. This way, an attacker has a limited amount of time in which to compromise a user's password and have access to your network resources.

Recommendation:

  • Using GUI,
    • Follow the steps below in GPO.
      • Configure the policy value for Computer Configuration → Policies → Windows Settings → Security Settings → Account Policies → Password Policy → "Maximum password age" to "90" days.

Admin Accounts with old password

Description:

This security rule checks whether any admin accounts have passwords that were last set more than 90 days ago.

Vulnerability:

The longer a password exists, the higher the likelihood that it will be compromised by a brute force attack, by an attacker gaining general knowledge about the Admin, or by the Admin sharing the password.

Best Practice:

Reset the password once every 90 days. Use the below steps to reset the password.

Recommendation:

  • Using GUI,
    • Open the Active Directory Users and Computers tool.
    • In the directory tree, select the OU containing the account whose password you want to reset.
    • Choose Accounts. Then, select the account whose password you want to reset. Right-click its name and choose Reset Password from the context menu.
    • Enter the new password and click OK.
  • Using PowerShell,
    • Change a specified account password:

      Set-ADAccountPassword -Identity <account name> -Reset -NewPassword (ConvertTo-SecureString -AsPlainText "<new password>" -Force)

    • Set a password for an account using a distinguished name:

      Set-ADAccountPassword -Identity 'CN=<Common Name>,OU=<Organizational Unit>,DC=<Domain Component>,DC=<Domain Component>' -Reset -NewPassword (ConvertTo-SecureString -AsPlainText "<new password>" -Force)

Built-in Domain Administrator Account Usage

Description:

This security rule determines if any built-in administrator accounts have been active over the last 14 days.

Vulnerability:

Active Directory has a built-in Administrator account for specific needs, but it should not be used routinely. If the Administrator account is used regularly, its activity must be monitored. If any malicious activity is found, immediate action must be taken to prevent attackers from attacking the organization.

Best Practice:

You should carry out regular checks to look for any Administrator accounts that have been active within the last 2 weeks and ensure that the built-in Domain Administrator account's activity is legitimate and accounted for. If it is not accounted for, a breach is likely and should be investigated. Take action on those administrator accounts if any malicious activity is found.

Built-in Domain Administrator Account with Old Password

Description:

This security rule determines the period of time (in days) that a password can be used before the system requires the built in administrator user to change it. You can set passwords to expire after a number of days between 1 and 999, or you can specify that passwords never expire by setting the number of days to 0. If the maximum password age is between 1 and 999 days, the minimum password age must be less than the maximum password age. If the maximum password age is set to 0, the minimum password age can be any value between 0 and 998 days.

Vulnerability:

The longer a password exists, the higher the likelihood that it will be compromised by a brute force attack, by an attacker gaining general knowledge about the Administrator, or by the Administrator sharing the password.

Best Practice:

Reset the password once every 90 days.

Recommendation:

  • Using GUI,
    • Open the Active Directory Users and Computers tool.
    • In the directory tree, select the OU containing the account whose password you want to reset.
    • Choose Accounts. Then, select the account whose password you want to reset. Right-click its name and choose Reset Password from the context menu.
    • Enter the new password and click OK.
  • Using PowerShell,
    • Change a specified account password:

      Set-ADAccountPassword -Identity <account name> -Reset -NewPassword (ConvertTo-SecureString -AsPlainText "<new password>" -Force)

    • Set a password for an account using a distinguished name:

      Set-ADAccountPassword -Identity 'CN=<Common Name>,OU=<Organizational Unit>,DC=<Domain Component>,DC=<Domain Component>' -Reset -NewPassword (ConvertTo-SecureString -AsPlainText "<new password>" -Force)

Disabled Admin Accounts

Description:

This security setting displays all the admin accounts that are disabled.

Vulnerability:

Disabled admin user accounts take up unneeded space in the directory database and can be removed from it.

Best Practice:

You should carry out regular checks to look for privileged users that are disabled and remove those disabled privileged users from Active Directory.

Recommendation:

  • Using GUI,
    • Open the Active Directory Users and Computers tool.
    • In the directory tree, select the OU containing the account that you want to delete.
    • Choose Accounts. Then, select the account you want to delete. Right-click its name and choose Delete from the context menu.
    • Choose "Yes" in the dialog box "Are you sure you want to delete this object?". This permanently deletes the selected account.
  • Using PowerShell,
    • Remove a specified account:

      Remove-ADUser -Identity <account name>

    • Remove an account by distinguished name:

      Remove-ADUser -Identity "CN=<Common Name>,OU=<Organizational Unit>,DC=<Domain Component>,DC=<Domain Component>"

Inactive Enabled Admin Account

Description:

This security rule checks if all the enabled admin accounts are active over a specified time period.

Vulnerability:

Inactive admin accounts are a significant security issue, as former employees and external attackers could use those accounts to attack the organization. Inactive admin accounts also use up space in the directory database that could be reclaimed.

Best Practice:

You should carry out regular checks to look for any admin accounts that have not been active for 90 days and remove those admin accounts from Active Directory.

Recommendation:

  • Using GUI,
    • Open the Active Directory Users and Computers tool.
    • In the directory tree, select the OU containing the account that you want to delete.
    • Choose Accounts. Then, select the account you want to delete. Right-click its name and choose Delete from the context menu.
    • Choose "Yes" in the dialog box "Are you sure you want to delete this object?". This permanently deletes the selected account.
  • Using PowerShell,
    • Remove a specified account:

      Remove-ADUser -Identity <account name>

    • Remove an account by distinguished name:

      Remove-ADUser -Identity "CN=<Common Name>,OU=<Organizational Unit>,DC=<Domain Component>,DC=<Domain Component>"

Password Never Expired Users

Description:

This security rule checks if any users are configured with the Password Never Expires option.

Vulnerability:

Enabling the "Password Never Expires" option could lead to the password being compromised by a brute force attack, by an attacker gaining general knowledge about the user, or by the user sharing the password.

Possible Values:

  • Enabled
  • Disabled

Best Practice:

Disable the Password never expires option. It is best practice to uncheck the "Password never expires" check box while creating the user account.

Recommendation:

  • Using GUI,
    • Open the Active Directory Users and Computers tool.
    • In the directory tree, select the OU containing the account that you want to modify.
    • Choose Accounts. Then, select the account you want to modify. Right-click its name and choose Properties from the context menu.
    • Open the Account tab and, under Account options, uncheck the Password never expires check box.
  • Using PowerShell,

    Set-ADUser <account name> -PasswordNeverExpires $false
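An added example, not from the original page or the product, that performs a read-only audit of domain user accounts against the account-hygiene rules above (Users with old password, Disable Inactive Users, Disable Guest Account, Admin Accounts with old password, Built-in Domain Administrator Account Usage, Disabled Admin Accounts, Inactive Enabled Admin Account, Password Never Expired Users). It assumes the RSAT ActiveDirectory module on a domain-joined host; the 90-day and 14-day windows follow the rule text, and the list of privileged groups is an assumption.

```powershell
# Added example, not from the original page: read-only audit of AD user accounts against
# the account-hygiene rules above. Findings are printed; remediation is left to the operator.
Import-Module ActiveDirectory

$StalePasswordDays = 90      # Users with old password / Admin Accounts with old password
$InactiveDays      = 90      # Disable Inactive Users / Inactive Enabled Admin Account
$AdminActivityDays = 14      # Built-in Domain Administrator Account Usage
$PrivGroups        = 'Domain Admins', 'Enterprise Admins', 'Administrators'   # assumption
$Now = Get-Date

# Privileged set: recursive members of $PrivGroups, plus anyone with adminCount=1
# (stamped by AdminSDHolder, so it also catches accounts removed from the groups later).
$Privileged = @{}
foreach ($g in $PrivGroups) {
    try {
        Get-ADGroupMember -Identity $g -Recursive -ErrorAction Stop |
            Where-Object { $_.objectClass -eq 'user' } |
            ForEach-Object { $Privileged[$_.SamAccountName] = $true }
    } catch { Write-Warning "Could not enumerate '$g': $_" }
}

$Props = 'SamAccountName', 'Enabled', 'PasswordLastSet', 'LastLogonDate',
         'PasswordNeverExpires', 'AdminCount', 'SID', 'whenCreated'
$Users = Get-ADUser -Filter * -Properties $Props

function New-Finding($Rule, $User, $Detail) {
    [pscustomobject]@{ Rule = $Rule; Account = $User.SamAccountName; Enabled = $User.Enabled; Detail = $Detail }
}

$Findings = foreach ($u in $Users) {
    $isPriv = $Privileged.ContainsKey($u.SamAccountName) -or $u.AdminCount -eq 1
    $rid    = $u.SID.Value.Split('-')[-1]        # well-known RIDs: 500 Administrator, 501 Guest

    # LastLogonDate is derived from lastLogonTimestamp, which replicates with up to a 14-day
    # lag, so "idle days" is approximate. PasswordLastSet is $null while a change is pending.
    $pwdAge = if ($u.PasswordLastSet) { ($Now - $u.PasswordLastSet).Days } else { $null }
    $idle   = $null
    if ($u.LastLogonDate)   { $idle = ($Now - $u.LastLogonDate).Days }
    elseif ($u.whenCreated) { $idle = ($Now - $u.whenCreated).Days }   # never logged on

    if ($u.Enabled -and $pwdAge -gt $StalePasswordDays) {
        $rule = if ($isPriv) { 'Admin Accounts with old password' } else { 'Users with old password' }
        New-Finding $rule $u "password last set $pwdAge days ago"
    }
    if ($u.Enabled -and $idle -gt $InactiveDays -and $rid -ne '500') {
        $rule = if ($isPriv) { 'Inactive Enabled Admin Account' } else { 'Disable Inactive Users' }
        New-Finding $rule $u "no logon for ~$idle days"
    }
    if ($isPriv -and -not $u.Enabled) {
        New-Finding 'Disabled Admin Accounts' $u 'privileged but disabled; remove after review'
    }
    if ($u.PasswordNeverExpires) {
        New-Finding 'Password Never Expired Users' $u 'PasswordNeverExpires is set'
    }
    if ($rid -eq '500' -and $null -ne $idle -and $idle -le $AdminActivityDays) {
        New-Finding 'Built-in Domain Administrator Account Usage' $u "used ~$idle days ago; confirm it is accounted for"
    }
    if ($rid -eq '501' -and $u.Enabled) {
        New-Finding 'Disable Guest Account' $u 'built-in Guest account is enabled'
    }
}

$Findings | Sort-Object Rule, Account | Format-Table -AutoSize

# Remediation is intentionally manual. After review, the page's own cmdlets apply, e.g.:
#   $Findings | Where-Object Rule -eq 'Disable Inactive Users' |
#       ForEach-Object { Disable-ADAccount -Identity $_.Account -WhatIf }
#   $Findings | Where-Object Rule -eq 'Password Never Expired Users' |
#       ForEach-Object { Set-ADUser -Identity $_.Account -PasswordNeverExpires $false -WhatIf }
```

For the built-in Administrator usage rule, the replicated logon timestamp only shows that the account was used within roughly two weeks; confirming who used it and from where needs the domain controllers' logon events.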

Enforce Password History

Description:

This security rule checks if Active Directory was configured to prevent password reuse.

Vulnerability:

If password changes are required but password reuse isn't prevented, the effectiveness of a good password policy is greatly reduced. If you specify a low number for this policy setting, users can use the same small number of passwords repeatedly.

Possible Values:

You can specify a number from 0 to 24.

Best Practice:

Set Enforce password history to 24. This setting will help mitigate vulnerabilities that are caused by password reuse.

Recommendation:

  • Go to Start Menu → Administrative Tools → Group Policy Management.
  • In the console tree, expand the Forest and then Domains. Select the domain for which the Account policies have to be set.
  • Double-click the domain to reveal the GPOs linked to the domain.
  • Right-click Default Domain Policy and select Edit. A Group Policy Editor console will open.
  • Now, navigate to Computer Configuration → Windows Settings → Security Settings → Account Policies → Password Policy.
  • Double-click Password Policy. Right-click Enforce Password History Policy settings and select Properties to define the policy setting.
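An added example, not from the original page or the product, that compares the effective default domain password and lockout policy with the values recommended in the Minimum Password Length, Password Complexity, User Password Expiry, Enforce Password History, Account Lockout Threshold and Account Lockout Duration sections, and checks this host's Machine inactivity limit from the Session Timeout Duration section. It assumes the RSAT ActiveDirectory module; the registry location used for the inactivity limit is an assumption.

```powershell
# Added example, not from the original page: audit the default domain password/lockout
# policy and this host's inactivity limit against the recommended values above.
Import-Module ActiveDirectory

$Policy = Get-ADDefaultDomainPasswordPolicy      # the values the Default Domain Policy applies

# "Interactive logon: Machine inactivity limit" is persisted as InactivityTimeoutSecs under
# this policy key (assumption). A blank Actual below means it is not configured.
$RegPath    = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
$Inactivity = (Get-ItemProperty -Path $RegPath -Name InactivityTimeoutSecs -ErrorAction SilentlyContinue).InactivityTimeoutSecs

# Recommended values taken from the Best Practice text of each rule.
$Checks = @(
    @{ Rule = 'Minimum Password Length';   Actual = $Policy.MinPasswordLength
       Want = '8 or more';                 Test = { $args[0] -ge 8 } }
    @{ Rule = 'Password Complexity';       Actual = $Policy.ComplexityEnabled
       Want = 'Enabled';                   Test = { $args[0] -eq $true } }
    @{ Rule = 'User Password Expiry';      Actual = $Policy.MaxPasswordAge.Days
       Want = '1-90 days (0 = never)';     Test = { $args[0] -ge 1 -and $args[0] -le 90 } }
    @{ Rule = 'Enforce Password History';  Actual = $Policy.PasswordHistoryCount
       Want = '24';                        Test = { $args[0] -ge 24 } }
    @{ Rule = 'Account Lockout Threshold'; Actual = $Policy.LockoutThreshold
       Want = '1-5 (0 = never locks)';     Test = { $args[0] -ge 1 -and $args[0] -le 5 } }
    @{ Rule = 'Account Lockout Duration';  Actual = $Policy.LockoutDuration.TotalMinutes
       Want = '~30 min (0 = admin unlock; only meaningful if threshold > 0)'
       Test = { $args[0] -ge 30 -or $args[0] -eq 0 } }
    @{ Rule = 'Session Timeout Duration (this host)'; Actual = $Inactivity
       Want = '1-1000 s';                  Test = { $args[0] -ge 1 -and $args[0] -le 1000 } }
)

$Results = foreach ($c in $Checks) {
    $ok     = & $c.Test $c.Actual
    $status = if ($ok) { 'PASS' } else { 'FAIL' }
    [pscustomobject]@{ Rule = $c.Rule; Actual = $c.Actual; Recommended = $c.Want; Status = $status }
}
$Results | Format-Table -AutoSize

# Fine-Grained Password Policies override the default policy for the users they target,
# so list them as well; each one needs the same review.
Get-ADFineGrainedPasswordPolicy -Filter * |
    Select-Object Name, Precedence, MinPasswordLength, ComplexityEnabled, MaxPasswordAge,
                  PasswordHistoryCount, LockoutThreshold, LockoutDuration, AppliesTo |
    Format-Table -AutoSize

# Remediation: the GPO route described above (Default Domain Policy) is authoritative, and
# its settings are re-applied over values written directly. The cmdlet equivalent, -WhatIf only:
# Set-ADDefaultDomainPasswordPolicy -Identity (Get-ADDomain).DNSRoot -MinPasswordLength 8 `
#     -ComplexityEnabled $true -MaxPasswordAge '90.00:00:00' -PasswordHistoryCount 24 `
#     -LockoutThreshold 5 -LockoutDuration '00:30:00' -WhatIf
```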

Copyright © 2020, ZOHO Corp. All Rights Reserved.
