Best Practice: Don't Allow Users or Staff to Remote into Domain Controllers
Call Service
A common environment for a very small business is to have one server that acts as a domain controller. This server commonly has these roles:
-Maintains the database of usernames and passwords that allow people to log into their computers
-Hosts Files
-Hosts Printers
-Hosts QuickBooks
Medium sized networks will deploy a backup domain controller in case the primary goes down, because otherwise nobody will be able to log in and there is a backup of these databases. If your business doesn’t have a secondary domain controller, operations would be severely impacted if your server had a problem.
IT ‘best practices’ are to limit the amount of access to critical devices. Each additional person remoting into the server is another way for an attacker to get in. Also, each piece of software running on the server is a potential liability – this just happened with the log4j issue where a huge security flaw was discovered in a common piece of software.
Here are two reasons not to run extra software on domain controllers, or allow users to remote into a domain controller as a domain administrator:
Reason #1:
If a computer dies or gets infected, you can remove that computer from the network and fix it without impacting everyone else. If a domain controller dies or gets infected, all your computers, printers, and files are inaccessible until it is fixed. It also can take 10 times as longer to fix a domain controller than a computer, because you must rebuild the database of usernames and passwords, reset all the passwords, set up the printers again, restore the files from a backup, reconfigure QuickBooks, etc.
Reason #2:
Someone with remote access to a domain controller (a “domain admin”) has access to the files on every other computer. You can test this by entering this into file explorer on the server: \\computername\c$ You can ransomware, sneakily infect, or destroy any other computer from this server.
If your organization uses remote desktop to access a domain controller for something like QuickBooks, you can strengthen your security greatly by moving QuickBooks to another computer.
Other people agreeing that restricting access to a DC is a good idea:
https://docs.microsoft.com/en-us/windows-server/identity/ad-ds/plan/security-best-practices/securing-domain-controllers-against-attack
https://petri.com/what-is-a-domain-controller/
https://blog.netwrix.com/2017/01/30/best-practices-deploy-and-setup-domain-controller/
Get Experienced IT Services for Your Business
We believe in the power of proactive IT management. That’s why we provide comprehensive monitoring, security, and support to keep your business running smoothly and securely.
Thank you! Your submission has been received!
Oops! Something went wrong while submitting the form.
latest blogs
Explore NRVPC Articles: Elevate Your Mindset.
Help Desk
August 26, 2024
What is an IT Support Company in 2023?
Discover the key differences between Managed Service Providers (MSPs) and IT Support Contractors in the ever-growing IT support industry. Learn which model best suits your business needs for network security, proactive maintenance, and user experience in 2023.
August 26, 2024
When to choose an IT Contractor over a Managed Service Provider (MSP)
Explore the differences between Managed Service Providers (MSPs) and IT Contractors in this analysis. Learn when the MSP model works best for businesses, and why complex systems with unique needs may require IT contractors or in-house support instead. Find the right fit for your business technology management.
