New Blog Post | Updating best practices for Domain Controllers

Microsoft

Updating best practices for Domain Controllers - Microsoft Tech Community

Most organizations using directory services are moving towards a cloud-based identity platform, like Azure Active Directory, to take advantage of newer authentication methods like passwordless authentication and to use conditional access to enforce zero-trust methodologies, and they aspire to reduce their infrastructure footprint by phasing out Active Directory.

However, we realize that customers are on a journey and hybrid will be an important state for many customers for a long time. Domain Controllers still act as a pivotal piece of infrastructure for many organizations, and the identities that Active Directory holds are often the target for attackers.

Protecting DCs from attack has always been a priority for administrators. Some examples of ways organizations keep their DCs secure include:

  • Limit the use of Domain Admin privileges
  • Use jump boxes for RDP access or MMC access
  • Do not install third-party applications on DCs
  • Restrict internet access to DCs

Given the challenges that a modern security team is faced with, there’s potential to revisit these best practices to see where improvements can be made.
