Limit user accounts from logging in locally to domain controllers
- By default, only administrator accounts and administrator-type groups can log on locally to domain controllers. Over time, services, applications and errant configurations grant this right to additional users and groups. As you can imagine, this is not a good configuration, because anyone who can log on locally to a domain controller is one step from controlling the domain.
Limit the Administrator account from accessing domain controllers from across the network
- By default, the Administrator user account is allowed to access domain controllers from across the network. Since it is a best practice not to use this account for daily tasks, there is no reason for it to hold this right. A separate account with administrative privileges should be created to perform these tasks.
- It is common practice among network admins, and among product vendors, to use the Administrator account as a service account. This is a bad practice, because the account is then in use every minute of every day by the service. This exposure of the account is unnecessary and should be removed by creating a dedicated user account for each service running on the network, with only the rights that service needs.
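The two recommendations above are checks a domain administrator can run rather than take on faith. The following PowerShell script is an added example (it is not from the original article or its author): it exports the effective user-rights assignment on a domain controller with secedit, reports who holds "Allow log on locally" (SeInteractiveLogonRight) and "Access this computer from the network" (SeNetworkLogonRight), flags local-logon holders beyond the domain controller defaults, checks whether the built-in Administrator account is explicitly denied network logon (SeDenyNetworkLogonRight), and lists services whose logon account is Administrator. It assumes it is run in an elevated session on the domain controller, that `$env:USERDOMAIN` resolves to the domain's NetBIOS name, and that the five operator groups listed are the default holders of the local-logon right on a domain controller.

```powershell
# Added example, not from the original article: audit which principals hold the
# two user rights discussed above on this domain controller, and find services
# that run under the built-in Administrator account. Run elevated on a DC.
# Assumptions: secedit.exe and CIM are available (true on Windows Server), and
# $env:USERDOMAIN is the NetBIOS name of the domain this DC belongs to.

$ErrorActionPreference = 'Stop'

# 1. Export only the user-rights area of the effective local security policy.
$inf = Join-Path $env:TEMP 'dc-user-rights.inf'
& secedit.exe /export /cfg $inf /areas USER_RIGHTS /quiet | Out-Null

# 2. Parse the [Privilege Rights] section: "SeXxxRight = *S-1-...,*S-1-...".
#    secedit writes SIDs with a leading '*'; names it could not convert stay as text.
$rights = @{}
foreach ($line in Get-Content -Path $inf) {
    if ($line -match '^\s*(Se\w+)\s*=\s*(.*)$') {
        $rights[$Matches[1]] = $Matches[2].Split(',') |
            ForEach-Object { $_.Trim().TrimStart('*') } |
            Where-Object { $_ }
    }
}
Remove-Item -Path $inf -Force

# Resolve a SID to DOMAIN\Name; leave names (or orphaned SIDs) untouched.
function Resolve-Principal([string]$Id) {
    try {
        if ($Id -like 'S-1-*') {
            return ([System.Security.Principal.SecurityIdentifier]$Id).Translate(
                [System.Security.Principal.NTAccount]).Value
        }
        return $Id
    } catch { return $Id }
}

# 3. "Allow log on locally": flag anything beyond the DC defaults (assumed list).
$localDefaults = @(
    'S-1-5-32-544',  # BUILTIN\Administrators
    'S-1-5-32-548',  # BUILTIN\Account Operators
    'S-1-5-32-549',  # BUILTIN\Server Operators
    'S-1-5-32-550',  # BUILTIN\Print Operators
    'S-1-5-32-551'   # BUILTIN\Backup Operators
)
Write-Host "`n== Allow log on locally (SeInteractiveLogonRight) =="
foreach ($id in $rights['SeInteractiveLogonRight']) {
    $flag = if ($localDefaults -contains $id) { '   ' } else { '!! ' }   # '!!' = not a default holder
    Write-Host ("{0}{1}" -f $flag, (Resolve-Principal $id))
}

# 4. Network logon: who holds it, and is the built-in Administrator (RID 500)
#    explicitly denied, which is how the right is withheld from a group member.
$adminSid = ([System.Security.Principal.NTAccount]"$env:USERDOMAIN\Administrator").Translate(
    [System.Security.Principal.SecurityIdentifier]).Value
Write-Host "`n== Access this computer from the network (SeNetworkLogonRight) =="
foreach ($id in $rights['SeNetworkLogonRight']) {
    Write-Host ('   ' + (Resolve-Principal $id))
}
$denied = $rights['SeDenyNetworkLogonRight'] -contains $adminSid
Write-Host ("`nBuilt-in Administrator ({0}) explicitly denied network logon: {1}" -f $adminSid, $denied)

# 5. Services configured to log on as Administrator (DOMAIN\Administrator or .\Administrator).
Write-Host "`n== Services whose logon account is Administrator =="
Get-CimInstance -ClassName Win32_Service |
    Where-Object { $_.StartName -match '(\\|^)Administrator$' } |
    Select-Object Name, StartName, State, StartMode |
    Format-Table -AutoSize
```

Lines marked `!!` in the first section and any rows in the last section are the findings the article describes: extra principals with local logon, and services keeping the Administrator account in constant use. The network-logon check reports a deny entry rather than the absence of an allow entry because the Administrator account normally inherits the allow right through the Administrators group.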
Securing Windows domain controllers
- Step 1: Physical Access
- Step 2: Network Access
- Step 3: Domain Controller Communications
- Step 4: Location and Responsibilities of Domain Controllers in Active Directory
About the author:
Derek Melber, MCSE, MVP and CISM, is the director of compliance solutions for DesktopStandard Corp. He has written the only books on auditing Windows security available at The Institute of Internal Auditors' bookstore, and he also wrote the Group Policy Guide for Microsoft Press, the only book Microsoft has written on Group Policy. You can contact Melber at firstname.lastname@example.org.
Copyright 2005 TechTarget
This was first published in March 2006