What should I do if a domain controller is stolen?

security windows domain-controller

If I have a Windows 2008 or 2003 domain controller in a remote office (and its own AD site) that gets stolen, what sorts of things should I do to my main network or domain (if anything) in response?

The VPN is keyed off of the IP address of the network so there's nothing that would allow them to gain remote access to the primary network. I assume, at a minimum, I'd want everyone to change their passwords, but what else?


Solution 1:

Microsoft has some recommendations for what to do if a read-only DC is stolen. I don't think they go far enough, though. I lean more toward the approach described here. The big enchilada IMHO is to make sure that you immediately force password changes for all domain accounts; that will go a long way towards reducing the impact.

Solution 2:

Like the person said, change all passwords immediately. Also use NTDSUTIL and forcibly remove all traces of it from your AD. It may sound a bit extreme, but changing the site in question to a different IP subnet might not be a bad idea too.

Related

Uninstall Python packages built from source
localsystem and NT AUTHORITY\SYSTEM account the same?
What can go wrong when Domain Controllers have been moved out of Domain Controller OU?
SQL Server - Connect as another domain user
Running SQL server 2005 and 2008 on same machine?
how to list all server services running on my Linux computer
How can I test if a website is infected with malware?
Login failed--password of account must be changed--error 18488
icacls, Network Service, and setting ACLs on Windows Server 2008
SSD drives and RAID configurations vs LVM
Windows Domain Controller: Create a test environment from a production environment
Difference between "Windows Virtual PC" and "Microsoft Virtual PC"