Planning for Active Directory Security-in-Depth

Applies To: Windows Server 2003, Windows Server 2003 R2, Windows Server 2003 with SP1, Windows Server 2003 with SP2, Windows Server 2008, Windows Server 2008 R2

A security strategy for an enterprise is most effective when data is protected by more than one layer of security. With this type of strategy, the potential losses that might be caused by a security failure in any single layer are minimized by the remaining security layers. For example, when a home is protected by both door locks and a security system, the homeowner is implementing a security-in-depth strategy that is more effective than either of these security features alone.

A security-in-depth strategy first divides all security elements into discrete security layers. In this way, the security effectiveness of each layer can be determined independently, and a security plan can then be implemented. Active Directory security policies and practices can be divided into the following layers:

  • Physical security for domain controllers and the network (physical access to domain controllers, backup data, and network components)

  • Administrative authority (security management and secure administrative practices)

  • End system (domain controller settings, policy settings, and deployment practices)

The following figure shows one way of visualizing the relationships among these security layers for Active Directory.

[Figure: relationships among the Active Directory security layers]

This guide provides recommendations for security best practices that are based on security-in-depth. Therefore, it is organized along the lines of the security layers for secure deployment of domain controllers, including physical security, secure domain controller policies, and secure administrative practices.