In order to protect domain controllers from local and network attacks, you should use Group Policy settings. Ideally, you will modify the Default Domain Controllers Policy or create a new Group Policy Object (GPO) and link it to the Domain Controllers organizational unit (OU). In either case, you should configure the following settings to protect your domain controllers.
|Checklist: Primary settings for securing Domain Controllers|
|These settings exist under the Computer Configuration|Windows Settings|Security Settings|Local Policies|User Rights Assignment node.|
|Allow log on locally|
|Access this computer from the network|
|These settings exist under the Computer Configuration|Windows Settings|Security Settings|Local Policies|Security Options node.|
|Domain controller: LDAP server signing requirements|
|Domain member: Digitally encrypt or sign secure channel data|
|Network access: Allow anonymous SID/Name translation|
|Network access: Do not allow anonymous enumeration of SAM accounts and shares|
|Network access: Let Everyone permissions apply to anonymous users|
These settings can help protect domain controllers from various attacks. Be sure to test each setting before putting them into your production environment. Not all third party products are designed to support proper credential authentication. These settings will prohibit anonymous connections to domain controllers, which is highly desired.
Read more about domain controller settings in Derek's step-by-step guide.
About the author Derek Melber, MCSE, MVP and CISM, is the director of compliance solutions for DesktopStandard Corp. He has written the only books on auditing Windows security available at The Institute of Internal Auditors' bookstore, and he also wrote the Group Policy Guide for Microsoft Press -- the only book Microsoft has written on Group Policy. You can contact Melber at firstname.lastname@example.org.
This was first published in April 2006