Should Domain Controllers be placed in Separate Server rooms?
Hi Y'all,
I am interested in learning about your thoughts on protecting domain controllers (DCs), in particular in determining whether they should be placed in separate server rooms.
Currently all our DCs reside in the data center along with other web, database and application servers and the entire datacenter is managed by a team of IT server operators (about 30 or so) all of whom have equal access to all servers including all DCs. Not all of them are Domain Admins though, but I believe they are all part of the Server Operators Builtin group in our domain.
As we evaluate the security of our environment, the question of whether to move all DCs into a separate room, and under the administration of only a handful of Domain Admins came up, and thus my question.
Are we taking on any additional risk by letting them be in the data center, or should we be moving them to a specially designated room?
My question is why would you give server operators Domain admin privileges?
This is a common misconception in an AD environment. AD is designed to allow a granular level of access without giving the keys to the kingdom which is what you are doing when adding anyone outside of the AD function role in the Built-In groups. Server operators should be restricted from access to a domain controller.
The most I would give would be delegated access to the security logs or possibly the ability to restart different services. Applications, file and print services should, whenever possible, be installed/shared on member servers. If you do go the route of allowing administrators other than true AD administrators access to your domain controllers, you should think about applying policies that allow the admins RDP access but limit them to EXACTLY what they need to be on the DC for.
Regardless of where your server is physically located, if they are in the Domain Admins group, they will be able to RDP to the server unless you firewall that segment off, which then introduces another layer of complexity...
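As an added example (not posted by anyone in this thread), here is a PowerShell audit of the built-in groups that grant logon or operator rights on domain controllers, which is the check a team in the original poster's situation would run before deciding anything about room placement. It assumes the ActiveDirectory RSAT module is installed and that the account running it can read group membership in the domain; the output file name is arbitrary.

```powershell
# Added example, not from the original thread: enumerate the built-in groups
# whose members can log on to or operate a domain controller, expanding nested
# groups, and single out Server Operators who are not Domain Admins.
# Assumes the ActiveDirectory module (RSAT) and read access to the domain.
Import-Module ActiveDirectory

# Domain-local built-in groups that exist only on DCs (Server Operators,
# Backup Operators, Account Operators, Print Operators) grant rights on the
# DC itself, so membership in them is effectively DC operator access even
# without Domain Admins.
$privilegedGroups = @(
    'Domain Admins',
    'Enterprise Admins',
    'Administrators',
    'Server Operators',
    'Backup Operators',
    'Account Operators',
    'Print Operators'
)

$report = foreach ($group in $privilegedGroups) {
    try {
        # -Recursive expands nested groups so indirect members show up too.
        $members = Get-ADGroupMember -Identity $group -Recursive -ErrorAction Stop
    } catch {
        Write-Warning "Could not enumerate '$group': $($_.Exception.Message)"
        continue
    }
    foreach ($m in $members) {
        [pscustomobject]@{
            Group             = $group
            Member            = $m.SamAccountName
            ObjectClass       = $m.objectClass
            DistinguishedName = $m.DistinguishedName
        }
    }
}

# The accounts the question describes: operators with DC rights via
# Server Operators who are not actually Domain Admins. These are the
# candidates to move to delegated rights on member servers instead.
$domainAdmins   = $report | Where-Object Group -eq 'Domain Admins' |
                  Select-Object -ExpandProperty Member
$serverOps      = $report | Where-Object Group -eq 'Server Operators'
$nonDaServerOps = $serverOps | Where-Object { $domainAdmins -notcontains $_.Member }

$report | Sort-Object Group, Member | Format-Table -AutoSize
"`nServer Operators who are not Domain Admins: $($nonDaServerOps.Count)"
$nonDaServerOps | Select-Object Member, ObjectClass | Format-Table -AutoSize

# Keep a dated copy so membership drift can be compared over time.
# Path is an assumption; change it to suit.
$stamp = Get-Date -Format 'yyyyMMdd'
$report | Export-Csv -Path ".\dc-privileged-groups-$stamp.csv" -NoTypeInformation
```

Run it from a management workstation, not on a DC. A common hardening baseline is for Server Operators, Backup Operators, Account Operators and Print Operators to be empty, with day-to-day operational work delegated on member servers; rerunning this script after the cleanup gives you the evidence that the change stuck.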
I concur w/ Amerenan. Physical security/access is certainly one aspect of overall AD/DC security, but so is RDP access, group memberships (such as Server Oper) and the like.
Ask yourself if you know/trust the members of those groups. Ask yourself if you are willing to 'vouch' for any issues the members of those groups might cause. Limit your own exposure and you'll sleep better at night.
A few other aspects to be mindful of and have 'an answer' to are physical security of backups and network security of any VM files which host virtual domain controllers.
If you have access to a VMDK file that "is" a DC, you could consider that 'physical' access even though you may not ever step foot into the 'secured' datacenter.
Well, if you had a separate room for DCs I would go this way, because obviously it increases security (you can't steal a DC with your AD replica). But this could be too expensive to maintain.