
Step 1: Physical access

Domain controllers control the keys to your Windows kingdom. They need to be even more secure than your other servers. Ensure their security by following these steps from Active Directory expert Derek Melber.

It is a common adage that "if you can't protect the physical box, you don't have much protection of anything stored on the box." When it comes to domain controllers, the statement is even more true. I know this is an article on domain controllers, but this should be the case for all servers on the network. You must protect these computers so that no one has physical access to them. Here are some tips on how to accomplish this.

  • Make sure all domain controllers are located in a secured server room.
  • Use physical access controls at the server room door. This might include a door locking system that requires a code, key, card system, voice recognition or some other biometric.
  • Require smart card access when logging on to the domain controllers. This form of two-factor authentication is becoming more popular and easier to configure for all systems, including domain controllers.
  • Do not log on to domain controllers unless there is a problem with the computer that can't be resolved remotely. This also means not leaving users logged on to the domain controllers.
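One way to check the last two points on a domain controller, as an added example that is not part of the original article. It assumes Windows Server 2008 or later with PowerShell, run elevated on the domain controller itself; the seven-day look-back window is an assumed default.

```powershell
# Added example: audit a domain controller against the logon guidance above.
# Run locally on the DC in an elevated session. $Days is an assumed look-back window.
param([int]$Days = 7)

# 1. "Interactive logon: Require smart card" is stored as ScForceOption (1 = enforced).
$key = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
$sc  = (Get-ItemProperty -Path $key -Name ScForceOption -ErrorAction SilentlyContinue).ScForceOption
$smartCardRequired = ($sc -eq 1)

# 2. Sessions currently left logged on (console or RDP), active or disconnected.
$sessions = @(quser 2>$null | Select-Object -Skip 1)

# 3. Interactive (type 2) and Remote Desktop (type 10) logons in the Security log.
$filter = @{ LogName = 'Security'; Id = 4624; StartTime = (Get-Date).AddDays(-$Days) }
$logons = Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue | ForEach-Object {
    $evt = $_; $d = @{}
    ([xml]$evt.ToXml()).Event.EventData.Data | ForEach-Object { $d[$_.Name] = $_.'#text' }
    # Skip the built-in desktop and font-driver identities, which also log type 2.
    $interactive = $d.LogonType -in @('2', '10')
    $builtin     = $d.TargetDomainName -in @('Window Manager', 'Font Driver Host')
    if ($interactive -and -not $builtin) {
        [pscustomobject]@{
            Time    = $evt.TimeCreated
            Account = '{0}\{1}' -f $d.TargetDomainName, $d.TargetUserName
            Type    = if ($d.LogonType -eq '2') { 'Console' } else { 'RDP' }
            Source  = $d.IpAddress
        }
    }
}

"Smart card required for interactive logon: $smartCardRequired"
"Sessions currently logged on: $($sessions.Count)"
$sessions
"Interactive logons in the last $Days days, by account:"
$logons | Group-Object Account, Type | Sort-Object Count -Descending |
    Select-Object Count, Name,
        @{ n = 'Last'; e = { ($_.Group | Sort-Object Time -Descending | Select-Object -First 1).Time } }
```

A domain controller that follows the guidance shows the smart card policy as enforced, no lingering sessions, and only a short list of administrator logons that match known maintenance work.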

Securing Windows domain controllers

  Step 1: Physical Access
  Step 2: Network Access
  Step 3: Domain Controller Communications
  Step 4: Location and Responsibilities of Domain Controllers in Active Directory

Derek Melber, MCSE, MVP and CISM, is the director of compliance solutions for DesktopStandard Corp. He has written the only books on auditing Windows security available at The Institute of Internal Auditors' bookstore, and he also wrote the Group Policy Guide for Microsoft Press -- the only book Microsoft has written on Group Policy. You can contact Melber at
Copyright 2005 TechTarget
This was last published in March 2006
