Boy, that's an open question, isn't it?
Books and white papers have been written on this issue alone.
I'd recommend that you grab the "Threats and Countermeasures" guide and
look at the Security Configuration Wizard.
http://www.microsoft.com/technet/security/topics/Serversecurity/tcg/tcgch00.mspx
Even in my little SBS network I adjusted off LanMan hashes from the
get-go as one "hardening" I could do (when you are running the kitchen
sink service you can't do too much to harden).
Can a DC get hacked/rootkitted and all around screwed up if it's not
managed carefully? Yes. Just ask the PSS Security folks. (And that means
you don't disable the Enhanced IE security like I just did on two VMware
servers because I was installing some betas and couldn't get the file
transfer thing to work.)
Don't surf at the server.
Don't read email at the server.
Have patch management.
Block unnecessary ports.
Disable what you don't need running. (and if Joe had his way media
player and such things would not be on a server)
Watch those audit logs.
It's my opinion that a domain controller is as secure as the admin is
paranoid, and as secure as the risk level of that DC demands.
Microsoft's domain controllers for example have an ever so slightly
larger risk factor and attack threat level than my domain controller at
home. :-) Needless to say that's why they are running with IPsec, smart
card deployments, PKI and all that crud and I'm not.
Needless to say... the answer to "How secure is a domain controller?"
is... "it depends."
Oh yeah... and don't forget physical security of that DC. 'cause Law
number 3 says if I can get access to it, it's mine.
http://www.microsoft.com/technet/archive/community/columns/security/essays/10imlaws.mspx
I will tell you that some of the folks who teach pentesting say that
they are using 2k to teach classes because 2k3 is much harder. And
lastly, quite frankly look at the vulnerabilities in the last months or
so...what are the patches on? Desktop applications. The low hanging
fruit these days is not servers but end users...
Honestly, these days I worry about the workstations behind my DC... they
are the ones introducing my risks. In the 2k era, we SBS boxes that are
DCs were nailed by Code Red/Nimda. These days if the SBS DC has gotten
nailed it's because someone has been stupid and been using it as a
workstation (yes, we have some that are that dumb to use it like this).
I think the better question is... is what you have done secure "enough"
for the risks you face. There are three security hardening guidelines
that Windows has in their security configuration guidelines. Depending
on the clients you have attaching to that domain...that's what guides
what hardening you can do. The more "all borg" you are... the more
secure and locked down that DC can be. Killing off 98's helps quite a
bit. The "Extreme security" one is for the military and "will" break
things. Sometimes you have to balance business with security. While the
business needs to be secure, if I didn't have business, I'd have nothing
to worry about securing.
Edwin wrote:
How secure is a domain controller that is fully patched on a default
install of Windows 2003? When promoted, the domain controller has the
two default policies, both of which are recommended not to be
modified. But there are things that could be done better for added
security. For example, NTLMv2, refusing NTLM and LM. Is it common
practice to add additional GPOs to the DC OU? Or is the DC protected
enough that all that needs worrying about are the member machines?
If adding additional GPOs to the DC OU, is there anything that should
definitely be avoided?
Edwin
--
Letting your vendors set your risk analysis these days?
http://www.threatcode.com
List info : http://www.activedir.org/List.aspx
List FAQ : http://www.activedir.org/ListFAQ.aspx
List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/
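Both messages above touch the same concrete hardening step: turning off LanMan hash storage and moving the domain controller to NTLMv2 only, refusing LM and NTLM. The script below is an added example, not code from either poster or from Microsoft's guides; it audits the two LSA registry values behind the policies "Network security: LAN Manager authentication level" (LmCompatibilityLevel) and "Network security: Do not store LAN Manager hash value on next password change" (NoLMHash), and can apply the hardened values. It assumes an elevated PowerShell session on the DC; the function names are this example's own.

```powershell
# Added example: audit (and optionally harden) LM/NTLM authentication
# settings on a domain controller.  Not part of the original thread.
# Assumes an elevated PowerShell session on the DC.

$LsaPath = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'

# Documented meaning of each LmCompatibilityLevel value (0-5).
$LmLevelText = @{
    0 = 'Send LM & NTLM responses'
    1 = 'Send LM & NTLM; use NTLMv2 session security if negotiated'
    2 = 'Send NTLM response only'
    3 = 'Send NTLMv2 response only'
    4 = 'Send NTLMv2 response only; refuse LM'
    5 = 'Send NTLMv2 response only; refuse LM & NTLM'
}

function Get-LmAuthPosture {
    # Read the effective values straight from the registry; a GPO that defines
    # these settings writes the same values here at policy refresh.
    [CmdletBinding()]
    param()

    $props = Get-ItemProperty -Path $LsaPath -ErrorAction Stop

    # A missing value means the OS default applies (it differs by Windows
    # version), so report it as unset rather than guessing.
    $level = if ($null -ne $props.LmCompatibilityLevel) { [int]$props.LmCompatibilityLevel } else { $null }
    $noLm  = if ($null -ne $props.NoLMHash)             { [int]$props.NoLMHash }             else { 0 }

    $findings = @()
    if ($null -eq $level) {
        $findings += 'LmCompatibilityLevel is not set; the OS default applies and LM/NTLM are not refused.'
    } elseif ($level -lt 5) {
        $findings += "LmCompatibilityLevel is $level ($($LmLevelText[$level])); 5 refuses both LM and NTLM."
    }
    if ($noLm -eq 0) {
        $findings += 'NoLMHash is 0; LM hashes are still stored at the next password change.'
    }

    [pscustomobject]@{
        LmCompatibilityLevel = $level
        LevelMeaning         = if ($null -ne $level) { $LmLevelText[$level] } else { 'not set (OS default)' }
        RefusesLM            = ($null -ne $level -and $level -ge 4)
        RefusesNTLM          = ($null -ne $level -and $level -ge 5)
        StoresLmHash         = ($noLm -eq 0)
        Findings             = $findings
    }
}

function Set-LmAuthHardening {
    # Apply the hardened values: NTLMv2 only (refuse LM and NTLM) and no LM
    # hash storage.  Supports -WhatIf so the change can be previewed first.
    [CmdletBinding(SupportsShouldProcess = $true)]
    param(
        [ValidateRange(0, 5)]
        [int]$Level = 5
    )

    if ($PSCmdlet.ShouldProcess($LsaPath, "Set LmCompatibilityLevel=$Level, NoLMHash=1")) {
        Set-ItemProperty -Path $LsaPath -Name LmCompatibilityLevel -Value $Level -Type DWord
        Set-ItemProperty -Path $LsaPath -Name NoLMHash -Value 1 -Type DWord
    }
}

# Usage: show the current posture, preview the change, then apply it.
Get-LmAuthPosture | Format-List
Set-LmAuthHardening -WhatIf
# Set-LmAuthHardening
```

Two caveats a practitioner would want before running the last line. First, if a GPO linked to the Domain Controllers OU defines either policy, it overwrites whatever the script sets at the next policy refresh, so the durable change belongs in that GPO; the script is most useful for verifying the effective values after the GPO applies. Second, level 5 refuses LM and NTLM from every client, which is exactly why the reply above says killing off the Windows 98 machines helps: clients that can only send LM or NTLM responses stop authenticating. NoLMHash also only stops storing LM hashes from the next password change onward, so existing LM hashes persist until each account's password is changed.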