Securing Windows Server 2003 domain controllers

xiaoxiao, 2021-03-06

Domain controllers, as the name suggests, hold administrative authority over every computer and user account in the Windows domain. A compromised domain controller is a compromised domain, so it deserves more effort to secure, and to keep secure, than any other server. This article walks through the security measures that should be deployed on a domain controller.

Physical security of the domain controller

The first step, and one that is often overlooked, is to protect the domain controller physically. Put the server in a locked room and strictly control and log who enters it. Do not fall for "hidden, therefore secure": placing such a critical server in an out-of-the-way spot without any other protection will not stop a determined data thief or saboteur.

Police who specialise in crime prevention will tell you that nothing, not a home, a company, a car, and certainly not a server, can be made 100% secure. Security measures cannot guarantee that your valuables are never taken by "bad people"; they can only raise the difficulty and the cost of getting at them. If you can make an attack take long enough, intruders will give up or stop trying, and the chance of catching them in the act goes up.

On top of physical security you should deploy a layered defence. The locked server room is only the first layer: it is perimeter security, like the fence around your property or the lock on your front door. Once the perimeter is in place, the protected target itself (here, the DC) needs further controls of its own. You probably have an alarm that notifies you or the police when the fence or the door lock is breached; in the same way, consider an alarm inside the server room that sounds when an unauthorised person (one who does not know the alarm code) approaches the servers. Also consider door contacts and infrared detectors covering doors, windows and any other openings (and, as is strongly recommended, keep the number of doors, windows and openings to a minimum).

As you build the layers from the outside in, keep asking yourself: "If this control fails, what new obstacle can we put in the intruder's path?" Treat the security of the server itself as you would your money and jewellery inside a property that is already protected by a fence, locks and an alarm. Some guidelines follow:

Remove every removable-storage device: floppy drives, optical drives, external hard drives, ZIP drives, flash drives and the like. This makes it harder for an intruder to upload a program (such as a virus) or to download data. If the ports those devices need are not used for anything else, remove them too, either by disabling them in the BIOS or by physically removing them: USB / IEEE 1394, serial and parallel ports, SCSI interfaces and so on.

Lock the chassis so that an unauthorised person cannot pull the hard drives or damage the machine's components.

Place the server in an enclosed rack (with adequate ventilation), and put the power supply and UPS inside the rack as well, so that an intruder cannot simply cut the power or tamper with the UPS to disrupt the system.

Preventing remote intrusion of domain controllers

Once you are satisfied with the physical security plan, turn your attention to keeping hackers, crackers and other attackers from reaching the domain controllers over the network. The "best" method, of course, is to disconnect the domain controller from the network, but then it is useless. So you have to harden it step by step against the common attack methods.

Securing domain accounts

The easiest (for the attacker) and most common way in is to use a legitimate account and password to gain access to the network and the domain controller. In a typical installation an intruder needs only two things to log on: a valid account and its password. If you are still using the default administrator account, Administrator, you have already given the intruder half of that; all he has to do is gather some information. Unlike other accounts, this built-in administrator account is never locked out after repeated failed logons. That means an attacker can keep guessing the password (a "brute-force" attack) until he has administrator privileges.

That is why the first thing you should do is rename the built-in account. Renaming alone is meaningless if you forget to change the default description ("Built-in account for administering the computer/domain"): the intruder would still find the administrative account at a glance. Keep in mind that these measures only slow an intruder down. A determined, capable attacker can still get around them: the SID of the administrator account cannot be changed and always ends in the relative identifier 500, and there are tools that enumerate accounts by SID to pick out the administrator whatever it is called.

Windows Server 2003 allows the built-in Administrator account to be disabled outright. If you want to do that, create another account first and give it administrator rights; otherwise you will find that you can no longer carry out certain privileged tasks. The built-in Guest account should also be disabled (it is by default). If a user needs some permission, create a new account for him and restrict what it can access.
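The following batch script is an added example, not code from the original article. It audits and applies the account controls discussed in this section on a Windows Server 2003 domain controller: it finds the built-in Administrator and Guest accounts by their fixed RIDs (the same lookup an attacker makes, which is why renaming only slows them down), clears the give-away description, keeps Guest disabled, and sets the domain password policy that the section goes on to describe. Run it from an elevated cmd.exe on the DC. The renamed administrator name svc-maint and the policy numbers are assumptions for illustration.

```batch
@echo off
REM Added example, not from the original article: audit and apply the
REM account controls from this section on a Windows Server 2003 DC.
REM Assumptions for illustration: the built-in administrator has been
REM renamed to svc-maint (any name works the same), and the policy
REM numbers are the article's minimums, not a universal recommendation.
setlocal
set RENAMED_ADMIN=svc-maint

echo [1] Accounts with RID 500 and 501, whatever they are named now.
REM Renaming does not change the SID. WMIC ships with Server 2003; in a
REM batch file the WQL percent wildcard has to be doubled. Name,
REM Description, Disabled and Lockout are Win32_UserAccount properties.
wmic useraccount where "SID like '%%-500'" get Name,Description,Disabled,Lockout
wmic useraccount where "SID like '%%-501'" get Name,Description,Disabled

echo [2] Clear the default description that gives the account away.
net user %RENAMED_ADMIN% /comment:"" /domain

echo [3] Make sure the built-in Guest account stays disabled.
net user Guest /active:no /domain

echo [4] Domain password and lockout policy before the change.
net accounts /domain

echo [5] Enforce the password rules from this section at domain level:
echo     at least 8 characters, change every 90 days, no reuse of the
echo     last 24 passwords, at least one day between changes.
net accounts /minpwlen:8 /maxpwage:90 /minpwage:1 /uniquepw:24 /domain

echo [6] Policy after the change.
net accounts /domain
endlocal
```

Two caveats. On a domain controller the wmic query enumerates every account in the domain before filtering, so it can take a while in a large domain. And net accounts writes the domain's password attributes directly; if the Default Domain Policy defines those settings, Group Policy reapplies them at the next refresh, so make the lasting change there. The Default Domain Policy is also the only place to set the complexity requirement (mixed character classes, no dictionary words) and the account lockout threshold, both of which net accounts merely displays.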

All accounts, and administrative accounts above all, should have strong passwords. A strong password is at least 8 characters long, mixes upper- and lower-case letters, digits and symbols, and is not a dictionary word. Users must be warned not to write their passwords down or tell them to anyone (social engineering is just another route to unauthorised access). Group Policy can also be used to force passwords to be changed on a regular schedule.

Relocating the Active Directory database

The Active Directory database holds the core information of the domain and must be protected accordingly. One approach is to move the files out of the default location that every attacker knows (%SystemRoot%\NTDS on the system volume) to somewhere else. For deeper protection, consider placing the AD database files on a redundant or mirrored volume so that they can be recovered after a disk failure.

The Active Directory database files are: ntds.dit (the database itself), edb.log (the current transaction log) and temp.edb (a scratch file used during transactions).

Note: moving the Active Directory database files to a physical disk other than the system volume can also improve the DC's performance.

You can move the Active Directory database and log files with the NTDSUTIL.EXE tool as follows:

1. Restart the domain controller.

2. Press F8 during startup to reach the Advanced Options menu.

3. Select Directory Services Restore Mode from the menu.

4. If more than one Windows Server 2003 installation is listed, choose the correct one and press Enter to continue.

5. Log on with the Directory Services Restore Mode administrator password that was set when the server was promoted to a domain controller.

6. Click Start | Run, enter CMD and open a command prompt.

7. At the command prompt, enter NTDSUTIL.EXE.

8. At the NTDSUTIL prompt, enter Files.

9. To move the database, enter Move DB to followed by the new folder; to move the log files, enter Move Logs to followed by the new folder.

10. Enter Quit twice to leave NTDSUTIL and return to the command prompt, then close the command prompt window.

11. Restart the domain controller normally into Windows Server 2003.
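The same move, driven from a single cmd.exe prompt with the checks a practitioner wants before and after it, as an added example that is not part of the original article. ntdsutil accepts each menu command as a quoted argument, so steps 7 to 10 collapse into one command line; the script still has to run while the DC is booted into Directory Services Restore Mode, as the procedure above requires. The target folders D:\NTDS and E:\NTDSLogs are assumptions for illustration.

```batch
@echo off
REM Added example, not from the original article: the ntdsutil steps
REM above run non-interactively, plus checks before and after the move.
REM Run only while the DC is in Directory Services Restore Mode.
REM Target paths are assumptions: D:\NTDS for the database, E:\NTDSLogs
REM for the transaction logs, both off the system volume.
setlocal
set NTDS_KEY=HKLM\SYSTEM\CurrentControlSet\Services\NTDS\Parameters
set DBDIR=D:\NTDS
set LOGDIR=E:\NTDSLogs

echo [1] Where the files are now; these are the values ntdsutil rewrites.
reg query "%NTDS_KEY%" /v "DSA Database file"
reg query "%NTDS_KEY%" /v "Database log files path"

echo [2] File layout and free space as ntdsutil sees them.
ntdsutil files info quit quit

echo [3] Move the database, then the logs, then show the new layout.
REM ntdsutil moves the files, updates the registry values above and
REM applies permissions to the new folders. Read its output: it is the
REM only reliable indication of success.
if not exist "%DBDIR%" mkdir "%DBDIR%"
if not exist "%LOGDIR%" mkdir "%LOGDIR%"
ntdsutil files "move DB to %DBDIR%" "move logs to %LOGDIR%" info quit quit

echo [4] Verify the moved database before rebooting.
ntdsutil files integrity quit quit

echo [5] Confirm the registry and the folder ACLs.
REM Only SYSTEM and Administrators should appear, each with full control.
reg query "%NTDS_KEY%" /v "DSA Database file"
reg query "%NTDS_KEY%" /v "Database log files path"
cacls "%DBDIR%"
cacls "%LOGDIR%"
endlocal
```

After the reboot in step 11, take a fresh system state backup: earlier backups record the old paths and would restore the database to the location you just moved it away from.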

Protecting password information with syskey

The domain account password data stored in Active Directory is the most sensitive security information there is. The System Key, syskey, is used to encrypt the account password information held in the directory service database on the domain controller.

Syskey has three modes. In mode one, the default in Windows Server 2003, the computer generates a random system key and stores it locally, obfuscated, in the registry; you log on to the computer as usual. Because the key can be recovered from the SYSTEM registry hive, mode one only protects against someone who cannot read the disk: an attacker who walks away with a copy of ntds.dit together with the SYSTEM hive can recover the password hashes, which is one more reason the physical measures above matter.

In mode two the system key is generated and stored the same way as in mode one, but it is additionally protected by a password chosen by the administrator. That password must be typed at every restart and is not stored anywhere on the machine.

Mode three is the most secure. The randomly generated system key is stored on a floppy disk rather than on the computer. Without physical possession of that floppy disk the system cannot boot: it prompts for the disk at startup and waits until it is inserted.

Note: before choosing mode two or mode three, consider what they imply operationally. In mode two an administrator has to be at the console to type the password, and in mode three someone has to insert the floppy disk locally, so an unattended or remote restart of the server is no longer possible. You can confirm which mode a server is in from the SecureBoot value under HKLM\SYSTEM\CurrentControlSet\Control\Lsa in the registry (1, 2 or 3).

You can create a system key as follows:

1. Click Start | Run, enter CMD and open a command prompt.

2. At the command prompt, enter syskey.

3. Select Encryption Enabled, then click Update. Once enabled, syskey encryption cannot be turned off again.

4. If you want a startup password (mode two), click Password Startup.

5. Enter a strong password (12 to 128 characters).

6. If you do not want a startup password, click System Generated Password.

7. The default is Store Startup Key Locally (mode one). To keep the key on a floppy disk instead (mode three), select Store Startup Key on Floppy Disk.

If you use mode three, keep a backup copy of the floppy disk holding the key.

Note that if the key floppy disk is lost or damaged, or the administrator-chosen password is forgotten, there is no way to recover: the domain controller has to be reinstalled.

Summary

Protecting the domain controller is an important part of your network security policy. This article has covered how to secure the domain controller physically, how to secure domain accounts and the Active Directory database files, and how to use the syskey tool to protect the account password information stored on the domain controller.

When reposting, please credit the original address: https://www.9cbs.com/read-79349.html
