Microsoft Active Directory (AD) is the heart of the IT environment in most organizations today, and that very popularity makes AD a target for attacks that grow more sophisticated every day. Keeping Microsoft AD secure has therefore become one of the key duties of system administrators. Microsoft has published a set of best practices for securing AD, consisting of the following 22 points.
| # | Best Practice | More Information |
|---|---|---|
| 1 | Patch applications. | “Initial Breach Targets” in Avenues to Compromise |
| 2 | Patch operating systems. | “Initial Breach Targets” in Avenues to Compromise; Appendix A: Patch and Vulnerability Management Software; “Principles for Creating Secure Administrative Hosts” in Implementing Secure Administrative Hosts |
| 3 | Deploy and promptly update antivirus and antimalware software across all systems and monitor for attempts to remove or disable it. | Avenues to Compromise |
| 4 | Monitor sensitive Active Directory objects for modification attempts and Windows for events that may indicate attempted compromise. | Monitoring Active Directory for Signs of Compromise; “Active Directory Objects and Attributes to Monitor” in Audit Policy Recommendations |
| 5 | Protect and monitor accounts for users who have access to sensitive data. | “VIP Accounts” in Attractive Accounts for Credential Theft; “Implementing Robust Authentication Controls” in Implementing Least-Privilege Administrative Models; “Identifying Principles for Segregating and Securing Critical Assets” in Planning for Compromise; “Simplify Security for End Users” in Planning for Compromise; “Active Directory Objects and Attributes to Monitor” in Monitoring Active Directory for Signs of Compromise |
| 6 | Prevent powerful accounts from being used on unauthorized systems. | Implementing Least-Privilege Administrative Models |
| 7 | Eliminate permanent membership in highly privileged groups. | Appendix B: Privileged Accounts and Groups in Active Directory; Appendix C: Protected Accounts and Groups in Active Directory; Appendix D: Securing Built-In Administrator Accounts in Active Directory; Appendix E: Securing Enterprise Admins Groups in Active Directory; Appendix F: Securing Domain Admins Groups in Active Directory; Appendix G: Securing Administrators Groups in Active Directory; Appendix H: Securing Local Administrator Accounts and Groups |
| 8 | Implement controls to grant temporary membership in privileged groups when needed. | Appendix I: Creating Management Accounts for Protected Accounts and Groups in Active Directory |
| 9 | Implement secure administrative hosts. | Implementing Secure Administrative Hosts |
| 10 | Use application whitelisting on domain controllers, administrative hosts, and other sensitive systems. | Implementing Secure Administrative Hosts |
| 11 | Identify critical assets, and prioritize their security and monitoring. | Planning for Compromise |
| 12 | Implement least-privilege, role-based access controls to administer the directory, its supporting infrastructure, and domain-joined systems. | “Role-Based Access Controls (RBAC) for Active Directory” in Implementing Least-Privilege Administrative Models |
| 13 | Isolate legacy systems and applications. | “Isolating Legacy Systems and Applications” in Planning for Compromise |
| 14 | Decommission legacy systems and applications. | “Implementing Creative Destruction” in Planning for Compromise |
| 15 | Implement secure development lifecycle programs for custom applications. | “Lack of Secure Application Development Practices” in Avenues to Compromise |
| 16 | Implement configuration management, review compliance regularly, and evaluate settings with each new hardware or software version. | “Maintaining a More Secure Environment” in Planning for Compromise |
| 17 | Migrate critical assets to pristine forests with stringent security and monitoring requirements. | Planning for Compromise |
| 18 | Simplify security for end users. | “Simplify Security for End Users” in Planning for Compromise |
| 19 | Use host-based firewalls to control and secure communications. | “Principles for Creating Secure Administrative Hosts” in Implementing Secure Administrative Hosts; “Secure Configuration of Domain Controllers” in Securing Domain Controllers Against Attack |
| 20 | Patch devices. | Contact your device vendors |
| 21 | Implement business-centric lifecycle management for IT assets. | “Creating Business-Centric Security Practices for Active Directory” in Planning for Compromise |
| 22 | Create or update incident recovery plans. | Planning for Compromise |
Take a look at these and try adapting them to your own environment.