ad-hardening

Mon, 20 May 2024 00:00:00 +0000

ad-hardening is a comprehensive guidebook and reference repository dedicated to securing and hardening Active Directory (AD) environments in air-gapped, isolated networks. While physical isolation eliminates many remote threats, it places a heavier security premium on internal access control, endpoint hygiene, and physical media management.

This project outlines step-by-step guidance, configurations, and templates to establish a resilient security posture inside sensitive, non-internet-connected directory environments.

Core Hardening Pillars

Tiered Administrative Model: Isolating Tier 0 (Domain Controllers/Admins) credentials from Tier 1 (Servers) and Tier 2 (Workstations) to eliminate lateral escalation risks.
Offline Authentication & MFA: Strategies for deploying local, offline-capable multi-factor authentication without internet-based validation services.
Service Account Securing: transitioning legacy service accounts to Group Managed Service Accounts (gMSAs) to enforce automatic password rotation.
Audit & Event Analysis: Configuration templates for offline Windows Event Forwarding (WEF) and local security log auditing.
Removable Media Control: Hardening USB and other removable hardware access policies via Group Policy Objects (GPOs) to combat sneakernet malware propagation vectors.

Security-ADMX

Sun, 19 May 2024 00:00:00 +0000

Security-ADMX is a collection of custom Administrative Templates (.admx and .adml) specifically designed for hardening Windows 10 and Windows 11 workstations. It allows system administrators and security engineers to configure advanced security settings via local or domain Group Policy (GPO) that are otherwise difficult or tedious to manage.

Developed out of the need to streamline security compliance across embedded and workstation deployments, this project packages several security controls into easily manageable policies.

Active Directory | Florian Stosse

ad-hardening

Core Hardening Pillars

Security-ADMX