Personal New Year’s resolutions are long gone and, with the turmoil this year, maybe even a few career ones too. In fact, the last thing anyone in tech is thinking about right now is whether their Active Directory is in tip-top shape.
Okay, if you’re not a Windows Server admin, you’ve probably already checked out. But if you are, I’d like to share some best practices we encourage our customers here at ZAG to consider as they start to think ahead about the rest of the year. If you’re like most admins, you’re probably thinking, “Sure, I’ll get to that someday.”
The fact is that the best time to get to any long-overdue project is now. We created a short hit list of items you should check to ensure that you have some of the basic Active Directory standards established. These include removing accounts for users who are no longer with the company, enforcing industry best-practice password policies, renaming Admin accounts, reviewing who has Admin access to ensure that it is limited to those who truly require it, and so on.
We also work with our customers beyond the basics, by running a Network Detective scan to give them a report listing items to address, such as workstations and servers that may need replacing due to support agreements coming to an end, and much more.
We report on and take action to clean up your AD environment to make you more secure. Whether you are a customer or not, consider this checklist a helpful place to start in improving the security of your AD:
- Rename Local Administrator accounts
- Remove unnecessary users from Local Administrators group
- Remove unnecessary Domain Admins, Enterprise Admins, and Schema Admins
- Use dedicated Accounts for Domain Admins
- Deploy LAPS
- Enforce Password Policies
  - Password changes forced
  - Password settings
  - Password length
  - Password Timeout Policy
  - Password reuse
  - Password security
- Are Administrator Accounts Tiered?
  - Domain
  - Server
  - Workstation
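
As a starting point for the checklist above, here is an added example (not ZAG's or Microsoft's tooling): a read-only PowerShell audit of privileged group membership, the default domain password policy, stale users, and the local Administrator account. It assumes the ActiveDirectory RSAT module, a single-domain forest, and a domain-joined member machine; the thresholds are assumptions, not values from this post.

```powershell
# Added example: read-only audit of several checklist items; changes nothing.
# Assumes the ActiveDirectory (RSAT) module, a single-domain forest, and a
# domain-joined member server or workstation (not a domain controller).
Import-Module ActiveDirectory

# Assumed thresholds, not values from the post; set them to your own policy.
$MinLength = 14; $MinHistory = 24; $StaleDays = 90

# Privileged group membership, including members that arrive via nested groups.
$privileged = foreach ($group in 'Domain Admins', 'Enterprise Admins', 'Schema Admins') {
    Get-ADGroupMember -Identity $group -Recursive |
        Select-Object @{ n = 'Group'; e = { $group } }, Name, SamAccountName, objectClass
}

# Default domain password policy compared with the thresholds above.
$policy = Get-ADDefaultDomainPasswordPolicy
$findings = @()
if ($policy.MinPasswordLength -lt $MinLength) { $findings += "Minimum length is only $($policy.MinPasswordLength)" }
if ($policy.PasswordHistoryCount -lt $MinHistory) { $findings += "Only $($policy.PasswordHistoryCount) previous passwords are blocked from reuse" }
if ($policy.MaxPasswordAge -eq [TimeSpan]::Zero) { $findings += 'Password changes are never forced' }
if ($policy.LockoutThreshold -eq 0) { $findings += 'Account lockout is disabled' }
if (-not $policy.ComplexityEnabled) { $findings += 'Complexity is not required' }
if ($policy.ReversibleEncryptionEnabled) { $findings += 'Reversible encryption is enabled' }

# Enabled users with no logon in $StaleDays days: candidates for removal.
# LastLogonDate replicates with a lag of up to about two weeks, and accounts
# that have never logged on are listed too, so confirm before disabling.
$stale = Search-ADAccount -AccountInactive -TimeSpan (New-TimeSpan -Days $StaleDays) -UsersOnly |
    Where-Object Enabled |
    Select-Object Name, SamAccountName, LastLogonDate

# This machine: the built-in Administrator always has RID 500, whatever it is
# named, and S-1-5-32-544 is the local Administrators group.
$builtin = Get-LocalUser | Where-Object { $_.SID.Value -like 'S-1-5-21-*-500' }
$localAdmins = Get-LocalGroupMember -SID 'S-1-5-32-544'

'--- Privileged domain groups ---'
$privileged | Sort-Object Group, Name | Format-Table -AutoSize
'--- Password policy findings ---'
if ($findings) { $findings } else { 'None against the assumed thresholds' }
"--- Enabled users inactive for $StaleDays+ days ---"
$stale | Format-Table -AutoSize
'--- Local Administrators on this machine ---'
"Built-in Administrator account is named '$($builtin.Name)' (enabled: $($builtin.Enabled))"
$localAdmins | Format-Table Name, ObjectClass, PrincipalSource -AutoSize
```
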
There’s plenty more we recommend, but this is a great place to start. Microsoft shared a comprehensive list of best practices on their website for securing Active Directory.
It won’t take long to do your AD checkup, but if you find yourself in need of some assistance, ZAG can help! We can do an assessment and let you know if you are meeting industry standards or if there might be some things you want to remediate for security reasons.
Now that you have your AD maintenance checked off the to-do list, go do something a little more fun. Perhaps tackling your Disaster Recovery plan?
Thanks to my colleagues, John Luevano and Jeff Hollis, for their collaboration #teamworkthroughout.
This post was originally published by Christie Fisher on LinkedIn.
(Shoutout to Ryan Bates who mentioned LAPS in the comments on my LinkedIn post.)