To add my 2 cents.
1. Add Anti-virus and Anti-Spywear detection.
2. Configure and backup your event logs. At remote sites, I would
recommend collecting the event logs on a faster rotation.
3. Add monitoring, You want to monitor account lockout events and
have notification when excessive amounts of authentications are
occurring. (Tips you off to possible brute force attacks, and
up/down situations).
4. Use IPSEC Policies to not allow outside traffic to your DC's. (I
haven't tried this, but the theory seems pretty solid)
5. Use GPO's to enforce group memberships for EA and Domain Admins.
6. When possible do not have child domains, allows you to use
tighter security policies.
7. Enforce all registry changes using GPO's. Things like DNS record
weight, fixed ports for NTDS and FRS replication, etc should be
set this way to avoid mis-configuration.
8. At a minimum have a MFT backup of the AD system state done at a
central site each night. If you should lose objects, etc. Having
this will give you options for restore. Not having it you're
doomed.
9. Make sure your account policies balance the need to thwart an
attack but also consider the potential for brute force and
denial of service. You don't want to come in on Monday to 40K of
accounts locked out, and everyone waiting for you to unlock them.
10. TBD
Todd Myrick
------------------------------------------------------------------------
*From:* [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]
*Sent:* Monday, March 06, 2006 11:23 AM
*To:* [email protected]
*Subject:* RE: [ActiveDir] How Secure is a Domain Controller?
I understand/stood what you were saying, just was hoping to bring out
a clearer answer for some of the lurker/newbies on the list (of which
there are many). And you provided exactly that clarification which was
excellent. Thank you.
**[Neil Ruston] You're welcome :)**
I still personally believe in the statement that if I can touch your
server, I own your server. There just is no good technical solution to
a physical problem, and it's part of our job responsibility to make
that clear to management.
**[Neil Ruston] Sometimes we're forced to make compromises due to
management and political pressure. Ulf has written an article which
helps to secure the DC if it finds itself physically insecure.
Ideally, the DC would not be deployed at all, but the world [of IT] is
far from ideal... :)**
------------------------------------------------------------------------
*From:* [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] *On Behalf Of
[EMAIL PROTECTED]
*Sent:* Monday, March 06, 2006 9:52 AM
*To:* [email protected]
*Subject:* RE: [ActiveDir] How Secure is a Domain Controller?
You mis-understand :)
Ulf was suggesting that in order to protect the AD data on a poorly
protected DC, that strong passwords should be used that are harder to
crack.
In the event that the disks were compromised, the hacker would not be
able to crack a 20 char pw. He does not suggest the use of 20 char
passwords to logon to the DC but instead, it is suggested as a way to
further protect the AD data, in the event that physical protection is
weak.
hth,
neil
------------------------------------------------------------------------
*From:* [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] *On Behalf Of *Tim
Vander Kooi
*Sent:* 06 March 2006 15:44
*To:* [email protected]
*Subject:* RE: [ActiveDir] How Secure is a Domain Controller?
Based on the subject of this discussion: if you have those regular
users, who can't comprehend or remember a password over 7 characters,
signing on to your domain controllers I would say that your domain
controllers are VERY not secure. Secondly, if your domain
administrators are so lazy as to be using 7 character passwords you
are still very insecure.
------------------------------------------------------------------------
*From:* [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] *On Behalf Of
[EMAIL PROTECTED]
*Sent:* Monday, March 06, 2006 2:25 AM
*To:* [email protected]
*Subject:* RE: [ActiveDir] How Secure is a Domain Controller?
The use of >20 char passwords caught my eye.
In previous discussions with MS et al, it was suggested that the
majority of users would simply repeat a (at most ( 7 char password n
times, so as to meet the 20+ char pw policy requirement.
As a result, I have heard it suggested that in reality (not theory) a
pw policy of more than 7 chars is actually counter productive. [Any pw
policy with a multiple of 7 chars being most counter productive.]
Food for thought,
neil
------------------------------------------------------------------------
*From:* [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] *On Behalf Of *Ulf B.
Simon-Weidner
*Sent:* 05 March 2006 08:35
*To:* [email protected]
*Subject:* RE: [ActiveDir] How Secure is a Domain Controller?
