Is it possible to encrypt the primary domain controller, to secure it from hacking or taking over authentication?

Dear EE's

Is there any way to secure the domain controller and Active Directory environment from hacking or taking over authentication to manipulate it?

Please advise.
Shamil Mohamed, IT Infrastructure Engineer/IT Systems Manager, asked:

Ganesh Kumar A, Sr Infrastructure Specialist, commented:
This guide would help to plan for securing AD: http://technet.microsoft.com/en-us/library/cc773365(v=ws.10).aspx

Word document:
https://www.google.co.in/url?sa=t&rct=j&q=&esrc=s&source=web&cd=3&cad=rja&uact=8&sqi=2&ved=0CDAQFjAC&url=http%3A%2F%2Fdownload.microsoft.com%2Fdownload%2FD%2F1%2F8%2FD1866CDE-9824-40F4-836A-4C8C233693F1%2FBest%2520Practices%2520for%2520Securing%2520Active%2520Directory.docx&ei=_dYfVMvIBcKQuASl94KwCQ&usg=AFQjCNHhbSXImv0d7fpc6eEhFzlC6WM1kA&sig2=wCtDwFuF1fTjav1tFkmX4w&bvm=bv.75775273,d.c2E


a) Review the firewall configuration; have a Cisco ASA 5505 or a better firewall for internal and external access.
b) All AD OS installs must have OS hardening done.
c) Inspect AD for unauthorized user accounts and disable them.
d) Rename the default Administrator account.
e) Force a GPO to change passwords frequently, or urge users to keep complex passwords.
f) Keep good antivirus on all systems and scan them periodically.
g) WiFi security is a must.
h) Keep 2 layers of protection and allow only certain ports through the firewall.
i) Keep Domain Controllers in a different VLAN.
j) Require passwords of 15 or more characters. Disable LAN Manager (LM) hashes from being stored on your computers (http://support.microsoft.com/kb/299656).
k) Do not show/store the last username used to log in (http://support.microsoft.com/kb/310125).
l) Do not cache passwords: this setting will prevent users from logging in when the domain controller is unavailable (http://4sysops.com/archives/manage-stored-windows-passwords/).
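As an added example (not code from Ganesh's answer or from Microsoft), the following read-only PowerShell audit checks items d), j), k) and l) of the list above on the machine it runs on. The registry paths and value names are the documented Windows locations for those policies; the domain checks assume the ActiveDirectory module is installed and the session runs as a domain user who can read the domain. The expected values (NTLMv2-only level 5, minimum length 15) are taken from the answer, and CachedLogonsCount is compared as a string because Windows stores it as REG_SZ.

```powershell
# Added audit example: reports whether each hardening setting from the answer
# is in place. Nothing is changed; fix gaps via GPO, not by hand-editing the registry.
$checks = @(
    @{ Name = 'LM hashes not stored (NoLMHash)'
       Path = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
       Value = 'NoLMHash'; Expected = 1 },
    @{ Name = 'Send NTLMv2 only (LmCompatibilityLevel)'
       Path = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
       Value = 'LmCompatibilityLevel'; Expected = 5 },
    @{ Name = 'Do not display last user name'
       Path = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
       Value = 'DontDisplayLastUserName'; Expected = 1 },
    @{ Name = 'No cached domain logons (CachedLogonsCount)'
       Path = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'
       Value = 'CachedLogonsCount'; Expected = '0' }   # REG_SZ, hence the string
)

function Test-HardeningValue {
    param([hashtable]$Check)
    # A missing value means the policy was never applied, which counts as a fail.
    $item   = Get-ItemProperty -Path $Check.Path -Name $Check.Value -ErrorAction SilentlyContinue
    $actual = if ($null -ne $item) { $item.($Check.Value) } else { '<not set>' }
    [pscustomobject]@{
        Setting  = $Check.Name
        Actual   = $actual
        Expected = $Check.Expected
        Pass     = ("$actual" -eq "$($Check.Expected)")
    }
}

$results = @($checks | ForEach-Object { Test-HardeningValue -Check $_ })

Import-Module ActiveDirectory -ErrorAction Stop

# d) The built-in Administrator always has RID 500, so look it up by SID rather
#    than by name; that is how you tell whether it has actually been renamed.
$domainSid    = (Get-ADDomain).DomainSID.Value
$builtinAdmin = Get-ADUser -Identity "$domainSid-500"
$results += [pscustomobject]@{
    Setting  = 'Default Administrator account renamed'
    Actual   = $builtinAdmin.SamAccountName
    Expected = 'anything but "Administrator"'
    Pass     = ($builtinAdmin.SamAccountName -ne 'Administrator')
}

# j) Minimum password length of 15, from the default domain password policy.
$policy = Get-ADDefaultDomainPasswordPolicy
$results += [pscustomobject]@{
    Setting  = 'Minimum password length >= 15'
    Actual   = $policy.MinPasswordLength
    Expected = 15
    Pass     = ($policy.MinPasswordLength -ge 15)
}

$results | Format-Table -AutoSize
```

Note that CachedLogonsCount = 0 carries the caveat from item l): laptops and any host that cannot reach a DC will not be able to log on with domain credentials, so that setting is usually scoped to servers and DCs only.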
Dave Baldwin, Fixer of Problems, commented:
The most common way for people to login to a system that they aren't authorized on is to ask a 'friend' to let him use his login.  That's what Edward Snowden did at the NSA.
Shamil Mohamed, IT Infrastructure Engineer/IT Systems Manager, Author, commented:
Is there any way to use a USB as the authentication key?
btan, Exec Consultant, commented:
Cert-based authentication using a token and smartcard can be bypassed if malware has a smartcard proxy scheme (which has already happened in a real incident), but we should minimally have it enforced for such critical DCs and enforced for all administrators, and no remote admin where possible (and if needed, get a VPN at minimum, which is also client-cert based). The auth key is based on the 2-factor held by the user per se...

Do check out the below, as it includes GPO hardening settings and restricted groups etc. Primary threats include pass-the-hash and the Kerberos Golden Ticket.

Mitigating Pass-the-Hash (PtH) Attacks and Other Credential Theft, Version 2
http://www.microsoft.com/en-sg/download/details.aspx?id=36036
Protection from Kerberos Golden Ticket
http://cert.europa.eu/static/WhitePapers/CERT-EU-SWP_14_07_PassTheGolden_Ticket_v1_1.pdf

And I kind of like the tips below; note there is the Microsoft Security Compliance Manager, free for download, with recommended settings and documentation that is pretty handy for overall compliance.
http://social.technet.microsoft.com/wiki/contents/articles/18931.security-hardening-tips-and-recommendations.aspx

BitLocker disk encryption and EFS file encryption are just part and parcel of the scheme of hardening...
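As an added example that is not part of btan's comment, this PowerShell report shows which of the two-factor and credential-theft controls he mentions are actually enforced on the privileged accounts: the "Smart card is required for interactive logon" flag, "Account is sensitive and cannot be delegated", and membership in the Protected Users group (which blocks NTLM and cached credentials for its members and is an assumption here, since it needs a Windows Server 2012 R2 or later schema; the script just warns if it is absent). It assumes the ActiveDirectory module and read access to the domain; the group names are the built-in ones.

```powershell
# Added example: inventory the high-privilege accounts and flag the ones
# without smartcard enforcement, delegation protection or Protected Users.
Import-Module ActiveDirectory -ErrorAction Stop

$privGroups = 'Domain Admins', 'Enterprise Admins', 'Schema Admins', 'Administrators'

# Protected Users only exists after the 2012 R2 schema update; skip the check otherwise.
$protected = @()
try {
    $protected = @(Get-ADGroupMember -Identity 'Protected Users' -Recursive |
        Select-Object -ExpandProperty SamAccountName)
} catch {
    Write-Warning 'Protected Users group not found (needs 2012 R2 schema); skipping that column.'
}

# Recursive membership, de-duplicated, user objects only (nested groups are expanded).
$admins = $privGroups |
    ForEach-Object { Get-ADGroupMember -Identity $_ -Recursive -ErrorAction SilentlyContinue } |
    Where-Object { $_.objectClass -eq 'user' } |
    Sort-Object -Property distinguishedName -Unique

$report = foreach ($a in $admins) {
    $u = Get-ADUser -Identity $a.distinguishedName `
         -Properties SmartcardLogonRequired, AccountNotDelegated, PasswordLastSet, Enabled
    [pscustomobject]@{
        Account           = $u.SamAccountName
        Enabled           = $u.Enabled
        SmartcardRequired = [bool]$u.SmartcardLogonRequired
        NotDelegated      = [bool]$u.AccountNotDelegated
        ProtectedUser     = ($protected -contains $u.SamAccountName)
        PasswordLastSet   = $u.PasswordLastSet
    }
}

$report | Sort-Object SmartcardRequired, ProtectedUser, Account | Format-Table -AutoSize

# Enabled admins missing any of the three controls are the first ones to fix.
$gaps = $report | Where-Object {
    $_.Enabled -and -not ($_.SmartcardRequired -and $_.NotDelegated -and $_.ProtectedUser)
}
"{0} of {1} privileged accounts lack at least one control" -f @($gaps).Count, @($report).Count
```

The PasswordLastSet column matters for the pass-the-hash point in the linked Microsoft guide: an admin account that was used before its NTLM hash could have been harvested keeps the same hash until the password is changed, so a stale date on a privileged account is itself a finding. Enabling "Smart card is required" also rotates the account's NTLM hash on every set, which is another reason to turn it on for admins.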

Shamil Mohamed, IT Infrastructure Engineer/IT Systems Manager, Author, commented:
Thank you.
Windows Server 2012