Thursday, October 18, 2018

Active Directory and Firewalls

I'll try not to make this ranty as I actually want advice, but from a network PoV. The senior server guy has said that Microsoft now state that they only support an open network in both directions to every domain controller from any Windows server, as there are too many ports required. We are currently working towards micro-segmentation and securing our data center, including renewing our perimeter firewalls. For reference, although all our Windows servers are behind the firewall on private IPv4 addresses, there are no upstream firewalls or IDS/IPS beyond our perimeter firewall. Straight onto the Internet.

With the view of everything being allowed access to and from the domain controllers, I feel like we're opening a big hole to one of the most important components of our infrastructure internally, especially if one of the machines is compromised, and I'm finding it hard to see what the point of even being involved in the micro-segmentation project is if we just have permit any any rules to large pieces of the network.

So my question is, what do you currently do to restrict access to DCs (if at all) and is the server guy correct with his statement about open access to and from DCs?
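As an added illustration of what "restrict access to DCs" can look like in practice (this is example code, not part of the original post or anything the post's author runs): the script below encodes the port list Microsoft publishes for domain-member-to-DC traffic (DNS, Kerberos, LDAP/LDAPS, SMB, RPC endpoint mapper plus the dynamic RPC range, Global Catalog, AD Web Services, NTP), audits a set of firewall rules for anything that reaches the DC subnet on ports outside that list, and generates an allowlist rule set as the alternative to "permit any any". The `Rule` format, the subnets and the sample rules are constructed for the example; the dynamic RPC range is the Windows Server 2008+ default and can be narrowed with Microsoft's documented RPC port-restriction settings.

```python
"""Audit firewall rules reaching a domain-controller subnet against Microsoft's
documented AD port requirements, and build an allowlist alternative.
Rule format, subnets and sample rules are constructed for this example."""
import ipaddress
from dataclasses import dataclass

# (protocol, port) pairs Microsoft documents for member -> DC traffic.
AD_SERVICE_PORTS = {
    ("tcp", 53), ("udp", 53),      # DNS
    ("tcp", 88), ("udp", 88),      # Kerberos
    ("udp", 123),                  # NTP (W32Time)
    ("tcp", 135),                  # RPC endpoint mapper
    ("tcp", 389), ("udp", 389),    # LDAP
    ("tcp", 445),                  # SMB (SYSVOL, NETLOGON, Group Policy)
    ("tcp", 464), ("udp", 464),    # Kerberos password change
    ("tcp", 636),                  # LDAPS
    ("tcp", 3268), ("tcp", 3269),  # Global Catalog LDAP / LDAPS
    ("tcp", 9389),                 # AD Web Services (PowerShell AD module)
}
# Default dynamic RPC range on Server 2008+; can be narrowed via the
# Microsoft-documented RPC port-restriction settings so the allowlist shrinks.
RPC_DYNAMIC_RANGE = (49152, 65535)


@dataclass(frozen=True)
class Rule:
    src: str           # CIDR or "any"
    dst: str           # CIDR or "any"
    proto: str         # "tcp", "udp" or "any"
    dports: tuple      # inclusive (low, high); (0, 65535) means any port
    action: str        # "permit" or "deny"


def _protos(proto):
    return ("tcp", "udp") if proto == "any" else (proto,)


def _dst_reaches(rule_dst, dc_subnet):
    if rule_dst == "any":
        return True
    return ipaddress.ip_network(rule_dst).overlaps(ipaddress.ip_network(dc_subnet))


def _port_required(proto, port):
    if (proto, port) in AD_SERVICE_PORTS:
        return True
    lo, hi = RPC_DYNAMIC_RANGE
    return proto == "tcp" and lo <= port <= hi


def audit_rules(rules, dc_subnet):
    """Return (rule, unneeded_port_count) for every permit rule that reaches the
    DC subnet and opens ports outside the documented AD set. A 'permit any any'
    rule shows up with a count in the hundred-thousands; a single management port
    such as RDP shows up with a count of 1 so it can be reviewed deliberately."""
    findings = []
    for rule in rules:
        if rule.action != "permit" or not _dst_reaches(rule.dst, dc_subnet):
            continue
        lo, hi = rule.dports
        unneeded = sum(
            1
            for proto in _protos(rule.proto)
            for port in range(lo, hi + 1)
            if not _port_required(proto, port)
        )
        if unneeded:
            findings.append((rule, unneeded))
    return findings


def allowlist_for_dcs(src, dc_subnet):
    """Build the least-privilege replacement: one permit per documented AD port,
    one permit for the dynamic RPC range, then an explicit deny for everything else."""
    rules = [Rule(src, dc_subnet, proto, (port, port), "permit")
             for proto, port in sorted(AD_SERVICE_PORTS)]
    rules.append(Rule(src, dc_subnet, "tcp", RPC_DYNAMIC_RANGE, "permit"))
    rules.append(Rule("any", dc_subnet, "any", (0, 65535), "deny"))
    return rules


# Constructed sample: the "open in both directions" approach from the post,
# plus an RDP rule from an admin jump host. DC subnet is 10.10.0.0/24.
DC_SUBNET = "10.10.0.0/24"
SAMPLE_RULES = [
    Rule("10.20.0.0/16", DC_SUBNET, "any", (0, 65535), "permit"),   # member servers -> DCs
    Rule("10.30.5.0/24", DC_SUBNET, "tcp", (3389, 3389), "permit"),  # jump host -> DCs (RDP)
]

if __name__ == "__main__":
    for rule, count in audit_rules(SAMPLE_RULES, DC_SUBNET):
        print(f"{rule.src} -> {rule.dst} {rule.proto} {rule.dports}: {count} port(s) outside AD set")
    print("allowlist rules:", len(allowlist_for_dcs("10.20.0.0/16", DC_SUBNET)))
```

The RDP rule is reported on purpose: 3389 is not an AD protocol port, so management access to DCs should be its own deliberate rule from a jump host rather than something that rides along inside a wildcard. Running the audit over the generated allowlist returns no findings, which is the check to keep in a CI job so a later "temporary" any/any rule to the DC subnet gets caught.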
