Top 10 Security Settings to make directly after Installing Active Directory
Installing Active Directory is not all that difficult. However, once you get it installed, there is still plenty of work that needs to be done. The first stage of configuration of Active Directory is securing it. There are many areas that need attention and many settings that need to be altered to prepare it for secure action on your network. Let's take a look at the initial settings that you should make to get Active Directory secure for your network before you dive into setting up the entire structure.
Create an Administrative Account for Yourself
After you install Active Directory, you must take immediate action to protect your asset. Not only do you need to protect your new Active Directory asset, you must create a world from which you can administer from safely. To do this, you will need to create a new user account that is used by you when administering anything related to Active Directory.
This means that you should NOT use the built-in Administrator account for routine or otherwise normal administration of Active Directory!
Once this new user account is created, you will need to add it to the Domain Admins group. Since you only have the single domain at this point, this will provide you with the ability to do anything within this domain that you need to.
By having membership in the Domain Admins group in the root domain (first domain in the forest), you will have the ability to add or remove users from the Schema Admins and Enterprise Admins groups. Therefore, there is no reason to have membership in these groups until you need to perform an action requiring this level of privilege.
During the creation of your user account, you should make the password long and complex. This will help protect the account against would be attackers and hackers. If the password is weak, it will be too easy to hack the password and gain access to the domain as an administrator.
Set a Complex and Long Password for the Administrator Account
Now that you have an account to administer the domain, you should protect the built-in Administrator account to the fullest. Initially, you need to protect this accounts password. At the minimum, you need to make the password to this account long (preferably 15 to 20 characters) and complex. Examples of such passwords include:
- I wish I drove a Porsche 930 Turbo.
- Pizza is best with hot Italian sausage.
- There is no better sport than NCAA Final Four basketball.
Note that all of these are very long and use at least three types of characters in each password.
Rename the Administrator Account in first AD Domain
This tip will not be the most technical or advanced that you will hear, but you should do it anyway. Change the name of the built-in Administrator account to something else. Suggestions include a similar format to the other user accounts (JohnDoe, GatesBill, SLJackson, etc.) This will help protect the account from the routine and simpleton hackers. Of course, this does not alter the SID for the account, but at least a quick browse of the user list won't make it too easy to spot.
Set Password Policy in Default Domain Policy
There have been articles upon articles written on how to correctly set the password policy for a domain to reduce the attack surface for an attacker. Unless these measures are taken, the network is vulnerable. Therefore, in the Default Domain Policy the Password Policy settings must be set, as shown in Figure 1.
Here are some guidelines to follow for setting these policies:
Min Password Age
Max Password Age
Min Password Length
Set Account Lockout Policy in Default Domain Policy
The account lockout policy settings have been a debatable topic for a long time. There are really two sides to this debate. The first side says that the password must be locked out from the user if there are 3 or more failed attempts to input the password. The second side says that there should be an unlimited number of password attempts given for a user to logon, even if they don't remember their password at all.
The debate is rather simple in nature, as are the points on each side. The issue with having the password being locked out only after a few attempts is that an attacker or disgruntled employee could lock out other accounts, including IT staff, executives, etc with just a simple script.
For the second side, the debate is that an unlimited number of attempts allows a would be attacker an open slate to hack into the account, by guessing many passwords.
From my standpoint, the option to allow a near unlimited number of password attempts is better and more secure. If you follow good password restrictions for complexity and length, it would be nearly impossible for someone to guess the password using a method where they must input the password to a graphical interface, or even put a script to it. Therefore, I suggest that a good secure setting is somewhere in the 100's of attempts before the account becomes locked out.
Figure 2 shows the options for setting the Account Lockout Policy.
Create Organizational Unit(s) for User Accounts
In order for user accounts and their settings on their desktop to be controlled you will need to create an organizational unit (OU) for the user accounts. The user accounts by default are all located in a container named "Users", which can't have any Group Policy Objects (GPOs) linked to it.
You will not only want to create a single OU for user accounts, but in most cases, you will want to create a hierarchy or logically structured OUs for the user accounts. This will allow you to control which GPO settings affect which user accounts. Ideas for logical structures of OUs for user accounts include OUs for:
- Departments such as HR, IT, Finance, etc.
- Regions such as NorthEast, Asia, Branch1, etc.
- Job Roles such as Managers, Executives, HelpDesk, etc.
Create Organizational Unit(s) for Computer Accounts
You will want to create OUs for your computer accounts too, for the same reason as the user accounts. Here, you will want to consider the types of computers that you have, which might fall under these different categories:
- Servers such as IIS, Exchange, application, etc.
- Desktops such as IT, HR, mobile, etc.
Create a GPO and link to new OU for Computer Accounts
To ensure that computers are secure when they come into the domain, it is ideal to have a set of security settings waiting for when they join the domain. To do this, you only need to create a GPO and link it to the OU(s) for the computer accounts that you just created. Ideas for the settings that you should include in the GPO include:
- Enable UAC
- Reset local Admin password
- Control membership of Administrators group
- Control anonymous connections
- Control logon authentication protocols supported
Configure DNS properly to Forward
Most companies will need this setup, but not all. However, based on what I have seen in the field, most companies need to address their DNS configuration immediately to allow access to the Internet, but to also protect DNS that supports AD. In order to do this, you need to configure DNS that supports the Active Directory environment such that it forwards all Internet requests to a DNS server that supports the Internet. This will require the following settings:
- Configure all clients of domain to use AD based DNS
- Configure AD DNS servers to forward requests to outward facing DNS servers.
Rename all Administrator Accounts in all Domains
You should rename the Administrator account in the local Security Accounts Manager (SAM) of every computer (server and desktop) in the domain, as well as for every new domain that you add to the forest. You can do this via a GPO, shown in Figure 3, which will make the configuration easy and efficient. Again, this will not eliminate an attacker finding out the new name, but it will go a long way in reducing the weekend attackers from just getting into the system with the default name.
When you get Active Directory installed and running, you are only just beginning your configurations. To ensure that you have a stable and secured Active Directory, you must make some immediate settings to get things correctly secured and configured. You need to address the administration of the domain, including the built-in Administrator account and the accounts that will be used to manage Active Directory on a daily basis. For controlling users and desktops in the environment, you need to make settings that allow you to secure the password of the user, as well as control the desktops and user accounts via Group Policy. If you make these important security related settings after you install Active Directory, you will have done yourself well in helping secure your network and company.