Step 2: Network access

Domain controllers control the keys to your Windows kingdom. They need to be even more secure than your other servers. Ensure their security by following these steps from Active Directory expert Derek Melber.

Most attacks against your domain controllers will occur over the network. These attacks might originate from an existing desktop that has membership in the domain, or from a rogue desktop or laptop that is connected to the network. (Note: With wireless so predominant in most companies, attacks now come from the wireless network with the same aggressiveness as from the local network.) To protect against these attacks, make sure the domain controllers are secured from users, intruders, and attackers who connect over the network. Apply some of these techniques.

Limit user accounts from logging in locally to domain controllers

  • By default, only administrator accounts and administrator-type groups can log on locally to domain controllers. Through services, applications, and errant configurations, additional users and groups are granted this privilege. As you can imagine, this is not a good configuration.

Limit the Administrator account from accessing domain controllers from across the network

  • By default, the Administrator user account is configured to access domain controllers from across the network. Since it is a best practice not to use this account for daily tasks, there is no reason for this account to have this privilege. Another account with administrative privileges should be created to perform these tasks.

Use Administrator user account only for emergencies

  • It is a common practice by many network admins, as well as by product vendors, to use the Administrator account as a service account. This is a bad practice, since the account is then used every minute of every day by the service. This exposure of the account is unnecessary and should be removed by configuring a specific user account for each service running on the network.
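The three settings above can be audited from a user-rights export and the service list. The script below is an added example, not part of the original article. The sample export, the CONTOSO names, the baseline group list, and the choice of the "Deny access to this computer from the network" right as the Administrator control are assumptions.

```powershell
# Added example. $inf holds the text of: secedit /export /cfg dc-rights.inf /areas USER_RIGHTS
# CONSTRUCTED sample data: CONTOSO, the account names and the domain SID are made up.
$inf = @'
[Privilege Rights]
SeNetworkLogonRight = *S-1-1-0,*S-1-5-11,*S-1-5-32-544
SeInteractiveLogonRight = *S-1-5-32-544,*S-1-5-32-551,*S-1-5-21-1111-2222-3333-1105,CONTOSO\svc-backup
SeDenyNetworkLogonRight = *S-1-5-32-546
'@ -split '\r?\n'

# CONSTRUCTED stand-in for: Get-CimInstance Win32_Service | Select-Object Name, StartName
$services = @(
    [pscustomobject]@{ Name = 'BackupAgent'; StartName = 'CONTOSO\Administrator' }
    [pscustomobject]@{ Name = 'DNS';         StartName = 'LocalSystem' }
)

# Assumed baseline: Administrators plus the built-in operator groups. Adjust to your policy.
$allowedLocal = 'S-1-5-32-544','S-1-5-32-548','S-1-5-32-549','S-1-5-32-550','S-1-5-32-551'

function Get-UserRight {
    param([string[]]$InfLines, [string]$Right)
    # A right is one "Name = *SID,*SID,account" line; an empty value means nobody holds it.
    $line = $InfLines | Where-Object { $_ -match "^\s*$Right\s*=" } | Select-Object -First 1
    if (-not $line) { return @() }
    return @(($line -split '=', 2)[1] -split ',' | ForEach-Object { $_.Trim().TrimStart('*') } | Where-Object { $_ })
}

$findings = @()
# 1. Anyone outside the baseline who can log on locally to the domain controller.
foreach ($p in @(Get-UserRight $inf 'SeInteractiveLogonRight')) {
    if ($allowedLocal -notcontains $p) { $findings += "Log on locally granted to unexpected principal: $p" }
}
# 2. Built-in Administrator (RID 500) should be denied access from the network.
$denyNet = @(Get-UserRight $inf 'SeDenyNetworkLogonRight')
$adminDenied = @($denyNet | Where-Object { $_ -match '^S-1-5-21-.+-500$' -or $_ -match '(^|\\)Administrator$' }).Count -gt 0
if (-not $adminDenied) { $findings += 'Built-in Administrator (RID 500) is not denied network access' }
# 3. Services that run as the Administrator account instead of a dedicated service account.
foreach ($s in $services) {
    if ($s.StartName -match '(^|\\)Administrator(@|$)') { $findings += "Service '$($s.Name)' runs as $($s.StartName)" }
}
$findings
```

On a real domain controller, replace the two constructed inputs with `Get-Content` of the secedit export and the `Get-CimInstance Win32_Service` output.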

Securing Windows domain controllers

  Step 1: Physical Access
  Step 2: Network Access
  Step 3: Domain Controller Communications
  Step 4: Location and Responsibilities of Domain Controllers in Active Directory

Derek Melber, MCSE, MVP and CISM, is the director of compliance solutions for DesktopStandard Corp. He has written the only books on auditing Windows security available at The Institute of Internal Auditors' bookstore, and he also wrote the Group Policy Guide for Microsoft Press -- the only book Microsoft has written on Group Policy. You can contact Melber at
Copyright 2005 TechTarget
This was last published in March 2006
