RE: [ActiveDir] How Secure is a Domain Controller?

[Ulf B. Simon-Weidner]

I've written down some related thoughts once: http://msmvps.com/blogs/ulfbsimonweidner/archive/2004/10/24/16568.aspx Gruesse - Sincerely, Ulf B. Simon-Weidner   MVP-Book "Windows XP - Die Expertentipps": http://tinyurl.com/44zcz   Weblog: http://msmvps.org/UlfBSimonWeidner   Website: http://www.windowsserverfaq.org   Profile:   http://mvp.support.microsoft.com/profile="">      From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Edwin Sent: Sunday, March 05, 2006 4:17 AM To: ActiveDir@mail.activedir.org Subject: [ActiveDir] How Secure is a Domain Controller? How Secure is a Domain Controller that is fully patched on a default install of Windows 2003?  When promoted the domain controller has the two default policies, both of which are recommended not to be modified.  But there are things that could be done better for added security.  For example, NTLMv2 refuse NTLM and LM.  Is it common practice to add additional GPO’s to the DC OU?  Or is DC protected enough to where all that is needed to worry about are the member machines?   If adding additional GPO’s to the DC OU, is there anything that should definitely be avoided?   Edwin