The ANSSI document “Recommandations pour l’administration sécurisée des SI reposant sur Active Directory” provides comprehensive guidance to secure information systems (SI) that rely on Microsoft’s Active Directory (AD). It emphasizes that AD administration requires specific security measures due to AD’s critical role in centralizing user identities and access controls. The guide advocates for a logical segmentation or tiered isolation (cloisonnement) of the SI into zones of trust to limit attack surfaces and lateral movement by adversaries. It highlights that attackers can exploit various vectors, including storage, virtualization, and backup infrastructures, thus these must also be secured to protect AD’s sensitive data. The document offers a detailed methodology for identifying and isolating these zones and presents 89 concrete recommendations covering architecture, privileged access management, and authentication protocols. It is intended both for initial design and ongoing improvement of AD-based SI security and targets IT administrators, security officers, and architects to foster a security-conscious administration aligned with current threat landscapes.
Publication's URL
https://cyber.gouv.fr/publications/recommandations-pour-ladministration-securisee-des-si-reposant-sur-adAdditional documents on this topic
- CSA Agentic AI Identity and Access Management
- NIST SP 800-63-4 Digital Identity Guidelines
- ANSSI Cyber attacks and remediation : Remediation of active directory tier 0
- ANSSI Cyber threat overview 2024 (in 2025)
- NIST IR 8374 Rev. 1 Ransomware Risk Management: A Cybersecurity Framework 2.0 Community Profile