It’s dangerous to place a domain controller (DC) at a branch office because an attacker who can physically take over a DC can take over every computer in the domain. Windows Server 2008’s read-only domain controller (RODC) feature can limit the risks of placing DCs at remote sites, but RODCs don’t address all of them. Combining BitLocker Drive Encryption with a Trusted Platform Module (TPM) in Windows Server 2008 can make it difficult for someone to exploit physically vulnerable DCs.
This is Randy Franklin Smith’s last Access Denied column. Watch for Jan De Clercq’s new Windows Gatekeeper Q&A column in the April Security Pro VIP.