Domain controllers are the heart of a Windows-based network. As the name suggests, they control the activities on the domain. Their roles can be restricted to a single function, or a domain controller can be configured to include a number of related functions. This decision depends largely on the size of the network and on how many users and processes will access the data. The larger the network, the more specialized domain controllers tend to become. Basic security measures consist of:

  • Using the NTFS file system to secure information on the system volume.
  • Securing the domain controller in an access-controlled location.
  • Removing every service that will not be used on the domain controller.
  • Requiring smart card access on domain controllers where possible. Passwords are randomly generated and encrypted using stronger encryption methods.

In general, the domain controller authenticates domain logons and maintains the master database and security policy for the domain. Although both servers and domain controllers can authenticate user logons, only domain controllers can make password changes or other changes to user and computer accounts. To configure security for domain controllers on the network, start from a known state (a baseline). Whenever a server is promoted to a DC, the DC security template is applied. It provides baseline security for DCs that is identical to what the setup security template provides for other server types. In addition, two other predefined security templates can be used on domain controllers: hisecdc.inf and securedc.inf.

If the domain contains member servers or DCs that are not running Windows NT 4.0 SP4 or later, the securedc.inf template can be used. This template offers strong security, but it does not require strong encryption, SMB signing, or use of the NTLM v2 authentication protocol. The hisecdc.inf template, on the other hand, requires SMB signing as well as strong passwords. Before using this template on a DC in a mixed environment, test every scenario carefully, as some down-level clients may not be able to connect to a domain controller that has the hisecdc.inf template applied.
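
As an added illustration (not code from the original page or from Microsoft), the Python below reads the text of a security template and reports the settings contrasted above: required SMB signing, required NTLM v2, and password complexity. It also flags when down-level clients need testing before the template is applied. The function names and the two template excerpts are constructed for this example and do not reproduce the shipped securedc.inf or hisecdc.inf; the input is assumed to be already decoded to text.

```python
# Value names as written in the [Registry Values] section of a security
# template (.inf). Entries have the form  path=type,data  (type 4 = REG_DWORD).
SMB_SIGN = r"MACHINE\System\CurrentControlSet\Services\LanManServer\Parameters\RequireSecuritySignature"
LM_LEVEL = r"MACHINE\System\CurrentControlSet\Control\Lsa\LmCompatibilityLevel"

def parse_template(text):
    """Parse template text into {section: {key: value}}, names lowercased."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            current = sections.setdefault(line[1:-1].strip().lower(), {})
        elif current is not None and "=" in line and not line.startswith(";"):
            key, _, value = line.partition("=")
            current[key.strip().lower()] = value.strip()
    return sections

def reg_dword(sections, path):
    """Return the DWORD data for path, or None if the template does not set it."""
    kind, _, data = sections.get("registry values", {}).get(path.lower(), "").partition(",")
    return int(data) if kind.strip() == "4" and data.strip().isdigit() else None

def audit(text):
    """Report the settings that differ between a relaxed and a strict DC template."""
    s = parse_template(text)
    signing = reg_dword(s, SMB_SIGN) == 1
    # On a DC, level 5 refuses LM and NTLM responses and accepts only NTLMv2.
    ntlmv2 = reg_dword(s, LM_LEVEL) == 5
    return {"smb_signing_required": signing, "ntlmv2_required": ntlmv2,
            "password_complexity": s.get("system access", {}).get("passwordcomplexity") == "1",
            "test_down_level_clients": signing or ntlmv2}

# Constructed excerpts for illustration, not the contents of the shipped files.
RELAXED = r"""[System Access]
PasswordComplexity = 1
[Registry Values]
MACHINE\System\CurrentControlSet\Services\LanManServer\Parameters\RequireSecuritySignature=4,0
MACHINE\System\CurrentControlSet\Control\Lsa\LmCompatibilityLevel=4,2
"""
STRICT = r"""[System Access]
PasswordComplexity = 1
[Registry Values]
MACHINE\System\CurrentControlSet\Services\LanManServer\Parameters\RequireSecuritySignature=4,1
MACHINE\System\CurrentControlSet\Control\Lsa\LmCompatibilityLevel=4,5
"""

if __name__ == "__main__":
    for name, text in (("relaxed", RELAXED), ("strict", STRICT)):
        print(name, audit(text))
```

A template that reports `test_down_level_clients` as true is the kind that calls for the mixed-environment testing described above before it is applied to a DC.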