ActiveDirSec.Org

The world's most trusted forum on Active Directory Security


Post Info TOPIC: What are the implications of having physical access to a Domain Controller?


Member

Posts: 16
Date: May 24, 2012
What are the implications of having physical access to a Domain Controller?
Permalink  
 


Hey there,

I have a simple question that we've been grappling with - What are the implications of having physical access to a Domain Controller?

What's prompting the question is that we're in the midst of colocating some of our servers to an offsite data-center, which will house most of our file,  DB and app servers, and there've been some suggestions that we might as well house our DCs there as well. 

Note that they won't be any additional physical security controls for them, so all our Server Operators will have access to these DCs as well.

We've been able to maintain a small number of Enterprise Admins and Domain Admins, and maintin seperation of duties, so we think we might be OK, but nonetheless, I thought of asking the question, as the thought seems a little unsettling.

What do you guys think? What are the implications of having physical access to a Domain Controller?

Thanks guys.

Chad.



__________________


Member

Posts: 12
Date: Jun 27, 2012
RE: What are the implications of having physical access to a Domain Controller?
Permalink  
 


Chad,

If you have unrestricted physical access to a Domain Controller, or any Windows machine for that matter, I believe there are ways in which you could own the machine within about 10-15 minutes. 

If you have restricted physical access, you can still do a lot, such as attach a network sniffer, a keystroke logger or the like, or tamper hardware.

In general, you should ensure that only highly trusted IT personnel have physical access to domain controllers.

Cheers,

Nicolas.



__________________
Bond: There’s a name to die for! (Die Another Day)
Page 1 of 1  sorted by
Quick Reply

Please log in to post quick replies.

Post to Digg Post to Del.icio.us
Members Login
Username 
 
Password 
    Remember Me