

STANDARDS & GUIDELINES
STANDARD—Microsoft Domain Controller (Appendix F)
Responsible Office: Office of Information Technology
Responsible Officer: Chief Information Officer
STANDARD
A standard is a level of quality that requires conformity.
Introduction
The domain controllers in a Microsoft Windows network, as well as backup domain controllers, are central to the security of all devices on that network and must be secured to a high level. The actions necessary to secure domain controllers include the following:
- Realize that the domain controller (DC) is the keeper of the "crown jewels" and that the security of all the machines in the domain depends upon securing the DC well.
- Maintain physical security. The security of the network is dependent on physically securing and carefully maintaining the domain controller and any backup DCs.
- Secure the DC according to the Microsoft and SANS Step-by-step recommendations for a domain controller. See OIT Security Resources for the licensed SANS materials and other resources.
- Use only a single-purpose machine.
  - The domain controller function is incompatible with other functions, such as web server, mail server, FTP server, or mail client, that increase the risk of compromise to an unacceptable level.
- Severely restrict access to the DC from the Internet and the unneeded parts of the University network.
  - Limit the DC to communicating with specific devices (or an IP range if not practical to individually list the devices) on the University network.
  - Deny access to unknown machines on the Internet and U network using either filtering, firewall, or non-routed network addressing.
  - See www.umn.edu/oit/security/MSFiltering Quickstart.html for further information, including examples and a presentation describing MS filtering.
- Request a quarterly vulnerability scan from OIT Security and Assurance.
  - The ISS network-based tool will be used to find certain vulnerabilities.
  - Additional scans are available as necessary.
Resources and Links: