Step-by-Step Guide

Step 3: Domain controller communications

To increase the security of domain controllers communicating with each other on the network, you can use the Group Policy settings related to IPSec. IPSec protects and encrypts computer-to-computer communications. IPSec should not be used for all communications to and from domain controllers, but there are two specific scenarios where it is recommended to increase the security of domain controllers.

First, domain controller communication and replication can be configured to use IPSec. This protects all information sent from one domain controller to another when the Active Directory database is synchronized. Since the synchronized data includes information about user accounts, group accounts and group policy, protecting this communication is well worth the effort. IPSec encrypts this RPC traffic when it is sent from one domain controller to another. Not only does IPSec encrypt the data, it also performs mutual authentication, which requires the domain controllers to verify their identities before exchanging the information.

Second, if the domain controllers are communicating across an unprotected network, you can use IPSec to send the information through a protected tunnel. The overall protection of the data is the same as before; the difference is that in the tunnel the packets are encapsulated, adding more protection against an attacker trying to read the information stored in the packets. The IPSec tunnel does require some additional settings in the Group Policy for each domain controller. The IPSec tunnel requires two rules, one for inbound traffic and one for outbound traffic. You might be tempted to use filter mirroring, but that won't work with this type of tunnel.
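As an added example (not from the original article, which describes the classic IP Security Policies snap-in), the following PowerShell writes both scenarios into a GPO as connection security rules using the Windows NetSecurity module available on Windows Server 2012 and later. The domain name, GPO name, rule names and IP addresses are assumed values, not anything from the article.

```powershell
# Added example, not from the original article: build the two IPSec scenarios
# described above as connection security rules stored in a GPO.
# All names and addresses are hypothetical: domain corp.example,
# GPO "DC IPsec Policy" linked to the Domain Controllers OU, DC1 10.0.1.10, DC2 10.0.2.10.
$store = 'corp.example\DC IPsec Policy'
$dc1   = '10.0.1.10'
$dc2   = '10.0.2.10'

# Mutual authentication: machine Kerberos, so only domain members can negotiate.
$authProposal = New-NetIPsecAuthProposal -Machine -Kerberos
New-NetIPsecPhase1AuthSet -Name 'DCKerberosAuth' -DisplayName 'DC Kerberos Auth' `
    -Proposal $authProposal -PolicyStore $store | Out-Null

# Quick-mode crypto: ESP with AES-256 encryption and SHA-256 integrity, so the
# replication (RPC) payload is encrypted, not merely authenticated.
$qmProposal = New-NetIPsecQuickModeCryptoProposal -Encapsulation ESP -Encryption AES256 -ESPHash SHA256
New-NetIPsecQuickModeCryptoSet -Name 'DCEspAes256' -DisplayName 'DC ESP AES-256' `
    -Proposal $qmProposal -PolicyStore $store | Out-Null

# Scenario 1: transport mode between the two DCs, required in both directions.
# Address filters can be mirrored here, so one rule covers both DCs.
New-NetIPsecRule -DisplayName 'DC-to-DC replication (transport)' -PolicyStore $store `
    -LocalAddress $dc1, $dc2 -RemoteAddress $dc1, $dc2 `
    -InboundSecurity Require -OutboundSecurity Require `
    -Phase1AuthSet 'DCKerberosAuth' -QuickModeCryptoSet 'DCEspAes256'

# Scenario 2: tunnel mode across an untrusted network. Tunnel endpoints cannot be
# mirrored, so one rule is created from each DC's point of view; each DC only
# matches the rule whose local side is its own address.
foreach ($pair in @(@($dc1, $dc2), @($dc2, $dc1))) {
    New-NetIPsecRule -DisplayName "DC tunnel $($pair[0]) -> $($pair[1])" -PolicyStore $store `
        -Mode Tunnel -LocalAddress $pair[0] -RemoteAddress $pair[1] `
        -LocalTunnelEndpoint $pair[0] -RemoteTunnelEndpoint $pair[1] `
        -InboundSecurity Require -OutboundSecurity Require `
        -Phase1AuthSet 'DCKerberosAuth' -QuickModeCryptoSet 'DCEspAes256'
}

# Check: list the rules stored in the GPO, then, on a DC after gpupdate /force,
# confirm that security associations actually formed with the peer DC.
Get-NetIPsecRule -PolicyStore $store | Format-Table DisplayName, Mode, InboundSecurity, OutboundSecurity
Get-NetIPsecMainModeSA  | Format-List LocalEndpoint, RemoteEndpoint
Get-NetIPsecQuickModeSA | Format-List LocalEndpoint, RemoteEndpoint
```

If no quick-mode SA appears after replication traffic has been generated, the usual causes are a missing Kerberos ticket for the peer machine account or the rule not being linked to the OU that contains both domain controllers.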


Securing Windows domain controllers

 Introduction
 Step 1: Physical Access
 Step 2: Network Access
 Step 3: Domain Controller Communications
 Step 4: Location and Responsibilities of Domain Controllers in Active Directory

ABOUT THE AUTHOR:
Derek Melber, MCSE, MVP and CISM, is the director of compliance solutions for DesktopStandard Corp. He has written the only books on auditing Windows security available at The Institute of Internal Auditors' bookstore, and he also wrote the Group Policy Guide for Microsoft Press -- the only book Microsoft has written on Group Policy. You can contact Melber at derekm@desktopstandard.com.
Copyright 2005 TechTarget

This was first published in March 2006
