AD Security: Best Practices for Your Active Directory!

The fundamental role Active Directory plays in Windows environments also makes it one of the most popular targets for hackers and cybercriminals. Protecting your AD from attacks is a top priority for any organization. But what does good Active Directory security look like in practice? Our guide explains the best practices for AD security, as well as how to avoid common mistakes.

What Is AD Security?

The term AD security refers to any steps, settings and safety measures used to protect Microsoft’s directory service Active Directory from attacks and data breaches. Aside from installing official security patches that address the latest vulnerabilities and exploits (just ask your admins about Patch Tuesday), Active Directory security is primarily a question of applying best practices and secure configurations. In practice, how organizations use and configure their AD is the biggest factor in the overall security of Active Directory.

As a key part of the Windows infrastructure, Active Directory is widely used across businesses, government agencies and other organizations in both the public and private sector. The vast majority of organizations with more than a handful of users rely on Active Directory to manage user accounts and access to digital resources.

As an omnipresent part of IT departments around the world, AD is also one of the main targets for cyberattacks, especially since many companies fail to implement safety measures or follow the best practices Microsoft provides for securing your AD. Unfortunately, errors and misconfigurations can leave you wide open to leaks, employee data theft and ransomware.

Note: Active Directory is not a single piece of software, but consists of multiple different services. The central component is known as Active Directory Domain Services (AD DS). Learn more about the different Active Directory services.

Active Directory Security: Frequent Mistakes & Vulnerabilites

IT security is a constant arms race: criminals and security researches discover new exploits and vulnerabilities and software companies quickly patch any known issues. Like most software products, Active Directory has been known to suffer the occasional critical vulnerability. To prevent attackers from exploiting these flaws to gain access to your network, it is essential for organizations to apply security patches in a timely manner and on all potentially at-risk devices.

The grim reality, however, is that most successful Active Directory attacks don’t rely on an unforseeable zero day vulnerability, but long-standing flaws in the security configuration and policies of an organization. The table below provides an overview of common AD security mistakes that a shocking number of companies suffer from. Is yours among them?

AD Security IssuesHow to solve the problem
Weak CredentialsWeak, common or reused passwords make it easy for attackers to hijack accounts. To stop credential-based attacks, implement password policies, limits for login attempts and multi-factor authentication.
Legacy Services and ProtocolsLegacy authentication protocols such as NTLM authentication are a major security risk. They should be replaced with current standards such as Kerberos.
Too Many Privileged UsersAttackers that gain control of privileged accounts such as domain admins can cause significant harm. Administrator accounts must be strictly limited and their usage monitored.
Incorrectly Configured Service AccountsService accounts are often not properly protected and given more permissions than are needed to fulfil their intended task. Follow the principle of least privilege and replace normal service accounts with managed service accounts.
Not Securing Built-in Admin AccountsEvery AD domain includes a built-in admin account for maintenance and recovery purposes. To prevent abuse, limit logons and usage through group policy objects (GPO). More information.
Inactive and Abandoned AccountsSince orphaned accounts are neither used nor maintained, their outdated security configuration can make them particularly vulnerable. With no account owner, there is no one to raise the alarm in response to suspicious activity. Accounts that are no longer needed must be removed.
No permission reportingPrivileges granted to users must be reviewed and controlled to to limit the exposure of sensitive data and systems. Since Microsoft’s default tools are severely limited, using a third-party solution for permission reporting is highly recommended.

What Makes Active Directory Security So Important?

The importance of securing your AD can be summarized quickly: Microsoft Windows is the foundation of nearly all IT environments worldwide and Active Directory is the foundation of Windows networks. Consequently, the threat posed by a compromised AD is huge: Once an attacker gains access to your network, they can use a variety of tools and techniques to either access higher permission tiers (privilege escalation) or spread to additional systems and devices (lateral movement).

If a hacker manages to spread across your AD or gain administrator privileges, they can cause enormous damage. Intruders with control of your Active Directory can not only steal and destroy large amounts of data, but also shut down your IT operations entirely. No one in your entire network can use their PC or log in to Windows until the attack has been fought off and your AD has been restored. Depending on your level of preparation, that can take quite a while.

Admin discovers vulnerability in AD security settings.
Protect your Active Directory with these 7 tips! Adobe Stock, (c) SomYuZu

AD Security: 7 Best Practices to Secure Your Active Directory!

Given the central role Active Directory plays for IT departments around the world, the best ways to secure AD are much discussed topic among admins and experts. Microsoft itself offers a list of Best Practices for Securing Active Directory as part of its official documentation. Beyond that, there are a wide variety of cybersecurity experts and third-party services that deal with AD security.

