Securing an Active Directory (AD) environment is critical to protect organizational resources, ensure data integrity, and comply with regulatory standards. Configuring security settings involves implementing policies, restricting access, and monitoring activities across domain controllers and member servers. This guide provides a detailed guide to configuring security settings in a Windows Server domain.
In this exercise, you configure settings related to security including disabling NTLM authentication for domain accounts, auditing account management activity, and denying log on as a service for members of a security group.
Restrict NTLM Authentication
In this task, you restrict NTLM authentication.
From the Tools menu of the Server Manager console, open the Group Policy Management console.
In the Group Policy Management console, expand the tailwindtraders.internal forest, the Domains folder, and the tailwindtraders.internal domain. Then expand Group Policy Objects.
Right-click Default Domain Controller Policy and click Edit.
Navigate to Computer Configuration\Policies\Windows Settings\Security Settings\Local Policies\Security Options.
Select and double-click Network security: Restrict NTLM: NTLM authentication in this domain.
Click the Define this policy setting check box.
Select the value Deny all and click OK.
Click Yes in the Confirm Setting Change dialog box.
Close the Group Policy Management Editor.
Audit User Account Management in Sydney
In this task, you enable auditing of User Account Management in the Sydney OU.
From the Tools menu of the Server Manager console, choose Group Policy Management Console.
In the Group Policy Management Console, expand the Tailwindtraders.internal domain.
Navigate to the Sydney OU, right-click and select Create a GPO in this domain, and link it here….
Name the new GPO SydneyOUPolicy.
Click OK.
Right-click SydneyOUPolicy and select Edit.
Browse to Computer Configuration\Policies\Windows Settings\Security Settings\Advanced Audit Policy Configuration\Audit Policies\Account Management.
Select and double-click Audit User account management.
Click the Configure the following audit events check box.
Select the Success and Failure values and click OK.
Close the Group Policy Management Editor
Deny Log On As a Service
In this task, you configure the Deny Log On As A Service security option.
From the Tools menu of the Server Manager console, open the Group Policy Management console.
Expand Tailwindtraders.internal domain.
Browse to the Sydney OU and right-click SydneyOUPolicy. Select Edit.
Browse to Computer Configuration\Policies\Windows Settings\Security Settings\Local Policies\User Rights Assignment.
Select and double-click the Deny Log on as a service policy.
Select the Define this policy setting.
Click Add User or Group.
Click Browse, click Advanced, and then click Find now.
Select Sydney Administrators group.
Click OK until dialogue boxes are closed (it may require four or five acknowledgements).
Configuring security settings in Active Directory strengthens the domain environment by enforcing robust policies, restricting access, and enabling monitoring. By defining policies, securing access, and maintaining vigilance, administrators can protect against threats and ensure compliance.
Top comments (0)