Domain Controllers (DC) controls the server's authentication approvals and user verification. The DC controls the access to the Active Directory, therefore having a vulnerable DC means being exposed to some of the most devastating attacks organizations can suffer from.
There are many tactics and mechanisms out these to secure DCs since it Is such a critical link in the network. But most organizations miss the fact that by configuring DCs for enhanced security, you will be able to prevent most of the attacks.
This article will detail Domain Controller’s special configuration settings for user rights to address its unique security needs and threats.
Set ‘Access this computer from the network’ is to ‘Administrators, Authenticated Users, ENTERPRISE DOMAIN CONTROLLERS’:
The default configuration of this setting includes 'Everyone', which means that unauthenticated users can read files such as shared printers and folders files.
Set ‘Add workstations to domain’ to ‘Administrators’:
The default value of this setting is to allow all authenticated users to add workstations to the domain. If this will be the case in a DC, a non-admin account that has been compromised can be used to add a malicious computer allow the attacker to intrude the network.
Set ‘Allow log on through Remote Desktop Services’ to ‘Administrators’:
This is the default value of this setting, so make sure it is not changed if possible. In case you need to have a group of users with remote desktop access to the DC (for example, help disk users), you can allow the Remote Desktop Users group to have access. Make sure only relevant users are in this group.
Make sure that only Administrators can ‘Create symbolic links’:
This setting is configured to Administrators b default. Make sure it remains like that or you'll be exposed to Symbolic links attacks.
Create Symbolic Link in Windows is set to 'Administrators' (DC only) – The Policy Expert:
Ensure ‘Deny access to this computer from the network’ to include ‘Guests’:
This is the default value of this setting. Make sure that keeping this default configuration may be a good practice in terms of security, but can limit users with specific administrative tasks to perform them. The impact of each policy rule should be examined before it is implemented.
Deny Access to This Computer From the Network – Best Practices for DC and Member Server
Ensure ‘Deny log on through Remote Desktop Services’ to include ‘Guests’:
This setting is configured by default to include no one. Once the baseline Member Server is joined to the domain, there is no reason for local accounts to have remote access to the DC.
Ensure ‘Enable computer and user accounts to be trusted for delegation’ is set to ‘Administrators’:
This setting is configured by default to allow only administrators to be trusted for delegation. Changing this configuration can end up in attackers gaining access to the network in a way that will be very hard to track and detect.
Ensure ‘Impersonate a client after authentication’ is set to ‘Administrators, LOCAL SERVICE, NETWORK SERVICE, SERVICE’:
By default, only Administrators, Local Services, Network Services, and Service are allowed to impersonate a client after authentication, so you need to make sure this has not been changed. This configuration is critical security-wise. If an attacker compromises a user with the right to impersonate after authentication, he can trick a client and make him connect to the service, and then impersonate this client and elevate his privileges to the client's level. The good thing is that there is no expected impact on production by setting this value, but you should check for 100% certainty.
Set ‘Log on as a batch job’ to ‘Administrators’:
The default configuration of this setting is to allow both Administrators and Backups Operators to log on as a batch job. Although it presents only a low-risk vulnerability, it should be restricted in high-security environments such as DCs.
Ensure ‘Manage auditing and security log’ is set to ‘Administrators’:
This is the default configuration of this setting. In case you have Exchange running in the environment, you should also allow 'Exchange Servers' to manage auditing and security logs.
Giving the ability to manage auditing and security logs can allow attackers to erase evidence of their malicious activity, which is critical to the organization for stopping and recovering from attacks.
Ensure ‘Synchronize directory service data’ is set to ‘No One’:
Although 'No One' is the default configuration of this setting, in Domain Controller the ability to synchronize directory service data is part of the core functions. DCs can perform Active Directory synchronization inherently. This setting is especially critical since if an attacker gains this user right, he can read all the information in the directory.
Automate DC Hardening:
The previous configuration recommendations are unique to Domain Controllers and differ from Member Servers. Embracing these User Rights recommendations will help you to enhance the security posture of your DCs. But you should note that implementing these settings without generating an impact analysis can have devastating results and even end up in downtime if your DCs. Therefore, you should check what will be the impact of each value (even if it is configured like your policy by default).
You can generate an impact analysis report or manually checking each value in a lab environment, by automating the entire process. Hardening automation tools will automatically generate an impact analysis by learning your production. They will push your desired policy onto your production from a single point of control. Finally, they will monitor your compliance posture, alert, and remediate every configuration drift.
