Microsoft recently published an excellent Active Directory Security document. Laura Robinson is the lead author of the document and there are serious heavy hitters in the acknowledgements section including Laura Hunter, Dean Wells, and others. You can download the document using the link below:
Best Practices for Securing Active Directory
Joe brought up an excellent point on the DS-MVP list: we all know that best practice is to not run additional and unnecessary software on domain controllers, but was this documented? The document above addresses this.
From page 27 of the document:
Protecting Domain Controllers
Domain controllers should be treated as critical infrastructure components, secured more stringently and configured more rigidly than file, print, and application servers. Domain controllers should not run any software that is not required for the domain controller to function or doesn’t protect the domain controller against attacks. Domain controllers should not be permitted to access the Internet, and security settings should be configured and enforced by Group Policy Objects (GPOs). Detailed recommendations for the secure installation, configuration, and management of domain controllers are provided in the Securing Domain Controllers Against Attack section of this document.
Microsoft also recently released a shorter document that is worth downloading and reading.
Securing Active Directory: An Overview of Best Practices
I appreciate Microsoft and everyone who took time to write, edit, and review this important document. Many times we can tell our customers best practices, but they often don't believe it unless they see it come from a Microsoft site or document.
If you have worked around Active Directory long enough, you know this is a common problem: domain controllers used as file servers, app servers, etc. The fix is simple: reduce your attack vectors and don't install unnecessary software on your DCs. Also look into RODCs and Server Core as other easy ways to help secure DCs.
You may also see similar posts on other MVP blogs. Joe has asked us to get the word out about this.