Zero Trust Networks

7 Best Practices for Active Directory Security to Keep Attackers Out 

Share with your network!

Active Directory security is a top-of-mind and ongoing concern for countless cybersecurity teams. Why? Because attackers are relentless in their efforts to target this vital directory service and identity management hub for Microsoft Windows-based networks.  

If a bad actor infiltrates a company’s Active Directory (AD) they can work to escalate their privileges, move laterally through the network and gain access to sensitive data and systems. 

There are multiple ways to fortify your Active Directory security. In this post, we’ll look at seven examples of Active Directory security best practices that can help you reduce the risk of costly breaches. These best practices make it tougher for bad actors to gain access to your AD in the first place. 

First, let’s take closer look at Active Directory and its purpose. Then, we’ll explain why Active Directory security is important and describe some common risks associated with it.  

What is Active Directory?

Microsoft introduced Active Directory nearly a quarter-century ago. Today, it is a crucial component of Windows-based networks for businesses around the globe. AD plays a central role in how resources are managed and organized within a networked environment.  

AD stores information about objects on a network—like a printer, application or a user’s account—and makes it easy for network administrators and users to locate and use that information. AD also manages user identities, authentication and access permissions.  

Active Directory allows administrators to enforce security policies, set password policies and control access to sensitive systems and data. So, for example, if you want to check your email or access the internet via your company’s Windows-based network, AD is what permits you to connect to those resources. It also facilitates the single sign-on (SSO) authentication process. 

Why is Active Directory security so important?

As noted at the top of this post, if a bad actor can compromise Active Directory, they are well on their way toward gaining access to sensitive data—or doing something worse. Here are just a few reasons that AD environments are prime targets for attackers: 

  • Centralized control. Active Directory is a central point of control for network resources including user accounts and servers. Once inside AD, attackers can take control of your entire network and potentially compromise other resources connected to it. 
  • Credential theft. Attackers can steal usernames and passwords stored in your AD. They can then use those credentials to access other systems, apps and data within your company. 
  • Privilege escalation. Active Directory stores information about user roles, permissions and group memberships. So, if an attacker can escalate their privileges within AD, they can gain access to other systems or admin accounts. That will allow them to make lateral moves within the network and expand their foothold. 
  • Persistence. Once attackers are inside Active Directory, they can establish persistence within the network. They can set up backdoor access, add rogue user accounts or manipulate security policies—moves designed to make it easier for them to evade detection. And if they are discovered, it will be harder for security teams to remove them from the network because they will have already created multiple other points of entry. 

What are some common Active Directory security risks?

By now, it is probably clear that two of the most significant Active Directory security risks are unauthorized access to accounts and systems and the theft of credentials like usernames and passwords. The latter is, of course, a vital strategy for gaining unauthorized access. 

As your business works to improve Active Directory security, you will want to address common risks like these sooner than later: 

  • Inadequate password policies. Strong passwords are essential to prevent data breaches and data loss. If your password practices and policies are lacking, you can be sure that attackers will take full advantage of those weaknesses. To improve password policies, see the tips in the Password Awareness Kit from Proofpoint. 
  • Lack of multifactor authentication (MFA). Without MFA, a single compromised password offers an attacker a fast path to unauthorized access. When you enable MFA, you enable an additional layer of authentication. It is particularly important to use multifactor authentication to help secure privileged accounts. While MFA isn’t 100% secure, it does help a lot. 
  • Misconfigurations. Malicious actors will move fast to abuse any misconfiguration they can identify within your AD. Some examples include misconfigured administrator privileges, “aged” accounts or accounts with no password expiration policy, and hidden security identifiers or “SIDs.” (Here’s how attackers exploit SID history.) 
  • Legacy systems. Legacy systems may rely on outdated versions of AD, and attackers will seek to exploit any known vulnerabilities. Also, it is important to understand that AD environments see a buildup of identity data over time. While some of that information may still be relevant, much of it likely is not. In both cases, that information may not be managed as well as it should be. 
  • Insider threats. Employees or other insiders with malicious intent may abuse their legitimate access to your Active Directory. They may seek to steal high-value data like intellectual property and financial data, compromise systems or otherwise cause harm to the business. To create a proactive approach to defend against insider threats, see this Insider Threat Management Starter Kit from Proofpoint. 

7 Active Directory security best practices

Active Directory offers security features like access control lists (ACLs), encryption and auditing capabilities to protect sensitive data and resources. These are all good features to employ. But comprehensive and ongoing Active Directory security involves many other steps and strategies.  

Your business is complex and changing all the time—and so, too, is your AD environment. Threats targeting your Active Directory are continuously evolving as well. With all that in mind, here’s a look at seven Active Directory security best practices that you can use to help reduce the risk of bad actors gaining access to your AD—and creating a lot of damage if they do. 

1. Strongly secure domain administrator accounts

Attackers are eager to compromise domain administrator accounts associated with your AD. That’s because these Active Directory users have high privileges with administrative control and authority over an entire domain with an AD “forest.” (A forest is a collection of one or more domain trees in the service directory.)  

One tip to secure domain admin accounts is to rename them from the default “administrator” to something more creative (and harder to guess). Implementing strong password policies and using passphrases can help here. Another good practice is to require MFA for authentication. 

2. Limit the use of highly privileged access to AD

Authorized personnel are the only users who should have administrative access in your AD. And those who have domain administrator privileges should not use those accounts for everyday tasks. Instead, they should use separate, less-privileged accounts for routine or common user activities.  

Related measures for limiting Active Directory access—which can also help to reduce the risk of insider threats—include: 

  • Implementing the principle of least privilege (PoLP) to grant users only the permissions they need to perform their work—and no more 
  • Using role-based access control (RBAC) to limit user access to specific tasks or systems 
  • Auditing administrative accounts regularly 

To learn more about implementing least-privilege administrative models, see these tips from Microsoft

3. Use a locked-down Secure Admin Workstation (SAW)

A SAW is a highly secure and isolated environment for performing administrative tasks in critical systems and services like Active Directory. The admin must originate from the SAW before they can perform any administrative task or connect to any other administered server or network. Some of the ways to “lock down” a SAW include: 

  • Using dedicated hardware or a virtual machine (VM) for administrative tasks 
  • Hardening the SAW’s operating systems—for example, by disabling unnecessary services and features 
  • Implementing strict access controls and user privilege management 
  • Placing the SAW in a separate network segment 
  • Reducing or eliminating direct internet connectivity to the SAW 

4. Disable local administrator accounts

Local admins also have high privileges. But unlike domain admins, they are restricted to one, local machine. Local administrators have complete access to resources on the local server or client, though. And they can use their account to create local users, to assign user rights and access control permissions and to install software. 

Local admin accounts are often configured with the same password on every computer in a domain. So, an attacker only needs to compromise the credentials for one account to sign into others. Not surprisingly, bad actors often use unmanaged local administrator credentials in ransomware attacks. 

You may want to consider disabling local admin accounts completely. You can instead set up individual accounts with the necessary rights to complete key tasks. To disable a local admin account, you will need to modify Group Policy settings in the Active Directory. Then, you can enforce security policies on Windows computers that are joined to the domain. (Microsoft offers these instructions for configuring group policies.) 

5. Use managed service accounts (MSAs)

MSAs are designed to enhance the security and manageability of service accounts that the applications, services and tasks running on Windows-based systems use. Each MSA is isolated to a specific computer, which means it can be used only by that system.  

MSA accounts have complex passwords that AD manages automatically. The AD domain controller rotates the passwords regularly, so the risk of passwords for service accounts being weak, stale or exposed is reduced. By eliminating manual password changes the likelihood of human error is minimized. So, too, is the risk of service disruptions due to password changes. 

(Note: MSAs are available in Windows Server 2008 R2 and later, including Windows Server 2012, 2012 R2, 2016, 2019 and 2022. The specific features and capabilities of MSAs may vary depending on the version of Windows Server in use.) 

6. Find and remove unused accounts

If an attacker breaks into your Active Directory and discovers a wealth of unused accounts, they will no doubt have a field day abusing them. Malicious insiders can make mischief with unused accounts, too. 

Creating a formal process to identify inactive users and unused computer accounts in your AD can help ensure you stay on top of this risk. As part of that process, you will need to determine the criteria for identifying inactive accounts, such as a specific period of inactivity (like 90 days). You should also notify relevant stakeholders to make sure that the identified accounts can be deleted safely.  

Taking the time to back up your AD environment before you start to remove accounts is also a wise practice. You may want to document the accounts you plan to remove and cite the reasons for deleting them, just so you have a record. 

7. Be vigilant about patch management and vulnerability scanning

This tip may seem mundane. However, you need to move fast to patch Active Directory vulnerabilities, just as you should do to protect any other critical system. Attackers focused on targeting your AD will waste no time exploiting known vulnerabilities. 

Consider this AD vulnerability, for example: CVE-2022-26923. Microsoft reports that an authenticated user could manipulate attributes on computer accounts they own or manage and acquire a certificate from Active Directory Certificate Services that would allow them to elevate their system privileges. That means an attacker could quickly move from being a mere user to a domain administrator in just a few steps. 

Be sure to scan for and remediate Active Directory vulnerabilities often—once a month or on a more frequent basis, if possible. Prioritize fixes that pose the most serious risk to your business and users. And identify and address any outdated or unsupported software as well. 

Proofpoint can help you defend against threats that target Active Directory

Cyber criminals often use identity-based attacks to gain access to Active Directory. Once inside, they take advantage of AD’s domain and trust vulnerabilities. 

The Proofpoint Identity Threat Detection and Response (ITDR) solution can help you to detect and prevent identity risks to Active Directory, as well as your identity environment more broadly. ITDR solutions also help to stop lateral movement and privilege escalation by malicious actors. 

Learn more about identity risks related to Active Directory and your company’s exposure to them here