AD Gatekeepers Need to Own the Role

By Ed Bratter
Posted in Security
On April 21, 2016

As a consultant in the Active Directory (AD) space, I see a lot of AD environments up close. One theme that has become painfully clear to me is that we, as the gatekeepers of Active Directory, are not doing a good enough job of securing our kingdom. Even the organizations that put a strong emphasis on security come up short in one way or another.

This is often because the security professionals are focused on other areas of the network such as firewalls or intrusion detection. Those security professionals who do look at AD often don’t know enough about it to help ensure it is being properly secured. Auditors are usually not too helpful either, because they often focus on superficial items such as counting the number of users in the Domain Administrators group (of course this is valid, but I never have figured out how to assign a general number to how many is “too many”).

The sad thing is that many of the security holes I see are the result of us either not listening to our common sense or simply being lazy. Some of us break many of the rules that we push onto our users.

So I write this blog to appeal to my AD companions to step up and help protect our organizations from the bad guys – and thus protect our jobs. For starters, we need to start thinking of ourselves as security professionals. After all, we preside over perhaps the single most important resource in our environments. If AD is breached, the many systems that rely on it for security can be compromised as well. As such, we need to own the role of securing our fiefdoms and doing the right things to secure the castle.

To do so, I offer some suggestions of some simple tasks (which don’t cost nothin’) that you can do to kick off the battle. What might surprise you about this list is that there may not be a single item on it that seems earth shattering or something you have not heard of. In fact, most of the items are common sense things that can make a tremendous difference. Basically, your reaction should be – duh!

I won’t apologize for being somewhat sarcastic with these recommendations. The truth is, as administrators we should all be doing these things anyway – without having to be told. Sometimes I have to bite my tongue when I am with clients in the name of maintaining a “professional” appearance. This is my opportunity to say: dumb, dumb – do the right thing!

  • Do not log onto workstations with administrative accounts. Yes, it’s convenient - but, it is also a security risk. If you are logged into your machine as a domain administrator and your machine is compromised (because MacAfee, Windows Defender, or whatever failed to detect malware) you just potentially gave the keys to the kingdom to the bad guys. This leads to the next point…
  • Do not disable user access control (UAC). This is one of the more significant security enhancements Microsoft introduced to protect individual machines from rogue software. If I’m minding my business browsing the Internet and all of a sudden I am prompted for my admin credentials – it’s a pretty safe bet that something bad is going on.
  • Leave Windows firewall enabled if you do not have a third-party product to replace it. I can’t tell you how many times I have had admins tell me they turn it off because it breaks things. Newsflash – that is the point of Windows Firewall: to shut down connections it does not know about and can thus be harmful to the machine. Do your homework and figure out what the application requirements are for network communications and configure the firewall to “not break” the application.
  • Stop disabling IE Enhanced on DCs (especially if the DC has access to the Internet). This may be the #1 no-no I see domain admins doing. Well, if I leave IE Enhanced Security enabled – it breaks IE and I can’t browse the Internet. Right – that’s the point. Don’t browse the Internet from DCs. At the end of the day, there is simply no justifiable reason to do so that does not make us look lazy. This leads into the next one…
  • Install DCs on Core servers. I know the thought of giving up the GUI on a DC is a radical idea to many. But, the truth is we should not be logging on to them to manage the domain. Microsoft has put considerable effort into making servers easier to manage remotely (RDP does not count). More importantly, it makes DCs far more secure because of the reduced footprint and the need for fewer patches. If this does not suit you, then here is a great compromise…
  • Install the Minimal Server Interface (If you have Windows 2012 R2 DCs). For those who don’t know what this is, I like to say it’s a compromise between a core and a full GUI installation. This mode strips out Internet Explorer and the components of Windows Shell including the desktop, File Explorer, and the Universal Apps (oh, no there goes the neighborhood). So what’s left? Basically you just have a command prompt (and PowerShell) and Server Manager (yes, the program many of us admins love to ignore and prevent from auto starting). Actually, you get the admin tools as well. Of course with no shell, you are probably going to want Server Manager to launch them. This mode strips out much of the code that is most vulnerable to attack, but leaves behind just enough to manage the domain – if you insist on doing so from a DC.

Obviously, these suggestions are just a starting point. But Rome wasn’t conquered in a day and the battle against the bad guys will never end…


Ed Bratter

Ed Bratter

Ed has over 15 years’ experience in the IT industry as a Systems Consultant, Systems Engineer, and Technology Specialist. He architects, designs, and manages Active Directory, Exchange, Citrix, VMware, and RSA SecurID solutions for Gotham’s clients, and provides technical expertise for Active Directory, Exchange, and Citrix.