There are many things that you can do as an administrator to reduce or eliminate risks associated with your Domain Controllers. In this article, we’ll take a look at some tools you can employ to help with this.
Attack Surface – This concept refers to the software, protocols and ports that a server uses in order to function. These items are the areas of vulnerability and should be monitored, or disabled if they are not needed. By reducing the attack surface, you greatly reduce the chance of an attacker being able to exploit a current or future vulnerability. The tools and applications listed below will help you reduce your overall attack surface.
Security Configuration Wizard
The Security Configuration Wizard (SCW) can be launched from Administrative Tools. This tool helps you create a policy that enables the services, firewall rules and other settings your server needs to perform its assigned role, and in doing so disables the services, protocols and ports that are not needed. The wizard leads you through the steps of creating or editing a policy for the roles installed on the server. Figure 1 below shows a screenshot of the Security Configuration Wizard. You must have administrator privileges on the server to run it.
Security policies created with SCW can be deployed using Group Policy. For SCW to detect everything it needs to keep enabled, all applications that use IP protocols and ports must be running on the server when you launch SCW.
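The following PowerShell is an added example and not part of the original article. It covers the two practical steps around SCW: first an inventory of what is actually listening on the domain controller (so you can confirm every legitimate service is running before the wizard takes its snapshot), then conversion of the saved SCW policy into a GPO linked to the Domain Controllers OU with scwcmd.exe and the GroupPolicy module. The policy path and GPO name are assumed values. Note that SCW and scwcmd.exe were removed in Windows Server 2016; on those versions the same goal is reached with Security Compliance Manager baselines and Group Policy.

```powershell
# Added example (not from the original article): inventory listening endpoints on a DC
# before running SCW, then turn the saved SCW policy into a GPO linked to the
# Domain Controllers OU. Policy path and GPO name are assumed values.
#Requires -RunAsAdministrator

# 1. What is listening right now? SCW only keeps open what it sees running, so every
#    service the DC legitimately needs must be started before the wizard is launched.
function Get-ListeningEndpoint {
    $tcp = Get-NetTCPConnection -State Listen |
        Select-Object @{n='Proto';e={'TCP'}}, LocalAddress, LocalPort, OwningProcess
    $udp = Get-NetUDPEndpoint |
        Select-Object @{n='Proto';e={'UDP'}}, LocalAddress, LocalPort, OwningProcess
    foreach ($ep in @($tcp) + @($udp)) {
        $proc = Get-Process -Id $ep.OwningProcess -ErrorAction SilentlyContinue
        [pscustomobject]@{
            Proto        = $ep.Proto
            LocalAddress = $ep.LocalAddress
            LocalPort    = $ep.LocalPort
            Pid          = $ep.OwningProcess
            Process      = if ($proc) { $proc.ProcessName } else { '<unknown>' }
        }
    }
}

Get-ListeningEndpoint | Sort-Object Proto, LocalPort | Format-Table -AutoSize

# 2. After the wizard has saved its policy, convert it to a GPO and link it to the
#    Domain Controllers OU. scwcmd.exe ships with SCW; New-GPLink needs the GroupPolicy module.
$policyXml = 'C:\SCW\DC-Baseline.xml'       # assumed: path where the SCW policy was saved
$gpoName   = 'DC Attack Surface Baseline'   # assumed: GPO display name
& scwcmd.exe transform /p:$policyXml /g:$gpoName

Import-Module GroupPolicy
Import-Module ActiveDirectory
$dcOu = "OU=Domain Controllers,$((Get-ADDomain).DistinguishedName)"
# Link it disabled first: review the settings with GPMC / gpresult on one DC, then enable.
New-GPLink -Name $gpoName -Target $dcOu -LinkEnabled No
```

Review the listening-endpoint table against the DC's role (LDAP, Kerberos, DNS, RPC, SMB and so on). Anything you cannot attribute to a needed role is a candidate for the wizard to disable, and anything you expect but do not see means a service was not running when the snapshot would have been taken.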
Microsoft Security Compliance Manager
The Security Compliance Manager (SCM) is a free tool that allows you to configure and manage computers in your Active Directory environment by creating baseline policies based on security best practices.
AppLocker
AppLocker allows you to create rules that allow or deny applications from running. AppLocker can control the following file types: .exe, .com, .js, .ps1, .vbs, .cmd, .bat, .mst, .msi, .msp, .dll and .ocx. If you do not want users to be able to run executable files from their home drive, you can restrict that using AppLocker. You can also restrict which applications are permitted to run on domain controllers.
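As an added example (not code from the original article), the PowerShell below builds an AppLocker policy for a domain controller from the AppLocker cmdlets: it generates allow rules for files under the OS and Program Files directories, switches the policy to audit mode, dry-runs the policy against files on a user home drive to show that anything outside the allow rules is denied, and deploys the policy to the Domain Controllers OU through a GPO. The home drive letter, output path and GPO name are assumed values.

```powershell
# Added example (not from the original article): create, test and deploy an AppLocker
# policy for DCs. Home drive, output path and GPO name are assumed values.
#Requires -RunAsAdministrator
Import-Module AppLocker
Import-Module GroupPolicy
Import-Module ActiveDirectory

$policyPath = 'C:\AppLocker\DC-Policy.xml'   # assumed: where the generated policy is written
$homeDrive  = 'H:\'                          # assumed: mapped user home drive

# AppLocker enforcement depends on the Application Identity service.
Set-Service -Name AppIDSvc -StartupType Automatic
Start-Service -Name AppIDSvc

# 1. Collect file information for the locations code may legitimately run from.
$fileInfo = foreach ($dir in 'C:\Windows', 'C:\Program Files', 'C:\Program Files (x86)') {
    if (Test-Path $dir) {
        Get-AppLockerFileInformation -Directory $dir -Recurse -FileType Exe, Dll, Script, WindowsInstaller
    }
}

# 2. Generate allow rules: publisher rules for signed files, hash rules for the rest.
#    Once any allow rule exists in a collection, everything else in it is implicitly denied.
$policy = New-AppLockerPolicy -FileInformation $fileInfo -RuleType Publisher, Hash `
    -User Everyone -Optimize -Xml

# 3. Start in AuditOnly; move to Enabled after reviewing the AppLocker event log
#    (Applications and Services Logs > Microsoft > Windows > AppLocker).
[xml]$xml = $policy
foreach ($rc in $xml.AppLockerPolicy.RuleCollection) { $rc.EnforcementMode = 'AuditOnly' }
New-Item -ItemType Directory -Path (Split-Path $policyPath) -Force | Out-Null
$xml.Save($policyPath)

# 4. Dry run: files on the home drive match no allow rule, so they are reported as Denied.
if (Test-Path $homeDrive) {
    Get-ChildItem -Path $homeDrive -Recurse -Include *.exe, *.ps1 -ErrorAction SilentlyContinue |
        Select-Object -ExpandProperty FullName |
        Test-AppLockerPolicy -XmlPolicy $policyPath -User Everyone |
        Where-Object PolicyDecision -ne 'Allowed' |
        Format-Table FilePath, PolicyDecision, MatchingRule -AutoSize
}

# 5. Deploy to the Domain Controllers OU via a new GPO (assumed name).
$gpo  = New-GPO -Name 'DC AppLocker (Audit)'
$dcOu = "OU=Domain Controllers,$((Get-ADDomain).DistinguishedName)"
New-GPLink -Name $gpo.DisplayName -Target $dcOu | Out-Null
$dcHost = (Get-ADDomainController).HostName
Set-AppLockerPolicy -XmlPolicy $policyPath -Ldap "LDAP://$dcHost/$($gpo.Path)"
```

Keep the policy in AuditOnly until the AppLocker event log on each DC has gone a full patch cycle without legitimate administrative tools being logged as "would have been blocked"; only then change EnforcementMode to Enabled.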
Patches and Updates
Domain controllers should have the most up-to-date patches and updates. It is important, though, to install only the patches that are relevant. You may need to patch and update your domain controllers separately from the other computers in your environment. This ensures that the domain controllers have the updates they need without installing unnecessary software.
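When domain controllers are patched on their own schedule, the practical check is whether every DC ended up with the same updates. The PowerShell below is an added example (not from the original article): it queries installed hotfixes on every domain controller in the domain, flags any DC that is missing a KB its peers have, and tests for a pending reboot using the two registry keys Windows sets when an update has been staged but not yet applied. It assumes the ActiveDirectory module and WinRM access to the DCs.

```powershell
# Added example (not from the original article): compare installed updates across all
# domain controllers and report gaps and pending reboots. Assumes the ActiveDirectory
# module and WinRM/WMI access to each DC.
Import-Module ActiveDirectory

function Get-DcHotfixReport {
    $dcs = (Get-ADDomainController -Filter *).HostName
    $byDc = @{}
    foreach ($dc in $dcs) {
        try {
            # Get-HotFix reads Win32_QuickFixEngineering on the remote DC.
            $byDc[$dc] = @(Get-HotFix -ComputerName $dc -ErrorAction Stop |
                           Select-Object -ExpandProperty HotFixID)
        } catch {
            Write-Warning "Could not query $dc : $($_.Exception.Message)"
        }
    }
    # Baseline = every KB seen on any DC; each DC is reported against that union.
    $allKbs = $byDc.Values | ForEach-Object { $_ } | Sort-Object -Unique
    foreach ($dc in $byDc.Keys) {
        $missing = $allKbs | Where-Object { $_ -notin $byDc[$dc] }
        [pscustomobject]@{
            DomainController = $dc
            InstalledCount   = $byDc[$dc].Count
            MissingVsPeers   = ($missing -join ', ')
        }
    }
}

# A DC that installed updates but has not rebooted is not yet running the patched code.
function Test-PendingReboot {
    param([Parameter(Mandatory)][string]$ComputerName)
    Invoke-Command -ComputerName $ComputerName -ScriptBlock {
        (Test-Path 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\Auto Update\RebootRequired') -or
        (Test-Path 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Component Based Servicing\RebootPending')
    }
}

Get-DcHotfixReport | Format-Table -AutoSize
foreach ($dc in (Get-ADDomainController -Filter *).HostName) {
    [pscustomobject]@{ DomainController = $dc; PendingReboot = (Test-PendingReboot -ComputerName $dc) }
}
```

A non-empty MissingVsPeers column is not automatically a problem (the KB may not apply to that DC's OS build), but each entry should be explained rather than ignored, and a DC reporting PendingReboot as True should be restarted within its maintenance window.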
Remote Access to Domain Controllers
Remote access to domain controllers should be restricted, using Group Policy, to only those who are authorized.
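The Group Policy settings that control this are the user rights for remote and network logon. As an added example (not from the original article), the PowerShell below exports the effective security policy of the domain controller it runs on with secedit.exe, parses the four relevant rights, and translates the SIDs to account names so you can see exactly who is permitted (or denied) remote logon after Group Policy has applied.

```powershell
# Added example (not from the original article): audit which principals hold the
# remote and network logon rights on this DC. Anyone listed under an "Allow" right who
# is not an authorized administrator is a finding to follow up in Group Policy.
#Requires -RunAsAdministrator

function Get-RemoteLogonRight {
    $inf = Join-Path $env:TEMP 'secpol.inf'
    # secedit exports the effective local security policy, including user rights assignment.
    & secedit.exe /export /cfg $inf /quiet | Out-Null

    $rights = @{
        'SeRemoteInteractiveLogonRight'     = 'Allow log on through Remote Desktop Services'
        'SeDenyRemoteInteractiveLogonRight' = 'Deny log on through Remote Desktop Services'
        'SeNetworkLogonRight'               = 'Access this computer from the network'
        'SeDenyNetworkLogonRight'           = 'Deny access to this computer from the network'
    }

    foreach ($line in Get-Content $inf) {
        if ($line -match '^(Se\w+)\s*=\s*(.*)$' -and $rights.ContainsKey($Matches[1])) {
            $rightName = $rights[$Matches[1]]
            $principals = foreach ($entry in ($Matches[2] -split ',')) {
                $entry = $entry.Trim()
                if ($entry -like '*S-1-*') {
                    # Entries are SIDs prefixed with '*'; translate to NTAccount names where possible.
                    $sid = [System.Security.Principal.SecurityIdentifier]($entry.TrimStart('*'))
                    try { $sid.Translate([System.Security.Principal.NTAccount]).Value } catch { $sid.Value }
                } else {
                    $entry
                }
            }
            [pscustomobject]@{
                Right      = $rightName
                Principals = ($principals -join '; ')
            }
        }
    }
    Remove-Item $inf -ErrorAction SilentlyContinue
}

Get-RemoteLogonRight | Format-Table -AutoSize -Wrap
```

Run it on each DC (the rights are evaluated per machine), and compare the output with the Default Domain Controllers Policy and any GPO you link above it; a principal that appears here but in none of those GPOs was added locally and should be removed.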
Web Browsing on Domain Controllers
It is bad practice to allow web browsing from domain controllers. The problem is that, when logged on as an administrator, you could inadvertently download malicious software.
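One way to enforce this on a domain controller, shown here as an added example rather than code from the original article, is a set of Windows Firewall outbound block rules tied to the browser executables, which stops a browser from reaching the network even when an administrator starts it. The browser paths are the standard install locations and are assumed; the rule name prefix is a constructed value.

```powershell
# Added example (not from the original article): block outbound traffic from browser
# executables on a DC with Windows Firewall, then list the rules that were applied.
# Browser paths are the usual install locations (assumed); rules are created even when
# the binary is not present today so a later install is still covered.
#Requires -RunAsAdministrator

$browsers = @(
    'C:\Program Files\Internet Explorer\iexplore.exe',
    'C:\Program Files (x86)\Internet Explorer\iexplore.exe',
    'C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe',
    'C:\Program Files\Google\Chrome\Application\chrome.exe',
    'C:\Program Files\Mozilla Firefox\firefox.exe'
)
$rulePrefix = 'DC: block outbound '   # constructed rule-name prefix

function Block-BrowserOutbound {
    foreach ($exe in $browsers) {
        $name = $rulePrefix + (Split-Path $exe -Leaf)
        if (Get-NetFirewallRule -DisplayName $name -ErrorAction SilentlyContinue) { continue }
        New-NetFirewallRule -DisplayName $name -Direction Outbound -Action Block `
            -Program $exe -Profile Any -Enabled True | Out-Null
    }
}

function Get-BrowserBlockRule {
    Get-NetFirewallRule -DisplayName "$rulePrefix*" | ForEach-Object {
        $app = $_ | Get-NetFirewallApplicationFilter
        [pscustomobject]@{
            Rule    = $_.DisplayName
            Program = $app.Program
            Action  = $_.Action
            Enabled = $_.Enabled
        }
    }
}

Block-BrowserOutbound
Get-BrowserBlockRule | Format-Table -AutoSize
```

On more than one DC the same rules belong in a GPO (Windows Firewall with Advanced Security under Computer Configuration) linked to the Domain Controllers OU, so that they are applied consistently and cannot be removed locally without the change showing up in Group Policy.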