Solved

Active Directory Security

Posted on 2014-02-18
8
187 Views
Last Modified: 2014-02-25
there are many docs about this topic,but i havent seen one that exactly shows HOW things should be done.
i.e. how can i protect our KDC for not getting compromised? how about other critical parts in AD? its obvious,to use strong passwords,etc. but i need to have info about infrastructure security.
anyone an idea?
0
Comment
Question by:DukewillNukem
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
  • 4
  • 4
8 Comments
 
LVL 27

Expert Comment

by:Jason Watkins
ID: 39867431
First, start with a complete and regular backup regimen for the DC's. If the worst were to happen, there is already a know path to recovery in those cases.

Place domain controllers behind firewalls. It is not enough that Windows Server has its own firewall, a third-party device should be used to secure all DC's from web connection attempts. No DC should be internet-facing, SBS is the exception there. A firewall can be used to restrict connections on the LAN as well. This could serve to protect your DC's from mal-ware brought onto the network by visiting devices. Best that visiting devices have their own subnet, separated from the infrastructure servers.

Document as much as you can about the setup of the servers and active directory. Restrict membership in the domain/enterprise admins groups to those folks that absolutely need that type of access. AD restricted groups can help with that task.
0
 

Author Comment

by:DukewillNukem
ID: 39867468
thats not specific at all.
how can i protect our KDC for not getting compromised?

"a third-party device should be used to secure all DC's from web connection attempts." which one?
"regular backup regimen for the DC's": how about the USN?
0
 
LVL 27

Expert Comment

by:Jason Watkins
ID: 39867490
What about the USN? The procedures and best-practices for securing your environment are going to have to be developed on your end. There is no "one-size-fits-all" approach to computer security, which is a balance between functionality and security. Also, a security policy should be drawn-up, outlining the goals of the security effort.
0
Visualize your virtual and backup environments

Create well-organized and polished visualizations of your virtual and backup environments when planning VMware vSphere, Microsoft Hyper-V or Veeam deployments. It helps you to gain better visibility and valuable business insights.

 

Author Comment

by:DukewillNukem
ID: 39867583
yes,What about the USN? you cannot backup a DC without having a USN history.
"there is already a know path to recovery in those cases"  great. which ones?

but i see, you are not capable answering my questions such as:

how can i protect our KDC for not getting compromised? etc.

pls provide valuable info.thank you
0
 
LVL 27

Expert Comment

by:Jason Watkins
ID: 39867607
I am more than capable of answering your question, but am trying to suggest choices that would encompass backing up the KDC and the USN (why back up just those things without backing up the whole DC?). Isolate your KDC, limit admin access to it, run A/V software, do not surf the web on it, that is how you keep the KDC from being compromised.

http://technet.microsoft.com/en-us/library/cc755494(v=ws.10).aspx
0
 

Author Comment

by:DukewillNukem
ID: 39867998
im sorry to questioning your capabilities,but:
those proposals you made are already in place.
thx for the link
0
 

Author Comment

by:DukewillNukem
ID: 39881941
any other solutions how to harden our AD forest?
0
 
LVL 27

Accepted Solution

by:
Jason Watkins earned 500 total points
ID: 39882452
0

Featured Post

Put Machine Learning to Work--Protect Your Clients

Machine learning means Smarter Cybersecurity™ Solutions.
As technology continues to advance, managing and analyzing massive data sets just can’t be accomplished by humans alone. It requires huge amounts of memory and storage, as well as high-speed processing of the cloud.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

This article shows the method of using the Resultant Set of Policy Tool to locate Group Policy that applies a particular setting.
A hard and fast method for reducing Active Directory Administrators members.
This video shows how to use Hyena, from SystemTools Software, to bulk import 100 user accounts from an external text file. View in 1080p for best video quality.
Are you ready to implement Active Directory best practices without reading 300+ pages? You're in luck. In this webinar hosted by Skyport Systems, you gain insight into Microsoft's latest comprehensive guide, with tips on the best and easiest way…

737 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question