Aug 2, 2021

AD Security Administration Best Practices

Secure AD Administration

  • Separate accounts for each administrative tier
    • Tier 2: workstations
    • Tier 1: servers
    • Tier 0: AD/DC, PKI, ADFS, AAD connect, etc.
  • AD admins only use admin workstations
  • AD admins only log on to admin servers/DCs
  • Block AD admin groups from logging on to workstations & servers via Group Policy
  • Limit DC management protocols (RDP, WMI, WinRM) to AD admin systems/subnets
  • Limit service accounts with privileged AD rights

Secure AD Admin OU

  • Create a new top-level OU in the domain
    • E.g.: Management, AD Management, Administrative, etc.
  • Modify security so Authenticated Users don't have view access
    • Remove Authenticated Users from OU permissions.
  • Block GPO inheritance. Create, apply & link Admin OU-specific GPOs.
  • Create child OUs
    • Admin Servers
    • Admin Workstations
    • Admin Accounts
    • Admin Groups
  • Place all AD Admin related objects (users/groups) in this OU structure
  • Only AD Admins have:
    • Modify rights to this OU structure
    • Modify/Owner rights to GPOs linked to this OU

Securing AD: Level 1

  • Randomize computer local Administrator account passwords. (MS LAPS)
  • Minimize groups/users with DC admin/logon scripts.
  • Separate user and admin accounts
  • No user accounts in admin groups
  • Admin accounts = "sensitive and cannot be delegated"
  • All AD Admin accounts added to "Protected Users" group
  • Long and complex (> 25 characters) passwords for service accounts (SA)
  • Set GPO to prevent local accounts from connecting over network to computers.
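An added PowerShell audit (not code from the original post) that checks the Level 1 controls above and the "Secure AD Admin OU" placement rule for every user in the built-in AD admin groups. It assumes the RSAT ActiveDirectory module is installed, read access to the domain, and a placeholder Admin OU path of OU=AD Management,DC=example,DC=com.

```powershell
# Added example: audit privileged accounts against the checklist above.
# Assumptions: RSAT ActiveDirectory module; $AdminOU is a placeholder for
# the top-level Admin OU created per the "Secure AD Admin OU" section.
Import-Module ActiveDirectory

$AdminOU     = 'OU=AD Management,DC=example,DC=com'   # placeholder, adjust to your domain
$adminGroups = 'Domain Admins', 'Enterprise Admins', 'Administrators'

# DNs of everyone already in Protected Users, for a fast membership lookup.
$protectedDNs = Get-ADGroupMember -Identity 'Protected Users' -Recursive |
                Select-Object -ExpandProperty DistinguishedName

$findings = foreach ($group in $adminGroups) {
    Get-ADGroupMember -Identity $group -Recursive |
      Where-Object { $_.objectClass -eq 'user' } |
      Get-ADUser -Properties AccountNotDelegated, servicePrincipalName |
      ForEach-Object {
        [PSCustomObject]@{
            Group            = $group
            SamAccountName   = $_.SamAccountName
            # "Account is sensitive and cannot be delegated" flag
            NotDelegated     = [bool]$_.AccountNotDelegated
            # All AD admin accounts should be in Protected Users
            InProtectedUsers = $protectedDNs -contains $_.DistinguishedName
            # Admin objects belong under the dedicated Admin OU; an account
            # outside it is likely a regular user account holding admin rights
            InAdminOU        = $_.DistinguishedName -like "*,$AdminOU"
            # An SPN on a privileged account means a service account with
            # privileged AD rights, which the checklist says to limit
            HasSPN           = (@($_.servicePrincipalName).Count -gt 0)
        }
      }
}

# Report only accounts that fail at least one check.
$findings |
  Where-Object { -not $_.NotDelegated -or -not $_.InProtectedUsers -or
                 -not $_.InAdminOU -or $_.HasSPN } |
  Sort-Object Group, SamAccountName -Unique |
  Format-Table -AutoSize
```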

Securing AD: Level 2

  • Service Accounts (SA):
    • Leverage "(Group) Managed Service Accounts"
    • Implement Fine-Grained Password Policies (DFL > 2008)
    • Limit SA to systems of the same security tier, not shared between workstations and servers.
    • Ensure passwords are >25 char
  • Ensure all computers are talking NTLMv2 & Kerberos, deny LM/NTLMv1
  • Disable SMBv1
  • Separate Admin workstations for administrators (locked-down and no Internet)
  • No Domain Admin service account on non-DCs
  • Limit management protocol access on DC to admin subnets
    • RDP, WMI, WinRM, etc.

Securing AD: Level 3

  • Complete separation of administration
  • AD Admins never log on to another security tier
  • AD Admins should only log on to a DC (or an admin workstation or admin server)
  • Time-based, temporary group membership
  • Restrict workstation to workstation communication with host firewalls
    • AD clients don't need special rules, default Block All Inbound works (add exceptions for authorized management systems)
  • Implement network segmentation
    • Start by reserving IP ranges/VLANs by device type (routers, switches, DCs, servers, workstations, printers, etc.).

Protect Admin Creds

  • Ensure all admins only log on to approved admin workstations and servers.
  • Add all admin accounts to Protected Users group (requires Windows 2012 R2 DC).
  • Admin workstation and server:
    • Control and limit access to admin workstations and servers.
    • Remove NetBIOS over TCP/IP.
    • Disable LLMNR.
    • Disable WPAD.

Additional Mitigations

  • Enable NTLM Auditing on DC.
  • Enable SMB Auditing on DC and file servers.
  • Enable PowerShell logging everywhere and send to SIEM.
  • Monitor scheduled tasks on sensitive systems (DC, etc)
  • Block Internet access to DC and servers.
  • Change the KRBTGT account password (twice) every year and when an AD admin leaves
  • Use Invoke-TrimarcADChecks (https://trimarc.co/ADCheckScript) to help identify problematic AD configurations.