Updating best practices for Domain Controllers - Microsoft Tech Community
Most organizations using directory services are moving towards using a cloud-based identity platform, like Azure Active Directory, to take advantage of newer authentication methods like passwordless authentication, use conditional access to enforce zero-trust methodologies, and aspire to reduce their infrastructure footprint by phasing out Active Directory.
However, we realize that customers are on a journey and hybrid will be an important state for many customers for a long time. Domain Controllers still act as a pivotal piece of infrastructure for many organizations, and the identities that Active Directory holds are often the target for attackers.
Protecting DCs from attack has always been a priority for administrators. Some examples of ways organizations keep their DCs secure include:
- Limit the use of Domain Admin privileges
- Use jump boxes for RDP access or MMC access.
- Do not install 3rd party applications on DCs
- Restrict internet access to DCs
Given the challenges that a modern security team is faced with, there’s potential to revisit these best practices to see where improvements can be made.