Checklist: Secure domain controller settings

Don't get overwhelmed by the number of domain controller settings and Group Policy options. Active Directory expert Derek Melber reveals his list of essential settings for your domain controller's security.

In order to protect domain controllers from local and network attacks, you should use Group Policy settings. Ideally, you will modify the Default Domain Controllers Policy or create a new Group Policy Object (GPO) and link it to the Domain Controllers organizational unit (OU). In either case, you should configure the following settings to protect your domain controllers.

Checklist: Primary settings for securing Domain Controllers

These settings exist under the Computer Configuration|Windows Settings|Security Settings|Local Policies|User Rights Assignment node:
- Allow log on locally
- Access this computer from the network

These settings exist under the Computer Configuration|Windows Settings|Security Settings|Local Policies|Security Options node:
- Domain controller: LDAP server signing requirements
- Domain member: Digitally encrypt or sign secure channel data
- Network access: Allow anonymous SID/Name translation
- Network access: Do not allow anonymous enumeration of SAM accounts and shares
- Network access: Let Everyone permissions apply to anonymous users

These settings can help protect domain controllers from various attacks. Be sure to test each setting before putting it into your production environment. Not all third-party products are designed to support proper credential authentication. These settings will prohibit anonymous connections to domain controllers, which is highly desirable.
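One way to check a domain controller against the checklist before and after a change is to audit a `secedit` policy export. This is an added example, not part of the original article: the expected values, the mapping of the "Domain member" item to the `RequireSignOrSeal` ("always") value, and the Everyone/Anonymous Logon test on the two user rights are assumptions of this example, and the export shown is constructed sample data.

```powershell
# Constructed sample export, not from a real system. On a DC, produce the real one with
#   secedit /export /cfg dc.inf /areas SECURITYPOLICY USER_RIGHTS
# and load it with: $inf = Get-Content dc.inf -Raw
$inf = @'
[System Access]
LSAAnonymousNameLookup = 1
[Registry Values]
MACHINE\System\CurrentControlSet\Services\NTDS\Parameters\LDAPServerIntegrity=4,1
MACHINE\System\CurrentControlSet\Services\Netlogon\Parameters\RequireSignOrSeal=4,1
MACHINE\System\CurrentControlSet\Control\Lsa\RestrictAnonymous=4,0
MACHINE\System\CurrentControlSet\Control\Lsa\EveryoneIncludesAnonymous=4,0
[Privilege Rights]
SeInteractiveLogonRight = *S-1-5-32-544,*S-1-5-32-549
SeNetworkLogonRight = *S-1-1-0,*S-1-5-32-544,*S-1-5-11
'@

# Flatten every "name = value" line into a lookup table; section headers do not match.
$cfg = @{}
foreach ($line in $inf -split '\r?\n') {
    if ($line -match '^\s*([^\[=]+?)\s*=\s*(.*)$') { $cfg[$Matches[1]] = $Matches[2].Trim() }
}

# Security Options. Expected values are this example's assumed hardened state
# (the checklist names the settings, not their values); "4," marks a REG_DWORD.
$options = [ordered]@{
    'Domain controller: LDAP server signing requirements' = @('MACHINE\System\CurrentControlSet\Services\NTDS\Parameters\LDAPServerIntegrity', '4,2')
    'Domain member: Digitally encrypt or sign secure channel data' = @('MACHINE\System\CurrentControlSet\Services\Netlogon\Parameters\RequireSignOrSeal', '4,1')
    'Network access: Allow anonymous SID/Name translation' = @('LSAAnonymousNameLookup', '0')
    'Network access: Do not allow anonymous enumeration of SAM accounts and shares' = @('MACHINE\System\CurrentControlSet\Control\Lsa\RestrictAnonymous', '4,1')
    'Network access: Let Everyone permissions apply to anonymous users' = @('MACHINE\System\CurrentControlSet\Control\Lsa\EveryoneIncludesAnonymous', '4,0')
}
$report = foreach ($name in $options.Keys) {
    $key, $want = $options[$name]
    # A setting missing from the export shows an empty Actual and fails the check.
    [pscustomobject]@{ Setting = $name; Expected = $want; Actual = $cfg[$key]; Pass = ($cfg[$key] -eq $want) }
}

# User Rights Assignment: assumed check that neither right is held by
# Everyone (S-1-1-0) or Anonymous Logon (S-1-5-7).
$rights = [ordered]@{
    'Allow log on locally'                  = 'SeInteractiveLogonRight'
    'Access this computer from the network' = 'SeNetworkLogonRight'
}
$report += foreach ($name in $rights.Keys) {
    $holders = @("$($cfg[$rights[$name]])" -split ',' | ForEach-Object { $_.Trim() })
    $bad = @($holders | Where-Object { $_ -in '*S-1-1-0', '*S-1-5-7' })
    [pscustomobject]@{ Setting = $name; Expected = 'no Everyone/Anonymous'; Actual = $holders -join ','; Pass = ($bad.Count -eq 0) }
}
$report | Format-Table -AutoSize -Wrap
```

Running the same audit on a test domain controller after linking the GPO, and again after exercising third-party products against it, gives a before/after record for each setting.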

Read more about domain controller settings in Derek's step-by-step guide.

About the author

Derek Melber, MCSE, MVP and CISM, is the director of compliance solutions for DesktopStandard Corp. He has written the only books on auditing Windows security available at The Institute of Internal Auditors' bookstore, and he also wrote the Group Policy Guide for Microsoft Press -- the only book Microsoft has written on Group Policy.
