RE: [ActiveDir] How Secure is a Domain Controller?

[Myrick, Todd \(NIH/CC/DNA\) [E]]

To add my 2 cents.   Add Anti-virus and Anti-Spywear detection. Configure and backup your event logs.  At remote sites, I would recommend collecting the event logs on a faster rotation. Add monitoring, You want to monitor account lockout events and have notification when excessive amounts of authentications are occurring.  (Tips you off to possible brute force attacks, and up/down situations). Use IPSEC Policies to not allow outside traffic to your DC’s.  (I haven’t tried this, but the theory seems pretty solid) Use GPO’s to enforce group memberships for EA and Domain Admins. When possible do not have child domains, allows you to use tighter security policies. Enforce all registry changes using GPO’s.  Things like DNS record weight, fixed ports for NTDS and FRS replication, etc should be set this way to avoid mis-configuration. At a minimum have a MFT backup of the AD system state done at a central site each night.  If you should lose objects, etc.  Having this will give you options for restore.  Not having it you’re doomed. Make sure your account policies balance the need to thwart an attack but also consider the potential for brute force and denial of service.  You don’t want to come in on Monday to 40K of accounts locked out, and everyone waiting for you to unlock them. TBD   Todd Myrick    From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] Sent: Monday, March 06, 2006 11:23 AM To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] How Secure is a Domain Controller?     I understand/stood what you were saying, just was hoping to bring out a clearer answer for some of the lurker/newbies on the list (of which there are many). And you provided exactly that clarification which was excellent. Thank you. [Neil Ruston] You're welcome :)   I still personally believe in the statement that if I can touch your server, I own your server. There just is no good technical solution to a physical problem, and it's part of our job responsibility to make that clear to management. [Neil Ruston] Sometimes we're forced to make compromises due to management and political pressure. Ulf has written an article which helps to secure the DC if it finds itself physically insecure. Ideally, the DC would not be deployed at all, but the world [of IT] is far from ideal... :)    From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of [EMAIL PROTECTED] Sent: Monday, March 06, 2006 9:52 AM To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] How Secure is a Domain Controller? You mis-understand :)   Ulf was suggesting that in order to protect the AD data on a poorly protected DC, that strong passwords should be used that are harder to crack.   In the event that the disks were compromised, the hacker would not be able to crack a 20 char pw. He does not suggest the use of 20 char passwords to logon to the DC but instead, it is suggested as a way to further protect the AD data, in the event that physical protection is weak.   hth, neil From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Tim Vander Kooi Sent: 06 March 2006 15:44 To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] How Secure is a Domain Controller? Based on the subject of this discussion: if you have those regular users, who can't comprehend or remember a password over 7 characters, signing on to your domain controllers I would say that your domain controllers are VERY not secure. Secondly, if your domain administrators are so lazy as to be using 7 character passwords you are still very insecure.   From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of [EMAIL PROTECTED] Sent: Monday, March 06, 2006 2:25 AM To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] How Secure is a Domain Controller? The use of >20 char passwords caught my eye.   In previous discussions with MS et al, it was suggested that the majority of users would simply repeat a (at most ( 7 char password n times, so as to meet the 20+ char pw policy requirement.   As a result, I have heard it suggested that in reality (not theory) a pw policy of more than 7 chars is actually counter productive. [Any pw policy with a multiple of 7 chars being most counter productive.]   Food for thought, neil   From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Ulf B. Simon-Weidner Sent: 05 March 2006 08:35 To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] How Secure is a Domain Controller? I've written down some related thoughts once: http://msmvps.com/blogs/ulfbsimonweidner/archive/2004/10/24/16568.aspx Gruesse - Sincerely, Ulf B. Simon-Weidner   MVP-Book "Windows XP - Die Expertentipps": http://tinyurl.com/44zcz   Weblog: http://msmvps.org/UlfBSimonWeidner   Website: http://www.windowsserverfaq.org   Profile:   http://mvp.support.microsoft.com/profile="">        From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Edwin Sent: Sunday, March 05, 2006 4:17 AM To: ActiveDir@mail.activedir.org Subject: [ActiveDir] How Secure is a Domain Controller? How Secure is a Domain Controller that is fully patched on a default install of Windows 2003?  When promoted the domain controller has the two default policies, both of which are recommended not to be modified.  But there are things that could be done better for added security.  For example, NTLMv2 refuse NTLM and LM.  Is it common practice to add additional GPO’s to the DC OU?  Or is DC protected enough to where all that is needed to worry about are the member machines?   If adding additional GPO’s to the DC OU, is there anything that should definitely be avoided?   Edwin PLEASE READ: The information contained in this email is confidential and intended for the named recipient(s) only. If you are not an intended recipient of this email please notify the sender immediately and delete your copy from your system. You must not copy, distribute or take any further action in reliance on it. Email is not a secure method of communication and Nomura International plc ('NIplc') will not, to the extent permitted by law, accept responsibility or liability for (a) the accuracy or completeness of, or (b) the presence of any virus, worm or similar malicious or disabling code in, this message or any attachment(s) to it. If verification of this email is sought then please request a hard copy. Unless otherwise stated this email: (1) is not, and should not be treated or relied upon as, investment research; (2) contains views or opinions that are solely those of the author and do not necessarily represent those of NIplc; (3) is intended for informational purposes only and is not a recommendation, solicitation or offer to buy or sell securities or related financial instruments. NIplc does not provide investment services to private customers. Authorised and regulated by the Financial Services Authority. Registered in England no. 1550505 VAT No. 447 2492 35. Registered Office: 1 St Martin's-le-Grand, London, EC1A 4NP. A member of the Nomura group of companies. PLEASE READ: The information contained in this email is confidential and intended for the named recipient(s) only. If you are not an intended recipient of this email please notify the sender immediately and delete your copy from your system. You must not copy, distribute or take any further action in reliance on it. Email is not a secure method of communication and Nomura International plc ('NIplc') will not, to the extent permitted by law, accept responsibility or liability for (a) the accuracy or completeness of, or (b) the presence of any virus, worm or similar malicious or disabling code in, this message or any attachment(s) to it. If verification of this email is sought then please request a hard copy. Unless otherwise stated this email: (1) is not, and should not be treated or relied upon as, investment research; (2) contains views or opinions that are solely those of the author and do not necessarily represent those of NIplc; (3) is intended for informational purposes only and is not a recommendation, solicitation or offer to buy or sell securities or related financial instruments. NIplc does not provide investment services to private customers. Authorised and regulated by the Financial Services Authority. Registered in England no. 1550505 VAT No. 447 2492 35. Registered Office: 1 St Martin's-le-Grand, London, EC1A 4NP. A member of the Nomura group of companies. PLEASE READ: The information contained in this email is confidential and intended for the named recipient(s) only. If you are not an intended recipient of this email please notify the sender immediately and delete your copy from your system. You must not copy, distribute or take any further action in reliance on it. Email is not a secure method of communication and Nomura International plc ('NIplc') will not, to the extent permitted by law, accept responsibility or liability for (a) the accuracy or completeness of, or (b) the presence of any virus, worm or similar malicious or disabling code in, this message or any attachment(s) to it. If verification of this email is sought then please request a hard copy. Unless otherwise stated this email: (1) is not, and should not be treated or relied upon as, investment research; (2) contains views or opinions that are solely those of the author and do not necessarily represent those of NIplc; (3) is intended for informational purposes only and is not a recommendation, solicitation or offer to buy or sell securities or related financial instruments. NIplc does not provide investment services to private customers. Authorised and regulated by the Financial Services Authority. Registered in England no. 1550505 VAT No. 447 2492 35. Registered Office: 1 St Martin's-le-Grand, London, EC1A 4NP. A member of the Nomura group of companies.