Organizations that want to secure their AD should approach the issue in two stages: First, adjust the policies and settings included in Active Directory to achieve the best level of security that your business needs and the tools provided by Microsoft allow for. Next, consider using third-party solutions to expand upon to the existing AD security features in areas where Microsoft’s default tools are not up to the task. For example, the severely limited Active Directory permission reporting.

To help you get started, we have compiled a quick overview of the most important best practices and security goals for your AD.


Reduce Your AD Attack Surface

The attack surface of an IT environment refers to the sum of all potential entry points for attackers, such as devices, user accounts and connected services. Simply put, the fewer entryways your network provides for hackers, the lower the risk of a successful cyberattack. This has two reasons: 1) Adding more services and devices to your IT brings new dependencies, vulnerabilities and security holes with it and 2) The more accounts your admins have to manage, the higher the risk of mistakes.

Consequently, practicing good cyberhygiene by keeping the number of accounts in your AD as low as possible is a proven way of stopping attackers. On a technical level, deleting unused or inactive accounts is a simple process. But admins can only carry it out if they are kept in the loop regarding any staff or role changes. Unfortunately, problems with internal communication often lead to stale, outdated and abandoned accounts: ones that were created with a specific goal or timeframe in mind and then simply forgotten about once they served their purpose.

The easiest way to ensure that any changes to user accounts are implemented swiftly and correctly is to automate the entire process, also known as user lifecycle management. This approach guarantees that employees have the exact resources and accounts they need from their first to last day at your company. And the best part? It does so without any effort from your IT staff.


Enforce Least Privilege Access

If an attacker manages to hijack one of your AD accounts, they will use any permissions and privileges it holds against you by stealing shared files, spreading to connected services or changing security settings to their advantage. In the wrong hands, any permission you grant one of your users can become a threat. This applies to insider threats like employee data theft just as much as it does to outside forces.

To prevent abuse, accounts should only be given the minimum amount of access needed to perform their intended role. This goes for application and service accounts, too. Limiting access rights to the bare minimum is a best practice also known as the principle of least privilege or POLP.

One common problem with implementing least privilege access is that organizations often do not know which assets their users can currently access and which ones they actually need for their job. To remedy this, you need to establish an access control policy that clearly defines the intended permissions for every user in your company. This can be done by grouping users based on factors like department or position and setting default permissions for these different roles. Learn more about this approach in our article on role-based access control.

However, enforcing least privilege access takes more than a one-time fix: Since both the responsibilities of your users and the structure of your IT change regularly, maintaining safe, minimal access requires ongoing checks and controls during which any unnecessary privileges users may have accrued are removed. This process is also known as a user access review. Once again, an automated platform is the easiest way to guarantee that reviews are carried out consistently.

Least privilege access is one of the cornerstones of the modern zero trust security framework alongside internal and external network controls.

Car in wind tunnel, concept of efficient management
By streamlining your AD, you can eliminate points of entry for hackers. Adobe Stock, (c) Piotr Adamczyk

Secure Privileged Accounts

The sensitive permissions administrative accounts are equipped with make them a very attractive target for hackers. Consequently, the security level for privileged accounts should be equally high. During everyday operations, IT staff must keep privileged accounts and their regular accounts strictly separate. As tempting as it may be, privileged accounts must never be used for normal work tasks, such as for routine maintenance and help desk tickets.

The admin, domain admin and enterprise admin groups should have no permanent members aside from their built-in administrator accounts. Instead, users should only be granted temporary membership for specific tasks, after which they are removed from the group. Local administrator accounts must be protected through group policy objects and the use of Windows LAPS (Local Admin Password Solution) to manage credentials. You can find more information in these guides:

Note: Administrative accounts are not the only privileged accounts you need to secure. Device and service accounts, too, are often equipped with sensitive permissions that make them a potential security risk. Attack patterns like Kerberoasting aim to extract and crack the password hash for service accounts. Managed service accounts, which change their passwords automatically, can protect from attacks like these.


Educate Your Users

Cybersecurity is as much about people as it is about technology. To keep your Active Directory safe, everyone in your organization, from the CEO to the front desk clerk, needs to understand and follow fundamental guidelines and principles. Training your users to recognize suspicious activity or attempts at social engineering and avoid unsafe behaviors is one of the most effective ways to lower the risk of security incidents. Safety features such as automated phishing filters provide an additional layer of protection.


