Lock it down in 10 steps March 2, 2005
1. Use Windows Server 2003 – Out of the box, the Windows Server 2003 version of the Active
Directory is significantly more secure than the Windows 2000 version. That doesn’t mean that you
can’t make Windows 2000’s version highly secure. It just means that you can make your job easier by
using the Windows Server 2003 version, which doesn't require as much work to secure. If you can’t
upgrade to Windows Server 2003, try to ensure that you disable all pre-Windows 2000 features, such
as “Permissions compatible with pre–Windows 2000 servers.”
3. Protect DNS – Active Directory is highly dependent upon DNS. In particular, service records are
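An added check for this setting, written in PowerShell against the ActiveDirectory RSAT module (tooling that postdates this 2005 article; the code is not from it). The “Permissions compatible with pre–Windows 2000 servers” option works by placing the Everyone and Anonymous Logon well-known principals in the built-in Pre-Windows 2000 Compatible Access group, so the check reads that group's membership and flags those two SIDs; the SID-to-name table is constructed here.

```powershell
# Added example: report whether the "Pre-Windows 2000 Compatible Access" group
# still contains the well-known principals that grant legacy anonymous reads.
# Requires the ActiveDirectory module (RSAT) and rights to read group membership.
Import-Module ActiveDirectory

function Test-PreWin2000CompatibleAccess {
    # Well-known SIDs that the "Permissions compatible with pre-Windows 2000
    # servers" option adds to the group (table constructed for this example).
    $legacySids = @{
        'S-1-1-0' = 'Everyone'
        'S-1-5-7' = 'Anonymous Logon'
    }

    $group = Get-ADGroup -Identity 'Pre-Windows 2000 Compatible Access' -Properties member

    # Well-known principals are stored as foreign security principals, i.e.
    # CN=<SID>,CN=ForeignSecurityPrincipals,<domain DN>, so parse the SID out of the DN.
    $findings = foreach ($dn in $group.member) {
        if ($dn -match '^CN=(S-1-[0-9-]+),CN=ForeignSecurityPrincipals,') {
            $sid = $Matches[1]
            if ($legacySids.ContainsKey($sid)) {
                [pscustomobject]@{
                    Principal = $legacySids[$sid]
                    Sid       = $sid
                    MemberDN  = $dn
                }
            }
        }
    }

    if ($findings) {
        Write-Warning 'Legacy compatibility access is still enabled (see members below).'
    } else {
        Write-Verbose 'No Everyone/Anonymous Logon members in Pre-Windows 2000 Compatible Access.' -Verbose
    }
    return $findings
}

Test-PreWin2000CompatibleAccess | Format-Table -AutoSize
```

Remediation is to remove the flagged members (Remove-ADGroupMember on the listed DNs) once you have confirmed that no remaining pre-Windows 2000 clients or services depend on the anonymous read access; Authenticated Users, the modern default member, is deliberately not flagged.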
critical for telling computers where important domain controller-level functions are on the network.
Since DNS contains critical information about an Active Directory network, it is important to ensure
that the DNS servers that hold your Active Directory records are secure from snooping, both
electronically and physically. One recommended configuration is allowing only Secure Dynamic
Updates. Here’s a link on how to enable this setting.
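Since the link the author refers to is not preserved here, the following is an added PowerShell example (not from the article) that shows the setting in practice: it lists primary zones on a DNS server whose dynamic-update mode is anything other than Secure, and a second function switches an AD-integrated zone to Secure only. It uses the DnsServer module from RSAT (Windows Server 2012 and later); the zone name in the commented call is a placeholder.

```powershell
# Added example: find DNS zones that accept nonsecure dynamic updates and,
# separately, switch an AD-integrated zone to Secure only. Requires the DnsServer
# module (RSAT DNS tools; Windows Server 2012 or later).
Import-Module DnsServer

function Get-ZonesAllowingNonsecureUpdates {
    param([string]$DnsServer = $env:COMPUTERNAME)

    Get-DnsServerZone -ComputerName $DnsServer |
        Where-Object { $_.ZoneType -eq 'Primary' -and -not $_.IsAutoCreated } |
        ForEach-Object {
            $zone = $_   # capture: inside 'switch' $_ is rebound to the tested value
            # DynamicUpdate is one of: None, NonsecureAndSecure, Secure.
            $advice = switch ($zone.DynamicUpdate) {
                'Secure' { 'OK' }
                'None'   { 'OK (no dynamic updates); confirm clients register elsewhere' }
                default  {
                    if ($zone.IsDsIntegrated) {
                        'Set to Secure'
                    } else {
                        'File-backed zone: convert to AD-integrated, then set to Secure'
                    }
                }
            }
            [pscustomobject]@{
                ZoneName       = $zone.ZoneName
                DsIntegrated   = $zone.IsDsIntegrated
                DynamicUpdate  = $zone.DynamicUpdate
                Recommendation = $advice
            }
        }
}

function Set-ZoneSecureUpdatesOnly {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [Parameter(Mandatory)][string]$ZoneName,
        [string]$DnsServer = $env:COMPUTERNAME
    )
    $zone = Get-DnsServerZone -Name $ZoneName -ComputerName $DnsServer
    # Secure dynamic updates are only available for AD-integrated zones.
    if (-not $zone.IsDsIntegrated) {
        throw "$ZoneName is not AD-integrated; convert it first (ConvertTo-DnsServerPrimaryZone -ReplicationScope Domain)."
    }
    if ($PSCmdlet.ShouldProcess($ZoneName, 'Set DynamicUpdate = Secure')) {
        Set-DnsServerPrimaryZone -Name $ZoneName -DynamicUpdate Secure -ComputerName $DnsServer
    }
}

Get-ZonesAllowingNonsecureUpdates | Format-Table -AutoSize
# Set-ZoneSecureUpdatesOnly -ZoneName 'corp.example.com' -WhatIf   # placeholder zone name
```

On Windows Server 2003 the same change is made with `dnscmd <server> /Config <zone> /AllowUpdate 2` (2 = secure only) or in the DNS console under the zone's General tab.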
4. Protect your FSMOs – Flexible Single Master Operations roles, or FSMOs, are very important to
Active Directory. In particular, the PDC Emulator is responsible for many important functions, like time
synchronization, preferential Group Policy updates, and account lockout processing. Furthermore, the
Schema Master controls updates to the Schema and must also be protected. You might consider fault
tolerant servers and solid backups as well as other common countermeasures to protect your FSMO
servers.
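As an added example (PowerShell with the ActiveDirectory RSAT module, not code from the article), the following lists the five FSMO role holders, checks that each one answers a ping, and verifies that the PDC Emulator, which the step identifies as the time authority, is not free-running on its own clock. The unhealthy time-source strings are the ones w32tm itself reports.

```powershell
# Added example: list the FSMO role holders, check each is reachable, and verify
# the PDC Emulator (the domain time authority) is not free-running on its
# local clock. Requires the ActiveDirectory module (RSAT).
Import-Module ActiveDirectory

function Get-FsmoRoleStatus {
    $forest = Get-ADForest
    $domain = Get-ADDomain

    # Forest-wide roles come from Get-ADForest, domain roles from Get-ADDomain.
    $roles = [ordered]@{
        'Schema Master'         = $forest.SchemaMaster
        'Domain Naming Master'  = $forest.DomainNamingMaster
        'PDC Emulator'          = $domain.PDCEmulator
        'RID Master'            = $domain.RIDMaster
        'Infrastructure Master' = $domain.InfrastructureMaster
    }

    foreach ($role in $roles.Keys) {
        $holder = $roles[$role]
        [pscustomobject]@{
            Role      = $role
            Holder    = $holder
            Reachable = Test-Connection -ComputerName $holder -Count 1 -Quiet
        }
    }
}

function Test-PdcTimeSource {
    $pdc = (Get-ADDomain).PDCEmulator
    # w32tm reports "Local CMOS Clock" or "Free-running System Clock" when the
    # PDC is not synchronising from an upstream/external source.
    $source = (w32tm /query /computer:$pdc /source) -join ' '
    [pscustomobject]@{
        PDCEmulator = $pdc
        TimeSource  = $source.Trim()
        Healthy     = $source -notmatch 'Local CMOS Clock|Free-running'
    }
}

Get-FsmoRoleStatus | Format-Table -AutoSize
Test-PdcTimeSource
```

A role holder that is unreachable, or a PDC Emulator on its local clock (which lets Kerberos skew drift across the domain), is the kind of single point of failure the step's fault-tolerance and backup advice is meant to cover; `netdom query fsmo` gives the same holder list from a command prompt.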
5. Enable auditing – Auditing allows administrators to determine what has happened with their Active
Directory. By turning on auditing, you can audit: Account Management, Logon Events, Policy Change,
and Privilege Use. Although it should go without saying, auditing is useless if you don’t regularly
inspect the logs.
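An added PowerShell example (not from the article) covering both halves of this step: the first function finds subcategories in the four named categories that are still set to No Auditing (auditpol's "Logon/Logoff" is the current name for the "Logon Events" category the author lists), and the second pulls the last day of account-management and lockout events from the Security log so the audit trail is actually read. auditpol must run elevated; the event ID list is the well-known Security log set.

```powershell
# Added example: (1) list audit subcategories in the four categories named in
# the step that are still "No Auditing", and (2) pull account-management and
# lockout events from the Security log for review. Run in an elevated session.

function Get-AuditPolicyGaps {
    $categories = 'Account Management', 'Logon/Logoff', 'Policy Change', 'Privilege Use'
    foreach ($category in $categories) {
        # /r emits CSV with columns: Machine Name, Policy Target, Subcategory,
        # Subcategory GUID, Inclusion Setting, Exclusion Setting
        auditpol /get /category:"$category" /r | ConvertFrom-Csv |
            Where-Object { $_.'Inclusion Setting' -eq 'No Auditing' } |
            ForEach-Object {
                [pscustomobject]@{
                    Category    = $category
                    Subcategory = $_.Subcategory
                    Setting     = $_.'Inclusion Setting'
                }
            }
    }
}

function Get-RecentAccountManagementEvents {
    param([int]$Hours = 24)
    # Security event IDs: 4720 user created, 4722 user enabled, 4724 password
    # reset attempt, 4726 user deleted, 4728/4732/4756 member added to a
    # global/local/universal security group, 4740 account locked out.
    $ids = 4720, 4722, 4724, 4726, 4728, 4732, 4740, 4756
    $filter = @{ LogName = 'Security'; Id = $ids; StartTime = (Get-Date).AddHours(-$Hours) }
    Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue |
        Select-Object TimeCreated, Id,
            @{ Name = 'Summary'; Expression = { ($_.Message -split "`r?`n")[0] } }
}

Get-AuditPolicyGaps | Format-Table -AutoSize
Get-RecentAccountManagementEvents -Hours 24 | Format-Table -AutoSize
```

Enabling a subcategory is `auditpol /set /subcategory:"<name>" /success:enable /failure:enable`, though on a domain the setting should come from Group Policy so it survives reboots and applies to every DC; the event query is the sort of thing to schedule daily and route to whoever owns account administration.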
6. Disable unnecessary services and remove unnecessary applications – Because all domain
controllers should ideally be used only as domain controllers, it makes sense to avoid running any
unnecessary services and software on them. Ensure that only a minimal set of applications and
services are running. Avoid using your domain controller as a file server or a Web server whenever
possible.
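An added PowerShell example (not from the article) for turning this step into a repeatable check. The first function lists the installed Server Manager roles and role services on a DC and flags the ones this step argues against (IIS and the file server role among them); the second and third snapshot the auto-start services of a known-good DC and diff another DC against that baseline. The "discouraged" list, the baseline path and the DC02 name are assumptions for this example.

```powershell
# Added example: inventory what a domain controller runs beyond its core job.
# Part 1 flags installed roles the step argues against; part 2 baselines the
# auto-start services of a reference DC and diffs another DC against it.
Import-Module ServerManager

function Get-DcRoleReview {
    # Server Manager feature names; adjust this list to local policy (assumption).
    $discouraged = 'Web-Server', 'FS-FileServer', 'Print-Services', 'DHCP', 'Remote-Desktop-Services'
    Get-WindowsFeature |
        Where-Object { $_.Installed -and $_.FeatureType -in 'Role', 'Role Service' } |
        ForEach-Object {
            [pscustomobject]@{
                Name        = $_.Name
                DisplayName = $_.DisplayName
                Type        = $_.FeatureType
                Discouraged = $_.Name -in $discouraged
            }
        } | Sort-Object Discouraged -Descending
}

function Save-AutoStartServiceBaseline {
    param([Parameter(Mandatory)][string]$Path)
    # Capture name, display name and binary path so a renamed or relocated
    # service shows up as a difference, not just a new name.
    Get-CimInstance Win32_Service |
        Where-Object { $_.StartMode -eq 'Auto' } |
        Select-Object Name, DisplayName, PathName |
        Export-Clixml -Path $Path
}

function Compare-AutoStartServices {
    param(
        [Parameter(Mandatory)][string]$BaselinePath,
        [string]$ComputerName = $env:COMPUTERNAME
    )
    $baseline = Import-Clixml -Path $BaselinePath
    $current  = Get-CimInstance Win32_Service -ComputerName $ComputerName |
        Where-Object { $_.StartMode -eq 'Auto' } |
        Select-Object Name, DisplayName, PathName
    # '=>' marks a service present only on the target; '<=' one missing from it.
    Compare-Object -ReferenceObject $baseline -DifferenceObject $current -Property Name -PassThru |
        Select-Object Name, DisplayName, PathName, SideIndicator
}

Get-DcRoleReview | Format-Table -AutoSize
# Save-AutoStartServiceBaseline -Path 'C:\Baselines\dc-services.xml'                      # on a freshly built DC
# Compare-AutoStartServices -BaselinePath 'C:\Baselines\dc-services.xml' -ComputerName DC02  # placeholder name
```

Anything the diff reports as present only on the target DC needs an owner and a reason; services with a PathName outside %SystemRoot% deserve a closer look first.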
7. Install a security template – Security templates are an effective means of providing consistent
security across your domain and should be considered by the prudent, security-conscious
administrator. If the predefined templates (e.g. HiSecDc.inf) don’t meet your needs, create a custom
template.
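An added PowerShell wrapper (not from the article) around secedit, the tool that applies .inf security templates: the first function analyses the local configuration against a template and lists every deviation, the second applies the template with -WhatIf support. The template path is a placeholder: HiSecDc.inf shipped in %SystemRoot%\security\templates on Windows 2000/2003, and later Windows versions expect you to supply your own .inf. The log-line pattern is an assumption based on the "Mismatch - <setting>" and "Not Configured - <setting>" lines secedit writes to its analysis log.

```powershell
# Added example: analyse the local security configuration against a template
# with secedit and list every deviation; separately, apply the template.
# Run in an elevated session.

function Invoke-SecurityTemplateAnalysis {
    param(
        [Parameter(Mandatory)][string]$TemplatePath,
        [string]$WorkDir = (Join-Path $env:TEMP 'secedit-analysis')
    )
    New-Item -ItemType Directory -Force -Path $WorkDir | Out-Null
    $db  = Join-Path $WorkDir 'analysis.sdb'
    $log = Join-Path $WorkDir 'analysis.log'

    # Start from a fresh database so settings imported on an earlier run do not skew the result.
    Remove-Item $db, $log -ErrorAction SilentlyContinue
    secedit /analyze /db $db /cfg $TemplatePath /log $log /quiet | Out-Null

    # Assumed log format: "Mismatch - <setting>." / "Not Configured - <setting>."
    Get-Content $log | ForEach-Object {
        if ($_ -match '^\s*(Mismatch|Not Configured)\s*-\s*(.+?)\.?\s*$') {
            [pscustomobject]@{ Status = $Matches[1]; Setting = $Matches[2] }
        }
    }
}

function Set-SecurityTemplate {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [Parameter(Mandatory)][string]$TemplatePath,
        [string]$WorkDir = (Join-Path $env:TEMP 'secedit-apply')
    )
    New-Item -ItemType Directory -Force -Path $WorkDir | Out-Null
    $db  = Join-Path $WorkDir 'apply.sdb'
    $log = Join-Path $WorkDir 'apply.log'
    if ($PSCmdlet.ShouldProcess($env:COMPUTERNAME, "Apply template $TemplatePath")) {
        # /overwrite empties the database before importing so only this template's settings apply.
        secedit /configure /db $db /cfg $TemplatePath /overwrite /log $log /quiet
    }
}

# Placeholder template path; point it at your own .inf.
Invoke-SecurityTemplateAnalysis -TemplatePath 'C:\Templates\HiSecDc.inf' | Format-Table -AutoSize
# Set-SecurityTemplate -TemplatePath 'C:\Templates\HiSecDc.inf' -WhatIf
```

Run the analysis on a lab DC before applying anything: HiSecDc.inf and similar templates require NTLMv2 and SMB signing, which older clients and appliances may not speak. For domain-wide, consistent application, import the same template into a GPO linked to the Domain Controllers OU (Computer Configuration > Windows Settings > Security Settings > Import Policy) rather than running secedit on each DC.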
8. Prioritize patches for domain controllers – Microsoft releases critical and standard security
updates on a monthly basis (sometimes more often), and administrators need to ensure that domain
controllers are at the top of the priority list to get patched as quickly as possible.
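An added PowerShell example (not from the article) that makes "top of the priority list" measurable: it enumerates every DC with the ActiveDirectory RSAT module, asks each for its most recently installed update via Get-HotFix, and flags DCs whose last update is older than a threshold. The 35-day threshold (one monthly cycle plus slack) is an assumption; Get-HotFix only sees updates registered in Win32_QuickFixEngineering, so cross-check against your patch-management console.

```powershell
# Added example: rank every domain controller by how long ago its most recent
# update was installed, so DCs that have fallen behind stand out.
Import-Module ActiveDirectory

function Get-DcPatchAge {
    param([int]$MaxDays = 35)   # assumption: one monthly cycle plus slack

    foreach ($dc in Get-ADDomainController -Filter *) {
        $result = [ordered]@{
            DC          = $dc.HostName
            Site        = $dc.Site
            OS          = $dc.OperatingSystem
            LastHotFix  = $null
            InstalledOn = $null
            DaysSince   = $null
            Overdue     = $true    # stays true if the DC cannot be queried or has no dated updates
            Error       = $null
        }
        try {
            # Some entries carry no InstalledOn date; they cannot be ranked, so skip them.
            $latest = Get-HotFix -ComputerName $dc.HostName -ErrorAction Stop |
                Where-Object { $_.InstalledOn } |
                Sort-Object InstalledOn -Descending |
                Select-Object -First 1
            if ($latest) {
                $result.LastHotFix  = $latest.HotFixID
                $result.InstalledOn = $latest.InstalledOn
                $result.DaysSince   = (New-TimeSpan -Start $latest.InstalledOn -End (Get-Date)).Days
                $result.Overdue     = $result.DaysSince -gt $MaxDays
            }
        } catch {
            $result.Error = $_.Exception.Message
        }
        [pscustomobject]$result
    }
}

Get-DcPatchAge | Sort-Object Overdue, DaysSince -Descending | Format-Table -AutoSize
```

A DC that errors out (RPC blocked, host down) is reported as overdue rather than silently dropped, since an unreachable DC is exactly the one most likely to be missing patches.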
Page 1
Copyright ©2005 CNET Networks, Inc. All rights reserved.
To see more downloads and get your free TechRepublic membership, please visit
http://techrepublic.com.com/2001-6240-0.html.
(Active Directory: Lock it down in 10 steps – TechRepublic.com)
9. Set up physical security – Ensure your domain controllers are physically protected by being
quarantined to a locked room or closet. If a malicious employee or visitor can get physical access to a
domain controller and log on with an administrator account, that person could cause significant harm
to your Active Directory infrastructure.
10. Plan a fault tolerant topology – Since security is always about protecting against threats we
currently know about, it's likely that at some point something will sneak up on you. Will you be able to
recover? Keep in mind that because the Active Directory is a multi-master replication model, having
more than one DC means that there are few instances (FSMOs are one example) where the loss of a
DC will really hurt your directory. However, you must understand Active Directory’s replication
schemes and disaster recovery methods and plan your topology to mitigate the most common
problems and outages you can anticipate. Plan and be prepared.
Jeremy Smith is a subject matter expert in Microsoft Exchange and Active Directory as well as IT security.
He currently works as a solutions engineer for the leading 911 systems maker in the United States, Plant
Equipment, Inc., where he helps design enterprise solutions for emergency 911 environments.
Additional resources
• Sign up for the Windows 2000 Server newsletter, delivered on Tuesdays
• Sign up for the Windows Server 2003 newsletter, delivered on Wednesdays
• See all of TechRepublic's newsletter offerings
• Secure Windows Server 2003 Active Directory (TechProGuild)
• Know these five key FSMO roles in Active Directory (TechProGuild)
• Organizing and maintaining Active Directory (TechProGuild)
Version history
• Version: 1.0
• Published: March 2, 2005
Thanks!