Microsoft released a detailed technical reference document, "Best Practices for Securing Active Directory."
It provides a practitioner’s perspective and contains a set of practical techniques to help IT executives protect an enterprise Active Directory environment.
The methods discussed are based largely on the experience of the Microsoft Information Security and Risk Management (ISRM) organization, which is accountable for protecting the assets of Microsoft IT and other Microsoft Business Divisions, in addition to advising a selected number of Microsoft Global 500 customers.
Key tenets of this paper are understanding the avenues for establishing a healthy Active Directory, implementing monitoring systems, taking actions to reduce the attack surface, and managing a resilient environment.
This risk-based approach assumes that the corporate infrastructure, and more specifically the Active Directory, is a critical target. With this mindset, resiliency and recovery become critical components of an Active Directory protection program.