Securing Active Directory with Group Policy

Securing Active Directory (AD) with Group Policy involves configuring Group Policy Objects (GPOs) to enforce security settings across users, computers, and resources in an AD environment. 

Below is a guide to the key settings and practices for securing AD with Group Policy, with the checks and caveats that matter when the settings are applied to a real domain.

1. Understand Group Policy and Its Role in AD Security

Group Policy is a feature in Windows Server that allows centralized management and configuration of user and computer settings in an AD environment. GPOs can enforce security policies, such as password requirements, account lockout settings, and access controls, to protect the AD infrastructure from unauthorized access and misconfigurations.

2. Key Group Policy Settings for AD Security

Here are critical GPO settings to enhance AD security, organized by category:

a. Password and Account Policies

These settings govern domain accounts only when they are in a GPO linked at the domain root; by default that is the Default Domain Policy, and the values are written to the domain object itself. The same settings in a GPO linked to an OU change only the local SAM accounts on the computers in that OU. Groups that need stricter values (privileged accounts, service accounts) get a fine-grained password policy (PSO), which is an AD object rather than a GPO and overrides the domain policy for its subjects.

•  Password Policy (Computer Configuration > Policies > Windows Settings > Security Settings > Account Policies > Password Policy):

•  Enforce password history: Set to at least 24 to prevent reuse of old passwords.

•  Maximum password age: 60–90 days is the traditional value. Microsoft's current security baseline no longer mandates expiry and NIST SP 800-63B recommends changing passwords only on evidence of compromise, because forced rotation pushes users toward predictable variants. If you keep an age, pair it with a banned-password check.

•  Minimum password length: Set to 14 characters or more; length does more against guessing and offline cracking than character-class rules do. The policy editor accepts at most 14 unless the newer Security Option "Relax minimum password length limits" is enabled on the target build.

•  Password must meet complexity requirements: Enable to enforce a mix of uppercase, lowercase, numbers, and special characters.

•  Account Lockout Policy (Computer Configuration > Policies > Windows Settings > Security Settings > Account Policies > Account Lockout Policy):

•  Account lockout threshold: Set to 10 invalid logon attempts (Microsoft's baseline value; 5 is common in CIS profiles) to stop online brute force. Lockout cuts both ways: an attacker who can reach a logon service can lock accounts out deliberately, so monitor event 4740 for lockout storms rather than tightening the threshold further.

•  Account lockout duration: Set to 15–30 minutes to slow attackers while limiting user disruption.

•  Reset account lockout counter after: Set to 15–30 minutes; this value must be less than or equal to the lockout duration or the policy is rejected.
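The domain-wide values above belong in the Default Domain Policy; privileged accounts should get a stricter fine-grained password policy. The following is an added example, not code from the original post, showing how to create such a PSO with the lockout values discussed above, apply it to a group, and confirm the resultant policy per user. It assumes the ActiveDirectory RSAT module and a global security group named Tier0-Admins (PSOs apply only to users and global security groups).

```powershell
# Added example, not from the original post. Creates a fine-grained password
# policy for privileged accounts and verifies which policy each member ends up
# with. Assumptions: ActiveDirectory module installed, group "Tier0-Admins" exists.
Import-Module ActiveDirectory

$psoName  = 'PSO-Tier0-Admins'
$subjects = 'Tier0-Admins'
$lockout  = New-TimeSpan -Minutes 30
$window   = New-TimeSpan -Minutes 30

# The observation window may not exceed the lockout duration; fail early rather
# than let the cmdlet error half-way through.
if ($window -gt $lockout) { throw 'LockoutObservationWindow must be <= LockoutDuration' }

$pso = @{
    Name                        = $psoName
    Precedence                  = 10        # lowest number wins if several PSOs apply
    MinPasswordLength           = 20
    PasswordHistoryCount        = 24
    MinPasswordAge              = New-TimeSpan -Days 1
    MaxPasswordAge              = New-TimeSpan -Days 90
    ComplexityEnabled           = $true
    ReversibleEncryptionEnabled = $false
    LockoutThreshold            = 5
    LockoutDuration             = $lockout
    LockoutObservationWindow    = $window
}
if (-not (Get-ADFineGrainedPasswordPolicy -Filter "Name -eq '$psoName'")) {
    New-ADFineGrainedPasswordPolicy @pso
}
$current = @(Get-ADFineGrainedPasswordPolicySubject -Identity $psoName).SamAccountName
if ($current -notcontains $subjects) {
    Add-ADFineGrainedPasswordPolicySubject -Identity $psoName -Subjects $subjects
}

# What everyone else gets: read from the domain head. Change it in the Default
# Domain Policy GPO, which is the authoritative source for these attributes.
Get-ADDefaultDomainPasswordPolicy |
    Select-Object MinPasswordLength, PasswordHistoryCount, MaxPasswordAge,
                  LockoutThreshold, LockoutDuration, LockoutObservationWindow

# Resultant policy per privileged user: the PSO name should appear, not $null.
Get-ADGroupMember -Identity $subjects -Recursive |
    Where-Object objectClass -eq 'user' |
    ForEach-Object {
        $r = Get-ADUserResultantPasswordPolicy -Identity $_.SamAccountName
        [pscustomobject]@{
            User             = $_.SamAccountName
            Policy           = $r.Name
            MinLength        = $r.MinPasswordLength
            LockoutThreshold = $r.LockoutThreshold
        }
    }
```

A member for whom Policy comes back empty is not covered by any PSO (nested through a non-global group, for example) and is still governed by the domain default.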

b. User Rights and Security Options

Control who can perform sensitive actions and enforce system-wide security settings.

•  User Rights Assignment (Computer Configuration > Policies > Windows Settings > Security Settings > Local Policies > User Rights Assignment):

•  Allow log on locally: on domain controllers restrict this to Administrators. The default also grants Account Operators, Backup Operators, Print Operators and Server Operators, none of which should have console access to a DC.

•  Deny log on through Remote Desktop Services: add accounts that never need RDP (service accounts, Guest, local accounts) to limit remote access.

•  Access this computer from the network: limit to Authenticated Users, Administrators and, on DCs, ENTERPRISE DOMAIN CONTROLLERS; remove Everyone.

•  Security Options (Computer Configuration > Policies > Windows Settings > Security Settings > Local Policies > Security Options):

•  Enable Accounts: Limit local account use of blank passwords to console logon only to prevent unauthorized access.

•  Enable Interactive logon: Do not display last user name (shown as "Don't display last signed-in" on recent builds) to reduce information disclosure at the logon screen.

•  Enable Network security: Force logoff when logon hours expire to enforce time-based access restrictions.

c. Audit Policies

Enable auditing to monitor security events and detect suspicious activity.

•  Advanced Audit Policy Configuration (Computer Configuration > Policies > Windows Settings > Security Settings > Advanced Audit Policy Configuration > Audit Policies). The category names "Audit account logon events", "Audit logon events" and so on are the legacy basic audit policy under Local Policies > Audit Policy; the advanced subcategories below give the same coverage with far less noise. To make them take precedence, also set the Security Option "Audit: Force audit policy subcategory settings (Windows Vista or later) to override audit policy category settings" to Enabled.

•  Account Logon: Audit Credential Validation and Audit Kerberos Authentication Service (Success and Failure) track authentication attempts at the domain controller (4776, 4768, 4771).

•  Logon/Logoff: Audit Logon (Success and Failure) records interactive and network logons (4624, 4625).

•  Account Management: Audit User Account Management and Audit Security Group Management (Success and Failure) record lockouts (4740), password resets (4724) and changes to group membership (4728, 4732, 4756).

•  Object Access and DS Access: Audit File Share and Audit Directory Service Changes (Success and Failure) for critical file shares and AD objects. Both also require a SACL on the object being watched, or nothing is written.

•  Policy Change: Audit Audit Policy Change and Audit Authentication Policy Change (Success and Failure) to track changes to the audit policy (4719) and domain policy (4739).

•  Use Event Viewer or a SIEM to analyze the audit logs for anomalies; the Security log on a domain controller fills quickly, so raise its maximum size (Administrative Templates > Windows Components > Event Log Service > Security) or forward it.
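Two checks a practitioner wants after the audit GPO lands: that the effective subcategories on a host match what the GPO defines, and that the events the policy produces are actually readable for detection. The block below is an added example, not code from the original post. It compares `auditpol` output against the subcategories listed above and then summarizes lockouts (4740) and failed logons (4625) from the local Security log; run it on the PDC emulator for lockouts, since 4740 is always recorded there. The lookback window and the target subcategory list are assumptions to adjust.

```powershell
# Added example, not from the original post: verify effective audit policy and
# summarize lockout and failed-logon events. Assumes it runs on a DC (ideally
# the PDC emulator) with the Security log readable by the current user.
$wanted = @{
    'Credential Validation'           = 'Success and Failure'
    'Kerberos Authentication Service' = 'Success and Failure'
    'Logon'                           = 'Success and Failure'
    'User Account Management'         = 'Success and Failure'
    'Security Group Management'       = 'Success and Failure'
    'Audit Policy Change'             = 'Success and Failure'
    'Directory Service Changes'       = 'Success and Failure'
}
# auditpol /r emits CSV; the "Inclusion Setting" column is the effective state.
$effective = auditpol /get /category:* /r | ConvertFrom-Csv
foreach ($sub in $wanted.Keys) {
    $row   = $effective | Where-Object Subcategory -eq $sub
    $state = if ($row) { $row.'Inclusion Setting' } else { 'not found' }
    $mark  = if ($state -eq $wanted[$sub]) { 'OK ' } else { 'BAD' }
    '{0} {1,-33} {2}' -f $mark, $sub, $state
}

# Pull named fields from the event XML instead of relying on Properties[] indexes,
# which differ between event IDs and OS versions.
function Get-EventField([System.Diagnostics.Eventing.Reader.EventRecord]$Event, [string]$Name) {
    ([xml]$Event.ToXml()).Event.EventData.Data |
        Where-Object Name -eq $Name | Select-Object -ExpandProperty '#text'
}

$since = (Get-Date).AddHours(-24)   # assumed lookback window

# 4740: lockouts grouped by the computer that sent the bad credentials.
Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4740; StartTime = $since } -ErrorAction SilentlyContinue |
    ForEach-Object {
        [pscustomobject]@{
            Account = Get-EventField $_ 'TargetUserName'
            Source  = Get-EventField $_ 'TargetDomainName'   # 4740 carries the caller computer name here
        }
    } | Group-Object Source | Sort-Object Count -Descending |
    Select-Object Count, @{ n = 'Source'; e = { $_.Name } },
                  @{ n = 'Accounts'; e = { ($_.Group.Account | Sort-Object -Unique) -join ',' } }

# 4625: failed logons per source IP. Many distinct accounts from one IP with
# SubStatus 0xC000006A (bad password) is the signature of a password spray.
Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4625; StartTime = $since } -ErrorAction SilentlyContinue |
    ForEach-Object {
        [pscustomobject]@{
            Account   = Get-EventField $_ 'TargetUserName'
            Ip        = Get-EventField $_ 'IpAddress'
            SubStatus = Get-EventField $_ 'SubStatus'
        }
    } | Group-Object Ip | ForEach-Object {
        [pscustomobject]@{
            Ip          = $_.Name
            Attempts    = $_.Count
            Accounts    = ($_.Group.Account | Sort-Object -Unique).Count
            BadPassword = ($_.Group | Where-Object SubStatus -eq '0xc000006a').Count
        }
    } | Sort-Object Accounts -Descending
```

If a subcategory reports BAD after `gpupdate /force`, the usual cause is that the "force subcategory settings to override" option is not enabled, so the legacy category policy is still winning.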

d. Windows Firewall and Network Security

Use GPOs to enforce firewall rules and secure network communications.

•  Windows Defender Firewall (Computer Configuration > Policies > Windows Settings > Security Settings > Windows Defender Firewall with Advanced Security):

•  Enable the firewall for all profiles (Domain, Private, Public).

•  Leave the default inbound action at Block and add inbound rules only for the traffic a role needs. RDP (TCP 3389) should be reachable only from management hosts or a jump subnet, not from every client.

•  The NTLM settings live under Local Policies > Security Options, not the firewall node: set Network security: LAN Manager authentication level to "Send NTLMv2 response only. Refuse LM & NTLM", and set Network security: Minimum session security for NTLM SSP based clients and servers to require NTLMv2 session security and 128-bit encryption. Before refusing NTLM outright, enable Network security: Restrict NTLM: Audit NTLM authentication in this domain on the DCs and review the Microsoft-Windows-NTLM/Operational log (event 8004) for anything that still depends on it.
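The firewall node and the NTLM security option can both be written into a GPO from a management host without opening the editor. The block below is an added example, not code from the original post: it sets profile defaults and one narrow RDP rule in a GPO through the NetSecurity module's policy store, then sets the registry value behind the LAN Manager authentication level setting. The domain name, GPO name, management subnet and OU path are assumptions.

```powershell
# Added example, not from the original post: firewall profile defaults and a
# narrow RDP rule written straight into a GPO, plus LmCompatibilityLevel = 5, the
# registry value behind "Send NTLMv2 response only. Refuse LM & NTLM".
# Assumptions: domain contoso.com, GPO "Sec-MemberServer-Firewall" (created if
# missing), management subnet 10.10.0.0/24, and a Tier 1 servers OU.
Import-Module GroupPolicy
Import-Module NetSecurity

$domain  = 'contoso.com'
$gpoName = 'Sec-MemberServer-Firewall'
$ou      = 'OU=Tier1,OU=Servers,DC=contoso,DC=com'

if (-not (Get-GPO -Name $gpoName -ErrorAction SilentlyContinue)) {
    New-GPO -Name $gpoName | Out-Null
}
$store = "$domain\$gpoName"     # NetSecurity PolicyStore syntax for a GPO: Domain\GPOName

# All three profiles on, inbound blocked unless a rule allows it, drops logged.
Set-NetFirewallProfile -PolicyStore $store -Name Domain, Private, Public `
    -Enabled True -DefaultInboundAction Block -DefaultOutboundAction Allow `
    -LogBlocked True -LogMaxSizeKilobytes 16384

# RDP reachable only from the management subnet, and only on the domain profile.
$ruleName = 'Allow RDP from mgmt subnet'
if (-not (Get-NetFirewallRule -PolicyStore $store -DisplayName $ruleName -ErrorAction SilentlyContinue)) {
    New-NetFirewallRule -PolicyStore $store -DisplayName $ruleName `
        -Direction Inbound -Protocol TCP -LocalPort 3389 -RemoteAddress '10.10.0.0/24' `
        -Action Allow -Profile Domain | Out-Null
}

# Security Option "Network security: LAN Manager authentication level", level 5.
# Written as registry policy it shows under "Extra Registry Settings" in the GPO
# report, but the client applies it the same way.
Set-GPRegistryValue -Name $gpoName -Key 'HKLM\SYSTEM\CurrentControlSet\Control\Lsa' `
    -ValueName 'LmCompatibilityLevel' -Type DWord -Value 5 | Out-Null

if (-not ((Get-GPInheritance -Target $ou).GpoLinks.DisplayName -contains $gpoName)) {
    New-GPLink -Name $gpoName -Target $ou | Out-Null
}

# Review what the GPO now carries.
Get-NetFirewallProfile -PolicyStore $store | Select-Object Name, Enabled, DefaultInboundAction
Get-NetFirewallRule -PolicyStore $store | Select-Object DisplayName, Direction, Action, Enabled
Get-GPRegistryValue -Name $gpoName -Key 'HKLM\SYSTEM\CurrentControlSet\Control\Lsa'
```

Writing rules into the GPO store rather than the local store (the default) is the point: a rule created without `-PolicyStore` only changes the host you ran it on.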

e. Software Restriction Policies and AppLocker

Prevent unauthorized software execution to reduce the risk of malware.

•  Software Restriction Policies (Computer Configuration > Policies > Windows Settings > Security Settings > Software Restriction Policies). SRP is deprecated; use it only for hosts that cannot run AppLocker, and treat AppLocker or Windows Defender Application Control (WDAC) as the target.

•  Set the default rule to Disallowed and allow only approved applications via path or hash rules.

•  AppLocker (Computer Configuration > Policies > Windows Settings > Security Settings > Application Control Policies > AppLocker):

•  Create the default rules first (Windows and Program Files allowed for Everyone, everything allowed for Administrators), then add publisher rules for signed applications and hash rules for the rest. Path rules under user-writable directories are bypasses, not controls.

•  Apply to standard users while leaving administrators more latitude, and start every collection in Audit only mode: events 8003 (would have been blocked) in Microsoft-Windows-AppLocker/EXE and DLL show what enforcement would break.

•  Enforcement depends on the Application Identity service (AppIDSvc) running on the client; set it to Automatic in the same GPO under Security Settings > System Services.
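The rule-building step above is usually done from a reference machine rather than by hand. The block below is an added example, not code from the original post: it generates publisher and hash rules from the Program Files trees of a reference workstation, tests the resulting policy against files it never saw, marks the executable collection audit-only, and writes it into a GPO. The GPO name, the assumption that the reference machine's Program Files contents are trusted, and the choice to create default rules in the editor rather than here are all assumptions.

```powershell
# Added example, not from the original post: build an AppLocker executable policy
# from a reference workstation, test it, and push it to a GPO in audit mode.
# Assumes the AppLocker, GroupPolicy and ActiveDirectory modules, an existing GPO
# "Sec-Workstation-AppLocker", and a reference machine whose Program Files trees
# are trusted. Default rules are created in the GPO editor, not produced here.
Import-Module AppLocker
Import-Module GroupPolicy
Import-Module ActiveDirectory

$gpoName = 'Sec-Workstation-AppLocker'
$xmlPath = Join-Path $env:TEMP 'AppLocker-Exe.xml'

# Publisher rules for signed binaries, hash rules for unsigned ones; -Optimize
# collapses files from the same publisher/product into a single rule.
$files = @(Get-AppLockerFileInformation -Directory 'C:\Program Files' -Recurse -FileType Exe)
$files += Get-AppLockerFileInformation -Directory 'C:\Program Files (x86)' -Recurse -FileType Exe
New-AppLockerPolicy -FileInformation $files -RuleType Publisher, Hash -User Everyone -Optimize -Xml |
    Set-Content -Path $xmlPath -Encoding UTF8

# Dry run against files the policy has not seen: anything not Allowed for a
# standard user is either a gap to close or a deliberate block. Without the
# default rules, System32 binaries will show here as Denied.
Get-ChildItem 'C:\Windows\System32\*.exe' | Select-Object -First 25 | Convert-Path |
    Test-AppLockerPolicy -XmlPolicy $xmlPath -User Everyone |
    Where-Object PolicyDecision -ne 'Allowed' |
    Select-Object FilePath, PolicyDecision, MatchingRule

# Audit mode first: 8003 events in Microsoft-Windows-AppLocker/EXE and DLL show
# what would have been blocked. Switch to Enabled once that log is quiet.
[xml]$policy = Get-Content -Path $xmlPath -Raw
foreach ($rc in $policy.AppLockerPolicy.RuleCollection) {
    if ($rc.Type -eq 'Exe') { $rc.EnforcementMode = 'AuditOnly' }
}
$policy.Save($xmlPath)

# Write the policy into the GPO. Without -Merge this replaces whatever AppLocker
# policy the GPO already holds.
$gpo  = Get-GPO -Name $gpoName
$ldap = "LDAP://$((Get-ADDomain).PDCEmulator)/$($gpo.Path)"
Set-AppLockerPolicy -XmlPolicy $xmlPath -Ldap $ldap
```

Keep the generated XML under version control; when a vendor re-signs an application the publisher rule still matches, but hash rules for unsigned tools have to be regenerated on every update.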

f. Privileged Access Management

Limit and secure administrative privileges to reduce attack surface.

•  Restricted Groups (Computer Configuration > Policies > Windows Settings > Security Settings > Restricted Groups):

•  Control membership of sensitive groups. "Members of this group" replaces the group's membership with the listed accounts at every policy refresh, so anything added directly in the group is removed again; "This group is a member of" only adds. For domain groups such as Domain Admins or Enterprise Admins the policy has to apply to the domain controllers; its most common use is pinning the local Administrators group on member servers and workstations.

•  Remove unnecessary accounts from privileged groups before enforcing the list, and review the list on a schedule, because a Restricted Groups policy silently keeps whatever is in it.

•  Deny Logon Rights (User Rights Assignment):

•  Use Deny log on locally, Deny log on through Remote Desktop Services, Deny access to this computer from the network, Deny log on as a batch job and Deny log on as a service to keep Tier 0 accounts (Domain Admins and equivalents) off Tier 1 and Tier 2 systems, and to keep service accounts from logging on interactively anywhere. Deny rights win over the corresponding Allow rights on the same computer.
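Before a Restricted Groups policy is allowed to enforce a membership list, the accounts on that list deserve a look. The block below is an added example, not code from the original post: it walks the built-in privileged groups and flags members whose hygiene weakens the tier (password never expires, a service principal name that makes the account Kerberoastable, not in Protected Users, stale logon, or an old password). It assumes the ActiveDirectory RSAT module; the 90-day and 365-day thresholds are assumptions. Protected Users is a judgement call per account (it disables NTLM, RC4 and long TGT lifetimes), so "NotInProtectedUsers" is a review item, not an automatic fix.

```powershell
# Added example, not from the original post: audit the groups a Restricted Groups
# policy should keep small and flag members that weaken the tier. Assumes the
# ActiveDirectory RSAT module; group names are the built-in ones.
Import-Module ActiveDirectory

$privileged = 'Domain Admins', 'Enterprise Admins', 'Schema Admins', 'Administrators',
              'Account Operators', 'Server Operators', 'Backup Operators', 'Print Operators'
$protected  = @(Get-ADGroupMember -Identity 'Protected Users' -Recursive).DistinguishedName
$now        = Get-Date

$findings = foreach ($g in $privileged) {
    $members = Get-ADGroupMember -Identity $g -Recursive -ErrorAction SilentlyContinue |
               Where-Object objectClass -eq 'user'
    foreach ($m in $members) {
        $u = Get-ADUser -Identity $m.DistinguishedName -Properties PasswordNeverExpires,
                ServicePrincipalName, LastLogonDate, PasswordLastSet
        $issues = @()
        if ($u.PasswordNeverExpires)                                            { $issues += 'PasswordNeverExpires' }
        if ($u.ServicePrincipalName.Count -gt 0)                                { $issues += 'HasSPN' }
        if ($u.DistinguishedName -notin $protected)                             { $issues += 'NotInProtectedUsers' }
        if ($u.LastLogonDate -and $u.LastLogonDate -lt $now.AddDays(-90))       { $issues += 'Stale90d' }
        if ($u.PasswordLastSet -and $u.PasswordLastSet -lt $now.AddDays(-365))  { $issues += 'PasswordOver1y' }
        [pscustomobject]@{
            Group   = $g
            Account = $u.SamAccountName
            Enabled = $u.Enabled
            Issues  = $issues -join ','
        }
    }
}
# Anything with a non-empty Issues column is reviewed before the membership list
# is enforced; Restricted Groups re-applies the list at every refresh but does
# nothing about the hygiene of the accounts it keeps.
$findings | Sort-Object Group, Account | Format-Table -AutoSize
```

An account that appears under several operator groups is a common finding; each such group has a separate path to Tier 0 (Backup Operators can read the AD database, Server Operators can start services on DCs), so the membership of all of them matters, not just Domain Admins.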

g. Disable Unnecessary Features

Reduce attack vectors by disabling outdated or risky features.

•  Disable SMBv1: there is no inbox Administrative Template for this. Either import the MS Security Guide template (SecGuide.admx from the Microsoft Security Compliance Toolkit), which adds Computer Configuration > Policies > Administrative Templates > MS Security Guide > Configure SMB v1 server and Configure SMB v1 client driver, or push the same registry values with Group Policy Preferences: LanmanServer\Parameters\SMB1 = 0 for the server side, and for the client side mrxsmb10 Start = 4 plus removal of MRxSmb10 from the LanmanWorkstation DependOnService list. Disabling SMBv1 closes the protocol that EternalBlue-class exploits such as WannaCry used.

•  Disable PowerShell v2: the v2 engine is an optional Windows feature, not a policy, so there is no GPO setting to turn it off; remove it with Disable-WindowsOptionalFeature -Online -FeatureName MicrosoftWindowsPowerShellV2Root (on Windows Server, Uninstall-WindowsFeature PowerShell-V2), for example from a GPO startup script. It matters because v2 ignores script block logging, transcription and AMSI. While in Administrative Templates > Windows Components > Windows PowerShell, enable Turn on PowerShell Script Block Logging and Turn on PowerShell Transcription so that the remaining engine is observable.

•  Disable Guest Account (Computer Configuration > Policies > Windows Settings > Security Settings > Local Policies > Security Options):

•  Enable Accounts: Guest account status to Disabled.
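The SMBv1 registry values and the PowerShell v2 removal above can be staged into one GPO from a management host. The block below is an added example, not code from the original post: it writes the documented SMBv1 server and client registry values into a GPO as registry policy and drops a startup script into the GPO's SYSVOL folder. The GPO name and domain are assumptions, and the script still has to be registered under Scripts (Startup) in the editor, since the GroupPolicy module has no cmdlet for script assignment.

```powershell
# Added example, not from the original post: disable SMBv1 server and client via
# registry values in a GPO, and stage a startup script that removes the PowerShell
# v2 engine. Assumes GPO "Sec-Baseline-Features" exists and the domain is contoso.com.
Import-Module GroupPolicy

$gpoName = 'Sec-Baseline-Features'
$domain  = 'contoso.com'

# SMBv1 server side: LanmanServer\Parameters\SMB1 = 0.
Set-GPRegistryValue -Name $gpoName -Key 'HKLM\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters' `
    -ValueName 'SMB1' -Type DWord -Value 0 | Out-Null

# SMBv1 client side: disable the mrxsmb10 driver (Start = 4) and remove it from
# the workstation service dependencies, otherwise LanmanWorkstation fails to start.
Set-GPRegistryValue -Name $gpoName -Key 'HKLM\SYSTEM\CurrentControlSet\Services\mrxsmb10' `
    -ValueName 'Start' -Type DWord -Value 4 | Out-Null
Set-GPRegistryValue -Name $gpoName -Key 'HKLM\SYSTEM\CurrentControlSet\Services\LanmanWorkstation' `
    -ValueName 'DependOnService' -Type MultiString -Value 'Bowser', 'MRxSmb20', 'NSI' | Out-Null

# PowerShell v2: write a startup script into the GPO's SYSVOL folder, then register
# it in the editor under Computer Configuration > Policies > Windows Settings >
# Scripts (Startup). On Windows Server the feature is removed with
# Uninstall-WindowsFeature PowerShell-V2 instead.
$gpo    = Get-GPO -Name $gpoName
$sysvol = "\\$domain\SYSVOL\$domain\Policies\{$($gpo.Id)}\Machine\Scripts\Startup"
New-Item -ItemType Directory -Path $sysvol -Force | Out-Null
@'
$feature = 'MicrosoftWindowsPowerShellV2Root'
if ((Get-WindowsOptionalFeature -Online -FeatureName $feature).State -eq 'Enabled') {
    Disable-WindowsOptionalFeature -Online -FeatureName $feature -NoRestart | Out-Null
}
'@ | Set-Content -Path (Join-Path $sysvol 'Remove-PSv2.ps1') -Encoding ASCII

# Review what the GPO now carries; verify on a target after gpupdate /force and
# a reboot (the client driver change needs one) with:
#   Get-SmbServerConfiguration | Select-Object EnableSMB1Protocol
#   (Get-WindowsOptionalFeature -Online -FeatureName MicrosoftWindowsPowerShellV2Root).State
Get-GPRegistryValue -Name $gpoName -Key 'HKLM\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters'
Get-GPRegistryValue -Name $gpoName -Key 'HKLM\SYSTEM\CurrentControlSet\Services\LanmanWorkstation'
```

Apply the client-side change to a pilot OU first: anything that still speaks only SMBv1 (old NAS units, some printers and scanners) stops working for those clients, and the failure shows up as a share that is simply unreachable.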

3. Best Practices for Implementing GPOs

•  Use a Tiered OU Structure: Organize Organizational Units (OUs) hierarchically (e.g., Tier 0 for domain controllers, Tier 1 for servers, Tier 2 for workstations) and apply GPOs at the appropriate level for granular control.

•  Test GPOs Before Deployment: Use a test OU or lab environment to validate settings and avoid unintended disruptions.

•  Use Enforced links sparingly: an Enforced GPO wins over conflicting settings from GPOs linked lower in the hierarchy and cannot be stopped by Block Inheritance, which is what you want for a small set of security baselines and not for everything else, because it makes exceptions impossible to express below the link.

•  Use WMI Filters: Apply GPOs selectively based on conditions like OS version or device type.

•  Document and Backup GPOs: Regularly back up GPOs using the Group Policy Management Console (GPMC) and document their purpose and scope.

•  Monitor GPO Application: Use gpresult /r on the client (gpresult /h report.html for a full report), rsop.msc, or Get-GPResultantSetOfPolicy from a management host to verify which GPOs were applied to a user or computer and which were filtered out.

4. Additional Security Considerations

•  Enable Multi-Factor Authentication (MFA): While not a GPO setting, enforce MFA for privileged accounts using Microsoft Entra ID (formerly Azure AD) or third-party tools to complement GPO security; smart-card logon can be required per account in AD itself ("Smart card is required for interactive logon").

•  Secure Domain Controllers: Apply a dedicated GPO to domain controllers with stricter settings, such as disabling unnecessary services and enabling enhanced auditing.

•  Regularly Update GPOs: Review and update GPOs to align with evolving security standards, such as those from Microsoft’s Security Baselines or CIS Benchmarks.

•  Stop lateral movement with local admin credentials: deploy Windows LAPS (built into Windows since the April 2023 updates, configured under Administrative Templates > System > LAPS; the legacy LAPS uses its own template) so that every computer's local Administrator password is unique, rotated, and stored in AD where only authorized groups can read it. A shared local admin password is the most common way one compromised workstation becomes all of them.

•  Monitor for Unauthorized Changes: Use change management tools or audit policies to detect unauthorized GPO modifications.

5. Common Tools and Resources

•  Microsoft Security Baselines: Download and apply Microsoft’s recommended GPO templates for Windows Server and Windows 10/11.

•  Group Policy Management Console (GPMC): Use for creating, editing, and managing GPOs.

•  CIS Benchmarks: Refer to Center for Internet Security benchmarks for AD and Windows security settings.

•  PowerShell for GPO Management: Use cmdlets like Get-GPO, Set-GPRegistryValue, or Backup-GPO for automation.
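The backup and change-monitoring practices listed in sections 3 and 4 reduce to two routine tasks: keep restorable copies of every GPO, and know who can edit them. The block below is an added example, not code from the original post: it backs up all GPOs with an HTML report each and then lists every trustee holding edit rights on a GPO that is not one of the expected administrative principals. The backup share and the list of expected editors are assumptions.

```powershell
# Added example, not from the original post: back up every GPO and report
# unexpected edit permissions. A non-admin trustee with GpoEdit on a GPO linked
# to domain controllers or the domain root is a Tier 0 escalation path.
# Assumes a writable share \\fs01\gpo-backups.
Import-Module GroupPolicy

$backupRoot = "\\fs01\gpo-backups\$(Get-Date -Format yyyy-MM-dd)"
New-Item -ItemType Directory -Path $backupRoot -Force | Out-Null
Backup-GPO -All -Path $backupRoot -Comment "Scheduled backup $(Get-Date -Format s)" | Out-Null

# Trustees allowed to edit; everything else with an edit right is reported.
$expected   = 'Domain Admins', 'Enterprise Admins', 'SYSTEM',
              'ENTERPRISE DOMAIN CONTROLLERS', 'CREATOR OWNER'
$editRights = 'GpoEdit', 'GpoEditDeleteModifySecurity'

$report = foreach ($gpo in Get-GPO -All) {
    $safeName = $gpo.DisplayName -replace '[\\/:*?"<>|]', '_'
    Get-GPOReport -Guid $gpo.Id -ReportType Html -Path (Join-Path $backupRoot "$safeName.html")
    Get-GPPermission -Guid $gpo.Id -All |
        Where-Object { $_.Permission -in $editRights -and $_.Trustee.Name -notin $expected } |
        ForEach-Object {
            [pscustomobject]@{
                GPO        = $gpo.DisplayName
                Trustee    = $_.Trustee.Name
                TrusteeType = $_.Trustee.SidType
                Permission = $_.Permission
                Modified   = $gpo.ModificationTime
            }
        }
}
$report | Sort-Object GPO, Trustee | Format-Table -AutoSize
```

Run it on a schedule and diff today's report against yesterday's; a new trustee or a jump in ModificationTime on a Tier 0 GPO is worth an alert on its own, independent of the 5136 directory-change events on the GPO container.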

6. Example: Creating a GPO for Password Policy

1.  Open GPMC (gpmc.msc).

2.  Right-click the domain root (account policy for domain accounts is read only from GPOs linked there; a link on an OU affects only local accounts on those computers) and select Create a GPO in this domain, and Link it here.

3.  Name the GPO (e.g., “Domain Password Policy”).

4.  Edit the GPO:

•  Navigate to Computer Configuration > Policies > Windows Settings > Security Settings > Account Policies > Password Policy.

•  Configure settings (e.g., Minimum password length = 14, Complexity = Enabled).

5.  Confirm the link at the domain root and, if the new GPO must win over the Default Domain Policy on a conflicting setting, move it to link order 1 on the Linked Group Policy Objects tab.

6.  Test with gpresult /r /scope:computer on a domain member after gpupdate /force, and with net accounts /domain to see the password policy the domain actually enforces.
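The same procedure from the shell, as an added example that is not part of the original post, with the check the GUI steps do not give you: which root-linked GPO actually supplies each account setting when several define it. It assumes the GroupPolicy and ActiveDirectory modules and the GPO name from step 3. The account values themselves are a security template inside the GPO, which the GroupPolicy module cannot edit, so they are still set in the editor (step 4). The precedence rule used here (enforced links first, then link order) is the order GPMC shows on the Group Policy Inheritance tab.

```powershell
# Added example, not from the original post: create and link the GPO at the domain
# root, then list the account settings every root-linked GPO defines in precedence
# order. Assumes GroupPolicy and ActiveDirectory modules on a domain-joined host.
Import-Module GroupPolicy
Import-Module ActiveDirectory

$gpoName = 'Domain Password Policy'
$root    = (Get-ADDomain).DistinguishedName

if (-not (Get-GPO -Name $gpoName -ErrorAction SilentlyContinue)) {
    New-GPO -Name $gpoName -Comment 'Account policy baseline' | Out-Null
}
# Account policy is only read from GPOs linked at the domain root, so link there,
# at order 1 so it wins over the Default Domain Policy on conflicting settings.
if ((Get-GPInheritance -Target $root).GpoLinks.DisplayName -notcontains $gpoName) {
    New-GPLink -Name $gpoName -Target $root -LinkEnabled Yes -Order 1 | Out-Null
}

# Walk root-linked GPOs in precedence order (enforced first, then link order) and
# list the account settings each defines, taken from the XML report's Security
# extension. The first GPO to define a setting is the one that wins.
$seen  = @{}
$links = (Get-GPInheritance -Target $root).GpoLinks |
         Sort-Object @{ Expression = 'Enforced'; Descending = $true }, Order
foreach ($link in $links) {
    if (-not $link.Enabled) { continue }
    [xml]$report = Get-GPOReport -Guid $link.GpoId -ReportType Xml
    foreach ($ext in $report.GPO.Computer.ExtensionData.Extension) {
        foreach ($acct in $ext.Account) {
            if (-not $acct.Name) { continue }
            $value  = if ($acct.SettingNumber) { $acct.SettingNumber } else { $acct.SettingBoolean }
            $winner = -not $seen.ContainsKey($acct.Name)
            if ($winner) { $seen[$acct.Name] = $link.DisplayName }
            [pscustomobject]@{
                Order    = $link.Order
                Enforced = $link.Enforced
                GPO      = $link.DisplayName
                Setting  = $acct.Name
                Value    = $value
                Wins     = $winner
            }
        }
    }
}

# Cross-check against what the domain controllers wrote to the domain object.
Get-ADDefaultDomainPasswordPolicy |
    Select-Object MinPasswordLength, PasswordHistoryCount, ComplexityEnabled,
                  MaxPasswordAge, LockoutThreshold
# On a client after gpupdate /force:  gpresult /r /scope:computer  and  net accounts /domain
```

If a setting shows Wins = True for a GPO other than the one you just edited, the editor is not lying to you; the other link is simply ahead of yours, and fixing the link order is the change, not re-entering the value.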
