Solved

Active Directory Security

Posted on 2014-02-18
Last Modified: 2014-02-25
There are many docs about this topic, but I haven't seen one that exactly shows HOW things should be done.
i.e. how can I protect our KDC from getting compromised? How about other critical parts in AD? It's obvious to use strong passwords, etc., but I need to have info about infrastructure security.
Anyone an idea?
Question by:DukewillNukem
 

Expert Comment

by:Jason Watkins
ID: 39867431
First, start with a complete and regular backup regimen for the DCs. If the worst were to happen, there is already a known path to recovery in those cases.

Place domain controllers behind firewalls. It is not enough that Windows Server has its own firewall; a third-party device should be used to secure all DCs from web connection attempts. No DC should be internet-facing; SBS is the exception there. A firewall can be used to restrict connections on the LAN as well. This could serve to protect your DCs from malware brought onto the network by visiting devices. Best that visiting devices have their own subnet, separated from the infrastructure servers.

Document as much as you can about the setup of the servers and Active Directory. Restrict membership in the Domain/Enterprise Admins groups to those folks that absolutely need that type of access. AD Restricted Groups can help with that task.
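The three infrastructure measures in the comment above (restrict who can reach the DC's management ports, keep the DC off the web, and back it up in an AD-aware way), as an added PowerShell example that is not part of the original thread. It assumes Windows Server 2012 or later with the NetSecurity module and Windows Server Backup installed; the admin subnet 10.10.50.0/24 and the backup volume E: are placeholders.

```powershell
# Added example, not from the original thread. Run elevated on the DC.
# Placeholders: adjust $AdminSubnet and $BackupTarget for your environment.
$AdminSubnet  = '10.10.50.0/24'   # management jump hosts only
$BackupTarget = 'E:'              # dedicated backup volume, not the OS disk

# 1. Management ports: keep the built-in RDP and WinRM rules, but scope them
#    to the admin subnet instead of "any address on the LAN".
#    ("Remote Desktop" and "Windows Remote Management" are the built-in
#    rule groups on Server 2012+; assumption if your build differs.)
foreach ($grp in 'Remote Desktop', 'Windows Remote Management') {
    Set-NetFirewallRule -DisplayGroup $grp -Profile Domain `
        -RemoteAddress $AdminSubnet -Enabled True
}

# 2. No browsing from the DC: block outbound HTTP/HTTPS to non-intranet
#    addresses. 'Internet' is a Windows Firewall address keyword, so WSUS or
#    CRL servers on internal subnets keep working. Block rules win over allow
#    rules in Windows Firewall, so no separate allow rule can override this.
New-NetFirewallRule -DisplayName 'DC - block outbound web to Internet' `
    -Direction Outbound -Action Block -Protocol TCP -RemotePort 80,443 `
    -RemoteAddress Internet -Profile Domain

# 3. AD-aware daily system state backup. A DC restored from a system state
#    backup gets a new invocation ID, so its replication partners handle the
#    restore correctly; reverting a VM snapshot instead can cause USN rollback.
wbadmin enable backup -addtarget:$BackupTarget -schedule:02:00 -systemState -quiet
```

Test the firewall change from a host outside the admin subnet before relying on it (`Test-NetConnection <dc> -Port 3389` should fail there and succeed from the admin subnet), and verify the backup job with `wbadmin get versions` after the first scheduled run.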
 

Author Comment

by:DukewillNukem
ID: 39867468
That's not specific at all.
How can I protect our KDC from getting compromised?

"a third-party device should be used to secure all DC's from web connection attempts." Which one?
"regular backup regimen for the DC's": how about the USN?
0
 

Expert Comment

by:Jason Watkins
ID: 39867490
What about the USN? The procedures and best practices for securing your environment are going to have to be developed on your end. There is no "one-size-fits-all" approach to computer security, which is a balance between functionality and security. Also, a security policy should be drawn up, outlining the goals of the security effort.
 

Author Comment

by:DukewillNukem
ID: 39867583
Yes, what about the USN? You cannot back up a DC without having a USN history.
"there is already a know path to recovery in those cases" Great. Which ones?

But I see, you are not capable of answering my questions such as:

How can I protect our KDC from getting compromised? etc.

Please provide valuable info. Thank you.

 

Expert Comment

by:Jason Watkins
ID: 39867607
I am more than capable of answering your question, but am trying to suggest choices that would encompass backing up the KDC and the USN (why back up just those things without backing up the whole DC?). Isolate your KDC, limit admin access to it, run A/V software, do not surf the web on it, that is how you keep the KDC from being compromised.

http://technet.microsoft.com/en-us/library/cc755494(v=ws.10).aspx
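"Limit admin access" in the comment above and "restrict membership in the Domain/Enterprise Admins groups" earlier in the thread are only as good as the check that enforces them. The following is an added PowerShell example, not code from the original thread: it expands each privileged group recursively and reports any member that is not on an explicit allow-list, so nested-group creep is caught. Restricted Groups in GPO does the enforcing; this script does the detecting. It assumes the ActiveDirectory module (RSAT or a DC), and the account names in the baseline are hypothetical.

```powershell
# Added example, not from the original thread. Run on a DC or an RSAT host.
Import-Module ActiveDirectory

# Expected membership by SamAccountName. Keep this list under change control.
# 'Schema Admins' should be empty outside a scheduled schema change.
# (All names here are hypothetical placeholders.)
$Baseline = @{
    'Domain Admins'     = @('Administrator', 'adm.jdoe')
    'Enterprise Admins' = @('Administrator')
    'Schema Admins'     = @()
    'Administrators'    = @('Administrator', 'adm.jdoe')
}

function Get-PrivilegedGroupDrift {
    param([Parameter(Mandatory)][hashtable]$Baseline)
    foreach ($group in $Baseline.Keys) {
        # -Recursive flattens nested groups to their leaf users/computers, so an
        # account hidden two groups deep still shows up in the comparison.
        # Enterprise Admins and Schema Admins exist only in the forest root domain.
        $members = @(Get-ADGroupMember -Identity $group -Recursive -ErrorAction Stop |
                     Select-Object -ExpandProperty SamAccountName)
        [pscustomobject]@{
            Group      = $group
            Unexpected = @($members | Where-Object { $Baseline[$group] -notcontains $_ })
            Missing    = @($Baseline[$group] | Where-Object { $members -notcontains $_ })
        }
    }
}

$drift = Get-PrivilegedGroupDrift -Baseline $Baseline |
         Where-Object { $_.Unexpected.Count -gt 0 -or $_.Missing.Count -gt 0 }

if ($drift) {
    $drift | Format-Table -AutoSize
    exit 1      # non-zero exit so a scheduled task or monitor can raise an alert
}
Write-Output 'Privileged group membership matches the baseline.'
```

Run it from a scheduled task and alert on the non-zero exit code; the "Unexpected" column is the list to investigate, and "Missing" catches an emergency account someone quietly removed.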
 

Author Comment

by:DukewillNukem
ID: 39867998
I'm sorry for questioning your capabilities, but:
those proposals you made are already in place.
Thanks for the link.
 

Author Comment

by:DukewillNukem
ID: 39881941
Any other solutions for how to harden our AD forest?
 

Accepted Solution

by: Jason Watkins (earned 500 total points)
ID: 39882452
