Securing Windows Server 2003 Domain Controllers

On This Page

Introduction
Before You Begin
Securing Your Domain Controllers
Enabling Additional Services on Domain Controllers
Securing the DNS Server Service
Keeping Your Domain Controllers Secure
Related Information

Introduction

The loss of data or revenue that can result from a malicious attack on a computer system can be devastating to an organization. To help protect your company's computer systems and data from the ever-present threat of malicious code used in worms, viruses, and malicious attacks, it is critical that you implement security measures to help reduce the exposure to your company's assets.

The domain controllers in your network are the centerpiece of your Active Directory directory service. They contain all of your user account information, without which, users cannot log on to your network and access the resources that they need to perform their jobs.

Because of the information that domain controllers contain and their critical role in any environment, they are obvious targets of malicious attacks. For this reason, you should place your domain controllers in the most secure location possible; you should keep your domain controllers up-to-date with the latest security updates; and you should disable unnecessary services to minimize their exposure to worms, viruses, and malicious attacks.

This guide provides step-by-step guidance to help you quickly implement security measures that will help lock down the configuration of your domain controllers. All the step-by-step instructions in this document were developed by using the default "Start menu" view in Microsoft Windows XP.

To improve the security of your environment, you will apply Group Policy, which is the change and configuration management technology included with Active Directory, on your domain controllers. This guide leads you through the following tasks:

  • Securing your domain controllers by using Group Policy.

  • Configuring Group Policy to provide for additional domain controller functionality.

  • Securing the DNS Server service.

  • Keeping your domain controllers secure.

Note: Configuring Group Policy on your domain controllers is only the first step for enhancing the security of your domain controllers and your entire environment.

Review and complete the tasks in "Securing Windows XP Professional Clients in a Windows Server Environment" of the Security Guidance Kit. Completing the tasks in this guide will help to improve the security of your domain controllers.

After you complete these tasks, your domain controllers will contain a base level of security that can help protect your environment from a large number of security threats. Completing these tasks ensures that domain controllers run only the services they need to provide for your environment. Furthermore, configuring Automatic Updates helps you keep your domain controllers up-to-date by automatically downloading and installing the latest security updates as Microsoft releases them.

IMPORTANT: All the step-by-step instructions included in this document were developed by using the Start menu that appears by default when you install your operating system. If you have modified your Start menu, the steps might differ slightly.

Before You Begin

To complete the tasks in this guide, you must log on to your domain controllers as a member of the Domain Admins group. Keep in mind that some steps require you to restart your domain controller, so make sure that you complete these steps during non-business hours to minimize the impact to your users.

This guide assumes that your client environment consists of computers running Microsoft Windows 2000 Service Pack 2 (SP2) or later and Windows XP Service Pack 1 (SP1). Several of the tasks and recommendations that are detailed in this guide are not compatible with earlier versions of Windows.

If your computers do not have these service packs installed or if you are unsure whether they are installed, go to the Windows Update page on the Microsoft Web site at https://go.microsoft.com/fwlink/?LinkID=22630 and have it scan your systems for updates. If service packs show up as an available update, you should install them before proceeding with the tasks in this document. More information about using Windows Update is provided later in this document.

Securing Your Domain Controllers

You can improve security on your domain controllers by using Group Policy. The following tasks show you how to configure Group Policy to disable unnecessary or unused services on your domain controllers that might otherwise create unwanted exposure if they are left enabled. To configure Group Policy for your domain controllers, complete the following tasks:

  • Create a new Group Policy object (GPO), and link it to the Domain Controllers organizational unit (OU).

  • Import baseline security settings into the new GPO by using the security template that is included with this guide.

  • Verify your new settings by reviewing the Application log on your domain controllers.

Implementing the Domain Controllers Baseline Policy

You need to complete the following steps just one time. The security of all of your domain controllers is enhanced simultaneously after you configure the Domain Controllers Baseline Policy.

IMPORTANT: You must restart all your domain controllers for the Domain Controllers Baseline Policy to take effect. Make sure to complete these steps during non-business hours to minimize the impact to your users.

Requirements

  • Credentials: You must be logged on as a member of the Domain Admins group.

  • Tools: Active Directory Users and Computers.
    To access this tool, click Start, click Control Panel, double-click Administrative Tools, and then double-click Active Directory Users and Computers.

  • Files: You need to download the Enterprise Client - Domain Controller.inf file that is included with the "Windows Server 2003 Security Guide." After downloading this file, copy it to the systemroot\Security\Templates folder of the domain controller on which you are performing these steps. (For example, in a typical configuration, you copy the .inf file to the C:\Windows\Security\Templates folder.)

  • To download the Enterprise Client - Domain Controller.inf file

    1. On the domain controller, open a Web browser and go to the Windows Server 2003 Security Guide page of the Microsoft Download Center Web site at https://go.microsoft.com/fwlink/?LinkId=14846.

    2. At the bottom of the page, under Files in This Download, click Windows_Server_2003_Security_Guide.exe.

    3. In the File Download dialog box, click Save.

    4. When prompted for a location, expand the Save in list box, select Desktop, and then create a new folder in which to save the file by doing the following:

      1. Right-click the white space within the Save As dialog box, point to New, and then click Folder.

      2. Type a descriptive name for the folder (replace the highlighted text, New Folder, with your descriptive name), double-click the new folder so that it is selected in the Save in list box, and then click Save.

    5. After the download is complete, in the Download complete box, click Close.

    6. In the new folder on your desktop, double-click the Windows_Server_2003_Security_Guide.exe file to open the WinZip Self-Extractor.

    7. In the WinZip Self-Extractor dialog box:

      1. Click Browse, select the folder that you created for the download, click the folder to open it, and then click OK.

      2. In the WinZip Self-Extractor dialog box, click Unzip.
        You will receive a confirmation message that the files unzipped successfully.

    8. In the set of extracted files and folders, double-click the Windows Server 2003 Security Guide folder to open it, open the Tools and Templates folder, open the Security Guide folder, and then open the Security Templates folder.

    9. In the Security Templates folder, right-click the Enterprise Client - Domain Controller.inf file, and copy this file to the systemroot\Security\Templates folder of the domain controller on which you are performing these steps.

  • To create a new GPO in the Domain Controllers OU

    1. Click Start, click Control Panel, double-click Administrative Tools, double-click Active Directory Users and Computers, and then double-click your domain to expand the domain tree.

    2. Right-click the Domain Controllers OU, and then click Properties.

      Active Directory Users and Computers

      Note: Screenshots in this document reflect a test environment. The domain and server names in your environment might differ slightly from the ones shown in these screenshots.

    3. In the properties dialog box, click the Group Policy tab, and then click New to create a new GPO.

    4. Name the policy Domain Controllers Baseline Policy, and then click Close.

      Domain Controller Properties

  • To import the baseline security settings into the Domain Controllers Baseline Policy

    1. Right-click the Domain Controllers OU, and then click Properties.

    2. In the properties dialog box, click the Group Policy tab, and then select Domain Controllers Baseline Policy.

    3. Click Up to move the new GPO to the top of the list, and then click Edit.

      Domain Controller Properties

      IMPORTANT: Be sure that you are editing the Domain Controllers Baseline Policy and not the Default Domain Controllers Policy. Incorrect modifications to the Default Domain Controllers Policy can adversely affect your environment and can be difficult to troubleshoot.

    4. Under Computer Configuration, double-click the Windows Settings folder, right-click Security Settings, and then select Import Policy.

      Group Policy Object Editor

    5. In the Import Policy From dialog box, select the Enterprise Client - Domain Controller.inf file, and then click Open.

      Import Policy From

    6. Close the Group Policy Object Editor, click OK to close the properties dialog box, and exit Active Directory Users and Computers.

    7. Restart your domain controllers one at a time.

      IMPORTANT: Do not restart all your domain controllers simultaneously because users might have difficulty logging on to the network or accessing network resources if no domain controller is available.

Verifying New Settings

After you configure the Group Policy security settings, be sure to verify that the settings have been applied successfully.

Requirements

  • Credentials: You must be logged on as a member of the Domain Admins group.

  • Tools: Event Viewer and Services.

Verify that the Application event log on each of your domain controllers contains an Event ID 1704.

  • To check the Application event log

    1. Click Start, click Control Panel, double-click Administrative Tools, and then click Event Viewer.

    2. In Event Viewer, click Application, and then look for the most recent event of:

      • Type: Information

      • Source: SceCli

      • Event ID: 1704

    3. If you double-click this event, you see an Event Properties window similar to the following:

      Event Properties

    4. Click OK, and then close Event Viewer.

Next, verify that unnecessary services are disabled on your domain controllers.

  • To check for disabled services

    1. Click Start, click Control Panel, double-click Administrative Tools, and then double-click Services.

    2. Verify that the Alerter, Messenger, and Task Scheduler services are not running, and that their Startup Type is set to Disabled.

      Note: The three services that are listed in step 2 are enabled by default in Microsoft Windows Server 2003. These are not the only services that are disabled by the Domain Controllers Baseline Policy, but checking their configuration is a good indication that your new Group Policy settings have taken effect.

    3. Close the Services tool.
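The two checks above (the SceCli 1704 event and the startup type of the Alerter, Messenger and Task Scheduler services) can be run against every domain controller from one PowerShell console instead of opening Event Viewer and Services on each machine. The script below is an added example; it is not part of this guide or of Microsoft's tools. It assumes PowerShell with remote WMI and remote event-log access to each domain controller, and the service list in $ExpectDisabled is an assumption that matches the three services the guide names (Task Scheduler's service name is Schedule).

```powershell
# Added example, not from the guide: confirm that the Domain Controllers Baseline
# Policy took effect on one or more domain controllers.
# Assumes: PowerShell, remote WMI (DCOM) and remote event-log access to each DC.
function Test-DcBaselineApplied {
    param(
        [string[]]$ComputerName = @($env:COMPUTERNAME),
        # Win32_Service short names. The guide checks Alerter, Messenger and
        # Task Scheduler (service name "Schedule"); assumed list, extend as needed.
        [string[]]$ExpectDisabled = @('Alerter', 'Messenger', 'Schedule')
    )
    foreach ($dc in $ComputerName) {
        # SceCli event 1704 = security policy in the GPOs applied successfully.
        # It is logged for any security-policy refresh, so it proves that policy
        # applied, not by itself that the baseline GPO is the one that won.
        $applied = Get-EventLog -ComputerName $dc -LogName Application -Source SceCli -Newest 100 |
            Where-Object { $_.EventID -eq 1704 } |
            Select-Object -First 1
        $appliedAt = $null
        if ($applied) { $appliedAt = $applied.TimeGenerated }

        # Live service state: a service the policy disables must be Disabled and not Running.
        $services = @(Get-WmiObject -ComputerName $dc -Class Win32_Service |
            Where-Object { $ExpectDisabled -contains $_.Name })
        $found   = @($services | ForEach-Object { $_.Name })
        $missing = @($ExpectDisabled | Where-Object { $found -notcontains $_ })
        $wrong   = @($services | Where-Object { $_.StartMode -ne 'Disabled' -or $_.State -eq 'Running' })

        New-Object PSObject -Property @{
            ComputerName    = $dc
            PolicyAppliedAt = $appliedAt
            NotDisabled     = @($wrong | ForEach-Object { '{0} ({1}, {2})' -f $_.Name, $_.StartMode, $_.State })
            MissingServices = $missing
            Compliant       = ([bool]$applied -and $wrong.Count -eq 0)
        }
    }
}

# Usage (replace the names with your domain controllers):
# Test-DcBaselineApplied -ComputerName 'DC1', 'DC2' | Format-List
```

A domain controller that reports no 1704 event has not refreshed security policy since the GPO was linked; running gpupdate /force on it and then re-running the check separates a policy that has not arrived yet from one that arrived but was overridden by a GPO higher in the list.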

Enabling Additional Services on Domain Controllers

The Domain Controllers Baseline Policy that you implemented in the previous section disables several services that are not used to provide base domain controller functionality. Making this configuration change can help to improve the security of your domain controllers; however, the change prevents certain services, which domain controllers typically provide in small and medium businesses, from operating properly.

The following steps show you how to modify your Group Policy to re-enable these additional services. Review the following tasks, and complete them on your domain controllers only if your network requires the additional functionality that is provided by these services:

  • Enabling DHCP services

  • Enabling WINS services

  • Enabling Print services

  • Enabling IAS services

  • Enabling Certificate Services

  • Enabling and securing the Task Scheduler service

Enabling DHCP Services

If any of your domain controllers is configured as a Dynamic Host Configuration Protocol (DHCP) server, you need to modify Group Policy settings for the domain controller to provide DHCP services to your environment. This section provides step-by-step instructions for configuring Group Policy to re-enable DHCP services.

Configuring Group Policy to Enable DHCP Services

You must edit the Domain Controllers Baseline Policy to re-enable the DHCP Server service on your domain controllers. Following these steps enables the DHCP Server service on all domain controllers that provide DHCP services.

Requirements

  • Credentials: You must be logged on as a member of the Domain Admins group.

  • Consider impact to users: You will need to restart your domain controllers to complete these steps. You should complete these steps during non-business hours to minimize the impact to your users.

  • To configure Group Policy to enable DHCP services

    1. Click Start, click Control Panel, double-click Administrative Tools, double-click Active Directory Users and Computers, and then double-click your domain to expand the domain tree.

    2. Right-click the Domain Controllers OU, and then click Properties.

    3. In the properties dialog box, click the Group Policy tab, click the Domain Controllers Baseline Policy, and then click Edit.

      IMPORTANT: Be sure that you are editing the Domain Controllers Baseline Policy and not the Default Domain Controllers Policy. Incorrect modifications to the Default Domain Controllers Policy can adversely affect your environment and can be difficult to troubleshoot.

    4. Under Computer Configuration, double-click the Windows Settings folder, double-click Security Settings, and then click System Services.

    5. In the details pane (right pane), double-click DHCP Server, click Automatic, and then click OK.

      DHCP Server Properties

    6. Close the Group Policy Object Editor, click OK to close the properties dialog box, and then exit Active Directory Users and Computers.

    7. Restart your domain controllers one at a time.

      IMPORTANT: Do not restart all your domain controllers simultaneously because users might have difficulty logging on to the network or accessing network resources if no domain controller is available.

Verifying New Settings

After you modify your Group Policy settings to enable the DHCP service, verify that the service is running.

  • To verify the DHCP service is running

    1. Click Start, click Control Panel, double-click Administrative Tools, and then double-click Services.

    2. Verify that the DHCP service is running and configured to start automatically.

IMPORTANT: Also verify that client computers are obtaining Internet Protocol (IP) addresses from the DHCP server on your domain controller.

Enabling WINS Services

If your domain controller is configured as a Windows Internet Name Service (WINS) server, you need to modify Group Policy settings for your domain controller to provide WINS services to your environment. This section provides step-by-step instructions for configuring Group Policy to re-enable the WINS service.

Configuring Group Policy to Enable WINS Services

You must edit the Domain Controllers Baseline Policy GPO to enable the WINS service on your domain controllers. Following these steps enables the WINS service on all of your domain controllers.

Requirements

  • Credentials: You must be logged on as a member of the Domain Admins group.

  • Consider impact to users: You will need to restart your domain controllers to complete these steps. You should complete these steps during non-business hours to minimize the impact to your users.

  • To edit Group Policy to enable the WINS service

    1. Click Start, click Control Panel, double-click Administrative Tools, double-click Active Directory Users and Computers, and then double-click your domain to expand the domain tree.

    2. Right-click the Domain Controllers OU, and then click Properties.

    3. In the properties dialog box, click the Group Policy tab, click the Domain Controllers Baseline Policy, and then click Edit.

      IMPORTANT: Be sure that you are editing the Domain Controllers Baseline Policy and not the Default Domain Controllers Policy. Incorrect modifications to the Default Domain Controllers Policy can adversely affect your environment and can be difficult to troubleshoot.

    4. Under Computer Configuration, expand the Windows Settings folder, click Security Settings, and then click System Services.

    5. In the details pane, double-click WINS, click Automatic, and then click OK.

      WINS Properties

    6. Close the Group Policy Object Editor, click OK to close the properties dialog box, and then exit Active Directory Users and Computers.

    7. Restart any domain controllers that provide WINS services, being sure to restart them one at a time.

      IMPORTANT: Do not restart all your domain controllers simultaneously because users might have difficulty logging on to the network or accessing network resources if no domain controller is available.

Verifying New Settings

After you modify your Group Policy settings to enable the WINS service, verify that the service is running.

  • To verify that WINS is running

    1. Click Start, click Control Panel, double-click Administrative Tools, and then double-click Services.

    2. Verify that the Windows Internet Name Service (WINS) service is started and configured to run automatically.

Enabling File and Print Services

Access to file shares on your domain controllers is not affected by the Domain Controllers Baseline Policy that you implemented in the previous sections. No modifications are necessary for your domain controllers to provide secure file-sharing services.

However, if any of your domain controllers is configured as a print server, you need to configure Group Policy to enable the Print Spooler service so that your domain controllers can provide print services to your environment.

Configuring Group Policy to Enable Print Services

You must edit the Domain Controllers Baseline Policy GPO to enable the Print Spooler service on your domain controllers. Following these steps enables the Print Spooler service on all of your domain controllers.

Requirements

  • Credentials: You must be logged on as a member of the Domain Admins group.

  • Consider impact to users: You will need to restart your domain controllers to complete these steps. You should complete these steps during non-business hours to minimize the impact to your users.

  • To configure Group Policy to enable print services on your domain controllers

    1. Click Start, click Control Panel, double-click Administrative Tools, double-click Active Directory Users and Computers, and then double-click your domain to expand the domain tree.

    2. Right-click the Domain Controllers OU, and then click Properties.

    3. In the properties dialog box, click the Group Policy tab, click the Domain Controllers Baseline Policy, and then click Edit.

      IMPORTANT: Be sure that you are editing the Domain Controllers Baseline Policy and not the Default Domain Controllers Policy. Incorrect modifications to the Default Domain Controllers Policy can adversely affect your environment and can be difficult to troubleshoot.

    4. Under Computer Configuration, double-click the Windows Settings folder, double-click Security Settings, and then click System Services.

    5. In the details pane, double-click Print Spooler, click Automatic, and then click OK.

      Print Spooler Properties

    6. Close the Group Policy Object Editor, click OK to close the properties dialog box, and then exit Active Directory Users and Computers.

    7. Restart any domain controllers that provide Print services, being sure to restart them one at a time.

      IMPORTANT: Do not restart all your domain controllers simultaneously because users might have difficulty logging on to the network or accessing network resources if no domain controller is available.

Verifying New Settings

After you modify your Group Policy settings to enable the Print Spooler service, verify that the service is running.

  • To verify that the Print Spooler service is running

    1. Click Start, click Control Panel, double-click Administrative Tools, and then double-click Services.

    2. Verify that the Print Spooler service is running and configured to start automatically.

IMPORTANT: Also verify that client computers can print to the printer shares on your domain controllers.

Enabling IAS Services

If any of your domain controllers is configured as an Internet Authentication Service (IAS) server, you need to modify Group Policy settings for the domain controller to provide IAS services to your environment. This section provides step-by-step instructions for configuring Group Policy to re-enable IAS services.

Configuring Group Policy to Enable IAS Services

You must edit the Domain Controllers Baseline Policy to re-enable IAS services on your domain controllers. Following these steps enables the IAS service on all domain controllers that provide IAS services.

Requirements

  • Credentials: You must be logged on as a member of the Domain Admins group.

  • Consider impact to users: You will need to restart your domain controllers to complete these steps. You should complete these steps during non-business hours to minimize the impact to your users.

  • To configure Group Policy to enable IAS services

    1. Click Start, click Control Panel, double-click Administrative Tools, double-click Active Directory Users and Computers, and then double-click your domain to expand the domain tree.

    2. Right-click the Domain Controllers OU, and then click Properties.

    3. In the properties dialog box, click the Group Policy tab, click the Domain Controllers Baseline Policy, and then click Edit.

      IMPORTANT: Be sure that you are editing the Domain Controllers Baseline Policy and not the Default Domain Controllers Policy. Incorrect modifications to the Default Domain Controllers Policy can adversely affect your environment and can be difficult to troubleshoot.

    4. Under Computer Configuration, double-click the Windows Settings folder, double-click Security Settings, and then click System Services.

    5. In the details pane (right pane), double-click IAS, click Automatic, and then click OK.

      IAS Properties

    6. Close the Group Policy Object Editor, click OK to close the properties dialog box, and then exit Active Directory Users and Computers.

    7. Restart any domain controllers that use IAS, being sure to restart them one at a time.

      IMPORTANT: Do not restart all your domain controllers simultaneously because users might have difficulty logging on to the network or accessing network resources if no domain controller is available.

Verifying New Settings

After you modify your Group Policy settings to enable IAS services, verify that the service is running.

  • To verify that the IAS service is running

    1. Click Start, click Control Panel, double-click Administrative Tools, and then double-click Services.

    2. Verify that the IAS service is running and configured to start automatically.

Enabling Certificate Services

If any of your domain controllers is configured as a certification authority (CA) server, you need to modify Group Policy settings for the domain controller to provide Certificate Services to your environment. This section provides step-by-step instructions for configuring Group Policy to re-enable Certificate Services.

Configuring Group Policy to Enable Certificate Services

You must edit the Domain Controllers Baseline Policy to re-enable Certificate Services on your domain controllers. Following these steps enables Certificate Services on all domain controllers that provide certificate services.

Requirements

  • Credentials: You must be logged on as a member of the Domain Admins group.

  • Consider impact to users: You will need to restart your domain controllers to complete these steps. You should complete these steps during non-business hours to minimize the impact to your users.

  • To configure Group Policy to enable Certificate Services

    1. Click Start, click Control Panel, double-click Administrative Tools, double-click Active Directory Users and Computers, and then double-click your domain to expand the domain tree.

    2. Right-click the Domain Controllers OU, and then click Properties.

    3. In the properties dialog box, click the Group Policy tab, click the Domain Controllers Baseline Policy, and then click Edit.

      IMPORTANT: Be sure that you are editing the Domain Controllers Baseline Policy and not the Default Domain Controllers Policy. Incorrect modifications to the Default Domain Controllers Policy can adversely affect your environment and can be difficult to troubleshoot.

    4. Under Computer Configuration, double-click the Windows Settings folder, double-click Security Settings, and then click System Services.

    5. In the details pane, double-click CertSvc, click Automatic, and then click OK.

      CertSvc Properties

    6. Close the Group Policy Object Editor, click OK to close the properties dialog box, and then exit Active Directory Users and Computers.

    7. Restart your domain controllers one at a time.

      IMPORTANT: Do not restart all your domain controllers simultaneously because users might have difficulty logging on to the network or accessing network resources if no domain controller is available.

Verifying New Settings

After you modify your Group Policy settings to enable Certificate Services, verify that the service is running.

  • To verify that Certificate Services is running

    1. Click Start, click Control Panel, double-click Administrative Tools, and then double-click Services.

    2. Verify that Certificate Services is running and configured to start automatically.

Enabling and Securing the Task Scheduler Service

If any of your domain controllers use scheduled tasks to automatically run scripts or programs, you need to modify Group Policy settings for the domain controller to run the Task Scheduler service.

To help improve the security of your domain controllers, after you re-enable the Task Scheduler service, restrict any tasks that are scheduled using AT commands from using the Local System account. If you maintain the default account configuration, your domain controllers are open to attacks by malicious users.

This section provides the following step-by-step instructions:

  • Configuring Group Policy to enable Task Scheduler.

  • Securing the Task Scheduler service by modifying the AT Service Account.

Configuring Group Policy to Enable Task Scheduler

You must edit the Domain Controllers Baseline Policy GPO to enable the Task Scheduler service on your domain controllers. Following these steps enables the Task Scheduler service on all of your domain controllers.

Requirements

  • Credentials: You must be logged on as a member of the Domain Admins group.

  • Consider impact to users: You will need to restart your domain controllers to complete these steps. Rebooting all your domain controllers simultaneously might temporarily prevent users from logging on to the network or accessing network resources. To minimize the impact on your users, you should complete these steps during non-business hours.

  • To configure Group Policy to enable Task Scheduler on your domain controllers

    1. Click Start, click Settings, click Control Panel, double-click Administrative Tools, double-click Active Directory Users and Computers, and then double-click your domain to expand the domain tree.

    2. Right-click the Domain Controllers OU, and then click Properties.

    3. In the properties dialog box, click the Group Policy tab, click the Domain Controllers Baseline Policy, and then click Edit.

      IMPORTANT: Be sure that you are editing the Domain Controllers Baseline Policy and not the Default Domain Controllers Policy. Incorrect modifications to the Default Domain Controllers Policy can adversely affect your environment and can be difficult to troubleshoot.

    4. Under Computer Configuration, double-click the Windows Settings folder, double-click Security Settings, and then click System Services.

    5. In the details pane, double-click Task Scheduler, click Automatic, and then click OK.

      Task Scheduler Properties

    6. Close the Group Policy Object Editor, click OK to close the properties dialog box, and then exit Active Directory Users and Computers.

    7. Restart any domain controllers that use the Task Scheduler, being sure to restart them one at a time.

      IMPORTANT: Do not reboot all your domain controllers simultaneously because users might have difficulty logging on to the network or accessing network resources if no domain controller is available.

Verifying New Settings

After you modify your Group Policy settings to enable the Task Scheduler service, verify that the service is running.

  • To verify that the Task Scheduler service is running

    1. Click Start, click Settings, click Control Panel, double-click Administrative Tools, and then double-click Services.

    2. Verify that the Task Scheduler service is running and is configured to start automatically.
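Each of the sections from "Enabling DHCP Services" through "Enabling and Securing the Task Scheduler Service" changes one entry under System Services in the same GPO. Those entries are stored as a security template, so the intended startup types can be checked in the file itself (the .inf you imported, or the GptTmpl.inf that Group Policy writes under SYSVOL for the GPO) before any domain controller is restarted. The script below is an added example and not part of the guide; it assumes PowerShell, and the sample template text is constructed with shortened security descriptors. The service names it uses (DHCPServer, WINS, Spooler, IAS, CertSvc, Schedule) are the names the System Services node shows for the services this guide enables.

```powershell
# Added example, not from the guide: read the [Service General Setting] section of a
# security template and compare each service's startup type with what you intended.
# Template lines look like:
#   <ServiceName>,<StartType>,"<SDDL>"    where 2 = Automatic, 3 = Manual, 4 = Disabled

$StartTypeNames = @{ 2 = 'Automatic'; 3 = 'Manual'; 4 = 'Disabled' }

function Get-TemplateServiceStartup {
    param([Parameter(Mandatory = $true)][string[]]$Lines)
    $inSection = $false
    $startup = @{}
    foreach ($raw in $Lines) {
        $line = $raw.Trim()
        if ($line -match '^\[(.+)\]$') {            # section header
            $inSection = ($Matches[1] -eq 'Service General Setting')
            continue
        }
        if (-not $inSection -or $line -eq '' -or $line.StartsWith(';')) { continue }
        # At most three fields: the SDDL string itself contains commas
        $fields = $line -split ',', 3
        if ($fields.Count -lt 2) { continue }
        $startup[$fields[0].Trim()] = [int]($fields[1].Trim())
    }
    return $startup
}

function Compare-ServiceStartup {
    param([hashtable]$Template, [hashtable]$Expected)
    foreach ($svc in ($Expected.Keys | Sort-Object)) {
        $inTemplate = 'NotInTemplate'
        if ($Template.ContainsKey($svc)) { $inTemplate = $StartTypeNames[$Template[$svc]] }
        New-Object PSObject -Property @{
            Service    = $svc
            Expected   = $Expected[$svc]
            InTemplate = $inTemplate
            OK         = ($inTemplate -eq $Expected[$svc])
        }
    }
}

# Constructed sample template (shortened SDDL). It stands in for a GptTmpl.inf after
# DHCP Server was set to Automatic while the Print Spooler was left disabled.
$sampleText = @'
[Unicode]
Unicode=yes
[Version]
signature="$CHICAGO$"
Revision=1
[Service General Setting]
Alerter,4,"D:AR(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCLCSWRPWPDTLOCRRC;;;BA)"
Messenger,4,"D:AR(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCLCSWRPWPDTLOCRRC;;;BA)"
Schedule,4,"D:AR(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCLCSWRPWPDTLOCRRC;;;BA)"
DHCPServer,2,"D:AR(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCLCSWRPWPDTLOCRRC;;;BA)"
Spooler,4,"D:AR(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCLCSWRPWPDTLOCRRC;;;BA)"
'@
$sampleLines = $sampleText -split "`r?`n"

# This DC is a DHCP and print server, so both services should be Automatic;
# the baseline's disabled services should stay Disabled.
$expected = @{
    Alerter = 'Disabled'; Messenger = 'Disabled'; Schedule = 'Disabled'
    DHCPServer = 'Automatic'; Spooler = 'Automatic'
}
Compare-ServiceStartup -Template (Get-TemplateServiceStartup -Lines $sampleLines) -Expected $expected |
    Format-Table Service, Expected, InTemplate, OK -AutoSize
# Spooler is reported with OK = False: the template still disables it.
```

To run this against the live GPO, pass Get-Content of the GptTmpl.inf under \\<your-domain>\SYSVOL\<your-domain>\Policies\<GPO-GUID>\Machine\Microsoft\Windows NT\SecEdit\ (placeholder path elements) as $Lines. Only the baseline GPO's own template is read, so a conflicting setting in a GPO listed above it on the Group Policy tab is not detected here; the live-service check on each domain controller remains the final test.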

Securing Task Scheduler by Modifying the AT Service Account

You can also use AT commands to schedule tasks in Task Scheduler. By default, tasks that you schedule by using AT commands run under the Local System account and run regardless of which user is logged on to the computer. Often, these tasks run in the background and are unnoticed by administrators.

The Local System account is a special, predefined account that is used to start and run many services on your domain controllers. This account allows full access to your domain controllers and also has access to network resources. Hence, many security-related attacks try to exploit services that run by using the Local System account.

To help improve the security of your domain controllers, you can limit a malicious user's ability to run programs that use the Local System account. This guide recommends that you modify the configuration of Task Scheduler so that any tasks that are scheduled using AT commands do not run using the Local System account.

After you complete the following steps, any tasks that are scheduled by using AT commands only run using the account that you specify.

Requirements

  • Credentials: You must be logged on as a member of the Domain Admins group.

  • Repeat these steps: You must complete these steps on each one of your domain controllers.

  • To modify the AT Service Account configuration

    1. Click Start, click Settings, click Control Panel, and then double-click Scheduled Tasks.

    2. From the Advanced menu, select AT Service Account.

    3. Click the This Account option, type the name and password for an account that does not provide administrative privileges to your domain controller, and then click OK.

      AT Service Account Configuration

      IMPORTANT: Be sure that the account you use does not belong to any of the administrative groups (for example, Enterprise Admins, Domain Admins, or Administrators). It is recommended that you create a specific service account for this purpose and periodically monitor the account's group membership.

      If you need to run a task that uses administrator credentials, you must schedule the task by using the Add Scheduled Tasks wizard in Task Scheduler.
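The following script is an added example, not part of the original guide, for the periodic check recommended above. It audits the account you chose as the AT Service Account: it confirms that the account carries none of the built-in administrative group SIDs (directly or through nesting, by reading the account's tokenGroups attribute) and lists the jobs created with at.exe, which are the jobs that will run under that account. It assumes Windows PowerShell 2.0 (installable on Windows Server 2003 through Windows Management Framework) run on the domain controller; the account name svc-atjobs is a hypothetical placeholder, and the script cannot read the configured account back from the LSA secret in which Task Scheduler stores it, so you pass the name in.

```powershell
# Added example, not part of the original guide. Assumes Windows PowerShell 2.0 on a
# Windows Server 2003 domain controller. $SamAccountName is the account you typed in
# the AT Service Account dialog ('svc-atjobs' below is a hypothetical name).
param(
    [Parameter(Mandatory = $true)]
    [string]$SamAccountName          # e.g. 'svc-atjobs'
)

$rootDse  = [ADSI]'LDAP://RootDSE'
$domainDn = [string]$rootDse.defaultNamingContext
$forestDn = [string]$rootDse.rootDomainNamingContext

function Get-DomainSid([string]$Dn) {
    $entry = [ADSI]"LDAP://$Dn"
    $bytes = $entry.Properties['objectSid'].Value
    (New-Object System.Security.Principal.SecurityIdentifier -ArgumentList $bytes, 0).Value
}
$domainSid = Get-DomainSid $domainDn
$forestSid = Get-DomainSid $forestDn

# Groups that must never contain the AT service account, keyed by SID so that a
# renamed group is still caught. RIDs 512/518/519 are the fixed RIDs of Domain Admins,
# Schema Admins and Enterprise Admins; S-1-5-32-* are the builtin operator groups.
$privileged = @{
    'S-1-5-32-544'        = 'Administrators'
    'S-1-5-32-548'        = 'Account Operators'
    'S-1-5-32-549'        = 'Server Operators'
    'S-1-5-32-550'        = 'Print Operators'
    'S-1-5-32-551'        = 'Backup Operators'
    "${domainSid}-512"    = 'Domain Admins'
    "${forestSid}-518"    = 'Schema Admins'
    "${forestSid}-519"    = 'Enterprise Admins'
}

# Find the account and read tokenGroups: every security group SID the account receives
# in its logon token, nested membership included. It is a constructed attribute, so it
# has to be requested explicitly.
$searcher = New-Object System.DirectoryServices.DirectorySearcher -ArgumentList `
    ([ADSI]"LDAP://$domainDn"), "(&(objectCategory=person)(sAMAccountName=$SamAccountName))"
$hit = $searcher.FindOne()
if ($hit -eq $null) { throw "Account '$SamAccountName' not found under $domainDn" }

$user = $hit.GetDirectoryEntry()
$user.RefreshCache(@('tokenGroups'))
$tokenSids = foreach ($b in $user.Properties['tokenGroups']) {
    (New-Object System.Security.Principal.SecurityIdentifier -ArgumentList $b, 0).Value
}

$violations = $tokenSids | Where-Object { $privileged.ContainsKey($_) } |
    ForEach-Object { $privileged[$_] }

if ($violations) {
    Write-Warning ("'{0}' is a member (directly or through nesting) of: {1}" -f `
        $SamAccountName, ($violations -join ', '))
} else {
    Write-Host "'$SamAccountName' holds no built-in administrative group membership."
}

# Jobs created with at.exe are exposed through Win32_ScheduledJob; jobs created with the
# Scheduled Tasks wizard are not, so everything listed here runs as the AT service account.
Get-WmiObject -Class Win32_ScheduledJob |
    Select-Object JobId, Command, Owner, StartTime, DaysOfWeek, DaysOfMonth |
    Format-Table -AutoSize
```

Run it as a Domain Admin on each domain controller after you change the AT Service Account, and again on whatever schedule you use for the membership review. Checking by SID rather than by group name means that an attacker who renames a group, or an administrator who nests the service account into a group that is itself in Domain Admins, is still reported.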

Securing the DNS Server Service

For Active Directory to function correctly, it requires the presence of a Domain Name System (DNS) server. In the Internet and in other TCP/IP networks, DNS naming is used to locate computers and services by using user-friendly names. When a user enters a DNS name in an application, DNS services resolve the name to an IP address.

To support Active Directory, you can use a DNS service that is provided by a service provider, or you can host your own DNS in Windows Server 2003. If you are hosting your own DNS Server service, you can improve its security through the options described in this section:

  • Limiting the IP Addresses on which the DNS Server service listens.

  • Disabling recursion for DNS servers that do not provide resolution services to network clients.

  • Configuring root hints to help protect your private DNS namespace.

IMPORTANT: The default settings for the DNS Server service are designed to ensure security. For example, zone transfers are only allowed to the secondary DNS servers that you specify. Before changing any of the default settings of the DNS Server service, make sure that you understand the impact to your environment.

Limiting the IP Addresses on Which the DNS Server Service Listens

A multihomed computer is a computer that has multiple network adapters or that has been configured with multiple IP addresses for a single network adapter. By default, a DNS Server service that is running on a multihomed computer is configured to listen for DNS queries by using all of its IP addresses.

By limiting the IP addresses on which the DNS Server service listens, you help reduce the DNS server's exposure to attack. You should configure your DNS servers to only listen for DNS queries on the IP addresses specified as preferred DNS servers in the configuration of the computers in your environment. Use the following procedure to limit the IP addresses on which the DNS Server service listens.

Requirements

  • Credentials: You must be logged on to the DNS server as a member of the DNSAdmins, Domain Admins, or Enterprise Admins groups.

  • Configuration: The DNS server must have more than one IP address.

  • Tools: DNS Microsoft Management Console (MMC) snap-in.

  • To limit the IP addresses on which the DNS Server service listens

    1. Click Start, click Control Panel, double-click Administrative Tools, and then double-click DNS.


    2. In the console tree (left pane), click the DNS server that you want to configure.

    3. On the Action menu, click Properties.

    4. On the Interfaces tab, click the Only the following IP addresses option.


    5. In IP address, type an IP address to be enabled for use by this DNS server, and then click Add.

    6. As needed, repeat the previous step to specify other server IP addresses to be enabled for use by this DNS server.

    7. For each listed IP address that is not used as a preferred DNS server by DNS clients, click the IP address, and then click Remove.

    8. Click OK.

Disabling Recursion for Certain DNS Servers

A client submits a query to a DNS server when the client wants to know the IP address of a specific computer. A recursive query is a query that is made to a DNS server in which the requester asks the DNS server to assume the responsibility for providing a complete answer to the query, not just a referral to another DNS server. The DNS server then uses separate iterative queries to other DNS servers on behalf of the requester to get a complete answer for the recursive query. By default, recursion is enabled for the DNS Server service.

Recursion lets a DNS server resolve names for the clients and servers from which it receives queries, but an attacker can also use it to exhaust the server's resources and deny service to legitimate users. If your DNS server resolves names for network clients rather than only for other DNS servers, recursion must remain enabled. If it does not, use the following procedure to disable recursion.

IMPORTANT: If you are unsure whether your DNS server offers resolution services to network clients, do not change the default setting. The option also disables any forwarders configured on the server, so a server that currently forwards queries stops resolving external names once recursion is off. On a domain controller that is the preferred DNS server for domain members, recursion almost always has to stay enabled.

Requirements

  • Credentials: You must be logged on to the DNS server as a member of the DNSAdmins, Domain Admins, or Enterprise Admins groups.

  • Tools: DNS MMC snap-in.

  • To disable recursion

    1. Click Start, click Control Panel, double-click Administrative Tools, and then double-click DNS.


    2. In the console tree (left pane), click the DNS server that you want to configure.

    3. On the Action menu, click Properties.

    4. Click the Advanced tab.

    5. Under Server options, click Disable recursion (also disables forwarders), and then click OK.


Configuring Root Hints to Prevent Information Exposure

An internal DNS root provides your organization with a private DNS namespace that is not exposed to the public Internet. Root hints are the list of name servers that are authoritative for the root of the namespace; when a DNS server cannot answer a query from its own zones or its cache, it starts iterating from those servers to find the top-level domain (for example, .net, .org, or .com). By default, root hints point to the Internet root servers.

If you have an internal DNS root in your DNS infrastructure, you should configure the root hints of internal DNS servers to point to the DNS servers that host your root domain and not to the DNS servers that host the Internet root domain. This helps prevent your internal DNS servers from sending private information over the Internet when they resolve names.

Requirements

  • Credentials: You must be logged on as a member of the Domain Admins or Enterprise Admins groups.

  • Tools: DNS MMC snap-in.

    Note: You should only perform this procedure on DNS servers that resolve names for an internal DNS root.

  • To configure root hints to prevent information exposure

    1. Click Start, click Control Panel, point to Administrative Tools, and then click DNS.


    2. In the console tree (left pane), click the DNS server that you want to configure.

    3. On the Action menu, click Properties.

    4. Click the Root Hints tab.


    5. For each server that is listed under Name servers, click the server name, and then click Remove.

    6. For each DNS server that hosts your internal DNS root, click Add, and then specify the name and IP address of the DNS server.

Verifying New Settings

You can use the following procedure to verify that the appropriate settings have been applied to your DNS server.

Requirements

  • Credentials: You must be logged on to the DNS server as a member of the DNSAdmins, Domain Admins, or Enterprise Admins groups.

  • Tools: DNS MMC snap-in.

  • To verify the configuration of root hints

    1. Click Start, click Control Panel, point to Administrative Tools, and then click DNS.

    2. In the console tree (left pane), click the DNS server that you want to verify.

    3. On the Action menu, click Properties.

    4. Click the Root Hints tab.

    5. Make sure that only the DNS servers that host your internal DNS root are listed under Name servers.
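The following script is an added example, not part of the original guide, and checks all three settings from this section (listen addresses, recursion, and root hints) in one pass on the local DNS server, so you do not have to open each Properties tab on every domain controller. It reads the server configuration through the DNS WMI provider (namespace root\MicrosoftDNS, class MicrosoftDNS_Server) and prints the dnscmd.exe commands that would correct the first two. It assumes Windows PowerShell 2.0 on the server; the parameter defaults (10.0.0.10, dns1.corp.example, dns2.corp.example) are made-up values to replace with your own; and it assumes that the provider exposes root hints as NS records whose ContainerName is '..RootHints', the name dnscmd uses for that container.

```powershell
# Added example, not part of the original guide. Assumes Windows PowerShell 2.0 on a
# Windows Server 2003 DNS server and the DNS WMI provider in root\MicrosoftDNS.
# All parameter defaults are placeholder values.
param(
    [string[]]$ExpectedListen      = @('10.0.0.10'),          # IPs clients use as preferred DNS
    [string[]]$InternalRootServers = @('dns1.corp.example', 'dns2.corp.example'),
    [switch]$ServesClients,        # set if workstations or members resolve through this server
    [switch]$HasInternalRoot       # set only if you run a private internal root
)

$ns    = 'root\MicrosoftDNS'
$srv   = Get-WmiObject -Namespace $ns -Class MicrosoftDNS_Server
$fixes = @()

# 1. Listen addresses. An empty ListenAddresses means "every IP address on the host",
#    which is the multihomed default the section warns about.
$listen = @($srv.ListenAddresses | Where-Object { $_ })
if ($listen.Count -eq 0) {
    Write-Warning 'DNS Server listens on every IP address of this computer.'
    $fixes += 'dnscmd /ResetListenAddresses ' + ($ExpectedListen -join ' ')
} else {
    $unexpected = $listen         | Where-Object { $ExpectedListen -notcontains $_ }
    $missing    = $ExpectedListen | Where-Object { $listen -notcontains $_ }
    if ($unexpected -or $missing) {
        Write-Warning ('Listen addresses are {0}; expected {1}.' -f `
            ($listen -join ','), ($ExpectedListen -join ','))
        $fixes += 'dnscmd /ResetListenAddresses ' + ($ExpectedListen -join ' ')
    }
}

# 2. Recursion. Disabling it also disables forwarders, so forwarders still being
#    configured is a sign that something relies on this server to resolve names.
$forwarders = @($srv.Forwarders | Where-Object { $_ })
if ($ServesClients) {
    if ($srv.NoRecursion) {
        Write-Warning 'Recursion is disabled on a server that clients use for resolution.'
        $fixes += 'dnscmd /Config /NoRecursion 0'
    }
} elseif (-not $srv.NoRecursion) {
    Write-Warning 'Recursion is enabled although this server does not serve clients.'
    if ($forwarders.Count -gt 0) {
        Write-Warning ('Forwarders {0} stop working once recursion is disabled.' -f ($forwarders -join ','))
    }
    $fixes += 'dnscmd /Config /NoRecursion 1'
}

# 3. Root hints. Only meaningful when you run a private internal root; the hints must
#    then name only the servers that host that root, never the Internet root servers.
if ($HasInternalRoot) {
    $hints     = @(Get-WmiObject -Namespace $ns -Class MicrosoftDNS_NSType -Filter "ContainerName='..RootHints'")
    $hintHosts = @($hints | ForEach-Object { $_.NSHost.TrimEnd('.').ToLower() })
    $external  = @($hintHosts | Where-Object { $InternalRootServers -notcontains $_ })
    if ($hintHosts.Count -eq 0) {
        Write-Warning 'No root hints are configured.'
    } elseif ($external.Count -gt 0) {
        Write-Warning ('Root hints list servers outside the internal root: {0}. Replace them on the Root Hints tab.' -f ($external -join ', '))
    } else {
        Write-Host 'Root hints name only the internal root servers.'
    }
}

if ($fixes.Count -eq 0) { 'No changes needed.' } else { 'Run as a DNS administrator to correct:'; $fixes }
```

The script only reports; it never changes the server, so it is safe to run from a scheduled check. Note that the recursion verdict depends entirely on the -ServesClients switch, which mirrors the IMPORTANT note above: the script cannot tell whether clients depend on the server, and if you do not know, leave recursion at its default.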

Keeping Your Domain Controllers Secure

Because domain controllers contain critical information that must remain secure, you should research the available security features for domain controllers and employ the ones that suit your environment. Then be sure to maintain that protection by installing the latest Microsoft security updates.

This section provides configuration steps for helping you keep your domain controllers secure:

  • Installing the latest Microsoft security updates.

  • Creating a reserve file to enable recovery from disk-space attacks.

  • Disabling automatic 8.3 name generation to decrease system exposure to viruses and malicious attacks.

  • Using the System Key utility to help protect domain controllers from password-cracking software.

  • Disabling anonymous access to Active Directory in environments where applications do not require anonymous connections.

Installing the Latest Security Updates

To maintain your domain controllers, you must routinely download and install the latest Microsoft security updates. These updates are provided to help resolve known issues and protect your computer from known security vulnerabilities.

The following steps provide you with automatic and manual methods for keeping your domain controllers up-to-date with available security updates. You will complete the following tasks:

  • Configure Automatic Updates to automatically download and install security updates on the schedule that you specify.

  • Review how to use Windows Update to manually download and install security updates.

IMPORTANT: You should keep all computers on your network up-to-date with the latest security updates. Configuring Automatic Updates and using Windows Update on your domain controllers keeps only your domain controllers, not your other servers and clients, up-to-date. Make sure that Automatic Updates and Windows Update are configured and used on all the computers on your network that are running Windows Server 2003, Windows 2000, and Windows XP.

Configuring Automatic Updates

You can configure your Windows Server 2003 domain controllers to automatically download and install the latest Microsoft security updates while your computer is turned on and connected to the Internet.

Requirements

  • Credentials: You must be logged on as a member of the Domain Admins group.

  • Repeat these steps: You must complete these steps on each of your domain controllers.

  • To configure a domain controller to automatically download and install security updates

    1. Click Start, click Control Panel, and then double-click System.

    2. Click the Automatic Updates tab, and then select the check box labeled Keep my computer up-to-date. With this setting enabled, Windows Update software may be automatically updated prior to applying any other updates.

    3. Click Automatically download the updates, and install them on the schedule that I specify.

    4. Select the day and time for the updates to occur, and then click OK to close the System Properties window.

      IMPORTANT: Security updates often require that your domain controllers be restarted. Choose a day and time that minimizes the impact to your users.

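Because the steps above have to be repeated on every domain controller, it helps to verify them centrally. The following script is an added example, not part of the original guide: it reads the Automatic Updates configuration of every domain controller in the current domain over the remote registry and flags any that is not set to download and install on a schedule. It assumes Windows PowerShell 2.0, that the Remote Registry service is running on each domain controller and that you are a Domain Admin, and it relies on the documented value meanings: AUOptions 4 is "download and install on the schedule I specify" (2 is notify only, 3 is download and notify), ScheduledInstallDay 0 is every day and 1 to 7 is Sunday to Saturday, and ScheduledInstallTime is the hour (0 to 23). A value under the Policies key overrides the one the System Properties dialog writes, so both locations are read.

```powershell
# Added example, not part of the original guide. Assumes Windows PowerShell 2.0 and the
# Remote Registry service on every domain controller; run as a Domain Admin.
$policyKey = 'SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU'                   # Group Policy
$localKey  = 'SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\Auto Update'    # System Properties dialog
$days = 'Every day', 'Sunday', 'Monday', 'Tuesday', 'Wednesday', 'Thursday', 'Friday', 'Saturday'

function Read-AuSettings([string]$Computer) {
    $hive = [Microsoft.Win32.RegistryKey]::OpenRemoteBaseKey([Microsoft.Win32.RegistryHive]::LocalMachine, $Computer)
    try {
        # Policy first: when it defines AUOptions (or NoAutoUpdate) it wins over the local key.
        foreach ($pair in @(@($policyKey, 'Policy'), @($localKey, 'Local'))) {
            $key = $hive.OpenSubKey($pair[0])
            if ($key -eq $null) { continue }
            $opt = $key.GetValue('AUOptions')
            if ($opt -eq $null -and $key.GetValue('NoAutoUpdate') -ne 1) { continue }
            return New-Object PSObject -Property @{
                Computer  = $Computer
                Source    = $pair[1]
                Disabled  = ($key.GetValue('NoAutoUpdate') -eq 1)
                AUOptions = $opt
                Day       = $days[[int]$key.GetValue('ScheduledInstallDay', 0)]
                Hour      = [int]$key.GetValue('ScheduledInstallTime', 3)
            }
        }
        # Neither key configured: Automatic Updates has never been set up on this DC.
        New-Object PSObject -Property @{ Computer = $Computer; Source = 'None'; Disabled = $true
                                         AUOptions = $null; Day = ''; Hour = $null }
    } finally {
        $hive.Close()
    }
}

$domain = [System.DirectoryServices.ActiveDirectory.Domain]::GetCurrentDomain()
$report = foreach ($dc in $domain.DomainControllers) {
    try   { Read-AuSettings $dc.Name }
    catch { Write-Warning ('{0}: {1}' -f $dc.Name, $_.Exception.Message) }
}

$report | Format-Table Computer, Source, AUOptions, Disabled, Day, Hour -AutoSize

# AUOptions 4 with NoAutoUpdate unset is the state the procedure above produces.
$noncompliant = @($report | Where-Object { $_.Disabled -or $_.AUOptions -ne 4 })
if ($noncompliant.Count -gt 0) {
    Write-Warning ('Not set to scheduled download and install: ' +
        (($noncompliant | ForEach-Object { $_.Computer }) -join ', '))
}
```

The Day and Hour columns let you confirm that the restart window chosen in step 4 is the same on every domain controller, or deliberately staggered so that not all of them restart at once.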

Using Windows Update

Windows Update is the online extension of Windows that helps you keep computers that are connected to the Internet up-to-date. You can run Windows Update to ensure that Automatic Updates has installed all the latest security updates. Windows Update is useful if Microsoft notifies you of a new security issue and you want to immediately ensure that your computers are up-to-date.

Requirements

  • Credentials: You must be logged on as a member of the Server Operators or Domain Admins groups.

  • Repeat these steps: You must complete these steps on each one of your domain controllers.

IMPORTANT: Security updates often require that you restart your domain controllers. When running Windows Update, be sure to consider the impact that restarting your domain controllers can have on your users.

  • To run Windows Update to manually download and install security updates

    1. Click Start, click All Programs, and then click Windows Update.

    2. In Internet Explorer, click Scan for updates, and then wait until the scan is 100 percent complete.

    3. Windows Update automatically selects any necessary critical security updates that are missing from your domain controller. If any updates are available, click Review and Install Updates, click Install Now, and then follow the installation instructions on your screen.

    4. Repeat these steps until no critical updates are available for your domain controller.

Creating a Reserve File to Enable Recovery from Disk-Space Attacks

Many security-related attacks involve an attempt to consume the system resources of the targeted system. One of the commonly attacked system resources is available disk space. In a disk-space attack, the attacker uses all space on a disk by adding a large number of objects to the directory.

You can improve how quickly you recover from a disk-space attack by proactively creating a reserve file on the disk that contains your Active Directory database (Ntds.dit). A reserve file is simply a large file that takes up, or reserves, available space on a disk. If an attacker exhausts all the other disk space by adding a large number of unauthorized objects to the directory, you can delete the reserve file to regain space and begin to restore normal operation.

IMPORTANT: If a disk-space attack occurs on a domain controller, in addition to deleting the reserve file, you also need to delete the unauthorized objects that fill the disk space. For more information about deleting unauthorized objects after a disk-space attack, see "Best Practice Guide for Securing Active Directory Installations and Day-to-Day Operations: Part II" on the Microsoft Web site at https://go.microsoft.com/fwlink/?LinkId=22040.

The following procedure reserves disk space by creating a file on the same disk as the Active Directory database. The reserve file should be the larger of 250 megabytes (MB) or 1 percent of the size of the logical volume that holds the Active Directory database. The database (Ntds.dit) is in the systemroot\Ntds folder by default; if it was moved during installation, create the reserve file on that volume instead. You should perform this procedure on every domain controller in your network.

Requirements

  • Credentials: You must be logged on to the domain controller as a member of the Domain Admins or Enterprise Admins groups.

  • Repeat this step: You should perform this procedure on every domain controller in your network.

  • Tools: Fsutil.exe.

  • To create a reserve file to enable recovery from disk-space attacks

    1. Click Start, click Run, type cmd, and then click OK.

    2. At the command prompt, type the following command, and then press ENTER:
      fsutil file createnew %systemroot%\ntds\reservefile 256000000

This command creates a reserve file named Reservefile (256,000,000 bytes, roughly 250 MB) in the directory that contains the Active Directory database on the domain controller. The command fails if the volume has less free space than the file size. If Active Directory stops working because the volume is full, delete this file to regain space.

Verifying New Settings

Use the following procedure to verify that the reserve file has been created on your domain controllers.

Requirements

  • Credentials: You must be logged on to the domain controller as a member of the Domain Admins or Enterprise Admins group.

  • Tools: My Computer.

  • Repeat these steps: If you have more than one domain controller, you should verify the creation of the reserve file on each of your domain controllers.

  • To verify the creation of the reserve file on a domain controller

    1. Click Start, and then click My Computer.

    2. In My Computer, navigate to the Ntds folder (typically at C:\Windows\Ntds).

    3. Double-click the Ntds folder, view the Reservefile file and verify that it is at least 250 MB in size.

Disabling Automatic 8.3 Name Generation

Many viruses and attack utilities are 16-bit programs that depend on the short (8.3) file names that NTFS generates automatically for long file names. Secure domain controllers do not run 16-bit applications locally, so you should disable automatic 8.3 name generation to deny these tools the names they expect.

To disable automatic 8.3 name generation, set the NtfsDisable8dot3NameCreation registry entry to 1 on every domain controller. The setting affects only files created after the change (short names that already exist remain), it takes effect after a restart, and some legacy applications and installers rely on short names, so test it on one domain controller before rolling it out.

CAUTION: Incorrectly editing the registry might severely damage your system. Before making changes to the registry, you should back up any valued data on the computer.

Requirements

  • Credentials: You must be logged on as a member of the Domain Admins group.

  • Repeat these steps: You must complete these steps on each of your domain controllers.

  • Tools: Regedit.exe (the registry editor)

  • To disable automatic 8.3 name generation on your domain controllers

    1. Click Start, click Run, type regedit.exe and then click OK.

    2. In the registry editor, navigate to
      HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\FileSystem

    3. Select the NtfsDisable8dot3NameCreation registry entry.

    4. Click Edit, and then click Modify.

    5. In the Value data box, type 1 to disable automatic 8.3 name generation for this domain controller, and then click OK.

    6. Close the registry editor, and then restart the domain controller for the change to take effect.
      For more information about how to disable automatic 8.3 name generation, see "Best Practice Guide for Securing Active Directory Installations" (for Windows Server 2003) on the Microsoft Web site at https://go.microsoft.com/fwlink/?linkid=22342.
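The following script is an added example, not part of the original guide, and applies and verifies the two file-system measures above (the reserve file and the 8.3 setting) on the local domain controller in one run. Unlike the fixed 256,000,000-byte command above, it sizes the reserve file by the guide's rule, the larger of 250 MB or 1 percent of the volume, and it reads the database location from the NTDS service parameters rather than assuming %systemroot%\Ntds. It assumes Windows PowerShell 2.0 run as a Domain Admin on the domain controller; the file name reservefile is the one the guide uses. Run it with -WhatIf to see what it would change without changing anything.

```powershell
# Added example, not part of the original guide. Assumes Windows PowerShell 2.0 run as
# a Domain Admin on a Windows Server 2003 domain controller.
[CmdletBinding(SupportsShouldProcess = $true)]
param()

# --- Reserve file --------------------------------------------------------------
# Locate Ntds.dit from the NTDS service parameters instead of assuming
# %systemroot%\Ntds; the database may have been placed elsewhere during dcpromo.
$ntdsParams = 'HKLM:\SYSTEM\CurrentControlSet\Services\NTDS\Parameters'
$dbPath     = (Get-ItemProperty -Path $ntdsParams).'DSA Database file'
$reserve    = Join-Path (Split-Path -Parent $dbPath) 'reservefile'

# Size rule from the guide: the larger of 250 MB or 1 percent of the logical volume
# that holds the database (250MB here is the PowerShell literal, 262,144,000 bytes).
$driveId    = Split-Path -Qualifier $dbPath                         # e.g. 'C:'
$volume     = Get-WmiObject -Class Win32_LogicalDisk -Filter "DeviceID='$driveId'"
$targetSize = [Math]::Max([int64]250MB, [int64]($volume.Size / 100))

if (Test-Path -Path $reserve) {
    $actual = (Get-Item -Path $reserve).Length
    if ($actual -lt $targetSize) {
        Write-Warning ('{0} exists but is {1:N0} bytes; expected at least {2:N0}.' -f $reserve, $actual, $targetSize)
    } else {
        Write-Host ('Reserve file OK: {0} ({1:N0} bytes).' -f $reserve, $actual)
    }
} elseif ($PSCmdlet.ShouldProcess($reserve, "create reserve file of $targetSize bytes")) {
    # fsutil allocates the space without writing it, so this is fast; it fails with a
    # non-zero exit code if the volume does not have that much free space.
    & fsutil.exe file createnew $reserve $targetSize | Out-Null
    if ($LASTEXITCODE -ne 0) { throw "fsutil file createnew failed with exit code $LASTEXITCODE" }
    Write-Host ('Created {0} ({1:N0} bytes).' -f $reserve, $targetSize)
}

# --- 8.3 name generation --------------------------------------------------------
# 1 stops NTFS from generating short names for new files on every volume. Short names
# that already exist are kept, and the change takes effect only after a restart.
$fsKey   = 'HKLM:\SYSTEM\CurrentControlSet\Control\FileSystem'
$current = (Get-ItemProperty -Path $fsKey).NtfsDisable8dot3NameCreation
if ($current -eq 1) {
    Write-Host 'Automatic 8.3 name generation is already disabled.'
} elseif ($PSCmdlet.ShouldProcess($fsKey, 'set NtfsDisable8dot3NameCreation = 1')) {
    Set-ItemProperty -Path $fsKey -Name NtfsDisable8dot3NameCreation -Value 1 -Type DWord
    Write-Warning 'NtfsDisable8dot3NameCreation set to 1; restart the domain controller to apply it.'
}
```

Because both changes are idempotent, the same script doubles as the verification step: a second run reports the existing reserve file and the already-disabled setting instead of changing anything.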

Protecting Domain Controllers on Restart by Using Syskey

On domain controllers, password information is stored in Active Directory. Password-cracking software commonly targets the Security Accounts Manager (SAM) database or Active Directory to extract the password hashes of user accounts. The System Key utility (Syskey) helps protect your system from such software: it uses strong encryption to protect the account password information that is stored in the SAM database or in Active Directory.

Syskey Options

  • Mode 1 - System Generated Password: Store Startup Key Locally (Secure). Uses a computer-generated random key as the system key and stores an encrypted version of the key on the local computer. This option provides strong encryption of password information in the registry, and it enables the user to restart the computer without the need for an administrator to enter a password or insert a disk.

  • Mode 2 - Administrator Generated Password: Password Startup (More secure). Uses a computer-generated random key as the system key and stores an encrypted version of the key on the local computer. The key is also protected by an administrator-chosen password. Users are prompted for the system key password during the initial startup sequence. The system key password is not stored anywhere on the computer.

  • Mode 3 - System Generated Password: Store Startup Key on Floppy Disk (Most secure). Uses a computer-generated random key and stores the key on a floppy disk. The floppy disk that contains the system key is required for the system to start, and you must insert it at a prompt during the startup sequence. The system key is not stored anywhere on the computer.

Syskey is enabled on all Windows Server 2003 servers in Mode 1 (key stored, obfuscated, on the local computer). Mode 2 (console password) or Mode 3 (system key stored on a floppy disk) is recommended for any domain controller that is exposed to physical security threats. Note that with either of these modes the domain controller cannot restart unattended: someone must be at the console with the password or the floppy disk, which matters for the scheduled update installs described earlier in this guide.

For more information about how to use Syskey to protect domain controllers from unauthorized restarts, see "Chapter 4 - Hardening Domain Controllers" in the Windows Server 2003 Security Guide on the Microsoft Web site at https://go.microsoft.com/fwlink/?LinkId=22122.

Disabling Anonymous Access to Active Directory

By default, Active Directory does not grant explicit permissions on objects in the directory to the special identity Anonymous Logon, which represents anonymous connections. However, when you enable Pre-Windows 2000 compatibility on domain controllers that are running Windows Server 2003, the special identity Anonymous Logon is added as a member of the group Pre-Windows 2000 Compatible Access. Because this Pre-Windows 2000 Compatible Access group is assigned Read permissions on the domain root, as well as on user, computer, and group objects, applications and services that use anonymous access can read these objects.

In environments where applications do not require the establishment of anonymous connections to access Active Directory data, it is recommended that you disable anonymous access.

You can disable anonymous access if you have a single Active Directory forest with member servers and domain controllers running only Windows Server 2003 or Microsoft Windows 2000 Server and workstations running only Microsoft Windows 2000 Professional or Windows XP Professional.

You can disable anonymous access as follows:

  • When you create a new domain, accept the default installation setting Permissions compatible only with Windows 2000 or Windows Server 2003 servers.

  • In an existing Windows Server 2003 domain that has pre-Windows 2000 compatible access enabled, remove Everyone and Anonymous Logon from the Pre-Windows 2000 Compatible Access group, leaving only Authenticated Users as a member.

For information about how to remove the Everyone group and the Anonymous Logon group from the Pre-Windows 2000 Compatible Access group, see "Best Practice Guide for Securing Active Directory Installations" (for Windows Server 2003) on the Microsoft Web site at https://go.microsoft.com/fwlink/?linkid=22342.
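The following script is an added example, not part of the original guide or of the best-practice guide it references. It checks the Pre-Windows 2000 Compatible Access group of the current domain for the two well-known principals that make it grant anonymous read access (Everyone, S-1-1-0, and Anonymous Logon, S-1-5-7), reports every member by SID, and, only when run with -Remove, takes those two out so that Authenticated Users (S-1-5-11) remains. It assumes Windows PowerShell 2.0 run as a Domain Admin on a domain controller and edits the group through ADSI; members are compared by SID rather than by display name.

```powershell
# Added example, not part of the original guide. Assumes Windows PowerShell 2.0 run as
# a Domain Admin. Without -Remove the script only reports.
param([switch]$Remove)

$rootDse  = [ADSI]'LDAP://RootDSE'
$domainDn = [string]$rootDse.defaultNamingContext

# The group lives in the Builtin container (its SID, S-1-5-32-554, is fixed).
$group = [ADSI]"LDAP://CN=Pre-Windows 2000 Compatible Access,CN=Builtin,$domainDn"

# Well-known SIDs whose membership turns the group into anonymous read access.
$anonymous = @{ 'S-1-1-0' = 'Everyone'; 'S-1-5-7' = 'Anonymous Logon' }
$expected  = 'S-1-5-11'                                  # Authenticated Users

$offending = @()
foreach ($dn in $group.Properties['member']) {
    $member = [ADSI]"LDAP://$dn"
    $sid = (New-Object System.Security.Principal.SecurityIdentifier `
        -ArgumentList $member.Properties['objectSid'].Value, 0).Value
    $label = if ($anonymous.ContainsKey($sid)) { $anonymous[$sid] }
             elseif ($sid -eq $expected)       { 'Authenticated Users' }
             else                              { $dn }     # anything else deserves a look
    '{0,-14} {1}' -f $sid, $label
    if ($anonymous.ContainsKey($sid)) { $offending += $member }
}

if ($offending.Count -eq 0) {
    'Neither Everyone nor Anonymous Logon is a member; anonymous access to Active Directory is disabled.'
} elseif (-not $Remove) {
    Write-Warning 'Anonymous access is enabled. Re-run with -Remove once you have confirmed that no application depends on it.'
} else {
    foreach ($member in $offending) {
        $group.Remove($member.Path)      # IADsGroup::Remove takes the member's ADsPath and commits immediately
        Write-Host ('Removed {0}' -f $member.Path)
    }
}
```

Run it without -Remove first and keep the membership listing: anything other than Authenticated Users, Everyone or Anonymous Logon in the group is unexpected and worth tracing before you change it. Remember the condition stated above: remove the two principals only in an environment where no application requires anonymous connections to Active Directory.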

For more information about securing Windows Server 2003, see the following:

For more information about securing DNS, see the following:

For more information about Windows Server 2003, see the following: