
Reading Notes-Best practices for protecting Active Directory

2025-02-27 Update From: SLTechnology News&Howtos


Shulou(Shulou.com)06/02 Report--

Summary of best practices for protecting Active Directory domain services

In order to protect systems effectively against attacks, some general principles should be borne in mind.

You should never manage trusted systems (that is, secure servers, such as domain controllers) from untrusted hosts (that is, workstations that are not as secure as the systems they manage).

When performing privileged activities, you should not rely on a single authentication factor; that is, a username and password combination should not be considered acceptable authentication, because it represents only a single factor (something you know). You should also consider where credentials are generated and cached in the management scenario.

Although most attacks in the current threat environment make use of malware and malicious hacking, do not neglect physical security when designing and implementing secure management hosts.

Microsoft Security Compliance Manager templates

These can be used in conjunction with Security Configuration Wizard settings to produce a comprehensive configuration baseline for jump servers, deployed and enforced via the Active Directory OU in which the jump servers are located.

Implement separate physical workstations

One way to provide management hosts is to give each IT user two workstations. One workstation is used with a "regular" user account for activities such as checking e-mail and running productivity applications, while the second workstation is dedicated to administrative functions.

For the productivity workstation, IT staff are given a regular user account rather than logging on to a less secure computer with a privileged account. The management workstation should be configured with a strictly controlled configuration, and IT personnel should log on to it using separate administrative accounts.

If you have implemented smart cards, the management workstation should be configured to require smart card logon, and the separate account provided to IT staff for administrative use should also be configured to require a smart card for interactive logon. The management host should be hardened as described earlier, and only designated IT users should be allowed to log on locally to the management workstation.

The disadvantage is that the physical cost is high and virtualization can be considered.
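The requirement above that administrative accounts be configured to require a smart card for interactive logon can be verified and enforced from a management host. The following PowerShell is an added example, not part of the original notes or of Microsoft's guidance; it assumes the RSAT ActiveDirectory module is installed and that the caller has rights to read and modify the listed groups. The group names, the function name and the report shape are this example's own choices.

```powershell
# Added example: audit privileged accounts for the "smart card required for
# interactive logon" flag, then (optionally) enforce it.
# Assumes the RSAT ActiveDirectory module and read/modify rights on the groups.
Import-Module ActiveDirectory

function Get-AdminSmartcardStatus {
    param(
        # Example choice of privileged groups; adjust to the groups your model treats as tier 0
        [string[]]$PrivilegedGroups = @('Domain Admins', 'Enterprise Admins', 'Administrators')
    )
    foreach ($group in $PrivilegedGroups) {
        # -Recursive expands nested groups so indirectly privileged users are included
        Get-ADGroupMember -Identity $group -Recursive |
            Where-Object { $_.objectClass -eq 'user' } |
            ForEach-Object {
                $u = Get-ADUser -Identity $_.DistinguishedName -Properties SmartcardLogonRequired, Enabled
                [pscustomobject]@{
                    Group                  = $group
                    SamAccountName         = $u.SamAccountName
                    Enabled                = $u.Enabled
                    SmartcardLogonRequired = [bool]$u.SmartcardLogonRequired
                }
            }
    }
}

# Report enabled privileged accounts that still accept a password-only interactive logon
$status = Get-AdminSmartcardStatus | Sort-Object SamAccountName -Unique
$gaps   = $status | Where-Object { $_.Enabled -and -not $_.SmartcardLogonRequired }
$gaps | Format-Table Group, SamAccountName, SmartcardLogonRequired -AutoSize

# Enforcement (uncomment to apply). Setting SmartcardLogonRequired also causes the
# domain controller to replace the account's password with a random value, so apply
# it only to dedicated administrative accounts that will never log on with a password.
# $gaps | ForEach-Object { Set-ADUser -Identity $_.SamAccountName -SmartcardLogonRequired $true }
```

Run the audit portion first and review the list; a service or break-glass account that appears there needs a separate decision, since the flag makes password logon impossible for that account.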

Best practices for enabling Windows AD audit policies

https://docs.microsoft.com/en-us/windows-server/identity/ad-ds/plan/security-best-practices/audit-policy-recommendations

Privileged accounts and groups in AD

https://docs.microsoft.com/en-us/windows-server/identity/ad-ds/plan/security-best-practices/appendix-b--privileged-accounts-and-groups-in-active-directory

Five common questions about AdminSDHolder and SDProp

https://blogs.technet.microsoft.com/askds/2009/05/07/five-common-questions-about-adminsdholder-and-sdprop/

Ten Immutable Laws of Security Administration

https://docs.microsoft.com/en-us/previous-versions//cc722488(v=technet.10)

Document links and recommended reading on AD information security

https://docs.microsoft.com/en-us/windows-server/identity/ad-ds/manage/appendix-m--document-links-and-recommended-reading
