Q: How dangerous is it to put domain controllers (DCs) at branch offices where physical security might not match that of our data center?

A: It’s very dangerous. Branch-office DCs solve problems associated with WAN outages, logon performance, and bandwidth, but they also introduce a serious security problem. One of the immutable laws of computer security is that if you have physical access to a computer and sufficient knowledge or tools, you can compromise the OS’s security. That’s bad for any computer, but the implications are much more serious for DCs. If an attacker can take over a DC, he can ultimately take over all the computers, account files, and other resources in the domain, including the domain servers—and the information and applications on them—back at the corporate data center. So in reality, your domain is only as secure as the most vulnerable DC in your domain—regardless of the physical security at your data center. Furthermore, the risk isn’t limited to the immediate domain of a compromised DC. Because of the SID filtering limitation between domains in a forest, there’s no way to prevent a rogue administrator in one domain from assuming Administrator authority in other domains in the forest. And, of course, an attacker that compromises a local DC can assume Administrator authority on that computer.