Worried about DC security at branch offices

[Chauncy Desmond]

Hi All,

Planning AD...I've read the MS branch office planning guides...still on the
fence about placing a DC at each site. We have roughly 10-15 sites around
the globe. For ease of administration and cost, we are using a single domain
model and sites over VPN-based WAN.

I would like to have a DC at each site, but we do not have a full time IT
staff member at just about all of the branch offices. I am worried about the
security of the DC's at these offices, so i am thinking about not putting a
DC at all at most sites and just having users authenticate over WAN.

However, when the WAN link dies, users can not access local network
resources (without using 'local' user accounts, which someone will have to
administer/sync with domain user accounts.)

So back to a DC at each site...if we back up the domain controller to tape,
wont ALL of our AD info be on the tape waiting to be cracked by who knows
what?

Sorry if I seem paranoid...maybe its because i am

Just wondering what others might be doing for AD on a low budget and no IT
staff at branch offices. Any advice is greatly appreciated...

 

[Eric Fleischman [MSFT]]

Hi,

I'm glad to hear you're concerned about this. You're thinking all the right
things and asking all the right questions.

What it comes down to really is whether or not you can safely and securely
deploy a dc in a remote location. In terms of building it, you could TS in
to the server and dcpromo it remotely and of course most administration can
be done remotely. So it really comes down to physical security of the
machine and what happens should there be a larger failure that requires
admin work on the server itself.

If you feel confident that you can deploy it securely (maybe lock it in a
secure location that only a trusted party in the organization has access
to....someone that may even have admin priv's already) this is a safe move.
Should no such location exist, this is clearly a different scenario.

Let's assume that you decide not to deploy a DC out there. In that case, as
you noted, you suffer problems if a WAN link goes down. One way to combat
this may be to have dual links such that if a link to a single link goes
down the site in question can still contact another. Just food for thought,
as I don't know anything about your network topology.

As for tapes, yes, if an untrusted party gets their hands on a tape backup
of a dc that would be a bad thing for sure. I would consider the forest
compromised and want to reset all passwords on all accounts at that point in
time.

The bottom line really is that if you don't have a trusted place for a dc in
a remote location placing a dc there is risky.

So I'm not sure I've answered things so much as I have planted some
thoughts. Just holler if you have any further questions or points for
discussion.

~Eric