One Article Review

Source AlienVault Lab Blog
Identifier 8371681
Publication date 2023-08-18 10:00:00 (seen: 2023-08-18 10:08:01)
Title Securely implementing Active Directory on Windows Server 2019
Text The content of this post is solely the responsibility of the author. AT&T does not adopt or endorse any of the views, positions, or information provided by the author in this article.

The installation of Active Directory (AD) on Windows Server 2019 calls for a thorough understanding of technical nuances and a steadfast dedication to security best practices. This guide will walk you through the process of securely implementing Active Directory, ensuring the highest level of protection for the information and resources within your company.

Planning and design

Start by carefully planning and designing. Analyze your organization's requirements, network topology, and security requirements in great detail. Establish the necessary number of organizational units (OUs), domains, and user and group structures. Make a thorough design plan that complies with your organization's compliance standards and security guidelines.

Installing Windows Server 2019

Install Windows Server 2019 on a dedicated system that satisfies the system minimums. Use the most recent Windows Server 2019 ISO and adhere to recommended procedures for a secure installation. Set a strong password for the Administrator account and enable Secure Boot if it is supported in the BIOS/UEFI settings for hardware security.

Choose the right deployment type

Select the domain controller (DC) installation as the Active Directory deployment type. By doing this, you can be confident that your server is a dedicated domain controller overseeing your domain's directory services, authentication, and security policies.

Install Active Directory Domain Services (AD DS) role

Add the Active Directory Domain Services (AD DS) role to Windows Server 2019. For the installation, use Server Manager or PowerShell. Select the appropriate forest and domain functional levels during the procedure and specify the server as a domain controller.
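
The PowerShell route for the role installation described above, as an added example that is not part of the original article. It assumes the server becomes the first domain controller of a new forest; `corp.example.com` and `CORP` are placeholder names.

```powershell
# Added example: install the AD DS role and create a new forest on a clean
# Windows Server 2019 host. Domain names below are placeholders (assumptions).

# Role binaries plus the management tools (AD and ADDSDeployment modules).
Install-WindowsFeature -Name AD-Domain-Services -IncludeManagementTools

Import-Module ADDSDeployment

# Prompt for the Directory Services Restore Mode password so that it is
# never stored in a script file or command history.
$dsrm = Read-Host -AsSecureString -Prompt 'DSRM password'

$forest = @{
    DomainName                    = 'corp.example.com'
    DomainNetbiosName             = 'CORP'
    # WinThreshold is the Windows Server 2016 functional level, the highest
    # level available on Windows Server 2019.
    ForestMode                    = 'WinThreshold'
    DomainMode                    = 'WinThreshold'
    InstallDns                    = $true
    SafeModeAdministratorPassword = $dsrm
}

# Run the prerequisite checks first and stop if any of them reports an error.
$checks = Test-ADDSForestInstallation @forest
$failed = $checks | Where-Object { $_.Status -eq 'Error' }
if ($failed) {
    $failed | Format-List Message
    throw 'AD DS prerequisite check failed; nothing was changed.'
}

# Promote the server. It reboots automatically when promotion completes.
Install-ADDSForest @forest -Force
```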

Choose an appropriate Forest Functional Level (FFL)

Select the highest Forest Functional Level (FFL) compatible with your domain controllers. This enables access to the most recent AD features and security upgrades. Examine the FFL specifications and confirm that every domain controller currently in use can support the selected level.

Secure DNS configuration

AD heavily relies on DNS for name resolution and service location. Ensure that DNS is configured securely by:

a. Using Active Directory Integrated Zones for DNS storage, enabling secure updates and zone replication through AD.
b. Implementing DNSSEC to protect against DNS data tampering and for secure zone signing.
c. Restricting zone transfers to authorized servers only, preventing unauthorized access to DNS data.
d. Implementing DNS monitoring and logging for suspicious activities using tools like DNS auditing and query logging.

Use strong authentication protocols

Configure Active Directory to use strong authentication protocols such as Kerberos. To stop credential-based attacks, disable older, less secure protocols like NTLM and LM hashes. Ensure domain controllers are set up to favor robust authentication techniques over weak ones when performing authentication.

Securing administrative accounts

Safeguard administrative accounts by:

a. Creating complicated, one-of-a-kind passwords for each administrative account, following the password policy guidelines, and rotating passwords frequently.
b. Adding multi-factor authentication (MFA) to all administrative accounts to improve login security and reduce the risk of credential theft.
c. Enforcing the principle of least privilege, role-based access control (RBAC), and limiting the use of administrative accounts to authorized personnel only.
d. To reduce the attack surface and potential insider threats, administrative account privileges should be regularly reviewed, and extra access rights should be removed.
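
A check for points a to d of the "Secure DNS configuration" section, as an added example that is not part of the original article. The function names `Get-DnsZoneHardeningReport` and `Set-DnsZoneBaseline` are this example's own; it assumes it runs on a DNS server with the DnsServer module installed.

```powershell
# Added example: audit DNS zones against the article's DNS points a-d.
Import-Module DnsServer

# Report, per primary zone, which controls are in place. Auto-created zones
# and the DNSSEC TrustAnchors store are skipped.
function Get-DnsZoneHardeningReport {
    param([string]$ComputerName = $env:COMPUTERNAME)

    Get-DnsServerZone -ComputerName $ComputerName |
        Where-Object { $_.ZoneType -eq 'Primary' -and -not $_.IsAutoCreated -and
                       $_.ZoneName -ne 'TrustAnchors' } |
        ForEach-Object {
            [pscustomobject]@{
                Zone                = $_.ZoneName
                AdIntegrated        = [bool]$_.IsDsIntegrated                   # point a
                SecureUpdatesOnly   = $_.DynamicUpdate -eq 'Secure'             # point a
                DnssecSigned        = [bool]$_.IsSigned                         # point b
                TransfersRestricted = $_.SecureSecondaries -ne 'TransferAnyServer' # point c
            }
        }
}

# Apply secure updates and restricted transfers to one AD-integrated zone.
# $SecondaryServer lists the only hosts allowed to pull the zone.
function Set-DnsZoneBaseline {
    param(
        [Parameter(Mandatory)][string]$ZoneName,
        [string[]]$SecondaryServer
    )
    Set-DnsServerPrimaryZone -Name $ZoneName -DynamicUpdate Secure
    if ($SecondaryServer) {
        Set-DnsServerPrimaryZone -Name $ZoneName -SecureSecondaries TransferToSecureServers `
            -SecondaryServers $SecondaryServer
    } else {
        Set-DnsServerPrimaryZone -Name $ZoneName -SecureSecondaries NoTransfer
    }
    # Signing (point b) needs a key master decision first; once made:
    # Invoke-DnsServerZoneSign -ZoneName $ZoneName -SignWithDefault
}

$report = Get-DnsZoneHardeningReport
$report | Format-Table -AutoSize

# Point d: the DNS audit channel should be enabled so zone changes are logged.
(Get-WinEvent -ListLog 'Microsoft-Windows-DNSServer/Audit').IsEnabled
```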
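
One way to carry out the regular review of administrative accounts from point d of "Securing administrative accounts", as an added example that is not part of the original article. The function name, the 90-day password age and the 60-day logon threshold are assumptions; it also assumes a single-domain forest, so that all four groups resolve in the current domain.

```powershell
# Added example: list every user who holds domain-level administrative rights
# and flag accounts that need attention.
Import-Module ActiveDirectory

function Get-PrivilegedAccountReview {
    param(
        [string[]]$Group = @('Domain Admins', 'Enterprise Admins',
                             'Schema Admins', 'Administrators'),
        [int]$MaxPasswordAgeDays = 90,   # assumed; use your password policy value
        [int]$StaleLogonDays     = 60    # assumed
    )
    $pwdCutoff   = (Get-Date).AddDays(-$MaxPasswordAgeDays)
    $logonCutoff = (Get-Date).AddDays(-$StaleLogonDays)

    foreach ($g in $Group) {
        # -Recursive expands nested groups so indirect admins are not missed.
        Get-ADGroupMember -Identity $g -Recursive |
            Where-Object { $_.objectClass -eq 'user' } |
            Get-ADUser -Properties PasswordLastSet, PasswordNeverExpires, LastLogonDate |
            ForEach-Object {
                $findings = @()
                if (-not $_.Enabled)         { $findings += 'disabled but still a member' }
                if ($_.PasswordNeverExpires) { $findings += 'password never expires' }
                if (-not $_.PasswordLastSet -or $_.PasswordLastSet -lt $pwdCutoff) {
                    $findings += "password older than $MaxPasswordAgeDays days"
                }
                # LastLogonDate is replicated lazily and can lag by about two weeks.
                if (-not $_.LastLogonDate -or $_.LastLogonDate -lt $logonCutoff) {
                    $findings += "no logon in $StaleLogonDays days"
                }
                [pscustomobject]@{
                    Group           = $g
                    Account         = $_.SamAccountName
                    PasswordLastSet = $_.PasswordLastSet
                    LastLogon       = $_.LastLogonDate
                    Findings        = $findings -join '; '
                }
            }
    }
}

Get-PrivilegedAccountReview | Sort-Object Account, Group |
    Format-Table -AutoSize -Wrap
```

Accounts with an empty Findings column still need a human decision on whether the membership itself is justified.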
Rating ★★
Sent Yes
Tags Tool Threat


The article does not appear to have been picked up again after its publication.

The article does not appear to follow up on an earlier one.