Windows Server Security
AD & Defender Hardening 2026
Active Directory, Group Policy, Defender for Endpoint, Credential Guard & AppLocker
Active Directory · Defender · GPO · AppLocker
Active Directory Security Architecture
Active Directory is the identity core of every Windows environment: a compromised AD means complete control of the domain. Secure the forest, the domain controllers and the permission structure with defense in depth.
AD Hardening
- Tier model (Tier 0/1/2)
- Admin forest (ESAE)
- Privileged Access Workstations
- Just-in-Time admin
Authentication
- Windows Hello for Business
- FIDO2/Passwordless
- Smart Cards
- NTLM restrictions
Monitoring
- Advanced Audit Policies
- Defender for Identity
- Event Forwarding
- SIEM Integration
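The monitoring items above only pay off if the right audit subcategories are on and someone queries the resulting events. The following script is an added example, not code from the original page: it enables the advanced audit subcategories with auditpol, then runs two detections over the local Security log that a SIEM should receive via event forwarding (privileged group membership changes and bursts of Kerberos pre-authentication failures). The group list, the 24-hour window and the failure threshold of 20 are assumptions to adjust per environment.

```powershell
# Added example: enable advanced audit subcategories and run two baseline detections.
# Run on a domain controller with administrative rights.

# 1. Advanced audit policy subcategories the detections below depend on
$Subcategories = @(
    "Audit Security Group Management",        # 4728/4732/4756 group membership changes
    "Audit User Account Management",          # 4720/4722/4724/4740 account changes and lockouts
    "Audit Kerberos Authentication Service",  # 4768/4771 TGT requests and pre-auth failures
    "Audit Logon",                            # 4624/4625/4648 logons
    "Audit Special Logon"                     # 4672 logon with admin-equivalent privileges
)
foreach ($Sub in $Subcategories) {
    auditpol.exe /set /subcategory:"$Sub" /success:enable /failure:enable | Out-Null
}

# Helper: flatten EventData <Data Name="..."> elements into a hashtable
function ConvertTo-EventDataHash {
    param([System.Diagnostics.Eventing.Reader.EventRecord]$Event)
    $data = @{}
    foreach ($d in ([xml]$Event.ToXml()).Event.EventData.Data) { $data[$d.Name] = $d.'#text' }
    return $data
}

$Since = (Get-Date).AddHours(-24)   # review window (assumption)

# 2. Detection: members added to privileged groups in the review window
$PrivilegedGroups = @("Domain Admins", "Enterprise Admins", "Schema Admins", "Administrators", "Tier 0 Admins")
$GroupChanges = Get-WinEvent -FilterHashtable @{
    LogName   = "Security"
    Id        = 4728, 4732, 4756   # member added to global / local / universal group
    StartTime = $Since
} -ErrorAction SilentlyContinue | ForEach-Object {
    $data = ConvertTo-EventDataHash -Event $_
    [pscustomobject]@{
        Time      = $_.TimeCreated
        EventId   = $_.Id
        Group     = $data.TargetUserName   # the group that was modified
        Member    = $data.MemberName       # DN of the account that was added
        ChangedBy = $data.SubjectUserName  # who made the change
    }
} | Where-Object { $_.Group -in $PrivilegedGroups }

# 3. Detection: many Kerberos pre-auth failures (4771) from one source address,
#    the usual trace of password guessing against many accounts
$FailureThreshold = 20   # assumption; tune to the environment's normal failure rate
$PreAuthFailures = Get-WinEvent -FilterHashtable @{
    LogName = "Security"; Id = 4771; StartTime = $Since
} -ErrorAction SilentlyContinue | ForEach-Object {
    (ConvertTo-EventDataHash -Event $_).IpAddress
} | Group-Object | Where-Object Count -ge $FailureThreshold | Sort-Object Count -Descending

"Privileged group changes since $Since"
$GroupChanges | Format-Table -AutoSize
"Sources with >= $FailureThreshold Kerberos pre-auth failures since $Since"
$PreAuthFailures | Select-Object Name, Count | Format-Table -AutoSize
```

Both queries read the local log; with event forwarding in place the same filters apply unchanged to the collector's ForwardedEvents log (change LogName accordingly).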
Group Policy Security Baselines
```powershell
# PowerShell - Deploy Security Baseline GPOs
# Import Security Compliance Toolkit baselines
Import-GPO -BackupGpoName "MSFT Windows Server 2022 - Domain Controller" `
    -Path "C:\SecurityBaselines" `
    -TargetName "Production DC Baseline" `
    -CreateIfNeeded

# Computer Configuration - Security Settings
# NOTE: this table is a simplified inventory of what the baseline covers. Account
# policies, audit policies and user rights are security-template settings
# (GptTmpl.inf) delivered by the imported baseline, not registry policy values;
# the loop below shows the pattern for registry-backed settings.
$ComputerSettings = @{
    # Account Policies
    "PasswordPolicy/MinimumPasswordLength" = 14
    "PasswordPolicy/PasswordComplexity" = 1
    "PasswordPolicy/MaximumPasswordAge" = 60
    "PasswordPolicy/MinimumPasswordAge" = 1
    "PasswordPolicy/PasswordHistorySize" = 24
    # Account Lockout
    "AccountLockoutPolicy/AccountLockoutThreshold" = 5
    "AccountLockoutPolicy/AccountLockoutDuration" = 30
    "AccountLockoutPolicy/ResetAccountLockoutCounterAfter" = 30
    # Audit Policy
    "AuditPolicy/AccountLogon" = "Success,Failure"
    "AuditPolicy/AccountManagement" = "Success,Failure"
    "AuditPolicy/LogonEvents" = "Success,Failure"
    "AuditPolicy/ObjectAccess" = "Failure"
    "AuditPolicy/PolicyChange" = "Success,Failure"
    "AuditPolicy/PrivilegeUse" = "Failure"
    "AuditPolicy/ProcessTracking" = "Success,Failure"
    "AuditPolicy/SystemEvents" = "Success,Failure"
    # User Rights Assignment
    "UserRights/SeTrustedCredManAccessPrivilege" = @() # No one
    "UserRights/SeNetworkLogonRight" = @("Authenticated Users")
    "UserRights/SeDenyNetworkLogonRight" = @("Guests")
    "UserRights/SeRemoteInteractiveLogonRight" = @("Domain Admins", "Remote Desktop Users")
    # Security Options
    "SecurityOptions/LSAProtection" = 1
    "SecurityOptions/LAPS" = 1
    "SecurityOptions/CredentialGuard" = 1
    "SecurityOptions/DeviceGuard" = 1
    "SecurityOptions/HVCI" = 1
    # Windows Defender
    "Defender/RealTimeProtection" = 1
    "Defender/CloudProtection" = 1
    "Defender/SubmitSamplesConsent" = 1
    "Defender/PUAProtection" = 1
    "Defender/AttackSurfaceReduction" = 1
}

# Deploy via GPO
$GPO = Get-GPO -Name "Security Baseline"
foreach ($Setting in $ComputerSettings.GetEnumerator()) {
    # "Category/ValueName" -> subkey and value name
    $Category, $ValueName = $Setting.Key.Split('/')
    # Registry value kind follows the PowerShell type of the value
    if ($Setting.Value -is [array])      { $Type = 'MultiString' }
    elseif ($Setting.Value -is [string]) { $Type = 'String' }
    else                                 { $Type = 'DWord' }
    Set-GPRegistryValue -Name $GPO.DisplayName `
        -Key "HKLM\Software\Policies\Microsoft\Windows\$Category" `
        -ValueName $ValueName `
        -Type $Type `
        -Value $Setting.Value
}
```
Credential Guard & Device Guard
```powershell
# Enable Credential Guard (via GPO or DSC)
# GPO Path: Computer Configuration > Administrative Templates > System > Device Guard
# Policy: Turn On Virtualization Based Security
# Settings: Enabled with UEFI lock

# PowerShell - Enable Credential Guard
$RegPath = "HKLM:\SYSTEM\CurrentControlSet\Control\DeviceGuard"
New-Item -Path $RegPath -Force | Out-Null
Set-ItemProperty -Path $RegPath -Name "EnableVirtualizationBasedSecurity" -Value 1
# 1 = Secure Boot only, 3 = Secure Boot + DMA protection
Set-ItemProperty -Path $RegPath -Name "RequirePlatformSecurityFeatures" -Value 1
# HVCI is switched on under the Scenarios subkey
$HvciPath = "$RegPath\Scenarios\HypervisorEnforcedCodeIntegrity"
New-Item -Path $HvciPath -Force | Out-Null
Set-ItemProperty -Path $HvciPath -Name "Enabled" -Value 1
# Credential Guard itself is controlled by LsaCfgFlags under the Lsa key:
# 1 = enabled with UEFI lock, 2 = enabled without lock
Set-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Control\Lsa" -Name "LsaCfgFlags" -Value 1

# Verify Credential Guard: SecurityServicesRunning contains 1 for Credential Guard and 2 for HVCI
(Get-CimInstance -Namespace "root\Microsoft\Windows\DeviceGuard" -ClassName Win32_DeviceGuard).SecurityServicesRunning
Get-CimInstance -Namespace "root\cimv2\security\MicrosoftTpm" -ClassName Win32_Tpm   # TPM present and ready
msinfo32.exe # Check "Device Guard Security Services Running"

# Enable Windows Defender Application Control (WDAC)
# Create policy with PowerShell: FilePublisher rules, hash rules as fallback for unsigned files
New-CIPolicy -FilePath "C:\WDAC\policy.xml" `
    -Level FilePublisher `
    -Fallback Hash `
    -UserPEs `
    -ScanPath "C:\Program Files"
# Convert to binary
ConvertFrom-CIPolicy -XmlFilePath "C:\WDAC\policy.xml" -BinaryFilePath "C:\WDAC\policy.bin"
# Deploy via GPO (copy to SYSVOL, then point the "Deploy Windows Defender Application Control" policy at this path)
Copy-Item "C:\WDAC\policy.bin" `
    "\\domain.local\sysvol\domain.local\Policies\PolicyDefinitions\WindowsDefenderApplicationControl.bin"
```
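A policy created with New-CIPolicy starts in audit mode, and the sensible workflow is to run it that way for a while and read what it would have blocked before removing the audit option. The script below is an added example, not code from the original page: it collects the audit and block events from the CodeIntegrity log (3076 = audit-mode "would have blocked", 3077 = enforced block) and, for the AppLocker policy configured in the next step, from the AppLocker EXE and DLL log (8003 = audit, 8004 = block), and summarises them per file so that missing publisher or hash rules can be added before enforcement. The 7-day window, the output path and the assumption that the event messages are in English are mine.

```powershell
# Added example: review WDAC and AppLocker audit events before switching to enforcement.

$Since = (Get-Date).AddDays(-7)   # review window (assumption)

# WDAC: 3076 = audit-mode "would have blocked", 3077 = enforced block
function Get-WdacAuditEvents {
    param([datetime]$StartTime)
    Get-WinEvent -FilterHashtable @{
        LogName   = "Microsoft-Windows-CodeIntegrity/Operational"
        Id        = 3076, 3077
        StartTime = $StartTime
    } -ErrorAction SilentlyContinue | ForEach-Object {
        # EventData field names ("File Name", "Process Name") come from the event template
        $d = @{}
        foreach ($e in ([xml]$_.ToXml()).Event.EventData.Data) { $d[$e.Name] = $e.'#text' }
        [pscustomobject]@{
            Time    = $_.TimeCreated
            Source  = "WDAC"
            Mode    = if ($_.Id -eq 3076) { "Audit" } else { "Block" }
            File    = if ($d['File Name']) { $d['File Name'] } else { $_.Message }
            Process = $d['Process Name']
        }
    }
}

# AppLocker: 8003 = audit-mode "would have been prevented", 8004 = block (EXE and DLL log;
# scripts and installers log to "Microsoft-Windows-AppLocker/MSI and Script")
function Get-AppLockerAuditEvents {
    param([datetime]$StartTime)
    Get-WinEvent -FilterHashtable @{
        LogName   = "Microsoft-Windows-AppLocker/EXE and DLL"
        Id        = 8003, 8004
        StartTime = $StartTime
    } -ErrorAction SilentlyContinue | ForEach-Object {
        # The message starts with the file path: "<path> was allowed to run but would have been
        # prevented ..." (8003) or "<path> was prevented from running." (8004)
        $file = if ($_.Message -match '^(?<path>.+?) was (allowed|prevented)') { $Matches.path } else { $_.Message }
        [pscustomobject]@{
            Time    = $_.TimeCreated
            Source  = "AppLocker"
            Mode    = if ($_.Id -eq 8003) { "Audit" } else { "Block" }
            File    = $file
            Process = $null
        }
    }
}

$Events = @(Get-WdacAuditEvents -StartTime $Since) + @(Get-AppLockerAuditEvents -StartTime $Since)

# Summarise per file: every legitimate entry here needs a publisher or hash rule before enforcement,
# everything else is a binary that the policy is correctly going to stop
$Summary = $Events | Group-Object Source, File | ForEach-Object {
    [pscustomobject]@{
        Source = $_.Group[0].Source
        File   = $_.Group[0].File
        Mode   = ($_.Group.Mode | Sort-Object -Unique) -join ","
        Hits   = $_.Count
        Last   = ($_.Group | Sort-Object Time -Descending)[0].Time
    }
} | Sort-Object Hits -Descending

$Summary | Format-Table -AutoSize
$Summary | Export-Csv -Path "C:\WDAC\audit-review.csv" -NoTypeInformation   # output path is an assumption
```

Run it on a representative set of machines for the whole audit window, not just one, before removing the audit-mode rule option from the WDAC policy.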
```powershell
# AppLocker Configuration (backup to WDAC)
Set-Service -Name AppIDSvc -StartupType Automatic
Start-Service -Name AppIDSvc
# Create AppLocker rules from the installed software: publisher rules first,
# hash rules for unsigned files, path rules only as last resort
Get-AppLockerFileInformation -Directory "C:\Program Files" -Recurse -FileType Exe,Dll,Script,WindowsInstaller |
    New-AppLockerPolicy -RuleType Publisher,Hash,Path -User Everyone -Optimize -Xml |
    Out-File -FilePath "C:\AppLocker\policy.xml" -Encoding UTF8
# Enforce AppLocker (merged with the active local policy; use -Ldap "<GPO LDAP path>" for domain-wide deployment)
Set-AppLockerPolicy -XmlPolicy "C:\AppLocker\policy.xml" -Merge
```
Active Directory Tier Model
```powershell
# AD Tier Model Implementation
# Tier 0: Forest/Domain Admins (No internet, dedicated PAWs)
# Tier 1: Server Admins (Protected servers)
# Tier 2: Workstation Admins (User workstations)

# OU Structure
New-ADOrganizationalUnit -Name "Tier 0" -Path "DC=corp,DC=local"
New-ADOrganizationalUnit -Name "Tier 1" -Path "DC=corp,DC=local"
New-ADOrganizationalUnit -Name "Tier 2" -Path "DC=corp,DC=local"
New-ADOrganizationalUnit -Name "Privileged Access Workstations" -Path "OU=Tier 0,DC=corp,DC=local"

# Tier 0 Group Policy (most restrictive)
$Tier0GPO = New-GPO -Name "Tier 0 - Domain Controllers" -Comment "Tier 0 Security Settings"
New-GPLink -Name $Tier0GPO.DisplayName -Target "OU=Domain Controllers,DC=corp,DC=local" -Enforced Yes

# Tier 0 Restrictions: keep UAC remote restrictions for local accounts
# (0 = local admin accounts get a filtered token over the network)
Set-GPRegistryValue -Name $Tier0GPO.DisplayName `
    -Key "HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System" `
    -ValueName "LocalAccountTokenFilterPolicy" `
    -Type DWord -Value 0

# Block Tier 0 accounts from Tier 1/2: the deny logon rights below belong in the
# Tier 1 and Tier 2 GPOs (Computer Configuration > Windows Settings > Security
# Settings > Local Policies > User Rights Assignment)
$DenyTier0 = @"
{
    "Name": "Deny Tier 0 to Tier 1/2",
    "UserRights": {
        "SeDenyNetworkLogonRight": ["CORP\Tier 0 Admins"],
        "SeDenyInteractiveLogonRight": ["CORP\Tier 0 Admins"],
        "SeDenyRemoteInteractiveLogonRight": ["CORP\Tier 0 Admins"]
    }
}
"@

# Authentication Policies (Windows Server 2016+); TGT lifetimes are in minutes
New-ADAuthenticationPolicy -Name "Tier 0 Auth Policy" `
    -Enforce -UserTGTLifetime 60 `
    -ComputerTGTLifetime 240

# Silos: bind Tier 0 users and computers to the policy. Members are assigned with
# Set-ADUser/Set-ADComputer -AuthenticationPolicySilo and admitted with
# Grant-ADAuthenticationPolicySiloAccess
New-ADAuthenticationPolicySilo -Name "Tier 0 Silo" `
    -UserAuthenticationPolicy "Tier 0 Auth Policy" `
    -ComputerAuthenticationPolicy "Tier 0 Auth Policy" `
    -Enforce
```
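A silo only protects the accounts that are actually assigned to it, and nested group membership quietly adds accounts to Tier 0 over time. The following script is an added example, not code from the original page: it resolves the Tier 0 groups recursively and reports every account that is not assigned to the "Tier 0 Silo", is not in Protected Users, or is enabled but has not logged on for 90 days. The group list and silo name follow the block above; the group "Tier 0 Admins", the 90-day threshold and the remediation cmdlets shown in the comment are assumptions.

```powershell
# Added example: hygiene check for Tier 0 accounts against the silo and Protected Users.
Import-Module ActiveDirectory

$Tier0Groups = @("Domain Admins", "Enterprise Admins", "Schema Admins", "Tier 0 Admins")
$SiloName    = "Tier 0 Silo"
$StaleDays   = 90   # assumption

# 1. Collect Tier 0 users; -Recursive resolves nested groups
$Tier0Users = foreach ($g in $Tier0Groups) {
    Get-ADGroupMember -Identity $g -Recursive -ErrorAction SilentlyContinue |
        Where-Object objectClass -eq 'user'
}
$Tier0Users = $Tier0Users | Sort-Object -Property DistinguishedName -Unique

# 2. Protected Users membership (blocks NTLM, DES/RC4 and delegation for these accounts)
$Protected = @(Get-ADGroupMember -Identity "Protected Users" -Recursive -ErrorAction SilentlyContinue).DistinguishedName

# 3. Evaluate each account
$Report = foreach ($u in $Tier0Users) {
    $user = Get-ADUser -Identity $u.DistinguishedName -Properties 'msDS-AssignedAuthNPolicySilo', LastLogonDate
    $silo = $user.'msDS-AssignedAuthNPolicySilo'   # DN of the assigned silo, or $null
    [pscustomobject]@{
        Account        = $user.SamAccountName
        Enabled        = $user.Enabled
        InSilo         = [bool]($silo -and $silo -like "CN=$SiloName,*")
        ProtectedUsers = $Protected -contains $user.DistinguishedName
        LastLogon      = $user.LastLogonDate
        Stale          = $user.Enabled -and ($null -eq $user.LastLogonDate -or $user.LastLogonDate -lt (Get-Date).AddDays(-$StaleDays))
    }
}

# 4. Findings: anything that is not fully covered by the Tier 0 controls
$Findings = $Report | Where-Object { -not $_.InSilo -or -not $_.ProtectedUsers -or $_.Stale }
"$($Report.Count) Tier 0 accounts, $(@($Findings).Count) with findings"
$Findings | Format-Table -AutoSize

# Remediation for a confirmed Tier 0 account (one-off, not run automatically):
#   Grant-ADAuthenticationPolicySiloAccess -Identity $SiloName -Account <DN>
#   Set-ADUser -Identity <DN> -AuthenticationPolicySilo $SiloName
#   Add-ADGroupMember -Identity "Protected Users" -Members <DN>
# Stale enabled accounts should be disabled rather than left in Tier 0 groups.
```

Scheduling this daily and alerting on a non-empty finding list turns the tier model from a one-time design into a control that is continuously verified.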
```powershell
# Fine-Grained Password Policy for Admins (Precedence is required; the lowest value wins when several policies apply)
New-ADFineGrainedPasswordPolicy -Name "Admin Password Policy" `
    -Precedence 10 `
    -MinPasswordLength 16 `
    -ComplexityEnabled $true `
    -MinPasswordAge "1.00:00:00" `
    -MaxPasswordAge "30.00:00:00" `
    -PasswordHistoryCount 24 `
    -LockoutThreshold 3 `
    -LockoutDuration "00:30:00" `
    -LockoutObservationWindow "00:30:00"
Add-ADFineGrainedPasswordPolicySubject -Identity "Admin Password Policy" `
    -Subjects "Domain Admins", "Enterprise Admins", "Tier 0 Admins"
```
Defender for Endpoint Configuration
```powershell
# Microsoft Defender for Endpoint - Intune/Configuration Profile
# ASR (Attack Surface Reduction) Rules: rule GUID = action (0 = Off, 1 = Block, 2 = Audit, 6 = Warn)
$ASRRules = @{
    # Block Office applications from injecting code into other processes
    "75668C1F-73B5-4CF0-BB93-3ECF5CB7CC84" = 1
    # Block Office applications from creating executable content
    "3B576869-A4EC-4529-8536-B800A3967B3B" = 1
    # Block JavaScript/VBScript from launching downloaded executable content
    "D3E037E1-3EB8-44C8-A917-57927947596D" = 1
    # Block all Office applications from creating child processes
    "D4F940AB-401B-4EFC-AADC-AD5F3C50688A" = 1
    # Block execution of potentially obfuscated scripts
    "5BEB7EFE-FD9A-4556-801D-A275C435748C" = 1
    # Block Win32 API calls from Office macros
    "92E97FA1-2EDF-4476-BDD6-9DD0B4DDDC7B" = 1
    # Block process creations originating from PSExec and WMI commands
    "D1E49AAC-8F56-4280-B9BA-993A6D77406C" = 1
    # Block credential stealing from the Windows local security authority subsystem (lsass.exe)
    "9E6C4E1F-7D60-472F-BA1A-A39EF4210F4A" = 1
    # Block persistence through WMI event subscription
    "E6DB77E5-3DF2-4CF1-B95A-636979351E5B" = 1
}

# Deploy via Intune or GPO; locally, Add-MpPreference appends to the rule list
# (Set-MpPreference would replace it on every iteration)
foreach ($Rule in $ASRRules.GetEnumerator()) {
    Add-MpPreference -AttackSurfaceReductionRules_Ids $Rule.Key `
        -AttackSurfaceReductionRules_Actions $Rule.Value
}

# Enable Exploit Protection system-wide mitigations
# (Exploit Protection is configured with Set-ProcessMitigation, not Set-MpPreference)
Set-ProcessMitigation -System -Enable DEP,SEHOP,BottomUp,HighEntropy
# Network Protection
Set-MpPreference -EnableNetworkProtection 1 # Block mode
Set-MpPreference -EnableControlledFolderAccess 1 # Protect Documents/Desktop
# Controlled Folder Access allowed apps
Add-MpPreference -ControlledFolderAccessAllowedApplications "C:\Program Files\App\app.exe"
# PUA Protection
Set-MpPreference -PUAProtection 1
# Cloud-delivered protection
Set-MpPreference -MAPSReporting Advanced
Set-MpPreference -SubmitSamplesConsent Always

# Check status
Get-MpComputerStatus | Select-Object RealTimeProtectionEnabled,
    OnAccessProtectionEnabled,
    BehaviorMonitorEnabled,
    AntivirusSignatureLastUpdated

# Defender Antivirus Exclusions (minimal!)
Add-MpPreference -ExclusionPath "C:\ProgramData\CustomApp\Logs"
Add-MpPreference -ExclusionProcess "CustomApp.exe"
```
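Settings applied once drift: a help-desk ticket switches an ASR rule to audit, an installer adds an exclusion, and nobody notices until an incident. The following script is an added example, not code from the original page: it reads the live Defender configuration with Get-MpPreference and Get-MpComputerStatus and compares it with the intended state from the block above, reporting every ASR rule that is missing or not in block mode, every protection feature that is off, stale signatures and every exclusion, so it can run as a scheduled compliance job. The expected rule set is the one listed above; the signature-age limit and the non-zero exit code on drift are assumptions.

```powershell
# Added example: Defender posture check against the intended configuration.

# Expected ASR rules and action (1 = Block); same GUIDs as the deployment block above
$ExpectedAsr = @{
    "75668C1F-73B5-4CF0-BB93-3ECF5CB7CC84" = 1   # Office: code injection into other processes
    "3B576869-A4EC-4529-8536-B800A3967B3B" = 1   # Office: creating executable content
    "D3E037E1-3EB8-44C8-A917-57927947596D" = 1   # JS/VBScript launching downloaded executables
    "D4F940AB-401B-4EFC-AADC-AD5F3C50688A" = 1   # Office: child processes
    "5BEB7EFE-FD9A-4556-801D-A275C435748C" = 1   # obfuscated scripts
    "92E97FA1-2EDF-4476-BDD6-9DD0B4DDDC7B" = 1   # Win32 API calls from Office macros
    "D1E49AAC-8F56-4280-B9BA-993A6D77406C" = 1   # process creation from PSExec/WMI
    "9E6C4E1F-7D60-472F-BA1A-A39EF4210F4A" = 1   # credential theft from lsass.exe
    "E6DB77E5-3DF2-4CF1-B95A-636979351E5B" = 1   # persistence via WMI event subscription
}
$ActionName = @{ 0 = "Off"; 1 = "Block"; 2 = "Audit"; 6 = "Warn" }
$MaxSignatureAgeDays = 1   # assumption

$Pref     = Get-MpPreference
$Status   = Get-MpComputerStatus
$Findings = [System.Collections.Generic.List[string]]::new()

# 1. ASR rules: every expected rule present and in the expected (block) mode.
#    Ids and Actions are parallel arrays; $null.Count is 0, so an empty config is handled.
$Configured = @{}
for ($i = 0; $i -lt $Pref.AttackSurfaceReductionRules_Ids.Count; $i++) {
    $Configured[$Pref.AttackSurfaceReductionRules_Ids[$i].ToUpper()] = [int]$Pref.AttackSurfaceReductionRules_Actions[$i]
}
foreach ($rule in $ExpectedAsr.GetEnumerator()) {
    $actual = $Configured[$rule.Key.ToUpper()]
    if ($null -eq $actual) {
        $Findings.Add("ASR $($rule.Key): not configured")
    } elseif ($actual -ne $rule.Value) {
        $Findings.Add("ASR $($rule.Key): $($ActionName[$actual]), expected $($ActionName[$rule.Value])")
    }
}

# 2. Protection features that must be on
$Checks = @(
    @{ Name = "Real-time protection";     Ok = [bool]$Status.RealTimeProtectionEnabled },
    @{ Name = "Behavior monitoring";      Ok = [bool]$Status.BehaviorMonitorEnabled },
    @{ Name = "Network protection";       Ok = ($Pref.EnableNetworkProtection -eq 1) },
    @{ Name = "Controlled folder access"; Ok = ($Pref.EnableControlledFolderAccess -eq 1) },
    @{ Name = "PUA protection";           Ok = ($Pref.PUAProtection -eq 1) },
    @{ Name = "Cloud protection (MAPS)";  Ok = ($Pref.MAPSReporting -eq 2) },   # 2 = Advanced
    @{ Name = "Signatures up to date";    Ok = ($Status.AntivirusSignatureAge -le $MaxSignatureAgeDays) }
)
foreach ($c in $Checks) {
    if (-not $c.Ok) { $Findings.Add("$($c.Name): not enabled or out of date") }
}

# 3. Exclusions: each one is a blind spot, so every entry is reported for review
foreach ($ex in @($Pref.ExclusionPath) + @($Pref.ExclusionProcess) + @($Pref.ExclusionExtension)) {
    if ($ex) { $Findings.Add("Exclusion present: $ex") }
}

if ($Findings.Count -eq 0) {
    "Defender configuration matches the baseline"
} else {
    "Defender configuration drift on $env:COMPUTERNAME:"
    $Findings | ForEach-Object { "  - $_" }
    exit 1   # non-zero exit so a scheduler or RMM tool can alert on drift (assumption)
}
```

Exclusions are reported rather than judged because whether "C:\ProgramData\CustomApp\Logs" is acceptable is a decision for the owner of that application; the point is that every exclusion is visible in the compliance output instead of hiding in the registry.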
```powershell
# Windows Defender Firewall (GPO)
Set-NetFirewallProfile -Profile Domain,Public,Private -Enabled True
Set-NetFirewallProfile -Profile Domain,Public,Private -DefaultInboundAction Block -DefaultOutboundAction Allow
```
Windows Security Checklist
Active Directory
☐ Tier model implemented (0/1/2)
☐ Privileged Access Workstations deployed
☐ Fine-grained password policies configured
☐ Authentication policies/silos enabled
☐ LAPS deployed on all machines
☐ AD Recycle Bin enabled
Endpoint Protection
☐ Credential Guard enabled (UEFI lock)
☐ Device Guard / HVCI enabled
☐ Defender for Endpoint onboarded
☐ ASR rules enabled (block mode)
☐ Application Control (WDAC/AppLocker)
☐ Exploit protection configured