Forum Discussion
David Levine
Apr 12, 2017 | Brass Contributor
Securing AD DS Servers - How do you do it?
Hi All, I have a question; I am looking to take a relatively flat network and carve it up a bit - creating some new VLANs and separating server and client endpoints, etc. (with NG firewalls, and ...
Steve Bostedor
Apr 17, 2017 | Copper Contributor
Before answering this question, I think it best to ask what goal you are accomplishing by doing this? The answer can be tailored to that specific goal.
David Levine
May 02, 2017 | Brass Contributor
Hi -
Thanks for the reply!
So, after a bunch of security assessments, we have had many recommendations to segment our network better (we are pretty flat), and account for lateral movement, etc. As such, I am moving many server VMs into a separate network segment.
For most things, this is pretty straightforward. For others - like AD - I find it a bit more tedious. (Reference this blog post - I have kept this one around for a while).
So, I am just curious how others deal with this? Do you keep AD servers in the same network segment as client machines? Do you just rely on Windows firewall? If you have firewalls between your AD servers and client machines, how do you manage those rules? Etc.
Any tips, advice, experience, or wisdom is very much appreciated! :)
Thanks!
Dongjie
Jun 23, 2017 | MVP
Physical isolation and logical isolation, such as traffic isolation between network segments, port restrictions, or site restrictions.