Forum Discussion
David Levine
Apr 12, 2017
Brass Contributor
Securing AD DS Servers - How do you do it?
Hi All, I have a question; I am looking to take a relatively flat network and carve it up a bit - creating some new VLANs and separating server and client endpoints, etc. (with NG firewalls, and ...
Guy Yardeni
Jun 26, 2017
Brass Contributor
Locking down network ports around AD DS adds a lot of management overhead, especially if they offer a variety of services (DNS, DHCP, NPS, LDAP).
For good ROI in securing AD, in addition to the great suggestions about access control (especially privileged access control), I'd also check out AppLocker to prevent malicious code from running on the DCs. AppLocker is very easy to implement on DCs as their workload is well defined and largely static.
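An added example, not part of the original thread, of the AppLocker approach suggested above: build a policy from the binaries already on a reference DC, apply it in audit-only mode, and review what enforcement would have blocked. The scan roots, the output path `C:\Temp\dc-applocker-audit.xml`, and the use of local policy are assumptions for illustration.

```powershell
#Requires -RunAsAdministrator
# Added example: audit-only AppLocker baseline for a domain controller.
# Paths and the output file name below are assumptions, not from the thread.

$scanRoots  = @("$env:SystemRoot", "$env:ProgramFiles", "${env:ProgramFiles(x86)}")
$policyPath = 'C:\Temp\dc-applocker-audit.xml'   # hypothetical output location

# 1. Inventory executables and scripts currently installed on the DC.
$files = foreach ($root in $scanRoots) {
    if (Test-Path $root) {
        Get-AppLockerFileInformation -Directory $root -Recurse `
            -FileType Exe, Script -ErrorAction SilentlyContinue
    }
}

# 2. Prefer publisher rules; fall back to hash rules for unsigned files.
$xmlText = New-AppLockerPolicy -FileInformation $files `
    -RuleType Publisher, Hash -User Everyone `
    -Optimize -IgnoreMissingFileInformation -Xml

# 3. Force every rule collection to AuditOnly so nothing is blocked yet.
[xml]$doc = $xmlText
foreach ($collection in $doc.AppLockerPolicy.RuleCollection) {
    $collection.SetAttribute('EnforcementMode', 'AuditOnly')
}
$doc.Save($policyPath)

# 4. Apply to the local policy (this replaces it; add -Merge to keep
#    existing rules). AppLocker only evaluates rules while the
#    Application Identity service is running.
Set-AppLockerPolicy -XmlPolicy $policyPath
Start-Service -Name AppIDSvc

# 5. After a soak period, list what enforcement would have blocked.
#    8003 = EXE/DLL audit hit, 8006 = script/MSI audit hit.
$logs = 'Microsoft-Windows-AppLocker/EXE and DLL',
        'Microsoft-Windows-AppLocker/MSI and Script'
Get-WinEvent -FilterHashtable @{ LogName = $logs; Id = 8003, 8006 } `
    -ErrorAction SilentlyContinue |
    Sort-Object TimeCreated -Descending |
    Select-Object TimeCreated, Id, Message
```

Only switch the rule collections from `AuditOnly` to `Enabled` once the audit events from step 5 are explained or covered by a rule.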
Jian (Jane) Yan
Microsoft
Jun 27, 2017
In addition to AppLocker, if the server is running Server 2016, you should also look into Device Guard.