Security Hardening for
Active Directory and Windows Servers

Derek Melber, Active Directory MVP


Security is finally getting the attention it deserves in Microsoft Windows environments. We have turned a blind eye to inappropriate, weak, and soft security settings for too long, and the result is that attackers are more successful than ever before. With attacks such as Pass-the-Hash, Pass-the-Ticket, and other attacks against corporate networks that take advantage of privileged access, our company assets are now at risk.

In order to fix our current security issues we must take action. Unfortunately, the fix for our security situation is not a quick one. If we consider that it took us a long time to get into this situation, it makes sense that the fix will not be immediate either.

I don't believe that the fix is a piece of software or an application. That is like putting a bandage on a finger that has been cut off: it might help for the moment, but in the end the solution must be far more drastic. If you want a larger, more intrusive solution, you could go with the "future" solution that Microsoft is suggesting, which is a combination of Just In Time (JIT) administration and Just Enough Administration (JEA), which you can see first hand by watching this video. After watching this video, we at ManageEngine felt the need to develop this site, which is meant to guide you to a more realistic and solid solution. I give you a little insight into my views of JIT and JEA here.

If technology from Microsoft or any other vendor is not the fix, then what is the fix?

I believe that the fix is a complete investigation into who has elevated privileges throughout the Microsoft Windows environment, followed by a reconfiguration of the settings that grant those privileges so that only the correct users have the appropriate access. This is a multistep, yet straightforward, process:

     1. Use built-in, free, and inexpensive tools to report on the current configurations that grant privileges.

     2. Analyze the reports to discover who has privileges.

     3. Configure the areas that grant privileges so that only the correct users have privileges. (This is the security hardening!)

     4. Now that the security hardening is in place, we know that only the correct users have elevated privileges. From here on we only need to monitor changes to who has privileges, to ensure there is no drift from our security hardening.
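The following PowerShell script is an added example of steps 1 and 4 above, not code from the original page or from ManageEngine. It reports the recursive membership of the built-in Active Directory groups that grant elevated privileges (step 1), saves that report as a baseline once the hardening is done, and on later runs lists every principal added to or removed from those groups since the baseline (step 4). It assumes the ActiveDirectory module from RSAT is installed on a domain-joined host, and the group list and baseline path are illustrative assumptions you should adjust to your environment.

```powershell
# Added example (not from the original page): report privileged AD group
# membership and detect drift against a saved baseline.
# Assumes the ActiveDirectory module (RSAT) on a domain-joined host.
Import-Module ActiveDirectory

# Built-in groups that grant elevated privileges in a default domain.
# Assumed list for illustration; add your own delegated admin groups here.
$PrivilegedGroups = @(
    'Domain Admins', 'Enterprise Admins', 'Schema Admins', 'Administrators',
    'Account Operators', 'Server Operators', 'Backup Operators',
    'Print Operators', 'DnsAdmins', 'Group Policy Creator Owners'
)

function Get-PrivilegedMembership {
    # Step 1: one row per (group, member). -Recursive expands nested groups,
    # so a user reaching Domain Admins through three levels of nesting is
    # still reported.
    foreach ($GroupName in $PrivilegedGroups) {
        $Group = Get-ADGroup -Filter "Name -eq '$GroupName'" -ErrorAction SilentlyContinue
        if (-not $Group) { continue }   # e.g. DnsAdmins is absent without AD-integrated DNS
        Get-ADGroupMember -Identity $Group -Recursive | ForEach-Object {
            [pscustomobject]@{
                Group             = $GroupName
                Member            = $_.SamAccountName
                ObjectClass       = $_.objectClass
                DistinguishedName = $_.distinguishedName
            }
        }
    }
}

function Get-MembershipKey {
    # A stable identity for one membership row, used for the comparison below.
    param([Parameter(Mandatory)] $Entry)
    return "$($Entry.Group)|$($Entry.Member)"
}

function Compare-PrivilegedBaseline {
    # Step 4: compare the live report against the baseline captured after
    # hardening. The first run (or -UpdateBaseline) writes the baseline.
    param(
        [Parameter(Mandatory)] [string] $BaselinePath,
        [switch] $UpdateBaseline
    )
    $Current = @(Get-PrivilegedMembership)

    if ($UpdateBaseline -or -not (Test-Path $BaselinePath)) {
        $Current | Export-Csv -Path $BaselinePath -NoTypeInformation
        Write-Host "Baseline written to $BaselinePath ($($Current.Count) memberships)."
        return
    }

    # @() keeps an empty baseline file from yielding $null.
    $Baseline     = @(Import-Csv -Path $BaselinePath)
    $BaselineKeys = @($Baseline | ForEach-Object { Get-MembershipKey $_ })
    $CurrentKeys  = @($Current  | ForEach-Object { Get-MembershipKey $_ })

    $Added   = $Current  | Where-Object { $BaselineKeys -notcontains (Get-MembershipKey $_) }
    $Removed = $Baseline | Where-Object { $CurrentKeys  -notcontains (Get-MembershipKey $_) }

    foreach ($Row in $Added)   { [pscustomobject]@{ Change = 'Added';   Group = $Row.Group; Member = $Row.Member } }
    foreach ($Row in $Removed) { [pscustomobject]@{ Change = 'Removed'; Group = $Row.Group; Member = $Row.Member } }
}

# Usage (path is an assumption): first run records the baseline, later runs
# print only the drift. An empty result means no change since hardening.
Compare-PrivilegedBaseline -BaselinePath 'C:\Hardening\privileged-baseline.csv' | Format-Table -AutoSize
```

Schedule the comparison daily with Task Scheduler under a read-only account; an "Added" row for a group such as Domain Admins that nobody requested is exactly the drift step 4 is meant to catch. Step 1 also covers local groups and user rights on member servers, which this script does not touch; Get-LocalGroupMember and secedit /export /cfg are the built-in starting points for those.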

In order to secure your Windows servers and Active Directory, you will need to cover a lot of areas. The areas that we will cover on this site to help you create your security hardening include:

 Security Hardening 
 Local users and groups 
 Active Directory Users 
 Efficient Active Directory User Management 
 Active Directory groups 
 User Rights  
 Active Directory Delegation  
 Group Policy Delegation  
 Password Management 
 Auditing and Monitoring of Active Directory 
 Service Accounts 
This list may seem short, but the effort will not be. Even for a medium-sized organization with a few hundred servers, this task should take approximately 2 to 3 weeks of semi-dedicated time. To guide you through the process, let me give you some insight into the concepts of security hardening, located here.