2.11.4 Internal Security
Internal security is the means by which the Active Directory system ensures its own security, including the steps that other entities that interact with the system have to take to protect the security of the system.
To protect its own security, the Active Directory system uses the mechanisms described in sections 2.11.1, 2.11.2, and 2.11.3 to enforce access controls, protect communications, and protect its configuration. The system times out operations that consume an excessive amount of directory service resources or that otherwise interfere with the directory service's ability to respond to requests from other clients.
Other systems that interact with the Active Directory system can take the following steps to protect the security of this system:
Use the service principal names (SPNs) defined in [MS-DRSR] sections 2.2.3.2, 2.2.3.3, 2.2.4.2, and 2.2.4.3 to perform mutual authentication against the directory service.
Use the mechanisms that are available in the protocols to provide integrity and confidentiality of the messages.
When performing a request against the directory service on behalf of a less-trusted component, validate any input from the less-trusted component to protect against a luring attack, in which the less-trusted component tries to get the more-trusted component to perform an operation of the less-trusted component's choice against the directory service.
Avoid performing queries against the directory service that take an excessive amount of time to satisfy; for example, queries that require the directory service to walk through tens of thousands of entries to find a matching entry.
Avoid opening an excessive number of simultaneous connections to the directory service. Each connection consumes resources on the directory service. A single client that opens a large number of connections can reduce the number of clients that the directory service can simultaneously service.
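The measures listed above, worked through as client-side guards in Python. This is an added example, not code from [MS-ADSO] or from any Microsoft component, and it never contacts a directory: it shows the checks a more-trusted component can apply before a request leaves it. The set of indexed attributes, the size-limit ceiling, the connection cap and the ldap/<fqdn> SPN form are assumptions for the example (the SPN forms themselves are defined in [MS-DRSR], which this block does not reproduce); the filter escaping follows RFC 4515.

```python
"""Client-side guards for requests to a directory service (added example; values assumed)."""
import re
import threading

# --- Input from a less-trusted component: escape it before it reaches a filter (RFC 4515) ---
# These are the characters that carry syntactic meaning inside a filter value.
_FILTER_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\0": r"\00"}


def escape_filter_value(value: str) -> str:
    """Encode the special characters so the text can only ever be a literal value."""
    return "".join(_FILTER_ESCAPES.get(ch, ch) for ch in value)


def build_user_filter(untrusted_name: str) -> str:
    """Filter the more-trusted component sends on behalf of the caller.

    The caller-supplied name is escaped, so it cannot close the clause and append
    clauses of its own choosing (the luring case described in the text)."""
    return f"(&(objectClass=user)(sAMAccountName={escape_filter_value(untrusted_name)}))"


# --- Expensive queries: refuse filters the directory cannot satisfy from an index ---
# Assumed for this example; a real deployment takes this from its own schema.
INDEXED_ATTRIBUTES = {"sAMAccountName", "objectGUID", "objectSid", "distinguishedName", "cn"}

_SIMPLE_CLAUSE = re.compile(r"\(([A-Za-z][A-Za-z0-9-]*)=([^()]*)\)")


def is_bounded_search(filter_text: str, size_limit: int, max_size_limit: int = 1000) -> bool:
    """True if the filter is anchored on an indexed attribute and the result set is capped.

    A clause on an indexed attribute whose value does not begin with a wildcard lets the
    directory use an index instead of walking tens of thousands of entries. This policy
    is deliberately conservative: anything it cannot recognise as cheap is rejected."""
    if size_limit <= 0 or size_limit > max_size_limit:
        return False
    for attr, value in _SIMPLE_CLAUSE.findall(filter_text):
        if attr in INDEXED_ATTRIBUTES and value and not value.startswith("*"):
            return True
    return False


# --- Connections: a per-process budget so one client cannot starve the directory ---
class ConnectionBudget:
    """Caps the number of directory connections this process holds open at once."""

    def __init__(self, max_open: int) -> None:
        self.max_open = max_open
        self._slots = threading.BoundedSemaphore(max_open)

    def acquire(self) -> bool:
        """Take a slot without blocking; False means reuse an existing connection instead."""
        return self._slots.acquire(blocking=False)

    def release(self) -> None:
        """Return a slot when the connection is closed."""
        self._slots.release()


# --- Mutual authentication: derive the expected SPN from the host we intend to reach ---
def expected_spn(dc_fqdn: str) -> str:
    """The ldap/<fqdn> SPN form is assumed here. The client requests a ticket for this
    name, so only the directory server holding that identity can complete the handshake;
    the SPN is never taken from whatever the peer claims about itself."""
    return f"ldap/{dc_fqdn.lower()}"


if __name__ == "__main__":
    # Constructed input that tries to smuggle an extra clause into the filter.
    hostile = "alice)(objectClass=*"
    flt = build_user_filter(hostile)
    print(flt)                                        # the injected clause is now a literal
    print(is_bounded_search(flt, size_limit=1))       # True: anchored on sAMAccountName
    print(is_bounded_search("(description=*admin*)", 1))  # False: unindexed, leading wildcard
    budget = ConnectionBudget(max_open=2)
    print([budget.acquire() for _ in range(3)])       # [True, True, False]
    print(expected_spn("DC01.Example.com"))           # ldap/dc01.example.com
```

The escaping and the bounded-search check are independent on purpose: escaping stops the less-trusted component from changing the shape of the query, while the bounded-search check stops even a well-formed query from consuming excessive directory resources, which is the separate concern the last two items address.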