Using firewall rules to restrict domain controller promotion (DCPROMO)
I am currently using McAfee HIPS on my domain controllers. I want to restrict dcpromo from being run on a member server in the event an account in the domain gets compromised and someone tries to run dcpromo on a member server in order to get a copy of the AD database. Has anyone tried to do this or have any suggestions on how to accomplish this? I am also running VirusScan and Application Control (Solidcore). Any help would be greatly appreciated!
Re: Using firewall rules to restrict domain controller promotion (DCPROMO)
It's been a while since I have run dcpromo. If it drops some sort of registry key, or starts a specific program, you could write a custom IPS signature to prevent this activity from occurring. If you ever did need to promote a domain controller, you would simply disable HIPS momentarily on that system.
Message was edited by: greatscott on 3/4/14 3:39:59 PM CST
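As an added example that is not part of the original thread (and not a McAfee HIPS signature, whose format the thread does not show): whatever host-based rule you put in place, you still want a domain-side check that a promotion did not slip through. Every domain controller's computer object carries the SERVER_TRUST_ACCOUNT bit (0x2000, decimal 8192) in userAccountControl, so any computer object with that bit set that is not on your own list of known DCs deserves a look. The script below is written for this thread; the sample objects are constructed, `Find-UnexpectedDC` is a hypothetical helper name, and the live query assumes the ActiveDirectory PowerShell module is installed.

```powershell
# Added example (not from the original thread). Flags computer accounts that carry the
# SERVER_TRUST_ACCOUNT bit (0x2000 / 8192) in userAccountControl, which Active Directory
# sets on every domain controller, and that are not on a maintained list of known DCs.
# Assumptions: the known-DC list is maintained by you (do not derive it from AD at run time,
# since a finished rogue promotion would appear there too); the ActiveDirectory module is
# available for Get-DCFlaggedComputers. The $sample objects below are constructed test data.

$ServerTrustAccount = 0x2000

function Find-UnexpectedDC {
    param(
        # Objects with Name, userAccountControl and DistinguishedName properties.
        [Parameter(Mandatory)] [object[]] $Computers,
        # Host names (without the trailing $) of the DCs you expect to exist.
        [Parameter(Mandatory)] [string[]] $KnownDCs
    )
    foreach ($c in $Computers) {
        $isDC = (([int]$c.userAccountControl) -band $ServerTrustAccount) -ne 0
        if ($isDC -and ($KnownDCs -notcontains $c.Name)) {
            [pscustomobject]@{
                Name              = $c.Name
                DistinguishedName = $c.DistinguishedName
                userAccountControl = $c.userAccountControl
                Reason            = 'SERVER_TRUST_ACCOUNT set but host is not a known DC'
            }
        }
    }
}

# Live query: every computer object with the DC bit set, selected with the LDAP
# bitwise-AND matching rule (OID 1.2.840.113556.1.4.803) so the server does the filtering.
function Get-DCFlaggedComputers {
    Get-ADComputer -LDAPFilter '(userAccountControl:1.2.840.113556.1.4.803:=8192)' `
                   -Properties userAccountControl |
        Select-Object Name, userAccountControl, DistinguishedName
}

# Constructed sample data for offline use. 532480 = 0x82000 (SERVER_TRUST_ACCOUNT +
# TRUSTED_FOR_DELEGATION), the usual value on a DC; 4096 = WORKSTATION_TRUST_ACCOUNT.
$sample = @(
    [pscustomobject]@{ Name = 'DC01';   userAccountControl = 532480; DistinguishedName = 'CN=DC01,OU=Domain Controllers,DC=corp,DC=example' }
    [pscustomobject]@{ Name = 'FILE01'; userAccountControl = 4096;   DistinguishedName = 'CN=FILE01,OU=Servers,DC=corp,DC=example' }
    [pscustomobject]@{ Name = 'APP07';  userAccountControl = 532480; DistinguishedName = 'CN=APP07,OU=Servers,DC=corp,DC=example' }
)

# Offline run against the constructed data: only APP07 should be reported.
Find-UnexpectedDC -Computers $sample -KnownDCs @('DC01') | Format-Table -AutoSize

# Live run (uncomment on a domain-joined host with the ActiveDirectory module):
# Find-UnexpectedDC -Computers (Get-DCFlaggedComputers) -KnownDCs @('DC01') | Format-Table -AutoSize
```

Run it on a schedule from a host that is not itself a candidate for promotion, and keep the known-DC list in change control rather than in the script. This is a detective control that complements, and does not replace, the host-based blocking rule discussed in the reply above.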