ActiveDirSec.Org

The world's most trusted forum on Active Directory Security


TOPIC: Should Domain Controllers be placed in Separate Server rooms?


Member

Posts: 10
Date: Jun 11, 2010
Should Domain Controllers be placed in Separate Server rooms?


Hi Y'all,

 

I am interested in learning about your thoughts on protecting domain controllers (DCs), in particular in determining whether they should be placed in separate server rooms.

 

Currently all our DCs reside in the data center along with other web, database and application servers and the entire datacenter is managed by a team of IT server operators (about 30 or so) all of whom have equal access to all servers including all DCs. Not all of them are Domain Admins though, but I believe they are all part of the Server Operators Builtin group in our domain.

 

As we evaluate the security of our environment, the question of whether to move all DCs into a separate room, and under the administration of only a handful of Domain Admins came up, and thus my question.

 

Are we taking on any additional risk by letting them be in the data center, or should we be moving them to a specially designated room?

 

Thanks,

Andy



__________________

Music is the soul of life! & IT Management Best-Practices 



Newbie

Posts: 1
Date: Dec 16, 2010
Should Domain Controllers be placed in Separate Server rooms?


My question is: why would you give server operators Domain Admin privileges?

This is a common misconception in an AD environment. AD is designed to allow a granular level of access without giving the keys to the kingdom which is what you are doing when adding anyone outside of the AD function role in the Built-In groups. Server operators should be restricted from access to a domain controller.

The most I would give would be delegated access to the security logs or possibly the ability to restart different services. Applications, file and print services should, whenever possible, be installed/shared on member servers. If you do go the route of allowing administrators other than true AD administrators access to your domain controllers, you should think about applying policies that allow the admins RDP access but limit them to EXACTLY what they need to be on the DC for.

Regardless of where your server is physically located, if they are in the Domain Admins group, they will be able to RDP to the server unless you firewall that segment off, which then introduces another layer of complexity...



__________________
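The reply above turns on who is actually in Server Operators and the other built-in operator groups. The following PowerShell script is an added example, not code from the thread or from any poster: it lists the expanded (nested) user membership of those groups and flags accounts that sit in more than one, so the list can be reviewed against who genuinely needs DC logon rights. It assumes the RSAT ActiveDirectory module is installed and the caller can read group membership; the choice of groups is the example's own.

```powershell
# Added example (not from the forum thread): audit built-in privileged groups.
# Assumes the RSAT ActiveDirectory module; the group list below is a choice
# made for this example, not something the thread prescribes.
Import-Module ActiveDirectory

$privilegedGroups = @(
    'Domain Admins',
    'Enterprise Admins',   # exists only in the forest root domain
    'Administrators',
    'Server Operators',
    'Account Operators',
    'Backup Operators',
    'Print Operators'
)

$report = foreach ($groupName in $privilegedGroups) {
    try {
        # -Recursive expands nested groups, so indirect membership is not missed.
        $members = Get-ADGroupMember -Identity $groupName -Recursive -ErrorAction Stop
    }
    catch {
        # Group may not exist in this domain (e.g. Enterprise Admins in a child domain).
        Write-Warning "Could not read '$groupName': $($_.Exception.Message)"
        continue
    }
    foreach ($m in $members) {
        if ($m.objectClass -ne 'user') { continue }
        $user = Get-ADUser -Identity $m.distinguishedName -Properties Enabled, LastLogonDate
        [pscustomobject]@{
            Group          = $groupName
            SamAccountName = $user.SamAccountName
            Enabled        = $user.Enabled
            LastLogonDate  = $user.LastLogonDate
        }
    }
}

# Full membership table, one row per (group, user) pair.
$report | Sort-Object SamAccountName, Group | Format-Table -AutoSize

# Accounts appearing in more than one privileged group are the first ones
# to review: operators who are also Domain Admins get no benefit from a
# separate server room, as the reply above points out.
$report | Group-Object SamAccountName |
    Where-Object { $_.Count -gt 1 } |
    ForEach-Object { "$($_.Name) is in: $($_.Group.Group -join ', ')" }
```

Disabled accounts and accounts with no recent LastLogonDate that still hold membership are worth removing as well, since they widen the set of credentials that grant a logon to a DC.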


Newbie

Posts: 3
Date: Dec 16, 2010
Should Domain Controllers be placed in Separate Server rooms?


Hello,

I concur w/ Amerenan. Physical security/access is certainly one aspect of overall AD/DC security, but so is RDP access, group memberships (such as Server Oper) and the like.

Ask yourself if you know/trust the members of those groups. Ask yourself if you are willing to 'vouch' for any issues the members of those groups might cause. Limit your own exposure and you'll sleep better at night.

A few other aspects to be mindful of and have 'an answer' to are the physical security of backups and the network security of any VM files which host virtual domain controllers.

If you have access to a VMDK file that "is" a DC, you could consider that 'physical' access even though you may not ever step foot into the 'secured' datacenter.

Cheers! Hilde



__________________


Newbie

Posts: 2
Date: Dec 17, 2010
RE: Should Domain Controllers be placed in Separate Server rooms?


Well, if you had a separate room for DCs I would go this way, because obviously it increases security (you can't steal a DC with your AD replica). But this could be too expensive to maintain.

__________________