Securing Directory Information and Operations

AD is a valuable feature of Microsoft Windows for IT operations. AD centralizes many maintenance tasks and makes it easy to standardize security settings. It is also a valuable target for attackers because it stores so much useful information. Since AD is a target for attackers, it should also be a target for your hardening efforts.

Begin by recognizing how valuable a compromised AD is to an attacker. Limit the number of administrators with access to AD. Ensure that administrators managing AD do so using separate Administrator user accounts. Administrators should have one account for AD administration and at least one other account for other administration tasks. Isolating privileged user accounts makes the accounts harder to compromise. You can create an AD security group with the necessary privileges for this purpose. To restrict AD administration further, require that AD administrators do their AD work only from dedicated terminal servers instead of their workstations. This requirement reduces the chance that malware on a workstation computer infects AD or leads to an AD compromise.
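The following PowerShell sketch audits a privileged group against the guidance above; it is an added example, not code from the original text. The function name, the thresholds, the sample accounts, and the heuristic that a mailbox marks a day-to-day account are all assumptions.

```powershell
# Added example. Flags privileged accounts that do not look like dedicated
# admin accounts, and groups with more administrators than intended.
function Get-PrivilegedAccountFinding {
    param(
        [Parameter(Mandatory)] [object[]] $Account,
        [int] $MaxAdmins = 5,    # assumed ceiling on AD administrators
        [int] $StaleDays = 90    # assumed inactivity threshold
    )
    $cutoff = (Get-Date).AddDays(-$StaleDays)
    foreach ($a in $Account) {
        # Heuristic (assumption): a mail attribute suggests the account is
        # also used for everyday work, so it is not a separate admin account.
        if ($a.mail) {
            [pscustomobject]@{ Account = $a.SamAccountName
                               Finding = 'Mailbox present: not a dedicated admin account' }
        }
        # An unused privileged account is a candidate for removal.
        if ($a.LastLogonDate -and $a.LastLogonDate -lt $cutoff) {
            [pscustomobject]@{ Account = $a.SamAccountName
                               Finding = "No logon in $StaleDays days: review membership" }
        }
    }
    if ($Account.Count -gt $MaxAdmins) {
        [pscustomobject]@{ Account = '(group)'
                           Finding = "$($Account.Count) members exceeds limit of $MaxAdmins" }
    }
}

# Constructed sample data so the function runs without a domain.
$sample = @(
    [pscustomobject]@{ SamAccountName = 'adm-jdoe'; mail = $null
                       LastLogonDate = (Get-Date).AddDays(-2) }
    [pscustomobject]@{ SamAccountName = 'asmith'; mail = 'asmith@example.test'
                       LastLogonDate = (Get-Date).AddDays(-1) }
    [pscustomobject]@{ SamAccountName = 'adm-old'; mail = $null
                       LastLogonDate = (Get-Date).AddDays(-200) }
)
Get-PrivilegedAccountFinding -Account $sample -MaxAdmins 2 | Format-Table -AutoSize

# Live use on a host with the ActiveDirectory (RSAT) module:
# $accounts = Get-ADGroupMember -Identity 'Domain Admins' -Recursive |
#     Where-Object objectClass -eq 'user' |
#     Get-ADUser -Properties mail, LastLogonDate
# Get-PrivilegedAccountFinding -Account $accounts
```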

Periodically change the Directory Services Restore Mode (DSRM) password, and change it from the default password immediately after installation. This password is what you use to log on to a domain controller (DC) that has been booted into DSRM to create an offline copy of AD. This capability would allow an attacker to copy all your AD information. Protect the DSRM password for each DC and change it at least every 6 months.

Other steps you can take to harden AD include ensuring all DCs are physically secure. Locate your DCs in a datacenter or other location with limited access. Configure your DCs to audit important activities and use Internet Protocol Security (IPSec) between all servers. IPSec may be a little difficult to use for client connections, but setting it up for use between servers doesn’t take a lot of effort. IPSec will help ensure that your AD remains secure.
