I came across an excellent book titled, Assessing Network Security. It’s written by three Microsoft security researchers who understand Domain Controllers (DCs) inside out. I found it quite insightful and I strongly recommend it if you are in charge of IT Security. They describe DC security with a single sentence – “Defending the keys to the kingdom”, and I couldn’t agree with them more. DCs are the nerve center of IT. They authenticate and authorize all users and computers in a Windows domain network—assigning and enforcing security policies for all computers and installing or updating software. Considering the kind of critical role it plays, it is often a target of Advanced Persistent Threats (APTs).
McAfee Labs have been doing their own DC threat research and their results are consistent with our friends in Redmond. At a high-level we can break down the threats into three categories:
1. Server Side vulnerabilities
These are traditional sever side code execution vulnerabilities like those in netbios/rpc. Conficker was one such threat that had a major impact on the French Navy and the UK Ministry of Defense. It exploited the netbios service on windows servers, to drop its payload. The addition of 3rd party apps brings about their share of vulnerabilities and introduces further risk as well.
This includes a laundry-list of threats like viruses, trojans, rootkits, drive by downloads, etc. The can be further divided into two categories
- Known-malware – Security community is aware of these and an AV will be expected to stop these
- Unknown-malware – Latest & greatest polymorphic malware or targeted malware which can evade standard security solutions
3. Network threats
These threats are numerous as well, and include
- Brute force – weak password discovery over SMB or RDP
- Denial of Service (DoS)/Distributed DoS – Disruption of normal services via open ports
- DNS Spoofing/Cache Poisoning – Data is introduced into a DNS server’s cache database, rerouting a request for a web page, causing the name server to return an incorrect IP address, diverting traffic to another computer (often the attacker’s).
- Man in the Middle – By spoofing DNS records, attacker can do man in the middle attack and see all traffic from victims
- Information gathering – Scan the computer to gather target information like open ports, netbios info, public sharing, etc.
- ARP Spoofing – Spoof the ARP address, so that the attacker can redirect traffic to malicious server in the same LAN
That’s quite an intimidating list of threat vectors, and it’s easy for a DC admin to get overwhelmed. There is no single security product/technology, which will provide such a broad protection. What is needed is a multi-layered security strategy, and McAfee provides that through a broad product portfolio of security solutions. McAfee’s Server Security Suite contains application whitelisting, antivirus and memory protection. This solution addresses threat vectors #1 & #2. McAfee recommends to deploy Network Security Platform (NSP) or Next-Gen Firewall (NGFW) at the datacenter perimeter to address #3. This dual security layer strategy is vital for comprehensive Domain Controller protection. Going back to the original analogy, the keys to the kingdom need to be safely locked in a box, AND the castle needs a deep moat at its perimeter.