To increase the security of domain controllers communicating with one another on the network, you can use the Group Policy settings for IPSec. IPSec protects and encrypts computer-to-computer communications. It should not be used for all communications to and from domain controllers, but there are two specific scenarios where it is suggested to help increase the security of domain controllers.
First, domain controller communication and replication can be configured to use IPSec. This protects all information sent from one domain controller to another when the Active Directory database is synchronized. Since the synchronized data includes information about user accounts, group accounts, and group policy, it is not a bad idea to protect this communication. IPSec encrypts this RPC traffic as it travels from one domain controller to another. Beyond encrypting the data, IPSec performs mutual authentication, so each domain controller must prove its identity to the other before any replication data is exchanged.
Second, if the domain controllers communicate across an unprotected network, you can use IPSec to send the information through a protected tunnel. The overall protection of the data is the same as before; the difference is that in the tunnel the packets are encapsulated, which adds protection against an attacker trying to read the information carried in the packets. The IPSec tunnel does require some
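The first scenario above, as an added example that is not from the original article: on Windows Server 2012 or later the same Group Policy IPSec settings can be written with the NetSecurity cmdlets into a GPO linked to the Domain Controllers OU. The domain name, GPO name and domain controller addresses are assumptions, and the verification cmdlets at the end are the check a practitioner runs on a domain controller after the policy applies.

```powershell
# Added example, not the article's own configuration. Assumed values:
# two domain controllers and a GPO named "DC-IPsec-Transport" in corp.example.
$dcAddresses = @('10.0.0.10', '10.0.0.11')          # constructed sample addresses
$policyStore = 'corp.example\DC-IPsec-Transport'   # "<domain>\<GPO name>"

# Mutual machine authentication with Kerberos: each domain controller proves
# its identity to the peer before any replication data is exchanged.
$authProposal = New-NetIPsecAuthProposal -Machine -Kerberos
$phase1 = New-NetIPsecPhase1AuthSet -DisplayName 'DC Kerberos machine auth' `
    -Proposal $authProposal -PolicyStore $policyStore

# Transport-mode rule scoped to DC-to-DC traffic only, so that member servers
# and workstations are unaffected. The RPC replication payload is encrypted
# end to end between the two domain controllers.
# Start with 'Request' while validating: a DC that cannot negotiate IPSec
# under 'Require' simply stops replicating. Switch to 'Require' once every
# DC shows established security associations (see the checks below).
New-NetIPsecRule -DisplayName 'DC-to-DC replication (transport)' `
    -Mode Transport `
    -LocalAddress $dcAddresses -RemoteAddress $dcAddresses `
    -Phase1AuthSet $phase1.Name `
    -InboundSecurity Request -OutboundSecurity Request `
    -PolicyStore $policyStore

# Verification on a domain controller after the GPO has applied:
# a main-mode SA with the peer DC (FirstId/SecondId are the Kerberos
# machine identities) and quick-mode SAs actually carrying the traffic.
Get-NetIPsecMainModeSA |
    Select-Object LocalEndpoint, RemoteEndpoint, FirstId, SecondId
Get-NetIPsecQuickModeSA |
    Select-Object LocalEndpoint, RemoteEndpoint, EncapsulationMode, EspEncryption
```

If no quick-mode SAs appear for a peer while the rule is in Request mode, that peer is still replicating in the clear, which is exactly the case that Require mode would turn into a replication outage.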
Securing Windows domain controllers
Step 1: Physical Access
Step 2: Network Access
Step 3: Domain Controller Communications
Step 4: Location and Responsibilities of Domain Controllers in Active Directory
ABOUT THE AUTHOR:
Derek Melber, MCSE, MVP and CISM, is the director of compliance solutions for DesktopStandard Corp. He has written the only books on auditing Windows security available at The Institute of Internal Auditors' bookstore, and he also wrote the Group Policy Guide for Microsoft Press -- the only book Microsoft has written on Group Policy. You can contact Melber at email@example.com.
Copyright 2005 TechTarget
This was first published in March 2006