Protecting a Windows Domain Controller

Every Windows domain controller in your network also acts as a KDC, and needs to be secured appropriately. The general advice that pertains to Unix KDCs also applies to a Windows domain controller. Just like a Unix KDC, the Windows domain controller contains all of the authentication information (and much more). To properly secure a Windows domain controller, first disable all unnecessary services, disallow logins to the server except for a small number of administrative users with secure passwords, and apply the latest set of service packs from Microsoft.

Unfortunately, a default installation of Windows 2000 Server will install and enable Internet Information Services (IIS), which, unpatched, contains several security vulnerabilities that allow an attacker to gain administrative control of your server. Therefore, it is recommended to keep the machine disconnected from the network until IIS is disabled or removed. To remove IIS, open the Add/Remove Programs item in the Control Panel, choose Add/Remove Windows Components, and uncheck Internet Information Services.


Note that thanks to Microsoft’s new “Secure by Default” philosophy, Windows 2003 Server no longer installs and activates IIS by default. Readers who are using Windows Server 2003 to build a Kerberos KDC will not have to manually disable and remove IIS.

With IIS out of the way, a good next step is to apply the latest batch of service packs from Microsoft. Doing this as early as possible ...

Get Kerberos: The Definitive Guide now with O’Reilly online learning.

O’Reilly members experience live online training, plus books, videos, and digital content from 200+ publishers.