In Case of Security Breach, ‘Read Only’!

By LTThinker, published in Tech Jobs Academy, Mar 17, 2016
Photo credit: http://www.tmctechnologies.com/cybersecurityinformationassurance/

In the world of IT, one of the more common questions to ask is:

How important is security in your environment?

It’s one of the first questions that I ask myself when implementing an infrastructure on a network. In the implementation of a secure domain, you must not underestimate the value of a read-only domain controller (RODC). Understanding this aspect helps administrators in a remote office defend against security threats, such as hackers or unauthorized users, who are capable of accessing sensitive information such as credit card info, balance reports, and confidential material.

In this post, I will discuss the benefits of developing an implementation strategy for RODCs, and the consequences of not doing so. That’s right, I like to hear the bad news before I get to the good news. But before we begin, we need to understand what an RODC is and what it can do.

So what is an RODC?

According to Microsoft, an RODC is a ‘domain controller that can be deployed in locations where physical security cannot be guaranteed.’

It does two things:

  • Hosts read-only partitions of the Active Directory database.
  • Responds to security authentication requests.

It is meant to be used for branch offices in locations where a systems administrator would not be nearby. This is crucial to point out because you do not want to make the mistake of installing an RODC in the main headquarters rather than the branch office, since the branch office is likely to be located remotely.

There are certain aspects to consider when introducing this element to an environment, and we must be able to detail the negatives and positives. That leads me to the consequences of not having an RODC in a remote location.

Consequences of not having an RODC

One of the biggest consequences of not having an RODC is the security risk of hackers exploiting a server because of the lack of security in branch offices. The assumption is that if a hacker can get into a writable domain controller, you can kiss your sweet systems administrator job goodbye. But do not fret, because an RODC addresses this problem and comes with added benefits.

Benefits of RODC

If your company chooses to implement this system, it would create an environment that would deter those who would compromise your infrastructure. Hackers would not be able to enter without proper rights due to several factors.

One of the things that makes it more secure is how an RODC is designed. It is not writable and, therefore, does not require an administrator with domain-level privileges for access. This is because of administrator role separation, which is another facet to consider in the implementation of RODCs. This mechanism lets you delegate administration of an RODC to a user who is not a member of the Domain Admins group. This secures the space so that only those with the proper authorization can utilize the system.

Another advantage is faster logon times, thanks to credential caching, which speeds up the revalidation of credentials for additional client requests.

A final component, and one that is crucial in terms of security, is unidirectional replication. Changes replicate only from the writable domain controller in the main office to the RODC in the branch office, never in the other direction, so nothing altered on the RODC is replicated back to the rest of the domain. You only need to make changes from the writable DC.
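
A defender's check for two of the features above, administrator role separation and credential caching, as an added example that is not part of the original post: it lists each RODC, the account it is delegated to, and the accounts whose passwords it currently caches. It assumes the ActiveDirectory PowerShell module (RSAT) and read access to the domain; the function name Get-RodcExposureReport is made up for illustration.

```powershell
# Added example (not from the original post): audit every RODC in the
# current domain. Assumes the ActiveDirectory module (RSAT) is installed.
Import-Module ActiveDirectory

function Get-RodcExposureReport {   # hypothetical name, for illustration
    # Domain controllers that are flagged read-only.
    $rodcs = Get-ADDomainController -Filter { IsReadOnly -eq $true }

    foreach ($rodc in $rodcs) {
        # Administrator role separation: the delegated local administrator
        # is recorded in ManagedBy on the RODC's computer object.
        $computer = Get-ADComputer -Identity $rodc.ComputerObjectDN -Properties ManagedBy

        # Credential caching: accounts whose passwords are currently stored
        # on this RODC. The RODC's own computer account and its dedicated
        # krbtgt account normally appear here as well.
        $revealed = Get-ADDomainControllerPasswordReplicationPolicyUsage `
            -Identity $rodc.Name -RevealedAccounts

        foreach ($account in $revealed) {
            # adminCount = 1 marks accounts that are, or have been, members
            # of protected privileged groups such as Domain Admins.
            $detail = Get-ADObject -Identity $account.DistinguishedName -Properties adminCount

            [pscustomobject]@{
                Rodc           = $rodc.Name
                Site           = $rodc.Site
                DelegatedAdmin = $computer.ManagedBy
                CachedAccount  = $account.SamAccountName
                ObjectClass    = $account.ObjectClass
                Privileged     = ($detail.adminCount -eq 1)
            }
        }
    }
}

# Privileged accounts sort to the top: their passwords should not be
# cached on a server whose physical security cannot be guaranteed.
Get-RodcExposureReport |
    Sort-Object @{ Expression = 'Privileged'; Descending = $true }, Rodc, CachedAccount |
    Format-Table -AutoSize
```

Any row with Privileged set to True is worth reviewing against the RODC's password replication policy, which `Get-ADDomainControllerPasswordReplicationPolicy` shows with `-Allowed` or `-Denied`.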

In conclusion, RODCs maintain a level of security that can guarantee a safe space for the organization, the network, and most importantly, your position in that organization. Be mindful, young sysadmins, and stay secure!

For more details and general information on RODCs, click on the video and links below:
