You have a new site that your company just purchased. When you inspected the site, you realized that the previous server was stored in a closet in a commonly accessed hallway with no locks. You typically install domain controllers at each site. You also need to ensure that if the domain controller is compromised, none of the administrator or service accounts will be accessible. What should you do?
Domain controllers provide the physical storage for the AD DS database, in addition to providing the services and data that allow enterprises to effectively manage their servers, workstations, users, and applications. If privileged access to a domain controller is obtained by a malicious user, that user can modify, corrupt, or destroy the AD DS database and, by extension, all of the systems and accounts that are managed by Active Directory.
Because domain controllers can read from and write to anything in the AD DS database, compromise of a domain controller means that your Active Directory forest can never be considered trustworthy again unless you are able to recover using a known good backup and to close the gaps that allowed the compromise in the process.
Depending on an attacker's preparation, tooling, and skill, modification or even irreparable damage to the AD DS database can be completed in minutes to hours, not days or weeks. What matters isn't how long an attacker has privileged access to Active Directory, but how much the attacker has planned for the moment when privileged access is obtained. Compromising a domain controller can provide the most expedient path to wide scale propagation of access, or the most direct path to destruction of member servers, workstations, and Active Directory. Because of this, domain controllers should be secured separately and more stringently than the general Windows infrastructure.
Secure Configuration of Domain Controllers
A number of freely available tools, some of which are installed by default in Windows, can be used to create an initial security configuration baseline for domain controllers that can subsequently be enforced by GPOs. These tools are described here.
Security Configuration Wizard
All domain controllers should be locked down upon initial build. This can be achieved using the Security Configuration Wizard that ships natively in Windows Server to configure service, registry, system, and Windows Firewall with Advanced Security (WFAS) settings on a "base build" domain controller. Settings can be saved and exported to a GPO that can be linked to the Domain Controllers OU in each domain in the forest to enforce consistent configuration of domain controllers. If your domain contains multiple versions of Windows operating systems, you can configure Windows Management Instrumentation (WMI) filters to apply GPOs only to the domain controllers running the corresponding version of the operating system.
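A GPO WMI filter is just a WQL query that Group Policy evaluates on each computer before applying the GPO. The following PowerShell is an added example, not part of the original page or of Microsoft's documentation: it builds the per-version filter text you would paste into GPMC (namespace root\CIMv2) and evaluates the same query locally so you can confirm, on a base-build domain controller, which version-specific GPO would apply. The version-to-OS mapping is the NT kernel version reported by Win32_OperatingSystem; the ProductType value 2 is what distinguishes a domain controller from a member server (3) or workstation (1).

```powershell
# Added example (not from the original page). NT kernel versions reported by
# Win32_OperatingSystem for the server releases the page mentions.
$DcOsFilters = [ordered]@{
    'Windows Server 2008'    = '6.0'
    'Windows Server 2008 R2' = '6.1'
    'Windows Server 2012'    = '6.2'
    'Windows Server 2012 R2' = '6.3'
}

function Get-DcWmiFilterQuery {
    # Returns the WQL to paste into the GPMC WMI filter. ProductType = 2 restricts the
    # filter to domain controllers, so a member server on the same OS version is excluded.
    param([Parameter(Mandatory)][string]$VersionPrefix)
    "SELECT * FROM Win32_OperatingSystem WHERE Version LIKE '$VersionPrefix%' AND ProductType = 2"
}

function Test-DcWmiFilter {
    # Runs each filter query on this host exactly as Group Policy would; a non-empty
    # result means a GPO carrying that filter would apply here.
    foreach ($name in $DcOsFilters.Keys) {
        $query = Get-DcWmiFilterQuery -VersionPrefix $DcOsFilters[$name]
        $hit = Get-CimInstance -Namespace 'root\CIMv2' -Query $query -ErrorAction SilentlyContinue
        [pscustomobject]@{
            Filter  = $name
            Query   = $query
            Applies = [bool]$hit
        }
    }
}

# Usage: list which filter matches this host, and warn if the host is not a DC at all
# (for example a member server that was accidentally placed in the Domain Controllers OU).
Test-DcWmiFilter | Format-Table -AutoSize
$os = Get-CimInstance -ClassName Win32_OperatingSystem
if ($os.ProductType -ne 2) {
    Write-Warning "$($os.Caption) (version $($os.Version)) is not a domain controller; no DC filter applies."
}
```

Exactly one row should report Applies = True on a supported domain controller. If none does, the GPO linked to the Domain Controllers OU with that filter will silently not apply, which is the failure mode to check for before trusting the baseline.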
Microsoft Security Compliance Toolkit
Microsoft Security Compliance Toolkit domain controller settings can be combined with Security Configuration Wizard settings to produce comprehensive configuration baselines for domain controllers that are deployed and enforced by GPOs deployed at the Domain Controllers OU in Active Directory.
RDP Restrictions
Group Policy Objects that link to all domain controllers OUs in a forest should be configured to allow RDP connections only from authorized users and systems (for example, jump servers). This can be achieved through a combination of user rights settings and WFAS configuration and should be implemented in GPOs so that the policy is consistently applied. If it is bypassed, the next Group Policy refresh returns the system to its proper configuration.
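The two controls named above (the "Allow log on through Remote Desktop Services" user right and the WFAS scope of the Remote Desktop rules) can both be checked from the domain controller itself. The script below is an added example, not code from the original page or from Microsoft: it exports the local user-rights assignments with secedit, reports any principal holding the RDP logon right that is not on an allow-list, and checks whether the built-in Remote Desktop inbound rules are still open to any address. The allow-list (BUILTIN\Administrators and BUILTIN\Remote Desktop Users) and the jump-server subnet 10.10.0.0/24 are assumptions constructed for the example. Run it elevated on a DC.

```powershell
# Added example (not from the original page). Assumed values: only these well-known
# SIDs may hold the RDP logon right, and RDP is reachable only from the jump-server subnet.
$AllowedRdpLogonSids = @('S-1-5-32-544', 'S-1-5-32-555')   # Administrators, Remote Desktop Users
$JumpServerSubnet    = '10.10.0.0/24'                        # assumed jump-server network

function Get-RemoteInteractiveLogonSids {
    # secedit writes the effective local policy as an INI file; the [Privilege Rights]
    # section lists each right as "SeXxx = *SID,*SID" (names appear without the *).
    $cfg = Join-Path $env:TEMP 'user-rights.inf'
    secedit /export /cfg $cfg /areas USER_RIGHTS | Out-Null
    $line = Get-Content -Path $cfg | Where-Object { $_ -match '^SeRemoteInteractiveLogonRight\s*=' }
    Remove-Item -Path $cfg -ErrorAction SilentlyContinue
    if (-not $line) { return @() }   # right granted to nobody: RDP logon is fully disabled
    ($line -split '=', 2)[1].Split(',') | ForEach-Object { $_.Trim().TrimStart('*') }
}

function Test-RdpLogonRight {
    # Any holder of the right outside the allow-list is a finding; a helpdesk group
    # added by hand on one DC is the typical drift this catches.
    $unexpected = @(Get-RemoteInteractiveLogonSids | Where-Object { $AllowedRdpLogonSids -notcontains $_ })
    [pscustomobject]@{
        Check      = 'SeRemoteInteractiveLogonRight'
        Compliant  = ($unexpected.Count -eq 0)
        Unexpected = $unexpected
    }
}

function Test-RdpFirewallScope {
    # The built-in "Remote Desktop" rule group ships with RemoteAddress = Any; a DC
    # should only accept RDP from the jump-server scope.
    $filters = @(Get-NetFirewallRule -DisplayGroup 'Remote Desktop' -Direction Inbound -Enabled True -ErrorAction SilentlyContinue |
                 Get-NetFirewallAddressFilter)
    $open = @($filters | Where-Object { $_.RemoteAddress -contains 'Any' })
    [pscustomobject]@{
        Check           = 'RDP inbound scope'
        Compliant       = ($filters.Count -gt 0 -and $open.Count -eq 0)
        RemoteAddresses = @($filters | ForEach-Object { $_.RemoteAddress } | Select-Object -Unique)
    }
}

function Set-RdpJumpServerScope {
    # Local remediation for a base build. The same scope belongs in the Domain
    # Controllers OU GPO so that the next Group Policy refresh restores it if widened.
    Get-NetFirewallRule -DisplayGroup 'Remote Desktop' -Direction Inbound |
        Set-NetFirewallRule -RemoteAddress $JumpServerSubnet
}

# Usage: report both checks; call Set-RdpJumpServerScope to narrow the firewall scope.
Test-RdpLogonRight
Test-RdpFirewallScope
```

The user right itself is not changed here because it should be set in the GPO (Computer Configuration, Windows Settings, Security Settings, User Rights Assignment) rather than per machine; the audit function tells you when a DC has drifted from that policy.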
Patch and Configuration Management for Domain Controllers
Although it may seem counterintuitive, you should consider patching domain controllers and other critical infrastructure components separately from your general Windows infrastructure. If you leverage enterprise configuration management software for all computers in your infrastructure, compromise of the systems management software can be used to compromise or destroy all infrastructure components managed by that software. By separating patch and systems management for domain controllers from the general population, you can reduce the amount of software installed on domain controllers, in addition to tightly controlling their management.
Blocking Internet Access for Domain Controllers
One of the checks that is performed as part of an Active Directory Security Assessment is the use and configuration of Internet Explorer on domain controllers. Internet Explorer (or any other web browser) should not be used on domain controllers, but analysis of thousands of domain controllers has revealed numerous cases in which privileged users used Internet Explorer to browse the organization's intranet or the Internet.
As previously described in the "Misconfiguration" section of Avenues to Compromise, browsing the Internet (or an infected intranet) from one of the most powerful computers in a Windows infrastructure using a highly privileged account (which are the only accounts permitted to log on locally to domain controllers by default) presents an extraordinary risk to an organization's security. Whether via a drive-by download or by download of malware-infected "utilities," attackers can gain access to everything they need to completely compromise or destroy the Active Directory environment.
Although Windows Server 2012, Windows Server 2008 R2, Windows Server 2008, and current versions of Internet Explorer offer a number of protections against malicious downloads, in most cases in which domain controllers and privileged accounts had been used to browse the Internet, the domain controllers were running Windows Server 2003, or protections offered by newer operating systems and browsers had been intentionally disabled.
Launching web browsers on domain controllers should be prohibited not only by policy, but by technical controls, and domain controllers should not be permitted to access the Internet. If your domain controllers need to replicate across sites, you should implement secure connections between the sites. Although detailed configuration instructions are outside the scope of this document, you can implement a number of controls to restrict the ability of domain controllers to be misused or misconfigured and subsequently compromised.
Perimeter Firewall Restrictions
Perimeter firewalls should be configured to block outbound connections from domain controllers to the Internet. Although domain controllers may need to communicate across site boundaries, perimeter firewalls can be configured to allow intersite communication by following the guidelines provided in "How to configure a firewall for domains and trusts" on the Microsoft Support website.
DC Firewall Configurations
As described earlier, you should use the Security Configuration Wizard to capture configuration settings for the Windows Firewall with Advanced Security on domain controllers. You should review the output of Security Configuration Wizard to ensure that the firewall configuration settings meet your organization's requirements, and then use GPOs to enforce configuration settings.
Preventing Web Browsing from Domain Controllers
You can use a combination of AppLocker configuration, "black hole" proxy configuration, and WFAS configuration to prevent domain controllers from accessing the Internet and to prevent the use of web browsers on domain controllers.
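The three controls listed above can be captured on a base-build domain controller and then carried into the Domain Controllers OU GPO. The script below is an added example, not code from the original page or from Microsoft: it writes an AppLocker policy that denies Internet Explorer for everyone, adds a WFAS outbound rule that blocks web ports to Internet addresses, points the machine-wide WinHTTP proxy at a black-hole address, and then tests the AppLocker decision for the IE binary. Assumptions constructed for the example: 127.0.0.1:3128 has nothing listening on it (the black hole), and *.corp.example is the intranet suffix that must still work. Two caveats a practitioner needs: an enforced AppLocker Exe collection blocks everything that is not explicitly allowed, so the three default allow rules are included alongside the deny rule (deny is evaluated first, so it still wins), and the Application Identity service must be running or AppLocker enforces nothing.

```powershell
# Added example (not from the original page). Assumed values below.
$BlackHoleProxy = '127.0.0.1:3128'   # nothing listens here; web requests go nowhere
$IntranetBypass = '<local>;*.corp.example'   # assumed intranet suffix (WSUS, PKI, DCs)
$PolicyPath     = Join-Path $env:TEMP 'dc-applocker.xml'

# AppLocker policy: default allow rules keep Windows and Program Files runnable;
# the deny rule for iexplore.exe overrides them. %PROGRAMFILES% in AppLocker covers
# both Program Files and Program Files (x86). Rule Ids are generated at run time.
$AppLockerPolicyXml = @"
<AppLockerPolicy Version="1">
  <RuleCollection Type="Exe" EnforcementMode="Enabled">
    <FilePathRule Id="$([guid]::NewGuid())" Name="(Default Rule) All files located in the Program Files folder" Description="" UserOrGroupSid="S-1-1-0" Action="Allow">
      <Conditions><FilePathCondition Path="%PROGRAMFILES%\*" /></Conditions>
    </FilePathRule>
    <FilePathRule Id="$([guid]::NewGuid())" Name="(Default Rule) All files located in the Windows folder" Description="" UserOrGroupSid="S-1-1-0" Action="Allow">
      <Conditions><FilePathCondition Path="%WINDIR%\*" /></Conditions>
    </FilePathRule>
    <FilePathRule Id="$([guid]::NewGuid())" Name="(Default Rule) All files" Description="" UserOrGroupSid="S-1-5-32-544" Action="Allow">
      <Conditions><FilePathCondition Path="*" /></Conditions>
    </FilePathRule>
    <FilePathRule Id="$([guid]::NewGuid())" Name="Deny Internet Explorer on domain controllers" Description="Web browsers are prohibited on DCs" UserOrGroupSid="S-1-1-0" Action="Deny">
      <Conditions><FilePathCondition Path="%PROGRAMFILES%\Internet Explorer\iexplore.exe" /></Conditions>
    </FilePathRule>
  </RuleCollection>
</AppLockerPolicy>
"@

function Install-DcBrowserBlock {
    # Application Identity service is required for AppLocker enforcement; sc.exe is used
    # because the service is protected on newer builds and Set-Service may be refused.
    sc.exe config appidsvc start= auto | Out-Null
    Start-Service -Name AppIDSvc -ErrorAction SilentlyContinue

    $AppLockerPolicyXml | Set-Content -Path $PolicyPath -Encoding UTF8
    Set-AppLockerPolicy -XmlPolicy $PolicyPath   # local policy; use -Ldap to write a GPO instead

    # WFAS: block outbound HTTP/HTTPS to Internet addresses only. "Internet" is a firewall
    # keyword resolved from the host's local subnets, so intranet WSUS/PKI traffic still works.
    New-NetFirewallRule -DisplayName 'DC - Block outbound web to Internet' -Direction Outbound `
        -Protocol TCP -RemotePort 80,443 -RemoteAddress Internet -Action Block -Profile Any | Out-Null

    # Black-hole proxy for WinHTTP clients (system components). The per-user IE proxy is
    # normally set to the same address through Group Policy.
    netsh winhttp set proxy proxy-server="$BlackHoleProxy" bypass-list="$IntranetBypass" | Out-Null
}

function Test-DcBrowserBlock {
    # Asks AppLocker what it would decide for the IE binary and confirms the block rule exists.
    $AppLockerPolicyXml | Set-Content -Path $PolicyPath -Encoding UTF8
    $iePath   = Join-Path $env:ProgramFiles 'Internet Explorer\iexplore.exe'
    $decision = Test-AppLockerPolicy -XmlPolicy $PolicyPath -Path $iePath -User Everyone
    $rule     = Get-NetFirewallRule -DisplayName 'DC - Block outbound web to Internet' -ErrorAction SilentlyContinue
    [pscustomobject]@{
        IeDecision    = $decision.PolicyDecision   # Denied once the policy above is in place
        OutboundBlock = [bool]$rule
        WinHttpProxy  = (netsh winhttp show proxy) -join ' '
    }
}

# Usage: Install-DcBrowserBlock on a base-build DC, then Test-DcBrowserBlock to verify.
Test-DcBrowserBlock
```

The firewall rule deliberately blocks only TCP 80 and 443 to Internet addresses rather than all outbound traffic, so AD replication, DNS and Kerberos between sites are untouched; the perimeter firewall rule described earlier remains the control that catches anything this host-level rule misses.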