Domain Controller Checklist
A domain controller (DC), like any other IT infrastructure, is not immune to attack. This post is a quick collection of best practices and measures that can be applied to safeguard a domain controller by minimizing its attack surface.
Physical or Virtual Hardware Layer
- UEFI and Secure Boot
- No snapshot-based backup or restore (rolling a DC back to a point-in-time snapshot can cause USN rollback; use a supported backup and restore method)
OS Layer
- Supported version of the Windows Server OS
- WinRE recovery environment on a dedicated partition and configured
- Windows Server Core installation
- SMB1 removed
- Do not disable or unbind IPv6, as this is not supported or recommended by Microsoft: https://docs.microsoft.com/en-us/troubleshoot/windows-server/networking/configure-ipv6-in-windows
- Separate drive for the page file, with the page file disabled on the system drive.
- DNS client pointing to other domain controllers or DNS servers first, with the server's own loopback address as the last DNS server.
- Hypervisor integration tools installed and up to date if the DC is a virtual machine.
- No additional software or services enabled. If antivirus is installed, the recommended exclusion list is applied.
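The hardware and OS layer items above can be verified from the DC itself. The following PowerShell audit script is an added example and is not code from the original post; it only reads configuration and prints a PASS/WARN table, so it can be run from an elevated session on a DC without changing anything. It assumes a Windows Server install with the ServerManager, SmbShare and NetAdapter modules available (all ship with Windows Server); the `Add-Check` helper and the `$results` variable are names chosen here.

```powershell
# Added read-only audit of the hardware/OS checklist items (example code, not from
# the original post). Run in an elevated PowerShell session on the DC.
$results = @()
function Add-Check([string]$Name, [bool]$Pass, [string]$Detail) {
    $script:results += [pscustomobject]@{
        Check  = $Name
        Status = $(if ($Pass) { 'PASS' } else { 'WARN' })
        Detail = $Detail
    }
}

# UEFI + Secure Boot: Confirm-SecureBootUEFI throws on legacy BIOS machines
try {
    $sb = Confirm-SecureBootUEFI
    Add-Check 'UEFI / Secure Boot' $sb "SecureBoot=$sb"
} catch {
    Add-Check 'UEFI / Secure Boot' $false 'Not UEFI, or Secure Boot unsupported'
}

# OS version (compare the build against Microsoft's lifecycle table) and Server Core
$os = Get-CimInstance Win32_OperatingSystem
$installType = (Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion').InstallationType
Add-Check 'Server Core' ($installType -eq 'Server Core') "$($os.Caption) build $($os.BuildNumber), InstallationType=$installType"

# WinRE configured: reagentc prints 'Windows RE status: Enabled' when it is
$winre = (reagentc /info 2>&1) -join ' '
Add-Check 'WinRE enabled' ($winre -match 'Windows RE status:\s+Enabled') ($winre -replace '\s+', ' ').Trim()

# SMB1: the FS-SMB1 feature should be removed and the protocol disabled
$smb1Feature = Get-WindowsFeature -Name FS-SMB1
$smb1Proto   = (Get-SmbServerConfiguration).EnableSMB1Protocol
Add-Check 'SMB1 removed' (-not $smb1Feature.Installed -and -not $smb1Proto) `
    "FeatureInstalled=$($smb1Feature.Installed) ProtocolEnabled=$smb1Proto"

# IPv6: still bound on at least one adapter and not disabled via DisabledComponents
$v6Bound = @(Get-NetAdapterBinding -ComponentID ms_tcpip6 | Where-Object Enabled)
$v6Reg   = (Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Services\Tcpip6\Parameters' -ErrorAction SilentlyContinue).DisabledComponents
Add-Check 'IPv6 enabled' ($v6Bound.Count -gt 0 -and -not $v6Reg) "BoundAdapters=$($v6Bound.Count) DisabledComponents=$v6Reg"

# Page file: must exist, and must not live on the system drive
$pageFiles = @(Get-CimInstance Win32_PageFileSetting)
$onSystem  = @($pageFiles | Where-Object { $_.Name -like "$env:SystemDrive*" })
Add-Check 'Page file off system drive' ($pageFiles.Count -gt 0 -and $onSystem.Count -eq 0) "PageFiles=$($pageFiles.Name -join ',')"

# DNS client order: other DCs/DNS servers first, own loopback (or own IP) last
$selfAddrs = @('127.0.0.1') + @((Get-NetIPAddress -AddressFamily IPv4).IPAddress)
foreach ($dns in Get-DnsClientServerAddress -AddressFamily IPv4 | Where-Object ServerAddresses) {
    $list = @($dns.ServerAddresses)
    $ok = ($list.Count -ge 2) -and ($selfAddrs -contains $list[-1]) -and
          (@($list[0..($list.Count - 2)] | Where-Object { $selfAddrs -contains $_ }).Count -eq 0)
    Add-Check "DNS order ($($dns.InterfaceAlias))" $ok ($list -join ',')
}

$results | Format-Table -AutoSize
```

Any non-zero `DisabledComponents` value is flagged so it gets reviewed, even values that only change address preference, because the checklist's position is that IPv6 is left fully enabled.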
Active Directory Layer
- Read-only domain controller (RODC); a writeable DC only where there is a requirement and adequate physical security
- Strict replication enabled
- Forest root PDC emulator configured to a reliable and highly available time source; the remaining DCs follow the domain hierarchy for time
- Tier Model of Administration and use of Privileged Access Workstations (PAW)
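The Active Directory layer items can likewise be read back from a DC. This PowerShell snippet is an added example (not from the original post) that reports the RODC/writeable status, the strict replication consistency setting, whether the time service type matches the DC's role (external NTP on the forest root PDC emulator, domain hierarchy everywhere else), and the Tier 0 group membership for review against the tier model. It assumes the ActiveDirectory module (RSAT-AD-PowerShell) is present and that the script runs on the DC being checked.

```powershell
# Added read-only check of the Active Directory layer items (example code, not
# from the original post). Run on the DC being audited with the AD module installed.
Import-Module ActiveDirectory

$forest = Get-ADForest
$dc     = Get-ADDomainController -Identity $env:COMPUTERNAME

# RODC versus writeable DC
if ($dc.IsReadOnly) {
    "{0} is a read-only DC" -f $dc.HostName
} else {
    "{0} is a WRITEABLE DC: confirm the requirement and physical security" -f $dc.HostName
}

# Strict replication consistency (DWORD 'Strict Replication Consistency' = 1)
$ntds   = Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Services\NTDS\Parameters'
$strict = $ntds.'Strict Replication Consistency'
"Strict Replication Consistency = {0} ({1})" -f $strict, $(if ($strict -eq 1) { 'PASS' } else { 'WARN: expected 1' })

# Time hierarchy: forest root PDC emulator uses NTP, every other DC uses NT5DS
$rootPdc   = (Get-ADDomain -Identity $forest.RootDomain).PDCEmulator
$isRootPdc = ($dc.HostName -eq $rootPdc)
$w32time   = Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Services\W32Time\Parameters'
$expected  = if ($isRootPdc) { 'NTP' } else { 'NT5DS' }
"Time sync Type = {0}, expected {1} for {2} ({3}); NtpServer='{4}'" -f $w32time.Type, $expected,
    $(if ($isRootPdc) { 'forest root PDC emulator' } else { 'non-PDC DC' }),
    $(if ($w32time.Type -eq $expected) { 'PASS' } else { 'WARN' }), $w32time.NtpServer
"Current time source: " + (w32tm /query /source)

# Tier 0 membership: every account here should be a dedicated admin account used from a PAW
foreach ($group in 'Domain Admins', 'Enterprise Admins', 'Schema Admins', 'Administrators') {
    $members = @(Get-ADGroupMember -Identity $group -Recursive | Select-Object -ExpandProperty SamAccountName)
    "{0}: {1} member(s): {2}" -f $group, $members.Count, ($members -join ', ')
}
```

The Tier 0 listing cannot judge whether the tier model is followed, but a long list, or accounts that are also used for everyday tasks, is the usual sign that it is not.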
- Multihoming avoided. If it is required:
  - Other NICs are configured not to register their addresses in DNS
  - Proper binding order (Set-NetIPInterface -InterfaceIndex <DC servicing interface index> -InterfaceMetric 1)
  - DNS server configured to listen only on the DC-servicing network interface
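Applying the three multihomed settings together looks like the following. This is an added PowerShell example, not code from the original post; `$DcInterfaceIndex` and `$DcListenIp` are placeholders to be replaced with the interface index and IPv4 address of the NIC that serves AD and DNS clients (take them from `Get-NetIPInterface -AddressFamily IPv4` and `Get-NetIPAddress`). It runs elevated on the DC and uses only the DnsClient, NetTCPIP and DnsServer modules that ship with Windows Server.

```powershell
# Added example of applying the multihomed DC settings (not from the original post).
# Replace both placeholders before running in an elevated session on the DC.
$DcInterfaceIndex = 12           # placeholder: ifIndex of the DC-servicing NIC
$DcListenIp       = '10.0.0.5'   # placeholder: that NIC's IPv4 address

# Show the current state so the change can be reviewed before it is made
Get-NetIPInterface -AddressFamily IPv4 |
    Sort-Object InterfaceMetric |
    Format-Table ifIndex, InterfaceAlias, InterfaceMetric, ConnectionState -AutoSize

# 1. Only the DC-servicing NIC registers its address in DNS
Get-DnsClient |
    Where-Object { $_.InterfaceIndex -ne $DcInterfaceIndex } |
    Set-DnsClient -RegisterThisConnectionsAddress $false -ErrorAction Continue
Set-DnsClient -InterfaceIndex $DcInterfaceIndex -RegisterThisConnectionsAddress $true

# 2. Binding order: the lowest metric wins, so pin the DC NIC to metric 1
Set-NetIPInterface -InterfaceIndex $DcInterfaceIndex -AddressFamily IPv4 -InterfaceMetric 1

# 3. DNS server listens only on the DC-servicing address
$dnsSettings = Get-DnsServerSetting -All
$dnsSettings.ListeningIPAddress = @($DcListenIp)
Set-DnsServerSetting -InputObject $dnsSettings

# Re-register the host and DC locator (SRV) records, then verify
ipconfig /registerdns | Out-Null
nltest /dsregdns | Out-Null
"DNS server listening on: " + ((Get-DnsServerSetting -All).ListeningIPAddress -join ', ')
Get-DnsClient | Format-Table InterfaceIndex, InterfaceAlias, RegisterThisConnectionsAddress -AutoSize
```

After the change, a forward lookup of the DC's name from a client should return only `$DcListenIp`; a second address still appearing means stale A records that need to be removed from the zone.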