
security-24-7.com http://security-24-7.com/hardening-guide-for-windows-2008-r2-domain-controller-and-dns-server/?pfstyle=wp

Hardening guide for Windows 2008 R2 Domain Controller and DNS Server
This guide explains how to install and configure a Domain Controller and DNS server on the Windows 2008 R2 platform, for a new forest in a new domain.

Installation phase

1. Install Windows 2008 R2 server (either standard or enterprise edition). Important note: the first domain controller in the forest root domain must be installed on physical hardware and not as a virtual server.
2. Login for the first time to the new server, using the administrator account.
3. Start -> Run -> dcpromo.exe
4. Click Next twice -> select Create a new domain in a new forest -> click Next -> specify the FQDN of the new forest root domain -> click Next -> on the forest functional level, choose Windows Server 2008 R2 -> click Next -> leave DNS server selected and click Next -> click Yes on the warning message -> choose a location for the database, logs and sysvol folders -> click Next -> specify a complex password for the Directory Services Restore Mode administrator password (and document the password) -> click Next twice -> select Reboot on completion.
5. Allow the server to restart when the installation process completes.
6. Login to the new domain controller for the first time using the domain administrator account.
7. Start -> Run -> cmd.exe
8. Write the commands below to synchronize the PDC emulator with an external reliable time source:
   w32tm /config /computer:<> /manualpeerlist:time.windows.com /syncfromflags:manual /update
   exit
9. Start -> Administrative Tools, right-click Active Directory Module for Windows PowerShell, and then click Run as administrator.
10. Write the commands below to protect all OUs in the domain from accidental deletion:
   import-module activedirectory
   Get-ADOrganizationalUnit -Filter * -Properties ProtectedFromAccidentalDeletion | where {$_.ProtectedFromAccidentalDeletion -eq $false} | Set-ADOrganizationalUnit -ProtectedFromAccidentalDeletion $true
   exit
11. Server Manager -> right click on Features -> Add Features -> select Windows Server Backup Features -> click Next -> click Install -> click Close.
12. Start -> Administrative Tools -> Windows Server Backup -> from the Actions pane, click on Backup Schedule -> click Next -> choose Full server -> specify a backup time -> click Next -> click the check box for your destination disk -> click Next -> click Yes to confirm that the destination disk will be reformatted -> verify the label for the destination disk -> click Next -> verify the information on the Summary page -> click Finish -> on the Confirmation page -> click Close.
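The following script is an added example and not part of the original guide: it checks the outcome of steps 8, 10 and 11-12 on the domain controller (time source on the PDC emulator, accidental-deletion protection on every OU, presence of a backup schedule) and, with -Apply, reapplies the guide's own w32tm and Set-ADOrganizationalUnit settings where a check fails. It assumes an elevated PowerShell prompt on a Windows Server 2008 R2 DC with the ActiveDirectory module available; the scheduled-task name used for the backup check and the function names are assumptions, not taken from the guide.

```powershell
# Added example (not from the original guide): audit the DC hardening steps above.
# Run elevated on the 2008 R2 domain controller; use -Apply to remediate findings.
param([switch]$Apply)

Import-Module ActiveDirectory

$ExpectedPeer = 'time.windows.com'   # external peer the guide configures in step 8
# Assumption: task Windows Server Backup registers when a schedule is configured
$BackupTask   = '\Microsoft\Windows\Backup\Microsoft-Windows-WindowsBackup'

function Get-TimeSource {
    # W32Time prints the peer it syncs from, e.g. "time.windows.com,0x8",
    # or "Local CMOS Clock" when no peer has been configured
    (& w32tm.exe /query /source 2>&1 | Out-String).Trim()
}

function Get-UnprotectedOUs {
    # same query as step 10, read-only
    Get-ADOrganizationalUnit -Filter * -Properties ProtectedFromAccidentalDeletion |
        Where-Object { -not $_.ProtectedFromAccidentalDeletion }
}

function Test-BackupScheduled {
    # schtasks exits non-zero when the task does not exist
    & schtasks.exe /Query /TN $BackupTask 2>&1 | Out-Null
    return ($LASTEXITCODE -eq 0)
}

function Test-DcHardening {
    $findings = @()

    # Only the PDC emulator should sync from an external peer; other DCs
    # follow the domain hierarchy, so the time check applies to the PDC only.
    $pdc   = (Get-ADDomain).PDCEmulator
    $isPdc = ("$env:COMPUTERNAME.$env:USERDNSDOMAIN" -ieq $pdc)
    if ($isPdc) {
        $src = Get-TimeSource
        if ($src -notlike "$ExpectedPeer*") {
            $findings += "PDC emulator time source is '$src', expected $ExpectedPeer"
            if ($Apply) {
                & w32tm.exe /config "/manualpeerlist:$ExpectedPeer" /syncfromflags:manual /update | Out-Null
                & w32tm.exe /resync | Out-Null
            }
        }
    } else {
        $findings += "This host is not the PDC emulator ($pdc); time-source check skipped"
    }

    foreach ($ou in @(Get-UnprotectedOUs)) {
        $findings += "OU not protected from accidental deletion: $($ou.DistinguishedName)"
        if ($Apply) { $ou | Set-ADOrganizationalUnit -ProtectedFromAccidentalDeletion $true }
    }

    if (-not (Test-BackupScheduled)) {
        $findings += "No Windows Server Backup schedule found (task $BackupTask); configure it as in step 12"
    }

    return $findings
}

$result = @(Test-DcHardening)
if ($result.Count -eq 0) { 'All checks passed' } else { $result }
```

Run it without parameters first to see the findings; rerun with -Apply only after reviewing them, since it changes the W32Time configuration and writes to every unprotected OU.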

13. Server Manager -> expand Roles -> expand DNS Server -> expand DNS -> expand the server name -> right click on Reverse Lookup Zones -> New Zone -> click Next -> choose Primary zone -> leave Store the zone in Active Directory checked -> click Next -> select To all DNS servers running on domain controllers in this forest -> click Next -> choose IPv4 Reverse Lookup Zone -> click Next -> on the Network ID field, put the first 3 octets of the network segment the domain controller resides in -> click Next -> select Allow only secure dynamic updates -> click Next -> click Finish.
14. Perform the above step for all other network segments that reside in your organization.
15. From the left pane, expand the server name -> expand Forward Lookup Zones -> right click on each zone name -> Properties -> Name Servers tab -> make sure all Windows 2008 R2 DNS servers appear on this list (assuming you have installed more Windows 2008 R2 domain controllers with the DNS service) -> Zone Transfers tab -> select Allow zone transfers -> select Only to servers listed on the Name Servers tab -> click OK.
16. Perform the above step for all other Forward Lookup zones and Reverse Lookup zones in your forest.

IPv6 DNS settings

1. In order to configure an IPv6 address for the DNS server, Start -> Control Panel -> under Network and Internet, click on View network status and tasks -> click Change adapter settings -> right click on the relevant Local Area Connection icon -> Properties -> click on Internet Protocol Version 6 (TCP/IPv6) -> Properties -> select Use the following IPv6 address -> if you are not familiar with IP addressing, you can use 2001:0db8:29cd:1a0f:857b:455b:b4ec:7403 -> enter a Subnet prefix length of 64 -> click OK -> click Close.
2. Server Manager -> expand Roles -> expand DNS Server -> expand DNS -> expand the server name -> expand Reverse Lookup Zones -> right click on Reverse Lookup Zones -> New Zone -> click Next -> choose Primary Zone -> click Next -> choose To all DNS servers running on domain controllers in this forest -> click Next -> choose IPv6 Reverse Lookup Zone -> click Next -> on the IPv6 Address Prefix field type the IPv6 subnet prefix (in this example: 2001:0db8:29cd:1a0f::/64) -> click Next -> select Allow only secure dynamic updates -> click Next -> click Finish.
3. Right click on the new Reverse Lookup Zone -> Properties -> Zone Transfers tab -> select Allow zone transfers -> select Only to servers listed on the Name Servers tab -> click OK.
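The following script is an added example, not code from the original guide. It covers steps 13-16 and IPv6 steps 2-3 from the command line on the same Windows Server 2008 R2 DNS server: it derives the in-addr.arpa and ip6.arpa zone names from the network prefixes, creates each reverse zone with dnscmd.exe as an AD-integrated primary replicated to all DNS servers in the forest, restricts dynamic updates to secure only and zone transfers to the servers on the Name Servers tab, and then audits every zone on the server (forward and reverse) through the MicrosoftDNS WMI provider for those two settings. The forest name, the 192.168.x.0/24 segments and the function names are constructed placeholders; the IPv6 /64 is the one the guide uses.

```powershell
# Added example (not from the original guide). Run elevated on the 2008 R2 DNS server.
# Without -Apply it only audits; with -Apply it also creates the reverse zones.
param([switch]$Apply)

# Assumptions: replace the forest name and segments with your own values.
$ForestDnsPartition = 'ForestDnsZones.corp.example.com'  # "all DNS servers in this forest"
$Ipv4Networks       = @('192.168.10', '192.168.20')      # first three octets, one per segment (constructed)
$Ipv6Prefix         = '2001:0db8:29cd:1a0f'              # the /64 used in the guide

function ConvertTo-Ipv4ReverseZone([string]$ThreeOctets) {
    # 192.168.10 -> 10.168.192.in-addr.arpa
    $o = $ThreeOctets.Split('.')
    '{0}.{1}.{2}.in-addr.arpa' -f $o[2], $o[1], $o[0]
}

function ConvertTo-Ipv6ReverseZone([string]$Prefix64) {
    # 2001:0db8:29cd:1a0f -> f.0.a.1.d.c.9.2.8.b.d.0.1.0.0.2.ip6.arpa
    # expand each 16-bit group to four hex digits, then reverse nibble by nibble
    $nibbles = ($Prefix64.Split(':') | ForEach-Object { $_.PadLeft(4, '0') }) -join ''
    $chars = $nibbles.ToLower().ToCharArray()
    [array]::Reverse($chars)
    ($chars -join '.') + '.ip6.arpa'
}

function Invoke-Dnscmd {
    # dnscmd prints "Command completed successfully." and returns 0 on success
    & dnscmd.exe $args | Out-Null
    if ($LASTEXITCODE -ne 0) { throw "dnscmd $($args -join ' ') failed with exit code $LASTEXITCODE" }
}

function New-HardenedReverseZone([string]$ZoneName) {
    # AD-integrated primary stored in the forest-wide application partition
    Invoke-Dnscmd /ZoneAdd $ZoneName /DsPrimary /DP $ForestDnsPartition
    # AllowUpdate: 0 = none, 1 = nonsecure and secure, 2 = secure only
    Invoke-Dnscmd /Config $ZoneName /AllowUpdate 2
    # transfers only to the servers listed on the Name Servers tab
    Invoke-Dnscmd /ZoneResetSecondaries $ZoneName /SecureNs
}

function Get-ZoneAudit {
    # One row per zone hosted on this server, excluding the auto-created
    # 0/127/255.in-addr.arpa zones, with the two settings the guide hardens.
    Get-WmiObject -Namespace 'root\MicrosoftDNS' -Class MicrosoftDNS_Zone |
        Where-Object { -not $_.AutoCreated } |
        ForEach-Object {
            New-Object PSObject -Property @{
                Zone                = $_.Name
                Reverse             = [bool]$_.Reverse
                AdIntegrated        = [bool]$_.DsIntegrated
                SecureUpdatesOnly   = ($_.AllowUpdate -eq 2)
                # SecureSecondaries: 0 = any server, 1 = Name Servers tab, 2 = listed IPs, 3 = none
                TransfersRestricted = ($_.SecureSecondaries -ne 0)
            }
        }
}

if ($Apply) {
    $zones = @($Ipv4Networks | ForEach-Object { ConvertTo-Ipv4ReverseZone $_ })
    $zones += ConvertTo-Ipv6ReverseZone $Ipv6Prefix
    foreach ($z in $zones) {
        Write-Host "Creating hardened reverse zone $z"
        New-HardenedReverseZone $z
    }
}

# Report zones that still allow nonsecure updates or unrestricted transfers (step 16).
$noncompliant = @(Get-ZoneAudit | Where-Object { -not ($_.SecureUpdatesOnly -and $_.TransfersRestricted) })
if ($noncompliant.Count -eq 0) { 'All zones restrict updates and transfers' }
else { $noncompliant | Format-Table Zone, Reverse, AdIntegrated, SecureUpdatesOnly, TransfersRestricted -AutoSize }
```

The audit part is the one worth keeping around: run it after every DNS change, because a zone created later through the wizard with the defaults left in place will show up with TransfersRestricted or SecureUpdatesOnly set to False.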
