Optimizing domain controller security
Leakproof
Domain controllers (DCs) are a central element of the network architecture; they manage the authentication and authorization of user identities and computers in a Windows domain. Attacks on DCs can be carried out with a variety of methods, including pass-the-hash, exploitation of software vulnerabilities, and insider threats. A compromised DC gives attackers potentially far-reaching access to the network, including the ability to manipulate user accounts, change policies, escalate access authorizations, and steal sensitive data. Moreover, the integrity of the information stored on the network is at risk because attackers are able to manipulate or delete data. Therefore, you need to secure your DCs, as well as the servers and workstations that access them. The free Microsoft Security Compliance Toolkit (SCT) [1] provides an important basis for this endeavor.
Active Directory (AD) is one of the most sensitive structures on the network. This central role makes the DC a preferred target for hackers and cybercriminals. Unfortunately, the default domain controller policy responsible for DC security settings only provides rudimentary configurations that often do not offer the protection you need. In this article, I look at how security can be optimized with the help of Microsoft baselines and the free Policy Analyzer.
Securing Networks
The baselines from the SCT are a set of preconfigured security settings based on best practices and expert recommendations. One key benefit of this collection of settings is that it provides a solid foundation for security configuration, significantly reducing the need to research and configure each setting manually, which saves time and resources while making sure the systems are resilient to known threats and attack vectors. The baselines also make it easier to meet legal and industry-specific compliance requirements by suggesting configurations that comply with common security standards and regulations.
Unfortunately, the settings of the Default Domain Controller Policy are pretty rudimentary and do not implement numerous items that Microsoft recommends in its own security baselines. A comparison (which I will come to in a moment) gives you an overview of the important options that are not set – despite being recommended by Microsoft. You will always want to implement the Microsoft security baselines in all environments. The default settings after installing AD might be guaranteed to work in any environment, but they offer no more than a minimum level of security, and that is just not good enough in these times.
Microsoft offers security settings in the form of SCT baselines that you can distribute automatically by Group Policy, with areas for the Default Domain Controller Policy in AD. This policy specifically protects the domain controller. The toolkit includes the Policy Analyzer, a tool that lets you determine the delta between your current policies and Microsoft's recommendations. It makes sense to compare the settings and, ideally, to implement the specifications to the extent possible.
You can automatically implement the current Microsoft security recommendations as Group Policy templates in the Active Directory for domain controllers, member servers, standalone servers, and workstations. Of course, it is also possible to change individual settings. However, you should only do this if the values are causing issues on your network. In this case, though, it often makes more sense to check why parts of the network or some applications cannot handle the configurations devised by experts. Disabling should be your last resort because it ultimately affects security. In any case, it makes sense to check all the changes in a test environment first, if possible.
Group Policies
Security recommendations are implemented on the basis of group policies that you integrate into Active Directory. To secure servers, simply download the Windows Server 2022 Security Baseline.zip file. The Policy Analyzer mentioned earlier is delivered to your computer in the PolicyAnalyzer.zip file. The first archive contains various guidelines specific to the Windows server's task, including, for example, special policies for DCs, but also for member servers and for servers that are not part of AD domains.
Documentation in the form of Excel tables is included in the scope of delivery. The New Settings in Windows Server 2022.xlsx spreadsheet documents all configurations for Windows Server 2022, including the registry items that the policy settings change. All settings are available in FINAL-MS Security Baseline Windows Server 2022.xlsx. Several tabs are available for this at the bottom of the spreadsheet. The GP Reports directory also contains HTM files for all policies from the SCT that can be opened in your browser. All the configured settings are listed and documented there, giving you a comprehensive picture of what the baselines implement on the network.
Installing Policies on a DC
The use of the policies is simple. SCT comes with a number of ADMX and ADML files to match. You only need to copy these to the C:\PolicyDefinitions directory on a DC if they are not already in place, as is the case, for example, if you are implementing policies for Windows 11 23H2, because they are not included in the scope of delivery of Windows Server 2022.
If you work in an organization with central storage locations for ADMX files, you will need to copy the SCT templates to this directory. The ADML files contain the language information of the policy in question. Microsoft provides a Baseline-ADImport.ps1 script to help you import policies by copying the required files into the correct directories. However, this does not mean that the servers will execute the policies; it only ensures that all the required files are in place in a production environment.
The script also imports the new group policies into AD, but does not link them, which means they are not active as yet but are available for editing. Implementation takes place later when the settings are imported into new or existing group policies (e.g., the Default Domain Controllers Policy) or by linking the imported policies to containers or organizational units. The Default Domain Controllers Policy is linked to the Domain Controllers container in which the DC computer accounts reside, where you can, of course, use and extend AD's standard policies.
Microsoft also offers the MSFT Windows Server 2022 – Domain Controller policy (Figure 1), which can be linked to the Domain Controllers container parallel to the Default Domain Controllers Policy. However, at this point, it is a good idea to proceed very carefully before you set the values from the baselines. You need to make sure the policies do not overwrite each other. Although the settings only apply to the DCs, they affect all computers, services, and users who log on to the DCs. Despite this, it still makes sense to implement the baselines as separate policies. If problems occur, you then just need to disable the new policy. If you import all the new settings into the default policy, things are more difficult.
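The staging procedure described above, as an added PowerShell example that is not the toolkit's own Baseline-ADImport.ps1: it copies the SCT templates into the central store only where they are missing, imports the DC baseline as its own unlinked GPO, links it to the Domain Controllers container with the link disabled, and shows the link order so you can see which policy would win. The extraction path, the Templates and GPOs subfolder names, and the exact backup display name are assumptions.

```powershell
# Added example (not the toolkit's Baseline-ADImport.ps1): stage the SCT domain controller
# baseline next to the Default Domain Controllers Policy without enforcing it yet.
# Assumptions: the baseline zip is extracted to $BaselineRoot with 'Templates' and 'GPOs'
# subfolders, and the backup carries the display name given in $BaselineGpo.
Import-Module GroupPolicy
Import-Module ActiveDirectory

$BaselineRoot = 'C:\SCT\Windows Server 2022 Security Baseline'   # assumed extraction path
$BaselineGpo  = 'MSFT Windows Server 2022 - Domain Controller'  # assumed backup display name
$Domain       = Get-ADDomain
$CentralStore = "\\$($Domain.DNSRoot)\SYSVOL\$($Domain.DNSRoot)\Policies\PolicyDefinitions"
$DcContainer  = "OU=Domain Controllers,$($Domain.DistinguishedName)"

# 1. Copy ADMX/ADML templates into the central store, skipping files that already exist
#    so templates the organization already maintains there are never overwritten.
$TemplateRoot = Join-Path $BaselineRoot 'Templates'
Get-ChildItem -Path $TemplateRoot -Recurse -File | ForEach-Object {
    $relative = $_.FullName.Substring($TemplateRoot.Length).TrimStart('\')
    $target   = Join-Path $CentralStore $relative
    if (-not (Test-Path $target)) {
        New-Item -ItemType Directory -Path (Split-Path $target) -Force | Out-Null
        Copy-Item -Path $_.FullName -Destination $target
    }
}

# 2. Import the GPO backup as a separate GPO. Import-GPO never links, so nothing applies yet.
#    Refuse to overwrite a GPO of the same name that an admin may already have tuned.
if (Get-GPO -Name $BaselineGpo -ErrorAction SilentlyContinue) {
    throw "GPO '$BaselineGpo' already exists; review it before re-importing."
}
Import-GPO -BackupGpoName $BaselineGpo -Path (Join-Path $BaselineRoot 'GPOs') `
           -TargetName $BaselineGpo -CreateIfNeeded | Out-Null

# 3. Link it to the Domain Controllers container with the link disabled. Enable it after
#    testing; if something breaks, one Set-GPLink call disables it again, which is the
#    advantage of keeping the baseline separate from the default policy.
New-GPLink -Name $BaselineGpo -Target $DcContainer -LinkEnabled No | Out-Null

# 4. Show the link order on the container: the link with the lowest Order is applied last
#    and wins when both GPOs set the same value, so this is where overwrites are decided.
(Get-GPInheritance -Target $DcContainer).GpoLinks |
    Select-Object Order, DisplayName, Enabled, Enforced | Format-Table -AutoSize

# 5. Write an HTML report of everything the baseline would change, for review before enabling.
Get-GPOReport -Name $BaselineGpo -ReportType Html -Path "$env:TEMP\$BaselineGpo.html"
# Once tested:  Set-GPLink -Name $BaselineGpo -Target $DcContainer -LinkEnabled Yes
```

Run it from an elevated PowerShell session on a machine with RSAT (GroupPolicy and ActiveDirectory modules) as an account permitted to create and link GPOs.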