Page 123 - Cyber Defense eMagazine September 2022

7. Secure your dependencies

As you think about the security of your environment and Active Directory, consider all the abstraction layers and how they are secured. Each one of those layers expands your attack surface, so take the time to understand how they are protected and consider adding security to them. Take these steps to get started:

•  Limit hypervisor admin privileges.
•  Restrict access to storage that contains copies of the Active Directory database file (ntds.dit), such as backups and IFM (install from media) AD copies.
•  Audit management tools and services with elevated access.
•  Evaluate PAM tools.



8. Harden your domain controller

In addition to the other functions it performs, your domain controller provides the physical storage for the Active Directory database. Just as abstraction layers can be abused by an attacker, so can your domain controller. If your domain controller is compromised, your Active Directory forest is considered untrustworthy until you can restore a clean backup and ensure that the gaps that led to the compromise are closed. Take these steps to harden your domain controller:

•  Upgrade your domain controllers to a minimum Windows Server 2019 OS level with AES encryption configured.
•  Remove unnecessary server roles and agents.
•  Disable the Print Spooler service on all domain controllers.
•  Consider using Server Core to reduce the DC’s attack surface.
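The following audit script is an added example, not code from the magazine; it checks every domain controller in the forest against the four items above (OS build at or above Windows Server 2019, Kerberos AES enabled on the DC computer object, Print Spooler stopped and disabled, Server Core install type) and lists the installed roles for review. It assumes the RSAT ActiveDirectory module on the admin workstation and WinRM access to each DC; the AES bit values of msDS-SupportedEncryptionTypes and the 2019 build number are standard Windows values.

```powershell
#Requires -Modules ActiveDirectory
# Added audit example (not from the article). Assumes RSAT ActiveDirectory module
# locally and WinRM access to every DC in the forest.

# Bits of msDS-SupportedEncryptionTypes that mean Kerberos AES is enabled.
$AES128 = 0x08
$AES256 = 0x10
$Server2019Build = 17763   # Windows Server 2019 reports OS version 10.0 (17763)

# Enumerate DCs in every domain of the forest, not only the current domain.
$dcs = (Get-ADForest).Domains | ForEach-Object {
    Get-ADDomainController -Filter * -Server $_
}

$report = foreach ($dc in $dcs) {
    $comp = Get-ADComputer -Identity $dc.ComputerObjectDN -Server $dc.Domain `
        -Properties 'msDS-SupportedEncryptionTypes', OperatingSystem, OperatingSystemVersion

    # An unset attribute reads as 0, i.e. AES has not been configured explicitly.
    $encTypes = [int]($comp.'msDS-SupportedEncryptionTypes')
    $aesOk    = ($encTypes -band ($AES128 -bor $AES256)) -ne 0

    # OperatingSystemVersion looks like "10.0 (17763)"; pull out the build number.
    $build = [int]([regex]::Match($comp.OperatingSystemVersion, '\((\d+)\)').Groups[1].Value)

    # Service state, install type and roles have to be read on the DC itself.
    $remote = Invoke-Command -ComputerName $dc.HostName -ErrorAction Stop -ScriptBlock {
        $spooler = Get-Service -Name Spooler
        [pscustomobject]@{
            SpoolerStatus    = $spooler.Status
            SpoolerStartType = $spooler.StartType
            InstallationType = (Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion').InstallationType
            Roles            = (Get-WindowsFeature | Where-Object { $_.Installed -and $_.FeatureType -eq 'Role' }).Name -join ', '
        }
    }

    [pscustomobject]@{
        DC             = $dc.HostName
        OS             = $comp.OperatingSystem
        OsAtBaseline   = $build -ge $Server2019Build
        KerberosAES    = $aesOk
        SpoolerOff     = ($remote.SpoolerStatus -eq 'Stopped') -and ($remote.SpoolerStartType -eq 'Disabled')
        ServerCore     = $remote.InstallationType -eq 'Server Core'
        InstalledRoles = $remote.Roles
    }
}

# Any False in the boolean columns is a gap against the checklist; review InstalledRoles by hand.
$report | Sort-Object DC | Format-Table -AutoSize
```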



9. Harden privileged access

Hardening accounts that have privileged access reduces AD’s attack surface and lessens the likelihood of potential compromise of these accounts. Here are some steps you can take to protect privileged accounts:


•  Implement an MFA service designed to support AD.
•  Use separately named admin accounts and lock them down for administration purposes only.
•  Create break-glass accounts to use in case of emergency.
•  Deploy a tiered administrative model, focusing on protecting access to Tier 0 accounts and systems.
•  Use a PAM solution to enable just-in-time access to privileged accounts.
•  Use privileged access workstations that are specially hardened to limit the potential for being used as an attack entry point.

Copyright © 2022, Cyber Defense Magazine. All rights reserved worldwide.