Deploying secure domain controllers - Part 2


Improve the process for building new domain controllers and your system will be more secure and reliable than a similar system created without matured development processes would be. This concept is familiar to anyone in the design, architectural or programming arenas of IT, where improving the quality of the process results in improved product quality. Applying those principles to the procedure for building new domain controllers will result in more trustworthy domain controllers.

The first goal is to establish a defined procedure. This procedure must be written out and followed to the letter each and every time a new domain controller is built. This creates a repeatable and predictable build practice, which in turn provides a more secure end result. Yes, over time the procedure document will need to be updated to reflect changes to your environment, the existence of new patches and upgrades, and the selection of additional third-party or add-on applications and software. Once you have a detailed procedure, you should endeavor to automate as much of the build process as possible. Automation, especially from verified and protected system images, installation answer files, security templates, and software libraries, provides for a more secure installation by reducing the risk of rogue or malicious code being deposited on the system and reducing the likelihood of misconfiguration.
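The check below is an added example, not part of the original tip: one way to confirm that the images, answer files and security templates feeding an automated build are still the verified copies before the build starts. The manifest format, the file names and the `verify_build_inputs` function are assumptions made for illustration, and the file contents are constructed sample data.

```python
import hashlib
import tempfile
from pathlib import Path

def sha256_file(path):
    """Hash in 1 MiB blocks so a large disk image is never loaded whole."""
    digest = hashlib.sha256()
    with open(path, "rb") as handle:
        for block in iter(lambda: handle.read(1 << 20), b""):
            digest.update(block)
    return digest.hexdigest()

def parse_manifest(text):
    """Parse '<sha256 hex>  <relative path>' lines into {path: digest}."""
    entries = {}
    for line in text.splitlines():
        if line.strip() and not line.startswith("#"):
            digest, name = line.split(None, 1)
            entries[name.strip()] = digest.lower()
    return entries

def verify_build_inputs(root, manifest_text):
    """Return a list of problems; an empty list means the build may proceed."""
    root, expected, problems = Path(root), parse_manifest(manifest_text), []
    for name, digest in sorted(expected.items()):
        if not (root / name).is_file():
            problems.append("MISSING " + name)
        elif sha256_file(root / name) != digest:
            problems.append("MODIFIED " + name)
    # An unlisted file fails the check too: that is how rogue code rides along.
    present = {p.relative_to(root).as_posix() for p in root.rglob("*") if p.is_file()}
    problems += ["UNEXPECTED " + name for name in sorted(present - set(expected))]
    return problems

def demo():
    """Constructed sample: two hypothetical build inputs, checked, then tampered with."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "templates").mkdir()
        files = {"unattend.txt": b"[Unattended]\n", "templates/dc-baseline.inf": b"[Version]\n"}
        for name, data in files.items():
            (root / name).write_bytes(data)
        manifest = "".join(f"{sha256_file(root / n)}  {n}\n" for n in files)
        clean = verify_build_inputs(root, manifest)
        (root / "unattend.txt").write_bytes(b"[Unattended]\n; edited after sign-off\n")
        (root / "templates/dc-baseline.inf").unlink()
        (root / "setup-extra.cmd").write_bytes(b"rem not listed in the manifest\n")
        return clean, verify_build_inputs(root, manifest)

if __name__ == "__main__": print(demo())
```

Keep the manifest somewhere the writers of the build share cannot modify it; a manifest stored beside the files it describes only catches accidental changes.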

Keep in mind that Windows Server 2003 and Windows 2000 Server can be installed using unattended automated setup, Remote Installation Services (RIS) or drive imaging. However, drive imaging requires the use of a third-party disk cloning or imaging tool in addition to the native SYSPREP tool. SYSPREP simply configures a model system for cloning; it does not perform the actual disk imaging task. Since system imaging or cloning includes all installed software and configurations, it is considered the most secure form of automated installation. RIS does employ a type of imaging process, but its installation method occurs in stages, and thus it is slightly less secure. An unattended automated setup, which requires manual post-install configuration and application installation, is considered the least secure form of automated setup. But as stated earlier, any form of automation is more secure than a completely manual installation.

Also keep in mind that RIS and image-based deployment methods may require a high-speed network infrastructure and do not support upgrade installations.

In the next tip I'll discuss the issues of creating more secure image-based and answer file-based installation procedures.

James Michael Stewart is a partner and researcher for ITinfopros, a technology-focused writing and training organization.

This was first published in March 2004
