Compromising a Domain Controller (DC) is equivalent to endangering the entire Active Directory. The logic behind this is simple: once an attacker gets access to a Domain Controller, they can read and change everything related to the AD domain. An attacker who has gained access to Domain Controllers may:
- damage the AD DS database
- access the security database and the information stored in it
- leak security configuration information
- change security configurations to gain access to domain resources
- steal computer and user account information and passwords
- take control of computers, users, and organizational units
Some Best Practices to Protect Domain Controllers
A Domain Controller compromise is disastrous for the organization. It makes the entire Active Directory unreliable and undependable. That is why AD administrators are very protective of Domain Controllers. Here are some tips to protect them:
Secure Domain Controllers physically
Securing Domain Controllers physically is very important. Keep Domain Controllers separated from other servers. A locked room with no access for unauthorized users is the best option, and entry should be monitored through an electronic access-control mechanism. Virtual domain controllers need to run on dedicated hosts. Ensure that Domain Controllers have very strong passwords and that only authorized users have them.
Implement a mechanism to administer Domain Controllers
There should be a dedicated administrative policy for Domain Controllers. Membership of the Domain Admins and Enterprise Admins groups should be kept very limited. Audit all activities on Domain Controllers, and be careful when delegating administrative rights over domain controllers.
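As an added example that is not part of the original article, the following PowerShell script checks the Domain Admins and Enterprise Admins groups against an approved-member baseline and flags risky account settings. It assumes the RSAT ActiveDirectory module is available and that the baseline list (constructed here) is replaced with the organization's own.

```powershell
# Added example (not from the original article): audit privileged AD group
# membership against an approved baseline and flag risky account settings.
# Assumes the ActiveDirectory module (RSAT) and rights to read group membership.
Import-Module ActiveDirectory

# Constructed baseline: the accounts allowed to hold these rights.
# Replace with the organization's own approved list.
$ApprovedMembers = @{
    'Domain Admins'     = @('Administrator', 'da-alice')
    'Enterprise Admins' = @('Administrator')
}
$StaleDays = 60

$Findings = foreach ($Group in $ApprovedMembers.Keys) {
    # -Recursive expands nested groups, so indirect members are caught too.
    $Members = Get-ADGroupMember -Identity $Group -Recursive
    foreach ($Member in $Members) {
        if ($Member.objectClass -ne 'user') { continue }
        $User = Get-ADUser -Identity $Member.DistinguishedName `
                    -Properties Enabled, PasswordNeverExpires, LastLogonDate
        $Reasons = @()
        if ($ApprovedMembers[$Group] -notcontains $User.SamAccountName) {
            $Reasons += 'not in approved baseline'
        }
        if ($User.PasswordNeverExpires) { $Reasons += 'password never expires' }
        if (-not $User.Enabled)         { $Reasons += 'disabled account still privileged' }
        if ($User.LastLogonDate -and
            $User.LastLogonDate -lt (Get-Date).AddDays(-$StaleDays)) {
            $Reasons += "no logon for $StaleDays+ days"
        }
        if ($Reasons.Count -gt 0) {
            [pscustomobject]@{
                Group   = $Group
                Account = $User.SamAccountName
                Reasons = ($Reasons -join '; ')
            }
        }
    }
}

# Report every member that deviates from the baseline or carries a risky setting.
if ($Findings) { $Findings | Format-Table -AutoSize } else { 'No findings.' }
```

Run it on a schedule from an administrative workstation and review every finding; an account that appears here without a change record is the kind of deviation the auditing advice above is meant to catch.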
Limit network access to Domain Controllers
Network access to Domain Controllers should be restricted to what is strictly required.
Use the most updated version of Windows Server
Use the newest version of the Windows Server OS that your infrastructure supports. Rather than upgrading existing domain controllers in place, perform a fresh installation whenever the OS or the server role changes.
Implement effective security measures
Implement a security policy and configure adequate security measures to protect Domain Controllers. Security policies can be enforced through GPOs: either modify the default Domain Controllers policy, or create a new GPO and link it to the Domain Controllers Organizational Unit. Various Microsoft tools and trusted third-party tools such as LepideAuditor Suite (http://www.lepide.com/lepideauditor/) can be used for this purpose.
Limit what is run on Domain Controllers
Domain Controllers should run only the applications and services that are essential for their functioning and security. Reliable third-party applications can be used to block unnecessary software.
Keep web browsers and surfing out of DC
Domain Controllers should not be used for web browsing, not even from privileged accounts. Make this part of the policy and block web browsers technically. Effective policy, security configurations, and preventive measures together can prevent browsing completely.
Backup Domain Controllers
Back up Domain Controllers using Windows Server features so that, when needed, they can be restored easily. It is also recommended to audit backup and restoration actions.
What to do after a fallout?
There are a few things one can do after discovering a Domain Controller compromise:
Recover from a good backup: A good backup always brings smiles back to the admin's face, even after the worst attacks on Domain Controllers. Restore everything from the backup: system state data, files, and applications.
Eliminate the chances of future compromises: Find the vulnerabilities that caused the DC compromise and fix them so that similar events do not occur in the future.
The Domain Controller, being the brain of the Active Directory domain, needs special protection. If a Domain Controller becomes the target of an attack, the consequences are fatal for the entire organization. But there are many things one can do to prevent such attacks, to secure domain resources, and to protect Active Directory. One of the most convenient ways is to use an Active Directory Auditing and Group Policy Auditing Tool.