Active Directory Security

There are many docs about this topic, but I haven't seen one that exactly shows HOW things should be done.
I.e., how can I protect our KDC from getting compromised? How about other critical parts in AD? It's obvious to use strong passwords, etc., but I need to have info about infrastructure security.
Anyone have an idea?
DukewillNukem Asked:
 
Jason Watkins, IT Project Leader, Commented:
First, start with a complete and regular backup regimen for the DCs. If the worst were to happen, there is already a known path to recovery in those cases.

Place domain controllers behind firewalls. It is not enough that Windows Server has its own firewall; a third-party device should be used to secure all DCs from web connection attempts. No DC should be internet-facing; SBS is the exception there. A firewall can be used to restrict connections on the LAN as well. This could serve to protect your DCs from malware brought onto the network by visiting devices. It is best that visiting devices have their own subnet, separated from the infrastructure servers.

Document as much as you can about the setup of the servers and Active Directory. Restrict membership in the domain/enterprise admins groups to those folks that absolutely need that type of access. AD restricted groups can help with that task.
0
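
Added example, not part of the original thread or any participant's code: one way to check the advice above about restricting Domain Admins and Enterprise Admins membership is to compare the actual (nested) members against an approved list. The account names `adm-alice` and `adm-bob` and the function name `Compare-PrivilegedGroup` are constructed for illustration; the script assumes the ActiveDirectory (RSAT) module and is run against the forest root domain, where Enterprise Admins lives.

```powershell
# Audit privileged AD group membership against an approved list (read-only).
# Requires the ActiveDirectory module (RSAT) and read access to the directory.
Import-Module ActiveDirectory

# Assumption: constructed allow-list of sAMAccountNames; replace with your own.
$Approved = @{
    'Domain Admins'     = @('adm-alice', 'adm-bob')
    'Enterprise Admins' = @('adm-alice')
}

function Compare-PrivilegedGroup {
    param(
        [Parameter(Mandatory)][string]$GroupName,
        [string[]]$ApprovedMembers = @()
    )
    # -Recursive flattens nested groups, so accounts that are members only
    # through another group are reported as well.
    $actual = @(Get-ADGroupMember -Identity $GroupName -Recursive |
        Select-Object -ExpandProperty SamAccountName)

    # Accounts holding the privilege without being on the approved list.
    foreach ($m in $actual) {
        if ($ApprovedMembers -notcontains $m) {
            [pscustomobject]@{ Group = $GroupName; Account = $m; Finding = 'Not approved' }
        }
    }
    # Approved accounts that are missing (the list itself may be stale).
    foreach ($m in $ApprovedMembers) {
        if ($actual -notcontains $m) {
            [pscustomobject]@{ Group = $GroupName; Account = $m; Finding = 'Approved but absent' }
        }
    }
}

$findings = foreach ($g in $Approved.Keys) {
    Compare-PrivilegedGroup -GroupName $g -ApprovedMembers $Approved[$g]
}

if ($findings) {
    $findings | Sort-Object Group, Account | Format-Table -AutoSize
} else {
    Write-Output 'Privileged group membership matches the approved list.'
}
```

Run on a schedule, any "Not approved" row is a change to review before it becomes standing access.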
 
DukewillNukem (Author) Commented:
That's not specific at all.
How can I protect our KDC from getting compromised?

"a third-party device should be used to secure all DCs from web connection attempts." Which one?
"regular backup regimen for the DCs": how about the USN?
0

 
Jason Watkins, IT Project Leader, Commented:
What about the USN? The procedures and best practices for securing your environment are going to have to be developed on your end. There is no "one-size-fits-all" approach to computer security, which is a balance between functionality and security. Also, a security policy should be drawn up, outlining the goals of the security effort.
0
 
DukewillNukem (Author) Commented:
Yes, what about the USN? You cannot back up a DC without having a USN history.
"there is already a known path to recovery in those cases" Great. Which ones?

But I see, you are not capable of answering my questions, such as:

How can I protect our KDC from getting compromised? etc.

Please provide valuable info. Thank you.
0
 
Jason Watkins, IT Project Leader, Commented:
I am more than capable of answering your question, but am trying to suggest choices that would encompass backing up the KDC and the USN (why back up just those things without backing up the whole DC?). Isolate your KDC, limit admin access to it, run A/V software, do not surf the web on it; that is how you keep the KDC from being compromised.

http://technet.microsoft.com/en-us/library/cc755494(v=ws.10).aspx
0
 
DukewillNukem (Author) Commented:
I'm sorry for questioning your capabilities, but:
those proposals you made are already in place.
Thanks for the link.
0
 
DukewillNukem (Author) Commented:
Any other solutions for how to harden our AD forest?
0
Question has a verified solution.
