domain controller security



A friend suggested to me that he has left the gateway blank on his domain controller as a security measure. It is a windows 2008 DC on a small business network (about 20 computers). All the computers have internet access  and are plugged into the same switch as the DC, but the DC doesn't have a gateway so it does not have internet access. I suggested that the lack of security patches greatly increases security risk and the lack of a gateway doesn't make up for it, but he was not convinced. Is he correct?


In a way yes, in a way no.

Yes, because it limits anyone on the DC being able to access the internet and possibly infecting the DC.

No, because it does not stop a computer that is infected on the network from infecting the DC.

The other side of it is that the DC should be the only DNS server on the network; all devices should be pointed to the DC for DNS resolution. If the DC cannot resolve the computer accounts it will then forward the DNS traffic up to either a forwarder or a root DNS server for internet DNS lookup. Not having a gateway stops this from functioning. Having an internet DNS server can cause very unstable network connectivity on the network (you can see this if you do a search on this forum of complaints all related to DNS misconfiguration on an AD network; budman and myself have been over this many times for many years).

 

here is one, there have been many more

 

https://www.neowin.net/forum/topic/1119406-server-domain-problems/

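The DNS dependency described in the reply above (members point at the DC, the DC forwards or uses root hints, and a missing gateway breaks that chain) can be checked directly on the DC. The script below is an added example, not code from the thread; it assumes Windows Server 2012 or later (the `DnsServer`, `NetTCPIP` and `DnsClient` modules), an elevated PowerShell session on the DC, and uses `update.microsoft.com` only as a stand-in for any external name. On a 2008 box these cmdlets are absent and the same facts come from `ipconfig /all`, `route print`, `dnscmd /info` and `wmic qfe`.

```powershell
# Added example: audit a DC for the "no default gateway" setup discussed in the thread.
# Assumes Windows Server 2012+ modules and an elevated session on the DC.

$report = [ordered]@{}

# 1. Does the DC have a default route at all? No route means no forwarders and no updates.
$gw = Get-NetRoute -DestinationPrefix '0.0.0.0/0' -AddressFamily IPv4 -ErrorAction SilentlyContinue
$report['DefaultGateway'] = if ($gw) { ($gw.NextHop -join ', ') } else { 'NONE' }

# 2. Where does the DC send queries for zones it is not authoritative for?
$fwd = Get-DnsServerForwarder -ErrorAction SilentlyContinue
$report['Forwarders'] = if ($fwd -and $fwd.IPAddress) {
    ($fwd.IPAddress | ForEach-Object { $_.IPAddressToString }) -join ', '
} else { 'none configured (root hints only)' }

# 3. Can the DC's own DNS service resolve an external name? Without a gateway this times out,
#    and every domain member pointed at the DC for DNS (as it should be) fails the same way.
try {
    $ans = Resolve-DnsName -Name 'update.microsoft.com' -Server 127.0.0.1 -DnsOnly -ErrorAction Stop
    $first = $ans | Where-Object { $_.Type -in 'A', 'CNAME' } | Select-Object -First 1
    $report['ExternalResolution'] = 'OK (' + $first.Name + ')'
} catch {
    $report['ExternalResolution'] = 'FAILED: ' + $_.Exception.Message
}

# 4. Is this host itself pointed at the DC (its own address / loopback) rather than an internet resolver?
$clientDns = (Get-DnsClientServerAddress -AddressFamily IPv4 |
    Where-Object { $_.ServerAddresses }).ServerAddresses
$report['ThisHostDnsServers'] = ($clientDns | Select-Object -Unique) -join ', '

# 5. How stale is patching? Get-HotFix reads the same data as "Installed Updates".
$lastPatch = Get-HotFix | Where-Object { $_.InstalledOn } |
    Sort-Object InstalledOn -Descending | Select-Object -First 1
if ($lastPatch) {
    $report['LastPatchInstalled'] = $lastPatch.InstalledOn.ToString('yyyy-MM-dd') + ' (' + $lastPatch.HotFixID + ')'
    $report['DaysSinceLastPatch'] = [int](New-TimeSpan -Start $lastPatch.InstalledOn -End (Get-Date)).TotalDays
} else {
    $report['LastPatchInstalled'] = 'unknown'
    $report['DaysSinceLastPatch'] = 'unknown'
}

[pscustomobject]$report | Format-List
```

A DC in the state the original poster describes shows `DefaultGateway: NONE`, `ExternalResolution: FAILED`, and a large `DaysSinceLastPatch`. If `ThisHostDnsServers` lists an ISP or public resolver instead of the DC, that is the misconfiguration the reply warns about, and it should be corrected before touching anything else.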

Your friend should not be working in IT (please tell me this is a DC he runs on his home network?) would be my comment to such a statement. And he should not give advice on things he doesn't understand either. Is he the business owner who figured he could just do the IT himself and save some money, because, well, he set up his router at home? Or is someone actually paying him to do IT work?

Let me guess: he doesn't broadcast his SSID either on his wireless, because it makes it more secure. And he has DHCP turned off because that also is a security issue?

As sc302 correctly points out, normally the DC is the DNS for the members of the domain. So how exactly is your friend handling that? Is he not patching his DC? Does it get to the internet via a proxy on the local segment?


Shutting it down is the best way to secure it!

Yeah, that's like security through obscurity, which is also a crock of sh*t.

Unless you're downloading them manually, it won't receive security updates via Windows Update. Sounds like an infrastructure held together by duct tape.

Your friend should not be working in IT (please tell me this is a DC he runs on his home network?) would be my comment to such a statement. And he should not give advice on things he doesn't understand either. Is he the business owner who figured he could just do the IT himself and save some money, because, well, he set up his router at home? Or is someone actually paying him to do IT work?

Let me guess: he doesn't broadcast his SSID either on his wireless, because it makes it more secure. And he has DHCP turned off because that also is a security issue?

As sc302 correctly points out, normally the DC is the DNS for the members of the domain. So how exactly is your friend handling that? Is he not patching his DC? Does it get to the internet via a proxy on the local segment?

Yes, he is the owner who decided to do the IT himself; it's quite a small shop, only a few employees.

He isn't patching it since he thinks having it "off the internet" makes up for the risk.

I am very curious how his other clients that use/need the internet do DNS.

Are they pointing to both the DC for the AD DNS and some other server for looking up google.com, for example? Or are they using a proxy?

I don't understand this logic. What are you worried is going to infect your DC? It should have no inbound rules from the internet. So the only thing it should be doing is asking DNS for records, and Windows Update. You should not be "surfing" on a DC; you should not be installing all kinds of 3rd party crap on a DC. If one of your other boxes on the same segment gets infected, it for sure could infect the DC. The DC might not then be able to call command and control or do stuff on the internet, but it would still be compromised, could infect other machines on your network, etc.

If you're not patching it, it's even more likely to be open to other machines on your network infecting it with something that a user installs, etc.

IF you want to keep it from talking on the internet, then do so: at your border firewall only allow its IP to talk to DNS and the Microsoft update servers.

So what other gems of wisdom does your friend have for a secure network?? ;)

edit: So he is not IT, that explains it ;) What I would suggest is he gets real IT to look into his setup; it does not have to be a full-time employee. It can be contract work, etc. I believe sc302 still might, not 100% sure, or used to work for a company that supported smaller setups, etc. So for a few $ you could get someone of sc302's skill set to set it all up. Or true, you could get someone that agrees with his no-gateway security policy as well ;) Which is why you need to do some research on who to hire: who else do they support, what are the reviews from those customers, etc.

I myself used to do side work and set up/support SMBs, stop by every few weeks to check on things, answer any tickets they had, etc. But normally if set up correctly, and you show them how to add/remove users from the domain and keep their antivirus and backups up to date, there was rarely any need for follow-up until they wanted to grow or expand or update some hardware, etc.

What's the old saying, never represent yourself in court ;) Someone doing their own IT that is not in the field is like someone being their own lawyer that never went to law school, but they watched a few reruns of Ironside ;)

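The egress policy the reply above recommends ("only allow its IP to talk to DNS and the Microsoft update servers") is easy to state and awkward to do by IP at a border firewall, because Microsoft Update endpoints sit behind CDNs whose addresses change. The nearest host-side equivalent is to scope outbound rules on the DC by service rather than by destination address. The script below is an added example, not code from the thread or from Microsoft; it assumes Windows Server 2012 or later (the `NetSecurity` module), an elevated session, and the hypothetical forwarder and LAN addresses shown. It is a swap for the border-firewall rule the poster describes, not that rule itself.

```powershell
# Added example: host-based outbound policy on a DC approximating "DNS and Microsoft Update only".
# Assumes Windows Server 2012+ and an elevated session. Addresses below are hypothetical placeholders.

$Forwarders = @('203.0.113.53', '203.0.113.54')   # hypothetical DNS forwarder IPs (TEST-NET-3)
$LanSubnet  = '192.168.10.0/24'                   # hypothetical LAN where the domain members live
$G          = 'DC egress policy (example)'        # rule group, so the set can be reviewed or removed together

# Start clean: remove any previous copy of this rule set.
Get-NetFirewallRule -Group $G -ErrorAction SilentlyContinue | Remove-NetFirewallRule

# Domain members must keep talking to the DC (LDAP, Kerberos, SMB, RPC, DNS, replication ...).
# Scoping by the LAN prefix instead of enumerating AD ports keeps the domain working.
New-NetFirewallRule -Group $G -DisplayName 'Allow outbound to LAN' `
    -Direction Outbound -Action Allow -RemoteAddress $LanSubnet | Out-Null

# Recursive DNS: only the DNS Server service, only to the configured forwarders, only port 53.
foreach ($proto in 'UDP', 'TCP') {
    New-NetFirewallRule -Group $G -DisplayName "Allow DNS to forwarders ($proto)" `
        -Direction Outbound -Action Allow -Protocol $proto -RemotePort 53 `
        -RemoteAddress $Forwarders -Service dns | Out-Null
}

# Windows Update: HTTP/HTTPS is allowed for the update service only, not for every process on the box.
New-NetFirewallRule -Group $G -DisplayName 'Allow Windows Update service' `
    -Direction Outbound -Action Allow -Protocol TCP -RemotePort 80, 443 -Service wuauserv | Out-Null
# Newer builds fetch update payloads through Delivery Optimization; give it the same allowance.
New-NetFirewallRule -Group $G -DisplayName 'Allow Delivery Optimization service' `
    -Direction Outbound -Action Allow -Protocol TCP -RemotePort 80, 443 -Service dosvc | Out-Null

# Everything else outbound is dropped. Apply this last, after confirming the allow rules exist,
# because a typo above will isolate the DC from its own forwarders and from update servers.
Set-NetFirewallProfile -Profile Domain, Private, Public -DefaultOutboundAction Block

Get-NetFirewallRule -Group $G | Select-Object DisplayName, Enabled, Direction, Action | Format-Table -AutoSize
```

Two caveats before running it on a real DC: add an outbound rule for `w32time` (UDP 123) if this DC holds the PDC emulator role and syncs time from an external source, and watch the firewall log (`Set-NetFirewallProfile -LogBlocked True`) for a few days before trusting the default-block, since CRL and OCSP checks and any monitoring agent will show up there. If the DC must not reach the internet at all, the cleaner design the thread hints at is a WSUS server or proxy on the LAN that the DC talks to instead.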

Yes, I used to work for a consulting company dealing with small ma-and-pa shops to enterprise-size orgs (2 users to 10,000+ users) in all areas of the above. No, I don't do it anymore as it has taken its toll on me... a ridiculous amount of driving (30-40k miles a year... now I am down to 25-28k miles, still a lot). I have done an AD setup remotely before and have given instruction on how to manage and support the AD infrastructure with some Q and A; it was a decent-sized site and this person knew nothing about servers or AD other than how to install the OS (which was needed for me to remote in and do my thing).

Yup, once you can get in, you can do it all from a beach with a cold beer in your hand and toes in the sand ;) This is the dream of all IT, but it rarely works out that way. I got a new gig in the works though; if that comes through it will be 100% work from home. Which sounds real great, but I like bouncing stuff off people in the office, etc.

I like being in the office. I tried the home thing for a year; however, it really sucked with wifey wanting me to do things other than work-related stuff when I was at home. It was to the point where I said between the hours of 8 and 5, don't talk to or contact me... that lasted for another month after that, then I went back to consulting for a while, then found a desk job where I don't move much, and that is where I am at now.