October 25, 2018 // Ellen Neveux. Last Updated: November 19, 2020
Active Directory (AD) is so ubiquitous on Windows networks that many organizations have never invested time in configuring it deliberately. That is a mistake: AD is the identity store that every domain-joined system trusts, so its configuration has significant process and network security implications. Prioritize a review of how you are currently managing the service.
Here are a few guidelines to follow as you assess your current setup:
Plan the structure of your AD before implementing or migrating. This process can be complex. Knowing your end goal before you begin will help cut down on the amount of management and reconfiguration required.
Don't make your AD design too convoluted. Resist the urge to create hundreds of organizational units (OUs) for every possible need; this is costly and difficult to maintain. For example, while it might seem obvious to build an OU structure around the physical locations of your organization, this causes trouble as soon as a department is spread over more than one location. Instead, keep the structure shallow: domains for security and replication boundaries, OUs organized by how you delegate administration and apply Group Policy, and sites to describe the physical network topology.
Make sure that your AD administrators have two separate accounts: one standard account for everyday activities like email and web browsing, and one administrative account used only for managing AD. The administrative account should never be used to read mail or browse the web; this separation limits the chance that a phishing email or drive-by download lands in a session that holds privileged AD credentials.
Don't neglect secure password policies. Individuals are at the heart of a secure network, and bad habits create vulnerabilities, but it is the organization's policy that permits those habits. Create policies that rule out common mistakes such as setting user passwords to never expire or reusing the same password across multiple accounts, and check the effective policy rather than assuming the defaults are adequate.
Use credential partitioning (tiered administration) to create separate tiers of administrative access to AD, so that no person has more access than they need to perform their role. Accounts that administer domain controllers should never log on to ordinary workstations or member servers, because the credential material left behind on those lower-tier machines is exactly what credential-theft attacks harvest. Adopt least privilege to limit the impact of any single compromise.
Don't let dormant accounts retain access. In a complex AD environment, unused accounts are serious vulnerabilities: nobody notices when they are used, and their passwords are often old. Regularly identify accounts with no recent logon and disable them, so that former employees or attackers who obtain their credentials cannot take advantage.
Set up monitoring and audit capabilities. You should know who has access and what activity has occurred within the directory, in particular changes to privileged group membership and to accounts. When you can track changes, you can both tune the service and cut the time spent investigating issues.
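The following PowerShell script is an added example, not code from the original article, that turns the password-policy, dormant-account and audit guidelines above into a single review you can run against a domain. It assumes the RSAT ActiveDirectory module on a domain-joined machine with rights to read the directory and the Security log on a domain controller; the 90-day inactivity threshold, the 14-character minimum and the seven-day event window are assumptions chosen for illustration. The event IDs are the standard Windows security-group-management events.

```powershell
# Added example (not from the original article). Assumes RSAT ActiveDirectory module,
# a domain-joined host, and rights to read AD and the Security log on a DC.
# $InactiveDays, the 14-character minimum and the 7-day window are assumed values.
Import-Module ActiveDirectory

$InactiveDays = 90
$Since        = (Get-Date).AddDays(-7)

# 1. Default domain password policy: flag the common weak settings.
#    (Fine-grained password policies can override this for specific groups.)
$policy = Get-ADDefaultDomainPasswordPolicy
if ($policy.MinPasswordLength -lt 14)  { Write-Warning "MinPasswordLength is $($policy.MinPasswordLength)" }
if (-not $policy.ComplexityEnabled)    { Write-Warning "Password complexity is disabled" }
if ($policy.LockoutThreshold -eq 0)    { Write-Warning "Account lockout is disabled" }

# 2. Enabled users whose passwords never expire.
$neverExpire = Get-ADUser -Filter { Enabled -eq $true -and PasswordNeverExpires -eq $true } `
                          -Properties PasswordLastSet |
               Select-Object SamAccountName, PasswordLastSet
Write-Host "Enabled users with PasswordNeverExpires: $($neverExpire.Count)"
$neverExpire | Format-Table -AutoSize

# 3. Enabled user accounts with no logon in $InactiveDays days.
#    -WhatIf only previews the disable; remove it once the list has been reviewed.
$dormant = Search-ADAccount -AccountInactive -TimeSpan (New-TimeSpan -Days $InactiveDays) -UsersOnly |
           Where-Object { $_.Enabled }
foreach ($acct in $dormant) {
    Write-Host "Dormant: $($acct.SamAccountName) (last logon $($acct.LastLogonDate))"
    Disable-ADAccount -Identity $acct.DistinguishedName -WhatIf
}

# 4. Who currently holds privileged group membership (nested membership expanded).
$privGroups = 'Domain Admins', 'Enterprise Admins', 'Schema Admins', 'Administrators'
foreach ($g in $privGroups) {
    Get-ADGroupMember -Identity $g -Recursive | ForEach-Object { "$g : $($_.SamAccountName)" }
}

# 5. Security group membership changes in the last week on one DC.
#    4728/4732/4756 = member added to a global/local/universal security group,
#    4729/4733/4757 = member removed. Requires "Audit Security Group Management" to be enabled.
$dc = [string](Get-ADDomainController -Discover).HostName
$changes = Get-WinEvent -ComputerName $dc -FilterHashtable @{
    LogName   = 'Security'
    Id        = 4728, 4732, 4756, 4729, 4733, 4757
    StartTime = $Since
} -ErrorAction SilentlyContinue
$changes | Select-Object TimeCreated, Id, @{ n = 'Summary'; e = { $_.Message.Split("`n")[0] } } |
           Format-Table -AutoSize
```

Two caveats when using this. Group changes are logged only on the domain controller where they were made, so for real coverage run step 5 against every DC (or forward the Security logs to a central collector) rather than the single discovered one. And a password that never expires is sometimes legitimate for a managed service account; review the step 2 list rather than bulk-changing it, and document any exceptions you keep.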
Take your Active Directory configuration seriously. With any technology, the security of the tool comes down to how it is managed. A number of attacks are aimed squarely at AD, in particular credential theft and reuse techniques such as Pass-the-Hash, and every one of them is easier against a directory with flat administrative tiers, stale accounts and no auditing. Do your research, understand your organization's needs, and make sure your installation is secure.