[German]Enterprise environments often deploy Windows servers that act as domain controllers (DCs). Domain controllers are still a central part of the infrastructure for many companies (despite the trend toward the Azure cloud, according to Microsoft). And the identities stored in Active Directory are often the target of attackers. How can you best secure domain controllers in terms of updates? Microsoft has published some thoughts on that.
Advertising
I came across the topic via the following tweet. Michael Niehaus points to Microsoft's Techcommunity post Updating best practices for Domain Controllers, which addresses the topic of securing DCs.
Microsoft writes that protecting domain controllers (DCs) from attacks has always been a priority for administrators. Then they point out some examples of how companies can protect their DCs:
- Restrict the use of domain admin privileges
- Use jumpboxes for RDP or MMC access
- Don't install third-party applications on DCs
- Restrict Internet access to DCs
For those responsible for security, the challenge is to revisit "best practices" on a cyclical basis, and see where improvements can be made. In this context, Microsoft has updated its best practices recommendations for protecting domain controllers from attack.
- For example, Microsoft no longer recommends that DCs should not have Internet access under any circumstances.
- Instead, it is making recommendations that are consistent with the changing security landscape.
While Microsoft still advocates not allowing DCs unfiltered Internet access, and using the Internet via a browser from these servers should still be prohibited. Rather than completely isolating the DCs from Internet access and assuming they will never be attacked, Microsoft recommends a defense-in-depth approach with modern threat protection, always watching for attacks. For example, in the Technet article, Microsoft says Defender for Identity detects identity-based threats and compromised users in on-premises environments and helps customers reduce the attack surface to prevent compromise and lateral movement of attackers on the network.
Advertising
