Securing Active Directory

Applies To: Windows Server 2003, Windows Server 2003 R2, Windows Server 2003 with SP1, Windows Server 2003 with SP2

Active Directory provides a secure directory environment for your organization using built-in logon authentication and user authorization. To further secure Active Directory once it has been deployed, consider the following precautions and recommendations.

For general security information about Active Directory, see Security information for Active Directory.

For more information about authentication, see "Logon and Authentication" at the Microsoft Windows Resource Kits Web Site. For more information about authorization, see "Authorization and Access Control" at the Microsoft Windows Resource Kits Web Site.

Important

  • Physical access to a domain controller can give a malicious user access to the password hashes stored in the directory database (Ntds.dit), which can then be cracked or replayed offline. Therefore, it is recommended that all domain controllers be locked in a secured room with limited public access. In addition, limit membership in the Enterprise Admins, Domain Admins, Account Operators, Server Operators, Print Operators, and Backup Operators groups to trusted personnel in your organization. The operator groups belong on this list because their members can log on to domain controllers, manage accounts and services, load printer drivers, or back up and restore the directory database, any of which is effectively domain-administrator access. For more information about domain controllers and groups, see Domain controllers and Default groups.
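Reviewing who actually holds those group memberships is the check that goes with the note above. The following script is an added example and is not part of the original article: it expands each listed group recursively and flags members that usually should not be there (computer accounts, disabled or stale users, passwords set to never expire). It assumes the RSAT ActiveDirectory module (Windows Server 2008 R2 or later); on Windows Server 2003 the same data is available with dsget group -members -expand. The 90-day and 365-day thresholds are assumptions for the example.

```powershell
# Added example, not part of the original article: list the effective members
# of the groups the note above says to restrict, and flag entries to review.
# Assumes the RSAT ActiveDirectory module (Windows Server 2008 R2 or later);
# on Windows Server 2003 use "dsget group -members -expand" instead.
Import-Module ActiveDirectory

$forestRoot = (Get-ADForest).RootDomain

# Enterprise Admins exists only in the forest root domain; the other groups
# are resolved in the domain of the computer running the script.
$privilegedGroups = @(
    @{ Name = 'Enterprise Admins'; Server = $forestRoot }
    @{ Name = 'Domain Admins';     Server = $null }
    @{ Name = 'Account Operators'; Server = $null }
    @{ Name = 'Server Operators';  Server = $null }
    @{ Name = 'Print Operators';   Server = $null }
    @{ Name = 'Backup Operators';  Server = $null }
)

# Derive the DNS domain name from a distinguishedName so that members that
# live in another domain of the forest are queried against their own domain.
function Get-DomainFromDN {
    param([string]$DistinguishedName)
    ($DistinguishedName -replace '^.*?,DC=', 'DC=') -replace ',DC=', '.' -replace '^DC=', ''
}

function Get-PrivilegedMembership {
    param([int]$StaleDays = 90, [int]$MaxPasswordAgeDays = 365)   # assumed thresholds
    $now = Get-Date
    foreach ($g in $privilegedGroups) {
        $query = @{ Identity = $g.Name; Recursive = $true; ErrorAction = 'Stop' }
        if ($g.Server) { $query.Server = $g.Server }
        try   { $members = @(Get-ADGroupMember @query) }
        catch { Write-Warning "Cannot enumerate $($g.Name): $_"; continue }

        foreach ($m in $members) {
            $flags = New-Object System.Collections.Generic.List[string]
            if ($m.objectClass -eq 'computer') {
                $flags.Add('computer account')   # a machine account should not hold these rights
            }
            elseif ($m.objectClass -eq 'user') {
                try {
                    $u = Get-ADUser -Identity $m.distinguishedName `
                        -Server (Get-DomainFromDN $m.distinguishedName) `
                        -Properties Enabled, LastLogonDate, PasswordLastSet, PasswordNeverExpires
                    if (-not $u.Enabled)         { $flags.Add('disabled') }
                    if ($u.PasswordNeverExpires) { $flags.Add('password never expires') }
                    if ($u.LastLogonDate -and $u.LastLogonDate -lt $now.AddDays(-$StaleDays)) {
                        $flags.Add("no logon in $StaleDays days")
                    }
                    if ($u.PasswordLastSet -and $u.PasswordLastSet -lt $now.AddDays(-$MaxPasswordAgeDays)) {
                        $flags.Add("password older than $MaxPasswordAgeDays days")
                    }
                }
                catch { $flags.Add("lookup failed: $($_.Exception.Message)") }
            }
            else {
                $flags.Add("unexpected class $($m.objectClass)")   # e.g. a foreign security principal
            }

            [pscustomobject]@{
                Group  = $g.Name
                Member = $m.SamAccountName
                Class  = $m.objectClass
                Flags  = ($flags -join '; ')
            }
        }
    }
}

$report = Get-PrivilegedMembership
$report | Sort-Object Group, Member | Format-Table -AutoSize
# Entries with a non-empty Flags column are the ones to review first.
$report | Where-Object { $_.Flags } | Format-Table -AutoSize
```

Run it from a domain-joined computer with an account that can read the directory; it needs no administrative rights. A member that appears in several groups is reported once per group, which is useful when you decide which of the operator memberships a person really needs.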
Each entry below gives the goal (To), the feature that provides it (Use), and the topic to consult (See).

To: Manage the security relationship between two forests, and simplify security administration and authentication across forests.
Use: Forest trusts
See: Forest trusts.

To: Force domain users to use strong passwords.
Use: Group Policy
See: Strong passwords.

To: Enable an audit policy. Audited events in the security log can alert you to actions that pose a security risk, such as failed logons, changes to group membership, and changes to policy.
Use: Group Policy
See: Auditing Policy.

To: Assign user rights to new security groups, so that each administrative role in the domain is defined by the rights its group holds rather than by membership in the built-in administrative groups.
Use: Group Policy
See: Group types.

To: Enforce account lockout on user accounts, which limits the number of passwords an attacker can guess against an account through repeated logon attempts. Choose the threshold with care: an attacker who knows a user name can also use lockout to deny that user service.
Use: Group Policy
See: User and computer accounts.

To: Enforce password history on user accounts, so that users cannot reuse recent passwords and a password that was once compromised does not come back into use.
Use: Group Policy
See: Enforce password history.

To: Enforce minimum and maximum password ages on user accounts. A minimum age stops users from cycling through the history to return to an old password; a maximum age limits how long a compromised password remains valid.
Use: Group Policy
See: Minimum password age, Maximum password age.

To: Authenticate users with certificates and public key cryptography rather than with passwords alone.
Use: Public key infrastructure
See: Deploying a Public Key Infrastructure.

To: Run day-to-day tasks without administrative credentials, and use them only for the tasks that require them.
Use: Run as
See: Using Run as.

To: Restrict which users, groups, and computers can reach shared resources, and filter which Group Policy settings apply to them.
Use: Security groups
See: Group types.

To: Prevent an administrator of a trusted domain from using SIDs from your domain (for example, in SID history) to obtain elevated rights across the trust.
Use: SID filtering
See: "Using Security Identifier (SID) Filtering to Prevent Elevation of Privilege Attacks" at the Microsoft Web Site.

To: Provide tamper-resistant user authentication and e-mail security.
Use: Smart cards
See: Smart cards overview.

To: Use a system key to encrypt the stored account password information on local computers, member servers, and domain controllers. With the default mode the key is stored on the computer itself; storing the key on a floppy disk or requiring a startup password gives stronger protection against an attacker who copies the database offline.
Use: Syskey
See: The system key utility.
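The Group Policy entries above (strong passwords, audit policy, account lockout, password history, and password ages) are all settings that secedit can export and import. The following script is an added example and is not part of the original article: it exports the effective policy with secedit, compares it with a baseline, and writes a remediation template in the same format. The baseline values are illustrative assumptions for this example, not Microsoft's published guidance; the setting names are the ones secedit uses in .inf templates.

```powershell
# Added example, not part of the original article: export the effective
# account and audit policy with secedit, compare it with a baseline and
# write a remediation template. The baseline numbers are illustrative
# assumptions for this example, not Microsoft's published guidance.
[CmdletBinding()]
param([string]$OutFile = (Join-Path $env:TEMP 'ad-remediate.inf'))

# Keys are the names secedit uses in .inf templates. Audit values are a bit
# mask: 1 = success, 2 = failure, 3 = both.
$baseline = @{
    'System Access' = @{
        MinimumPasswordLength = 14
        PasswordComplexity    = 1     # 1 = complexity requirements enabled
        PasswordHistorySize   = 24    # passwords remembered
        MinimumPasswordAge    = 1     # days; stops cycling back through the history
        MaximumPasswordAge    = 90    # days; -1 in an export means never expires
        LockoutBadCount       = 10    # failed logons before lockout; 0 = never lock
        ResetLockoutCount     = 30    # minutes; only honoured if LockoutBadCount > 0
        LockoutDuration       = 30    # minutes; -1 = until an administrator unlocks
        ClearTextPassword     = 0     # reversible encryption off
    }
    'Event Audit' = @{
        AuditAccountLogon  = 3
        AuditLogonEvents   = 3
        AuditAccountManage = 3
        AuditPolicyChange  = 3
        AuditPrivilegeUse  = 2        # success auditing here is extremely noisy
        AuditDSAccess      = 2
        AuditSystemEvents  = 3
    }
}

# Parse a secedit .inf into nested hashtables: section -> name -> value.
function Read-SecurityTemplate {
    param([string]$Path)
    $sections = @{}
    $current = $null
    foreach ($line in Get-Content -Path $Path) {
        if ($line -match '^\s*\[(.+?)\]\s*$') {
            $current = $Matches[1]
            $sections[$current] = @{}
        }
        elseif ($current -and $line -match '^\s*([^=]+?)\s*=\s*(.*?)\s*$') {
            $sections[$current][$Matches[1]] = $Matches[2]
        }
    }
    $sections
}

# Audit values must contain the required bits; "at most" settings must be
# nonzero and no larger than the baseline; everything else must be at least
# the baseline (-1 for LockoutDuration means "until unlocked", which is stricter).
function Test-Setting {
    param([string]$Section, [string]$Name, [int]$Current, [int]$Desired)
    if ($Section -eq 'Event Audit') { return (($Current -band $Desired) -eq $Desired) }
    if ($Name -eq 'MaximumPasswordAge' -or $Name -eq 'LockoutBadCount') { return ($Current -ge 1 -and $Current -le $Desired) }
    if ($Name -eq 'PasswordComplexity' -or $Name -eq 'ClearTextPassword') { return ($Current -eq $Desired) }
    if ($Name -eq 'LockoutDuration') { return ($Current -eq -1 -or $Current -ge $Desired) }
    return ($Current -ge $Desired)
}

function Get-PolicyFindings {
    $export = Join-Path $env:TEMP 'ad-effective.inf'
    # Needs an elevated prompt. On a domain controller the exported values are
    # the account policy applied from the Default Domain Policy GPO.
    & secedit.exe /export /cfg $export /areas SECURITYPOLICY | Out-Null
    if (-not (Test-Path $export)) { throw 'secedit export failed (run from an elevated prompt).' }
    $effective = Read-SecurityTemplate -Path $export
    foreach ($section in $baseline.Keys) {
        foreach ($name in $baseline[$section].Keys) {
            $desired = [int]$baseline[$section][$name]
            $raw = $null
            if ($effective.ContainsKey($section)) { $raw = $effective[$section][$name] }
            $current = if ($null -eq $raw) { 0 } else { [int]$raw }   # missing = not configured
            if (-not (Test-Setting $section $name $current $desired)) {
                [pscustomobject]@{ Section = $section; Setting = $name; Current = $current; Desired = $desired }
            }
        }
    }
}

# Write the baseline as a template that secedit or a GPO import understands.
function Write-RemediationTemplate {
    param([string]$Path)
    $lines = @('[Unicode]', 'Unicode=yes', '[Version]', 'signature="$CHICAGO$"', 'Revision=1')
    foreach ($section in $baseline.Keys) {
        $lines += "[$section]"
        foreach ($name in $baseline[$section].Keys) { $lines += "$name = $($baseline[$section][$name])" }
    }
    Set-Content -Path $Path -Value $lines -Encoding Unicode
    $Path
}

$findings = @(Get-PolicyFindings)
if ($findings.Count -eq 0) { 'Effective policy meets the baseline.' }
else {
    $findings | Format-Table -AutoSize
    "Remediation template written to $(Write-RemediationTemplate -Path $OutFile)"
}
```

Account policy for domain accounts comes only from Group Policy linked at the domain level, so on a domain controller apply the template by importing it into the Default Domain Policy GPO (Computer Configuration, Windows Settings, Security Settings, Import Policy) rather than with secedit, which Group Policy would overwrite at the next refresh. On a standalone or member server, secedit /configure /db hardening.sdb /cfg <template> /areas SECURITYPOLICY applies it locally. Two caveats: ResetLockoutCount and LockoutDuration have no effect while LockoutBadCount is 0, and a low lockout threshold lets anyone who knows user names lock those users out.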
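SID filtering is enforced per trust object, so the check that goes with the SID filtering entry above is to look at each trust's attributes. The following script is an added example and is not part of the original article: it decodes the trustAttributes bits defined in MS-ADTS, reports trusts on which SID filtering is not enforced, and prints the netdom command that turns it on. It assumes the RSAT ActiveDirectory module; on Windows Server 2003, nltest /domain_trusts /v shows the same attribute values, and netdom comes from the Support Tools.

```powershell
# Added example, not part of the original article: find trusts on which SID
# filtering is not enforced and print the netdom command that enables it.
# Assumes the RSAT ActiveDirectory module. Bit values are the trustAttributes
# flags defined in MS-ADTS.
Import-Module ActiveDirectory

$QUARANTINED_DOMAIN = 0x04   # SID filtering on an external trust (netdom /quarantine:yes)
$FOREST_TRANSITIVE  = 0x08   # forest trust
$WITHIN_FOREST      = 0x20   # trust to another domain of the same forest
$TREAT_AS_EXTERNAL  = 0x40   # forest trust relaxed to external-trust filtering (netdom /enablesidhistory:yes)

function Get-UnfilteredTrusts {
    $localDomain = (Get-ADDomain).DNSRoot
    foreach ($t in Get-ADTrust -Filter *) {
        $attr = [int]$t.TrustAttributes
        if ($attr -band $WITHIN_FOREST) { continue }   # intra-forest trusts are never filtered
        $isForest = [bool]($attr -band $FOREST_TRANSITIVE)
        if ($isForest) { $filtered = -not ($attr -band $TREAT_AS_EXTERNAL) }
        else           { $filtered = [bool]($attr -band $QUARANTINED_DOMAIN) }
        if ($filtered) { continue }

        # Filtering is enforced by the trusting (outbound) side, so an inbound-only
        # trust has to be fixed in the other domain; a two-way trust needs both.
        if ($t.Direction -eq 'Inbound') { $fix = "enable in $($t.Name) (trusting side)" }
        elseif ($isForest)              { $fix = "netdom trust $localDomain /domain:$($t.Name) /enablesidhistory:no" }
        else                            { $fix = "netdom trust $localDomain /domain:$($t.Name) /quarantine:yes" }
        $type = if ($isForest) { 'forest' } else { 'external' }

        [pscustomobject]@{
            Trust           = $t.Name
            Direction       = $t.Direction
            Type            = $type
            TrustAttributes = ('0x{0:X}' -f $attr)
            Remediation     = $fix
        }
    }
}

Get-UnfilteredTrusts | Format-Table -AutoSize
```

An empty result means every external trust is quarantined and every forest trust uses forest-level filtering. Turning filtering on breaks access for users whose resource permissions rely on SID history migrated across that trust, so check for such accounts before running the printed command.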