Logo
PREGNANCY
Windows XP
Windows Vista
Windows 7
Windows Azure
Windows Server
Windows Phone
 
 
Windows Server

Windows Server 2003 : Creating Role-Specific Server Configurations (part 1) - Securing Domain Controllers

4/9/2011 11:48:32 AM
Once a baseline security configuration for your servers is in place, you can consider the special needs of the servers performing particular roles in your enterprise. Domain controllers, infrastructure servers, file and print servers, and application servers all are vulnerable to unique threats, and their security requirements can be quite different. By combining the policy settings in a role-specific GPO with those in your baseline configuration, you can create a secure environment for each server role without much duplication of effort.

Securing Domain Controllers

On a Windows Server 2003 network that uses Active Directory, no servers are more vital than the domain controllers. Because domain controllers provide authentication services for most network operations and store and distribute group policies, their failure or compromise can be a catastrophe for network productivity.

Tip

Be sure to understand the operational differences between the various server roles, including domain controllers, infrastructure servers, application servers, and file and print servers.


Isolating Domain Controllers

Because of the importance of domain controllers, your security measures should minimize the threats to the computers in every possible way. Physically, domain controllers should always be in a secured location, such as a server closet or a data center, which is accessible only to administrative personnel who have reason to be there. Secure the console with a complex password, so that even people who are in the room for other reasons are not able to access the server.

In addition to limiting physical access to your domain controller, you should limit the access provided by the network connection. This means reducing the number of open ports on the computer by minimizing the number of applications and services it runs.

Many domain controllers running Windows Server 2003 also run the DNS Server service, because DNS is intimately associated with Active Directory, but you should avoid running services and applications that are unnecessary to the domain controller role.

Setting Audit and Event Log Policies

When you install Active Directory on a computer running Windows Server 2003 and create a new domain, the system puts the domain controller’s computer object in an organizational unit called Domain Controllers and creates a GPO that is linked to that organizational unit. The Domain Controllers container’s GPO provides some additional security settings beyond the default settings in the domain’s GPO, but you might want to augment or modify them.

For example, the Domain Controllers container’s GPO enables the following audit policies, but configures them to audit only successes:

  • Audit Account Logon Events

  • Audit Account Management

  • Audit Directory Service Access

  • Audit Logon Events

  • Audit Policy Change

  • Audit System Events

Depending on the policy settings you use in your baseline security configuration, you might want to modify these settings to audit failures as well as successes, or to define additional policies such as Audit Object Access and Audit Process Tracking. If you decide to implement additional audit policies, be sure to consider the Event Log policies as well, because you might have to specify a larger maximum size for the security log to hold all the entries that these policies create.

Assigning User Rights

The default domain GPO created by Windows Server 2003 contains no user rights assignments, but the default Domain Controllers container’s GPO does. Most of the user rights that the GPO assigns using these policies are intended to give administrators the access they need to manage the domain controller, while granting users only the minimum rights they need to use the domain controller’s services. For the most part, the settings for the User Rights Assignment policy in the default Domain Controllers container’s GPO are acceptable, and you should use them on your domain controllers. However, there are a few changes that you might want to make.

Debug Programs The Debug Programs user right enables you to use a debugging tool to access any process running on the computer or even the operating system kernel itself. Software developers use these tools to debug applications that they are in the process of creating. This user right provides access to sensitive areas of the operating system that a potential intruder might be able to abuse. By default, the GPO linked to the Domain Controllers organizational unit grants this right to the Administrators group (see Figure 1). However, if no one in your organization is developing or debugging software, you can revoke the Debug Programs user right from the Administrators group and close what could be a serious security breach.

Figure 1. The Debug Programs Properties dialog box


Add Workstations To Domain By default, all authenticated users have the right to add up to ten computer accounts to an Active Directory domain. Adding an account creates a new computer object in the Computers container. Computer accounts are full security principals in Windows Server 2003, able to authenticate and access domain resources. This right can allow any authenticated user to create unauthorized domain workstations that an intruder could use when the computer account is idle.

Many large network installations rely on IT support personnel to install new workstations and manually create new computer objects. In this case, you can revoke the Authenticated Users group’s Add Workstations To Domain right without causing problems.

Allow Log On Locally The Allow Log On Locally user right enables specified users and groups to log on to the computer interactively from the console. Obviously, users with this right have access to many important operating system elements, and could cause a great deal of damage, either accidentally or deliberately. It is therefore important to grant this right only to users and groups that absolutely need it.

Tip

Users who connect to a domain controller using Terminal Services also require the Allow Log On Locally user right. Be sure to account for these users when modifying the default user rights assignments.


The default Domain Controllers container’s GPO grants the Allow Log On Locally user right to the following built-in groups:

  • Account Operators

  • Administrators

  • Backup Operators

  • Print Operators

  • Server Operators

How (or whether) you use the built-in groups is your decision, but, based on their intended use, the Account Operators and Print Operators groups typically do not need to perform their tasks from a domain controller console, so you can usually revoke these two groups’ Allow Log On Locally right.

Shut Down The System You should control the ability to shut down a domain controller very carefully, because shutting down a domain controller can affect systems all over the network. The default Domain Controllers container’s GPO grants this user right to the following groups:

  • Administrators

  • Backup Operators

  • Print Operators

  • Server Operators

In most environments, members of the Backup Operators and Print Operators groups should not need to shut down a domain controller, so you can revoke their right to do this.

