
Deploying secure domain controllers - Part 2

Part two of this series looks at the need to establish consistent procedures for building secure domain controllers in Active Directory.


Improve the process for building new domain controllers and the resulting system will be more secure and reliable than one built without a mature development process. This concept is familiar to anyone in the design, architectural or programming arenas of IT, where improving the quality of the process improves the quality of the product. Applying those principles to the procedure for building new domain controllers will result in more trustworthy domain controllers.

The first goal is to establish a defined procedure. This procedure must be written out and followed to the letter each and every time a new domain controller is built. This creates a repeatable and predictable build practice, which in turn provides a more secure end result. Yes, over time the procedure document will need to be updated to reflect changes to your environment, the release of new patches and upgrades, and the selection of additional third-party or add-on applications and software. Once you have a detailed procedure, you should endeavor to automate as much of the build process as possible. Automation, especially from verified and protected system images, installation answer files, security templates and software libraries, provides a more secure installation by reducing the risk of rogue or malicious code being deposited on the system and reducing the likelihood of misconfiguration.

Keep in mind that Windows Server 2003 and Windows 2000 Server can be installed using unattended automated setup, Remote Installation Services (RIS) or drive imaging. However, drive imaging requires a third-party disk cloning or imaging tool in addition to the native SYSPREP tool: SYSPREP only configures a model system for cloning; it does not perform the actual disk imaging task. Since system imaging or cloning captures all installed software and configuration in one verified unit, it is considered the most secure form of automated installation. RIS does employ a type of imaging process, but its installation occurs in stages, and thus is slightly less secure. An unattended automated setup, which requires manual post-install configuration and application installation, is considered the least secure form of automated setup. But as stated earlier, any form of automation is more secure than a completely manual installation.

Also keep in mind that RIS and image-based deployment methods may require a high-speed network infrastructure and do not support upgrade installations.
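The "verified and protected" build library described above is only as trustworthy as the check that runs before each build. The following is an added example, not code from the original tip: it gates a domain controller build kit (answer file, security template, any image) on a SHA-256 manifest and refuses to proceed if an artifact is missing, altered, or not listed at all. The kit layout, file names and manifest format are assumptions for illustration; the sample kit is constructed in a temporary directory, and in practice the manifest would be signed and kept apart from the kit itself.

```python
import hashlib
import json
import tempfile
from pathlib import Path

def sha256_file(path: Path) -> str:
    """Hash an artifact in chunks so a full system image need not fit in memory."""
    digest = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 20), b""):
            digest.update(chunk)
    return digest.hexdigest()

def verify_build_kit(kit_dir: Path) -> tuple[bool, list[str]]:
    """Compare every artifact in manifest.json with its recorded SHA-256 and
    flag files in the kit that the manifest does not list: an unlisted file is
    exactly how unreviewed code would ride along into the build."""
    manifest = json.loads((kit_dir / "manifest.json").read_text())
    problems = []
    for name, expected in manifest["artifacts"].items():
        path = kit_dir / name
        if not path.is_file():
            problems.append(f"missing: {name}")
        elif sha256_file(path) != expected:
            problems.append(f"hash mismatch: {name}")
    listed = set(manifest["artifacts"]) | {"manifest.json"}
    for path in kit_dir.rglob("*"):
        rel = path.relative_to(kit_dir).as_posix()
        if path.is_file() and rel not in listed:
            problems.append(f"unlisted file: {rel}")
    return (not problems, problems)

def make_sample_kit() -> Path:
    """Constructed sample kit (assumed layout, not a real build): an answer
    file and a security template, plus a manifest generated from them."""
    kit = Path(tempfile.mkdtemp(prefix="dc-build-kit-"))
    files = {
        "unattend.txt": "[Unattended]\nUnattendMode=FullUnattended\n",
        "templates/secure-dc.inf": "[System Access]\nMinimumPasswordLength = 14\n",
    }
    for name, body in files.items():
        (kit / name).parent.mkdir(parents=True, exist_ok=True)
        (kit / name).write_text(body)
    manifest = {"artifacts": {n: sha256_file(kit / n) for n in files}}
    (kit / "manifest.json").write_text(json.dumps(manifest, indent=2))
    return kit

if __name__ == "__main__":
    kit = make_sample_kit()
    print(verify_build_kit(kit))            # clean kit: (True, [])
    (kit / "templates" / "secure-dc.inf").write_text("[System Access]\nMinimumPasswordLength = 0\n")
    print(verify_build_kit(kit))            # weakened template is caught
```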

In the next tip I'll discuss the issues of creating more secure image-based and answer file-based installation procedures.

James Michael Stewart is a partner and researcher for ITinfopros, a technology-focused writing and training organization.

This was last published in March 2004
