One area that is sometimes overlooked with regard to security is Active Directory. Active Directory is the center of your IT infrastructure, but many administrators forget to lock it down and take advantage of the built-in security features that it offers. Some administrators feel that it is secure after a default installation or after an upgrade, but this is not the case. Active Directory needs special attention to ensure that it has been properly configured to secure access for creating, modifying, or even reading the contents of the directory.
Don't let me scare you into unplugging your domain controllers as you read this. Rather, understand that there are small, but sometimes significant, changes that you need to make to ensure that your Active Directory infrastructure is secure. You will need to consider security starting at the domain controllers themselves, all the way to the entire forest, and including everything in between, such as domains, organizational units, and objects such as user, computer, and group accounts.
Active Directory security can be very deceptive. Take, for example, an upgrade from a Windows NT 4.0 domain controller to a Windows Server 2003 domain controller. The steps are easy, right? Insert the Windows Server 2003 media and follow the wizard as it takes your Windows NT domain controller and transforms it to a Windows Server 2003 domain controller. The process is quite amazing if you think about it. But if you think about the amazing part only, you might miss the security implications that jeopardize the security of your new domain controller.
In this chapter, I explain how to successfully secure your Active Directory deployment. I will explain how the Microsoft security technologies work and how to configure the domain, forest, and domain controllers to protect the directory database. It is true that anyone can install Active Directory, but I have found that only a few know how to secure it properly.