1
00:00:06,330 --> 00:00:14,010
The physical security of domain controllers is critically important. Domain controllers contain all the

2
00:00:14,010 --> 00:00:19,030
credentials in your organization's Active Directory domain.

3
00:00:19,050 --> 00:00:28,920
If attackers achieve physical access to your domain controllers, they can bypass almost any safeguards

4
00:00:29,010 --> 00:00:30,210
that you have.

5
00:00:30,210 --> 00:00:38,400
They then can access most passwords quickly, and they can use this information to attack your network.

6
00:00:38,700 --> 00:00:45,900
Therefore, you should do the following steps to further secure your Active Directory domain controllers.

7
00:00:45,900 --> 00:00:53,310
Those steps include that you only deploy domain controllers where you can ensure physical security.

8
00:00:53,640 --> 00:01:01,170
If your server locations do not have dedicated rooms with access control, do not put a domain controller

9
00:01:01,170 --> 00:01:02,600
in that environment.

10
00:01:02,640 --> 00:01:10,260
Use RODCs where possible. You can use RODCs as domain controllers in locations with

11
00:01:10,260 --> 00:01:18,210
less security, with less physical security, because by default RODCs do not store secrets such

12
00:01:18,210 --> 00:01:26,580
as account passwords. Use BitLocker Drive Encryption to provide an extra level of security. Consider

13
00:01:26,580 --> 00:01:31,740
encrypting domain controller hard drives by using BitLocker.

14
00:01:31,770 --> 00:01:37,110
This prevents attackers from accessing the data on server hard drives

15
00:01:37,110 --> 00:01:47,520
if they are removed from the servers. Windows Server 2016 and later supports using BitLocker on volumes

16
00:01:47,580 --> 00:01:50,370
that store AD DS databases.

17
00:01:50,580 --> 00:01:57,740
However, it does not support the use of EFS to protect AD DS database files.

18
00:01:57,750 --> 00:02:06,210
Another step is to monitor hot-swap disk systems. Usually, servers deploy with a hot-swap disk system,

19
00:02:06,510 --> 00:02:13,250
which enables you to change a drive without server interruption

20
00:02:13,340 --> 00:02:22,490
when a hardware failure occurs. If you have redundant array of independent disks, or RAID, Level One mirroring

21
00:02:22,730 --> 00:02:30,810
in your servers, you should ensure that you have monitoring in place so you are aware if any disk is

22
00:02:30,810 --> 00:02:33,330
removed or exchanged.

23
00:02:33,330 --> 00:02:39,920
Otherwise, it is simple to remove and possibly replace a hard drive from your domain controller.

24
00:02:39,960 --> 00:02:47,550
If someone possesses your domain controller's hard drive, he or she has the same ability to exploit

25
00:02:47,550 --> 00:02:53,490
the system as they would if they had the whole domain controller.

26
00:02:53,490 --> 00:02:56,880
The next step is to protect virtual disks.

27
00:02:56,880 --> 00:03:01,900
Many organizations deploy domain controllers as virtual machines.

28
00:03:02,010 --> 00:03:10,170
The virtual disks used by virtual machines must be as secure as physical disks, and the administrators

29
00:03:10,170 --> 00:03:18,390
of your virtual infrastructure must be as trusted as your domain admins. Sometimes, running a dedicated

30
00:03:18,390 --> 00:03:26,880
virtual infrastructure for critical components such as domain controllers addresses these risks.

31
00:03:26,880 --> 00:03:35,400
Another step is to store backups in secure locations. Your domain controller backups contain all the same

32
00:03:35,400 --> 00:03:42,840
information as domain controllers. Make sure that backups are stored in secure locations, which only

33
00:03:42,840 --> 00:03:45,810
trusted administrators can access.

34
00:03:45,810 --> 00:03:48,960
Next up, we'll be talking about RODCs.

35
00:03:49,020 --> 00:03:49,920
I'll see you there.