Fantastic Article regarding Domain Controller Security

I’ve been recently doing a bit of reading regarding corporate domain security and I came across this short but detailed Microsoft Article that references some best practices.

https://docs.microsoft.com/en-us/windows-server/identity/ad-ds/plan/security-best-practices/securing-domain-controllers-against-attack

One interesting thing that I came across and it might already be common knowledge is the recommendation to enable BitLocker on Domain Controllers.

I figure if anybody is looking at working on their homelab and building skills, you might as well start off with good/best practices which would follow you from the homelab to the corporate world.

The article also has links that open up further security documents such as Administering security policy settings, Avenues to Compromise and configuration of firewall for AD Domains and Trusts.

As I continue to review and read more into these, I wanted to share this link in case anybody else has an interest in this topic.

The trouble with hacks

/rant

I want to rant. I’ve been working as an IT/Sysadmin for about 2 years now and there are two things that I am haunted by.

  1. DNS
  2. Group Policies

Now, I am always learning and I am by no means an expert at windows systems administration. I took on more and more responsibilities that removed me from the ‘IT Support’ role and let me grow into Systems Administration and I continue to learn daily.

Now, not get into specifics, but taking over a AD infrastructure that was neglected by hacks is terrifying. I refer to hacks, as in people that neglect the network, that don’t have a proper vision for documentation and structure and that don’t understand how AD and GPOs work.

Within the IT SysAdmin community “It’s always DNS” is a common phrase and a joke at times. Well god dam, I can’t believe how accurate it is or how powerful DNS is in a network.

You know what irks me? People that use crafty stupid hostnames for critical servers or any server at that. Stupid names such as “Sugar Baby” “Super Man” “Bat Man”, etc… you get the gist.

When you take over a network and have critical servers with stupid naming conventions like that, it can get very easy to shut down the wrong server or make changes because all of the names are so irrelevant. Especially when nothing is documented and you are left to your own to research and investigate carefully.

Not that I’ve had that happen, but I have had a mishap with a DNS record that was named something ridiculous. The server wasn’t even around anymore but a critical server was using that DNS record for a link to an IP in it’s hostfile. Something I never thought to check nor look into.

The other thing that annoys me is the ignorance of not knowing how to properly setup GPO’s and push them out to AD. You do NOT need to enforce everything. Stop doing that. After spending time looking around and cleaning up GPO’s, you wonder what would drive a person to just enforce everything.

Sure, if it’s a critical policy that you want in every OU regardless if it has Inheritance blocking or not but don’t enforce everything just because you are trying to push the policy out faster or believe that it will guarantee that the policy will get to the clients.

I cannot believe that a novice admin is correcting domain wide issue that a senior IT director of many years had made.

I can spend the rest of my afternoon ranting about stuff that I’ve come across but that’s not the point of this post. I wanted to get DNS and GPO’s off my chest only.

I suppose you will find this in any job/career. People that want to take initiative, drive, pride in their work and do the best with what they can. Others will just let things fall into disarray and not bother.

/rant