|
Secure from what? Pick your risks and then make an
assessment based on that. I have personally found that a fully patched Domain
Controller is not secure from Denial of Service Attacks that involve
a large truck running the DC over. May sound extreme but only you can
really start to guess what your risks are and what you should start looking at.
Physically, pretty much any machine is a risk period,
if someone can put their mitts on it, good chance they can own
it.
The next tier is who you allow to access the machine
interactively from remote locations. Patching can help secure in this case but
usually it is more a case that you just shouldn't give access to
anyone but a few people (those 3-5 people who are the
Domain/Enterprise Admins for
the entire forest). The machines aren't very proof against attacks that come
from "inside". It is similar to physical access but possibly not quite as bad
(though if you give physical access to devices which give hardware level control
like DRACs/ILOs, etc then that is the same as physical access).
Next tier is who you give rights to not log on
interactively but to make core changes to services and the file system remotely.
Again, it should be the same 3-5 people mentioned above.
Next tier is how badly you have delegated rights in AD.
What was opened up to make an app working that really shouldn't have been opened
up? The longer I do this the more and more I get convinced that people probably
shouldn't get any delegation and you should just find a good
provisioning/metadata solution.
Then you have general virus/worm attack vectors. This is a
combination of what people you let do anything to the DCs and how bright they
actually are as well as services that extend handles out to foreign systems such
as Web services, RPC, etc - basically shut down everything you can that isn't
absolutely required and make sure you are patched. Patching is really about
helping the last piece of this, even a fully patched server can be conquered by
a bonehead logging on that isn't bright enough to avoid attack vectors such
as email, web sites, running untrusted code, etc.
Of course none of this really matters if you use auto
update routines or allow services on the DCs that run as admin or higher
permissions that are controlled by someone who isn't already a domain admin.
Examples of this are AV updates, OS updates, monitoring applications,
configuration/change management applications, auditing applications,
provisioning applications, syncing applications, etc. Someone who locks
everything down and then blindly allows AV/OS updates to come down really
doesn't have a clue about the state of their machines. Ditto for folks that say
install a corporate MOM or Tivoli or other monitoring system that runs as
localsystem or admin rights. Every person that has control in the MOM/Tivoli
system or anyone who can hack into those systems should be considered a domain
admin because for all intents and purposes they are.
As for not modifying the two default policies, I have
always kind of snickered at that. I have no problem doing it and haven't
encountered any issues that were just inherent in the whole GPO/FRS system as a
whole. I have always pretty much been against GPOs and would be thrilled if they
weren't required for a domain. I think setting domain/domain controller policy
through them, especially the bits that are actually attributes in AD is a bit
silly. But anyway, I modify those policies when I really need to apply something
and I don't think twice about it. But then, my use of GPOs is probably far less
than many people because of my general dislike for them. While it is easy and
fast to open a window with a hammer, there are other mechanisms to do it. Easy
and fast isn't often the right solution.
If there is anything to gnerally avoid it is the urge to
give people many rights. There should be a tiny group of DA/EA folks, I know for
a fact this works well in very large environments. Built in groups on the DCs
pretty much should be unused if not completely unused. FC should not be
something that is granted to anything for pretty much anyone, but especially
shouldn't be granted on OUs and other container types (nor users/groups if you
care about Exchange at all).
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Edwin Sent: Saturday, March 04, 2006 10:17 PM To: [email protected] Subject: [ActiveDir] How Secure is a Domain Controller? How Secure is a Domain Controller
that is fully patched on a default install of Windows 2003? When promoted
the domain controller has the two default policies, both of which are
recommended not to be modified. But there are things that could be done
better for added security. For example, NTLMv2 refuse NTLM and LM.
Is it common practice to add additional GPO’s to the DC OU? Or is DC
protected enough to where all that is needed to worry about are the member
machines? If adding additional GPO’s to the DC
OU, is there anything that should definitely be
avoided? Edwin |
- RE: [ActiveDir] How Secure ... Tony Murray
- RE: [ActiveDir] How Se... Ulf B. Simon-Weidner
- RE: [ActiveDir] Ho... Edwin
- RE: [ActiveDir] How Se... Molkentin, Steve
- RE: [ActiveDir] How Se... joe
- RE: [ActiveDir] How Se... neil.ruston
- RE: [ActiveDir] Ho... Ulf B. Simon-Weidner
- Re: [ActiveDir] Ho... Al Mulnick
- Re: [ActiveDir... Susan Bradley, CPA aka Ebitz - SBS Rocks [MVP]
