
I'm helping a customer stand up an Azure environment and they decided to stand up a server (DC) on their own without asking for help.

The only access method is supposed to be IPsec, but they forgot to disable the Azure-assigned public IP while standing up the server, so their DC ended up public on the Internet with no firewall whatsoever - including Windows Firewall (disabled while troubleshooting other networking/replication issues).

The symptoms that led to this discovery were random account lockouts originating from Chinese IP addresses in the Security log on the domain controller.

I've since fixed the situation by re-enabling Windows Firewall, creating an Azure security group, and deleting the public IP so that it's secured by IPsec. I also recommended they just decommission that server entirely and spin up a new one.

But I'm still curious - what attack surfaces are there for a domain controller that has no firewall whatsoever on the open Internet? If they decide not to decommission it, is there anything to look for in terms of compromise?

  • 3
    If you're unsure, don't waste time on figuring out *if* or *how* it was compromised. You need to presume that it is indeed compromised. Domain controllers are trivial to set up, anyway, so just kill this one and build a new one from the ground up. – EEAA Jun 10 '16 at 16:27
  • Right, I get that. Traditional wisdom says domain controllers should be as protected as possible, so my question is more - what's the worst that could happen? –  Jun 10 '16 at 16:30
  • 3
    What's the worst that could happen? You were exploited by an as-of-yet unannounced remotely-exploitable rootkit-level vulnerability. Seriously, it's not worth your time thinking through all of that. Just shoot the server in the head and move on. – EEAA Jun 10 '16 at 16:32
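The only concrete evidence mentioned above is account lockouts from foreign addresses in the domain controller's Security log. A first triage step, whether or not the box is rebuilt, is to see which sources drove the failed logons (event 4625) and lockouts (event 4740), against which accounts, and over what window. The following PowerShell is an added example, not code from the question or its comments; it assumes the usual Security-log field names (`IpAddress` and `TargetUserName` on 4625, `TargetDomainName` as the caller computer name and `TargetUserName` on 4740) and uses constructed sample events so it can be exercised without a live log.

```powershell
# Added example (not from the original post): summarise failed logons (4625)
# and account lockouts (4740) by the source that caused them.
function Get-LogonFailureSummary {
    param(
        [Parameter(Mandatory)] $Events,   # flat objects: Id, TimeCreated, Source, Account
        [int] $Top = 10
    )
    $Events | Group-Object Source | Sort-Object Count -Descending | Select-Object -First $Top |
        ForEach-Object {
            [pscustomobject]@{
                Source   = $_.Name
                Failures = @($_.Group | Where-Object Id -eq 4625).Count
                Lockouts = @($_.Group | Where-Object Id -eq 4740).Count
                Accounts = (@($_.Group.Account | Sort-Object -Unique) -join ',')
                First    = ($_.Group.TimeCreated | Measure-Object -Minimum).Minimum
                Last     = ($_.Group.TimeCreated | Measure-Object -Maximum).Maximum
            }
        }
}

# Flatten raw Security events into the shape above. Assumed field names:
# 4625 carries the caller's IpAddress; 4740 carries the caller computer name
# in TargetDomainName. Both name the locked/failed account in TargetUserName.
function ConvertFrom-SecurityEvent {
    param([Parameter(ValueFromPipeline)] $Event)
    process {
        $data = @{}
        ([xml]$Event.ToXml()).Event.EventData.Data |
            ForEach-Object { $data[$_.Name] = $_.'#text' }
        $source = if ($Event.Id -eq 4625) { $data['IpAddress'] } else { $data['TargetDomainName'] }
        [pscustomobject]@{
            Id          = $Event.Id
            TimeCreated = $Event.TimeCreated
            Source      = $source
            Account     = $data['TargetUserName']
        }
    }
}

# Live use on the DC (reads the real Security log; run from an elevated session):
# Get-WinEvent -FilterHashtable @{ LogName='Security'; Id=4625,4740; StartTime=(Get-Date).AddDays(-7) } |
#     ConvertFrom-SecurityEvent | Get-LogonFailureSummary | Format-Table -AutoSize

# Constructed sample events (documentation-range addresses) so the summary runs offline.
$sample = @(
    [pscustomobject]@{ Id=4625; TimeCreated=[datetime]'2016-06-10T01:00:00'; Source='203.0.113.5'; Account='administrator' }
    [pscustomobject]@{ Id=4625; TimeCreated=[datetime]'2016-06-10T01:00:02'; Source='203.0.113.5'; Account='administrator' }
    [pscustomobject]@{ Id=4625; TimeCreated=[datetime]'2016-06-10T01:00:04'; Source='203.0.113.5'; Account='admin' }
    [pscustomobject]@{ Id=4740; TimeCreated=[datetime]'2016-06-10T01:00:05'; Source='203.0.113.5'; Account='admin' }
    [pscustomobject]@{ Id=4625; TimeCreated=[datetime]'2016-06-10T03:15:00'; Source='198.51.100.9'; Account='jsmith' }
    [pscustomobject]@{ Id=4625; TimeCreated=[datetime]'2016-06-10T08:00:00'; Source='10.0.0.21';    Account='jsmith' }
)
Get-LogonFailureSummary -Events $sample | Format-Table -AutoSize
```

On the sample data the top row is the address with three failures and one lockout against two accounts inside a five-second window, which is the pattern to separate from the single internal mistyped password at the bottom. A high-volume source hitting many accounts is a spray; a source that stops failing and starts succeeding (event 4624 from the same address) is the one that warrants treating the box as compromised, which is the conclusion the comments already reach.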
