Best practices for securing domain controllers at the branch office

Companies that implement domain controllers at branch offices face a number of challenges, security-related and otherwise. Follow these best practices to keep branch-office domain controllers secure and effective.

Solution provider takeaway: For Windows customers with branch offices, solution providers can secure domain controllers by following our best practices.

Today's organizations are likely to consist of many branch offices. A typical branch office is a small office in a remote location hosting fewer than 50 employees, connected to the headquarters site by means of a wide area network (WAN) link in a distributed fashion. Due to the high costs associated with purchasing bandwidth, these WAN links are usually slow, unreliable and inefficient; Windows shops address this problem by installing Active Directory (AD) domain controllers at the branch office. Domain controllers are used to authenticate corporate users and provide them with access to domain resources.

Companies face a number of challenges with implementing domain controllers at the branch office, including lack of physical security, stolen domain controllers, lack of administrative role separation, lack of IT support personnel and lack of service isolation, as domain controllers usually reside on servers running other services, such as Exchange.

Windows Server 2008 addresses these concerns. Solution providers should adhere to the following strategies and best practices when deploying and securing domain controllers for customers at the branch office:

  • Use Windows Server 2008 read-only domain controllers (RODCs).
  • Implement BitLocker to encrypt data at the volume level.
  • Leverage server virtualization for service isolation and server consolidation.

Using read-only domain controllers at the branch office

Windows Server 2008 introduces a new type of RODC appropriate for locations where security cannot be guaranteed, such as at branch offices. The RODC hosts a copy of the Active Directory database like any other writable domain controller, but as its name implies, the metadata stored within the AD domain database residing on the domain controller is read-only, and write operations are not supported. This characteristic of RODCs provides an extra layer of security, since any unauthorized data changes, especially changes made with the intent to hurt the organization, will not replicate out to other domain controllers.

Get email updates
Submit your email address to receive systems-related news, tech tips and more, delivered to your inbox. 

Another great feature of read-only domain controllers is that they support credential caching. An RODC will not store user account information such as login ID and password associated with the AD domain on the domain controller. The exception is when you explicitly allow a set of users, such as branch-office employees, to cache their credentials at the branch office in order to support local authentication. This further limits exposure from a security perspective, as only a small number of user accounts are susceptible to compromise, compared to every user account within the domain.

Finally, it is possible to grant a nonadministrative domain user the right to log onto an RODC while minimizing the security risk of access to the Active Directory forest. As a result, they can log on to make changes to an item on the server. However, unlike in the past, they don't have full access to the Active Directory domain.

Encrypting branch-office domain controllers with BitLocker

Microsoft added Windows BitLocker Drive Encryption to Windows Server 2008 mostly as a result of organizations demanding protection not only for their operating systems at the branch office, but also for the vital data stored on the system volume and data storage volumes in these locations. BitLocker Drive Encryption, commonly referred to as just BitLocker, is a hardware-enhanced, data-protection security feature included in all versions of the Windows 2008 family of operating systems. It is an optional component that must be installed if you choose to use it.

BitLocker increases data protection for an operating system by merging two concepts together: encrypting data volumes and guaranteeing the integrity of the operating system's boot components. By leveraging BitLocker on domain controllers in branch offices, solution providers can assure customers that the Active Directory data residing on the domain controller is encrypted and well protected in the event that the server is compromised or stolen.

Leveraging virtualization for service isolation and server consolidation

Another challenge of deploying domain controllers at the branch office is that more than one application may be residing on the same server as the domain controller. For example, the server running the domain controller role at the branch office may also be hosting Exchange, third-party business applications and file and print services. From a domain controller perspective, this is a major security concern. For example, if an administrator logs into the server to manage a third-party application, they would have full privileges to the domain controller and the Active Directory domain, user accounts and any other service running on that machine.

The alternative scenario to address service isolation at the branch office would be to place each service on a dedicated server. Maintaining more servers in order to address service isolation increases hardware and management costs. Fortunately, both challenges can be addressed by leveraging server virtualization technology such as VMware ESX Server or Microsoft's Hyper-V. With a server virtualization platform, your customers can virtualize multiple operating systems and applications at the branch office on a single physical machine. This provides economic benefits and reduced management while bolstering security for domain controllers at the branch office.

In conclusion, Windows Server 2008 introduces superior new features that allow solution providers to protect and secure domain controllers in branch offices that lack physical security. Solution providers should implement RODCs, cache local credentials of branch-office user accounts and encrypt the volumes of domain controllers at branch-office locations, in addition to leveraging virtualization to consolidate servers and isolate services. These best practices will help keep your customers' remote offices secure.

About the author
Ross Mistry is a partner and principal consultant at Convergent Computing in the San Francisco Bay area. He focuses on implementing Active Directory, Exchange and SQL Server solution for Fortune organizations with a global presence. He is the author of
SQL Server 2008 Management & Administrationand co-author of Windows Server 2008 Unleashed and SQL Server 2005 Management & Administration, as well as a contributing writer on Exchange Server 2007 Unleashed, Hyper-V Unleashed and SharePoint Server 2007 Unleashed. Ross is also a Microsoft SQL Server MVP and frequently speaks at international conferences such as SQL Server PASS and Dev Connections.

Dig Deeper on MSP technology services

Cloud Computing
Data Management
Business Analytics