Posted by: kurtsh | February 19, 2023

INFO: Jeff Woolsey’s Rant on Domain Controller & Active Directory security

Recently, Jeff Woolsey, Microsoft Principal Program Manager for Windows Server & Hybrid Cloud, in what can only be described as a fit of frustration, posted this information to his followers & it’s worth repeating:

  1. Do not put Domain Controllers on the open internet. 
    Do not put Domain Controllers on the open internet. 
    Do not put Domain Controllers on the open internet.
    Here’s some additional helpful guidance for securing Domain Controllers:
    Securing Domain Controllers Against Attack
    https://learn.microsoft.com/en-us/windows-server/identity/ad-ds/plan/security-best-practices/securing-domain-controllers-against-attack#blocking-internet-access-for-domain-controllers
  2. You should run all domain controllers on the newest version of Windows Server that is supported within your organization. Organizations should prioritize decommissioning legacy operating systems in the domain controller population.
  3. Keeping domain controllers current and eliminating legacy domain controllers allows you to take advantage of new functionality and security. This functionality may not be available in domains or forests with domain controllers running legacy operating systems.
  4. What is the impact of upgrading the Domain or Forest Functional Level?
    https://techcommunity.microsoft.com/t5/ask-the-directory-services-team/what-is-the-impact-of-upgrading-the-domain-or-forest-functional/ba-p/399348
  5. At this point in time, your domain controllers should all be running at Windows Server 2016 Functional Level. There’s a good chance that future AD features will require a 2016 DFL. To learn more about Active Directory Functional Levels see:
    What Are Active Directory Functional Levels?
    https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2003/cc787290(v=ws.10)
  6. Q: Are there any concerns about upgrading the Domain or Forest Functional Level?
    A: No. In a review of over a decade of support calls, NOT ONE involves a case where changing the Domain or Forest Functional Level was responsible as the root cause of any issue.
  7. How to raise Active Directory domain and forest functional levels:
    https://learn.microsoft.com/en-us/troubleshoot/windows-server/identity/raise-active-directory-domain-forest-functional-levels
  8. Best Practices for Securing Active Directory
    https://learn.microsoft.com/en-us/windows-server/identity/ad-ds/plan/security-best-practices/best-practices-for-securing-active-directory
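As an added example (my own script, not Woolsey's or Microsoft's), a PowerShell audit that checks a domain against items 2, 3 and 5 above: it lists domain controllers still on a pre-2016 operating system, compares the domain and forest functional levels with the 2016 floor, and previews the raise from item 7 with -WhatIf. It assumes the RSAT ActiveDirectory module is installed and a domain-joined session; the Get-FunctionalLevelYear helper is mine.

```powershell
# Added example, not from the original post: audit a domain against the guidance
# above (no legacy DCs, Windows Server 2016 functional level). Assumes the RSAT
# ActiveDirectory module and a domain-joined session with read rights.
Import-Module ActiveDirectory

$MinimumYear = 2016   # functional level the post recommends as the current floor

function Get-FunctionalLevelYear {
    # DomainMode/ForestMode render as e.g. 'Windows2012R2Domain'; extract the year.
    param([string]$Mode)
    if ($Mode -match '^Windows(\d{4})') { return [int]$Matches[1] }
    return 0   # unrecognised mode: treat as below the floor
}

# 1. Legacy operating systems still serving as domain controllers.
#    OperatingSystemVersion looks like '10.0 (14393)'; Windows Server 2016 is the
#    first 10.0 server release, so a major version below 10 means pre-2016.
$dcs = Get-ADDomainController -Filter * |
    Select-Object Name, Site, OperatingSystem, OperatingSystemVersion, IPv4Address
$legacy = $dcs | Where-Object {
    ([version]($_.OperatingSystemVersion -replace '\s*\(.*$', '')).Major -lt 10
}

Write-Host "Domain controllers ($($dcs.Count) total):"
$dcs | Format-Table Name, Site, OperatingSystem, IPv4Address -AutoSize
if ($legacy) {
    Write-Warning 'Legacy domain controllers to decommission before raising the level:'
    $legacy | Format-Table Name, OperatingSystem -AutoSize
}

# 2. Domain and forest functional levels versus the recommended floor.
$domain = Get-ADDomain
$forest = Get-ADForest
$dfl = Get-FunctionalLevelYear "$($domain.DomainMode)"
$ffl = Get-FunctionalLevelYear "$($forest.ForestMode)"
Write-Host "Domain functional level: $($domain.DomainMode); forest: $($forest.ForestMode)"

# Raising the level is only possible once every DC runs 2016 or later; -WhatIf
# previews the change without applying it (single-domain forest assumed for FFL).
if ($dfl -lt $MinimumYear -and -not $legacy) {
    Set-ADDomainMode -Identity $domain -DomainMode Windows2016Domain -WhatIf
}
if ($ffl -lt $MinimumYear -and $dfl -ge $MinimumYear) {
    Set-ADForestMode -Identity $forest -ForestMode Windows2016Forest -WhatIf
}
```

Remove -WhatIf only after the legacy list is empty and a change window is agreed, since the functional level cannot be lowered again afterwards.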
