Apr 12 2017 09:34 AM
Hi All,
I have a question; I am looking to take a relatively flat network and carve it up a bit - creating some new VLANS and separating server and client endpoints, etc. (with NG firewalls, and so on...)
Anyway... I am curious how folks are dealing with things like AD in this regard. Are you keeping full blown AD DS servers on the same VLAN as your client computers? Are you using RODC's instead? If you do have AD DS servers in a protected VLAN, how are dealing with the traffic that passses through firewalls? IPSec tunneling? Forcing AD communication to use specific ports?
Thanks in advance for your comments!
David
Apr 16 2017 07:01 PM
Before answering this question, I think it best to ask what goal you are accomplishing by doing this? The answer can be taylored to that specific goal.
May 02 2017 09:49 AM
Hi -
Thanks for the reply!
So, after a bunch of security assessments, we have had many recommendations to segment our network better (we are pretty flat), and account for lateral movement, etc. As such, I am moving many server VM's into a separate network segment.
For most things, this is pretty straightforward. For others - like AD - I fond it a bit more tedious. (Reference this blog post - I have kept this one around for a while).
So, I am just curious how others deal with this? Do you keep AD servers in the same network segment as client machines? Do you just rely on Windows firewall? If you have firewalls between your AD servers and client machines, how do you manage those rules? Etc.
Any tips, advice, experience, or wisdom is very much appreciated! 🙂
Thanks!
Jun 22 2017 06:25 PM
Jun 23 2017 12:05 PM
Microsoft consulting service offers a solution to secure the AD environment using a tiered management model. It was called ESAE "Enhanced secure administration environment".
We also published a plan to help customers to secure the AD environment: http://aka.ms/privsec
Jun 26 2017 03:39 PM
Locking down network ports around AD DS adds a lot of management overhead, especially if they offer a variety of services (DNS, DHCP ,NPS, LDAP).
For good ROI in securing AD, in addition to the great suggestions about access control (especially privileged access control), I'd also check out AppLocker to prevent malicious code from running on the DCs. AppLocker is very easy to implement on DCs as their workload is well defined and largely static.
Jun 27 2017 03:18 PM
In addition to applocker, if the server is running Server 2016, you should also look into Device guard.