How to make a Read-only Domain Controller (RODC) architecture comply with directory services requirements for an Active Directory Domain

Overview

This article guides professionals on how to make a Read-only Domain Controller (RODC) architecture comply with directory services requirements for an Active Directory Domain.

Implementing this control should be considered of at least medium importance.

PS. G5 Cyber Security can scan your entire network for security vulnerabilities, guide you to resolve them, and more. Please contact us here to get started.


How to implement this security control

This can be implemented by doing the following.

  1. Ensure compliance with the VPN and IPSec requirements in the Network Infrastructure STIG.
  2. Ensure that IPSec and the other communications and security configurations for the management and replication of the RODC use the minimum number of Group Policy Objects (GPOs) required to provide the needed functionality.
  3. Replicate only the information needed to provide the required functionality. If full replication of all directory data is not needed, replicate only the selected identity and authentication information the RODC needs.
  4. Include an inspection of the RODC server in the DMZ when inspecting for least privilege.

How to verify this security control is implemented

  1. Verify that the site has applied the Network Infrastructure STIG to configure the VPN and IPSec.
  2. Verify that IPSec and the other communications and security configurations for the management and replication of the RODC are managed using the minimum number of Group Policy Objects (GPOs) required.
  3. Include an inspection of the RODC server in the DMZ when inspecting for least privilege.
  4. Verify that the required patches and compatibility packs are installed if the RODC is used with Windows 2003 (or earlier) clients.
  5. If the RODC server and its configuration do not comply with these requirements, then this is a finding.
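The implementation steps (minimal GPOs, selective replication) and the verification steps above can be checked from a management host with a single audit script. The following PowerShell is an added example written for this article, not code from the STIG or from any vendor. It assumes the RSAT ActiveDirectory and GroupPolicy modules are installed, that the account running it can read the domain, and that WinRM access to each RODC is available for the IPsec check; the list of "broad principals" it flags is an assumption about what should never appear on an RODC's Allowed list when only selected accounts are meant to be cached.

```powershell
# Added example (not from the original article): audit every RODC in the current domain
# against the implementation and verification steps above.
Import-Module ActiveDirectory
Import-Module GroupPolicy

# Assumption: these principals are too broad to be on an RODC's Allowed Password Replication
# Policy (PRP) list when the goal is to cache only selected identity/authentication data.
$BroadPrincipals = @('Domain Users', 'Authenticated Users', 'Everyone', 'Domain Computers')

$rodcs = Get-ADDomainController -Filter 'IsReadOnly -eq $true'
if (-not $rodcs) { Write-Warning 'No RODC found in this domain.'; return }

foreach ($rodc in $rodcs) {
    Write-Host "=== RODC: $($rodc.HostName) (site: $($rodc.Site)) ==="

    # Step 3 (selective replication): the PRP decides whose secrets may be cached on the RODC.
    $allowed = Get-ADDomainControllerPasswordReplicationPolicy -Identity $rodc -Allowed
    $denied  = Get-ADDomainControllerPasswordReplicationPolicy -Identity $rodc -Denied
    Write-Host "Allowed PRP entries: $($allowed.Name -join ', ')"
    Write-Host "Denied  PRP entries: $($denied.Name -join ', ')"
    foreach ($entry in $allowed) {
        if ($BroadPrincipals -contains $entry.Name) {
            Write-Warning "FINDING: broad principal '$($entry.Name)' is allowed to replicate to $($rodc.HostName)"
        }
    }

    # Accounts whose secrets are cached on this RODC right now; each one should map to a documented need.
    $revealed = Get-ADDomainControllerPasswordReplicationPolicyUsage -Identity $rodc -RevealedAccounts
    Write-Host "Accounts currently cached: $(@($revealed).Count)"
    $revealed | Select-Object -ExpandProperty SamAccountName | ForEach-Object { Write-Host "  $_" }

    # Step 2 (minimum GPOs): list every GPO applied through the Domain Controllers OU so the set can be
    # compared with the minimum documented for RODC management and replication.
    $dcOU  = (Get-ADDomain).DomainControllersContainer
    $links = (Get-GPInheritance -Target $dcOU).InheritedGpoLinks
    Write-Host "GPOs applied via $dcOU :"
    foreach ($link in $links) {
        Write-Host "  $($link.DisplayName) (enabled: $($link.Enabled), enforced: $($link.Enforced))"
    }

    # Step 1 (IPsec): confirm that IPsec rules are actually in force on the RODC itself.
    try {
        $ipsec = Invoke-Command -ComputerName $rodc.HostName -ScriptBlock {
            Get-NetIPsecRule -PolicyStore ActiveStore |
                Where-Object Enabled -eq 'True' |
                Select-Object DisplayName, InboundSecurity, OutboundSecurity
        }
        if (-not $ipsec) {
            Write-Warning "FINDING: no enabled IPsec rule is active on $($rodc.HostName)"
        } else {
            $ipsec | Format-Table -AutoSize | Out-String | Write-Host
        }
    } catch {
        Write-Warning "Could not query IPsec rules on $($rodc.HostName): $($_.Exception.Message)"
    }
}
```

Get-GPInheritance reports links on the domain and OU only; if the RODC's site also has GPOs linked, review those separately in the Group Policy Management console. Any "FINDING" line the script prints corresponds to item 5 of the verification list and should be recorded as such.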

Why you should implement this security control

The RODC role provides a unidirectional replication method for selected information from your internal network to the DMZ. If not properly configured so that the risk footprint is minimized, the internal domain controller or forest can be compromised.

RODC is considered part of the site’s Forest or Domain installation since it is not a standalone product, but rather a role of the Windows AD DS full installation or Server Core installation. It is possible to have Windows 2003 clients authenticated using RODC, however, compatibility packs are needed.

Note that RODC is not authorized for use across the site's perimeter firewall.
