Domain Controller Checklist

Domain Controller (DC), like any IT infrastructure is not immune from attack. This post is a quick collection of best practices and measures that can be considered to safeguard a domain controller by minimizing the attack surface.

Physical or virtual hardware layer.

• UEFI and Secure Boot
• No snapshot backup (restoration to point in time backup to avoid USN rollback)

OS Layer

• Supported version of windows server OS
• WinRE recovery environment in dedicated partition and configured
• Windows server core version
• SMB1 removed
• Do not disable or unbind IPV6 as is not supported/recommended by MS https://docs.microsoft.com/en-us/troubleshoot/windows-server/networking/configure-ipv6-in-windows
• Separate page file drive with page file disabled on system drive.
• DNS pointing to other domain controllers or DNS servers, loopback IP of the server as the last DNS server.
• Hypervisor tools are installed and up to date in case of virtual machine.
• No additional software or service enablement. In case of AV, exclusion list followed.

Active Directory Layer

• Read only domain controller (RODC), writeable DC only if there is requirement and adequate physical security
• Strict replication enabled
• Root PDC configured to reliable and highly availble time service. Rest of the DCs are following domain hierarchy for time
• Tier Model of Administration and use of Privileged Access Workstations (PAW)
• Multihomed avoided. If requried
  • Other NICs are configured not to register them into DNS
  • Proper binding order ( Set-NetIPInterface -InterfaceIndex <DC servicing interface index> -InterfaceMetric 1)
  • DNS server configured to listen only on DC servicing network interface