January 17th, 2004, 05:49 AM
Simplified Domain Controller Hardening, Part 1
This is my first tutorial, so I hope that you all find it both helpful and entertaining. I also hope that no one minds another tutorial on this subject. My goal is to present a simple and practical guide to hardening Windows 2000 Domain Controllers. This is not meant to be an in-depth tutorial on the subject, but rather a "Getting Started". For a more in-depth tutorial, Check out the excellent tutorial "Hardening Win2k" by nebulus200, which can be found here .
Before we get into the subject any further, if you do not have the latest Service Pack and patches for Windows 2000 and other software running on your Domain Controllers, STOP! Use this time to get the patches and install them now. Without them, the rest of our security countermeasures don't mean squat!
Now that I've got that out in the open, let us continue....
Windows 2000 Domain Controllers also host more services than their Windows NT counterparts. Active Directory, DNS, and DHCP are all installed by default on 2000 Domain Controllers. Domain Controllers are both the Crown Jewel and Achellies Heel of your Windows 2000 Domain. The provide a centralized management point for all security information and administrative tasks, but when a Domain Controller is compromised, nothing on your Domain can be assumed to be secure. Therefore, it is absolutely critical that they be as secure as possible.
A minimalist approach is desired when dealing with Domain Controllers. They should be selectively installed only when there exsists a need for their specialized security, but always have a minimum of two Domain Controllers per Domain for redundancy purposes. Services such as application, file, and printer sharing should not be provided by domain controllers. These are best handled by member servers, as their compromise, while damaging, doesn't have as great an impact on the security of the Domain. Now, let's discuss how to secure a domain controller.
Most hackers will start off an attack by first footprinting the system. Most good ones will do this in ways that are not likely to raise eyebrows, and preferably by not even touching the target systems by using whois queries, DNS zone transfers, and the like. This makes your DCs vulnerable because they host DNS.
One easy way to thwart much of this is by submitting decoy information to your domain registrar, and by disabling zone transfers. Windows 2000 enables zone transfers by default. Under "Administrative Tools" - "DNS", select the forward lookup zone for your domain and bring up the properties window. From there, click on the "Zone Transfers" tab and uncheck the "Allow zone transfers" checkbox. If you use backup DNS servers, disabling zone transfers in their entirety is not a good idea, as the backup DNS servers will need to update. For this situation, leave zone transfers on and select the "Only to the following servers" radio button. Enter the IP address of your backup DNS server(s) in the box, then click apply.
Next, a hacker is sure to begin penetration testing of your system to see where you may be vulnerable. This most likely begins with a portscan of your perimeter to see what services are allowed to get through to the network. By default, Windows 2000 Domain Controllers listen on a myrad of ports, including FTP, SMTP, DNS, WWW, Kerberos, various NetBIOS ports, LDAP, IPSec, and SMB, just to name a few. If you are not using a service, disable it. For Services that you do use, configure IPSec filters for those ports on the server itself. And of course, block all services at the firewall that can be blocked without limiting your internet functionality.
Part 2 will explore the issue of service and port hardening in more depth.
For a complete list of Windows 2000 services with their port numbers, consult the Windows 2000 Resource Kit on Microsoft's website.
That's all for Part 1. I'm going to try to keep each part fairly short so it's not such an intimidating read for all the noobs. Thanks for reading it and I'd appreciate your input.