Five ways to improve Windows Server hardening

Review user delegations to secure Active Directory

Source: JJpan/iStock/Getty Images
Visual Editor: Sarah Evans

Active Directory (AD) provides directory-based, identity-related services to the enterprise. This includes handling user accounts and passwords, along with assignment and enforcement of security and group policies.

Active Directory allows for delegations, assigning certain administrative rights -- such as the right to reset user passwords or to create or modify groups -- to regular users. Delegations can be hard to report or remove, so it's easy to forget or to overlook delegated authority once it's given. Delegations assigned to malicious users can expose the business to serious risks. Review them often.

Perform a careful assessment of all delegations on each domain and organizational unit to secure Active Directory. Identify each delegation, consider its implications and remove it if it's questionable, unnecessary or inappropriate. This need not prohibit operations; for example, let a user reset a password, then simply remove their AD delegation after the reset.
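
One way to start that assessment, as an added PowerShell example that is not part of the original article: list every explicit (non-inherited) Allow entry on the domain root and each organizational unit that grants write, create/delete or extended rights to a principal outside a short list of expected defaults. The exclusion list and the output file name are assumptions to adjust for your environment.

```powershell
# Added example: report explicit delegations on the domain root and every OU.
# Requires the RSAT ActiveDirectory module and read access to the directory.
Import-Module ActiveDirectory

# Principals expected to hold rights by default (assumption: tune for your domain).
$expected = @('NT AUTHORITY\SYSTEM', 'NT AUTHORITY\SELF', 'BUILTIN\Administrators',
              'NT AUTHORITY\Authenticated Users', 'NT AUTHORITY\ENTERPRISE DOMAIN CONTROLLERS',
              'Everyone')
$expectedPattern = '\\(Domain Admins|Enterprise Admins)$'

# Rights that amount to delegated administration when granted on a container.
$risky    = [System.DirectoryServices.ActiveDirectoryRights]'GenericAll, GenericWrite, WriteDacl, WriteOwner, WriteProperty, CreateChild, DeleteChild, ExtendedRight'
$extended = [System.DirectoryServices.ActiveDirectoryRights]::ExtendedRight
# Schema GUID of the "Reset Password" (User-Force-Change-Password) extended right.
$resetPassword = [guid]'00299570-246d-11d0-a768-00aa006e0529'

$targets = @((Get-ADDomain).DistinguishedName) +
           @(Get-ADOrganizationalUnit -Filter * | Select-Object -ExpandProperty DistinguishedName)

$report = foreach ($dn in $targets) {
    (Get-Acl -Path "AD:\$dn").Access |
        Where-Object {
            -not $_.IsInherited -and
            $_.AccessControlType -eq 'Allow' -and
            (([int]$_.ActiveDirectoryRights -band [int]$risky) -ne 0) -and
            $_.IdentityReference.Value -notin $expected -and
            $_.IdentityReference.Value -notmatch $expectedPattern
        } |
        ForEach-Object {
            $hasExtended = ([int]$_.ActiveDirectoryRights -band [int]$extended) -ne 0
            [pscustomobject]@{
                Object        = $dn
                Principal     = $_.IdentityReference.Value   # an unresolved SID shows as S-1-5-...
                Rights        = $_.ActiveDirectoryRights
                # An empty ObjectType GUID on an ExtendedRight entry means all extended rights.
                ResetPassword = $hasExtended -and ($_.ObjectType -in @($resetPassword, [guid]::Empty))
                AppliesTo     = $_.InheritedObjectType       # GUID of the object class the entry targets
                Inheritance   = $_.InheritanceType
            }
        }
}

# Full detail for review, plus a per-principal count to spot over-delegated accounts.
$report | Sort-Object Principal, Object | Export-Csv -Path .\ad-delegations.csv -NoTypeInformation
$report | Group-Object Principal | Sort-Object Count -Descending | Format-Table Count, Name
```

Entries whose principal appears as a raw SID usually belong to deleted accounts and are candidates for removal; entries with `ResetPassword` set are the password-reset delegations the article singles out.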

Any permanent delegations should conform to least privilege rules. Also, review group policies, seeking out any that are unnecessary or that might unduly compromise Windows Server hardening.

The release of Windows Server 2016 includes several updates for securing Active Directory. Privileged access management (PAM) adds security provisions so organizations can limit privileged access within the AD environment. PAM adds a bastion AD forest for privileged isolation, new workflows to request and approve privileges, privilege expirations and new monitoring features.
