Improving the default domain GPOs

When Windows Server 2003 is used to build an Active Directory domain, two GPOs are created automatically: the default domain GPO (the Default Domain Policy, linked at the domain root) and the default domain controller GPO (the Default Domain Controllers Policy, linked to the Domain Controllers OU). These GPOs provide a basic, minimal level of security for the domain and its domain controllers. There are, however, several ways to improve on their default settings.

I usually recommend that you do not edit either of these two default GPOs directly. Instead, create new GPOs linked to the same containers and make your changes only in the new GPOs. Place each new GPO above the default one in that container's link order, because when two GPOs linked to the same container define the same setting, the one higher in the link order wins. Keeping the original default GPOs intact makes it easy to back out a configuration mistake: unlink or delete your GPO and the defaults apply again. If a default GPO is ever damaged, Windows Server 2003 also ships dcgpofix.exe to restore it to its original state.

Let's first look at security improvements beyond those contained in the default domain GPO. The first area to explore is the Account Policies section, which holds the password policy, the account lockout policy, and the Kerberos policy. One caveat applies to all three: for domain accounts, these settings are read only from the GPOs linked at the domain level. An account policy in a GPO linked to an OU affects only the local accounts on the computers in that OU, so a replacement GPO carrying these settings must be linked at the domain root.

Since passwords are the primary and default means by which Windows Server 2003 protects user accounts against unauthorized use, it is important to require and enforce strong passwords. The password policy in a GPO lets administrators enforce a few significant password rules automatically, rather than relying on users to follow them. Here is a table listing the defaults and my recommendations. Notice that the domain GPO defaults for the password policy are already reasonably secure. The one setting never to enable is reversible encryption: it amounts to storing passwords in clear text and is only needed by a few legacy authentication protocols.



Setting                                      Default                    Recommended
Enforce password history                     24 passwords remembered    (No change)
Maximum password age                         42 days                    30 days
Minimum password age                         1 day                      (No change)
Minimum password length                      7 characters               8 characters
Password must meet complexity requirements   Enabled                    (No change)
Store password using reversible encryption   Disabled                   (No change)
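To make concrete what each of these settings actually enforces, here is an added example (not code from the original tip) that models the password-change checks in Python with the recommended values from the table above. The account, dates and candidate passwords are constructed for illustration, and the SHA-256 fingerprint stands in for whatever hash the directory really stores; the complexity rule modelled is the classic Windows one (no run of three or more characters from the account name or any part of the full name, and characters from at least three of the four classes upper, lower, digit, other).

```python
"""Model of the Windows password-policy checks discussed above.

Added example, not code from the original article: it reimplements the
rules those settings enforce so that each setting's effect can be seen on
sample input. The user, dates and passwords below are constructed.
"""
from __future__ import annotations

import hashlib
from dataclasses import dataclass, field
from datetime import date


@dataclass
class PasswordPolicy:
    # Recommended values from the table above.
    history_length: int = 24        # Enforce password history
    max_age_days: int = 30          # Maximum password age
    min_age_days: int = 1           # Minimum password age
    min_length: int = 8             # Minimum password length
    complexity: bool = True         # Password must meet complexity requirements


@dataclass
class Account:
    sam_name: str                   # logon name, e.g. "jsmith"
    full_name: str                  # display name, e.g. "John Smith"
    last_set: date                  # date the current password was set
    history: list = field(default_factory=list)   # fingerprints, newest first


def fingerprint(password: str) -> str:
    # Illustrative stand-in for the stored hash; not how AD stores passwords.
    return hashlib.sha256(password.encode("utf-8")).hexdigest()


def meets_complexity(password: str, account: Account) -> bool:
    """Classic Windows complexity rule: no 3+ character piece of the account
    name or of any part of the full name (case-insensitive), and characters
    from at least three of the four classes upper, lower, digit, other."""
    low = password.lower()
    tokens = [account.sam_name] + account.full_name.replace("-", " ").split()
    for tok in tokens:
        tok = tok.lower()
        if len(tok) >= 3 and tok in low:
            return False
    classes = [
        any(c.isupper() for c in password),
        any(c.islower() for c in password),
        any(c.isdigit() for c in password),
        any(not c.isalnum() for c in password),
    ]
    return sum(classes) >= 3


def change_password(account: Account, new_password: str, today: date,
                    policy: PasswordPolicy) -> tuple[bool, str]:
    """Apply the policy to a requested change; return (accepted, reason)."""
    # Minimum password age stops a user cycling through 24 throwaway
    # passwords in one sitting to get back to a favourite one.
    if (today - account.last_set).days < policy.min_age_days:
        return False, "minimum password age not reached"
    if len(new_password) < policy.min_length:
        return False, "shorter than minimum length"
    if policy.complexity and not meets_complexity(new_password, account):
        return False, "complexity requirements not met"
    fp = fingerprint(new_password)
    if fp in account.history[:policy.history_length]:
        return False, "password reused within history window"
    # Accepted: push onto the history, trim to the remembered count, stamp the date.
    account.history.insert(0, fp)
    del account.history[policy.history_length:]
    account.last_set = today
    return True, "ok"


def password_expired(account: Account, today: date, policy: PasswordPolicy) -> bool:
    """Maximum password age: the user must change it once it is this old."""
    return (today - account.last_set).days > policy.max_age_days


if __name__ == "__main__":
    policy = PasswordPolicy()
    acct = Account("jsmith", "John Smith", last_set=date(2004, 4, 1),
                   history=[fingerprint("Spring2004!")])
    for candidate, when in [("Spring2004!", date(2004, 4, 10)),   # reuse
                            ("johnsmith99", date(2004, 4, 10)),   # contains name
                            ("Tr0ub4dor&", date(2004, 4, 1)),     # too soon
                            ("Tr0ub4dor&", date(2004, 4, 10))]:   # accepted
        print(candidate, when, change_password(acct, candidate, when, policy))
    print("expired on 2004-05-15?", password_expired(acct, date(2004, 5, 15), policy))
```

Running the demo shows why the minimum age and the history length only work together: without the one-day minimum age, the 24-password history would be defeated in a minute.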

The account lockout policy manages the automated lockout feature of Windows Server 2003. After a specified number of failed logon attempts with an incorrect password, the user account is locked out. This blunts online password-guessing (brute force) attacks against the logon prompt; it does nothing against offline attacks on captured password hashes. Here is a table listing the defaults and my recommendations.

Setting                                Default                    Recommended
Account lockout duration               Not defined                0 minutes
Account lockout threshold              0 invalid logon attempts   5 invalid logon attempts
Reset account lockout counter after    Not defined                30 minutes

Note that setting the account lockout duration to 0 (zero) means a locked-out account stays locked until an administrator re-enables it. While this is the most secure setting against password guessing, it is not the most convenient, especially for an administrator with lots of fumble-fingered users. It also cuts the other way: anyone who can reach a logon prompt and knows an account name can deliberately lock that account by entering five bad passwords, and with a zero duration it stays locked until someone on staff notices. Weigh that against the help desk load before choosing zero; a non-zero duration of 30 minutes or more still slows guessing to a crawl.
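The three lockout settings interact in ways the table alone does not show, so here is an added example (not code from the original tip) that replays a constructed sequence of logon attempts through a model of the lockout counters: the threshold, the reset window and the duration, including the zero-duration case that needs an administrator to unlock. Timestamps are minutes from an arbitrary start and the attempt sequence is made up for illustration.

```python
"""Model of the Windows account-lockout counters discussed above.

Added example, not code from the original article: it replays a constructed
sequence of logon attempts through the three lockout settings so that the
interaction between threshold, reset window and duration is visible.
Times are minutes from an arbitrary start.
"""
from dataclasses import dataclass, field
from typing import Optional


@dataclass
class LockoutPolicy:
    threshold: int = 5              # Account lockout threshold (0 = never lock)
    reset_after_min: int = 30       # Reset account lockout counter after
    duration_min: int = 0           # Account lockout duration (0 = admin must unlock)


@dataclass
class AccountState:
    bad_count: int = 0
    last_bad: Optional[int] = None        # minute of the most recent bad password
    locked_at: Optional[int] = None       # minute the lockout began, if locked
    events: list = field(default_factory=list)


def is_locked(state: AccountState, now: int, policy: LockoutPolicy) -> bool:
    """True while the account is locked; clears an expired lockout as a side effect."""
    if state.locked_at is None:
        return False
    if policy.duration_min == 0:
        return True                       # stays locked until admin_unlock()
    if now - state.locked_at >= policy.duration_min:
        state.locked_at = None            # automatic unlock after the duration
        state.bad_count = 0
        return False
    return True


def attempt(state: AccountState, now: int, correct: bool, policy: LockoutPolicy) -> str:
    """Process one logon attempt at minute `now`; return what happened."""
    if is_locked(state, now, policy):
        state.events.append((now, "rejected: account locked"))
        return "locked"
    # The counter only accumulates inside the reset window: a quiet period of
    # reset_after_min or longer since the last bad password starts it at zero.
    if state.last_bad is not None and now - state.last_bad >= policy.reset_after_min:
        state.bad_count = 0
    if correct:
        state.bad_count = 0               # a successful logon clears the counter
        state.events.append((now, "success"))
        return "success"
    state.bad_count += 1
    state.last_bad = now
    if policy.threshold and state.bad_count >= policy.threshold:
        state.locked_at = now
        state.events.append((now, f"LOCKED after {state.bad_count} bad passwords"))
        return "locked"
    state.events.append((now, f"bad password ({state.bad_count}/{policy.threshold})"))
    return "bad"


def admin_unlock(state: AccountState) -> None:
    """What the administrator does in Active Directory Users and Computers."""
    state.locked_at = None
    state.bad_count = 0
    state.last_bad = None


if __name__ == "__main__":
    policy = LockoutPolicy()              # recommended values from the table
    s = AccountState()
    # Four bad passwords, then a 31-minute pause: the counter resets, so the
    # fifth wrong guess at minute 34 does NOT lock the account.
    for t in (0, 1, 2, 3):
        attempt(s, t, False, policy)
    attempt(s, 34, False, policy)
    # Five rapid bad passwords do lock it, and with duration 0 it stays locked.
    for t in (40, 41, 42, 43, 44):
        attempt(s, t, False, policy)
    attempt(s, 500, True, policy)         # correct password, still rejected
    admin_unlock(s)
    attempt(s, 501, True, policy)         # now accepted
    for event in s.events:
        print(event)
```

The reset window is the setting most often misunderstood: an attacker who paces guesses at one every 31 minutes never trips a 30-minute window, which is why the threshold alone is no substitute for strong passwords.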

The Kerberos policy defines the settings that govern ticket lifetimes and validation. The default settings of this policy are sufficient for most environments, so I recommend leaving them as they are. Note that the 5-minute clock tolerance is a hard requirement, not a tuning knob: a computer whose clock drifts further than that from its domain controller will fail Kerberos authentication, so keep domain time synchronization working. Here is a chart showing the default settings of this policy.

Setting                                                 Default
Enforce user logon restrictions                         Enabled
Maximum lifetime for service ticket                     600 minutes
Maximum lifetime for user ticket                        10 hours
Maximum lifetime for user ticket renewal                7 days
Maximum tolerance for computer clock synchronization    5 minutes

The remainder of the settings in the default domain GPO are usually sufficiently secure for most environments. However, there are numerous security improvements that can be made to the default domain controller GPO. I'll dive into that topic in the next tip.

James Michael Stewart is a partner and researcher for ITinfopros, a technology-focused writing and training organization.

This was first published in April 2004
