Also have a look at the Windows Server 2003 Security Guide, which contains information and sample Group Policy templates for DCs.

http://www.microsoft.com/downloads/details.aspx?FamilyID=8a2643c1-0685-4d89-b655-521ea6c7b4db&displaylang=en

Tony

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Susan Bradley, CPA aka Ebitz - SBS Rocks [MVP]
Sent: Sunday, 5 March 2006 4:55 p.m.
To: [email protected]
Subject: Re: [ActiveDir] How Secure is a Domain Controller?

Boy, that's an open question, isn't it? Books and white papers have been written on this issue alone.

I'd recommend that you grab the "Threats and Countermeasures" guide and look at the Security Configuration Wizard.
http://www.microsoft.com/technet/security/topics/Serversecurity/tcg/tcgch00.mspx

Even in my little SBS network I adjusted off LanMan hashes from the get-go as one "hardening" I could do (when you are running the kitchen-sink service you can't do too much to harden).

Can a DC get hacked/rootkitted and all around screwed up if it's not managed carefully? Yes. Just ask the PSS Security folks. (And that means you don't disable the Enhanced IE security like I just did on two VMware servers because I was installing some betas and couldn't get the file transfer thing to work.)

Don't surf at the server. Don't read email at the server. Have patch management. Block unnecessary ports. Disable what you don't need running (and if Joe had his way, media player and such things would not be on a server). Watch those audit logs.

It's my opinion that a domain controller is as secure as the admin is paranoid, I think, and the risk level of that DC. Microsoft's domain controllers, for example, have an ever so slightly larger risk factor and attack threat level than my domain controller at home. :-) Needless to say, that's why they are running with IPsec, smart card deployments, PKI and all that crud and I'm not.

Needless to say... the answer to "How secure is a domain controller?" is... "it depends."

Oh yeah... and don't forget physical security of that DC, 'cause Law number 3 says if I can get access to it, it's mine.
http://www.microsoft.com/technet/archive/community/columns/security/essays/10imlaws.mspx

I will tell you that some of the folks who teach pentesting say they are using 2k to teach classes because 2k3 is much harder.

And lastly, quite frankly, look at the vulnerabilities in the last months or so... what are the patches on? Desktop applications. The low-hanging fruit these days is not servers but end users... Honestly, these days I worry about the workstations behind my DC... they are the ones introducing my risks. In the 2k era our SBS boxes that are DCs were nailed by Code Red/Nimda. These days if the SBS DC has gotten nailed it's because someone has been stupid and been using it as a workstation (yes, we have some that are that dumb to use it like this).

I think the better question is... is what you have done secure "enough" for the risks you face? There are three security hardening guidelines that Windows has in their security configuration guidelines. Depending on the clients you have attaching to that domain... that's what guides what hardening you can do. The more "all Borg" you are... the more secure and locked down that DC can be. Killing off 98s helps quite a bit. The "Extreme security" one is for the military and "will" break things.

Sometimes you have to balance business with security. While the business needs to be secure, if I didn't have business, I'd have nothing to worry about securing.

Edwin wrote:
> How Secure is a Domain Controller that is fully patched on a default
> install of Windows 2003? When promoted the domain controller has the
> two default policies, both of which are recommended not to be
> modified. But there are things that could be done better for added
> security. For example, NTLMv2 refuse NTLM and LM. Is it common
> practice to add additional GPOs to the DC OU? Or is DC protected
> enough to where all that is needed to worry about are the member machines?
>
> If adding additional GPOs to the DC OU, is there anything that should
> definitely be avoided?
>
> Edwin

--
Letting your vendors set your risk analysis these days?
http://www.threatcode.com

List info : http://www.activedir.org/List.aspx
List FAQ : http://www.activedir.org/ListFAQ.aspx
List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/
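The two hardening settings the thread keeps coming back to (turning off LanMan hash storage, and setting the LAN Manager authentication level to "NTLMv2 only, refuse LM & NTLM") are both Security Options that land in the LSA registry key. The script below is an added example, not code from the list, from Susan, Tony or Edwin, or from Microsoft's guides: it audits a server's effective values for those two settings and reports drift from the hardened values. It assumes it is run in an elevated Windows PowerShell prompt on the DC itself; the registry path and value names are the documented ones, and the hardened values (NoLMHash = 1, LmCompatibilityLevel = 5) correspond to the Security Options "Do not store LAN Manager hash value on next password change" and "LAN Manager authentication level: Send NTLMv2 response only. Refuse LM & NTLM".

```powershell
# Added example (not from the ActiveDir thread or Microsoft): audit the two LSA
# settings discussed in the thread on the local server and report drift from
# the hardened values. Run from an elevated Windows PowerShell prompt.

$lsaPath = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'

# Hardened target values (documented registry backing for the Security Options):
#   NoLMHash             = 1 -> "Do not store LAN Manager hash value on next password change"
#   LmCompatibilityLevel = 5 -> "Send NTLMv2 response only. Refuse LM & NTLM"
$expected = @{
    NoLMHash             = 1
    LmCompatibilityLevel = 5
}

function Get-LsaSetting {
    param([string]$Name)
    # Returns $null when the value is absent; for these two values that means
    # the OS default applies rather than an explicit policy setting.
    $item = Get-ItemProperty -Path $lsaPath -Name $Name -ErrorAction SilentlyContinue
    if ($null -eq $item) { return $null }
    return $item.$Name
}

# Build one row per setting: what we want, what is actually in place, and whether they match.
$report = foreach ($name in $expected.Keys) {
    $actual = Get-LsaSetting -Name $name
    [pscustomobject]@{
        Setting   = $name
        Expected  = $expected[$name]
        Actual    = if ($null -eq $actual) { '(not set; OS default)' } else { $actual }
        Compliant = ($actual -eq $expected[$name])
    }
}

$report | Format-Table -AutoSize

$drift = @($report | Where-Object { -not $_.Compliant })
if ($drift.Count -gt 0) {
    # Point at a separate GPO linked to the Domain Controllers OU rather than
    # editing the Default Domain Controllers Policy, which the thread advises against.
    Write-Warning ("{0} LSA setting(s) differ from the hardened values. Set them in a new GPO linked " +
        "to the Domain Controllers OU under Computer Configuration > Windows Settings > " +
        "Security Settings > Local Policies > Security Options.") -f $drift.Count
}
```

Two caveats a practitioner will want alongside the check. NoLMHash only stops the LM hash from being written on the next password change; accounts that have not changed password since the setting took effect still have an LM hash stored, so a forced password reset cycle is part of the remediation, not just the policy change. And LmCompatibilityLevel 5 refuses LM and NTLMv1 at the DC, which is exactly the setting that breaks the Windows 9x clients the thread mentions; retire them (or confirm none remain) before raising the level on a production DC.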
