Page 123 - Cyber Defense eMagazine September 2022
7. Secure your dependencies
As you think about the security of your environment and Active Directory, consider all the abstraction layers and how they are secured. Each one of those layers expands your attack surface, so take the time to understand how they are protected and consider adding security to them. Take these steps to get started:
• Limit hypervisor admin privileges.
• Restrict access to storage that contains copies of the Active Directory .dit database file, such as backups and IFM (install from media) AD copies.
• Audit management tools and services with elevated access.
• Evaluate PAM tools.
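The second step above is the one most often left unchecked: a backup target or IFM export holds a full copy of the directory database, so its permissions matter as much as the domain controller's own. The script below is an added example, not from the article, that reports broad allow entries on such locations and lists who can read any ntds.dit copy found beneath them. The two paths and the list of broad principals are assumed placeholders to replace with your own.

```powershell
# Added example (not from the article): flag broad ACEs on folders that hold copies of the
# AD database, such as backup targets or IFM (install-from-media) exports.
# Assumes Windows PowerShell 5.1 and rights to read the ACLs on the paths listed.

$PathsToAudit = @(
    'D:\Backups\AD',          # assumed backup target (placeholder)
    '\\fileserver\ifm$'       # assumed IFM export share (placeholder)
)

# Principals that should never hold allow rights on these locations.
$BroadPrincipals = @(
    'Everyone',
    'BUILTIN\Users',
    'NT AUTHORITY\Authenticated Users',
    "$env:USERDOMAIN\Domain Users",
    "$env:USERDOMAIN\Domain Computers"
)

$ReadData = [int][System.Security.AccessControl.FileSystemRights]::ReadData

foreach ($path in $PathsToAudit) {
    if (-not (Test-Path -LiteralPath $path)) {
        Write-Warning "Path not found, skipping: $path"
        continue
    }

    # Audit the folder itself plus every ntds.dit copy found beneath it.
    $targets = @(Get-Item -LiteralPath $path) +
               @(Get-ChildItem -LiteralPath $path -Recurse -Filter 'ntds.dit' -File -ErrorAction SilentlyContinue)

    foreach ($item in $targets) {
        $acl = Get-Acl -LiteralPath $item.FullName

        # Finding 1: a broad group is granted anything on the folder or file.
        foreach ($ace in $acl.Access) {
            $who = $ace.IdentityReference.Value
            if ($ace.AccessControlType -eq 'Allow' -and $BroadPrincipals -contains $who) {
                [PSCustomObject]@{
                    Path      = $item.FullName
                    Principal = $who
                    Rights    = $ace.FileSystemRights
                    Inherited = $ace.IsInherited
                }
            }
        }

        # Finding 2: an ntds.dit copy is a complete credential store, so list every
        # principal with read access on it, not only the broad groups.
        if ($item.Name -ieq 'ntds.dit') {
            $readers = $acl.Access |
                Where-Object { $_.AccessControlType -eq 'Allow' -and
                               (([int]$_.FileSystemRights) -band $ReadData) -ne 0 } |
                ForEach-Object { $_.IdentityReference.Value }
            Write-Output "ntds.dit copy at $($item.FullName) readable by: $($readers -join ', ')"
        }
    }
}
```

Run it from a management host as an account that can read the ACLs but does not itself need rights on the data. Anything it reports for Finding 2 beyond your backup service account and a small Tier 0 group is a gap to close.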
8. Harden your domain controller
In addition to the other functions it performs, your domain controller provides the physical storage for the Active Directory database. Just as abstraction layers can be abused by an attacker, so can your domain controller. If your domain controller is compromised, your Active Directory forest is considered untrustworthy until you can restore a clean backup and ensure that the gaps that led to the compromise are closed. Take these steps to harden your domain controller:
• Upgrade your domain controllers to a minimum Windows Server 2019 OS level with AES encryption configured.
• Remove unnecessary server roles and agents.
• Disable the Print Spooler service on all domain controllers.
• Consider using server core to reduce the DC’s attack surface.
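The four steps above are easy to state and easy to let drift. The script below is an added example, not from the article, that runs the corresponding checks against every domain controller in the current domain in one pass: OS build against the Server 2019 baseline, the Kerberos encryption types advertised on the DC's computer account, the Print Spooler state, whether the install is Server Core, and which roles are installed. It assumes the ActiveDirectory module (RSAT), the ServerManager module on each DC, and WinRM access to the DCs.

```powershell
# Added example (not from the article): per-DC hardening report for the steps above.
# Assumes the ActiveDirectory module (RSAT) locally and WinRM access to each DC.

Import-Module ActiveDirectory

$MinBuild = 17763   # Windows Server 2019 RTM build number

# Bits of msDS-SupportedEncryptionTypes: RC4-HMAC = 0x4, AES128 = 0x8, AES256 = 0x10.
$RC4    = 0x4
$AESAny = 0x8 -bor 0x10

foreach ($dc in Get-ADDomainController -Filter *) {

    # The OS version string on the computer object looks like "10.0 (17763)".
    $build = 0
    if ($dc.OperatingSystemVersion -match '\((\d+)\)') { $build = [int]$Matches[1] }

    # Encryption types configured on the DC's own computer account (null means not set).
    $comp   = Get-ADComputer -Identity $dc.Name -Properties 'msDS-SupportedEncryptionTypes'
    $etypes = [int]($comp.'msDS-SupportedEncryptionTypes')

    # Remote checks: Spooler service, installation type, installed roles.
    $remote = Invoke-Command -ComputerName $dc.HostName -ErrorAction SilentlyContinue -ScriptBlock {
        $spooler = Get-Service -Name Spooler -ErrorAction SilentlyContinue
        $install = (Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion').InstallationType
        $roles   = Get-WindowsFeature |
                   Where-Object { $_.Installed -and $_.FeatureType -eq 'Role' } |
                   Select-Object -ExpandProperty Name
        [PSCustomObject]@{
            SpoolerStartType = if ($spooler) { [string]$spooler.StartType } else { 'absent' }
            InstallationType = $install
            Roles            = $roles
        }
    }

    [PSCustomObject]@{
        DC              = $dc.HostName
        OSBuild         = $build
        MeetsMinOS      = $build -ge $MinBuild
        AESConfigured   = ($etypes -band $AESAny) -ne 0
        RC4StillAllowed = ($etypes -band $RC4) -ne 0
        SpoolerDisabled = if ($remote) { $remote.SpoolerStartType -in 'Disabled', 'absent' } else { 'unknown' }
        ServerCore      = if ($remote) { $remote.InstallationType -eq 'Server Core' } else { 'unknown' }
        InstalledRoles  = if ($remote) { $remote.Roles -join ',' } else { 'unknown' }
    }
}
```

A DC that needs only AD DS and DNS should show little else under InstalledRoles; every extra role or agent there is a candidate for removal. The AESConfigured column reads only the DC computer account's attribute, which is one observable signal for the "AES encryption configured" step, not the whole of it; the krbtgt and service accounts deserve the same review.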
9. Harden privileged access
Hardening accounts that have privileged access reduces AD’s attack surface and lessens the likelihood of potential compromise of these accounts. Here are some steps you can take to protect privileged accounts:
• Implement an MFA service designed to support AD.
• Use separately named admin accounts and lock them down for administration purposes only.
• Create break glass accounts to use in case of emergency.
• Deploy a tiered administrative model, focusing on protecting access to Tier 0 accounts and systems.
• Use a PAM solution to enable just-in-time access to privileged accounts.
• Use privileged access workstations that are specially hardened to limit the potential for being used as an attack entry point.
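Whether the steps above have taken hold shows up in Tier 0 group membership. The script below is an added example, not from the article, that inventories the members of the Tier 0 groups and flags accounts that do not look like separately named admin accounts, are missing from Protected Users, have non-expiring passwords, or have gone stale. It assumes the ActiveDirectory module (RSAT), an admin-account naming convention of an "adm-" prefix, and break glass accounts tagged with the word "BREAKGLASS" in their Description; both conventions are placeholders for your own.

```powershell
# Added example (not from the article): Tier 0 membership review.
# Assumes the ActiveDirectory module (RSAT); naming and tagging conventions are placeholders.

Import-Module ActiveDirectory

$Tier0Groups    = 'Domain Admins', 'Enterprise Admins', 'Schema Admins', 'Administrators', 'Account Operators'
$AdminNameRegex = '^adm-'        # assumed admin-account prefix
$BreakGlassTag  = 'BREAKGLASS'   # assumed marker in the Description attribute
$StaleAfterDays = 90

# Protected Users adds Kerberos protections; expect every Tier 0 human account here except
# break glass accounts, which are deliberately kept out so they still work in an emergency.
$protected = @(Get-ADGroupMember -Identity 'Protected Users' -Recursive -ErrorAction SilentlyContinue |
               Select-Object -ExpandProperty DistinguishedName)

$report = foreach ($group in $Tier0Groups) {
    $members = Get-ADGroupMember -Identity $group -Recursive -ErrorAction SilentlyContinue |
               Where-Object { $_.objectClass -eq 'user' }

    foreach ($m in $members) {
        $u = Get-ADUser -Identity $m.DistinguishedName `
                 -Properties Description, PasswordNeverExpires, LastLogonDate, Enabled

        $isBreakGlass = ($u.Description -match $BreakGlassTag)
        $findings     = @()

        # A Tier 0 member without the admin prefix is likely someone's everyday account.
        if (-not $isBreakGlass -and $u.SamAccountName -notmatch $AdminNameRegex) {
            $findings += 'not-admin-named'
        }
        if (-not $isBreakGlass -and $protected -notcontains $u.DistinguishedName) {
            $findings += 'not-in-protected-users'
        }
        if (-not $isBreakGlass -and $u.PasswordNeverExpires) {
            $findings += 'password-never-expires'
        }
        # Ordinary admin accounts that have gone unused should be disabled or removed.
        if (-not $isBreakGlass -and $u.LastLogonDate -and
            $u.LastLogonDate -lt (Get-Date).AddDays(-$StaleAfterDays)) {
            $findings += "stale>$StaleAfterDays`d"
        }
        # Break glass accounts are expected to sit unused; a recent logon needs an explanation.
        if ($isBreakGlass -and $u.LastLogonDate -and
            $u.LastLogonDate -gt (Get-Date).AddDays(-$StaleAfterDays)) {
            $findings += 'break-glass-used-recently'
        }

        [PSCustomObject]@{
            Group      = $group
            Account    = $u.SamAccountName
            Enabled    = $u.Enabled
            BreakGlass = $isBreakGlass
            LastLogon  = $u.LastLogonDate
            Findings   = ($findings -join ';')
        }
    }
}

$report | Sort-Object Group, Account | Format-Table -AutoSize
```

With just-in-time access from a PAM solution in place, the standing membership this script lists should shrink to the break glass accounts and little else; a long list of permanent members is the clearest sign that step five has not yet landed.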
Copyright © 2022, Cyber Defense Magazine. All rights reserved worldwide.