Detailed analysis of security for domain controllers


Many people don't know what a domain controller is or what role it plays. In fact, its role is very large, and if its protection is neglected it will end up compromised by malware. So let me introduce this so-called domain controller. A domain controller, as its name implies, has administrative authority over the entire Windows domain and over every computer in it. You therefore have to spend more effort ensuring that your domain controllers are secure and stay that way. This article walks you through some of the security measures that should be deployed on a domain controller.

Physical Security for Domain Controllers

The first step (and an often overlooked one) is to protect the physical security of your domain controllers. That is, you should place the server in a locked room and strictly control and log access to that room. Don't rely on "security through obscurity": this view mistakenly believes that hiding such a critical server in an out-of-the-way place without any protection will defend it against determined data thieves and saboteurs.

Police who specialize in crime prevention tell us that there is no way to make our homes, companies, cars, or of course our servers 100% secure. Security measures cannot guarantee that your valuables will not be taken by the "bad guys"; they can only make obtaining them more difficult and time-consuming. If you can prolong the attacker's effort, they are more likely to give up or stop trying, and the chances of catching them in the act rise considerably.

Physical security itself should be deployed as a multi-layered defense plan. The locked server room is just the first layer; it counts only as perimeter security, like a fence around your yard or a lock on your door. In case the perimeter is breached, further security measures should protect the target itself (here, the DC). You might install an alarm system that notifies you or the police when the fence or door lock is breached. Similarly, you should consider an alarm system around the servers that sounds an audible alert when an unauthorized user (one who does not know the code to disarm it) approaches a server. It is also worth installing door sensors and infrared detectors to detect illegal entry through doors, windows and other openings (we strongly recommend keeping the number of doors, windows and openings to a minimum).

When deploying your multi-layered security plan from the inside out, you should repeatedly ask yourself one question: "If this security measure fails, what new obstacle can we place in the intruder's path?" Just as you would keep your money and jewelry in a fenced, locked, alarm-protected room, you should also consider the security of the server itself. Here are some guidelines:

Remove all removable storage drives, such as floppy drives, optical drives, external hard drives, Zip drives, flash drives and so on. This makes it harder for an intruder to upload a program (such as a virus) to the server or to download data from it. If you don't use these devices, you can also disable the ports they would need (disable them in the BIOS or remove them physically). These ports include USB/IEEE 1394, serial, parallel, SCSI and so on.

Lock the chassis to prevent unauthorized users from stealing hard drives or damaging components inside the machine.

Place the server in a closed, locked server rack (ensuring good ventilation), and preferably place the power supply or UPS inside the rack as well, so that an intruder cannot easily cut the power or interfere with the system's power supply.

Preventing remote intrusion of domain controllers

Once you consider your physical security plan good enough, you should turn your attention to preventing hackers, crackers and other attackers from reaching your domain controllers over the network. Of course, the surest way to do this is to disconnect the domain controller from the network, but then the domain controller is useless. Therefore, you have to harden it step by step against the common attack methods.

Secure domain accounts

The easiest (for the hacker), least expected and most common method of gaining access to the network and its domain controllers is simply to log in with a valid account and password.

In a typical installation, a hacker who wants to log in to the system needs only two things: a legitimate account name and its corresponding password. If you are still using the default administrator account, Administrator, you make the intrusion much easier: half the information is already known, and all he has to do is gather the rest. Unlike other accounts, this default administrator account is not locked out after multiple failed logins. This means the hacker can simply keep guessing the password (cracking it by "brute force") until he obtains administrator privileges.

That is why the first thing you should do is rename the system's built-in account. Of course, renaming it but forgetting to change the default description ("Built-in account for administering the computer/domain") accomplishes little, since the description still lets an intruder quickly find the account with administrator privileges. Keep in mind that everything you do here only slows the intruder down. A determined and capable hacker can still bypass these measures: for example, the SID of the administrator account cannot be changed and always ends in 500, and some hackers use tools that look up accounts by SID to identify the administrative account regardless of its name.
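The following audit script is an added example, not part of the original article: it locates the built-in administrator by its RID-500 SID (exactly the lookup the paragraph warns about, used here defensively) and reports whether the name, description and domain lockout policy still leave it exposed. It assumes the ActiveDirectory RSAT module and a domain-joined session with read access; the 14-character length threshold is an assumed local baseline.

```powershell
# Added audit example (not from the article). Assumes the ActiveDirectory
# RSAT module and a domain-joined session with read access to AD.
Import-Module ActiveDirectory

function Test-BuiltinAdminExposure {
    $domain = Get-ADDomain
    # The built-in administrator always has relative identifier (RID) 500.
    # Renaming the account does not change its SID, so we find it by SID,
    # not by name - the same way an attacker's tooling would.
    $adminSid = "$($domain.DomainSID.Value)-500"
    $admin    = Get-ADUser -Identity $adminSid -Properties Description, Enabled, LastLogonDate

    $findings = @()
    if ($admin.SamAccountName -eq 'Administrator') {
        $findings += "Built-in account still uses the default name 'Administrator'."
    }
    # The default description gives the account's role away even after a rename.
    if ($admin.Description -like 'Built-in account for administering*') {
        $findings += "Description still reveals the account's role: '$($admin.Description)'."
    }

    # A lockout threshold of 0 disables lockout for every account. The article notes
    # the built-in account is not locked out anyway, so its brute-force resistance
    # rests mainly on password length and complexity.
    $policy = Get-ADDefaultDomainPasswordPolicy
    if ($policy.LockoutThreshold -eq 0) {
        $findings += "Default domain policy has no account lockout threshold."
    }
    $minLength = 14   # assumed local baseline, adjust to your own policy
    if ($policy.MinPasswordLength -lt $minLength) {
        $findings += "Minimum password length is $($policy.MinPasswordLength) (baseline $minLength)."
    }

    [pscustomobject]@{
        AccountName = $admin.SamAccountName
        Sid         = $adminSid
        Enabled     = $admin.Enabled
        LastLogon   = $admin.LastLogonDate
        Findings    = $findings
    }
}

Test-BuiltinAdminExposure | Format-List
```

An empty Findings list means the rename, description change and lockout policy are all in place; the LastLogon field helps spot a built-in account that is still in routine use instead of a named admin account.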
