• Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 211
  • Last Modified:

Active Directory Security

there are many docs about this topic,but i havent seen one that exactly shows HOW things should be done.
i.e. how can i protect our KDC for not getting compromised? how about other critical parts in AD? its obvious,to use strong passwords,etc. but i need to have info about infrastructure security.
anyone an idea?
0
DukewillNukem
Asked:
DukewillNukem
  • 4
  • 4
1 Solution
 
Jason WatkinsIT Project LeaderCommented:
First, start with a complete and regular backup regimen for the DC's. If the worst were to happen, there is already a know path to recovery in those cases.

Place domain controllers behind firewalls. It is not enough that Windows Server has its own firewall, a third-party device should be used to secure all DC's from web connection attempts. No DC should be internet-facing, SBS is the exception there. A firewall can be used to restrict connections on the LAN as well. This could serve to protect your DC's from mal-ware brought onto the network by visiting devices. Best that visiting devices have their own subnet, separated from the infrastructure servers.

Document as much as you can about the setup of the servers and active directory. Restrict membership in the domain/enterprise admins groups to those folks that absolutely need that type of access. AD restricted groups can help with that task.
0
 
DukewillNukemAuthor Commented:
thats not specific at all.
how can i protect our KDC for not getting compromised?

"a third-party device should be used to secure all DC's from web connection attempts." which one?
"regular backup regimen for the DC's": how about the USN?
0
 
Jason WatkinsIT Project LeaderCommented:
What about the USN? The procedures and best-practices for securing your environment are going to have to be developed on your end. There is no "one-size-fits-all" approach to computer security, which is a balance between functionality and security. Also, a security policy should be drawn-up, outlining the goals of the security effort.
0
SMB Security Just Got a Layer Stronger

WatchGuard acquires Percipient Networks to extend protection to the DNS layer, further increasing the value of Total Security Suite.  Learn more about what this means for you and how you can improve your security with WatchGuard today!

 
DukewillNukemAuthor Commented:
yes,What about the USN? you cannot backup a DC without having a USN history.
"there is already a know path to recovery in those cases"  great. which ones?

but i see, you are not capable answering my questions such as:

how can i protect our KDC for not getting compromised? etc.

pls provide valuable info.thank you
0
 
Jason WatkinsIT Project LeaderCommented:
I am more than capable of answering your question, but am trying to suggest choices that would encompass backing up the KDC and the USN (why back up just those things without backing up the whole DC?). Isolate your KDC, limit admin access to it, run A/V software, do not surf the web on it, that is how you keep the KDC from being compromised.

http://technet.microsoft.com/en-us/library/cc755494(v=ws.10).aspx
0
 
DukewillNukemAuthor Commented:
im sorry to questioning your capabilities,but:
those proposals you made are already in place.
thx for the link
0
 
DukewillNukemAuthor Commented:
any other solutions how to harden our AD forest?
0

Featured Post

Concerto's Cloud Advisory Services

Want to avoid the missteps to gaining all the benefits of the cloud? Learn more about the different assessment options from our Cloud Advisory team.

  • 4
  • 4
Tackle projects and never again get stuck behind a technical roadblock.
Join Now