Securing Win 2003 Domain Controllers


A domain controller, as its name implies, has administrative authority over the entire Windows domain and every computer in it. That is why you have to spend more effort on securing your domain controllers and keeping them safe. This article walks you through some of the security measures that should be deployed on a domain controller.

Physical Security for Domain Controllers

The first step (and one that is often overlooked) is to protect the physical security of your domain controllers. That is, place the server in a locked room and strictly review and record access to that room. Do not rely on "security through obscurity". That view mistakenly holds that putting such a critical server somewhere out of the way, without any other protection, will protect it against determined data thieves and saboteurs.

Crime-prevention specialists in the police will tell you that there is no way to make your home, your company, your car, or, of course, your servers 100% secure. Security measures do not guarantee that your valuables will never be taken by the "bad guys"; they only make obtaining those valuables more difficult and time-consuming. If you can drag out the attacker's process long enough, they will give up or stop trying, and the chances of catching them in the act increase greatly.

Physical security should be one part of a multi-layered defense plan. The locked server room is only the first layer. It can be considered perimeter security, like a fence around your yard or a lock on your door. In case the perimeter is breached, further security measures should be in place to protect the target (in this case the DC). You might install an alarm system to notify you or the police when your fence or door lock is compromised. Similarly, consider deploying an alarm on the servers themselves that sounds an audible alert when an unauthorized user (one who does not know the code to disarm it) opens the server. You can also install door contacts and infrared detectors to detect illegal entry through doors, windows, and other openings (we strongly recommend keeping the number of doors, windows, and openings to a minimum).

When deploying your multi-layered security plan, layer by layer, you should repeatedly ask yourself: "What if this security measure fails? What further obstacle can we put in the intruder's path?" Just as putting your money and jewelry in a fenced, locked, alarm-protected room is not the whole story, you should also consider the security of the server itself. Here are some guidelines:

Remove all removable storage drives: floppy drives, optical drives, external hard drives, Zip drives, flash drives, and so on. This makes it harder for an intruder to load a program (such as a virus) onto the server or copy data off it. If you do not use these devices, you can also disable the ports they would need (disabled in the BIOS or physically removed). These include USB, IEEE 1394, serial, parallel, and SCSI ports.

Lock the chassis so that unauthorized users cannot steal the hard drive or damage the machine's components.

Place the server in a closed, locked server rack (with adequate ventilation), and preferably keep the power supply and UPS inside the rack as well, so that an intruder cannot simply cut the power or tamper with the UPS to disrupt the system's power supply.

Preventing remote intrusion of domain controllers

Once you are satisfied with your physical security plan, you should turn your attention to preventing hackers, crackers, and other attackers from accessing your domain controllers over the network. Of course, the surest way to do this is to disconnect the domain controller from the network, but then the domain controller is useless. So you have to go through the domain controllers step by step and harden them against the common attack methods.

Secure domain accounts

The easiest (for the hacker), least expected, and most common method of gaining access to the network and the domain controllers is simply to log in with a valid account and password.

In a typical installation, a hacker who wants to log in needs only two things: a valid account name and its password. If you are still using the default administrator account, Administrator, you have made the intrusion much easier: the account name is already known, so only the password remains to be found. Unlike other accounts, this built-in administrator account is not locked out after multiple failed logons. This means the hacker can simply keep guessing the password (a "brute force" attack) until he obtains administrator privileges.

That is why the first thing you should do is rename the built-in Administrator account. Of course, renaming it but forgetting to change the default description ("Built-in account for administering the computer/domain") does not achieve much, so change both, to keep an intruder from quickly picking out the account with administrator privileges. Keep in mind that all of this can only slow an intruder down. A determined and capable hacker can still get around it: for example, the SID of the built-in administrator account cannot be changed and usually ends in 500, and there are tools that identify the administrator account by its SID.

In Windows Server 2003, it is possible to disable the built-in administrator account completely. If you want to do that, you must first create another account and give it administrator privileges; otherwise you will find yourself unable to perform certain privileged tasks. The built-in Guest account should likewise be disabled (this is the default). If some users need guest-level access, create a new account with a less conspicuous name and restrict its permissions.

All accounts, and especially administrative accounts, should have a strong password. A strong password should be more than 8 characters long, mix letters, numbers, and symbols, and not be a dictionary word. Users must be careful not to write their passwords down or tell them to others (social engineering is also a common means of unauthorized access). Group Policy can also be used to force passwords to be changed on a regular basis.
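The following script is an added example, not code from the original article: it audits the account measures described above (built-in Administrator renamed, its default description changed and ideally disabled; Guest disabled; password policy) against the current domain. It uses only System.DirectoryServices, so it can run from any domain-joined Windows machine with PowerShell installed; the well-known RIDs 500 and 501 are how it finds the built-in accounts whatever they are now called.

```powershell
# Added example (not part of the original article): audit the domain account
# hardening described above. Needs only System.DirectoryServices, so it runs
# from any domain-joined Windows machine with PowerShell; no AD module required.
# Assumption: the caller can read user objects and the domain object (any domain user can).

$rootDse = [ADSI]"LDAP://RootDSE"
$domain  = [ADSI]("LDAP://" + $rootDse.defaultNamingContext)

# The password policy is stored on the domain object. pwdProperties bit 0
# (DOMAIN_PASSWORD_COMPLEX) means complexity requirements are enforced.
$minLen  = [int]$domain.Properties["minPwdLength"].Value
$complex = ([int]$domain.Properties["pwdProperties"].Value -band 1) -ne 0
if ($minLen -lt 8 -or -not $complex) {
    Write-Warning "Password policy: minimum length $minLen, complexity enforced: $complex."
}

$searcher = New-Object System.DirectoryServices.DirectorySearcher($domain)
$searcher.Filter   = "(&(objectCategory=person)(objectClass=user))"
$searcher.PageSize = 1000
[void]$searcher.PropertiesToLoad.AddRange([string[]]("sAMAccountName", "description", "userAccountControl", "objectSid"))

foreach ($r in $searcher.FindAll()) {
    $p = $r.Properties
    # The RID (last SID component) identifies the built-in accounts regardless of their current name.
    $sid = New-Object System.Security.Principal.SecurityIdentifier($p["objectsid"][0], 0)
    $rid = [int]$sid.Value.Split("-")[-1]
    if ($rid -ne 500 -and $rid -ne 501) { continue }

    $name     = [string]$p["samaccountname"][0]
    $desc     = [string]($p["description"] | Select-Object -First 1)
    $disabled = ([int]$p["useraccountcontrol"][0] -band 2) -ne 0   # ADS_UF_ACCOUNTDISABLE

    if ($rid -eq 500) {
        if ($name -eq "Administrator") {
            Write-Warning "Built-in Administrator (RID 500) has not been renamed."
        }
        if ($desc -like "Built-in account for administering*") {
            Write-Warning "'$name' (RID 500) still carries the default description."
        }
        if (-not $disabled) {
            Write-Output "'$name' (RID 500) is enabled and exempt from lockout; disable it once another administrative account exists."
        }
    } elseif (-not $disabled) {
        Write-Warning "Guest account '$name' (RID 501) is enabled; it should be disabled."
    }
}
```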

Relocating the Active Directory Database

The Active Directory database holds the domain's core information and must be properly protected. One way to do this is to move its files from the default location on the system volume, which every attacker knows, to another location. For further protection, consider moving the AD database files to a redundant or mirrored volume so that they can be recovered if the disk fails.

The Active Directory database files include Ntds.dit, Edb.log, and Temp.edb.

Note: Moving the Active Directory database files to a physical disk other than the one holding the system volume can also improve the DC's performance.

You can move the Active Directory database and log files with the NTDSUTIL.EXE tool by following these steps:

1. Restart the domain controller.

2. Press F8 during startup to open the Advanced Options menu.

3. Select Directory Services Restore Mode from the menu.

4. If more than one Windows Server 2003 installation is listed, select the correct one and press Enter.

5. At the logon prompt, log on with the password of the Directory Services Restore Mode administrator account that was specified when the server was promoted to a domain controller.

6. Click Start | Run, type CMD, and open a command prompt.

7. At the command prompt, type NTDSUTIL.EXE and press Enter.

8. At the NTDSUTIL prompt, enter FILES.

9. Depending on whether you are moving the database or the log files, enter MOVE DB TO <path> or MOVE LOGS TO <path>.

10. Enter QUIT twice to exit NTDSUTIL and return to the command prompt, then close the command prompt window.

11. Restart the domain controller to boot Windows Server 2003 in normal mode.
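As an added pre-flight check for the procedure above (not part of the original article), the script below reads where the NTDS service currently keeps ntds.dit and its logs, warns if they or the chosen target are on the system volume, confirms the target disk has room, and prints the exact NTDSUTIL session for steps 7 to 10. It runs on the DC in normal mode before the reboot; the target D:\NTDS is a placeholder, and PowerShell has to be installed separately on Server 2003.

```powershell
# Added example (not part of the original article): pre-flight check for the
# NTDSUTIL move above. Run on the DC in normal mode before rebooting into
# Directory Services Restore Mode. D:\NTDS is a placeholder target; the registry
# value names are the ones the NTDS service itself uses to locate its files.
param([string]$Target = "D:\NTDS")

$ntdsParams = Get-ItemProperty "HKLM:\SYSTEM\CurrentControlSet\Services\NTDS\Parameters"
$dbFile     = $ntdsParams."DSA Database file"
$logDir     = $ntdsParams."Database log files path"
$sysDrive   = $env:SystemDrive

function Test-OnSystemVolume([string]$path) {
    return $path.StartsWith($sysDrive, [System.StringComparison]::OrdinalIgnoreCase)
}

"Database file : $dbFile"
"Log directory : $logDir"
if (Test-OnSystemVolume $dbFile) { Write-Warning "ntds.dit is on the system volume ($sysDrive), the default location every attacker knows." }
if (Test-OnSystemVolume $logDir) { Write-Warning "Transaction logs are on the system volume ($sysDrive)." }
if (Test-OnSystemVolume $Target) { Write-Warning "Target $Target is also on the system volume; choose another disk." }

# The move copies ntds.dit, so the target needs the current size plus headroom for log growth.
$dbSize = (Get-Item $dbFile).Length
$drive  = Split-Path -Qualifier $Target
$disk   = Get-WmiObject Win32_LogicalDisk -Filter "DeviceID='$drive'"
if ($disk -eq $null) {
    Write-Warning "Target drive $drive does not exist."
} elseif ($disk.FreeSpace -lt 2 * $dbSize) {
    Write-Warning ("Only {0:N0} MB free on {1}; ntds.dit is {2:N0} MB." -f ($disk.FreeSpace / 1MB), $drive, ($dbSize / 1MB))
}

# The NTDSUTIL session to type in Directory Services Restore Mode (steps 7 to 10 above);
# 'info' before and after the move shows the old and new file locations.
@"
NTDSUTIL
files
info
move DB to $Target
move logs to $Target\Logs
info
quit
quit
"@
```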

Securing password information with Syskey

The domain account password information stored in Active Directory is the most sensitive security data on the system. The system key (Syskey) is used to encrypt the account password information held in the domain controller's directory service database.

Syskey has three modes of operation. Mode 1 is the default in every Windows Server 2003 installation: the computer generates a random system key, encrypts it, and stores it locally. In this mode you log on to the computer as you normally would.

In Mode 2, the system key is generated and stored as in Mode 1, but an additional password chosen by the administrator provides further protection. This password is not stored locally and must be entered at startup whenever the computer restarts.

Mode 3 is the most secure mode. The randomly generated system key is stored on a floppy disk rather than on the computer. Unless you have physical access to that floppy disk and insert it when prompted, the system will not boot.

Note: Before using Mode 2 or Mode 3, consider their operational consequences. For example, an administrator may have to insert the floppy disk holding the Syskey password at the server itself, which means you will not be able to reboot the server remotely unless someone is there to insert the disk.

You can create a system key in the following ways:

1. Click Start | Run, type CMD, and open a command prompt.

2. At the command prompt, type SYSKEY and press Enter.

3. Click UPDATE. Make sure ENCRYPTION ENABLED is selected.

4. If you want a Syskey startup password, click PASSWORD STARTUP.

5. Enter a strong password (12 to 128 characters).

6. If you do not want a startup password, click SYSTEM GENERATED PASSWORD.

7. The default option is STORE STARTUP KEY LOCALLY. To keep the key on a floppy disk instead, select STORE STARTUP KEY ON FLOPPY DISK.

If you use Mode 3 and keep the key on a floppy disk, make sure you have a backup copy of the disk.

Note that if you lose the key floppy, if it is compromised, or if you forget the administrator-specified password, there is no way to recover: you will have to reinstall the domain controller.

Summary

Protecting your domain controllers is an important step in your network security strategy. In this article we discussed the physical security of domain controllers, securing domain accounts, relocating the Active Directory database files, and using the Syskey tool to protect the account password information stored on domain controllers.

Copyright © Windows knowledge All Rights Reserved