Tips and Tricks for Active Directory Management

Active Directory - SeniorDBA

Managing Active Directory is essential for your network security. Here are a few tips to help you better manage your Active Directory:

  1. Disable the default Guest Account – This is a security best practice recommended by Microsoft. Disabling the guest account can protect you from simple and very basic attacks. It is also an item that security auditors look for to verify you are using security best practices.
    1. Log on as a member of the Domain Admins group, and then open Active Directory Users and Computers.
    2. In the console tree (left pane), click Users.
    3. In the details pane (right pane), right-click Guest, and then click Rename.
    4. Type the fictitious first and last name and press Enter.
    5. Right-click the new name, and then click Properties.
    6. On the General tab, delete the Description “Built-in account for guest access to the computer/domain” and type in a description to resemble other user accounts (for many organizations, this will be blank).
    7. In the First name and Last name boxes, type the fictitious names.
    8. On the Account tab, type a new User logon name, using the same format you use for your other user accounts, for example, first initial and last name.
    9. Type this same new logon name in the User logon name (pre-Windows 2000) box, and then click OK.
    10. Verify that the account is disabled. The icon should appear with a red X over it. If it is enabled, right-click the new name, and then click Disable Account.
  2. Rename the default Administrator account – This is an essential security best practice. One of the first things a malicious user or hacker will do is look to compromise the default administrator account. You want to hide the default account by renaming it to something other than the default name. It is also an item that security auditors look for to verify you are using security best practices.
    1. Log on as a member of the Domain Admins group, and then open Active Directory Users and Computers.
    2. In the console tree (left pane), click Users.
    3. In the details pane (right pane), right-click Administrator, and then click Rename.
    4. Type the fictitious first and last name and press Enter.
    5. In the Rename User dialog box, change the Full name, First name, Last name, Display name, User logon name, and User logon name (pre-Windows 2000) values to match your fictitious account name, and then click OK.
    6. In the details pane (right pane), right-click the new name, and then click Properties.
    7. On the General tab, delete the Description “Built-in account for administering the computer/domain” and type in a description to resemble other user accounts (for many organizations, this will be blank).
    8. On the Account tab, verify that the logon names are correct.
  3. Maintain Physical Security – People will often focus on system security when thinking about ways to secure your Active Directory, but physical security is also required. Make sure people can’t just walk up to your Domain Controllers and attempt to bypass your security. If there are places where you can’t prevent physical access then consider turning that instance into a Read-Only Domain Controller.
  4. Disaster Planning – Disasters will happen, and I’m not just talking about fires, hurricanes, earthquakes, and tornadoes. What will you do if you find out an entire OU, containing 100 users, was deleted by mistake last night? Do you have a plan for how to resolve that issue, or are you expecting to just know all 100 users’ names, security settings, etc., as well as making the time to contact each user, help them log into the network with their new password, and verify their network security settings are restored? This could take days to resolve, and it would be a PR nightmare.
  5. Prohibit Shared Accounts – Never allow anybody to share accounts, especially if the account has administrator privileges. It is almost impossible to determine who performed what action if multiple people are sharing a network account. It also creates security problems when someone is terminated that might know the password.
  6. Documentation – You can’t allow the Active Directory structure to grow uncontrolled and without a plan. Document the system, and keep the document updated. By creating a structure with basic logic and control, you are less likely to allow random changes that make no sense and that people will never understand. Use the description fields in the tool to make this easier, but also keep an external document that explains the current status and the reason for the structure.
  7. Delegate Responsibilities – Don’t allow just one person to perform all the Active Directory work. Even if your backup resource is only available one or two days a week, at least they are familiar with your AD structure and corporate procedures. One day you will find that backup resource is a safety net that could save the day.
  8. Single Purpose Servers – Your Domain Controller should be used only for user authentication, meaning Active Directory itself and, at most, DNS. Don’t install other applications or utilities, including products that can lead to security vulnerabilities like Adobe Reader, Microsoft Office, and Java.
  9. Beware Storing Extra Data – There are many fields available in Active Directory, including fields like address, telephone numbers, etc. It can serve a business purpose to complete some of these fields, but you must be careful when making a decision about who should have access to this data to prevent privacy or security issues.
  10. Delay Changes – Never allow yourself or others to make changes to your Active Directory before the weekend. Unless it is a required change that must be made on a Friday afternoon (a user termination is a good example), wait until Monday to make the change. It can take days for a mistake to be uncovered, and you would rather deal with those mistakes during the week than on your precious weekend.
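The Guest and Administrator procedures from tips 1 and 2 as a PowerShell equivalent of the GUI steps; this is an added example, not the post’s own, and assumes the RSAT ActiveDirectory module, Domain Admin rights, and placeholder fictitious names (Pat Rivera / privera, Morgan Lee / mlee) that you would replace with names matching your own naming format.

```powershell
# Added example (not from the original post): tips 1 and 2 done with the
# ActiveDirectory PowerShell module (RSAT), run as a member of Domain Admins.
# The built-in accounts are located by their well-known RIDs (Administrator = 500,
# Guest = 501) rather than by name, so the script still works if they were renamed before.
# The fictitious names below are placeholders; use names matching your own format.
Import-Module ActiveDirectory

$domain    = Get-ADDomain
$upnSuffix = $domain.DNSRoot

function Set-DisguisedBuiltinAccount {
    param(
        [Parameter(Mandatory)][int]    $Rid,             # 500 = Administrator, 501 = Guest
        [Parameter(Mandatory)][string] $GivenName,
        [Parameter(Mandatory)][string] $Surname,
        [Parameter(Mandatory)][string] $SamAccountName,
        [switch] $DisableAccount
    )
    $sid      = "$($domain.DomainSID.Value)-$Rid"
    $user     = Get-ADUser -Identity $sid -Properties Description
    $fullName = "$GivenName $Surname"

    # Rename the object (CN) and then the name/logon attributes in one pass
    Rename-ADObject -Identity $user.DistinguishedName -NewName $fullName
    Set-ADUser -Identity $sid `
        -GivenName $GivenName -Surname $Surname -DisplayName $fullName `
        -SamAccountName $SamAccountName `
        -UserPrincipalName "$SamAccountName@$upnSuffix" `
        -Description $null       # clears the "Built-in account for ..." description

    # Guest must stay disabled; re-assert it rather than assume it
    if ($DisableAccount) { Disable-ADAccount -Identity $sid }

    # Verification: re-read by SID (never by name) and show the result
    $check = Get-ADUser -Identity $sid -Properties Description
    [pscustomobject]@{
        RID            = $Rid
        SamAccountName = $check.SamAccountName
        Name           = $check.Name
        Enabled        = $check.Enabled
        Description    = $check.Description
    }
}

# Tip 1: disguise and disable the Guest account (RID 501)
Set-DisguisedBuiltinAccount -Rid 501 -GivenName 'Pat' -Surname 'Rivera' -SamAccountName 'privera' -DisableAccount
# Tip 2: rename the built-in Administrator (RID 500); it stays enabled unless your policy says otherwise
Set-DisguisedBuiltinAccount -Rid 500 -GivenName 'Morgan' -Surname 'Lee' -SamAccountName 'mlee'
```

The well-known RID does not change with the rename, which is why the verification step reads the account back by SID; treat the rename as one layer alongside a strong password and monitoring of logons for that account.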