Applies to: Windows Server 2019, Windows Server 2016, Windows Server 2012 R2, Windows Server 2012

Law Number Three: If a bad guy has unrestricted physical access to your computer, it's not your computer anymore. - Ten Immutable Laws of Security (Version 2.0)

Domain controllers provide the physical storage for the Active Directory Domain Services (AD DS) database, in addition to providing the services and data that allow enterprises to effectively manage their servers, workstations, users, and applications. If privileged access to a domain controller is obtained by a malicious user, they can modify, corrupt, or destroy the AD DS database and, by extension, all of the systems and accounts that are managed by Active Directory.

Because domain controllers can read from and write to anything in the AD DS database, compromise of a domain controller means that your Active Directory forest can never be considered trustworthy again, unless you can recover using a known good backup and close the gaps that allowed the compromise.

Depending on an attacker's preparation, tooling, and skill, irreparable damage can be completed in minutes to hours, not days or weeks. What matters isn't how long an attacker has privileged access to Active Directory, but how much the attacker has planned for the moment when privileged access is obtained. Compromising a domain controller can provide the most direct path to destruction of member servers, workstations, and Active Directory. Because of this threat, domain controllers should be secured separately and more stringently than the general infrastructure.

This section provides information about physically securing domain controllers. Domain controllers may be physical or virtual machines, in datacenters, branch offices, or remote locations.

Datacenter Domain Controllers

Physical Domain Controllers

In datacenters, physical domain controllers should be installed in dedicated secure racks or cages that are separate from the general server population. When possible, domain controllers should be configured with Trusted Platform Module (TPM) chips and all volumes in the domain controller servers should be protected via BitLocker Drive Encryption.
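The TPM-plus-BitLocker baseline above is easy to state and easy to drift from as domain controllers are rebuilt or volumes are added. The following PowerShell audit is an added example (not code from the Microsoft article): it enumerates every domain controller in the current domain, queries each one for TPM state and BitLocker status on all volumes, and flags any DC that lacks a ready TPM, has a volume that is not fully encrypted with protection on, or has no TPM-based key protector. It assumes it is run from a domain-joined administrative host with the RSAT ActiveDirectory module, that PowerShell remoting to the DCs is allowed, and that the BitLocker and TrustedPlatformModule modules are present on each DC; no host names are hardcoded.

```powershell
# Added audit example (not from the original page).
# Assumptions: ActiveDirectory module available locally, WinRM reachable on every DC,
# BitLocker and TrustedPlatformModule cmdlets present on the DCs.
Import-Module ActiveDirectory

# Discover every DC in the current domain rather than maintaining a static list.
$dcs = (Get-ADDomainController -Filter *).HostName

$report = Invoke-Command -ComputerName $dcs -ScriptBlock {
    $tpm     = Get-Tpm                 # TpmPresent / TpmReady reflect hardware state
    $volumes = Get-BitLockerVolume     # one object per fixed volume on this server

    # A volume counts as unprotected unless it is fully encrypted AND protection is on
    # (a suspended protector leaves the volume readable without authentication).
    $unprotected = $volumes | Where-Object {
        $_.ProtectionStatus -ne 'On' -or $_.VolumeStatus -ne 'FullyEncrypted'
    }

    # Count protectors that are bound to the TPM (Tpm, TpmPin, TpmStartupKey, TpmPinStartupKey).
    $tpmProtectors = @($volumes.KeyProtector |
        Where-Object { $_.KeyProtectorType -like 'Tpm*' }).Count

    [pscustomobject]@{
        Computer           = $env:COMPUTERNAME
        TpmPresent         = $tpm.TpmPresent
        TpmReady           = $tpm.TpmReady
        VolumeCount        = @($volumes).Count
        UnprotectedVolumes = (@($unprotected).MountPoint -join ', ')
        TpmKeyProtectors   = $tpmProtectors
        Compliant          = ($tpm.TpmPresent -and $tpm.TpmReady -and
                              @($unprotected).Count -eq 0 -and $tpmProtectors -gt 0)
    }
}

# Non-compliant DCs sort first so they are visible at the top of the table.
$report | Sort-Object Compliant, Computer |
    Format-Table Computer, TpmPresent, TpmReady, VolumeCount,
                 UnprotectedVolumes, TpmKeyProtectors, Compliant -AutoSize

# Emit a warning per non-compliant DC so the script can run from a scheduled task
# and the warning stream can be collected by monitoring.
$report | Where-Object { -not $_.Compliant } | ForEach-Object {
    Write-Warning ("{0}: TPM/BitLocker baseline not met (unprotected volumes: '{1}', TPM protectors: {2})" -f
        $_.Computer, $_.UnprotectedVolumes, $_.TpmKeyProtectors)
}
```

Two design notes: the check treats a volume with protection suspended (ProtectionStatus Off while VolumeStatus is FullyEncrypted) as a finding, because that is the state a volume is left in after an unfinished firmware or boot-component update; and it requires at least one TPM-bound protector rather than only checking encryption status, since a volume protected solely by a recovery password or a startup key on removable media does not deliver the hardware-rooted boot integrity the TPM recommendation is about.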