Borrowing Security from Windows NT
Microsoft looks back for clues on securing Active Directory.
- By Roberta Bragg
Is there such a thing as a read-only copy of Active Directory (AD)? Why would
this be important?
The Windows 2000 Server and Windows Server 2003 AD database is writable on
every domain controller (DC) in the forest. This has many advantages, including
reducing the impact of replication latency in large forests and distributing
management across geographic locations. But it adds a huge risk when DCs reside
outside the datacenter in branch offices and other administratively sparse locations.
It's a security conundrum. The advantages of multi-master replication over
the Windows NT 4.0 model are many. However, Windows NT 4.0 had one security
advantage: changes can't be made at the backup domain controller (BDC). Since
this server's security information can't be overwritten, a BDC in a branch office
is more secure than AD DC. Part of the smaller risk is due to the reduction
in domain information available; NT is a much simpler system, but the fact that
the BDC user database is read-only makes it harder to attack. This keeps compromise
of the branch office BDC from being such a huge threat to the enterprise.
Microsoft will be borrowing from this model in the future—the Longhorn
model for AD will include a read-only DC. The DC might even be able to issue
Kerberos tickets good only at the local branch. Being able to lock down processing
and prevent changes to AD from the branch office can reduce security risk, so
keep your eyes open for this change in the Longhorn server beta, scheduled out
as early as late next year.
Of course, we live in the now. What can you do to improve security at branch
office locations today?
- Increase physical security for branch office DCs. The DC should be in a
locked room or cabinet, and only accessible to those with the rights to administer
the DC. Log access by physically recording who, what, when and where the DC
console was used.
- Require two-factor authentication (two different forms of credentials before
authentication is complete. For example, require biometrics and a password.)
- Disable alternative access to the DC, including disabling floppy drives,
unused USB ports, CD-ROM drives, serial ports and so on.
- Protect the WAN connection. Don't allow the connection to share a wiring
closet with the telco equipment for the entire office building. At a minimum,
require a secured connection. Ensure that cabinets are kept locked and only
authorized personnel are allowed entrance.
- Ensure DCs are kept away from excessive heat or cold, water or other fluids,
chemicals, or smoke.
- Consider requiring the password entry mode of SYSKEY. If you do, be aware
that this means someone who knows the password must be present if the machine
needs to reboot.
- Don't allow users to use the DC for Web browsing, e-mail or any user-based
- Restrict the number and type of services that run on the DC.
- Use general hardening principals for AD. The more secure you make your entire
AD infrastructure, the more secure your branch office DCs will be. (I'm writing
an e-book on AD security, available here.)
- Download Microsoft's own AD security guide.
- Ask questions at the weekly AD Security chats.
There's one each week hosted by Sanjay Tandon, the AD program manager for
security, and other experts. You might find a solution to a current problem,
or some insight into the future.
Roberta Bragg, MCSE: Security, CISSP, Security+, and Microsoft MVP is a Redmond contributing editor and the owner of Have Computer Will Travel Inc., an independent firm specializing in information security and operating systems. She's series editor for Osborne/McGraw-Hill's Hardening series, books that instruct you on how to secure your networks before you are hacked, and author of the first book in the series, Hardening Windows Systems.