Security is always a HOT topic.

Recently there have been many global attacks, and as IT professionals we have to deal with them daily. Security involves many components, and no single person maintains all of them, but our concern here is Active Directory infrastructure security. We have created a list of Active Directory infrastructure security measures.

 

Table of Contents



Workstation

1) Windows 10 – PAW
2) Limit workstation-to-workstation communication
3) Restrict permissions on critical GPOs

Domain Controller

1) At least Windows 2012 R2 FFL & DFL
2) Active Directory three-tier design
3) Implement Secure LDAP (requires internal PKI infrastructure)
4) Implement DAC
5) Implement Authentication Policy & Authentication Policy Silo
6) Implement AppLocker
7) Implement Fine-Grained Password Policy
8) Remote Desktop Gateway to isolate Terminal Server logins, along with MFA
9) Privileged Group membership monitoring.
10) Critical Events monitoring.
11) Domain controller / critical server services monitoring
12) Software Restriction Policy
13) PowerShell Logging
14) Implement gMSA & remove normal service accounts (if supported by the application)
15) Implement Microsoft ATA
16) Restrict permissions on critical GPOs
17) Limit Server to Server communication using Windows Firewall
18) Use WinRM over HTTPS for remoting
19) Use certificates everywhere (not self-signed certificates)
20) Disable SMB1
21) Implement IPsec in the AD DS environment
22) Implement Smart Card (PKINIT)