---
title: AD Connect security best practices
description: Keep your AD Connect configuration and data secure with the following tips and tools.
component: pingoneforenterprise
page_id: pingoneforenterprise:pingone_for_enterprise:p14e_adc_security_hardening_guide
canonical_url: https://docs.pingidentity.com/pingoneforenterprise/pingone_for_enterprise/p14e_adc_security_hardening_guide.html
revdate: March 30, 2023
section_ids:
  encrypt-configuration-files: Encrypt configuration files
  enable-iwa: Enable IWA
  use-userprincipalname-as-the-subject-attribute: Use userPrincipalName as the subject attribute
---

# AD Connect security best practices

Keep your AD Connect configuration and data secure with the following tips and tools.

## Encrypt configuration files

AD Connect stores configuration data in the following files:

* `AuthenticationAgent.exe.config`

* `Provisioner.exe.config`

* `Softwareupdater.exe.config`

> Note: These files contain sensitive data, such as the product key.

You can encrypt the sensitive sections of these files with the .NET Framework `aspnet_regiis.exe` utility (the ASP.NET IIS Registration Tool), which uses .NET protected configuration to encrypt a named section such as `appSettings` in place.

> Note: `aspnet_regiis.exe` only operates on a file named `web.config`, so for each configuration file you must:
>
> 1. Rename the configuration file to `web.config`.
> 2. Run `aspnet_regiis.exe` to encrypt the file.
> 3. Rename the file back to its original filename.

For more information, see [Encrypting and Decrypting Configuration Sections](https://docs.microsoft.com/en-us/previous-versions/zhhddkxy\(v=vs.140\)?redirectedfrom=MSDN) in the Microsoft documentation.

> Ping Identity does not test AD Connect with encrypted configuration files. Encrypting these files could cause unforeseen complications, and you do so at your own risk. Keep an unencrypted copy of each file before you encrypt it so that you can restore it if the encrypted file causes trouble; failing that, you can reinstall AD Connect.
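The three-step procedure above as one script, added here as an illustration rather than code from Ping Identity. It assumes the AD Connect install directory and that the product key lives in the `appSettings` section; check the actual `.config` files and adjust both values. It uses the DPAPI provider (`DataProtectionConfigurationProvider`), so it must be run from an elevated PowerShell on the AD Connect host itself, and the encrypted sections can only be decrypted on that host.

```powershell
# Added example, not Ping Identity code. Assumed values are marked; verify them
# against your installation before running. Run from an elevated PowerShell on
# the AD Connect host (DPAPI-encrypted sections only decrypt on that host).
$installDir = 'C:\Program Files\Ping Identity\AD Connect'   # assumed install path
$section    = 'appSettings'                                 # assumed section holding the product key
$regiis     = Join-Path $env:windir 'Microsoft.NET\Framework64\v4.0.30319\aspnet_regiis.exe'
$provider   = 'DataProtectionConfigurationProvider'         # DPAPI, machine scope
$files      = 'AuthenticationAgent.exe.config',
              'Provisioner.exe.config',
              'Softwareupdater.exe.config'

if (-not (Test-Path $regiis)) { throw "aspnet_regiis.exe not found at $regiis" }

# aspnet_regiis -pef only works on a file named web.config, so refuse to run if
# one is already present: the temporary rename below would clobber it.
$webConfig = Join-Path $installDir 'web.config'
if (Test-Path $webConfig) { throw "$webConfig already exists; move it aside first" }

foreach ($name in $files) {
    $path = Join-Path $installDir $name
    if (-not (Test-Path $path)) { Write-Warning "Skipping $name (not found)"; continue }

    [xml]$xml = Get-Content -Path $path -Raw
    $node = $xml.configuration.SelectSingleNode($section)
    if ($null -eq $node) { Write-Warning "Skipping $name (no <$section> section)"; continue }
    if ($node.GetAttribute('configProtectionProvider')) {
        Write-Host "$name is already encrypted"; continue
    }

    # Plain-text copy for rollback without reinstalling AD Connect.
    Copy-Item -Path $path -Destination "$path.bak" -Force

    # Step 1: rename to web.config (stop on failure so the finally block never
    # tries to rename a file that was not renamed).
    Rename-Item -Path $path -NewName 'web.config' -ErrorAction Stop
    try {
        # Step 2: encrypt the section in place.
        & $regiis -pef $section $installDir -prov $provider
        if ($LASTEXITCODE -ne 0) { throw "aspnet_regiis failed on $name (exit code $LASTEXITCODE)" }
    } finally {
        # Step 3: always restore the original name, even if encryption failed.
        Rename-Item -Path $webConfig -NewName $name
    }

    # Verify: the section must now carry the provider attribute and an <EncryptedData> child.
    [xml]$check = Get-Content -Path $path -Raw
    $enc = $check.configuration.SelectSingleNode($section)
    if ($enc.GetAttribute('configProtectionProvider') -ne $provider -or -not $enc.EncryptedData) {
        throw "$name does not look encrypted after aspnet_regiis ran"
    }
    Write-Host "Encrypted <$section> in $name"
}
```

Restart the AD Connect services afterward to confirm they start with the encrypted files. Because DPAPI machine-scope keys are available to every process on the host, this protects the product key against the files being copied elsewhere (backups, disk images), not against a local administrator. To roll back, restore the `.bak` copies, or repeat the rename and run `aspnet_regiis.exe -pdf` on the same section.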

## Enable IWA

If you enable Integrated Windows Authentication (IWA), users on your organization's network are authenticated through IWA: the browser authenticates to AD Connect with the user's existing Windows logon instead of the user typing an AD password into a sign-on form. This improves security by reducing the need to send user credentials over the internet.

However, IWA has trade-offs to consider. For example, users cannot sign out of PingOne for Enterprise in the usual way, because IWA automatically signs them back in.

For more information, see [Using IWA with browser clients](p14e_adc_using_iwa_browser_clients.html).

## Use `userPrincipalName` as the subject attribute

AD Connect can use either `sAMAccountName` or `userPrincipalName` as the subject attribute, the attribute that identifies the user to PingOne for Enterprise. `sAMAccountName` is unique only within a single Active Directory (AD) domain, whereas `userPrincipalName` is unique across all domains in the forest.

If your user population spans multiple AD domains, select `userPrincipalName` as the subject attribute. Otherwise two different users in different domains can share the same `sAMAccountName` (for example, `jsmith` in each domain) and would sign in with the same username.
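A check for the collision described above, added here as an example and not part of Ping Identity's tooling. It walks every domain in the forest with the RSAT `ActiveDirectory` module and reports `sAMAccountName` values that occur in more than one domain, duplicate `userPrincipalName` values, and accounts with no UPN at all (which could not sign in once UPN is the subject attribute). It assumes the account running it can read user objects in every domain.

```powershell
# Added example, not Ping Identity code. Assumes the RSAT ActiveDirectory module
# is installed and the caller can read user objects in every domain of the forest.
Import-Module ActiveDirectory

function Find-SubjectAttributeCollisions {
    param(
        # Forest to scan; defaults to the forest of the current computer.
        [string]$Forest = (Get-ADForest).Name
    )

    # Collect enabled users from every domain, tagging each with its domain so a
    # sAMAccountName seen in two domains can be told apart from a real duplicate.
    $users = foreach ($domain in (Get-ADForest -Identity $Forest).Domains) {
        Get-ADUser -Server $domain -Filter 'Enabled -eq $true' `
            -Properties sAMAccountName, userPrincipalName |
            Select-Object @{ n = 'Domain'; e = { $domain } }, sAMAccountName, userPrincipalName
    }

    # sAMAccountName is unique per domain only: the same value in two or more
    # domains is exactly the collision that makes it unsafe as the subject attribute.
    $samCollisions = $users | Group-Object sAMAccountName |
        Where-Object { ($_.Group.Domain | Sort-Object -Unique).Count -gt 1 }

    # userPrincipalName should be unique across the forest; report any duplicates
    # and any accounts with no UPN, since those cannot sign in by UPN.
    $upnDuplicates = $users | Where-Object userPrincipalName |
        Group-Object userPrincipalName | Where-Object Count -gt 1
    $missingUpn = $users | Where-Object { -not $_.userPrincipalName }

    [pscustomobject]@{
        UsersScanned               = $users.Count
        sAMAccountNameCollisions   = @($samCollisions | ForEach-Object { $_.Name })
        userPrincipalNameDuplicates = @($upnDuplicates | ForEach-Object { $_.Name })
        UsersWithoutUpn            = @($missingUpn | ForEach-Object { "$($_.Domain)\$($_.sAMAccountName)" })
    }
}

Find-SubjectAttributeCollisions | Format-List
```

Any name under `sAMAccountNameCollisions` is a user pair that would sign in with the same username if `sAMAccountName` were the subject attribute; any entry under `UsersWithoutUpn` needs a UPN set before switching the subject attribute to `userPrincipalName`.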

For more information, see [AD Connect final setup](p14e_adc_final_setup.html).
