A comprehensive list of the top 25 Active Directory security tips and best practices. It covers securing domain admins, local administrators, audit policies, monitoring AD for compromise, password policies, vulnerability scanning and more.
See https://activedirectorypro.com/active-directory-security-best-practices/
Here are the 25 that he lists:
- Clean up the Domain Admins Group
- Use at Least Two Accounts (Regular and Admin Account)
- Secure The Domain Administrator account
- Disable the Local Administrator Account (on all computers)
- Use Local Administrator Password Solution (LAPS)
- Use a Secure Admin Workstation (SAW)
- Enable Audit policy Settings with Group Policy
- Monitor Active Directory Events for Signs of Compromise
- Password Complexity Sucks (Use Passphrases Instead)
- Use Descriptive Security Group Names
- Clean up Old Active Directory User & Computer Accounts
- Do NOT Install Additional Software or Roles on Domain Controllers
- Continuous Patch Management & Vulnerability Scanning
- Use DNS Services to Block Malicious Domains
- Run Critical Infrastructure on latest Windows Operating System
- Use Two Factor Authentication for Remote Access
- Monitor DHCP Logs for Connected Devices
- Monitor DNS Logs for Security Threats
- Use Latest ADFS and Azure Security Features
- Use Office 365 Secure Score
- Plan for Compromise (Have a Recovery Plan)
- Document Delegation to Active Directory
- Lock Down Service Accounts
- Disable SMBv1
- Use Security Baselines and Benchmarks