S 4.138 Configuration of Windows Server as a domain controller
Initiation responsibility: Head of IT, IT Security Officer
Implementation responsibility: Administrator
Domain controllers provide the services that are necessary to administer a Windows Server network based on the Windows 2000 Server and Windows Server 2003 operating systems (referred to collectively in the following as Windows Server), with the Active Directory service (ADS) being the most important of these services. In general, a domain controller also offers the domain name service (DNS), without which the Active Directory cannot be operated. In Windows, the DNS contains references to important Windows Server resources whose integrity is essential for the correct operation of a Windows Server domain. Since a domain controller acts as a login server, it also runs the Kerberos service necessary for login. The Kerberos components on the domain controller also store the secret keys needed by the authentication protocol.
Since every domain controller therefore plays an important role and stores data worthy of protection, the following aspects must be taken into consideration during configuration. In addition to these, the aspects described in safeguards S 4.137 Secure configuration of Windows 2000 and S 4.139 Configuration of Windows 2000 as server also apply to a domain controller.
- The security of a domain controller is derived primarily from two essential areas: the security of the operating system configuration and the security of the Active Directory, which uses its own security mechanisms (see also S 3.27 Training to Active Directory administration). The security settings of the operating system are specified primarily using group policies, and the security settings of the Active Directory must be planned and implemented accordingly (see S 2.229 Planning Active Directory, S 2.231 Planning of group policy under Windows).
- Only authorised administrators are allowed to log in locally to a domain controller. Users must not be allowed to work on a domain controller. In a standard installation, normal users are therefore not usually allowed to log in locally to a domain controller.
- A domain controller should not offer any additional infrastructural services (e.g. DFS or DHCP) other than the standard domain controller services absolutely necessary (e.g. Active Directory, Kerberos, and DNS). In particular, it is not recommended to operate a DHCP server on a domain controller for security reasons (see also the Microsoft documentation on DNS and DHCP). Both services run using the same authorisations. Put very simply, this means that it is no longer possible to enforce access rights to DNS data if the DHCP service changes the DNS data.
- A domain controller should not offer any (application) server services, since errors in the server programs could make it possible to compromise the domain controllers and therefore the entire Windows Server domain.
Domain controllers should be configured as securely as possible. The secdc.inf (or, under Windows Server 2003, securedc.inf) or hisecdc.inf template file should be applied after a standard installation. The template files can be found in the Windows Server system directory under %windir%\security\templates. They can be applied from the command line using the secedit command, or viewed and applied using the Security Templates and Security Configuration and Analysis MMC snap-ins. Depending on the environment, it may be necessary to change some of the settings specified by the secdc.inf (under Windows Server 2003 securedc.inf) and/or hisecdc.inf template. This may be necessary, for example, if there are still old systems in the network (such as OS/2 systems) that only support less secure settings. Additional information on planning the security settings can be found in S 2.231 Planning of group policy under Windows. The migration document "Migrating from Windows NT Server 4.0 to Windows Server 2003", which can be found at the Microsoft Download Centre (http://www.microsoft.com/downloads), is recommended as a supplementary set of rules for the migration of Windows NT Server to Windows Server 2003. It describes all configuration changes necessary for the migration in detail.
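The following script illustrates the secedit workflow described above: export the current settings for rollback, analyse the domain controller against the template without changing anything, review the mismatches, and only then apply the template. It is an added example and not part of the safeguard text; it is written as PowerShell for readability, although the secedit calls are the same ones that would be typed at the cmd prompt. The template path, the working directory C:\SecTemplates and the names of the database and log files are assumptions, and the script assumes it runs with administrative rights on the domain controller itself.

```powershell
# Added example: analyse a domain controller against a security template with secedit
# before applying it. Not part of the BSI safeguard text.
# Assumptions (not stated on the page): elevated session on the domain controller,
# writable working directory C:\SecTemplates.

param(
    # securedc.inf under Windows Server 2003, secdc.inf under Windows 2000 Server;
    # hisecdc.inf can be substituted if the environment supports its stricter settings.
    [string]$Template = "$env:windir\security\templates\securedc.inf",
    [string]$WorkDir  = 'C:\SecTemplates',
    [switch]$Apply
)

New-Item -ItemType Directory -Path $WorkDir -Force | Out-Null
$db  = Join-Path $WorkDir 'dc-analysis.sdb'
$log = Join-Path $WorkDir 'dc-analysis.log'

# Step 1: keep a copy of the current effective settings so the change can be reverted.
secedit /export /cfg (Join-Path $WorkDir 'before.inf') /quiet

# Step 2: compare the running configuration against the template. /analyze makes no changes;
# it only records the result in the database and the log.
secedit /analyze /db $db /cfg $Template /log $log /quiet

# Step 3: list the settings that differ. secedit marks them with "Mismatch" in the log.
$mismatches = Select-String -Path $log -Pattern 'Mismatch'
Write-Host ("{0} settings differ from {1}" -f $mismatches.Count, (Split-Path $Template -Leaf))
$mismatches | ForEach-Object { $_.Line.Trim() }

# Step 4: apply only when explicitly requested, i.e. after the mismatch list has been
# reviewed and any values that legacy systems cannot support have been adjusted in the
# template. /overwrite empties the database first so only the template's settings apply.
if ($Apply) {
    $applyLog = Join-Path $WorkDir 'dc-apply.log'
    secedit /configure /db $db /cfg $Template /overwrite /log $applyLog /quiet
    Write-Host "Template applied; see $applyLog for details."
}
```

Running the script without -Apply gives the administrator the list of deviations to review against S 2.231 before the template is enforced; the exported before.inf can be re-applied with secedit /configure if a setting turns out to break an old system in the network.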
The configuration of the channel used to transmit administrative data between the computers in a Windows Server domain should be as secure as possible (see S 5.89 Configuration of the secure channel under Windows).
- If possible, a domain controller should be operated in the native mode so that all Windows client mechanisms (in Windows 2000 and higher) can be fully used. These mechanisms include the use of universal groups, the use of nested groups, and the assignment of RAS access authorisation via group membership, for example. It is possible to switch to the native mode once no Windows NT backup domain controllers (BDCs) are operated in the domain. Windows NT servers and workstations can still be operated in a native-mode domain. It must be noted, though, that it is impossible to revert to the mixed mode and therefore back to an NT domain.
- If a domain controller can be booted in the Active Directory Restore mode, it is possible to make changes to the AD by loading an older state (completely or only in part) from backup media. These changes can be loaded in such a way that they are propagated to all other domain controllers in the domain via the Active Directory replication mechanism after the next normal boot. It is therefore necessary to ensure that the Active Directory Restore mode is protected using a suitable password and that the domain controller can only be operated in this mode by applying the two-man principle. The Active Directory Restore mode is a command line-based mode, and typing errors may have serious consequences, such as the deletion or overwriting of the wrong branch of the Active Directory. For this reason, the two-man principle not only offers a control mechanism, but also provides security by requiring all input to be checked by two people.
- The domain controllers in the forest root domain (FRD) require special protection due to the special role the FRD plays in the forest.
In general, the physical security of every domain controller needs to be guaranteed at all times, for example by installing them in a server room.
Review questions:
- Have the access rights to all domain controllers been assigned restrictively at the operating system level?
- Is the domain controller operated in the native mode?
- Has it been ensured that the Active Directory Restore mode is protected using a suitable password and that this mode can only be operated by applying the two-man principle?