Foreword
Applies To: Windows Server 2008, Windows Server 2008 R2, Windows Server 2012 R2, Windows Server 2012
In today’s information-rich environment, senior executives are faced with the challenge of harnessing information technology to help their business:
Execute its strategy
Improve its operations
Enhance the perceived value of its own products and services
In support of these challenges, consumer-centric computing models that leverage highly scalable platforms (the cloud) and a plethora of devices are being utilized. The new business paradigm is obsessed with speed, agility, and execution. The evolution of these models requires even more comprehensive and agile security and risk management programs to ensure success.
This document provides a practitioner’s perspective and contains a set of practical techniques to help IT executives protect an enterprise Active Directory® environment. Active Directory plays a critical role in the IT infrastructure, and ensures the harmony and security of different network resources in a global, interconnected environment. The methods discussed are based largely on the experience of the Microsoft® Information Security and Risk Management (ISRM) organization, which is accountable for protecting the assets of Microsoft IT and other Microsoft Business Divisions, in addition to advising a selected number of Microsoft Global 500 customers.
Key tenets of this paper are understanding the avenues for establishing a healthy Active Directory, implementing monitoring systems, taking actions to reduce the attack surface, and managing a resilient environment. This risk-based approach assumes that the corporate infrastructure, and more specifically the Active Directory, is a critical target. With this mindset, resiliency and recovery become critical components of an Active Directory protection program.
This document encompasses experience from several hundred Active Directory Security Assessments, critical incident responses, and recovery engagements, and proven techniques for mitigating IT risks. Based on numerous requests from Microsoft customers and partners, this document reflects a comprehensive guide, and it contains best practices for protecting Active Directory. Information security and risk management executives will find the techniques explained in this document to be a significant contribution to their understanding of best practices, in addition to practical implementation programs for their Active Directory environments.
Bret Arsenault
Microsoft Chief Information Security Officer