A domain controller is exactly what its name says: a controller. It controls authentication, authorization, and accounting, and it typically manages the lifecycle of the security identities that every Windows component in your company relies on.
Because of that role, domain controllers deserve special security consideration. So what should you do? To harden the environment around your domain controllers, pay attention to the following five points.
1. Restrict physical access.
This is the single biggest mitigating factor you can add to your overall domain controller security posture. The core problem is that the domain controller sits above every other security authority on your network, and, as you know, anyone with local physical access to the machine has many trivial ways to get at its data simply by pulling the hard disk. The password hashes stored there give an attacker everything needed to authenticate as a real, legitimate user, and with the domain controller's disk in hand that is easy to do. That is before considering the use of those hashes for actual logons, tampering with logon scripts, and installing malicious software that replicates to the other domain controllers.
If you have a physical (non-virtualized) domain controller, buy a cage and a security lock before you do anything else, and put the machine behind it. Do not let the domain controller run under the help desk's desk, and do not keep it in an unlocked cabinet in your data center. It holds the keys to the company's security kingdom, so protect it the way you protect your checkbook: under lock and key.
2. Design it properly from the start.
A properly designed Active Directory topology contains threats, so that even if a domain controller is compromised your entire forest does not have to be destroyed and rebuilt. Make sure your forests and domains reflect your real physical locations in different cities, regions, and countries; match your organizational units to the machine types and personnel in your company; and let security groups represent the hierarchy of your organizational structure. If a domain controller in the forest serving Europe is compromised, you should not have to recreate the domain controllers serving Asia.
3. Virtualize your domain controllers.
By running your domain controller as a virtual machine, you can use BitLocker or another full-drive encryption product to encrypt the disk on which the virtual hard disk lives. Then make sure the host running these VMs is not joined to the domain. If someone steals the host along with the domain controller on it, an attacker who wants to insert malicious objects into your directory faces one more obstacle: decrypting the physical disk before gaining access to the virtual hard disk.
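The two conditions in point 3 can be checked from the Hyper-V host with the following script, an added example that is not part of the original article. It assumes the Hyper-V and BitLocker PowerShell modules are installed on the host and that domain-controller VMs are identified by a name pattern; the $DcNamePattern parameter is a hypothetical naming convention, not something the article specifies.

```powershell
# Added example: audit a Hyper-V host that runs domain-controller VMs for
# point 3 of the article: the host is not domain-joined, and every volume
# holding a DC's virtual hard disk is fully encrypted with BitLocker.
# Assumes the Hyper-V and BitLocker modules (Windows Server 2012+) and a
# hypothetical VM naming convention passed in $DcNamePattern.
param(
    [string]$DcNamePattern = 'DC*'   # hypothetical naming convention
)

$findings = @()

# Check 1: the host must not be a member of the domain it hosts.
$cs = Get-CimInstance -ClassName Win32_ComputerSystem
if ($cs.PartOfDomain) {
    $findings += "Host $($cs.Name) is joined to domain '$($cs.Domain)'; it should be in a workgroup."
}

# Check 2: every volume holding a DC VHD/VHDX must be fully encrypted
# with protection switched on (key protectors active).
$vms = Get-VM | Where-Object { $_.Name -like $DcNamePattern }
if (-not $vms) { $findings += "No VMs matched '$DcNamePattern'." }

foreach ($vm in $vms) {
    foreach ($disk in Get-VMHardDiskDrive -VMName $vm.Name) {
        $drive = Split-Path -Qualifier $disk.Path    # e.g. 'D:'
        $bl = Get-BitLockerVolume -MountPoint $drive -ErrorAction SilentlyContinue
        if (-not $bl) {
            $findings += "$($vm.Name): cannot read BitLocker state of $drive ($($disk.Path))."
        }
        elseif ($bl.ProtectionStatus -ne 'On' -or $bl.VolumeStatus -ne 'FullyEncrypted') {
            $findings += "$($vm.Name): $drive holding $($disk.Path) is $($bl.VolumeStatus), protection $($bl.ProtectionStatus)."
        }
    }
}

if ($findings) {
    Write-Warning "Domain controller host does not meet point 3:"
    $findings | ForEach-Object { Write-Warning "  $_" }
    exit 1
}
Write-Output "Host is not domain-joined and all DC virtual disks sit on fully encrypted volumes."
```

Run it as an administrator on the host; a non-zero exit code means at least one finding, which makes it easy to schedule as a recurring compliance check.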
4. Follow best practices for trusts.
As security experts like to say, know your scope. TechNet has a good guide to understanding trusts and the various considerations around them. Pay particular attention to the section on selective authentication, which describes a good way to prevent indiscriminate access across a trust.
5. Make the Directory Services Restore Mode password more secure than any other password.
Directory Services Restore Mode is a special mode that lets you repair Active Directory offline when something has gone wrong. The Directory Services Restore Mode password is effectively a back door that grants administrative access to the directory from an offline, text-mode session. Guard that password as something that can unlock the whole forest, because that is exactly what it is. You can also download a hotfix for Windows Server 2008 that synchronizes the Directory Services Restore Mode password with a domain administrator account, or, if you have Service Pack 2 installed, you can use the following command:
ntdsutil "set dsrm password" "sync from domain account <DomainAdminAccount>" q q
In short, if a domain controller is stolen, or your company's assets are otherwise put into an untrusted state, you can no longer trust that machine. Unfortunately, because that domain controller holds everything valuable about your IT identity, passwords included, the best (and most painful) recommendation is to destroy the forest and recreate it. That is the standard, proactive best practice, and it is why restricting physical access is the first point in this article.