Recommendations: Deploying Secure Domain Controllers

Applies To: Windows Server 2003, Windows Server 2003 R2, Windows Server 2003 with SP1, Windows Server 2003 with SP2, Windows Server 2008, Windows Server 2008 R2

Following the security recommendations described earlier in this section helps minimize the security risks that may be involved in deploying domain controllers. Of course, as previously mentioned, you should consider the recommendations that are described in other sections when deciding how best to enhance your comprehensive Active Directory security.

In most instances, these recommendations are intended for intranet datacenter, extranet datacenter, and branch office scenarios. However, some of the recommendations depend on the particular scenario. Where the recommendations are scenario specific, notes are included to direct you to the section where the recommendation is discussed.

Recommendations for Securing the Domain Controller Build Environment

Recommendations for establishing secure domain controller rollout practices are:

  • Whenever possible, build domain controllers in secured environments, such as datacenters.

  • When building domain controllers in unsecured environments, ensure that only trusted personnel have physical access.

Recommendations for Establishing Secure Domain Controller Build Practices

The following sections provide checklists of recommendations for establishing secure domain controller build practices.

Recommendations for Using Automated Installation Processes

Recommendations for using automated installation processes are:

  • Use an image-based, automated deployment process for installing Windows Server 2003.

    Note

    This recommendation may vary or not be feasible, depending on your scenario. For more information, see “Establishing Secure Domain Controller Build Practices” earlier in this guide.

  • Automate the promotion of servers to domain controllers.

Recommendations for Ensuring Predictable, Repeatable, and Secure Domain Controller Deployments

Recommendations for ensuring that your domain controller deployments are predictable, repeatable, and secure are:

  • Installing Windows Server 2003 with Service Packs and Hotfixes

    • Install Windows Server 2003 with the most recent service packs.

    • Apply all current security-related hotfixes.

    • Format all partitions as NTFS.

    • Create a strong password for the Administrator account.

    • Do not install IIS on domain controllers.

    • Select DNS during installation.

    • Do not install SMTP unless Active Directory replication uses SMTP.

  • Disabling NTFS Automatic 8.3 Name Generation

    • Disable NTFS automatic 8.3 name generation.

  • Running Virus-Scanning Software on the Server

    • Run virus-scanning software before promoting any server to a domain controller.

    • Ensure that virus-scanning software includes any updates to detect and remove the latest viruses.

    • Configure virus scans appropriately to prevent excessive FRS replication and to prevent interference between virus scans and access to database files and log files by FRS and Active Directory.

    • Enable script signing if you have stopped the virus-scanning software from scanning the SYSVOL folder.

  • Enabling Only Essential Services

    • Enable only those services that are required for a computer that is running Windows Server 2003 in the role of a domain controller.

  • Creating a Reserve File to Enable Recovery from Disk-Space Attacks

    • Create a reserve file on the same disk volume as Ntds.dit. Ensure that the reserve file is either 250 MB or 1 percent of the available disk space, whichever is larger.
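The following is an added example, not part of the guide, that sizes and creates the reserve file described above. It assumes Windows PowerShell running with administrative rights on the domain controller, reads the actual Ntds.dit location from the NTDS service registry key, and uses fsutil.exe to allocate the file; the file name reserve.dat is a hypothetical choice.

```powershell
# Added example (not from the guide): create a reserve file on the Ntds.dit volume
# sized at 250 MB or 1 percent of the volume's free space, whichever is larger.
$NtdsParams = 'HKLM:\SYSTEM\CurrentControlSet\Services\NTDS\Parameters'

function Get-NtdsDatabasePath {
    # "DSA Database file" holds the real Ntds.dit path, which may differ from the default.
    (Get-ItemProperty -Path $NtdsParams).'DSA Database file'
}

function Get-ReserveFileSize {
    # Returns the reserve size in bytes for the volume identified by its drive letter ('D:').
    param([Parameter(Mandatory = $true)][string]$DriveLetter)
    $disk = Get-WmiObject -Class Win32_LogicalDisk -Filter "DeviceID='$DriveLetter'"
    if (-not $disk) { throw "Volume $DriveLetter was not found" }
    $minimum    = 250MB
    $onePercent = [int64]($disk.FreeSpace * 0.01)
    [math]::Max($minimum, $onePercent)
}

function New-DcReserveFile {
    # Allocates the reserve file in the same folder as Ntds.dit, so it can be deleted
    # later to free space on that volume if an attacker fills the disk.
    param([string]$Name = 'reserve.dat')   # hypothetical file name
    $ditPath = Get-NtdsDatabasePath
    $drive   = [System.IO.Path]::GetPathRoot($ditPath).TrimEnd('\')
    $target  = Join-Path (Split-Path -Path $ditPath -Parent) $Name
    if (Test-Path $target) {
        Write-Warning "$target already exists; leaving it unchanged"
        return
    }
    $size = Get-ReserveFileSize -DriveLetter $drive
    # fsutil allocates the file without writing its contents, so this is fast for large sizes.
    & fsutil.exe file createnew $target $size | Out-Null
    if ($LASTEXITCODE -ne 0) { throw "fsutil.exe failed with exit code $LASTEXITCODE" }
    Get-Item $target | Select-Object FullName, Length
}

New-DcReserveFile
```

Record the file's location in the recovery runbook: the whole point of the reserve is that an operator knows which file to delete when the Ntds.dit volume runs out of space.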

Recommendations for Configuring the Automatic Installation of Active Directory

Recommendations for configuring automatic Active Directory installation are:

  • Using Unattended Active Directory Installation

    • Set the registry to run Dcpromo.exe automatically.

    • Prepare the DCInstall portion of the Unattend.txt file.

  • Selecting Secure Active Directory Configuration Settings

    • Place the Active Directory database (Ntds.dit) on a separate physical drive.

    • Place the Active Directory logs on a separate physical drive.

    • Place SYSVOL on the same physical drive as the Active Directory database.

    • Do not enable Pre–Windows 2000 Compatibility unless it is required by earlier applications or services, as described in “Determining the Need for Anonymous Access to Active Directory Data” earlier in this guide.
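As an added example that is not part of the guide, the script below checks that the chosen paths follow the placement recommendations above (database and logs on different drives, SYSVOL beside the database) and then writes the [DCInstall] section for a replica domain controller; it covers both the unattended-installation and the configuration-settings recommendations. The paths, domain name and site name are hypothetical; the key names are those of the Windows Server 2003 dcpromo answer file, and AllowAnonymousAccess=No corresponds to leaving Pre-Windows 2000 Compatibility off.

```powershell
# Added example (not from the guide): validate storage placement and emit [DCInstall].
function Test-DcStoragePlacement {
    # Returns a list of placement problems; an empty list means the paths comply.
    param([string]$DatabasePath, [string]$LogPath, [string]$SysvolPath)
    $db  = [System.IO.Path]::GetPathRoot($DatabasePath)
    $log = [System.IO.Path]::GetPathRoot($LogPath)
    $sys = [System.IO.Path]::GetPathRoot($SysvolPath)
    $problems = @()
    if ($db -eq $log) { $problems += "Logs ($log) share a drive with the database ($db)" }
    if ($sys -ne $db) { $problems += "SYSVOL ($sys) is not on the database drive ($db)" }
    return $problems
}

function New-DcInstallSection {
    param(
        [string]$DatabasePath  = 'D:\NTDS',             # hypothetical
        [string]$LogPath       = 'E:\NTDSLogs',         # hypothetical
        [string]$SysvolPath    = 'D:\SYSVOL',           # hypothetical
        [string]$DomainDnsName = 'corp.example.com',    # hypothetical
        [string]$SiteName      = 'Datacenter'           # hypothetical
    )
    $problems = Test-DcStoragePlacement $DatabasePath $LogPath $SysvolPath
    if ($problems) { throw ($problems -join '; ') }
    # Drive letters only approximate physical drives: confirm D: and E: are separate
    # spindles or arrays before using the generated file.
@"
[DCInstall]
ReplicaOrNewDomain=Replica
ReplicaDomainDNSName=$DomainDnsName
SiteName=$SiteName
DatabasePath=$DatabasePath
LogPath=$LogPath
SYSVOLPath=$SysvolPath
AllowAnonymousAccess=No
SafeModeAdminPassword=<SET-DSRM-PASSWORD-BEFORE-USE>
RebootOnSuccess=Yes
"@
}

New-DcInstallSection | Set-Content -Path .\Unattend.txt
```

Replace the placeholder Directory Services Restore Mode password before running dcpromo /answer:Unattend.txt, and delete the answer file afterwards, since it then holds a credential in clear text.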

  • Determining the Need for Anonymous Access to Active Directory Data

    • Create a test domain that mirrors your production domain and that allows anonymous access.

    • Monitor the directory for anonymous access according to “Enabling Monitoring for Anonymous Active Directory Access” in “Appendix: Procedures” later in this guide.

    • Identify the applications and services that use anonymous access.

  • Eliminating the Requirement for Anonymous Access to Active Directory

    • Upgrade the applications that are identified as using anonymous access.

    • Monitor the directory to ensure that no further anonymous access is requested.

    • Disable anonymous access, if it is in effect.

Recommendations for Maintaining Physical Security

Recommendations for maintaining the physical security of your domain controllers are:

  • Securing Domain Controllers Against Physical Access

    • Include UPSs.

    • Place domain controllers and UPSs in locked rooms.

    • Require cardkey locks or cipher-locks on the entrances to the locked rooms.

    • Require locks on individual domain controllers or on doors to the racks that house domain controllers.

    • Require specific processes and procedures for the administration or repair of domain controllers.

  • Preventing Domain Controllers from Booting into Alternate Operating Systems

    • Disable or remove the floppy disk drive, unless it is required for SYSKEY.

    • Disable or remove the CD-ROM or DVD drive.

    • Set the [timeout] parameter in the boot.ini file to 0.

  • Protecting Domain Controllers on Restart by Using SYSKEY

    • Enable SYSKEY.

      Note

      This recommendation may vary or not be feasible, depending on your scenario. For more information, see “Protecting Domain Controllers on Restart by Using SYSKEY” earlier in this guide.

  • Securing Backup Media Against Physical Access

    • Store backup media that is used on-site in a locked cabinet or container.

    • Store archival backup media in off-site storage.

    • Establish processes and procedures that require signatures to bring any archival storage back on-site.

    • Ensure that backup media is installed only during backup and that it is in secured storage otherwise.

  • Enhancing the Security of the Network Infrastructure

    • Require cardkey locks or cipher-locks on the entrances to the cabling rooms.

    • Require processes and procedures for any administration or repair of cabling, switches, or routers.

    • Use strong passwords to secure the configuration of routers and switches.

    • Use different passwords for reading and configuring your routers and switches.

  • Securing the Remote Restart of Domain Controllers

    • When the domain controller is in a datacenter, connect the remote restart devices to the secured management network.

    • When the domain controller is in a branch office, connect the remote restart device to a dedicated modem, and require the modem to provide password identification and callback functionality.