I have a question; I am looking to take a relatively flat network and carve it up a bit - creating some new VLANS and separating server and client endpoints, etc. (with NG firewalls, and so on...)
Anyway... I am curious how folks are dealing with things like AD in this regard. Are you keeping full blown AD DS servers on the same VLAN as your client computers? Are you using RODC's instead? If you do have AD DS servers in a protected VLAN, how are dealing with the traffic that passses through firewalls? IPSec tunneling? Forcing AD communication to use specific ports?
So, after a bunch of security assessments, we have had many recommendations to segment our network better (we are pretty flat), and account for lateral movement, etc. As such, I am moving many server VM's into a separate network segment.
For most things, this is pretty straightforward. For others - like AD - I fond it a bit more tedious. (Reference this blog post - I have kept this one around for a while).
So, I am just curious how others deal with this? Do you keep AD servers in the same network segment as client machines? Do you just rely on Windows firewall? If you have firewalls between your AD servers and client machines, how do you manage those rules? Etc.
Any tips, advice, experience, or wisdom is very much appreciated! :)
Locking down network ports around AD DS adds a lot of management overhead, especially if they offer a variety of services (DNS, DHCP ,NPS, LDAP).
For good ROI in securing AD, in addition to the great suggestions about access control (especially privileged access control), I'd also check out AppLocker to prevent malicious code from running on the DCs. AppLocker is very easy to implement on DCs as their workload is well defined and largely static.