When Windows Server 2003 is used to establish an Active Directory based network, there are two default Group Policy Objects: the default domain GPO and the default domain controller GPO. These Group Policy Objects are configured to provide a basic minimal level of security for your domain network and its domain controllers. However, there are several ways to improve upon the default settings in these two GPOs.
I usually recommend that you do not make changes directly to either of these two default Group Policy Objects. Rather, create new GPOs at the same container level as these and make your changes only to your new GPOs. By keeping the original default Group Policy Objects intact, it will be easier to return to a default setting if you make a configuration mistake.
In my previous tip, I explored security improvements to the default domain Group Policy Object. In this tip I'll explore security improvements to the default domain controller GPO.
The default domain controller Group Policy Object applies security policy settings to the domain controller OU. There are three areas of the GPO we need to examine: user rights assignment, security options, and event log policy.
In the User Rights Assignment policy, you should make the following changes to improve domain controller security:
[TABLE]
Reducing the number of people who can log on locally to a domain controller or who can shut down the system will result in fewer people attempting to gain physical access to the domain controllers.
In the Security Options policy, here are my recommendations to improve domain controller security:
[TABLE]
The third and final policy to alter is the Event Log policy. Here are my recommendations there:
[TABLE]
The only additional caveat to these Event Log policy recommendations is the need to back up and clear out the security log on a regular basis. Performing a backup and clearing on a weekly or monthly basis will ensure that you don't consume all of the available storage space on the server's drive and that all security events are retained and not overwritten. The reason I don't recommend setting the retention method to no overwrite is that this may cause security events to fail to be recorded and will force a system shutdown in the event the security log becomes full. By regularly backing up the security log before it begins overwriting itself, you can avoid all of these issues. Adjust the maximum size of the security log to be about 20% larger than you typically need during your backup cycle (weekly or monthly).
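The backup-and-clear cycle and the 20% sizing rule described above can be scripted as follows. This is an added example, not part of the original tip; it assumes PowerShell 2.0 or later run from an elevated prompt on the domain controller, and the archive folder `D:\LogArchive` is a hypothetical path.

```powershell
# Added example: archive and clear the Security log once per backup cycle, then
# report a maximum log size about 20% above what this cycle actually used.
$archiveDir = 'D:\LogArchive'   # hypothetical archive location (assumption)
$stamp      = Get-Date -Format 'yyyyMMdd-HHmmss'
$backupFile = Join-Path $archiveDir ("Security-{0}-{1}.evt" -f $env:COMPUTERNAME, $stamp)

if (-not (Test-Path $archiveDir)) {
    New-Item -ItemType Directory -Path $archiveDir | Out-Null
}

# -EnableAllPrivileges lets WMI use the Security and Backup privileges that
# reading and archiving the Security log require.
$log = Get-WmiObject -Class Win32_NTEventlogFile -EnableAllPrivileges `
                     -Filter "LogFileName='Security'"
if (-not $log) { throw 'Security log not found through WMI.' }

$usedBytes = [int64]$log.FileSize      # bytes on disk at the end of this cycle
$maxBytes  = [int64]$log.MaxFileSize   # currently configured maximum

# A log that has reached its maximum has probably started overwriting events,
# which means the cycle is too long or the log is too small.
if ($usedBytes -ge $maxBytes) {
    Write-Warning 'Security log is at its maximum size; older events may already be overwritten.'
}

# ClearEventlog saves the current log to the archive file as part of clearing it.
# The timestamped name avoids colliding with an earlier archive.
$result = $log.ClearEventlog($backupFile)
if ($result.ReturnValue -ne 0) {
    throw "Archive and clear failed with WMI return code $($result.ReturnValue)."
}
if (-not (Test-Path $backupFile) -or (Get-Item $backupFile).Length -eq 0) {
    throw "Archive file $backupFile is missing or empty."
}

# Event log maximum sizes are set in 64 KB increments, so round the
# 20% headroom figure up to the next 64 KB boundary.
$block       = 64KB
$recommended = [int64]([math]::Ceiling(($usedBytes * 1.2) / $block) * $block)

New-Object PSObject -Property @{
    ArchiveFile     = $backupFile
    UsedThisCycleKB = [math]::Round($usedBytes / 1KB)
    CurrentMaxKB    = [math]::Round($maxBytes / 1KB)
    RecommendedKB   = $recommended / 1KB
}
```

Run it from a scheduled task at the same weekly or monthly interval as your backup cycle, and compare `RecommendedKB` across several cycles before changing the maximum log size in the GPO.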
James Michael Stewart is a partner and researcher for ITinfopros, a technology-focused writing and training organization.