Solved

Active Directory Security

Posted on 2014-02-18
8
192 Views
Last Modified: 2014-02-25
there are many docs about this topic,but i havent seen one that exactly shows HOW things should be done.
i.e. how can i protect our KDC for not getting compromised? how about other critical parts in AD? its obvious,to use strong passwords,etc. but i need to have info about infrastructure security.
anyone an idea?
0
Comment
Question by:DukewillNukem
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
  • 4
  • 4
8 Comments
 
LVL 27

Expert Comment

by:Jason Watkins
ID: 39867431
First, start with a complete and regular backup regimen for the DC's. If the worst were to happen, there is already a know path to recovery in those cases.

Place domain controllers behind firewalls. It is not enough that Windows Server has its own firewall, a third-party device should be used to secure all DC's from web connection attempts. No DC should be internet-facing, SBS is the exception there. A firewall can be used to restrict connections on the LAN as well. This could serve to protect your DC's from mal-ware brought onto the network by visiting devices. Best that visiting devices have their own subnet, separated from the infrastructure servers.

Document as much as you can about the setup of the servers and active directory. Restrict membership in the domain/enterprise admins groups to those folks that absolutely need that type of access. AD restricted groups can help with that task.
0
 

Author Comment

by:DukewillNukem
ID: 39867468
thats not specific at all.
how can i protect our KDC for not getting compromised?

"a third-party device should be used to secure all DC's from web connection attempts." which one?
"regular backup regimen for the DC's": how about the USN?
0
 
LVL 27

Expert Comment

by:Jason Watkins
ID: 39867490
What about the USN? The procedures and best-practices for securing your environment are going to have to be developed on your end. There is no "one-size-fits-all" approach to computer security, which is a balance between functionality and security. Also, a security policy should be drawn-up, outlining the goals of the security effort.
0
Office 365 Training for IT Pros

Learn how to provision tenants, synchronize on-premise Active Directory, implement Single Sign-On, customize Office deployment, and protect your organization with eDiscovery and DLP policies.  Only from Platform Scholar.

 

Author Comment

by:DukewillNukem
ID: 39867583
yes,What about the USN? you cannot backup a DC without having a USN history.
"there is already a know path to recovery in those cases"  great. which ones?

but i see, you are not capable answering my questions such as:

how can i protect our KDC for not getting compromised? etc.

pls provide valuable info.thank you
0
 
LVL 27

Expert Comment

by:Jason Watkins
ID: 39867607
I am more than capable of answering your question, but am trying to suggest choices that would encompass backing up the KDC and the USN (why back up just those things without backing up the whole DC?). Isolate your KDC, limit admin access to it, run A/V software, do not surf the web on it, that is how you keep the KDC from being compromised.

http://technet.microsoft.com/en-us/library/cc755494(v=ws.10).aspx
0
 

Author Comment

by:DukewillNukem
ID: 39867998
im sorry to questioning your capabilities,but:
those proposals you made are already in place.
thx for the link
0
 

Author Comment

by:DukewillNukem
ID: 39881941
any other solutions how to harden our AD forest?
0
 
LVL 27

Accepted Solution

by:
Jason Watkins earned 500 total points
ID: 39882452
0

Featured Post

Get 15 Days FREE Full-Featured Trial

Benefit from a mission critical IT monitoring with Monitis Premium or get it FREE for your entry level monitoring needs.
-Over 200,000 users
-More than 300,000 websites monitored
-Used in 197 countries
-Recommended by 98% of users

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

A project that enables an administrator to perform actions within a user session context not just at the time of login but any time later on day(s) or week(s) later.
A company’s centralized system that manages user data, security, and distributed resources is often a focus of criminal attention. Active Directory (AD) is no exception. In truth, it’s even more likely to be targeted due to the number of companies …
This Micro Tutorial hows how you can integrate  Mac OSX to a Windows Active Directory Domain. Apple has made it easy to allow users to bind their macs to a windows domain with relative ease. The following video show how to bind OSX Mavericks to …
Attackers love to prey on accounts that have privileges. Reducing privileged accounts and protecting privileged accounts therefore is paramount. Users, groups, and service accounts need to be protected to help protect the entire Active Directory …

717 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question