
Using firewall rules to restrict domain controller promotion (DCPROMO)

I am currently using McAfee HIPS on my domain controllers. I want to restrict dcpromo from being run on a member server in the event an account in the domain gets compromised and someone tries to run dcpromo on a member server in order to get a copy of the AD database. Has anyone tried to do this, or does anyone have any suggestions on how to accomplish this? I am also running VirusScan and Application Control (Solidcore). Any help would be greatly appreciated!

1 Reply
Reliable Contributor greatscott

Re: Using firewall rules to restrict domain controller promotion (DCPROMO)

It's been a while since I have run dcpromo. If it drops some sort of registry key, or starts a specific program, you could write a custom IPS signature to prevent this activity from occurring. If you ever did need to promote a domain controller, you would simply disable HIPS momentarily on that system.

Message was edited by: greatscott on 3/4/14 3:39:59 PM CST