Understand Threats and Attack Vectors

To protect against the lastest threats and exploits, your information security team must stay up to date on new vulnerabilities and take appropriate steps to remedy them. In the best case scenario, this simply means installing the latest patch in a timely manner. However, if parts of your IT infrastructure suffer from (currently) unresolved vulnerabilities, it may be necessary to temporarily disable certain features and services until a solution can be found.

Aside from weaknesses in individual systems and software products, the specific structure of your network can also create unintended avenues of attack for cybercriminals. By analyzing their own network from a hostile perspective, admins can identify and close potential attack paths before they become a problem.

For example, the free tool BloodHound can be used to analyze relationships between AD groups and users to stop hackers from gaining access to protected functions. During penetration tests, the tool mimikatz allows you to test pass-the-hash, golden ticket or other complex attacks.

Cyber criminal writing malware code.
Keeping your network secure means thinking like a hacker. Adobe Stock, (c) Gorodenkoff

Log and Review Security Events

Continuous monitoring of certain system events allows you to identify early warning signs for possible attacks and prevent further harm. This requires you to set up and configure the relevant audit policies in order to track relevant changes. Events to monitor include:

  • Successful and unsuccessful logins

  • Attempted password resets

  • Creation, deletion or changes made to users and/or groups

  • Attempts to edit the SID history of an object

  • Attempts to activate Directory Services Restore Mode

  • Changes to domain or Kerberos policies

  • Changes to the audit policy

  • Attempts to clear the audit log

Keep in mind: the data collected this way is only useful if your admins have the time to review and respond to it. Since IT environments produce an enormous amount of log data even during normal operations, it is recommended to employ automated tools to help with analysis. Software solutions from the fields of security information and event management (SIEM) or extended detection and response (XDR) deal with this exact problem.


Prepare Emergency, Backup and Recovery Plans

While these tips and best practices while help you stop a lot of AD attacks, it’s important to remember that there is no such thing as 100% security. That’s why a successful Active Directory security strategy also requires you to plan for the worst case scenario: a successful attack on your AD.

Security trainings and simulated attacks can help your staff prepare for the real emergencies and help them react more quickly in the extremely stressful scenario of a security breach. Ideally, a swift response can limit the scope of the attack, but your emergency plan shouldn’t depend on this outcome. Your emergency and recovery strategy should cover every scenario, up to and including a complete compromise of your AD. There are two separate areas you need to plan for:

  • Business continuity: How can your business continue to operate in a limited capacity during an ongoing attack? What channels do you use for emergency communications when your business email and office chat are unavailable? Even low-tech solutions, such as ensuring that all members of your security team have each other’s phone number, can save valuable time during a crisis.

  • Recovery: What are the necessary steps to restore your IT infrastructure to its prior state after your network was breached? Many organizations prepare backups of critical business data but never back up their domain controllers, even though a copy of your domain controller is crucial to restoring Active Directory. Make sure to follow the best practices for secure backups, however: maintain at least three separate copies on different storage media, one of which is stored off-premise (in a remote facility or a secure cloud service).

Maintaining Active Directory Security with tenfold Access Management

Protecting your Active Directory requires constant vigilance and ongoing adjustments, that must be implemented both swiftly and accurately. To reduce the risk of successful attacks, organizations must limit accounts and permissions, manage their security settings and track and document changes. The easiest and safest way to ensure your AD follows best practices and security recommendations is through an automated software solution from the field of identity and access management.

By automatically creating, updating and removing accounts and permissions, tenfold‘s user lifecycle management not only saves precious time for your IT staff, but also ensures the strict adherence to least privilege access. Clear, detailed and central permission breakdowns as well as automated user access reviews help you manage and control access rights in your organization. Additionally, tenfold‘s dashboard highlights errors and misconfigurations, allowing you to quickly address common problems.

Best of all: Thanks to tenfold‘s deep integration with both Microsoft’s on-premise infrastructure and the cloud services included in Microsoft 365, you’ll enjoy the benefits of automated user and permission management across all systems.

Would you like to learn more about the advantages of tenfold? Our video overview will introduce you to the key features of our IAM solution. Compare editions to see which plugins and interfaces are included in each of tenfold‘s three subscription tiers. Or sign up for a free trial to experience our powerful features and user-friendly interface firsthand.

Demo Video

Automate your Active Directory with tenfold!

About the Author: Joe Köller

Joe Köller is tenfold’s Content Manager and responsible for the IAM Blog, where he dives deep into topics like compliance, cybersecurity and digital identities. From security regulations to IT best practices, his goal is to make challenging subjects approachable for the average reader. Before joining tenfold, Joe covered games and digital media for many years.