Best Practice Guide for Securing Active Directory Installations

Applies To: Windows Server 2003, Windows Server 2003 R2, Windows Server 2003 with SP1, Windows Server 2003 with SP2, Windows Server 2008, Windows Server 2008 R2

Organizations require a network operating system (NOS) that provides secure network access to network data by authorized users and that rejects access by unauthorized users. For a Microsoft® Windows Server® 2003 NOS, the Active Directory® directory service provides many key components for authenticating users and for generating authorization data that controls access to network resources.

Note

For a printable .doc version of this guide, see Best Practice Guide for Securing Active Directory Installations.doc at the Microsoft Download Center (https://go.microsoft.com/fwlink/?LinkId=140862). This guide does not include operations information. For more information about day-to-day service operations for Windows Server 2003 deployments, see the Windows Server 2003 Operations Guide, which is available as a downloadable document on the Microsoft Web site (https://go.microsoft.com/fwlink/?LinkId=63079).

A breach in Active Directory security can result in the loss of access to network resources by legitimate clients or in the inappropriate disclosure of potentially sensitive information. Such information disclosure affects data that is stored on network resources or in Active Directory. To avoid these situations, organizations need more extensive information and support to ensure enhanced security for their NOS environments. This guide addresses this need for organizations that have new, as well as existing, Active Directory deployments.

This guide contains recommendations for protecting domain controllers against known threats, establishing administrative policies and practices to maintain network security, and protecting Domain Name System (DNS) servers from unauthorized updates. It also provides guidelines for maintaining Active Directory security boundaries and securing Active Directory administration.

This guide also includes procedures for enacting these recommendations. For more information, see “Appendix: Procedures” later in this guide.

Note

The recommendations and procedures in this guide have been tested in a lab to demonstrate that domain controllers that are built, configured, and administered in accordance with these recommendations can be deployed and operated in an efficient manner that enhances security.

In This Guide