Warning: Implementing these hardening measures may impact existing systems and applications.
Always test in a non-production environment first and plan for potential issues.
1. Strengthen Domain and Forest Functional Levels
- Raise domain and forest functional levels to the highest supported version
- Enable advanced security features like Kerberos armoring
- Use PowerShell to check and update:
Get-ADForest | ft Name,ForestMode
Set-ADForestMode -ForestMode Windows2016Forest
Tip: Higher functional levels enable more security features but may limit backwards compatibility.
2. Implement Secure LDAP (LDAPS)
- Install a certificate on all domain controllers for LDAPS
- Configure firewalls to allow LDAPS traffic (TCP 636)
- Update applications to use LDAPS instead of LDAP
- Monitor and eventually disable unsecured LDAP
3. Enable Advanced Audit Policy Configuration
- Enable detailed auditing for critical events:
auditpol /set /subcategory:"Directory Service Access" /success:enable /failure:enable
- Configure centralized log collection (e.g., Windows Event Forwarding)
- Implement automated log analysis and alerting
4. Implement Protected Users Security Group
- Move privileged accounts to the Protected Users group
- Configure additional restrictions through Group Policy
- Be aware of the limitations (e.g., no Kerberos delegation)
Warning: Protected Users group features are only fully supported in Windows Server 2012 R2 and later.
5. Implement Time-based Group Membership
- Use PowerShell to set time-based group membership (requires the Privileged Access Management optional feature to be enabled on the forest first):
Add-ADGroupMember -Identity "Domain Admins" -Members "JohnDoe" -MemberTimeToLive (New-TimeSpan -Hours 2)
- Automate the process of granting and revoking temporary access
6. Implement and Enforce Security Baselines
- Download and import the latest Microsoft Security Baselines
- Customize baselines to fit your organization's needs
- Test and deploy baselines using Group Policy
- Regularly review and update applied baselines
7. Implement Administrative Tiering
- Separate administrative accounts into tiers (e.g., Tier 0, 1, 2)
- Use separate admin workstations for each tier
- Implement network segmentation to enforce tiering
- Use Just-In-Time (JIT) and Just-Enough-Administration (JEA) principles
8. Harden Service Accounts
- Use Group Managed Service Accounts (gMSA) where possible
- For traditional service accounts:
  - Set "Account is sensitive and cannot be delegated"
  - Enable "This account supports Kerberos AES 256 bit encryption"
- Regularly audit and rotate service account passwords
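As an added example that is not part of the original checklist, the following PowerShell audits traditional (non-gMSA) service accounts for the three settings in this step; it assumes the ActiveDirectory module, read access to the domain, and a 365-day rotation standard ($MaxPasswordAgeDays, adjust to yours).

```powershell
# Added example, not from the original checklist: audit traditional (non-gMSA) service
# accounts for the step 8 settings. Assumes the ActiveDirectory module, read access to
# the domain, and a 365-day rotation standard (adjust $MaxPasswordAgeDays to yours).
Import-Module ActiveDirectory

$NotDelegated       = 0x100000   # UF_NOT_DELEGATED bit in userAccountControl
$Aes256             = 0x10       # AES256 bit in msDS-SupportedEncryptionTypes
$MaxPasswordAgeDays = 365        # assumed rotation policy

$props = 'servicePrincipalName', 'userAccountControl',
         'msDS-SupportedEncryptionTypes', 'PasswordLastSet'

# objectCategory=person keeps user objects only; gMSAs and computer accounts have a
# different objectCategory and are intentionally left out of this audit.
$accounts = Get-ADUser -LDAPFilter '(&(objectCategory=person)(servicePrincipalName=*))' `
                       -Properties $props

$report = foreach ($a in $accounts) {
    $uac    = [int]$a.userAccountControl
    $encRaw = $a.'msDS-SupportedEncryptionTypes'
    $enc    = if ($null -eq $encRaw) { 0 } else { [int]$encRaw }   # unset = RC4 default
    $cutoff = (Get-Date).AddDays(-$MaxPasswordAgeDays)

    $findings = @()
    if (-not ($uac -band $NotDelegated)) { $findings += 'delegation not blocked' }
    if (-not ($enc -band $Aes256))       { $findings += 'AES256 not enabled' }
    if ($null -eq $a.PasswordLastSet -or $a.PasswordLastSet -lt $cutoff) {
        $findings += "password older than $MaxPasswordAgeDays days"
    }

    [pscustomobject]@{
        Account         = $a.SamAccountName
        Enabled         = $a.Enabled
        SPNs            = ($a.servicePrincipalName -join ';')
        PasswordLastSet = $a.PasswordLastSet
        Findings        = ($findings -join '; ')
    }
}

# Only accounts with at least one finding are listed.
$report | Where-Object { $_.Findings } | Sort-Object Account | Format-Table -AutoSize

# Remediation for the first two findings, once the owning application has been verified
# to support it (run per account; <sam> is a placeholder for the SamAccountName):
#   Set-ADAccountControl -Identity <sam> -AccountNotDelegated $true
#   Set-ADUser -Identity <sam> -KerberosEncryptionType AES256
```

Run it from a management workstation with RSAT; the report is read-only, and the remediation cmdlets in the trailing comment should be tested against one account before being looped over the whole list.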
9. Implement Active Directory Federation Services (AD FS) Extranet Lockout
- Enable extranet lockout to protect against brute-force attacks
- Configure appropriate lockout thresholds:
Set-AdfsProperties -EnableExtranetLockout $true -ExtranetLockoutThreshold 10 -ExtranetObservationWindow (New-TimeSpan -Minutes 30) -ExtranetLockoutRequirePDC $true
10. Implement and Maintain a Secure Administrative Forest
- Create a separate forest for administrative accounts and workstations
- Establish a one-way trust from production to admin forest
- Apply stringent security controls to the admin forest
- Use admin forest accounts to manage production environment
Tip: This approach significantly reduces the attack surface for privileged accounts.