Most attacks against your domain controllers will occur over the network. These attacks might originate from an existing desktop that has membership in the domain, or from a rogue desktop or laptop that is connected to the network. (Note: With wireless so predominant in most companies, attacks are now coming from the wireless network with the same aggressiveness as from the local network.) To protect against these attacks, you need to make sure that the domain controllers are secured from users, intruders, and attackers who connect over the network. To help protect the domain controllers, apply some of these techniques.
Limit user accounts from logging in locally to domain controllers
- By default, only administrator accounts and administrator-type groups have the ability to log on locally to domain controllers. Through services, applications, and errant configurations, additional users and groups are granted this privilege. As you can imagine, this is not a good configuration.
Limit the Administrator account from accessing domain controllers from across the network
- By default the Administrator user account is configured to access domain controllers from across the network. Since it is a best practice to not use this account for daily tasks, there is no reason for this account to have this privilege. Another account should be created that has administrative privileges to perform these tasks.
Use Administrator user account only for emergencies
- It is a common practice by many network admins, as well as by product vendors, to use the Administrator account as a service account. This is a bad practice, since the account is then being used every minute of every day by the service. This exposure of the account is not necessary and should be removed by creating a specific user account for each service running on the network.
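The three techniques above map to user rights that can be audited from a `secedit /export /cfg rights.inf /areas USER_RIGHTS` export. The following is an added example, not part of the original article: it parses the `[Privilege Rights]` section and reports deviations. The sample export, the SIDs in it, and the allowlist of groups permitted to log on locally are constructed assumptions.

```python
import re

# Constructed sample of a secedit USER_RIGHTS export (SIDs are made up).
SAMPLE_INF = """\
[Unicode]
Unicode=yes
[Privilege Rights]
SeInteractiveLogonRight = *S-1-5-32-544,*S-1-5-32-551,*S-1-5-21-1111111111-2222222222-3333333333-1604
SeDenyNetworkLogonRight = *S-1-5-32-546
SeServiceLogonRight = *S-1-5-21-1111111111-2222222222-3333333333-500,svc_backup
[Version]
signature="$CHICAGO$"
"""

# Assumption: only these built-in groups should hold "Allow log on locally" on a DC.
ALLOWED_LOCAL_LOGON = {"S-1-5-32-544", "S-1-5-32-551"}  # Administrators, Backup Operators
# The built-in Administrator account: domain SID ending in RID 500, or its default name.
ADMIN_RID_500 = re.compile(r"^(S-1-5-21-\d+-\d+-\d+-500|Administrator)$", re.I)

def parse_privilege_rights(inf_text):
    """Return {right: [principal, ...]} from the [Privilege Rights] section."""
    rights, in_section = {}, False
    for line in inf_text.splitlines():
        line = line.strip()
        if line.startswith("["):
            in_section = line.lower() == "[privilege rights]"
        elif in_section and "=" in line:
            name, _, value = line.partition("=")
            rights[name.strip()] = [p.strip().lstrip("*") for p in value.split(",") if p.strip()]
    return rights

def audit(rights, allowed_local=ALLOWED_LOCAL_LOGON):
    """Check the three recommendations above; return a list of findings."""
    findings = []
    # 1. "Allow log on locally" should be held only by the expected groups.
    for p in rights.get("SeInteractiveLogonRight", []):
        if p not in allowed_local:
            findings.append(f"local logon granted to unexpected principal: {p}")
    # 2. Administrator should appear under "Deny access to this computer from the network".
    if not any(ADMIN_RID_500.match(p) for p in rights.get("SeDenyNetworkLogonRight", [])):
        findings.append("Administrator is not denied network access")
    # 3. Administrator holding "Log on as a service" suggests use as a service account.
    for p in rights.get("SeServiceLogonRight", []):
        if ADMIN_RID_500.match(p):
            findings.append(f"Administrator holds 'Log on as a service': {p}")
    return findings

if __name__ == "__main__":
    for finding in audit(parse_privilege_rights(SAMPLE_INF)):
        print(finding)
```

A real export is typically written as UTF-16, so open it with `encoding="utf-16"` before passing its text to `parse_privilege_rights`.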
ABOUT THE AUTHOR:
Derek Melber, MCSE, MVP and CISM, is the director of compliance solutions for DesktopStandard Corp. He has written the only books on auditing Windows security available at The Institute of Internal Auditors' bookstore, and he also wrote the Group Policy Guide for Microsoft Press -- the only book Microsoft has written on Group Policy. You can contact Melber at email@example.com.
Copyright 2005 TechTarget