The security of your Windows environment is constantly changing. Whether a computer has just been installed or if it has been running for years, there is a great chance that it does not meet the security standards that you have for computers in your organization. To discover these incorrect security settings, you typically need to provide an internal or external security audit. When there is just a short amount of time, there are some key security settings that need to be audited for your Windows Active Directory enterprise. Here, we will investigate 5 of the more important security settings that need to be audited to protect your investment at the highest level.
Windows Active Directory Security
I have chosen these security settings for a few reasons. First, there are standard attacks that are launched on Windows environments which these security settings can help protect against, if configured correctly. Second, at the core of Windows are some security settings that are historically not configured to be secure by default. Without initial and routine checks of these settings, you might still be running one or more of your computers with these insecure default settings. Finally, from experience, these settings are often overlooked and not configured correctly, even on the most “secure” and seasoned networks.
#1 Password Policies
The password policies for an Active Directory domain are initially configured in the Default Domain Policy Group Policy Object (GPO). There are multiple settings under this category, which should be set to at least a standard level of security. You will need to check with your security policies to determine what these values have been set to for your enterprise. If you have not set these values in your security policies, here are some recommended values:
Table 1
Password Policy Setting
Recommended value range
Enforce password history
12 to 24 passwords remembered
Maximum password age
30 to 90 days
Minimum password age
1 to 3 days
Minimum password length
7 to 14 characters
Password must meet complexity requirements
Enabled
Store password using reversible encryption
Disabled
These settings are stored in the Default Domain Policy GPO by default, but they should not be audited there. Instead, a tool such as DUMPSEC or a domain controllers’ Local Security Policy (run GPEDIT.MSC from the Run command on a domain controller) should be analyzed. If DUMPSEC is used, the complexity requirements for the password won’t be gathered, causing another method to be used to get this information. The Local Security Policy provides all information for the audit of these settings.
#2 Account Lockout Policy
The account lockout policy controls what happens when a user fails to remember their password. Of course, to combat against attacks that try to guess and brute force attack these passwords, it is best to ensure the settings are configured to work with your security policy. If your security policy is not defined for these settings, the following table illustrates some best practice values for these settings.
Table 2
Account Lockout Policy Setting
Recommended value range
Account lockout duration
9999 (this can also be set to a lower number, such as 5, but should never be 0)
Account lockout threshold
3 to 5
Reset account lockout counter after
9999
These settings are stored in the Default Domain Policy GPO by default, but they should not be audited there. Instead, a tool such as DUMPSEC or a domain controllers’ Local Security Policy (run GPEDIT.MSC from the Run command on a domain controller) should be analyzed.
#3 Enterprise Admins Group Membership
The members of the Enterprise Admins is an essential group for an Active Directory enterprise. Members of this group can perform global changes to “enterprise” type of functions. These changes include modifying the Active Directory sites, enterprise DFS configurations, and the like. Members of this group also have control over all user accounts, group accounts, and computer accounts in the entire domain.
This group only exists in the root domain (first domain in Active Directory forest). Therefore, to audit this group, you only need to check in one domain of the Active Directory forest. This group should be limited to only a few administrators, if any at all. Since the members of the Domain Admins group in the root domain can add and remove members to this group, I do suggest this group has no members on a daily basis.
DUMPSEC does an excellent job of auditing this group. You can also just use the Active Directory Users and Computers to view the groups and users that have membership in this group.
#4 Schema Admins Group Membership
The Schema Admins group is just as powerful as the Enterprise Admins group, but over a totally different aspect of Active Directory. Members of the Schema Admins group can modify the Active Directory schema, which affects all domains in the forest. An errant modification to the schema could riddle the entire Active Directory enterprise crippled and corrupt.
This group also only exists in the root domain. Again, this group can have no members on a daily basis, as schema changes are rare and typically very controlled. By limiting the members, or eliminating them, changes can be better managed and controlled.
DUMPSEC does an excellent job of auditing this group. You can also just use the Active Directory Users and Computers to view the groups and users that have membership in this group.
#5 Domain Admins Group Membership
The one group that has global control over all users, groups, and computers in a single domain is the Domain Admins group. This group is very powerful and used on a daily basis. The members of this group should also be limited, but typically not empty. Instead of adding users to this group for domain functions, you should use Active Directory delegation. This provides granular control over all Active Directory functions, without giving away too much power like the Domain Admins group does. This group exists in all Active Directory domains and needs to be audited as such.
DUMPSEC does an excellent job of auditing this group. You can also just use the Active Directory Users and Computers to view the groups and users that have membership in this group.
Summary
Controlling the Active Directory environment at the basic level is essential. If the passwords associated with user accounts are too weak, can be compromised easily, are not changed often enough, or are not set at all, the network and enterprise is left vulnerable. Ensuring that these values in the password and account lockout policy are set appropriately and to best practice values will help prevent attacks on the passwords. In a like manner, the membership in the top three groups for the Active Directory enterprise need to be controlled and constantly monitored. If a user has this power of the Enterprise, Schema, or Domain Admins groups, severe damage and issues can be arise.
