Improving the default domain controller Group Policy Objects


James Michael Stewart
04.20.2004


When Windows Server 2003 is used to establish an Active Directory-based network, there are two default Group Policy Objects: the default domain GPO and the default domain controller GPO. These Group Policy Objects are configured to provide a basic, minimal level of security for your domain network and its domain controllers. However, there are several ways to improve upon the default settings in these two GPOs.

I usually recommend that you do not make changes directly to either of these two default Group Policy Objects. Rather, create new GPOs at the same container level as these and make your changes only to your new GPOs. By keeping the original default Group Policy Objects intact, it will be easier to return to a default setting if you make a configuration mistake.

In my previous tip, I explored security improvements to the default domain Group Policy Object. In this tip I'll explore security improvements to the default domain controller GPO.

The default domain controller Group Policy Object applies security policy settings to the Domain Controllers OU. There are three areas of the GPO we need to examine: user rights assignment, security options, and event log policy.

In the User Rights Assignment policy, you should make the following changes to improve domain controller security:

User Right | Default Setting | Recommended Setting
Allow log on locally | Account Operators, Administrators, Backup Operators, Print Operators, Server Operators | Administrators, Backup Operators, Server Operators
Shut down the system | Account Operators, Administrators, Backup Operators, Print Operators, Server Operators | Administrators, Backup Operators, Server Operators

Reducing the number of people who can log on locally to a domain controller or who can shut down the system will result in fewer people attempting to gain physical access to the domain controllers.

In the Security Options policy, here are my recommendations to improve domain controller security:

Security Option | Default Setting | Recommended Setting
Audit: Audit the access of global system objects | Not defined | Disabled
Audit: Audit the use of Backup and Restore privilege | Not defined | Disabled
Audit: Shut down system immediately if unable to log security audits | Not defined | Disabled
Devices: Allow undock without having to log on | Not defined | Disabled
Devices: Allowed to format and eject removable media | Not defined | Administrators
Devices: Prevent users from installing printer drivers | Not defined | Enabled
Devices: Restrict CD-ROM access to locally logged-on user only | Not defined | Enabled
Devices: Restrict floppy access to locally logged-on user only | Not defined | Enabled
Devices: Unsigned driver installation behavior | Not defined | Do not allow installation
Domain controller: Allow server operators to schedule tasks | Not defined | Disabled
Domain controller: Refuse machine account password changes | Not defined | Disabled
Domain member: Digitally encrypt or sign secure channel data (always) | Enabled | Enabled
Domain member: Disable machine account password changes | Not defined | Disabled
Domain member: Maximum machine account password age | Not defined | 30 days
Domain member: Require strong (Windows 2000 or later) session key | Not defined | Enabled
Interactive logon: Do not display last user name | Not defined | Enabled
Interactive logon: Do not require CTRL+ALT+DEL | Not defined | Disabled
Interactive logon: Number of previous logons to cache (in case domain controller is not available) | Not defined | 0 logons
Interactive logon: Prompt user to change password before expiration | Not defined | 14 days
Interactive logon: Require Domain Controller authentication to unlock workstation | Not defined | Enabled
Interactive logon: Require smart card | Not defined | Enabled (requires a PKI environment and smart card devices)
Interactive logon: Smart card removal behavior | Not defined | Force logoff
Microsoft network client: Digitally sign communications (always) | Not defined | Enabled
Microsoft network client: Digitally sign communications (if server agrees) | Not defined | Enabled
Microsoft network client: Send unencrypted password to third-party SMB servers | Not defined | Disabled
Microsoft network server: Amount of idle time required before suspending session | Not defined | 15 min
Microsoft network server: Digitally sign communications (always) | Enabled | Enabled
Microsoft network server: Digitally sign communications (if client agrees) | Enabled | Enabled
Microsoft network server: Disconnect clients when logon hours expire | Not defined | Enabled
Network access: Do not allow storage of credentials or .NET Passports for network authentication | Not defined | Enabled
Network access: Restrict anonymous access to Named Pipes and Shares | Not defined | Enabled
Network security: Do not store LAN Manager hash value on next password change | Not defined | Enabled (requires updated legacy clients)
Network security: LAN Manager authentication level | Send NTLM response only | Send NTLMv2 responses/reject LM (requires updated legacy clients)
Network security: LDAP client signing requirements | Not defined | Require signing (or use Negotiate signing if pre-Windows 2000 SP3 domain controllers are used)
Recovery console: Allow automatic administrative logon | Not defined | Disabled
Recovery console: Allow floppy copy and access to all drives and all folders | Not defined | Disabled
Shutdown: Allow system to be shut down without having to log on | Not defined | Disabled
Shutdown: Clear virtual memory pagefile | Not defined | Enabled
System objects: Strengthen default permissions of internal system objects (e.g. Symbolic Links) | Not defined | Enabled
System settings: Optional subsystems | Not defined | Enabled (create a blank list of subsystems)
System settings: Use Certificate Rules on Windows Executables for Software Restriction Policies | Not defined | Enabled (requires PKI)

The third and final policy to alter is the Event Log policy. Here are my recommendations there:

Event Log Policy | Default Setting | Recommended Setting
Maximum application log size | Not defined | (No change)
Maximum security log size | Not defined | 131,072 KB (or larger)
Maximum system log size | Not defined | (No change)
Prevent local guests group from accessing application log | Not defined | Enabled
Prevent local guests group from accessing security log | Not defined | Enabled
Prevent local guests group from accessing system log | Not defined | Enabled
Retain application log | Not defined | (No change)
Retain security log | Not defined | (No change)
Retain system log | Not defined | (No change)
Retention method for application log | Not defined | (No change)
Retention method for security log | Not defined | Overwrite events as needed
Retention method for system log | Not defined | Overwrite events as needed

The only additional caveat to these Event Log policy recommendations is the need to back up and clear the security log on a regular basis. Performing a backup and clearing the log on a weekly or monthly basis will ensure that you don't consume all of the available storage space on the server's drive and that all security events are retained rather than overwritten. The reason I don't recommend setting the retention method to "do not overwrite" is that this may cause security events to fail to be recorded and will force a system shutdown if the security log becomes full. By regularly backing up the security log before it begins overwriting itself, you can avoid all of these issues. Adjust the maximum size of the security log to be about 20% larger than you typically need during your backup cycle (weekly or monthly).
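One way to verify that a domain controller actually received the user rights, security options and event log settings recommended in the three tables above is to export its effective security template with secedit and compare it against the recommended values. The following is an added example (not code from the article or from Microsoft); it assumes the usual registry paths behind each policy name, and the sample INF is constructed to deviate from the recommendations in several places.

```python
# Added example: compare a secedit-exported security template from a domain
# controller with the recommendations above. Export one on a DC with:
#     secedit /export /cfg dc-template.inf
# The registry paths assumed to back each policy name are the usual ones;
# SAMPLE_INF is constructed and deliberately deviates in several places.
ADMINS, SERVER_OPS, BACKUP_OPS = "*S-1-5-32-544", "*S-1-5-32-549", "*S-1-5-32-551"
# (INF section, value name) -> recommended value; a callable allows "or larger".
EXPECTED = {
    ("Privilege Rights", "SeInteractiveLogonRight"): {ADMINS, BACKUP_OPS, SERVER_OPS},
    ("Registry Values", r"MACHINE\System\CurrentControlSet\Control\Lsa\LmCompatibilityLevel"): "4",
    ("Registry Values", r"MACHINE\System\CurrentControlSet\Services\LDAP\LDAPClientIntegrity"): "2",
    ("Registry Values", r"MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\CachedLogonsCount"): "0",
    ("Security Log", "MaximumLogSize"): lambda kb: int(kb) >= 131072,
    ("Security Log", "AuditLogRetentionPeriod"): "0",  # 0 = overwrite events as needed
}

SAMPLE_INF = r"""[Privilege Rights]
SeInteractiveLogonRight = *S-1-5-32-544,*S-1-5-32-548,*S-1-5-32-549,*S-1-5-32-550,*S-1-5-32-551
[Registry Values]
MACHINE\System\CurrentControlSet\Control\Lsa\LmCompatibilityLevel=4,2
MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\CachedLogonsCount=1,"10"
[Security Log]
MaximumLogSize = 196608
AuditLogRetentionPeriod = 0
"""

def parse_inf(text):
    """Return {(section, name): raw value} from secedit's INF layout."""
    settings, section = {}, None
    for line in map(str.strip, text.splitlines()):
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1]
        elif section and "=" in line and not line.startswith(";"):
            name, value = (part.strip() for part in line.split("=", 1))
            settings[(section, name)] = value
    return settings

def normalize(section, raw):
    """Registry entries are '<regtype>,<data>' (REG_SZ data quoted); privilege
    rights are SID lists, compared as sets so order does not matter."""
    if section == "Registry Values":
        raw = raw.split(",", 1)[1].strip('"')
    return set(raw.split(",")) if section == "Privilege Rights" else raw

def check(text):
    """Return {short name: (actual, recommended)} for each deviating setting."""
    settings, findings = parse_inf(text), {}
    for (section, name), want in EXPECTED.items():
        raw = settings.get((section, name))
        got = None if raw is None else normalize(section, raw)
        if got is None or not (want(got) if callable(want) else got == want):
            findings[name.rsplit("\\", 1)[-1]] = (got, want)
    return findings
```

A missing entry is reported as a deviation too, since "Not defined" on a domain controller means the default (weaker) behaviour is still in force.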


James Michael Stewart is a partner and researcher for ITinfopros, a technology-focused writing and training organization.

