Tip

Challenge: Make sure you have a secure Active Directory network by securing domain controllers

This is part one in a four- part series on Active Directory network security by expert Derek Melber.

A majority of companies have taken the plunge by installing Windows Active Directory in the enterprise and, for most companies, it is controlling the largest portion of the network. Microsoft has increased the default security within Active Directory, especially if you have a Windows Server 2003 Active Directory installation, but you still need to consider additional security settings after it is installed.

Domain controller security protection

Domain controllers are essential for your Windows Active Directory environment, and are responsible for many roles and services, including:

Requires Free Membership to View

  • Authenticating computers and users at logon
  • Enforcing password, account lockout, and Kerberos policies
  • Centralized computer, user, and group storage and management
  • DNS database for Active Directory-integrated DNS zones
  • Group Policy storage and deployment

    It is critical that domain controllers are running and protected in order for the Active Directory environment to remain functioning and stable. To protect domain controllers, you should consider the following areas of security protection:

    Physical access - As obvious as it sounds, domain controllers need to be kept in a secure location that is only accessible by the IT staff. This includes having some form of physical entry control, such as a smart card or a retinal or fingerprint bioscan, for example. It also means that the facility that stores the domain controllers should have strict procedures, such as not leaving the server room door propped open at any time or not sharing security code access with any other users.

    Challenge: I challenge all executives to try and beat the security of their server room. For example, arrive to work early and see if the server room door is ever propped open, or try to get an administrator to offer up a secure code to the server room in some form of social engineering ploy. It is always better for the security to be compromised by you rather than an enemy or intruder.

    Network access - There are very sophisticated attackers that exist on your current network. You might not know who they are, but they are lurking at all times. The domain controllers need to be protected from such attackers at all costs. Examples of network protection that you should consider implementing include:

  • Use of Group Policy to secure domain controllers
  • Denial of anonymous user access
  • Use of IP Security for replicating Active Directory data
  • Limiting the LAN manager authentication protocols that are supported

    Challenge: Try making an anonymous connection to one of your domain controllers and then using a tool like DumpSec, GetAccnt, or Winfingerprint to enumerate shared folders or user names. To create an anonymous connection just type the following at a command prompt: Net use \\<server ip address>ipc$ /u:"" ""

    If it works, you've got a security problem in your network.

    Summary

    Protecting your domain controllers is at the core of protecting your Active Directory investment. Without your domain controllers you won't have your Active Directory network infrastructure. With exposed and unprotected domain controllers you also are at risk for attackers to enumerate shared folders and usernames, giving up valuable information that can be used to further attack the network.


    Derek Melber, MCSE, MVP, and CISM, is the director of compliance solutions for DesktopStandard Corp. He has written the only books on auditing Windows security available at The Institute of Internal Auditors' bookstore and also wrote the Group Policy Guide for Microsoft Press -- the only book Microsoft has written on Group Policy. You can contact Melber at derekm@desktopstandard.com.

    This was first published in September 2005

    There are Comments. Add yours.

     
    TIP: Want to include a code block in your comment? Use <pre> or <code> tags around the desired text. Ex: <code>insert code</code>

    REGISTER or login:

    Forgot Password?
    By submitting you agree to receive email from TechTarget and its partners. If you reside outside of the United States, you consent to having your personal data transferred to and processed in the United States. Privacy
    Sort by: OldestNewest

    Forgot Password?

    No problem! Submit your e-mail address below. We'll send you an email containing your password.

    Your password has been sent to:

    Disclaimer: Our Tips Exchange is a forum for you to share technical advice and expertise with your peers and to learn from other enterprise IT professionals. TechTarget provides the infrastructure to facilitate this sharing of information. However, we cannot guarantee the accuracy or validity of the material submitted. You agree that your use of the Ask The Expert services and your reliance on any questions, answers, information or other materials received through this Web site is at your own risk.