Securing AD DS Servers - How do you do it?

Brass Contributor

Hi All,


I have a question; I am looking to take a relatively flat network and carve it up a bit - creating some new VLANS and separating server and client endpoints, etc. (with NG firewalls, and so on...)


Anyway... I am curious how folks are dealing with things like AD in this regard. Are you keeping full blown AD DS servers on the same VLAN as your client computers? Are you using RODC's instead? If you do have AD DS servers in a protected VLAN, how are dealing with the traffic that passses through firewalls? IPSec tunneling? Forcing AD communication to use specific ports?


Thanks in advance for your comments!



6 Replies

Before answering this question, I think it best to ask what goal you are accomplishing by doing this?  The answer can be taylored to that specific goal.

Hi -


Thanks for the reply!


So, after a bunch of security assessments, we have had many recommendations to segment our network better (we are pretty flat), and account for lateral movement, etc. As such, I am moving many server VM's into a separate network segment.


For most things, this is pretty straightforward. For others - like AD - I fond it a bit more tedious. (Reference this blog post - I have kept this one around for a while).


So, I am just curious how others deal with this? Do you keep AD servers in the same network segment as client machines? Do you just rely on Windows firewall? If you have firewalls between your AD servers and client machines, how do you manage those rules? Etc.


Any tips, advice, experience, or wisdom is very much appreciated! :)



Physical isolation and logical isolation, such as traffic isolation between network segments, port restrictions, or site restrictions

Microsoft consulting service offers a solution to secure the AD environment using a tiered management model. It was called ESAE "Enhanced secure administration environment".

We also published a plan to help customers to secure the AD environment:


Locking down network ports around AD DS adds a lot of management overhead, especially if they offer a variety of services (DNS, DHCP ,NPS, LDAP). 


For good ROI in securing AD, in addition to the great suggestions about access control (especially privileged access control), I'd also check out AppLocker to prevent malicious code from running on the DCs. AppLocker is very easy to implement on DCs as their workload is well defined and largely static.

In addition to applocker, if the server is running Server 2016, you should also look into Device guard.