A compromised domain controller puts the entire Active Directory (AD) at risk. The logic behind this is simple – when an attacker gets access to the Domain Controller, they will be able to access and change everything related to the Active Directory domain.
What is a Domain Controller?
A Domain Controller (DC) is the Windows Server role that hosts Active Directory Domain Services (AD DS). Active Directory is essentially a database of users, computers, and other resources that provides identity and access permissions in the environment.
Domain Controllers replicate directory service information for their domains, including users, authentication credentials and enterprise security policies.
Possible Threats to a Domain Controller
An attacker who has gained access to Domain Controllers may:
- cause damage to the AD DS database
- access the security database and the information contained within it
- leak the security configuration information
- change security configurations to access domain resources
- steal computer/user account information and passwords
- get control over computers, users, and organizational units
Best Practices for Securing Domain Controllers
Attackers who want to compromise a business-critical network often look for and attack Domain Controllers, because the identity information in Active Directory holds the ‘keys to the kingdom’. A compromised Domain Controller makes the entire Active Directory unreliable and unpredictable, which is why AD administrators are very protective of Domain Controllers. Here are some tips to protect Domain Controllers:
Secure Domain Controllers Physically
Domain Controllers should be isolated from other hosts and virtual machines (VMs) in the environment, regardless of whether they run on physical hosts or virtual machines. This separation layer helps to protect against an attacker pivoting from another compromised host or VM in the environment to Domain Controllers.
If DCs are in remote or branch office locations with poor physical security, one option is to use a read-only Domain Controller, which provides a read-only copy of Active Directory. Encrypting the drives of DCs in the environment also protects the data at rest against an attack.
Implement a Mechanism to Administer Domain Controllers
There should be a dedicated administrative policy for Domain Controllers. Membership in the Domain Administrators group and Enterprise Administrators group should be very limited, keeping to the bare minimum number of users. In addition, all activities on Domain Controllers should be regularly monitored and audited.
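One way to review that membership with the ActiveDirectory PowerShell module (an added example, not part of the original article). It assumes a session in the forest root domain, where Enterprise Admins lives, and the 90-day stale-logon threshold is an illustrative value:

```powershell
#Requires -Modules ActiveDirectory
# Added example: report who effectively holds the two most privileged groups.
$groups    = 'Domain Admins', 'Enterprise Admins'
$staleDays = 90                          # assumed review threshold, not from the article
$cutoff    = (Get-Date).AddDays(-$staleDays)

$report = foreach ($group in $groups) {
    # -Recursive flattens nested groups, so indirect members are not missed
    Get-ADGroupMember -Identity $group -Recursive |
        Where-Object objectClass -eq 'user' |
        ForEach-Object {
            $u = Get-ADUser -Identity $_.distinguishedName `
                            -Properties Enabled, LastLogonDate, PasswordLastSet
            [pscustomobject]@{
                Group           = $group
                SamAccountName  = $u.SamAccountName
                Enabled         = $u.Enabled
                LastLogonDate   = $u.LastLogonDate
                PasswordLastSet = $u.PasswordLastSet
                # Disabled, never-used or long-idle accounts are removal candidates
                Review          = (-not $u.Enabled) -or
                                  ($null -eq $u.LastLogonDate) -or
                                  ($u.LastLogonDate -lt $cutoff)
            }
        }
}

$report | Sort-Object Group, SamAccountName | Format-Table -AutoSize
# Head count per group, to track against the "bare minimum" target
$report | Group-Object Group | Select-Object Name, Count
```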
Limit Network Access to Domain Controllers
Network access to Domain Controllers should be extremely limited. Only trusted IP ranges and devices should have access to Domain Controllers, to lower their attack surface. Additionally, access should be allowed only under the Domain or Private firewall profiles, with no guest or public traffic permitted.
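A local check of those firewall settings using the built-in NetSecurity cmdlets (an added example, not from the original article; run it in an elevated session on the DC). Every rule it lists needs a justification or a tighter scope:

```powershell
# Added example: review firewall profile and rule scope on a Domain Controller.

# 1. Which profile does each interface use? A DC NIC should be DomainAuthenticated.
Get-NetConnectionProfile | Select-Object InterfaceAlias, NetworkCategory

# 2. Is the firewall on for every profile, and what is the default inbound action?
Get-NetFirewallProfile | Select-Object Name, Enabled, DefaultInboundAction

# 3. Enabled inbound allow rules that apply to the Public profile,
#    or that accept traffic from any remote address.
$findings = Get-NetFirewallRule -Enabled True |
    Where-Object { $_.Direction -eq 'Inbound' -and $_.Action -eq 'Allow' } |
    ForEach-Object {
        $rule   = $_
        $filter = $rule | Get-NetFirewallAddressFilter
        # Profile is a flags value such as "Domain, Private" or "Any"
        $publicProfile = $rule.Profile.ToString() -match 'Any|Public'
        $anyRemote     = $filter.RemoteAddress -contains 'Any'
        if ($publicProfile -or $anyRemote) {
            [pscustomobject]@{
                Rule          = $rule.DisplayName
                Profile       = $rule.Profile
                RemoteAddress = $filter.RemoteAddress -join ','
                PublicProfile = $publicProfile
                AnyRemote     = $anyRemote
            }
        }
    }

$findings | Sort-Object Rule | Format-Table -AutoSize
```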
Block Internet Access
It is highly recommended that no web browser should be used on a Domain Controller. Often Domain Controllers are given Internet access for convenience, but this is a significant security vulnerability.
When someone browses the Internet from a Domain Controller, an attacker gains an easy path to compromising the entire environment by stealing credentials and carrying out privilege escalation attacks.
Use the Most Updated Version of Windows Server
All Domain Controllers should run the newest version of Windows Server that is supported within your organization. After an OS or server role change, install the Domain Controller from scratch instead of upgrading it.
Implement Effective Security Measures
Careless security configurations are often exploited by cybercriminals to gain access to computer systems, so it is essential to implement a security policy and configure adequate security measures to protect Domain Controllers. Security policies can be enforced through GPOs: the default Domain Controller policy can be modified, or a new one can be created and enforced on the Domain Controllers' Organizational Unit. Various Microsoft tools and trusted third-party tools like the Lepide Data Security Platform can be used for this purpose.
Limit what is run on Domain Controllers
Domain Controllers should only run applications and services that are essential for their functioning and security. Reliable third-party applications can be used to block unnecessary software applications.
Backup Domain Controllers
Domain Controllers should be backed up using Windows Server Backup. Windows Server Backup features a GUI (graphical user interface) and lets you create incremental backups by using the Volume Shadow Copy Service (VSS). The backed-up data is saved into a Virtual Hard Disk (VHD) file, the same file format used for Microsoft Hyper-V.
The advantages of using Windows Server Backup for Active Directory backup are affordability, VSS capability, and the ability to back up either the whole system or Active Directory components only.
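The same backup can be scripted with wbadmin, the command-line front end to Windows Server Backup (an added example, not from the original article). The target volume E: is an assumption; use a dedicated volume that is not the system drive:

```powershell
# Added example: system state backup of a DC (includes the AD DS database),
# followed by verification. Run in an elevated session on the DC.
$target = 'E:'   # assumed dedicated backup volume

if ($target -eq $env:SystemDrive) {
    throw "Backup target $target is the system drive; choose a separate volume."
}

# Windows Server Backup is an optional feature; install it if it is missing
if (-not (Get-WindowsFeature -Name Windows-Server-Backup).Installed) {
    Install-WindowsFeature -Name Windows-Server-Backup | Out-Null
}

# System state only: AD DS database, SYSVOL, registry and boot files
wbadmin start systemstatebackup "-backupTarget:$target" -quiet
if ($LASTEXITCODE -ne 0) {
    throw "wbadmin exited with code $LASTEXITCODE; the backup did not complete."
}

# Confirm that the new version is listed on the target
wbadmin get versions "-backupTarget:$target"

# Confirm that AD itself recorded the backup time for each directory partition
repadmin /showbackup $env:COMPUTERNAME
```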
What to do After a Fallout?
There are a few things that you can do if a Domain Controller is compromised:
Recover from a good backup: A good backup always brings a smile back to the admin's face, even after the worst attacks on Domain Controllers. Restore everything from the backup: system state data, files, and applications.
Eliminate the chances of a future compromise: Find the vulnerabilities that caused the DC compromise and fix them so that similar events do not occur in the future.
How Lepide Helps Secure Active Directory
It is crucial to know who is changing the files, folders and permissions on your network, and what, where and when those changes are made, so it is essential to monitor who logs on locally and through Remote Desktop Services. You will need to know who has the rights to shut down the system, back up and restore files and directories, and register a process as a service.
Lepide Active Directory Auditor provides a straightforward way to do this. It includes a range of tools which allow you to keep track of such changes within Active Directory and enables you to audit changes to Group Policy, including changes to security group membership. In addition, it provides threshold alerting tools to help spot suspicious activity and execute an automated response.
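The local and Remote Desktop logons mentioned above can also be read directly from a Domain Controller's Security log. This is an added example that uses built-in cmdlets and is not Lepide's code; it assumes logon success auditing is enabled, and the 7-day window is illustrative:

```powershell
# Added example: list interactive (type 2) and Remote Desktop (type 10)
# logons recorded on this DC. Run in an elevated session.
$since = (Get-Date).AddDays(-7)      # assumed look-back window
$types = @{ '2' = 'Interactive'; '10' = 'RemoteInteractive' }

$filter = @{ LogName = 'Security'; Id = 4624; StartTime = $since }

# Get-WinEvent raises an error when nothing matches, so suppress that case
$logons = Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue |
    ForEach-Object {
        $evt  = $_
        # Event 4624 carries its fields as named <Data> elements
        $data = @{}
        foreach ($d in ([xml]$evt.ToXml()).Event.EventData.Data) {
            $data[$d.Name] = $d.'#text'
        }
        if ($types.ContainsKey([string]$data['LogonType'])) {
            [pscustomobject]@{
                Time      = $evt.TimeCreated
                User      = '{0}\{1}' -f $data['TargetDomainName'], $data['TargetUserName']
                LogonType = $types[[string]$data['LogonType']]
                SourceIp  = $data['IpAddress']
            }
        }
    }

# Full timeline, newest first
$logons | Sort-Object Time -Descending | Format-Table -AutoSize

# Who logs on to the DC, how, and how often
$logons | Group-Object User, LogonType |
    Sort-Object Count -Descending |
    Select-Object Count, Name
```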
Conclusion
The Domain Controller, being the brain of the Active Directory domain, needs special protection. If the Domain Controller becomes the target of an attack, it is fatal to the entire organization. But there are many things one can do to prevent such attacks, secure domain resources, and protect Active Directory. One of the most straightforward ways is to use Active Directory auditing software like the Lepide Active Directory Auditor.