Posted On October 13, 2021

Active Directory Domain Accounts Security Hardening

kimconnect 0 comments
blog.KimConnect.com >> Windows >> Active Directory Domain Accounts Security Hardening

1. Disable or rename Administrator account
1a. Create an alternate service account
1b. Discover where it’s being used (search for computernames, scheduled tasks, services)
1c. Reconfig existing services and scheduled tasks to use the alternative service account

2. Audit members of Domain Admins and Enterprise Admins
2a. Create report to include these columns: username, name, lastLoginDC, lastLoginComputernames, created, isActive, lastChanged, lockedOut, passwordLastChanged, passwordNeverExpires, isServiceAccount, emailAddress
2b. Contact each domain admin user to mitigate
2c. Coordinate with SysAdmins and Helpdesk to reconfig scheduled tasks, services, printers, and other devices with complex passwords

3. Audit user accounts to enforce password complexity
3a. Create report of user accounts that do not pass standardized complexity requirements
3b. Coordinate with SysAdmins and Helpdesk to contact each user to mitigate weak passwords

4. Implement security monitoring tools
4a. Deploy Tenable.io
4b. Coordinate with SysAdmins to resolve ‘high risk’ vulnerabilities per system scan reports
4c. Review security reports and mitigation progress periodically

5. ….
6. …
7. …
8. …
9. …
10. …

# Sample script to collect active user accounts with PasswordNeverExpires set to True

$usersAuditReport='C:\Scripts\Audits\usersAuditReport.csv'
$domainObjects=@(
    @{domain='intranet';dc='dc02-intranet.kimconnect.com';username='intranet\domainadmin';password='SOMECOMPLEXPASSWORD'}
    )

$command={
  $filter='PasswordNeverExpires -eq "True" -and Enabled -eq "True"'
  $matchedUsers=Get-ADUser -Filter $filter -Properties SamAccountName,GivenName,sn,EmailAddress,created,modified,PasswordLastSet,LockedOut,PasswordNeverExpires,LastLogon
  return $matchedUsers
}

$results=@()
foreach ($domainObject in $domainObjects){
  $adminUsername=$domainObject.username
  $adminPassword=$domainObject.password
  $encryptedPassword=$(ConvertTo-SecureString $adminPassword -AsPlainText -Force)
  $adminCredential=New-Object -TypeName System.Management.Automation.PSCredential -ArgumentList $adminUsername,$encryptedPassword
  $session=new-pssession -computername $domainObject.dc -credential $adminCredential
  if($session.State -eq 'Opened'){
    $result=invoke-command -session $session -scriptblock $command|select * -ExcludeProperty PSComputerName,RunspaceId,PSShowComputerName,ObjectClass,ObjectGUID,SID
    $results+=$result
    remove-pssession $session
  }else{
    write-warning "Unable to connect to $($domainObject.domain)"
  }
}
$null=mkdir (split-path $usersAuditReport -parent) -force
$results|Export-Csv -Path $usersAuditReport -NoTypeInformation

Leave a Reply

Your email address will not be published. Required fields are marked *

Related Post

Restoring AD – using Secondary Domain Controller

1. Reset Administrator password ntdsutil  reset password on server [servername]  [password], confirm [password]  quit, quit  2.…

Proposal: Network Optimization (Simplified)

Kim ConnectNetwork Optimization Proposal June 23, 2017 Overview 1.    Project Background and Description We are…

Procedure to Recreate a Microsoft Clustered Role

1. Delete cluster role 2. Validate that the DNS entry has been purgeda. Check DNS…