It is a common adage that "if you can't protect the physical box, you don't have much protection of anything stored on the box." When it comes to domain controllers, the statement is even more true. I know this is an article on domain controllers, but this should be the case for all servers on the network. You must protect these computers so that no one has physical access to them. Here are some tips on how to accomplish this.
- Make sure all domain controllers are located in a secured server room.
- Use physical access controls at the server room door. This might include a door locking system that requires a code, key, card system, voice recognition or some other biometric.
- Require smart card access when logging on to the domain controllers. This form of two-factor authentication is becoming more popular and easier to configure for all systems, including domain controllers.
- Limit logging on to domain controllers to situations where there is a problem with the computer that can't be fixed remotely. This also means not leaving users logged on to the domain controllers.
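
One way to spot-check the last two tips locally on a domain controller, as an added PowerShell example that is not part of the original article. It assumes English-language `quser` output, and `$MaxIdleMinutes` is a hypothetical threshold chosen for illustration.

```powershell
# Added example: audit a domain controller for smart card enforcement and
# for users left logged on. Run locally on the DC.
$MaxIdleMinutes = 30   # assumption: illustrative threshold, not from the article

# The "Interactive logon: Require smart card" policy is stored as the
# scforceoption registry value (1 = smart card required).
$key = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
$sc  = (Get-ItemProperty -Path $key -ErrorAction SilentlyContinue).scforceoption
Write-Host ("Smart card required for interactive logon: {0}" -f ($sc -eq 1))

function ConvertTo-IdleMinutes([string]$Idle) {
    # quser prints 'none' or '.' when not idle, otherwise m, h:mm or d+hh:mm
    if ($Idle -match '^(?:(\d+)\+)?(?:(\d+):)?(\d+)$') {
        return [int]$Matches[1] * 1440 + [int]$Matches[2] * 60 + [int]$Matches[3]
    }
    return 0
}

# quser lists interactive and Remote Desktop sessions; skip its header row.
# When nobody is logged on it writes only to stderr, which is discarded here.
$sessions = foreach ($line in @(quser 2>$null | Select-Object -Skip 1)) {
    # Drop the leading '>' marker or space, then split on runs of 2+ spaces
    $f = @($line.Substring(1).Trim() -split '\s{2,}')
    # A disconnected session has an empty SESSIONNAME column: re-insert it
    if ($f.Count -eq 5) { $f = @($f[0], '') + $f[1..4] }
    [pscustomobject]@{
        User        = $f[0]
        Session     = $f[1]
        State       = $f[3]
        IdleMinutes = ConvertTo-IdleMinutes $f[4]
        LogonTime   = $f[5]
    }
}

# Report sessions that were disconnected without logging off, or left idle
$sessions | Where-Object {
    $_.State -eq 'Disc' -or $_.IdleMinutes -ge $MaxIdleMinutes
}
```

Any session this returns is a user still logged on to the domain controller; an empty result together with `True` on the first line means both tips are being followed at the moment of the check.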
Securing Windows domain controllers
Step 1: Physical Access
Step 2: Network Access
Step 3: Domain Controller Communications
Step 4: Location and Responsibilities of Domain Controllers in Active Directory
ABOUT THE AUTHOR:
Derek Melber, MCSE, MVP and CISM, is the director of compliance solutions for DesktopStandard Corp. He has written the only books on auditing Windows security available at The Institute of Internal Auditors' bookstore, and he also wrote the Group Policy Guide for Microsoft Press -- the only book Microsoft has written on Group Policy. You can contact Melber at email@example.com.
Copyright 2005 TechTarget
This was first published in March 2006