STANDARD: Microsoft Domain Controller (Appendix F)


Responsible Office: Office of Information Technology
Responsible Officer: Chief Information Officer

EFFECTIVE DATE: October 2004
RELATED POLICY/PROCEDURE: Acceptable Use of Information Technology Resources

STANDARD
A standard is a level of quality that requires conformity.


Introduction

The domain controllers in a Microsoft Windows network as well as backup domain controllers are central to the security of all devices on that network and must be secured to a high level. The actions necessary to secure domain controllers include the following:

  • Realize that the domain controller (DC) is the keeper of the "crown jewels" and that the security of all the machines in the domain depends upon securing the DC well.
  • Maintain physical security. The security of the network depends on physically securing and carefully maintaining the domain controller and any backup DCs.
  • Secure the DC according to the Microsoft recommendations for a domain controller.
  • Use only a single-purpose machine.
    • The domain controller function is incompatible with other functions such as web server, mail server, ftp server, or mail client that increase the risk of compromise to an unacceptable level.
  • Severely restrict access to the DC from the Internet and from the parts of the University network that do not need it.
    • Limit the DC to communicating with specific devices (or an IP range, if it is not practical to list the devices individually) on the University network.
    • Deny access to unknown machines on the Internet and on the University network using filtering, a firewall, or non-routed network addressing.
    • See www.umn.edu/oit/security/MSFiltering Quickstart.html for further information, including examples and a presentation describing MS filtering.
  • Run a network-based vulnerability scan (Qualys) and take corrective action on the vulnerabilities detected.
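One way to implement the access restriction in the bullets above, as an added example that is not part of the OIT standard: it uses the Windows Firewall NetSecurity cmdlets (Windows Server 2012 or later, rather than the MS filtering the standard links to), and every address, range and rule name in it is a placeholder to be replaced with the devices you actually enumerate.

```powershell
# Added example, not from the OIT standard: allowlist inbound access to a
# domain controller with the built-in Windows Firewall (NetSecurity module).
# All addresses below are placeholders; substitute the specific devices or
# ranges the standard asks you to list.
$ManagementHosts = @('10.0.10.11', '10.0.10.12')   # placeholder admin workstations
$ClientRange     = '10.0.0.0/16'                   # placeholder University client range
$PeerDCs         = @('10.0.1.5')                   # placeholder backup/peer DC(s)

# Weak posture the standard warns against: a service open to any address.
# Shown only for contrast; do not apply it.
# New-NetFirewallRule -DisplayName 'LDAP (any)' -Direction Inbound -Protocol TCP `
#     -LocalPort 389 -RemoteAddress Any -Action Allow

# 1. Default-deny inbound on every profile so unknown machines are dropped.
Set-NetFirewallProfile -Profile Domain,Private,Public -Enabled True -DefaultInboundAction Block

# 2. Allow the services domain members need, but only from the enumerated ranges.
#    The list is illustrative; a real DC also needs the RPC dynamic range,
#    NTP, and any replication ports your environment uses.
$DcServices = @(
    @{ Name = 'Kerberos';    Protocol = 'TCP'; Port = 88 },
    @{ Name = 'Kerberos';    Protocol = 'UDP'; Port = 88 },
    @{ Name = 'LDAP';        Protocol = 'TCP'; Port = 389 },
    @{ Name = 'LDAP';        Protocol = 'UDP'; Port = 389 },
    @{ Name = 'LDAPS';       Protocol = 'TCP'; Port = 636 },
    @{ Name = 'SMB';         Protocol = 'TCP'; Port = 445 },
    @{ Name = 'DNS';         Protocol = 'TCP'; Port = 53 },
    @{ Name = 'DNS';         Protocol = 'UDP'; Port = 53 },
    @{ Name = 'RPC mapper';  Protocol = 'TCP'; Port = 135 },
    @{ Name = 'RPC dynamic'; Protocol = 'TCP'; Port = '49152-65535' }
)
$TrustedSources = @($ClientRange) + $PeerDCs        # array + array, not string + array
foreach ($svc in $DcServices) {
    New-NetFirewallRule -DisplayName "DC $($svc.Name) $($svc.Protocol)/$($svc.Port) (trusted sources)" `
        -Direction Inbound -Protocol $svc.Protocol -LocalPort $svc.Port `
        -RemoteAddress $TrustedSources -Action Allow -Profile Domain
}

# 3. Remote administration (RDP) only from the management hosts.
New-NetFirewallRule -DisplayName 'DC RDP (management only)' -Direction Inbound `
    -Protocol TCP -LocalPort 3389 -RemoteAddress $ManagementHosts -Action Allow -Profile Domain

# 4. Verify: report any enabled inbound allow rule whose remote address is still unrestricted.
Get-NetFirewallRule -Direction Inbound -Action Allow -Enabled True |
    Where-Object { (Get-NetFirewallAddressFilter -AssociatedNetFirewallRule $_).RemoteAddress -contains 'Any' } |
    Select-Object DisplayName, Profile
```

Step 4 is the check worth repeating after any later rule change, since a single "Any" rule on a DC service undoes the allowlist.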

Resources and Links: