RE: [ActiveDir] How Secure is a Domain Controller?

[Molkentin, Steve]

I always find locking the server in a box with the network cable pulled out makes it most secure (as long as I don't lose my keys)...   ;)   themolk. From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Edwin Sent: Sunday, 5 March 2006 1:17 PM To: ActiveDir@mail.activedir.org Subject: [ActiveDir] How Secure is a Domain Controller? How Secure is a Domain Controller that is fully patched on a default install of Windows 2003?  When promoted the domain controller has the two default policies, both of which are recommended not to be modified.  But there are things that could be done better for added security.  For example, NTLMv2 refuse NTLM and LM.  Is it common practice to add additional GPO’s to the DC OU?  Or is DC protected enough to where all that is needed to worry about are the member machines?   If adding additional GPO’s to the DC OU, is there anything that should definitely be avoided?   Edwin