Checklist: Secure domain controller settings
Written by Leon Ruumpol, Tuesday, 18 April 2006

In order to protect domain controllers from local and network attacks, you should use Group Policy settings. Ideally, you will modify the Default Domain Controllers Policy or create a new Group Policy Object (GPO) and link it to the Domain Controllers organizational unit (OU). In either case, you should configure the following settings to protect your domain controllers.

These settings exist under the Computer Configuration|Windows Settings|Security Settings|Local Policies|User Rights Assignment node.

  • Allow log on locally
  • Access this computer from the network

These settings exist under the Computer Configuration|Windows Settings|Security Settings|Local Policies|Security Options node.

  • Domain controller: LDAP server signing requirements
  • Domain member: Digitally encrypt or sign secure channel data
  • Network access: Allow anonymous SID/Name translation
  • Network access: Do not allow anonymous enumeration of SAM accounts and shares
  • Network access: Let Everyone permissions apply to anonymous users
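
One way to verify these settings on a domain controller, as an added example that is not part of the original checklist: the script below audits the text of a `secedit /export /cfg` file for the seven items listed above. The expected values and the set of SIDs treated as too broad are an assumed baseline (the checklist names the settings but not their values), and the sample export is constructed.

```python
# Added example: audit a `secedit /export /cfg` INF for the checklist's seven settings.
SAMPLE_INF = r"""
[System Access]
LSAAnonymousNameLookup = 1
[Registry Values]
MACHINE\System\CurrentControlSet\Services\NTDS\Parameters\LDAPServerIntegrity=4,1
MACHINE\System\CurrentControlSet\Services\Netlogon\Parameters\RequireSignOrSeal=4,1
MACHINE\System\CurrentControlSet\Control\Lsa\RestrictAnonymous=4,1
MACHINE\System\CurrentControlSet\Control\Lsa\EveryoneIncludesAnonymous=4,0
[Privilege Rights]
SeInteractiveLogonRight = *S-1-5-32-544,*S-1-5-32-545
SeNetworkLogonRight = *S-1-5-11,*S-1-5-32-544,*S-1-5-9
"""  # constructed sample; real exports are UTF-16 files, decode them before parsing
EXPECTED = {  # (section, key) -> ASSUMED baseline value; adjust to your own policy
    ("system access", "lsaanonymousnamelookup"): "0",
    ("registry values", r"machine\system\currentcontrolset\services\ntds\parameters\ldapserverintegrity"): "2",
    ("registry values", r"machine\system\currentcontrolset\services\netlogon\parameters\requiresignorseal"): "1",
    ("registry values", r"machine\system\currentcontrolset\control\lsa\restrictanonymous"): "1",
    ("registry values", r"machine\system\currentcontrolset\control\lsa\everyoneincludesanonymous"): "0",
}
BROAD = {"S-1-1-0": "Everyone", "S-1-5-7": "Anonymous Logon", "S-1-5-32-545": "Users"}  # assumed
RIGHTS = ("seinteractivelogonright", "senetworklogonright")

def parse_inf(text):
    """Return {(section, key): value}, with sections and keys lower-cased."""
    data, section = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].lower()
        elif section and "=" in line and not line.startswith(";"):
            key, value = line.split("=", 1)
            data[(section, key.strip().lower())] = value.strip()
    return data

def audit(text):
    """Return (setting, found, expected) tuples for every deviation from the baseline."""
    data, findings = parse_inf(text), []
    for (section, key), want in EXPECTED.items():
        got = data.get((section, key))
        if got is not None and section == "registry values":
            got = got.split(",", 1)[-1].strip('"')  # "4,2" is type REG_DWORD, value 2
        if got != want:  # a missing (undefined) setting is reported with found=None
            findings.append((key.rsplit("\\", 1)[-1], got, want))
    for right in RIGHTS:
        sids = data.get(("privilege rights", right), "")
        for sid in (s.strip().lstrip("*") for s in sids.split(",")):
            if sid in BROAD:
                findings.append((right, BROAD[sid], "not granted"))
    return findings
```

On the constructed sample, `audit(SAMPLE_INF)` reports anonymous SID/Name translation enabled, LDAP signing not required, and the Users group holding the local logon right.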