Best Practices

  • Physically secure domain controllers.

    All domain controllers should be stored in network server rooms that are secure from unauthorized personnel. A domain controller should not be used as a desktop computer. Ideally, domain controllers should be stored in a card-key-access room where access is restricted to network administrators.

  • Leave domain controller computer accounts in the Domain Controllers OU.

    Domain controllers should have consistent application of security settings. You can ensure that the same security settings are applied to domain controllers by keeping all domain controllers in a common OU. The Domain Controllers OU is defined by default as the Active Directory storage location for domain controller computer accounts. Ensure that the domain controller computer accounts remain in this default OU.

  • Develop the baseline domain controller settings in a security template.

    Defining the security settings in a security template ensures that the security settings are reproducible. You can import the security template into a GPO linked to the Domain Controllers OU to ensure consistent application. In addition, the security template provides documentation of the security settings defined by your company for domain controllers.

  • Apply the security template in a separate GPO linked to the Domain Controllers OU.

    By applying the security template in a GPO other than the default domain controllers policy, you allow users to disable the security template settings by either unlinking the GPO from the Domain Controllers OU or deleting the GPO entirely. If the security template is imported into the Domain Controllers OU, it will be more difficult to change or reverse the settings of the security template.

  • Enable auditing and increase log settings.

    Auditing should be defined in a GPO applied at the Domain Controllers OU to ensure that the Security Log contains relevant information about potential attacks against your company's domain controllers.

  • Store baseline security templates in a central, secure location.

    To ensure that version control is maintained, maintain a single store for all security templates or use version control software such as Microsoft Visual SourceSafe. Version control ensures that a single master version of the security template is maintained and applied to computers.

  • Restrict who can manage and link GPOs.

    You can protect domain controllers from incorrect security settings by restricting who is delegated permissions to modify the GPO that applies the security settings. In addition, you can restrict which users and groups can link GPOs to the Domain Controllers OU.

  • Install more than one domain controller in each domain.

    By installing two or more domain controllers in each domain, you ensure that at least one domain controller exists for the domain in case a domain controller fails. The second domain controller ensures that a domain controller is available to handle authentication requests and modifications to Active Directory objects in the event of a domain controller failure.
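
The template and auditing items above can be checked mechanically before a template is imported into a GPO. The following is an added example, not code from the book: it parses a security template (.inf) and reports where its [Event Audit] and [Security Log] settings fall short of a baseline. The required audit values, the minimum log size and the sample template are assumptions constructed for the example.

```python
# Constructed sample template (not from the book), in security template .inf form.
SAMPLE_TEMPLATE = """
[Event Audit]
AuditSystemEvents = 3
AuditLogonEvents = 1
AuditAccountLogon = 3
AuditAccountManage = 3
AuditPolicyChange = 0
[Security Log]
MaximumLogSize = 512
"""

# Assumed baseline for this example: 1 = success, 2 = failure, 3 = both.
REQUIRED_AUDIT = {
    "AuditSystemEvents": 3, "AuditLogonEvents": 3, "AuditAccountLogon": 3,
    "AuditAccountManage": 3, "AuditPolicyChange": 3, "AuditDSAccess": 3,
}
MIN_SECURITY_LOG_KB = 131072  # assumed minimum; MaximumLogSize is in KB

def parse_inf(text):
    """Return {section: {key: value}} with lower-cased section and key names."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):  # blank line or INF comment
            continue
        if line.startswith("[") and line.endswith("]"):
            current = sections.setdefault(line[1:-1].strip().lower(), {})
        elif current is not None and "=" in line:
            key, value = line.split("=", 1)
            current[key.strip().lower()] = value.strip()
    return sections

def audit_findings(text, required=REQUIRED_AUDIT, min_log_kb=MIN_SECURITY_LOG_KB):
    """List every place the template is weaker than the assumed baseline."""
    inf, findings = parse_inf(text), []
    audit = inf.get("event audit", {})
    for name, need in required.items():
        raw = audit.get(name.lower())
        have = int(raw) if raw is not None and raw.isdigit() else 0
        missing = need & ~have  # bits required but not enabled
        if missing:
            what = " and ".join(n for b, n in ((1, "success"), (2, "failure")) if missing & b)
            state = "not defined" if raw is None else f"set to {raw}"
            findings.append(f"{name}: {state}, missing {what} auditing")
    size = inf.get("security log", {}).get("maximumlogsize")
    if size is None or not size.isdigit() or int(size) < min_log_kb:
        findings.append(f"Security Log MaximumLogSize: {size or 'not defined'} (KB), below {min_log_kb}")
    return findings
```

Run against the copy of the template held in the central store, an empty result means the template meets the assumed baseline; a setting that is absent from the template is reported as "not defined" rather than treated as compliant.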



Microsoft Windows Security Resource Kit
ISBN: 0735621748
EAN: 2147483647
Year: 2003
Pages: 189
