Step 2: Network access

Domain controllers control the keys to your Windows kingdom. They need to be even more secure than your other servers. Ensure their security by following these steps from Active Directory expert Derek Melber.

Most attacks against your domain controllers will occur over the network. These attacks might originate from an existing desktop that has membership in the domain, or from a rogue desktop or laptop that is connected to the network. (Note: With wireless so predominant in most companies, attacks are now coming from the wireless network with the same aggressiveness as from the local network.) To protect against these attacks, you will need to make sure that the domain controllers are secured from users, intruders, and attackers who connect over the network. To help protect the domain controllers from these attacks, apply some of these techniques.

Limit user accounts from logging in locally to domain controllers

  • By default, only administrator accounts and administrator-type groups have the ability to log on locally to domain controllers. Through services, applications, and errant configurations, additional users and groups are granted this privilege. As you can imagine, this is not a good configuration.

Limit the Administrator account from accessing domain controllers from across the network

  • By default, the Administrator user account is configured to access domain controllers from across the network. Since it is a best practice not to use this account for daily tasks, there is no reason for this account to have this privilege. Another account with administrative privileges should be created to perform these tasks.

Use Administrator user account only for emergencies

  • It is a common practice among many network admins, as well as product vendors, to use the Administrator account as a service account. This is a bad practice, since the account is then being used every minute of every day by the service. This exposure of the account is not necessary and should be removed by creating a specific user account for each service running on the network.
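
One way to check the first two settings is to audit a user-rights export from a domain controller. The script below is an added example, not part of the original article. The function names, the allowlist of groups, the sample export (including its made-up domain SID and the `svc_backup` name), and the choice of the "Deny access to this computer from the network" right as the mechanism for the Administrator account are all assumptions.

```powershell
# Constructed sample of a user-rights export; the domain SID below is made up.
# Real input: secedit /export /cfg rights.inf /areas USER_RIGHTS
#             then pass (Get-Content rights.inf -Raw) as -InfText.
$sampleInf = @'
[Privilege Rights]
SeNetworkLogonRight = *S-1-1-0,*S-1-5-11,*S-1-5-32-544
SeInteractiveLogonRight = *S-1-5-32-544,*S-1-5-32-551,*S-1-5-21-1111111111-2222222222-3333333333-1604,svc_backup
SeDenyNetworkLogonRight = *S-1-5-32-546
'@

# Assumption: only these built-in groups should log on locally to a DC.
$allowedLocalLogon = @('S-1-5-32-544', 'S-1-5-32-551')  # Administrators, Backup Operators

function Get-UserRight {
    # Parse "SeXxxRight = *SID,*SID,name" lines into a right -> principals table.
    param([string]$InfText)
    $rights = @{}
    foreach ($line in $InfText -split "`r?`n") {
        if ($line -match '^\s*(Se\w+)\s*=\s*(.*)$') {
            $rights[$Matches[1]] = @($Matches[2] -split ',' |
                ForEach-Object { $_.Trim().TrimStart('*') } | Where-Object { $_ })
        }
    }
    $rights
}

function Test-DcUserRight {
    param([string]$InfText, [string[]]$AllowedLocalLogon)
    $rights = Get-UserRight -InfText $InfText
    # Anything beyond the allowlist was granted local logon by a service,
    # an application or a configuration mistake.
    foreach ($p in @($rights['SeInteractiveLogonRight'])) {
        if ($p -and $p -notin $AllowedLocalLogon) {
            [pscustomobject]@{ Right = 'SeInteractiveLogonRight'; Principal = $p
                               Finding = 'Unexpected local logon' }
        }
    }
    # The built-in Administrator always has RID 500. It gets network access via
    # the Administrators group, so limiting it means an explicit deny entry.
    $denied = @($rights['SeDenyNetworkLogonRight'])
    if (-not ($denied -match '^S-1-5-21-(\d+-){3}500$')) {
        [pscustomobject]@{ Right = 'SeDenyNetworkLogonRight'; Principal = 'RID 500 (Administrator)'
                           Finding = 'Network logon not denied' }
    }
}

Test-DcUserRight -InfText $sampleInf -AllowedLocalLogon $allowedLocalLogon |
    Format-Table -AutoSize
```

On the constructed sample this reports three findings: the account with RID 1604 and `svc_backup` holding local logon, and the absence of a network-logon deny for the RID 500 account.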


Securing Windows domain controllers

  Introduction
  Step 1: Physical Access
  Step 2: Network Access
  Step 3: Domain Controller Communications
  Step 4: Location and Responsibilities of Domain Controllers in Active Directory

ABOUT THE AUTHOR:
Derek Melber, MCSE, MVP and CISM, is the director of compliance solutions for DesktopStandard Corp. He has written the only books on auditing Windows security available at The Institute of Internal Auditors' bookstore, and he also wrote the Group Policy Guide for Microsoft Press -- the only book Microsoft has written on Group Policy. You can contact Melber at derekm@desktopstandard.com.
Copyright 2005 TechTarget
This was first published in March 2006