Secure Active Directory -- Tips That You Can Use
Active Directory is the largest and the most vital distributed system in your company. This makes it one of the biggest security concerns for system administrators.
There are several tasks that you can do to make your Active Directory secure and robust. Here are some simple tips that you can use.
Tip # 1: Document Each And Every Entity in the Directory -- Start with your top level structures, such as forest and domain configuration, organizational unit (OU) structure, top-level directory security, and existing trust relationships. Next, document your group policies, information related to different domain controllers, methods used to make data backups, and any changes you make to original the design from time to time. Finally , you must ensure that you document DNS-related information.
Tip # 2: Implement Control on Administration -- You need to do this to work along with administrators of different domains in your forest and come up with uniform domain controller (DC) administration model that works effectively for the entire forest.
Tip# 3: Don't make too many administrators -- It is best that you use a combination of group policies and various third-party tools to grant different users, just enough rights so that they can perform their tasks without any problems. Don't make too many domain-level administrators because doing this puts the security of your entire Active Directory in jeopardy. It is best that you use different administrative accounts with elevated rights and appropriate naming convention, to enable them to perform their tasks.
Tip #4: Test your group policies -- Group policies are one of the most essential components that help in making your Active Directory secure. Therefore, you must thoroughly test them before rolling them out.
Tip # 5: Rename the Administrator account and disable the Guest account - This is an essential to keep your Active Directory safe from external threats, such as malware and hackers. It is recommended that after you rename the original Administrator account, create another account and name it as Administrator. Enable high-level auditing on this account. This way if anyone tries to use this account to gain access to your network, you can easily track it.
Tip # 6: Implement Strong Password Rules -- You should make users on your network, aware of tips and strategies they can use to create strong passwords.
Tip # 7: Ensure that all your Domain Controllers are placed at a secure location -- Placed at different location throughout your enterprise, each Domain Controller runs its own copy of Active Directory. So, if you don't place these servers at a secure location, they can easily get stolen. And, for a professional it will not take a lot of time to run password cracking programs to get confidential information related to your Active Directory and different entities within it.
Tip # 8 Secure the Service Accounts -- These are the accounts that various applications use to run their services on your computer. These accounts are usually configured to never expire. To protect these accounts, it is best that you generate a naming convention for service accounts and then rename them in such a way that they identify the service they run. Next, put all service accounts in an account group with a name such as 'Service Accounts'. On this group, apply a policy to disable "Log on Locally" and enable "Log on as a Service" right permissions.
|
Carl Stevenson is a freelance technology writer who specializes in writing articles about business technology solutions and services. For more information about Dallas Active Directory services, visit http://www.intelinetsystems.com/ Article Source: http://EzineArticles.com/?expert=Carl_Stevenson |