This post focuses on Domain Controller security with some cross-over into Active Directory security. 😉 It covers some of the best methods to secure Active Directory by securing Domain Controllers in the following sections:

Note that these GPO GUIDs are the same for every Active Directory domain instance. This is to ensure that Windows can quickly find these GPOs; if they're deleted, they need to be restored/recreated.
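As an added example (not code from the original post), the following PowerShell checks that the two built-in GPOs still exist and rebuilds a missing one with dcgpofix. It assumes the GroupPolicy RSAT module is installed and that it runs with Domain Admin rights from a domain-joined admin host; the GPO display names are the defaults Windows creates.

```powershell
# Added example: verify the built-in GPOs exist and recreate a missing one.
# Requires the GroupPolicy module (RSAT) and Domain Admin rights.
Import-Module GroupPolicy

# Display name -> dcgpofix target. The GUIDs behind these names are fixed and
# identical in every AD forest, so a lookup by name is sufficient here.
$builtIn = @{
    'Default Domain Policy'             = 'Domain'
    'Default Domain Controllers Policy' = 'DC'
}

foreach ($name in $builtIn.Keys) {
    $gpo = Get-GPO -Name $name -ErrorAction SilentlyContinue
    if ($null -ne $gpo) {
        "{0} present, GUID {1}, last modified {2}" -f $gpo.DisplayName, $gpo.Id, $gpo.ModificationTime
        continue
    }

    Write-Warning "$name is missing; recreating it with dcgpofix"
    # dcgpofix resets the GPO to out-of-box settings. If the other default GPO is
    # intact, back it up first so any customizations can be reapplied afterwards.
    $target = $builtIn[$name]
    & dcgpofix.exe /ignoreschema "/target:$target"
}
```

Run this as a scheduled check: a default GPO that disappears is worth an alert, because the Default Domain Controllers Policy carries the user-rights assignments that decide who can log on to a DC.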
Domain Controller security, and in many ways Active Directory security, is based on the Windows version installed on the Domain Controllers.
This is why it’s important to run the current Windows version on Domain Controllers – newer versions of Windows server have better security baked in and improved Active Directory security features.
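The inventory below is an added example, not part of the original post: it lists every Domain Controller with its Windows version and most recent hotfix so that DCs on an older release stand out. It assumes the ActiveDirectory RSAT module, remote WMI access to the DCs, and a minimum version you choose; the 10.0 cutoff (Windows Server 2016 and later) is an assumption for this example.

```powershell
# Added example: Domain Controller OS and patch inventory.
Import-Module ActiveDirectory

# Assumed cutoff: Windows Server 2016 and later report major.minor 10.0.
$minimumVersion = [version]'10.0'

Get-ADDomainController -Filter * | ForEach-Object {
    # OperatingSystemVersion looks like "10.0 (14393)"; keep the major.minor part.
    $osVersion = [version](($_.OperatingSystemVersion -split ' ')[0])

    # Most recent hotfix install date; null if the DC cannot be reached.
    $lastPatch = $null
    try {
        $lastPatch = (Get-HotFix -ComputerName $_.HostName -ErrorAction Stop |
            Where-Object InstalledOn |
            Sort-Object InstalledOn -Descending |
            Select-Object -First 1).InstalledOn
    } catch {
        Write-Warning "Could not query hotfixes on $($_.HostName): $_"
    }

    [pscustomobject]@{
        HostName        = $_.HostName
        Site            = $_.Site
        OperatingSystem = $_.OperatingSystem
        OSVersion       = $osVersion
        BelowMinimum    = $osVersion -lt $minimumVersion
        LastHotfix      = $lastPatch
    }
} | Sort-Object BelowMinimum -Descending | Format-Table -AutoSize
```

Any row with BelowMinimum set to True, or a LastHotfix date older than the patch cycle, is a DC that weakens the whole domain regardless of how well the others are hardened.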
If one of the templates includes FIPS compliant encryption, validate whether or not you need it set, since Microsoft doesn't recommend this as of 2014. FIPS compatible encryption can actually cause problems.

Domain Controllers and admin workstations/servers should have their own patching infrastructure, like Windows Server Update Services (WSUS).

The best way to protect Active Directory is to limit domain level administrative privileges.

Note that the domain password policy is effectively the GPO with the highest link order linked to the domain, so it's possible to create a new GPO with custom password policy settings, link it to the domain, and move the link order to 1 (as shown in the following graphics). With that said, many organizations simply customize the password policy in the Default Domain Policy GPO, which is fine (and was required back in the Windows 2000 Server days). Just don't add new settings to this GPO; keep it clean.
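The script below is an added example, not code from the original post, and covers the three points above: it reports whether FIPS mode is switched on for each DC, counts the effective Domain Admins membership, and creates a dedicated password policy GPO linked at order 1 on the domain so that it takes precedence over the Default Domain Policy. It assumes the ActiveDirectory and GroupPolicy RSAT modules, PowerShell remoting to the DCs, Domain Admin rights, and the GPO name "Domain Password Policy" chosen for this example.

```powershell
# Added example: FIPS check, Domain Admins count, and a top-linked password policy GPO.
Import-Module ActiveDirectory, GroupPolicy

$domain   = Get-ADDomain
$domainDN = $domain.DistinguishedName

# 1. FIPS mode per DC. The value is 1 when the policy "System cryptography:
#    Use FIPS compliant algorithms" is enabled; flag it for review rather than assume.
$fipsPath = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa\FipsAlgorithmPolicy'
foreach ($dc in Get-ADDomainController -Filter *) {
    $enabled = Invoke-Command -ComputerName $dc.HostName -ScriptBlock {
        (Get-ItemProperty -Path $using:fipsPath -Name Enabled -ErrorAction SilentlyContinue).Enabled
    }
    $state = if ($enabled -eq 1) { 'ON (review whether it is really needed)' } else { 'off' }
    "{0}: FIPS mode {1}" -f $dc.HostName, $state
}

# 2. Effective Domain Admins membership, nested groups included. The number
#    should be small and every account in it should be justified.
$domainAdmins = Get-ADGroupMember -Identity 'Domain Admins' -Recursive
"Domain Admins (recursive): {0} principals" -f $domainAdmins.Count
$domainAdmins | Select-Object Name, objectClass | Format-Table -AutoSize

# 3. Dedicated password policy GPO. The GPO linked at order 1 on the domain wins,
#    so create it (if absent), link it, and move it to the top.
$gpoName = 'Domain Password Policy'   # name assumed for this example
if (-not (Get-GPO -Name $gpoName -ErrorAction SilentlyContinue)) {
    New-GPO -Name $gpoName -Comment 'Password policy settings only; keep other settings out.' | Out-Null
    New-GPLink -Name $gpoName -Target $domainDN -LinkEnabled Yes | Out-Null
}
Set-GPLink -Name $gpoName -Target $domainDN -Order 1 | Out-Null

# The password settings themselves live under Computer Configuration > Policies >
# Windows Settings > Security Settings > Account Policies, edited in GPMC; the
# GroupPolicy cmdlets do not expose them directly.

# Confirm the link order on the domain and the policy the domain now reports
# (the second reflects the GPO once it has applied on the PDC emulator).
(Get-GPInheritance -Target $domainDN).GpoLinks | Select-Object Order, DisplayName, Enabled
Get-ADDefaultDomainPasswordPolicy |
    Select-Object MinPasswordLength, PasswordHistoryCount, ComplexityEnabled, LockoutThreshold
```

Keeping the password policy in its own GPO means the Default Domain Policy can be left at its out-of-box contents, which is exactly what the post asks for: a clean default GPO is easy to verify against a known baseline and easy to restore.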