Step-by-Step Guide

Step 2: Network access

Most attacks against your domain controllers will occur over the network. These attacks might originate from an existing desktop that is a member of the domain, or from a rogue desktop or laptop that is connected to the network. (Note: With wireless so predominant in most companies, attacks are now coming from the wireless network with the same aggressiveness as from the local network.) To protect against these attacks, make sure that the domain controllers are secured against users, intruders, and attackers who connect over the network. Apply some of the following techniques to help.

Limit user accounts from logging in locally to domain controllers

  • By default, only administrator accounts and administrator-type groups have the ability to log on locally to domain controllers. Through services, applications, and errant configurations, additional users and groups are granted this privilege. As you can imagine, this is not a good configuration.

Limit the Administrator account from accessing domain controllers from across the network

  • By default, the Administrator user account is configured to access domain controllers from across the network. Since it is a best practice not to use this account for daily tasks, there is no reason for this account to have this privilege. Another account with administrative privileges should be created to perform these tasks.

Use Administrator user account only for emergencies

  • Many network admins, as well as product vendors, commonly use the Administrator account as a service account. This is a bad practice because the account is then being used every minute of every day by the service. This exposure of the account is not necessary and should be removed by configuring a specific user account for each service running on the network.
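
One way to audit the first two techniques above, as an added example that is not part of the original article: it parses a `secedit /export` user-rights file and reports principals outside a local-logon baseline, plus whether the built-in Administrator is denied network logon. The function names, the baseline list, the sample export and the mapping of the article's two privileges to SeInteractiveLogonRight and SeDenyNetworkLogonRight are assumptions made for illustration.

```powershell
# Added example. Real input comes from running this on the domain controller:
#   secedit /export /cfg C:\Temp\dc-rights.inf /areas USER_RIGHTS
# $SampleInf is a constructed sample of that export (SIDs and names are made up).
$SampleInf = @'
[Privilege Rights]
SeInteractiveLogonRight = *S-1-5-32-544,*S-1-5-32-551,*S-1-5-21-1111111111-2222222222-3333333333-1104,svc_backup
SeNetworkLogonRight = *S-1-5-32-544,*S-1-5-11
SeDenyNetworkLogonRight = *S-1-5-32-546
'@

# Assumed baseline for local logon: Administrators, Account/Server/Print/Backup Operators.
$AllowedLocalLogon = 'S-1-5-32-544', 'S-1-5-32-548', 'S-1-5-32-549', 'S-1-5-32-550', 'S-1-5-32-551'

function Get-UserRight {
    param([string]$InfText, [string]$Right)
    # Return the principals holding one right; SID entries lose their leading '*'.
    $pattern = '^\s*' + [regex]::Escape($Right) + '\s*=\s*(.*)$'
    foreach ($line in $InfText -split "`r?`n") {
        if ($line -match $pattern) {
            return @($Matches[1] -split ',' | ForEach-Object { $_.Trim().TrimStart('*') } | Where-Object { $_ })
        }
    }
}

function Test-DcLogonRights {
    param([string]$InfText)
    $findings = @()
    # Technique 1: flag every principal outside the baseline that can log on locally.
    foreach ($p in @(Get-UserRight $InfText 'SeInteractiveLogonRight')) {
        if ($AllowedLocalLogon -notcontains $p) {
            $findings += [pscustomobject]@{ Right = 'SeInteractiveLogonRight'; Principal = $p; Issue = 'Not in local logon baseline' }
        }
    }
    # Technique 2: the built-in Administrator (domain SID ending in -500) should be
    # listed under "Deny access to this computer from the network".
    $denied = @(Get-UserRight $InfText 'SeDenyNetworkLogonRight')
    if (-not ($denied -match '^S-1-5-21-[\d-]+-500$')) {
        $findings += [pscustomobject]@{ Right = 'SeDenyNetworkLogonRight'; Principal = 'Administrator (RID 500)'; Issue = 'Not denied network logon' }
    }
    $findings
}

Test-DcLogonRights -InfText $SampleInf | Format-Table -AutoSize
# For a real export: Test-DcLogonRights -InfText (Get-Content C:\Temp\dc-rights.inf -Raw)
```

Group membership is not expanded, so an Administrator account denied through a group, or an unwanted user admitted through one, needs a separate membership review.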


Securing Windows domain controllers

 Introduction
 Step 1: Physical Access
 Step 2: Network Access
 Step 3: Domain Controller Communications
 Step 4: Location and Responsibilities of Domain Controllers in Active Directory

ABOUT THE AUTHOR:
Derek Melber, MCSE, MVP and CISM, is the director of compliance solutions for DesktopStandard Corp. He has written the only books on auditing Windows security available at The Institute of Internal Auditors' bookstore, and he also wrote the Group Policy Guide for Microsoft Press -- the only book Microsoft has written on Group Policy. You can contact Melber at derekm@desktopstandard.com.
Copyright 2005 TechTarget

This was first published in March 2006
