Fortinet white logo
Fortinet white logo

Administration Guide

AD integration best practices

AD integration best practices

Active Directory (AD) is Microsoft's proprietary directory service. It runs on Windows Server and allows administrators to manage permissions and access to network resources. Active Directory stores data as objects. An object is a single element, such as a user, group, application; or device, such as a printer.

To detect AD attack using deception technology, use the following deception configuration example.

  • Deploy custom Windows decoys (Windows 10, 2016, 2019) and add them to the customer network domain.
Example of custom decoys in customer network domain
  • Add several custom Windows decoys to the customer network domain.
  • On the Windows domain, configure schedule task scripts to run using the fake users, such as the one from the cache credentials lure.
  • Add to each domain decoy the maximum number of IP addresses and ensure they are static IP addresses.
  • On the network DNS server, configure a decoy DNS.
    • Add DNS records to each decoy IP address.
    • Set up attractive hostnames for each decoy IP address. For more information, see Deception decoy best practices.
  • Deploy the SMB lure front in a domain decoy to avoid detection by tools like HoneyBuster.

AD integration best practices

AD integration best practices

Active Directory (AD) is Microsoft's proprietary directory service. It runs on Windows Server and allows administrators to manage permissions and access to network resources. Active Directory stores data as objects. An object is a single element, such as a user, group, application; or device, such as a printer.

To detect AD attack using deception technology, use the following deception configuration example.

  • Deploy custom Windows decoys (Windows 10, 2016, 2019) and add them to the customer network domain.
Example of custom decoys in customer network domain
  • Add several custom Windows decoys to the customer network domain.
  • On the Windows domain, configure schedule task scripts to run using the fake users, such as the one from the cache credentials lure.
  • Add to each domain decoy the maximum number of IP addresses and ensure they are static IP addresses.
  • On the network DNS server, configure a decoy DNS.
    • Add DNS records to each decoy IP address.
    • Set up attractive hostnames for each decoy IP address. For more information, see Deception decoy best practices.
  • Deploy the SMB lure front in a domain decoy to avoid detection by tools like HoneyBuster.