I've written down some related thoughts once:
http://msmvps.com/blogs/ulfbsimonweidner/archive/2004/10/24/16568.aspx
Gruesse - Sincerely,
Ulf B. Simon-Weidner
MVP-Book "Windows XP - Die Expertentipps": http://tinyurl.com/44zcz
Weblog: http://msmvps.org/UlfBSimonWeidner
Website: http://www.windowsserverfaq.org
<http://www.windowsserverfaq.org/>
Profile:
http://mvp.support.microsoft.com/profile=35E388DE-4885-4308-B489-F2F1214C811D
------------------------------------------------------------------------
*From:* [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] *On Behalf Of *Edwin
*Sent:* Sunday, March 05, 2006 4:17 AM
*To:* [email protected]
*Subject:* [ActiveDir] How Secure is a Domain Controller?
How Secure is a Domain Controller that is fully patched on a
default install of Windows 2003? When promoted the domain
controller has the two default policies, both of which are
recommended not to be modified. But there are things that could be
done better for added security. For example, NTLMv2 refuse NTLM
and LM. Is it common practice to add additional GPO's to the DC
OU? Or is DC protected enough to where all that is needed to worry
about are the member machines?
If adding additional GPO's to the DC OU, is there anything that
should definitely be avoided?
Edwin
PLEASE READ: The information contained in this email is confidential
and
intended for the named recipient(s) only. If you are not an intended
recipient of this email please notify the sender immediately and
delete your
copy from your system. You must not copy, distribute or take any
further
action in reliance on it. Email is not a secure method of
communication and
Nomura International plc ('NIplc') will not, to the extent permitted
by law,
accept responsibility or liability for (a) the accuracy or
completeness of,
or (b) the presence of any virus, worm or similar malicious or
disabling
code in, this message or any attachment(s) to it. If verification of
this
email is sought then please request a hard copy. Unless otherwise
stated
this email: (1) is not, and should not be treated or relied upon as,
investment research; (2) contains views or opinions that are solely
those of
the author and do not necessarily represent those of NIplc; (3) is
intended
for informational purposes only and is not a recommendation,
solicitation or
offer to buy or sell securities or related financial instruments. NIplc
does not provide investment services to private customers.
Authorised and
regulated by the Financial Services Authority. Registered in England
no. 1550505 VAT No. 447 2492 35. Registered Office: 1 St
Martin's-le-Grand,
London, EC1A 4NP. A member of the Nomura group of companies.
PLEASE READ: The information contained in this email is confidential
and
intended for the named recipient(s) only. If you are not an intended
recipient of this email please notify the sender immediately and
delete your
copy from your system. You must not copy, distribute or take any
further
action in reliance on it. Email is not a secure method of
communication and
Nomura International plc ('NIplc') will not, to the extent permitted
by law,
accept responsibility or liability for (a) the accuracy or
completeness of,
or (b) the presence of any virus, worm or similar malicious or
disabling
code in, this message or any attachment(s) to it. If verification of
this
email is sought then please request a hard copy. Unless otherwise
stated
this email: (1) is not, and should not be treated or relied upon as,
investment research; (2) contains views or opinions that are solely
those of
the author and do not necessarily represent those of NIplc; (3) is
intended
for informational purposes only and is not a recommendation,
solicitation or
offer to buy or sell securities or related financial instruments. NIplc
does not provide investment services to private customers.
Authorised and
regulated by the Financial Services Authority. Registered in England
no. 1550505 VAT No. 447 2492 35. Registered Office: 1 St
Martin's-le-Grand,
London, EC1A 4NP. A member of the Nomura group of companies.
PLEASE READ: The information contained in this email is confidential
and
intended for the named recipient(s) only. If you are not an intended
recipient of this email please notify the sender immediately and
delete your
copy from your system. You must not copy, distribute or take any
further
action in reliance on it. Email is not a secure method of
communication and
Nomura International plc ('NIplc') will not, to the extent permitted
by law,
accept responsibility or liability for (a) the accuracy or
completeness of,
or (b) the presence of any virus, worm or similar malicious or
disabling
code in, this message or any attachment(s) to it. If verification of
this
email is sought then please request a hard copy. Unless otherwise
stated
this email: (1) is not, and should not be treated or relied upon as,
investment research; (2) contains views or opinions that are solely
those of
the author and do not necessarily represent those of NIplc; (3) is
intended
for informational purposes only and is not a recommendation,
solicitation or
offer to buy or sell securities or related financial instruments. NIplc
does not provide investment services to private customers.
Authorised and
regulated by the Financial Services Authority. Registered in England
no. 1550505 VAT No. 447 2492 35. Registered Office: 1 St
Martin's-le-Grand,
London, EC1A 4NP. A member of the Nomura group of companies.
