Home » Active Directory » Domain Controller Checklist

Domain Controller (DC), like any IT infrastructure is not immune from attack. This post is a quick collection of best practices and measures that can be considered to safeguard a domain controller by minimizing the attack surface.

Physical or virtual hardware layer.

  • UEFI and Secure Boot
  • No snapshot backup (restoration to point in time backup to avoid USN rollback)

OS Layer

  • Supported version of windows server OS
  • WinRE recovery environment in dedicated partition and configured
  • Windows server core version
  • SMB1 removed
  • Do not disable or unbind IPV6 as is not supported/recommended by MS https://docs.microsoft.com/en-us/troubleshoot/windows-server/networking/configure-ipv6-in-windows
  • Separate page file drive with page file disabled on system drive.
  • DNS pointing to other domain controllers or DNS servers, loopback IP of the server as the last DNS server.
  • Hypervisor tools are installed and up to date in case of virtual machine.
  • No additional software or service enablement. In case of AV, exclusion list followed.

Active Directory Layer

  • Read only domain controller (RODC), writeable DC only if there is requirement and adequate physical security
  • Strict replication enabled
  • Root PDC configured to reliable and highly availble time service. Rest of the DCs are following domain hierarchy for time
  • Tier Model of Administration and use of Privileged Access Workstations (PAW)
  • Multihomed avoided. If requried
    • Other NICs are configured not to register them into DNS
    • Proper binding order ( Set-NetIPInterface -InterfaceIndex <DC servicing interface index> -InterfaceMetric 1)
    • DNS server configured to listen only on DC servicing network interface

Leave a Reply

Your email address will not be published. Required fields are marked *