Welcome to the latest installment of “Securing Your Windows Infrastructure”. Today’s topic is encryption – specifically encryption as it pertains to Active Directory. As with other applications, data managed by AD can be encrypted in storage and in transit. Let’s take a quick look at where encryption is, and can be, used by AD.
Luckily, replication traffic is encrypted by default, so there is nothing additional to do to keep data managed by AD secure as it goes over the wire. Kerberos v5 is used in this process, both for authentication of replication peers and encryption of replicated traffic.
LDAP and Global Catalog (GC) traffic can also be encrypted. LDAPS is enabled simply by adding a Server Authentication certificate to the server’s Personal Certificate store. There are a number of requirements for the certificate that are outlined in the following Microsoft Support article: https://support.microsoft.com/en-us/kb/321051.
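As an added example (not part of the original post), the following PowerShell audits a Domain Controller for the LDAPS prerequisites just described: a certificate in the Local Machine Personal store (`Cert:\LocalMachine\My`) with a private key, the Server Authentication EKU, a name matching the DC's FQDN, and then a TLS handshake against port 636 to confirm the DC is actually serving it. The DC name `dc01.corp.example` is a placeholder you must replace; the SAN parsing assumes the English-language output of `Format()`.

```powershell
# Added example, not from the original post.
# Run on (or against) a Domain Controller to check LDAPS certificate readiness.
param(
    [string]$DcFqdn = 'dc01.corp.example'   # placeholder: replace with your DC's FQDN
)

$serverAuthEku = '1.3.6.1.5.5.7.3.1'        # id-kp-serverAuth

# Does the certificate's CN or Subject Alternative Name cover the DC's FQDN?
function Test-CertNameMatch {
    param(
        [System.Security.Cryptography.X509Certificates.X509Certificate2]$Cert,
        [string]$Fqdn
    )
    $cn = $Cert.GetNameInfo(
        [System.Security.Cryptography.X509Certificates.X509NameType]::DnsName, $false)
    if ($cn -ieq $Fqdn) { return $true }

    # 2.5.29.17 is the SAN extension; Format() yields "DNS Name=host, DNS Name=host2"
    $san = $Cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.17' }
    if ($san) {
        $names = ($san.Format($false) -split ',\s*') |
                 ForEach-Object { ($_ -split '=', 2)[-1].Trim() }
        return [bool]($names -icontains $Fqdn)
    }
    return $false
}

# Candidate certificates: in the Personal store, unexpired, with a private key
# and the Server Authentication EKU, and named for this DC.
function Get-LdapsCandidateCertificate {
    param([string]$Fqdn)
    Get-ChildItem -Path Cert:\LocalMachine\My | Where-Object {
        $_.HasPrivateKey -and
        $_.NotAfter -gt (Get-Date) -and
        ($_.EnhancedKeyUsageList | Where-Object { $_.ObjectId -eq $serverAuthEku }) -and
        (Test-CertNameMatch -Cert $_ -Fqdn $Fqdn)
    }
}

# Perform a real TLS handshake on 636; AuthenticateAsClient throws if the
# chain or hostname check fails, which is exactly what an LDAPS client would see.
function Test-LdapsHandshake {
    param([string]$Fqdn)
    $client = New-Object System.Net.Sockets.TcpClient
    try {
        $client.Connect($Fqdn, 636)
        $ssl = New-Object System.Net.Security.SslStream($client.GetStream(), $false)
        $ssl.AuthenticateAsClient($Fqdn)
        [pscustomobject]@{
            Protocol = $ssl.SslProtocol
            Subject  = $ssl.RemoteCertificate.Subject
            Issuer   = $ssl.RemoteCertificate.Issuer
            Expires  = $ssl.RemoteCertificate.GetExpirationDateString()
        }
    }
    finally { $client.Dispose() }
}

$certs = @(Get-LdapsCandidateCertificate -Fqdn $DcFqdn)
if ($certs.Count -eq 0) {
    Write-Warning "No LDAPS-capable certificate for $DcFqdn found in Cert:\LocalMachine\My"
} else {
    $certs | Select-Object Thumbprint, Subject, NotAfter | Format-Table -AutoSize
}

try   { Test-LdapsHandshake -Fqdn $DcFqdn }
catch { Write-Warning "LDAPS handshake to ${DcFqdn}:636 failed: $($_.Exception.Message)" }
```

The store check and the handshake are deliberately separate: a certificate can be present and still not be the one the DC selected (for example when several Server Authentication certificates coexist), so the handshake output should be compared against the thumbprint list.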
Active Directory Data Store
With the enhanced virtualization support for Active Directory in Windows Server 2012, you may now be running your DCs safely in a virtual machine. Keep in mind that although you can encrypt the drive of a Domain Controller using Bitlocker on a physical machine, it is NOT recommended to encrypt the drive of a VM from within the guest OS. Instead, the host can be configured to encrypt the drive containing the .vhd(x) files. This way, even if the drive is stolen, your data within the .vhd file will be safe.
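To turn the host-side recommendation into a check, here is an added PowerShell example (not from the original post) to run on a Hyper-V host. It maps every VM's virtual disks to the host volume they live on and reports that volume's BitLocker state, so unencrypted VHD/VHDX locations stand out. It assumes the Hyper-V and BitLocker modules are installed; VM names and paths come from your own host.

```powershell
# Added example, not from the original post. Run on the Hyper-V host.
# Reports, for each VM virtual disk, whether the host volume holding it is
# protected by BitLocker (the approach recommended above instead of guest-side encryption).
function Get-VmDiskEncryptionStatus {
    Get-VM | Get-VMHardDiskDrive | ForEach-Object {
        $path  = $_.Path
        $drive = $null
        try   { $drive = Split-Path -Path $path -Qualifier }   # e.g. 'D:'
        catch { }                                              # UNC paths have no qualifier

        $bl = $null
        if ($drive) {
            $bl = Get-BitLockerVolume -MountPoint $drive -ErrorAction SilentlyContinue
        }

        [pscustomobject]@{
            VMName           = $_.VMName
            DiskPath         = $path
            HostVolume       = if ($drive) { $drive } else { 'SMB share: check on file server' }
            ProtectionStatus = if ($bl) { $bl.ProtectionStatus } else { 'Unknown' }
            VolumeStatus     = if ($bl) { $bl.VolumeStatus }     else { 'Unknown' }
            EncryptionMethod = if ($bl) { $bl.EncryptionMethod } else { 'Unknown' }
        }
    }
}

# Anything not reporting ProtectionStatus 'On' deserves attention.
Get-VmDiskEncryptionStatus |
    Where-Object { $_.ProtectionStatus -ne 'On' } |
    Format-Table -AutoSize
```

Two caveats when reading the output: disks on Cluster Shared Volumes resolve to `C:` because CSVs are mounted under `C:\ClusterStorage`, so check the CSV itself with `Get-BitLockerVolume` against that path, and disks on SMB shares must be assessed on the file server that hosts them.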
Using EFS to encrypt ntds.dit may seem like a good idea at first, but it creates a circular dependency: the Domain Controller needs a working copy of Active Directory to decrypt the file, and Active Directory is exactly what the file contains. A DC that cannot read its own database is a dangerous situation, so this method should not be used.
It is easy to further enhance the security of Active Directory and your Windows Infrastructure by enabling a couple of the built-in tools that Microsoft includes with Windows. For assistance with encryption, Windows Security, or any other concerns, please get in touch with us using the Contact page of this website.