Important

For the restrictions imposed by your assignments of Shut Down The System user right to be meaningful, you must also revoke the Security Options policy, Shutdown: Allow System To Be Shut Down Without Having To Log On. If you enable this option, any user can shut down the computer without authentication, which means that they are not subject to user rights restrictions.


Configuring Services

Domain controllers require the following additional services, which you should enable in the System Services container of your Domain Controllers container’s GPO, using the Automatic startup type:

  • Distributed File System

  • File Replication Service

  • Intersite Messaging

  • Kerberos Key Distribution Center

  • Remote Procedure Call (RPC) Locator

Other -----------------
- Exchange Server 2010 Management and Maintenance Practices : The Exchange Control Panel
- Exchange Server 2010 Management and Maintenance Practices : Maintenance Tools for Exchange Server 2010
- Exchange Server 2010 Management and Maintenance Practices : Proper Care and Feeding of Exchange Server 2010
- SharePoint 2010 : Designing and Managing Pages and Sites for Knowledge Workers - Reviewing Site Features and Site Collection Features
- SharePoint 2010 : Designing and Managing Pages and Sites for Knowledge Workers - Understanding and Using Site Variations
- SharePoint 2010 PerformancePoint Services : Examining Reporting Services Reports
- SharePoint 2010 PerformancePoint Services : Examining ProClarity Analytics Server Page Reports
- SharePoint 2010 PerformancePoint Services : Examining KPI Details Reports
- BizTalk 2010 Recipes : Orchestrations - Configuring a Send Port at Runtime
- BizTalk 2010 Recipes : Orchestrations - Binding Orchestrations
- BizTalk 2010 Recipes : Orchestrations - Creating Multipart Messages
- Windows Server 2008 R2 : File Server Resource Manager (part 4)
- Windows Server 2008 R2 : File Server Resource Manager (part 3)
- Windows Server 2008 R2 : File Server Resource Manager (part 2)
- Windows Server 2008 R2 : File Server Resource Manager (part 1) - Installing the File Server Resource Manager Tools & FSRM Global Options
- Windows Server 2008 R2 : Volume-Based NTFS Quota Management
- Exchange Server 2010 : Installing Edge Transport Monitoring Certificates (part 3) - Install the Agent on the Edge Transport & Configure the Agent to Use the Certificate
- Exchange Server 2010 : Installing Edge Transport Monitoring Certificates (part 2) - Request a Certificate from the Root CA Server
- Exchange Server 2010 : Installing Edge Transport Monitoring Certificates (part 1) - Create Certificate Template & Request the Root CA Server Certificate
- SharePoint 2010 : Designing and Managing Pages and Sites for Knowledge Workers - An Overview of Site Collection Administration Tools
 
 
Most view of day
- Windows Phone 7 : The Silverlight Controls (part 1) - Display Controls -TextBlock Controls, Image Controls, ProgressBar Controls
- How to Troubleshoot Driver Problems (part 2) - How to Use the Driver Verifier
- System Center Configuration Manager 2007 : Customizing Configuration Manager Reports (part 2) - Customizing Report Data Selection
- Microsoft Systems Management Server 2003 : Running Software Metering Reports
- Windows Server 2008 R2 file and print services : Services for Network File System, Windows Search Service
- Microsoft Word 2010 : Adding Graphics to Your Documents - Drawing Shapes in Word (part 2) - Modifying an AutoShape
- Windows Server 2012 Requirements and Installation : Installing Server 2012 (part 2) - Server with a GUI Install
- System Center Configuration Manager 2007 : Available Reports and Use Cases (part 3) - Client Status Reporting
- Microsoft Project 2010 : Comparing Costs to Your Budget (part 3) - Associate Resources with Their Budget Type, Compare Budget Resource Values
- Managing SharePoint 2010 with Windows PowerShell : Managing SharePoint 2010 Sites (part 2)
Top 10
- Migrating to Exchange Server 2007 : Migrating from Exchange 2000 Server or Exchange Server 2003 to Exchange Server 2007 (part 7)
- Migrating to Exchange Server 2007 : Migrating from Exchange 2000 Server or Exchange Server 2003 to Exchange Server 2007 (part 6)
- Migrating to Exchange Server 2007 : Migrating from Exchange 2000 Server or Exchange Server 2003 to Exchange Server 2007 (part 5) - Moving Mailboxes
- Migrating to Exchange Server 2007 : Migrating from Exchange 2000 Server or Exchange Server 2003 to Exchange Server 2007 (part 4) - Installing Exchange Server 2007 on a Server System
- Migrating to Exchange Server 2007 : Migrating from Exchange 2000 Server or Exchange Server 2003 to Exchange Server 2007 (part 3) - Installing Exchange Server 2007 Prerequisites
- Migrating to Exchange Server 2007 : Migrating from Exchange 2000 Server or Exchange Server 2003 to Exchange Server 2007 (part 2)
- Migrating to Exchange Server 2007 : Migrating from Exchange 2000 Server or Exchange Server 2003 to Exchange Server 2007 (part 1) - Planning Your Migration
- Migrating to Exchange Server 2007 : Deploying a Prototype Lab for the Exchange Server 2007 Migration Process
- Migrating to Exchange Server 2007 : Moving to Native Mode in Exchange
- Migrating to Exchange Server 2007 : Understanding What’s New and What’s Different with Exchange Server 2007
 
 
Windows XP
Windows Vista
Windows 7
Windows Azure
Windows Server
Windows Phone
2015 Camaro