Using firewall rules to restrict domain controller promotion (DCPROMO)
I am currently using McAfee HIPS on my domain controllers. I want to restrict dcpromo from being run on a member server in the event an account in the domain gets compromised and someone tries to run dcpromo on a member server in order to get a copy of the AD database. Has anyone tried to do this or have any suggestions on how to accomplish this? I am also running VirusScan and Application Control (Solidcore). Any help would be greatly appreciated!
Re: Using firewall rules to restrict domain controller promotion (DCPROMO)
It's been a while since I have run dcpromo. If it drops some sort of registry key, or starts a specific program, you could write a custom IPS signature to prevent this activity from occurring. If you ever did need to promote a domain controller, you would simply disable HIPS momentarily on that system.
Message was edited by: greatscott on 3/4/14 3:39:59 PM CST
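A complementary detective control, as an added example that is not part of this thread or of any McAfee product: whatever HIPS blocks, a promotion that does succeed changes the computer account in AD (the SERVER_TRUST_ACCOUNT bit in userAccountControl and an NTDS Settings object), so a scheduled check can flag a member server that unexpectedly became a DC. It assumes the RSAT ActiveDirectory module is installed and that the `$ExpectedDCs` list is replaced with your own DC inventory.

```powershell
# Added example (not from the thread): audit for computer accounts that carry the
# domain controller flag but are not on the list of DCs you expect.
# Assumes the RSAT ActiveDirectory module and read access to the domain.
Import-Module ActiveDirectory

function Get-UnexpectedDomainControllers {
    param(
        # Constructed placeholder inventory; replace with your known-good DC names.
        [string[]] $ExpectedDCs = @('DC01', 'DC02')
    )

    # SERVER_TRUST_ACCOUNT (0x2000 = 8192) in userAccountControl marks a DC computer account.
    # 1.2.840.113556.1.4.803 is the LDAP bitwise-AND matching rule.
    $flagged = Get-ADComputer -LDAPFilter '(userAccountControl:1.2.840.113556.1.4.803:=8192)' `
                              -Properties userAccountControl, whenChanged

    # What the directory itself reports as DCs (objects with NTDS Settings).
    $registered = (Get-ADDomainController -Filter *).Name

    $dcOu = 'OU=Domain Controllers,' + (Get-ADDomain).DistinguishedName

    foreach ($c in $flagged) {
        $issues = @()
        if ($ExpectedDCs -notcontains $c.Name)       { $issues += 'not in expected DC inventory' }
        if ($registered  -notcontains $c.Name)       { $issues += 'DC flag set but no NTDS Settings object' }
        if ($c.DistinguishedName -notlike "*,$dcOu") { $issues += 'outside the Domain Controllers OU' }
        if ($issues.Count -gt 0) {
            [pscustomobject]@{
                Name        = $c.Name
                WhenChanged = $c.whenChanged
                Issue       = ($issues -join '; ')
            }
        }
    }
}

# Usage: anything listed here deserves an incident ticket; most recent change first.
Get-UnexpectedDomainControllers | Sort-Object WhenChanged -Descending | Format-Table -AutoSize
```

Run it from a scheduled task on a management host and alert on any non-empty output; an empty result means every DC-flagged account is one you already know about.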