First, you really need to state the case for having two domain controllers for
redundancy to maintain domain services.
Data can be effectively protected with proper share and ntfs permissions. The server
must be physically secured. That may mean a bank vault to Verisign. At the very least
the domain controller needs to be in an area not available to the general student
population and in a sturdy case that blocks access to the interior, drive bays, and
ports. Except for possibly encrypted data, if I can get to your domain controller, I
can get your data - and you may never know about it.
The biggest problem is that although share/ntfs permissions can secure data, poor
password control can bypass that security measure. If someone can guess or otherwise
obtain an administrator password for the domain then the data is theirs. Keep in mind
that password policy for domain accounts can only be implemented at the domain level
and will apply to ALL domain accounts. Domain administrator passwords must be complex
and kept confidential. If you can not trust your domain administrators to do that on
their own then you will have to enforce password length and complexity in domain
policy. You also should implement an account lockout policy that has say a threshold
of ten bad attempts and a 10 minute or so lockout period. Passprop can be used to
also lock out "the" administrator account from domain access and that account should
be renamed. Keep in mind that some students think it will be funny to lock out other
users accounts. You will have to decide on how to deal with those students. I also
suggest you enable auditing of logon events for success and failure on the domain
controller or wherever shares will be offered. You will need to considerably increase
the size of the audit log over default. You could then tell when someone was trying
to hack into the server sharers by password guessing and assuming they were from the
domain, you should see an entry as to what domain computer these attacks came from.
Domain administrator credentials should only be used on a trusted machine and never a
student machine where a keyboard logger may be installed. Another thing to consider
is to use a hidden share for your administrator "data" by putting a $ after the share
name. That way the share will not show up in My Network Places, though users that
know the name of it could access it assuming their account had proper permissions. If
students do not need to access shares on each others computers, then consider
changing the user right for access this computer from the network to be just domain
admins group or such for those domain computers. --- Steve
Eric said:
I am in the planning stages of setting up a Windows 2003 domain for a school. I am
still trying to figure out the best and most secure way to separate the "Class" data
and very sensitive "Admin" data. They have only budgeted for 1 server so this is why
i am so worried about this stage.
