S 2.414 Computer virus protection for domain controllers
Initiation responsibility: Head of IT
Implementation responsibility: Administrator
In order to ensure adequate protection against computer viruses and other malware in an organisation, the organisation must implement a comprehensive computer virus protection concept. The corresponding approach is described in module S 1.6 Protection against malware. The computer virus protection concept must also take into consideration the domain controllers in the organisation.
However, it is necessary to take into consideration some special aspects for domain controllers in order to make sure that the use of a virus protection program will not have any adverse effects on the domain controllers during ongoing operations.
The information provided in this safeguard should be seen as general information. Under some circumstances, it will be necessary to also take into consideration the special instructions provided by the manufacturer of the virus protection program.
When selecting the virus protection software, it must be ensured that the software explicitly supports use on a domain controller. In this regard, it is crucial that the virus protection software uses the application programming interfaces (APIs) provided by the operating system manufacturer.
When the wrong program interfaces are used, the metadata of the files scanned may be changed under certain circumstances when scanned by the virus protection software. In this case, the File Replication Service (FRS) of the operating system may trigger a replication of the supposedly changed file in the organisation. Such unnecessary replications may result in lower system performance and should therefore be avoided. Additional details on compatible virus protection programs can be found in Article 815263 in the Microsoft Knowledge Base.
The virus protection software should be tested thoroughly in a test environment to ensure it functions properly before putting it into use in a production environment. The test environment should model the conditions in the production environment as well as possible to determine whether the software has any impact on the overall performance of the domain controllers.
In order to avoid introducing malware into the organisation, only the Active Directory functionality of the operating system should be used on domain controllers and, if possible, no other services should be offered. In particular, a domain controller must not be used as a conventional workstation: users logged on locally to a domain controller must not be able to surf the Internet, receive emails, or access external data media such as USB storage media or DVD-ROMs.
Likewise, the domain controllers should not be used as file share servers. If files are made available on the domain controllers in the network via file shares, these files will be scanned for malware by the virus protection program every time they are accessed, which may lead to lower performance on the domain controller. For this reason, file shares should be disabled on the domain controller.
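The following PowerShell script is an added example and is not part of the IT-Grundschutz text. It reports installed server roles and SMB shares on a domain controller that go beyond the directory service, which is the check an administrator would run to verify the two preceding paragraphs. It assumes administrative rights on the domain controller itself and Windows Server 2012 or later (ServerManager and SmbShare modules); the expected role and share lists are an assumed baseline to be adjusted to the organisation's design.

```powershell
# Added example, not part of the IT-Grundschutz text: report roles and
# shares on a domain controller that go beyond the directory service.
# Assumptions: run with administrative rights on the DC itself, on
# Windows Server 2012 or later (ServerManager and SmbShare modules).

Import-Module ServerManager
Import-Module SmbShare

# Roles a DC is expected to carry (assumed baseline). DNS is included because
# AD-integrated DNS normally runs on DCs; FileAndStorage-Services is installed
# by default on Windows Server 2012 and later and is not user file sharing.
$expectedRoles = @('AD-Domain-Services', 'DNS', 'FileAndStorage-Services')

# Shares every DC exposes; any other non-administrative share indicates
# the DC is being used as a file server.
$expectedShares = @('SYSVOL', 'NETLOGON')

function Get-UnexpectedRoles {
    Get-WindowsFeature |
        Where-Object { $_.Installed -and $_.FeatureType -eq 'Role' -and $_.Name -notin $expectedRoles } |
        Select-Object Name, DisplayName
}

function Get-UnexpectedShares {
    # Special shares (C$, ADMIN$, IPC$) are administrative, not user file shares.
    Get-SmbShare |
        Where-Object { -not $_.Special -and $_.Name -notin $expectedShares } |
        Select-Object Name, Path, Description
}

$roles  = @(Get-UnexpectedRoles)
$shares = @(Get-UnexpectedShares)

if ($roles)  { Write-Warning 'Roles beyond the expected baseline are installed:'; $roles  | Format-Table -AutoSize }
if ($shares) { Write-Warning 'Non-default file shares found (remove with Remove-SmbShare):'; $shares | Format-Table -AutoSize }
if (-not $roles -and -not $shares) { Write-Output 'No additional roles or file shares found.' }
```

Shares reported by Get-UnexpectedShares should be removed (Remove-SmbShare -Name <share> -Force) once their data has been moved to a dedicated file server; roles listed by Get-UnexpectedRoles are candidates for Uninstall-WindowsFeature after the dependency on the domain controller has been resolved.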
As a general rule, the virus protection program should monitor all file accesses transparently in the background. However, there are some files in a Windows server operating system such as directory service database files, log files, and the database files of the file replication service that may impair the function of the domain controllers when accessed by a virus protection program. In order to prevent the virus protection program from generating unnecessary file locks and to ensure the smooth operation of the domain controllers, it is therefore necessary to take the following aspects into consideration.
Access to the Active Directory database and log files by the Extensible Storage Engine (ESE)
The directory service database and log files are opened by Active Directory through the ESE for exclusive access. The ESE can therefore only open files that are not locked by the virus protection software, and conversely the virus protection software can only access files that are not locked by the ESE. A scanner that holds a lock on these files can thus prevent the directory service from starting or operating.
Both the database files and the log files contain checksums maintained internally by Active Directory. If a virus protection program modifies these files (for example by "cleaning" or quarantining a file after a false positive), these checksums become invalid, which leads to an inconsistent database. An inconsistent database may cause the Active Directory to fail.
For this reason, the following files should be exempt from regular virus scans:
- main database file of the Active Directory
- transaction log files of the Active Directory
- working folder of the Active Directory
Access to the database and log files of the file replication service (FRS) by the ESE
As described above, an unsuitable virus protection program may access the database or log files while the replication service holds them open. Likewise, changes to the internal checksums of these files may lead to the failure of the Active Directory. For this reason, the following files should be exempt from regular virus scans:
- files in the working folder of the file replication service
- database log files of the file replication service
- staging folder (cache containing the new and changed files to be replicated) and master replica (copy of the distributed file system master and its links to lower levels) of the file replication service
- pre-installation folder of the file replication service
If the file replication service is used to replicate Windows shares whose link targets are on Windows server operating systems, the corresponding files in the SYSVOL folder must also be excluded from the virus scan.
File replication using the file replication service (FRS)
The file replication service is used by the Windows server operating systems for the replication of the login scripts and system policies in the SYSVOL folder between domain controllers. If the metadata (security information or time stamp) of a file is changed by a virus protection program, the corresponding file will be replicated again between the domain controllers by the FRS. This behaviour leads to increased replication of the SYSVOL files and therefore to:
- an increase in the bandwidth consumed in the network,
- an increase in the resources consumed on the domain controllers, and
- a large number of files located in the staging folder (this applies especially to the Windows Server 2003 and Windows 2000 Server SP3 operating systems).
The following aspects should be taken into consideration in order to prevent excessive replication:
- A virus protection program that does not change the metadata of the files in the SYSVOL folder should be selected.
- If the organisation cannot select such a program, the SYSVOL directory and all its subdirectories should be exempt from the automatic scans performed by the virus protection program. However, excluding these directories increases the risk of a malware infection, because executable files such as login scripts stored there will no longer be scanned by the virus protection software, in contrast to the database and log files mentioned above. For this reason, only signed login scripts should be used on the domain controllers and administrator workstations when the SYSVOL directories cannot be protected by the virus protection program.
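The following PowerShell script is an added example and is not part of the IT-Grundschutz text or its Resources. It shows the two halves of the compensating control described above: signing a login script with a code-signing certificate before publishing it to SYSVOL, and auditing the scripts already in the scripts share for missing or broken signatures. It assumes that a code-signing certificate issued by the organisation's PKI is present in Cert:\CurrentUser\My, that the scripts share is at the default location \\<domain>\SYSVOL\<domain>\scripts, and that the timestamp service URL is a placeholder to be replaced.

```powershell
# Added example, not part of the IT-Grundschutz text: sign login scripts
# before they are published to SYSVOL, and audit the scripts share for
# missing or broken signatures.
# Assumptions: a code-signing certificate from the organisation's PKI is
# in Cert:\CurrentUser\My; scripts live in \\<domain>\SYSVOL\<domain>\scripts
# (default NETLOGON location); $timestamp is a placeholder URL.

$domain      = $env:USERDNSDOMAIN
$scriptsPath = "\\$domain\SYSVOL\$domain\scripts"
$timestamp   = 'http://timestamp.example.invalid'   # placeholder; use your PKI's timestamp service

$cert = Get-ChildItem Cert:\CurrentUser\My -CodeSigningCert | Select-Object -First 1
if (-not $cert) { throw 'No code-signing certificate found in Cert:\CurrentUser\My' }

function Publish-SignedLoginScript {
    param([Parameter(Mandatory)][string]$Path)
    # Authenticode covers PowerShell, VBScript, JScript and WSF files;
    # .bat/.cmd files have no signature format and cannot be signed.
    $sig = Set-AuthenticodeSignature -FilePath $Path -Certificate $cert `
               -HashAlgorithm SHA256 -TimestampServer $timestamp
    if ($sig.Status -ne 'Valid') {
        throw "Signing failed for $Path : $($sig.StatusMessage)"
    }
    # Only a validly signed copy reaches SYSVOL (FRS replicates it from here).
    Copy-Item -Path $Path -Destination $scriptsPath
    $sig
}

function Test-LoginScriptSignatures {
    # Report every script whose signature is not Valid
    # (NotSigned, HashMismatch, NotTrusted, UnknownError ...).
    Get-ChildItem -Path $scriptsPath -Recurse -Include *.ps1, *.vbs, *.js, *.wsf |
        ForEach-Object { Get-AuthenticodeSignature -FilePath $_.FullName } |
        Where-Object { $_.Status -ne 'Valid' } |
        Select-Object Path, Status, StatusMessage
}

# Enforcement for PowerShell login scripts: refuse unsigned scripts.
# (Execution policy governs PowerShell only, not VBScript or JScript.)
# Set-ExecutionPolicy AllSigned -Scope LocalMachine

Test-LoginScriptSignatures | Format-Table -AutoSize
```

A HashMismatch result from Test-LoginScriptSignatures means a script in SYSVOL was changed after signing, which is exactly the modification the disabled scanner can no longer catch, and should be treated as an incident rather than re-signed in place.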
Update function of the Microsoft operating system
Because virus protection programs may hold exclusive locks on files, problems may arise in conjunction with the update function of the Windows server operating systems (Microsoft Update, Windows Update, or Automatic Update functions).
In order to avoid these problems, the following files should be excluded from regular virus scans:
- database files related to the update functionality such as the Datastore.edb file located in the folder %windir%\SoftwareDistribution\Datastore
- the transaction log files stored in the folder %windir%\SoftwareDistribution\Datastore\Logs
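The following PowerShell script is an added example and is not part of the IT-Grundschutz text. It covers the three groups of exclusions listed above (Active Directory database and logs, file replication service, Windows Update datastore) in one pass, reading the actual Active Directory and FRS locations from the domain controller's registry instead of assuming default paths, and registers them as exclusions in Microsoft Defender Antivirus. It assumes Defender Antivirus is the scanner in use (Add-MpPreference), that the script runs as administrator on the domain controller, and that the FRS registry value names are as noted in the comments; default paths are used only as labelled fallbacks.

```powershell
# Added example, not part of the IT-Grundschutz text: derive the files and
# folders listed above from the DC's own configuration and register them as
# Microsoft Defender Antivirus exclusions.
# Assumptions: the scanner is Defender Antivirus (Add-MpPreference); run as
# administrator on the DC. For a third-party scanner, feed $paths into its
# exclusion settings instead.

$paths = New-Object System.Collections.Generic.List[string]

# 1. Active Directory database, transaction logs and working folder.
#    The NTDS service records the real locations; do not assume %windir%\NTDS.
$ntds = Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Services\NTDS\Parameters'
$paths.Add($ntds.'DSA Database file')          # ntds.dit
$paths.Add($ntds.'Database log files path')    # edb*.log, edb.chk, edbres*.jrs
$paths.Add($ntds.'DSA Working Directory')      # temp.edb and other working files

# 2. File Replication Service (present only while SYSVOL is still FRS-replicated).
#    Value names 'Working Directory' and 'Replica Set Stage' are assumed from
#    the FRS registry layout; defaults are used as a labelled fallback.
$frsKey = 'HKLM:\SYSTEM\CurrentControlSet\Services\NtFrs\Parameters'
if (Test-Path $frsKey) {
    $frs     = Get-ItemProperty $frsKey
    $working = if ($frs.'Working Directory') { $frs.'Working Directory' } else { "$env:windir\ntfrs" }
    $paths.Add("$working\jet")                 # ntfrs.jdb and its edb*.log files
    # Each replica set registers its own staging folder.
    Get-ChildItem "$frsKey\Replica Sets" -ErrorAction SilentlyContinue | ForEach-Object {
        $stage = (Get-ItemProperty $_.PSPath).'Replica Set Stage'
        if ($stage) { $paths.Add($stage) }
    }
    # Pre-installation folder: derived from the Netlogon SysVol path, default otherwise.
    $sysvol = (Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters').SysVol
    $sysvolRoot = if ($sysvol) { Split-Path $sysvol -Parent } else { "$env:windir\SYSVOL" }
    $paths.Add("$sysvolRoot\domain\DO_NOT_REMOVE_NtFrs_PreInstall_Directory")
}

# 3. Windows Update datastore and its transaction logs (paths named in the text).
$paths.Add("$env:windir\SoftwareDistribution\Datastore\Datastore.edb")
$paths.Add("$env:windir\SoftwareDistribution\Datastore\Logs")

# Apply once, de-duplicated. Add-MpPreference appends to the existing list.
$paths = $paths | Where-Object { $_ } | Sort-Object -Unique
Add-MpPreference -ExclusionPath $paths

# Verify what the scanner will now skip.
(Get-MpPreference).ExclusionPath
```

The SYSVOL directory itself is deliberately not in this list: excluding it is the separate trade-off discussed in the previous section and should only be made together with signed login scripts. Microsoft Defender Antivirus on Windows Server also applies automatic exclusions for the Active Directory Domain Services role, so the explicit list above matters mainly for third-party scanners or where automatic exclusions have been disabled; in either case the resulting exclusion list should be compared against the paths the directory service actually uses, as the script does.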
Additional details on the files to be excluded can be found online in the Managing Domain Controllers document in the Microsoft Windows Server TechCenter and in Microsoft Knowledge Base Article 822158, which describes recommendations for virus scans performed on Windows Server 2003, Windows 2000, or Windows XP computers.
Instructions for introducing script signatures can be found in the Resources for IT-Grundschutz (see Scanning for viruses by introducing script signatures in the Resources for the Active Directory module).
Review questions:
- Are the domain controllers taken into consideration in the computer virus protection concept?
- Has the virus protection software used been approved by the manufacturer for use on domain controllers?
- Was the virus protection software adequately tested in a test environment before putting it into productive use on the domain controller?
- Are files with the potential to have adverse effects on the domain controller's function when accessed by the virus protection software (e.g. databases and log files of directory and replication services) excluded from the virus scan?
- Are files which are excluded from the scans performed by the virus protection software protected adequately against malware by other means?