A common environment for a very small business is to have one server that acts as a domain controller. This server commonly has these roles:
- Maintains the database of usernames and passwords that allow people to log into their computers

Medium-sized networks deploy a backup domain controller so that, if the primary goes down, people can still log in and a second copy of these databases exists. If your business doesn’t have a secondary domain controller, operations would be severely impacted if your server had a problem.
IT ‘best practices’ are to limit the amount of access to critical devices. Each additional person remoting into the server is another way for an attacker to get in. Also, each piece of software running on the server is a potential liability – this just happened with the Log4j issue, where a huge security flaw was discovered in a common piece of software.
Here are two reasons not to run extra software on domain controllers, or allow users to remote into a domain controller as a domain administrator:
- If a computer dies or gets infected, you can remove that computer from the network and fix it without impacting everyone else. If a domain controller dies or gets infected, all your computers, printers, and files are inaccessible until it is fixed. It can also take 10 times as long to fix a domain controller as a computer, because you must rebuild the database of usernames and passwords, reset all the passwords, set up the printers again, restore the files from a backup, reconfigure QuickBooks, etc.
- Someone with remote access to a domain controller (a “domain admin”) has access to the files on every other computer. You can test this by entering this into File Explorer on the server: \\computername\c$ Anyone with that access, including an attacker who takes over the account, can deploy ransomware to, sneakily infect, or destroy any other computer from this server.
If your organization uses remote desktop to access a domain controller for something like QuickBooks, you can strengthen your security greatly by moving QuickBooks to another computer.
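To see how exposed a domain controller is today, the following added example (not part of the original post) lists who holds domain admin rights and who has actually logged on to the server over Remote Desktop. It assumes it is run on the domain controller in an elevated PowerShell session with the ActiveDirectory module available; the 30-day look-back window is an arbitrary choice.

```powershell
# Added example: audit domain admin membership and RDP logons on this DC.
Import-Module ActiveDirectory

$days = 30   # assumption: look-back window, adjust as needed

# 1. Every user account with domain admin rights, including nested groups.
$admins = Get-ADGroupMember -Identity 'Domain Admins' -Recursive |
    Where-Object objectClass -eq 'user' |
    Select-Object -ExpandProperty SamAccountName

Write-Output "Domain Admins ($($admins.Count)): $($admins -join ', ')"

# 2. Successful Remote Desktop logons to this server.
#    Event 4624 = successful logon, LogonType 10 = RemoteInteractive (RDP).
$filter = @{
    LogName   = 'Security'
    Id        = 4624
    StartTime = (Get-Date).AddDays(-$days)
}
$rdpLogons = Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue |
    ForEach-Object {
        # Turn the event's <Data Name="..."> fields into a lookup table.
        $data = @{}
        foreach ($d in ([xml]$_.ToXml()).Event.EventData.Data) {
            $data[$d.Name] = $d.'#text'
        }
        if ($data['LogonType'] -eq '10') {
            [pscustomobject]@{
                Time          = $_.TimeCreated
                User          = $data['TargetUserName']
                Source        = $data['IpAddress']
                IsDomainAdmin = $admins -contains $data['TargetUserName']
            }
        }
    }

# 3. One row per user and source address, busiest first.
$rdpLogons | Group-Object User, Source | ForEach-Object {
    [pscustomobject]@{
        User          = $_.Group[0].User
        Source        = $_.Group[0].Source
        IsDomainAdmin = $_.Group[0].IsDomainAdmin
        Logons        = $_.Count
        LastSeen      = ($_.Group | Measure-Object Time -Maximum).Maximum
    }
} | Sort-Object Logons -Descending | Format-Table -AutoSize
```

Rows showing everyday users, such as the people who open QuickBooks, are the sessions to move to another computer.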
Other people agreeing that restricting access to a DC is a good idea: