There are hundreds, if not thousands, of possible settings related to Active Directory, including group membership, user rights, access control lists (ACLs), delegations, and so many more. With all of these settings, there are always some settings missed or misconfigured. Here are three security-related settings that I have found most Active Directory environments fail to have set up correctly.
-
Enterprise Admins group: For most Active Directory installations and corporations, the Enterprise Admins group should be empty. This group should be empty because the group capabilities are rarely utilized, but having a user in the group exposes that user account to attacks and the dangerous use of the group capabilities. Also, if you monitor and alert changes to the Enterprise Admins group, you will have a record and be notified immediately if the group does change membership, which is ideal for this group. This link describes how to set up monitoring and alerting for the Enterprise Admins group.
-
Account Lockout Policy/Account Lockout Threshold: This setting (defined in a Group Policy Object) determines how many failed logon attempts a user can have before their account is locked out. The setting has historically been set to a low number (usually three to five) to meet security compliance regulations, and ease the thoughts of those who believe that a low number is good for security. However, with internal users who are more sophisticated and have the ability to attack with better results, this number should be increased to something in between 75 and 100 to help reduce the chances of a denial of service attack. A denial of service attack, in this case, consisrs of all user accounts being locked out with a simple script or batch file that any internal user could run. By attempting to logon with three to five bad passwords for every user in the domain, an internal attacker could lock out every user in Active Directory (sans the domain administrator account) within seconds. If you set the value to a higher number, the internal attacker may not know what the lockout value is, as they would never reach it in daily use of their account.
-
Service Account “Log on to”: This setting is a control that can limit which computers service accounts can log on to. The setting is part of the user accounts properties, which are easy to setup. The key is to know which computers the service account is used on, and then to simply list them in the “Log on to” list for the service account. This will restrict the user account (used as a service account) from logging on to any computer except those listed. If you need help discovering which computers the service accounts in your organization are configured on, you can use this free tool.
These three easy-to-check and configure settings can make your Active Directory environment increasingly secure and stable.