Threats to Domain Controllers

Windows 2000 domain controllers are likely targets of attacks that attempt to compromise user and computer accounts, as well as other objects stored within Active Directory. Specifically, Windows 2000 domain controllers face the following threats:

  • Modification of Active Directory objects

  • Password attacks

  • Denial-of-service attacks

  • Replication prevention attacks

  • Exploitation of known vulnerabilities

Modification of Active Directory Objects

If attackers can compromise a domain controller, they can effectively make any changes they want to Active Directory. This includes the deletion or modification of existing objects and the creation of new objects in Active Directory. For example, attackers who gain administrative access to a domain controller can create a user account for their own purposes, as well as add that user account to any number of administrative groups in the domain.

Password Attacks

If attackers can gain access to a domain controller, they can back up the Active Directory database by performing a System State backup or by copying the Active Directory database and logs to another computer by booting the domain controller into another OS. This backup of the domain controller can be restored to a remote computer and used to mount an offline password attack. The advantage to the attacker is that the password attack is not taking place against the production network, but on a computer that is removed from the network.

Denial-of-Service Attacks

Attackers can prevent users from performing authentication by performing denial-of-service attacks against domain controllers. Denial-of-service attacks typically take advantage of unpatched Windows 2000 security flaws. Denial-of-service attacks can also be launched against Domain Name System (DNS) servers, preventing clients from finding domain controllers. Clients find domain controllers by requesting a Service (SRV) resource record from a DNS server. If the DNS server is unable to respond, clients will not be able to find a domain controller for their domain.
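The DC locator step described above, as an added example that is not from the Security Resource Kit: the SRV names a client queries under `_msdcs` are the real ones, the answer set is constructed for a made-up domain, and the selection order (ascending priority, weighted random draw within a priority) is the RFC 2782 rule that clients apply. The point for a defender is the failure branch: no SRV answers, whether because the DNS server is down or the records were deleted, means the client has nothing to fall back on.

```python
"""Domain controller location via DNS SRV records, in RFC 2782 selection order.

Added example (not from the Security Resource Kit). The SRV query names are
real; the answer set below is constructed for a hypothetical domain.
"""
import random
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass(frozen=True)
class SrvRecord:
    priority: int   # lower is preferred
    weight: int     # relative share among records of equal priority
    port: int
    target: str     # host name of the domain controller


def dc_locator_names(domain: str, site: Optional[str] = None) -> List[str]:
    """SRV names a client queries to find DCs for `domain`, optionally scoped to its site."""
    scope = f"{site}._sites.dc._msdcs.{domain}" if site else f"dc._msdcs.{domain}"
    return [f"_ldap._tcp.{scope}", f"_kerberos._tcp.{scope}"]


def order_srv(records: List[SrvRecord], rng: Optional[random.Random] = None) -> List[SrvRecord]:
    """Order records as RFC 2782 prescribes: ascending priority; within one
    priority a weighted random draw, with zero-weight records placed first so
    they are picked only when the draw lands on 0."""
    rng = rng or random.Random()
    by_priority: Dict[int, List[SrvRecord]] = {}
    for rec in records:
        by_priority.setdefault(rec.priority, []).append(rec)

    ordered: List[SrvRecord] = []
    for priority in sorted(by_priority):
        group = sorted(by_priority[priority], key=lambda r: r.weight != 0)
        while group:
            total = sum(r.weight for r in group)
            n = rng.randint(0, total)
            running = 0
            for rec in group:
                running += rec.weight
                if running >= n:
                    break
            ordered.append(rec)
            group.remove(rec)
    return ordered


def choose_dc(records: List[SrvRecord], rng: Optional[random.Random] = None) -> SrvRecord:
    """The DC a client would contact first. An empty answer set (DNS server
    unavailable, records deleted) leaves the client with no DC to try."""
    if not records:
        raise LookupError("no SRV records returned: cannot locate a domain controller")
    return order_srv(records, rng)[0]


# Constructed sample answer set for a hypothetical domain (not real records).
SAMPLE_ANSWERS = [
    SrvRecord(priority=0, weight=100, port=389, target="dc1.example.test."),
    SrvRecord(priority=0, weight=0, port=389, target="dc2.example.test."),
    SrvRecord(priority=10, weight=100, port=389, target="dc-backup.example.test."),
]

if __name__ == "__main__":
    print(dc_locator_names("example.test", site="Branch"))
    for rec in order_srv(SAMPLE_ANSWERS):
        print(rec.priority, rec.weight, rec.target)
```

Run against the sample, `dc-backup` is always last because its priority is worse, `dc1` is almost always first, and an empty list raises instead of returning a guess, which is the condition a monitoring check should alert on.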

Replication Prevention Attacks

If attackers are able to disrupt replication between domain controllers, they might be able to prevent the application of Group Policy objects (GPOs), which lock down domain controllers. For example, if you modify the GPO applied to all domain controllers and the GPO is not replicated to all domain controllers, some of the domain controllers will not have the new security settings applied.

Attackers can prevent replication between domain controllers by performing a number of attacks. If DNS resource records are modified or deleted, a domain controller might not be able to find its replication partners. Likewise, if wide area network (WAN) links are blocked, replication traffic might not be able to reach domain controllers at remote sites.
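A check that surfaces the condition described in the two paragraphs above, as an added example that is not the book's own code: parse `repadmin /showrepl /csv` output and flag inbound links that have recorded failures, have never succeeded, or have not succeeded within a chosen window. The column names follow the tool's CSV header; the hosts, sites, timestamps and the failure status value in the sample are constructed, and the 24-hour threshold is an assumption to tune per site-link schedule.

```python
"""Flag failing or stale replication partners in `repadmin /showrepl /csv` output.

Added example (not from the Security Resource Kit). The sample is a constructed
imitation of the /csv layout: column names match the tool's header, every host,
site, timestamp and status value is made up.
"""
import csv
import io
from datetime import datetime, timedelta
from typing import Dict, List, Optional

SAMPLE_SHOWREPL_CSV = """\
showrepl_COLUMNS,Destination DSA Site,Destination DSA,Naming Context,Source DSA Site,Source DSA,Transport Type,Number of Failures,Last Failure Time,Last Success Time,Last Failure Status
showrepl_INFO,Default-First-Site-Name,DC1,"DC=example,DC=test",Default-First-Site-Name,DC2,RPC,0,0,2017-01-01 12:00:00,0
showrepl_INFO,Default-First-Site-Name,DC1,"DC=example,DC=test",Branch-Site,DC3,RPC,12,2017-01-02 09:15:00,2016-12-20 08:00:00,1722
showrepl_INFO,Default-First-Site-Name,DC1,"CN=Configuration,DC=example,DC=test",Branch-Site,DC3,RPC,0,0,2017-01-01 11:50:00,0
"""

TIME_FORMAT = "%Y-%m-%d %H:%M:%S"


def parse_showrepl(text: str) -> List[Dict[str, str]]:
    """One dict per inbound replication link, keyed by the header row's column names."""
    header: List[str] = []
    links: List[Dict[str, str]] = []
    for row in csv.reader(io.StringIO(text)):
        if not row:
            continue
        if row[0] == "showrepl_COLUMNS":
            header = row
        elif row[0] == "showrepl_INFO" and header:
            links.append(dict(zip(header, row)))
    return links


def replication_problems(links: List[Dict[str, str]], now: datetime,
                         max_age: timedelta = timedelta(hours=24)) -> List[Dict[str, object]]:
    """Links with recorded failures, no success ever ("0"), or no success within max_age.

    A partner that cannot be reached (DNS records gone, WAN link blocked) shows up
    here long before it reaches the tombstone lifetime and becomes unrecoverable.
    """
    problems: List[Dict[str, object]] = []
    for link in links:
        failures = int(link["Number of Failures"])
        raw_success = link["Last Success Time"]
        never_succeeded = raw_success == "0"
        age: Optional[timedelta] = None
        if not never_succeeded:
            age = now - datetime.strptime(raw_success, TIME_FORMAT)
        if failures > 0 or never_succeeded or age > max_age:
            problems.append({
                "destination": link["Destination DSA"],
                "source": link["Source DSA"],
                "naming_context": link["Naming Context"],
                "failures": failures,
                "hours_since_success": None if age is None else round(age.total_seconds() / 3600, 1),
                "last_status": link["Last Failure Status"],
            })
    return problems


if __name__ == "__main__":
    links = parse_showrepl(SAMPLE_SHOWREPL_CSV)
    for problem in replication_problems(links, now=datetime(2017, 1, 2, 10, 0, 0)):
        print(problem)
```

In the sample, only the domain partition from `DC3` is reported at the default threshold (twelve failures, last success nearly two weeks old); tightening `max_age` to a few hours also catches the links whose last success is older than that, which is what a scheduled check after a GPO change to the Domain Controllers OU should assert before trusting that every DC received the new settings.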

Exploitation of Known Vulnerabilities

Attackers might be able to compromise a domain controller that is not kept up to date with the latest service packs and security updates. For example, if the latest service packs are not applied to a domain controller, attackers might be able to disable it by performing a buffer overflow attack that prevents the OS from responding to any network requests. In the worst-case scenario, a buffer overflow might allow attackers to modify the configuration and take control of a domain controller.


Microsoft Windows Security Resource Kit
ISBN: 0735621748
Year: 2003
Pages: 189