Recently I was having a discussion with another Cloud Solutions Architect about hosting domain controllers in Azure and how to protect them. I thought I would post some of the best practices that we discussed:
- Review the guide for hosting Active Directory domain controllers in Azure.
- Use a dedicated Azure storage account for Active Directory domain controller disks.
- Ensure that the storage container for the domain controller’s OS and data disks is set to private access type (this is the default for new containers).
- Use role-based access control (RBAC) to limit who has access to manage the storage account and its access keys.
- Enable Azure Disk Encryption with key encryption key (KEK) for both the operating system and data disks. This will utilize Azure Key Vault for storing the keys. The Key Vault must reside in the same Azure region and subscription as the virtual machine.
- Use RBAC to limit who has access to manage the Key Vault.
- Keep domain controllers in their own virtual network subnet.
- Implement an inbound deny-all network security group rule on the domain controller subnet, then add higher-priority rules that allow only the ports the domain controllers actually require.
- Set a static private IP for the domain controller on its network interface using PowerShell or the Azure Management Portal. Never set a static IP address directly in the operating system: the Azure fabric hands the reserved address to the VM over DHCP, so the operating system must always be left configured for DHCP.
- Do not set public IP addresses on domain controllers.
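The following Az PowerShell script is an added example, not part of the original post, showing how the subnet, NSG, static-IP, storage, RBAC and disk-encryption practices above can be applied to a single domain controller VM. Every resource name, address range and object ID in it is an assumption (a placeholder you would replace), and the VM, virtual network, NIC, storage account and Key Vault are assumed to already exist. The allowed-port list is the standard set a domain controller serves (DNS, Kerberos, NTP, RPC, LDAP, SMB, Kerberos password change, LDAPS, Global Catalog and the dynamic RPC range); trim it to what your environment really uses.

```powershell
# Added example: apply the DC hardening practices with Az PowerShell.
# All names, prefixes and IDs below are assumptions, not values from the post.
$rg       = "rg-identity"                      # assumed resource group
$location = "eastus"
$vnetName = "vnet-hub"
$subnet   = "snet-domaincontrollers"           # dedicated DC subnet
$dcPrefix = "10.0.1.0/27"
$vmName   = "dc01"
$nicName  = "dc01-nic"
$dcIp     = "10.0.1.4"                         # first usable address; Azure reserves .0-.3
$clients  = "10.0.0.0/16"                      # address space allowed to reach the DC
$kvName   = "kv-dc-disks"                      # Key Vault in the same region/subscription as the VM
$kekName  = "dc-disk-kek"                      # RSA key already created in the vault
$stName   = "stdcdisks01"                      # dedicated storage account for DC disks
$dcAdmins = "<objectId-of-DC-admins-group>"    # placeholder: AAD group object ID

# 1. NSG: allow the AD ports from the corporate address space, deny all other inbound traffic.
$adPorts = @("53","88","123","135","389","445","464","636","3268","3269","49152-65535")
$rules = @()
$prio = 100
foreach ($proto in @("Tcp","Udp")) {
    $rules += New-AzNetworkSecurityRuleConfig -Name "Allow-AD-$proto" -Access Allow -Protocol $proto `
        -Direction Inbound -Priority $prio -SourceAddressPrefix $clients -SourcePortRange "*" `
        -DestinationAddressPrefix $dcPrefix -DestinationPortRange $adPorts
    $prio += 10
}
# Lowest-priority (highest number) rule: explicit deny-all inbound.
$rules += New-AzNetworkSecurityRuleConfig -Name "Deny-All-Inbound" -Access Deny -Protocol "*" `
    -Direction Inbound -Priority 4000 -SourceAddressPrefix "*" -SourcePortRange "*" `
    -DestinationAddressPrefix "*" -DestinationPortRange "*"
$nsg = New-AzNetworkSecurityGroup -ResourceGroupName $rg -Location $location -Name "nsg-dc" -SecurityRules $rules

# 2. Bind the NSG to the dedicated DC subnet.
$vnet = Get-AzVirtualNetwork -Name $vnetName -ResourceGroupName $rg
Set-AzVirtualNetworkSubnetConfig -VirtualNetwork $vnet -Name $subnet -AddressPrefix $dcPrefix `
    -NetworkSecurityGroup $nsg | Out-Null
$vnet | Set-AzVirtualNetwork | Out-Null

# 3. Static private IP reserved at the NIC (fabric) level and no public IP.
#    The guest OS keeps using DHCP; it receives $dcIp from the Azure fabric.
$nic = Get-AzNetworkInterface -Name $nicName -ResourceGroupName $rg
$nic.IpConfigurations[0].PrivateIpAllocationMethod = "Static"
$nic.IpConfigurations[0].PrivateIpAddress = $dcIp
$nic.IpConfigurations[0].PublicIpAddress = $null
$nic | Set-AzNetworkInterface | Out-Null

# 4. Storage account holding the DC disks: no anonymous (public) blob or container access.
Set-AzStorageAccount -ResourceGroupName $rg -Name $stName -AllowBlobPublicAccess $false | Out-Null

# 5. RBAC: management of the storage account and the Key Vault is scoped to the DC admins group.
$stId = (Get-AzStorageAccount -ResourceGroupName $rg -Name $stName).Id
$kv   = Get-AzKeyVault -VaultName $kvName -ResourceGroupName $rg
New-AzRoleAssignment -ObjectId $dcAdmins -RoleDefinitionName "Storage Account Contributor" -Scope $stId | Out-Null
New-AzRoleAssignment -ObjectId $dcAdmins -RoleDefinitionName "Key Vault Administrator" -Scope $kv.ResourceId | Out-Null

# 6. Azure Disk Encryption with a key encryption key (KEK) for OS and data disks.
Set-AzKeyVaultAccessPolicy -VaultName $kvName -ResourceGroupName $rg -EnabledForDiskEncryption
$kek = Get-AzKeyVaultKey -VaultName $kvName -Name $kekName
Set-AzVMDiskEncryptionExtension -ResourceGroupName $rg -VMName $vmName `
    -DiskEncryptionKeyVaultUrl $kv.VaultUri -DiskEncryptionKeyVaultId $kv.ResourceId `
    -KeyEncryptionKeyUrl $kek.Id -KeyEncryptionKeyVaultId $kv.ResourceId `
    -VolumeType All

# 7. Quick verification of the network-facing settings.
$check = Get-AzNetworkInterface -Name $nicName -ResourceGroupName $rg
if ($check.IpConfigurations[0].PublicIpAddress) { Write-Warning "DC still has a public IP attached" }
if ($check.IpConfigurations[0].PrivateIpAllocationMethod -ne "Static") { Write-Warning "DC private IP is not static" }
Get-AzVMDiskEncryptionStatus -ResourceGroupName $rg -VMName $vmName
```

Run it from a session already signed in with `Connect-AzAccount` and the correct subscription selected. Two points worth checking afterwards: the NSG allow rules only admit traffic from `$clients`, so any management jump host or peered network that must reach the DC needs to be inside that prefix or get its own rule, and `Set-AzVMDiskEncryptionExtension` reboots the VM, so run it in a maintenance window and confirm with `Get-AzVMDiskEncryptionStatus` that both OS and data volumes report as encrypted.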
Deploying domain controllers in Azure is an important step toward providing an organization with resilient identity. By taking the same precautions you would on-premises, you can have a safe and secure cloud environment. The best practices listed above are not an exhaustive list of all the configurations and settings you should implement to have a secure domain controller environment in the cloud. Please review all of the documentation and apply your own security requirements and standards to your cloud deployment.