Providing Security for Domain Controllers
Because domain controllers hold the keys to the kingdom, they need special attention. Domain controllers offer two primary types of access: physical access and network access. With physical access, someone can get to the computer itself, for example by putting a CD in the CD-ROM drive and typing at the keyboard. Physical access could also result in someone stealing the computer. Network access requires a bit more sophistication from the attacker, but there are plenty of avenues into the domain controller. The network access that needs to be considered includes acquiring user account names, share names, data, and communications with the domain controller.
One of the most important security measures you can take for your domain controllers is to secure them physically. The actual box, tower, or blade needs to be secured. This means placing it behind a door with a lock to which only administrators have the key. In addition to placing the domain controller in a locked room, you need to consider these additional security measures to lock down your domain controllers:
Use physical access controls to secure the lock to the server room as described in Chapter 2.
Use smart cards on the servers as described in Chapter 10, so users must use two-factor authentication to access the domain controllers.
Do not leave users logged on to the domain controllers. It is a misconception that a user must log on to the domain controller for ...