March 30, 2011

Securing Active Directory from crackers

This is the first in a two-part article about Active Directory security. This first part covers hardening Active Directory and workstations against crackers. No, not white people or what you put in soup. The next part of the article will demonstrate how easy it can be to gain administrative access to an Active Directory network.


Here are a few tips to get you started.
  • Never use the Administrator account. Create service accounts for all your applications that require admin permissions, and ensure they do not have RDP permission to your global catalogs. Give those service accounts extremely strong passwords, preferably alphanumeric with special characters and at least 14 characters long.
  • Don’t add your desktop admin users to any server admin groups.
  • Require your desktop admin users to have strong passwords and to change them frequently.
  • Create a Group Policy to reduce the number of cached logons on the workstations. I recommend 1; 0 will cause problems with mobile workstations.
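
One way to confirm that the cached-logon policy actually reached a workstation, as an added example that is not from the original article. The function name `Test-CachedLogonsCount` and its parameters are hypothetical; the registry value is where Windows stores the "Interactive logon: Number of previous logons to cache" setting, and the fallback of 10 for a missing value is an assumption based on the client default.

```powershell
# Added example: audit the cached-logon limit set by the Group Policy
# "Interactive logon: Number of previous logons to cache".
function Test-CachedLogonsCount {
    [CmdletBinding()]
    param(
        # Target taken from the article's recommendation of 1.
        [ValidateRange(0, 50)]
        [int]$MaxAllowed = 1,

        # Computers to check; defaults to the local machine.
        [string[]]$ComputerName = @($env:COMPUTERNAME)
    )

    # Reads the raw registry value; returns $null when it is not set.
    $read = {
        $key = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'
        (Get-ItemProperty -Path $key -Name CachedLogonsCount -ErrorAction SilentlyContinue).CachedLogonsCount
    }

    foreach ($computer in $ComputerName) {
        $result = [ordered]@{
            ComputerName = $computer
            CachedLogons = $null
            ExplicitlySet = $false
            Compliant = $false
            Error = $null
        }
        try {
            $raw = if ($computer -eq $env:COMPUTERNAME) {
                & $read
            } else {
                # Requires PowerShell remoting to be enabled on the target.
                Invoke-Command -ComputerName $computer -ScriptBlock $read -ErrorAction Stop
            }
            # The value is stored as a string (REG_SZ). Assumption: a missing
            # value means the client default of 10 is in effect.
            $result.ExplicitlySet = -not [string]::IsNullOrWhiteSpace($raw)
            $result.CachedLogons = if ($result.ExplicitlySet) { [int]$raw } else { 10 }
            $result.Compliant = $result.CachedLogons -le $MaxAllowed
        } catch {
            # Unreachable hosts are reported as non-compliant, not skipped.
            $result.Error = $_.Exception.Message
        }
        [pscustomobject]$result
    }
}

Test-CachedLogonsCount | Format-Table -AutoSize
```

Pass `-ComputerName` a list of workstation names to sweep several machines; any row with `Compliant` set to `False` either has not applied the policy or could not be reached.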