This is part one in a four- part series on Active Directory network security by expert Derek Melber.
A majority of companies have taken the plunge by installing Windows Active Directory in the enterprise and, for most companies, it is controlling the largest portion of the network. Microsoft has increased the default security within Active Directory, especially if you have a Windows Server 2003 Active Directory installation, but you still need to consider additional security settings after it is installed.
Domain controller security protection
Domain controllers are essential for your Windows Active Directory environment, and are responsible for many roles and services, including:
Authenticating computers and users at logon
Enforcing password, account lockout, and Kerberos policies
Centralized computer, user, and group storage and management
DNS database for Active Directory-integrated DNS zones
Group Policy storage and deployment
It is critical that domain controllers are running and protected in order for the Active Directory environment to remain functioning and stable. To protect domain controllers, you should consider the following areas of security protection:
Physical access - As obvious as it sounds, domain controllers need to be kept in a secure location that is only accessible by the IT staff. This includes having some form of physical entry control, such as a smart card or a retinal or fingerprint bioscan, for example. It also means that the facility that stores the domain controllers should have strict procedures, such as not leaving the server room door propped open at any time or not sharing security code access with any other users.
Challenge: I challenge all executives to try and beat the security of their server room. For example, arrive to work early and see if the server room door is ever propped open, or try to get an administrator to offer up a secure code to the server room in some form of social engineering ploy. It is always better for the security to be compromised by you rather than an enemy or intruder.
Network access - There are very sophisticated attackers that exist on your current network. You might not know who they are, but they are lurking at all times. The domain controllers need to be protected from such attackers at all costs. Examples of network protection that you should consider implementing include:
Use of Group Policy to secure domain controllers
Denial of anonymous user access
Use of IP Security for replicating Active Directory data
Limiting the LAN manager authentication protocols that are supported
Challenge: Try making an anonymous connection to one of your domain controllers and then using a tool like DumpSec, GetAccnt, or Winfingerprint to enumerate shared folders or user names. To create an anonymous connection just type the following at a command prompt: Net use \\<server ip address>ipc$ /u:"" ""
If it works, you've got a security problem in your network.
Protecting your domain controllers is at the core of protecting your Active Directory investment. Without your domain controllers you won't have your Active Directory network infrastructure. With exposed and unprotected domain controllers you also are at risk for attackers to enumerate shared folders and usernames, giving up valuable information that can be used to further attack the network.
Derek Melber, MCSE, MVP, and CISM, is the director of compliance solutions for DesktopStandard Corp. He has written the only books on auditing Windows security available at The Institute of Internal Auditors' bookstore and also wrote the Group Policy Guide for Microsoft Press -- the only book Microsoft has written on Group Policy. You can contact Melber at firstname.lastname@example.org.
This was first published in September 2005