Physical security for Domain Controllers in Data Centers

Physical Domain Controllers in the Datacenter

In datacenters, physical DCs should be installed in dedicated racks or cages, separated from the general server population. Where possible, DCs should be equipped with a Trusted Platform Module (TPM) and all volumes should be encrypted with BitLocker Drive Encryption. This costs some performance, but it protects the directory against an attacker who removes the disks from the server. BitLocker also protects the system against rootkit-style attacks: if the boot files are modified, the system drops into BitLocker recovery instead of loading the altered binaries.

Virtual Domain Controllers

If DCs are virtualized, they must be placed on separate physical hosts, away from other virtual machines. If a third-party virtualization platform is in use, it is preferable to run the virtualized DCs on Hyper-V hosts on Windows Server 2012 instead, which reduces the attack surface. Virtual DC storage should also be isolated so that storage administrators cannot access the virtual machine files.

2- Physical security for Branch Domain Controllers

Physical Domain Controller

Branch offices that host only a few servers generally do not have physical security comparable to a datacenter. Domain controllers there must be configured with TPM and BitLocker. If the DCs cannot be placed in a secured room in the branch office, it is better to use Read-Only Domain Controllers (RODCs).

Virtual Domain Controller

If possible, virtual DCs in a branch office should be placed on a separate physical host. If that is not feasible, TPM and BitLocker must be enabled on the hosts. Depending on the size and physical security of the branch office, it is better to use RODCs in the branches.

Side sites with low physical security

If the infrastructure includes locations where only a single physical server can be deployed, that server should be set up as a virtualization host at the remote location. TPM and BitLocker must be configured on all of its volumes, and in this scenario the RODC runs as one of the virtual machines on that host.

3- Domain Controllers Operating System

All DCs should run the latest version of Windows Server, and DCs running older operating systems should be retired. Upgrading to a supported operating system brings new features and better security. New DCs should be installed fresh and promoted rather than upgraded in place; this way you can be sure that old files and settings do not inadvertently remain on the DC.

4- Secure Configuration of Domain Controller

Free tools, and some tools installed on the system by default, can be used to establish a security baseline.

5- Security Configuration Wizard

All DCs should be locked down as soon as they are created. This can be achieved with the Security Configuration Wizard (built into Windows Server), which configures service, registry, system and Windows Firewall with Advanced Security (WFAS) settings on DCs.

6- AppLocker

AppLocker or other whitelisting software should be used to control which services and software are allowed to run on DCs. The allowed set should include only what a server holding the AD DS role requires.

7- RDP Restrictions

Group Policy Objects linked to all DCs in the forest must be configured to allow RDP connections only from authorized systems and users. This is achieved through a combination of user rights assignments and WFAS settings, and it should be implemented in GPOs.

8- Patch and Configuration Management for Domain Controllers

Although this may seem counterintuitive, DCs and other critical infrastructure components should be patched separately from the general Windows infrastructure. Enterprise configuration management software is usually used for every computer in the infrastructure, so a compromise of that software endangers every component it manages. Isolating patch and system management for DCs also reduces the amount of software installed on the DCs.

9- Blocking Internet Access for Domain Controllers

One of the checks typically performed as part of an Active Directory Security Assessment is whether Internet Explorer is used on DCs. IE and other web browsers should not be used on DCs. As mentioned previously, browsing the Internet or an infected intranet with a highly privileged Windows account puts the organization at great risk, because an attacker can then deliver whatever malware is needed to compromise Active Directory. Using Internet Explorer on DCs should be prohibited not only by policy but also by technical controls, and DCs should not be allowed to reach the Internet. If DCs need to replicate across sites, a secure connection between the sites must be established.

10- Firewall Restriction

Firewalls must be configured correctly to block inbound and outbound domain controller connections that are not required. DCs may need to replicate between sites, and firewalls must be configured so that intersite communication is not broken. Replication through a firewall has many complications and requires a proper design that matches the network structure.

11- Active Directory Quota

Using AD quotas, you can restrict the number of objects a security principal may own or create. AD quotas can be used to reduce the risk of Denial of Service (DoS) attacks on the directory service. For example, the owner of an Organizational Unit (OU) could be limited to creating only one hundred new users. If a security principal that is allowed to create objects in the directory is compromised and no AD quota is set, the attacker can create enough objects to completely fill the disk that holds NTDS.dit. With quotas in place, the directory service is protected from this kind of DoS attack. AD quotas can be specified for security principals in each directory partition: application partitions, the domain partition, and the configuration partition.
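As an added example (not the article's own code), the following PowerShell creates one quota of the kind described above and then audits every quota in the domain partition; the group name "OU-Owners", the quota name and the limit of 100 are assumed values.

```powershell
# Added example (not the article's own code): create and audit an Active Directory
# quota with the ActiveDirectory PowerShell module. The group "OU-Owners", the
# quota name and the limit of 100 objects are assumed values for illustration.
Import-Module ActiveDirectory

$domainDN = (Get-ADDomain).DistinguishedName        # domain partition, e.g. DC=corp,DC=example
$quotasDN = "CN=NTDS Quotas,$domainDN"               # quota container of that partition
$trustee  = Get-ADGroup "OU-Owners"                  # security principal the quota applies to

# A quota is an msDS-QuotaControl object holding the trustee's SID and the object limit.
New-ADObject -Name "Quota-OU-Owners" -Type "msDS-QuotaControl" -Path $quotasDN `
    -OtherAttributes @{
        'msDS-QuotaTrustee' = $trustee.SID    # SID of the principal being limited
        'msDS-QuotaAmount'  = 100             # maximum objects this principal may own
    }

# Audit: list every quota in a partition next to the partition's default quota.
function Get-ADQuotaReport {
    param([string]$PartitionDN = $domainDN)
    $container = Get-ADObject "CN=NTDS Quotas,$PartitionDN" `
        -Properties 'msDS-DefaultQuota', 'msDS-TombstoneQuotaFactor'
    Get-ADObject -SearchBase $container.DistinguishedName `
        -LDAPFilter "(objectClass=msDS-QuotaControl)" `
        -Properties 'msDS-QuotaTrustee', 'msDS-QuotaAmount' |
      ForEach-Object {
        # Translate the stored SID back to a name; unresolvable SIDs are shown as SID strings.
        $sid  = [System.Security.Principal.SecurityIdentifier]"$($_.'msDS-QuotaTrustee')"
        $name = try { $sid.Translate([System.Security.Principal.NTAccount]).Value } catch { $sid.Value }
        [pscustomobject]@{
            Quota           = $_.Name
            Trustee         = $name
            Limit           = $_.'msDS-QuotaAmount'
            DefaultQuota    = $container.'msDS-DefaultQuota'           # -1 means unlimited
            TombstoneFactor = $container.'msDS-TombstoneQuotaFactor'   # percent a tombstone counts
        }
      }
}

Get-ADQuotaReport | Format-Table -AutoSize
```

Run the report on the configuration and application partitions as well by passing their distinguished names to -PartitionDN; a default quota of -1 with no per-principal quotas means nothing limits object creation in that partition.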

12- Fine-grained password policies for administrators

Using the Fine-Grained Password Policy feature, users with administrative privileges and other privileged users can be given more aggressive password policies than end users. In addition, users who are members of the local Administrators group on multiple domain computers also need stricter password policies.
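An added example (not code from the article) of such a policy: a Password Settings Object with stricter values than a typical default domain policy, applied to the built-in admin groups plus an assumed "Tier0-Admins" group, and a helper that shows which policy actually wins for a given account. All names and values are assumptions.

```powershell
# Added example (not the article's own code): a fine-grained password policy
# for privileged accounts. Group names, the account name and the values are assumed.
Import-Module ActiveDirectory

# Precedence 10 wins over any PSO with a higher number if an account falls under several.
New-ADFineGrainedPasswordPolicy -Name "PSO-PrivilegedAccounts" `
    -Precedence 10 `
    -ComplexityEnabled $true `
    -MinPasswordLength 20 `
    -PasswordHistoryCount 24 `
    -MaxPasswordAge (New-TimeSpan -Days 60) `
    -MinPasswordAge (New-TimeSpan -Days 1) `
    -LockoutThreshold 5 `
    -LockoutObservationWindow (New-TimeSpan -Minutes 30) `
    -LockoutDuration (New-TimeSpan -Minutes 30) `
    -ReversibleEncryptionEnabled $false

# PSOs apply to users and global security groups, not to OUs. "Tier0-Admins" is an
# assumed group for accounts that hold local Administrators membership on many machines.
Add-ADFineGrainedPasswordPolicySubject -Identity "PSO-PrivilegedAccounts" `
    -Subjects "Domain Admins", "Enterprise Admins", "Tier0-Admins"

# Verification: the resultant policy for one account, falling back to the domain default
# when no PSO applies.
function Get-EffectivePasswordPolicy {
    param([Parameter(Mandatory)][string]$SamAccountName)
    $pso = Get-ADUserResultantPasswordPolicy -Identity $SamAccountName
    if ($null -eq $pso) { Get-ADDefaultDomainPasswordPolicy } else { $pso }
}

Get-EffectivePasswordPolicy -SamAccountName "admin.alice" |   # assumed account
    Select-Object DistinguishedName, MinPasswordLength, MaxPasswordAge, LockoutThreshold
```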

13- Active Directory Recycle Bin

Statistics show that over 70% of Active Directory object restores are needed because of accidental deletion. Nevertheless, the Active Directory Recycle Bin also makes recovery from malicious deletions cheaper and much less time-consuming. (Read more: Restore deleted objects)
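As an added example (not from the article), the following PowerShell enables the Recycle Bin feature if it is not already on, lists recently deleted objects with their last known parent so an accidental or malicious deletion is easy to spot, and restores one deleted account; the account name "jdoe" is assumed.

```powershell
# Added example (not the article's own code): enable the AD Recycle Bin, list recent
# deletions and restore one object. The deleted account "jdoe" is an assumed value.
Import-Module ActiveDirectory

$forest  = Get-ADForest
$feature = Get-ADOptionalFeature -Filter 'Name -eq "Recycle Bin Feature"'
# Enabling is irreversible, so check first instead of re-running blindly.
if (-not $feature.EnabledScopes) {
    Enable-ADOptionalFeature -Identity $feature -Scope ForestOrConfigurationSet `
        -Target $forest.RootDomain -Confirm:$false
}

# Deleted objects keep their attributes and links for msDS-DeletedObjectLifetime days.
function Get-RecentlyDeletedObjects {
    param([int]$Hours = 24)
    # LDAP generalized-time string for the whenChanged lower bound.
    $since = (Get-Date).AddHours(-$Hours).ToUniversalTime().ToString("yyyyMMddHHmmss.0Z")
    Get-ADObject -LDAPFilter "(&(isDeleted=TRUE)(whenChanged>=$since))" `
        -IncludeDeletedObjects -Properties whenChanged, lastKnownParent, objectClass |
      Where-Object { $_.Name -notlike 'Deleted Objects*' } |   # skip the container itself
      Select-Object Name, ObjectClass, lastKnownParent, whenChanged
}

# Restore a deleted account to its original parent container.
function Restore-DeletedAccount {
    param([Parameter(Mandatory)][string]$SamAccountName)
    $obj = Get-ADObject -LDAPFilter "(&(isDeleted=TRUE)(sAMAccountName=$SamAccountName))" `
        -IncludeDeletedObjects
    if ($null -eq $obj) { throw "No deleted object with sAMAccountName '$SamAccountName'" }
    Restore-ADObject -Identity $obj.ObjectGUID
}

Get-RecentlyDeletedObjects -Hours 48 | Format-Table -AutoSize
Restore-DeletedAccount -SamAccountName "jdoe"
```

If the original parent OU was deleted too, restore the parent first; Restore-ADObject fails when lastKnownParent no longer exists.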

14- Manage patches and firmware updates

Operating system updates must always be installed in a timely manner. Small organizations typically use Windows Update or Windows Server Update Services (WSUS) to manage and distribute updates for Windows operating systems, while larger organizations use solutions such as System Center Configuration Manager. In addition to the deployment mechanism used for servers and workstations, there should be a separate deployment path for highly secure systems such as domain controllers, certificate authorities, and management hosts. By isolating these systems from the generally managed infrastructure, a compromise of management or service accounts does not simply spread to the secure infrastructure systems. (Read more: Patch Tuesday)

15- Use Smart Cards

Even if the organization does not currently use smart cards broadly, securely managed administrative hosts should be required for privileged accounts. These management hosts must be configured to require smart card logon for all user accounts:

Computer Configuration \ Policies \ Windows Settings \ Local Policies \ Security Options \ Interactive logon: Require smart card

This setting requires a smart card for every interactive logon. The secure management hosts should also be configured so that only authorized accounts are allowed to log on, using the user rights assignments under:

Computer Configuration \ Policies \ Windows Settings \ Local Policies \ Security Settings \ Local Policies \ User Rights Assignment
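The settings above (section 15) and the RDP restrictions of section 7 are normally delivered by GPO; as an added example (not from the article), the following PowerShell applies the local-policy equivalent with secedit and a scoped firewall rule on a lab host, which is useful for testing what the GPO should enforce and for verifying the effective policy. The admin-host subnet, the group "CORP\Tier0-Admins" and the file paths are assumptions.

```powershell
# Added example (not the article's own code): local-policy equivalent of the GPO
# settings for RDP restriction and smart card logon, applied with secedit so the
# effect can be verified on a lab host. Subnet, group name and paths are assumed.
$adminSubnet = "10.10.50.0/24"        # assumed management host network
$rdpAdmins   = "CORP\Tier0-Admins"    # assumed group allowed to use RDP

# Resolve the group to a SID; secedit templates reference principals by SID.
$nt  = New-Object System.Security.Principal.NTAccount($rdpAdmins)
$sid = $nt.Translate([System.Security.Principal.SecurityIdentifier]).Value

# 1. WFAS: disable the built-in RDP rules and allow TCP 3389 only from admin hosts.
Get-NetFirewallRule -DisplayGroup "Remote Desktop" | Disable-NetFirewallRule
New-NetFirewallRule -DisplayName "DC-RDP-from-AdminHosts" -Direction Inbound -Protocol TCP `
    -LocalPort 3389 -RemoteAddress $adminSubnet -Action Allow -Profile Domain | Out-Null

# 2. User rights and security options as a secedit template (INF):
#    SeRemoteInteractiveLogonRight     = "Allow log on through Remote Desktop Services"
#    SeDenyRemoteInteractiveLogonRight = "Deny log on through Remote Desktop Services" (Guests)
#    ScForceOption                     = "Interactive logon: Require smart card" (4 = REG_DWORD)
$inf = @"
[Unicode]
Unicode=yes
[Version]
signature="`$CHICAGO`$"
Revision=1
[Privilege Rights]
SeRemoteInteractiveLogonRight = *$sid
SeDenyRemoteInteractiveLogonRight = *S-1-5-32-546
[Registry Values]
MACHINE\System\CurrentControlSet\Control\Lsa\ScForceOption=4,1
"@
$infPath = Join-Path $env:TEMP "dc-hardening.inf"
Set-Content -Path $infPath -Value $inf -Encoding Unicode
secedit /configure /db "$env:TEMP\dc-hardening.sdb" /cfg $infPath /areas USER_RIGHTS SECURITYPOLICY /quiet

# 3. Verify: export the effective local policy and read back the three settings.
$outPath = Join-Path $env:TEMP "dc-effective.inf"
secedit /export /cfg $outPath /areas USER_RIGHTS SECURITYPOLICY /quiet
Select-String -Path $outPath -Pattern 'SeRemoteInteractiveLogonRight|SeDenyRemoteInteractiveLogonRight|ScForceOption'
```

On a domain-joined host the GPO setting overrides whatever is applied locally at the next policy refresh, so use the export step to confirm that the GPO delivers the same values.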