Active Directory Security

Best practices for securing your AD and maintaining compliance.

Current state of AD security

Active Directory security is often described as a way of controlling the keys to your IT castle — a metaphor that has merit but also important limitations. Active Directory does function as a gatekeeper, determining who has which keys for entering your network, as well as which data and other resources each of those keys can unlock. But unlike a stone building, your IT environment is an incredibly dynamic place, with users constantly coming and going, employees taking on new roles, new applications being added and others being retired, and so on. Therefore, Active Directory security is not a once-and-done event, like changing the locks on a castle, but an ongoing process.

Read on for more tips on securing your Active Directory.

Balancing act

Active Directory security is a delicate balancing act. Continuing the castle metaphor, while a king or queen is free to mandate whatever security measures they desire from their subjects, IT pros must keep business needs firmly in mind. If security measures are too arduous, they will slow critical business processes and drive away talented staff. For example, it’s crucial to ensure that only the right people can access each person’s medical data — but it’s equally essential to ensure that medical teams can see a patient’s diagnoses and prescriptions in time to provide proper care. Plus, users find ways to work around security measures they find too inconvenient: Require them to create complex passwords that must be changed every thirty days, and you’ll soon find a lot of sticky notes on their desks, which undermines your goal of protecting their accounts from unauthorized access.

Security vs. compliance

It’s important to understand that while Active Directory security is closely tied to regulatory compliance, the two things are not identical. Many compliance regulations include requirements that directly affect AD security policies and procedures, but these mandates often extend into many other areas as well, such as physical access to office buildings, workforce training, and executive accountability. On the flip side, comprehensive AD security involves more than merely achieving compliance with one or more regulations.

Active Directory security is an essential part of many compliance regulations, including GDPR, CCPA, HIPAA, SOX and PCI-DSS. Failure to secure your Active Directory properly can result in a wide range of unpleasant consequences, including steep fines from regulators, jail time for executives, inability to process credit card transactions and loss of customer trust.

Security’s crucial role

Securing your Active Directory has to be a top priority because AD plays such a critical role in your IT infrastructure — literally controlling who can get into your network and what they can do once they’re inside. Failure to implement and maintain strong AD security dramatically increases your risk of users accessing data and applications they shouldn’t be able to use, either deliberately or accidentally. It also increases your vulnerability to attackers and malware taking over a user’s account — or, even worse, an administrator’s account — to steal your sensitive data, encrypt it for ransom, or simply wreak havoc on your IT systems. Even one successful attack on your Active Directory can cause long-lasting damage to your organization, or even put it out of business altogether.

Common security risks

Active Directory security risks arise primarily from lack of insight into and control over three key factors: who gets into your network, what they are permitted to do once they’re inside, and what activity is actually taking place. Some of these security risks have specific names, such as insider threats, spear-phishing, privilege escalation and lateral movement. However, the best way to address AD security risks is not to battle each of them individually; that scattershot approach only serves to drive up costs and add to IT system complexity, which actually compounds the problem instead of solving it.

Instead, the best strategy is to clean up your Active Directory and keep it orderly, and gain clear visibility into activity across your IT environment. Native tools give you only a small fraction of the functionality you need and require a great deal of time and effort to use, so it’s smart to invest in comprehensive solutions that automate and simplify the core processes required for strong Active Directory security.

Best practices for Active Directory

Active Directory has been around for a long time, so best practices are readily available that are proven to dramatically strengthen AD security and compliance. Implementing the following best practices will take you a long way towards your goal of minimizing the risks to your IT data and systems — and your organization’s future success.

Regular assessment

One of the most important Active Directory security best practices is to regularly review the state of your IT environment and proactively look for potential security and compliance issues. In particular, you should periodically compare the configuration settings on your Windows endpoints, domain controllers and other systems to a known good state, and then promptly remediate any unintended drift or malicious changes.

Also be sure to regularly review your Group Policy, which is used to apply standard settings across your users and computers. Group Policy can be used to control a wide range of activity; for example, you can prohibit users from accessing the Control Panel, using the command prompt or installing software. Even a single improper change to a Group Policy object (GPO), whether deliberate or accidental, could cause a great deal of damage. For instance, users might suddenly be able to insert USB drives and thereby release ransomware or other malware into your systems. Therefore, you need to make sure that your GPOs work as intended and be able to quickly spot and revert any improper or unauthorized changes to them.

In addition, ensure that your Windows Server operating systems and other software are up to date on patches and that you’re using only versions that are fully supported by the vendor.

Minimize user permissions

Perhaps the most fundamental bedrock best practice for IT security is the least-privilege principle. Give each user exactly the access they need to do their job, no more, no less. AD allows you to put users with similar roles (such as all helpdesk admins or all HR staff) into an AD security group and manage them together. Users can be — and usually are — members of multiple AD groups, such as project-based groups.

Using AD security groups is not merely a convenience for administrators; it improves security by reducing errors in provisioning and deprovisioning, and by minimizing the complexity of the permissions structure so it’s easier to say with certainty who has access to what.

Investigate security incidents

No matter how good your prevention efforts are, you will experience cybersecurity incidents, so you need to be prepared to investigate them quickly and respond appropriately. You need to be able to quickly determine where the breach originated, how it unfolded, and exactly what systems and data were involved. That way, you can hold individuals accountable for their actions and take steps to prevent similar incidents from occurring in the future.

Manage and monitor permissions

Manage user and group permissions

As stated earlier, the least-privilege principle is the most basic best practice for IT security. If you had to manually assign each user permissions to each resource individually — and keep those permissions up to date as users come and go and change roles within the organization — you’d be overwhelmed in no time flat, and your organization would be at high risk of data breaches and compliance failures.

The ability to create AD security groups and manage permissions for similar users together reduces the load. For example, a new sales manager can be given access to all the right resources just by adding them to both the Sales security group and the Sales Manager security group. Similarly, if there’s a new folder or file share that all salespeople need access to, you can simply grant the Sales group access to it, instead of having to add it to the individual user accounts one by one. Conversely, if a user moves from a Sales role to a different position in the organization, you can quickly remove their access to all Sales resources simply by removing them from the Sales group, instead of having to painstakingly look at each resource they have permissions to use and determine whether that access is still legitimate.

Control admin permissions

Of particular concern are Active Directory security groups that grant administrative-level privileges, such as the extremely powerful Enterprise Admins, Domain Admins and Schema Admins groups, as well as the local Administrator account that is created during the Windows installation and that has full control of the files, directories, services and other resources on the local computer. Organizations need to tightly control who is in these privileged access groups and be alert for any changes to their membership, which could indicate an attacker or malicious insider attempting to escalate their privileges to gain access to additional systems or data.
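The two checks recommended above, comparing the environment to a known good state (Regular assessment) and watching privileged group membership for changes, can be combined into one scheduled script. The following PowerShell is an added example, not Quest's code; it assumes the RSAT ActiveDirectory module is installed and uses a baseline file path that is a placeholder you would change.

```powershell
# Added example (not from Quest): snapshot the membership of the privileged AD groups
# named above and report drift against a saved, reviewed baseline.
# Assumptions: RSAT ActiveDirectory module; baseline path below is a placeholder.
Import-Module ActiveDirectory

$PrivilegedGroups = @('Enterprise Admins', 'Domain Admins', 'Schema Admins', 'Administrators')
$BaselinePath = 'C:\ADBaseline\privileged-groups.json'   # placeholder location

function Get-PrivilegedMembership {
    # Resolve nested membership so an account hidden two groups deep still shows up.
    # Enterprise Admins / Schema Admins exist only in the forest root, hence SilentlyContinue.
    $result = @{}
    foreach ($g in $PrivilegedGroups) {
        $members = Get-ADGroupMember -Identity $g -Recursive -ErrorAction SilentlyContinue |
                   Select-Object -ExpandProperty SamAccountName | Sort-Object -Unique
        $result[$g] = @($members)
    }
    return $result
}

function Save-PrivilegedBaseline {
    # Run once after a human review of the membership; this becomes the known good state.
    param([string]$Path = $BaselinePath)
    New-Item -ItemType Directory -Path (Split-Path $Path) -Force | Out-Null
    Get-PrivilegedMembership | ConvertTo-Json -Depth 3 | Set-Content -Path $Path
}

function Compare-PrivilegedMembership {
    # Emit one object per difference; additions are the escalation signal to act on first.
    param([string]$Path = $BaselinePath)
    $baseline = Get-Content -Path $Path -Raw | ConvertFrom-Json
    $current  = Get-PrivilegedMembership
    foreach ($g in $PrivilegedGroups) {
        $was = @($baseline.$g | Where-Object { $_ })
        $now = @($current[$g] | Where-Object { $_ })
        foreach ($m in ($now | Where-Object { $_ -notin $was })) {
            [pscustomobject]@{ Group = $g; Change = 'Added';   Member = $m }
        }
        foreach ($m in ($was | Where-Object { $_ -notin $now })) {
            [pscustomobject]@{ Group = $g; Change = 'Removed'; Member = $m }
        }
    }
}

# Usage: Save-PrivilegedBaseline once, then schedule Compare-PrivilegedMembership
# and route any output to your alerting; an empty result means no drift.
# Compare-PrivilegedMembership | Format-Table -AutoSize
```

Any "Added" row for Domain Admins or Enterprise Admins that nobody can account for should be treated as an incident, not a ticket, and the baseline is only re-saved after the change has been reviewed.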

Service account permissions

Service accounts are special user accounts that applications and services use to log on and perform actions in your IT environment. Unfortunately, service accounts frequently have far more permissions than they actually need, increasing your security risks. Common reasons for overprovisioning include meekly accepting the requirements specified by the application vendor, failing to properly work through operational challenges, and simply cloning an existing service account instead of taking the time to create a new one with the appropriate set of permissions.

The best practice, of course, is to ensure that all service accounts comply with the least-privilege principle. You also need to take special precautions whenever a service account needs administrative privileges. You should never make a service account a member of a standard administrative group, such as the local Administrators or Domain Admins group. Better options are to run the service under the LocalSystem account, or to create a custom group for the service account and explicitly deny access to other accounts for that group. In addition, whenever possible, it’s prudent to configure service accounts so they can log on only during a specified period of the day.
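The logon-window precaution above maps to the AD logonHours attribute. The PowerShell below is an added example, not Quest's code; it assumes the RSAT ActiveDirectory module, that logonHours is a 21-byte bitmap (168 bits, one per hour of the week, Sunday 00:00 first, evaluated in UTC, with bit n of byte b being hour 8*b+n), and uses a placeholder account name.

```powershell
# Added example (not from Quest): restrict a service account to a nightly logon window
# by writing the logonHours attribute. Assumptions: RSAT ActiveDirectory module;
# logonHours = 21 bytes / 168 hourly bits, Sunday 00:00 UTC first, bit n of byte b = hour 8*b+n.
Import-Module ActiveDirectory

function New-LogonHoursMask {
    # Build the bitmap: 0 everywhere (logon denied) except the daily window requested.
    param(
        [Parameter(Mandatory)][ValidateRange(0,23)][int]$StartHourUtc,
        [Parameter(Mandatory)][ValidateRange(1,24)][int]$DurationHours
    )
    $mask = New-Object byte[] 21
    for ($day = 0; $day -lt 7; $day++) {
        for ($i = 0; $i -lt $DurationHours; $i++) {
            # A window that crosses midnight wraps into the next day (Saturday wraps to Sunday).
            $hourOfWeek = ($day * 24 + $StartHourUtc + $i) % 168
            $byteIndex  = [int][math]::Floor($hourOfWeek / 8)
            $bit        = $hourOfWeek % 8
            $mask[$byteIndex] = $mask[$byteIndex] -bor (1 -shl $bit)
        }
    }
    return $mask
}

function Get-AllowedHoursPerWeek {
    # Reviewer sanity check: count the set bits so the window size can be confirmed before applying.
    param([byte[]]$Mask)
    $count = 0
    foreach ($b in $Mask) {
        for ($n = 0; $n -lt 8; $n++) { if ($b -band (1 -shl $n)) { $count++ } }
    }
    return $count
}

function Set-ServiceAccountLogonWindow {
    # Apply the window; the service's own scheduled start must fall inside it.
    param(
        [Parameter(Mandatory)][string]$SamAccountName,
        [int]$StartHourUtc = 22,
        [int]$DurationHours = 6
    )
    $mask = New-LogonHoursMask -StartHourUtc $StartHourUtc -DurationHours $DurationHours
    Set-ADUser -Identity $SamAccountName -Replace @{ logonHours = $mask }
}

# Usage with a placeholder account: allow logon only 22:00-04:00 UTC each night (42 hours/week).
# Get-AllowedHoursPerWeek (New-LogonHoursMask -StartHourUtc 22 -DurationHours 6)
# Set-ServiceAccountLogonWindow -SamAccountName 'svc-nightly-placeholder'
```

Because the bitmap is evaluated in UTC, convert the service's local schedule before choosing StartHourUtc, and test on one account first, since a logon attempt outside the window fails and will surface as a service start failure.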

Where can I get help with my AD environment?

Quest is the go-to vendor for Active Directory solutions. We can help you manage, secure, migrate and report on your AD environment to drive your business forward. Here’s where you can learn more:

Resources

Nine Best Practices to Reduce Active Directory Security Breaches and Insider Threats (E-book)
This ebook explores the anatomy of an AD insider threat and details the best defense strategies against it.

How to implement NIST, ESAE and Red Forest Cybersecurity Principles in Active Directory (White Paper)
Smart companies are adopting NIST Cybersecurity and Microsoft’s ESAE (“Red Forest”) as models for protecting credentials, particularly those that reside in Active Directory. Download your complimentary copy of this white paper today to learn more.

Enhancing Active Directory Security and Lateral Movement Security (E-book)
Limit lateral movement by attackers inside your network with these best practices and Quest solutions.

Randy Franklin Smith white paper: Securing Active Directory by Using the NIST Cybersecurity Framework (White Paper)
The NIST Cybersecurity Framework enables organizations to create a secure environment. Learn how to apply this framework to your AD and Microsoft environment.

Videos

TEC TALK - Office 365 & Azure Active Directory Security | Quest (Video, 01:03:26)
Learn how to prioritize Office 365 & Azure AD security for your remote workforce in this TEC Talk presented by Microsoft Certified Master, Sean Metcalf.

TEC Talk: Hardening Privileged Access (Video, 01:06:36)
Learn steps you can take to secure privileged Active Directory access.

Current state of AD security (Video, 03:01)
Join Sean Metcalf, Microsoft Certified Master, as he discusses what organizations are seeing and missing when it comes to Active Directory security.

Recovering from an AD security breach or disaster (Video, 04:15)
Join experts Sean Metcalf and Brian Desmond as they discuss the best practices for quickly dealing with and recovering from AD security breaches.

Common AD security pitfalls (Video, 03:21)
Join Sean Metcalf, Microsoft Certified Master, as he discusses the most common mistakes organizations make when it comes to Active Directory security.

Is your AD environment safe from the dark side? (Video, 03:10)
See how Quest Software and One Identity can protect your organization from Hank the Hacker and other forces poised to steal AD-controlled credentials and your valuable data.

Prepare for destructive AD cyber-attacks (Video, 10:59)
Learn how you can prepare for – and recover from – a destructive attack on your Active Directory.

How to reduce AD security risks and insider threats (Video, 01:32)
Hank the Hacker is back and he's ready to attack your Active Directory (AD) environment, whether on-premises or in the cloud. Worse yet, this time he brought friends. With Disgruntled Dan and Careless Craig, he has even more leverage to take control. That's why it's so important to get protected.

Read this informative e-book, Nine Best Practices for AD Security, and discover what you can do to protect your environment from insider threats. Explore:

  • Why attackers target AD and how the growing popularity of Office 365 increases the threat
  • What an AD security breach means to the organization
  • Why it is difficult to secure Active Directory using native auditing alone
  • How a typical insider threat unfolds and how to identify common insider threat indicators
  • How following nine critical security best practices will help you minimize the risk of internal threats to the availability, confidentiality and integrity of your AD

Blogs

Quest Active Directory Security Assessments Reveal Top 4 Issues: #1 Service Accounts (Part 1 of 3)
In Part 1 of our Quest Security Assessment series, we focus on the top vulnerabilities we have discovered in Active Directory: Service Accounts.

How to Continue Your AD Migration When Everyone is at Home
Some AD migrations must continue, even in this health crisis. This post outlines how you can move your migration forward even with a remote workforce.

In the Fog of War, You Need Options…Not Just One but Many! Quest Has You Covered.
When it comes to disaster recovery, you need a solution that fits your situation. Find out how Recovery Manager for Active Directory delivers both power and flexibility.

Insider’s Guide to a Malware Event — In Case of Fire, Break Glass
Malware can spread at an alarming rate. To protect your organization from these attacks, having a comprehensive, flexible disaster recovery plan is essential.

Be Very Afraid — When It Comes to AD Disaster Recovery, You Need Choices!
Learn about the true danger of malware attacks, why a solid disaster recovery plan is essential, and how to do AD recovery right the first time.

The Many Colors of AD Security – Microsoft Red Forest, Orange Forest, Greenfield or Blue?
Discover the different models of Active Directory (AD) security, including the Red and Orange Forest models, Greenfield migrations, and Blue Team.

Get started now

Your go-to vendor for securing your Active Directory environment.