Hello All,

I’m wondering if anyone has an SOW or just a document with best practices that you may follow when creating a new Domain Controller or securing an existing one for locking down the domain and Domain Controller. Maybe something that was built off NIST and personal changes.

Thank you in advance.

32 Spice ups

MS has some recommendations - they should have baselines for Win 10, server 20xx and domain controllers

5 Spice ups

You can also look at the CIS Benchmarks for hardening Windows Servers including Domain Controllers here { Link }

4 Spice ups

I think I am going to write up a howto article. This is the second one of these I have seen today, BBIAB

2 Spice ups

I started to write up items I was changing but I just haven’t had the time to complete or continue to add.

2 Spice ups

@dennis-aston ​ I’ve found some of my documentation, I’ve been breaking it out in a format like the following:

Default Domain (Passwords, screen lock, clock sync, interactive login, etc)

Medical environment (Then workstation locked down settings)

I’m looking to add to these and build out other environments.

2 Spice ups

I just finished it. Take a look at this and see if you can use it, don’t let TLDR get to you on this one. It’s a tool that will help you with AD as well as a ton of other industry products, all with NIST standard recommendations.

https://community.spiceworks.com/how_to/187039-how-to-use-dod-cyber-exchange-stigs-secure-technical-implementation-guides

There are 41 entries for the Domain Controller template. There is also an Active Directory template (36 rules) and some GPOs you can use as well in the library for download.

5 Spice ups

@dennis-aston ​ great write-up, I’m guessing I can create my own document of additional changes and combine the 2 documents. I’ll play around with it, I appreciate the write-up.

Great job!

Here is another article for domain controller security: Securing Domain Controllers: Best Practices and Tips

2 Spice ups

That’s an executive level overview and light on the specifics we need to actually configure anything. Thank you however.

A ton

CIS Benchmarks are pretty much the industry standard.

1 Spice up

Take a close look at both Ping Castle and Purple Knight, along with the CIS Benchmarks**. I have also used the DoD STIGs** in the past, but some of the recommendations in the STIGs were a little too heavy-handed for my environment.

https://public.cyber.mil/stigs/

**Important Disclaimer: Blindly making changes from any of the above can and most likely will cause problems for your domain, servers, users, etc. Go slow, document all changes, understand how to roll back if needed. Understand what impact each change might have in your environment before making it. Try to do all changes in a test lab / sandbox environment first. Make sure your management/chain of command is aware of what you are trying to accomplish and that they have buy-in on the process (this is more of a CYA in the event something unexpected happens and there is some downtime as a result).

4 Spice ups

I’ll second the comment on the STIGs being heavy-handed. The DoD isn’t really concerned too much if your favorite or required feature gets broken; they are more concerned that they don’t get hacked and sensitive data leaked out. There are recommendations in the list that will break a Cisco switch and your ability to manage it if you don’t know how to properly configure it. Things like DHCP Snooping being required by Dynamic ARP Inspection, so if you just go down a command list and copy and paste, you are doomed from the start.

Whatever you do, don’t save a config change in a Cisco switch until you are sure everything is working because you can always hard boot it with a power cord pull and get everything back running.

Great suggestions everyone, I greatly appreciate it. As for best answer I don’t think I can just pick one as the contribution has been spread across several responses.

In the meantime I’m taking everyone’s links and building out a spreadsheet (Baseline, Extra, High, Specialized) with what changes you should or would want to make. I’d be happy to share when done.

1 Spice up

As a side note, I’d secure/lock down the Domain Admins group in the AD also. Please give this a read: Appendix F - Securing Domain Admins Groups in Active Directory | Microsoft Learn

1 Spice up
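The Appendix F guidance referenced in the post above boils down to keeping Domain Admins empty apart from the built-in Administrator account and treating anything else in it as an exception to review. The PowerShell below is an added example written for this thread; it is not code from the thread, from Microsoft, or from any of the tools mentioned. It audits a list of group members against that guidance and flags nested groups, service accounts carrying an SPN, stale privileged accounts and old passwords. The `$StaleDays` and `$MaxPasswordAgeDays` thresholds, the function names and the sample accounts (`svc-backup`, `jdoe-old`, `HelpdeskTeam`) are all constructed assumptions; `Get-ADGroupMember` and `Get-ADUser` are the real RSAT cmdlets and are only needed for the optional live run.

```powershell
# Added example for this thread, not code from the thread or from Microsoft's Appendix F.
# Audits Domain Admins membership against the Appendix F recommendation that the group
# contain only the built-in Administrator account. Thresholds below are assumptions.

function Test-DomainAdminsMembership {
    param(
        # Objects exposing SamAccountName, ObjectClass, Enabled, LastLogonDate,
        # PasswordLastSet and ServicePrincipalName (the shape Get-ADUser returns).
        [Parameter(Mandatory)] [object[]] $Members,
        [int] $StaleDays = 90,            # assumed threshold for a dormant privileged account
        [int] $MaxPasswordAgeDays = 365   # assumed threshold for a privileged password age
    )
    $now = Get-Date
    foreach ($m in $Members) {
        $findings = @()
        if ($m.ObjectClass -ne 'user') {
            $findings += "nested $($m.ObjectClass) object; Appendix F expects direct user members only"
        }
        if ($m.SamAccountName -ne 'Administrator') {
            $findings += 'permanent member other than the built-in Administrator account'
        }
        if ($m.ServicePrincipalName -and $m.ServicePrincipalName.Count -gt 0) {
            $findings += 'account has an SPN (service account should not hold Domain Admins)'
        }
        if ($m.Enabled -and $m.LastLogonDate -and ($now - $m.LastLogonDate).Days -gt $StaleDays) {
            $findings += "no logon in more than $StaleDays days (stale privileged account)"
        }
        if ($m.PasswordLastSet -and ($now - $m.PasswordLastSet).Days -gt $MaxPasswordAgeDays) {
            $findings += "password older than $MaxPasswordAgeDays days"
        }
        [pscustomobject]@{ Member = $m.SamAccountName; Findings = $findings }
    }
}

function Get-LiveDomainAdmins {
    # Optional live data source: requires the RSAT ActiveDirectory module and read access to AD.
    Import-Module ActiveDirectory
    Get-ADGroupMember -Identity 'Domain Admins' | ForEach-Object {
        if ($_.objectClass -eq 'user') {
            Get-ADUser -Identity $_.distinguishedName -Properties Enabled, LastLogonDate, PasswordLastSet, ServicePrincipalName
        } else {
            $_   # groups/computers are passed through and flagged as nested objects
        }
    }
}

# Constructed sample membership so the audit runs offline without a domain.
$sample = @(
    [pscustomobject]@{ SamAccountName = 'Administrator'; ObjectClass = 'user'; Enabled = $true
                       LastLogonDate = (Get-Date).AddDays(-3); PasswordLastSet = (Get-Date).AddDays(-30); ServicePrincipalName = @() },
    [pscustomobject]@{ SamAccountName = 'svc-backup'; ObjectClass = 'user'; Enabled = $true
                       LastLogonDate = (Get-Date).AddDays(-1); PasswordLastSet = (Get-Date).AddDays(-800); ServicePrincipalName = @('MSSQLSvc/db01.example.local:1433') },
    [pscustomobject]@{ SamAccountName = 'jdoe-old'; ObjectClass = 'user'; Enabled = $true
                       LastLogonDate = (Get-Date).AddDays(-400); PasswordLastSet = (Get-Date).AddDays(-400); ServicePrincipalName = @() },
    [pscustomobject]@{ SamAccountName = 'HelpdeskTeam'; ObjectClass = 'group'; Enabled = $null
                       LastLogonDate = $null; PasswordLastSet = $null; ServicePrincipalName = $null }
)

# Offline run against the constructed sample; only members with findings are shown.
Test-DomainAdminsMembership -Members $sample |
    Where-Object { $_.Findings.Count -gt 0 } |
    Format-Table -AutoSize -Wrap

# Live run (uncomment on a domain-joined admin workstation with RSAT installed):
# Test-DomainAdminsMembership -Members (Get-LiveDomainAdmins) | Format-Table -AutoSize -Wrap
```

With the sample data, `Administrator` produces no findings, `svc-backup` is flagged for the SPN and the old password, `jdoe-old` for being stale, and `HelpdeskTeam` as a nested group; every non-Administrator entry also gets the "permanent member" finding, which is the point of Appendix F. Run the live variant on a schedule and diff its output to catch membership drift, and review any exception against the rollback and change-control advice earlier in the thread before removing accounts.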