When Windows Server 2003 is used to establish an Active Directory based network, there are two default GPOs -- the default domain GPO and the default domain controller GPO. These GPOs are configured to provide a basic minimal level of security for your domain network and its domain controllers. However, there are several ways to improve upon the default settings in these two GPOs.
I usually recommend that you do not make changes directly to either of these two default GPOs. Rather, create new GPOs at the same container level as these and make your changes only to your new GPOs. By keeping the original default GPOs intact, it will be easier to return to a default setting if you make a configuration mistake.
Let's first look at security improvements above and beyond those contained in the default domain GPO. The first area we want to explore is the Account Policies section. This section contains the password policy, account lockout policy, and the Kerberos policy.
Since passwords are the primary and default means by which Windows Server 2003 protects unauthorized use of user accounts, it is important to use and enforce strong passwords. The password policy of a GPO allows network administrators to programmatically force users to comply with a few significant password rules. Here is a table listing the defaults and my recommendations. Notice that the domain GPO defaults for the password policy are already reasonably secure.
|Enforce password history||24 passwords remembered||(No change)|
|Maximum password age||42 days||30 days|
|Minimum password age||1 day||(No change)|
|Minimum password length||7 characters||8 characters|
|Password must meet complexity requirements||Enabled||(No change)|
|Store password using reversible encryption||Disabled||(No change)|
The account lockout policy is used to manage the automated lockout feature of Windows Server 2003. After a specified number of failed logon attempts due to incorrect passwords, a user account can be locked out. This prevents brute force attacks against the logon prompt. Here is a table listing the defaults and my recommendations
|Account lockout duration||Not defined||0 minutes|
|Account lockout threshold||0 invalid logon attempts||5 invalid logon attempts|
|Reset account lockout counter after||Not defined||30 minutes|
Note that setting the account lockout duration to 0 (zero) will require an administrator to re-enable a locked out account. While this is the most secure setting, it is not the most convenient, especially for an administrator with lots of fumble-fingered users.
The Kerberos policy defines various settings of ticket management. The default settings of this policy are sufficient for most environments. So, I recommend leaving them as they are. Here is a chart showing the default settings of this policy.
|Enforce user logon restrictions||Enabled|
|Maximum lifetime for service ticket||600 minutes|
|Maximum lifetime for user ticket||10 hours|
|Maximum lifetime for user ticket renewal||7 days|
|Maximum tolerance for computer clock synchronization||5 minutes|
The remainder of the settings in the default domain GPO are usually sufficiently secure for most environments. However, there are numerous security improvements that can be made to the default domain controller GPO. I'll dive into that topic in the next tip.
James Michael Stewart is a partner and researcher for ITinfopros, a technology-focused writing and training organization.
This was first published in April 2004