Security Watch

Borrowing Security from Windows NT

Microsoft looks back for clues on securing Active Directory.

Is there such a thing as a read-only copy of Active Directory (AD)? Why would this be important?

The Windows 2000 Server and Windows Server 2003 AD database is writable on every domain controller (DC) in the forest. This has many advantages, including reducing the impact of replication latency in large forests and distributing management across geographic locations. But it adds a huge risk when DCs reside outside the datacenter in branch offices and other administratively sparse locations.

It's a security conundrum. The advantages of multi-master replication over the Windows NT 4.0 model are many. However, Windows NT 4.0 had one security advantage: changes can't be made at the backup domain controller (BDC). Because the BDC's copy of the security database can't be overwritten, a BDC in a branch office is more secure than an AD DC. Part of the reduced risk comes from the smaller amount of domain information available (NT is a much simpler system), but the fact that the BDC user database is read-only also makes it harder to attack. This keeps compromise of a branch office BDC from being such a huge threat to the enterprise.

Microsoft will be borrowing from this model in the future: the Longhorn model for AD will include a read-only DC. The DC might even be able to issue Kerberos tickets good only at the local branch. Being able to lock down processing and prevent changes to AD from the branch office can reduce security risk, so keep your eyes open for this change in the Longhorn server beta, scheduled to appear as early as late next year.

Of course, we live in the now. What can you do to improve security at branch office locations today?

  • Increase physical security for branch office DCs. The DC should be in a locked room or cabinet, and only accessible to those with the rights to administer the DC. Log access by physically recording who, what, when and where the DC console was used.
  • Require two-factor authentication (two different forms of credentials before authentication is complete; for example, require biometrics and a password).
  • Disable alternative access to the DC, including disabling floppy drives, unused USB ports, CD-ROM drives, serial ports and so on.
  • Protect the WAN connection. Don't allow the connection to share a wiring closet with the telco equipment for the entire office building. At a minimum, require a secured connection. Ensure that cabinets are kept locked and only authorized personnel are allowed entrance.
  • Ensure DCs are kept away from excessive heat or cold, water or other fluids, chemicals, or smoke.
  • Consider requiring the password entry mode of SYSKEY. If you do, be aware that this means someone who knows the password must be present if the machine needs to reboot.
  • Don't allow users to use the DC for Web browsing, e-mail or any user-based activity.
  • Restrict the number and type of services that run on the DC.
  • Use general hardening principles for AD. The more secure you make your entire AD infrastructure, the more secure your branch office DCs will be. (I'm writing an e-book on AD security, available here.)
  • Download Microsoft's own AD security guide.
  • Ask questions at the weekly AD Security chats. There's one each week hosted by Sanjay Tandon, the AD program manager for security, and other experts. You might find a solution to a current problem, or some insight into the future.
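Several items in the list above can be checked on the DC itself rather than by walking the server room. The PowerShell script below is an added example, not part of the column or of any Microsoft guidance; it assumes the standard Windows driver service names (Flpydisk, Cdrom, USBSTOR), the documented SYSKEY mode value under the Lsa key (SecureBoot: 1 = key stored locally, 2 = password entered at boot, 3 = floppy), and a service baseline that is a constructed placeholder you would replace with your own.

```powershell
# Audit a branch office DC against the machine-checkable items in the checklist.
# Read-only: it reports findings and changes nothing. Run as an administrator on the DC.
$findings = @()

# Alternative access paths: floppy, CD-ROM and USB storage drivers should be disabled (Start = 4).
# Service names are the standard Windows driver names (assumed, not from the column).
foreach ($drv in 'Flpydisk', 'Cdrom', 'USBSTOR') {
    $key = "HKLM:\SYSTEM\CurrentControlSet\Services\$drv"
    if (Test-Path $key) {
        $start = (Get-ItemProperty -Path $key -Name Start -ErrorAction SilentlyContinue).Start
        if ($start -ne 4) { $findings += "$drv driver is not disabled (Start=$start)" }
    }
}

# SYSKEY mode: the column suggests password-entry mode, which is SecureBoot = 2
# (assumed from documented SYSKEY behaviour: 1 = local key, 2 = password, 3 = floppy).
$lsa = Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa' -Name SecureBoot -ErrorAction SilentlyContinue
if ($null -eq $lsa -or $lsa.SecureBoot -ne 2) {
    $findings += "SYSKEY is not in password-entry mode (SecureBoot=$($lsa.SecureBoot))"
}

# Restrict services: anything running that is not in the approved baseline is a finding.
# The baseline below is a constructed placeholder; maintain the real one for your DC build.
$baseline = @('NTDS', 'kdc', 'DNS', 'Netlogon', 'W32Time', 'Dfs', 'NtFrs', 'LanmanServer', 'Eventlog', 'RpcSs', 'Dnscache')
$unapproved = Get-Service | Where-Object { $_.Status -eq 'Running' -and ($baseline -notcontains $_.Name) }
foreach ($svc in $unapproved) {
    $findings += "Unapproved running service: $($svc.Name) ($($svc.DisplayName))"
}

# Report: an empty list means the checkable items pass; everything else still needs a physical inspection.
if ($findings.Count -eq 0) {
    Write-Output 'No findings for the checkable items.'
} else {
    $findings | ForEach-Object { Write-Output "FINDING: $_" }
}
```

Run it from a scheduled task and forward the output to a central log so a branch DC that drifts from the baseline is noticed without relying on local staff.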

About the Author

Roberta Bragg, MCSE: Security, CISSP, Security+, and Microsoft MVP is a Redmond contributing editor and the owner of Have Computer Will Travel Inc., an independent firm specializing in information security and operating systems. She's series editor for Osborne/McGraw-Hill's Hardening series, books that instruct you on how to secure your networks before you are hacked, and author of the first book in the series, Hardening Windows Systems.
