Tip

Improving the default domain controller Group Policy Objects

When Windows Server 2003 is used to establish an Active Directory based network, there are two default Group Policy Objects: the default domain GPO and the default domain controller GPO. These Group Policy Objects are configured to provide a basic minimal level of security for your domain network and its domain controllers. However, there are several ways to improve upon the default settings in these two GPOs.

I usually recommend that you do not make changes directly to either of these two default Group Policy Objects. Rather, create new GPOs at the same container level as these and make your changes only to your new GPOs. By keeping the original default Group Policy Objects intact, it will be easier to return to a default setting if you make a configuration mistake.

In my previous tip, I explored security improvements to the default domain Group Policy Object. In this tip I'll explore security improvements to the default domain controller GPO.

The default domain controller Group Policy Object applies security policy settings to the Domain Controllers OU. There are three areas of the GPO we need to examine: user rights assignment, security options, and event log policy.

In the User Rights Assignment policy, you should make the following changes to improve domain controller security:

User Right | Default Setting | Recommended Setting
Allow log on locally | Account Operators, Administrators, Backup Operators, Print Operators, Server Operators | Administrators, Backup Operators, Server Operators
Shut down the system | Account Operators, Administrators, Backup Operators, Print Operators, Server Operators | Administrators, Backup Operators, Server Operators

Restricting who can log on locally to a domain controller or shut it down shrinks the set of accounts that can reach its console or take it offline. Account Operators and Print Operators have no routine need to do either on a domain controller, so removing them costs nothing operationally and leaves an attacker fewer groups whose membership gets them to the console.

In the Security Options policy, here are my recommendations to improve domain controller security:

Security Option | Default Setting | Recommended Setting
Audit: Audit the access of global system objects | Not defined | Disabled
Audit: Audit the use of Backup and Restore privilege | Not defined | Disabled
Audit: Shut down system immediately if unable to log security audits | Not defined | Disabled
Devices: Allow undock without having to log on | Not defined | Disabled
Devices: Allowed to format and eject removable media | Not defined | Administrators
Devices: Prevent users from installing printer drivers | Not defined | Enabled
Devices: Restrict CD-ROM access to locally logged-on user only | Not defined | Enabled
Devices: Restrict floppy access to locally logged-on user only | Not defined | Enabled
Devices: Unsigned driver installation behavior | Not defined | Do not allow installation
Domain controller: Allow server operators to schedule tasks | Not defined | Disabled
Domain controller: Refuse machine account password changes | Not defined | Disabled
Domain member: Digitally encrypt or sign secure channel data (always) | Enabled | Enabled
Domain member: Disable machine account password changes | Not defined | Disabled
Domain member: Maximum machine account password age | Not defined | 30 days
Domain member: Require strong (Windows 2000 or later) session key | Not defined | Enabled
Interactive logon: Do not display last user name | Not defined | Enabled
Interactive logon: Do not require CTRL+ALT+DEL | Not defined | Disabled
Interactive logon: Number of previous logons to cache (in case domain controller is not available) | Not defined | 0 logons
Interactive logon: Prompt user to change password before expiration | Not defined | 14 days
Interactive logon: Require Domain Controller authentication to unlock workstation | Not defined | Enabled
Interactive logon: Require smart card | Not defined | Enabled (requires a PKI and smart card readers)
Interactive logon: Smart card removal behavior | Not defined | Force logoff
Microsoft network client: Digitally sign communications (always) | Not defined | Enabled
Microsoft network client: Digitally sign communications (if server agrees) | Not defined | Enabled
Microsoft network client: Send unencrypted password to third-party SMB servers | Not defined | Disabled
Microsoft network server: Amount of idle time required before suspending session | Not defined | 15 minutes
Microsoft network server: Digitally sign communications (always) | Enabled | Enabled
Microsoft network server: Digitally sign communications (if client agrees) | Enabled | Enabled
Microsoft network server: Disconnect clients when logon hours expire | Not defined | Enabled
Network access: Do not allow storage of credentials or .NET Passports for network authentication | Not defined | Enabled
Network access: Restrict anonymous access to Named Pipes and Shares | Not defined | Enabled
Network security: Do not store LAN Manager hash value on next password change | Not defined | Enabled (requires updated legacy clients)
Network security: LAN Manager authentication level | Send NTLM response only | Send NTLMv2 response only\refuse LM (requires updated legacy clients)
Network security: LDAP client signing requirements | Not defined | Require signing (or Negotiate signing if pre-Windows 2000 SP3 domain controllers are still present)
Recovery console: Allow automatic administrative logon | Not defined | Disabled
Recovery console: Allow floppy copy and access to all drives and all folders | Not defined | Disabled
Shutdown: Allow system to be shut down without having to log on | Not defined | Disabled
Shutdown: Clear virtual memory pagefile | Not defined | Enabled
System objects: Strengthen default permissions of internal system objects (e.g. Symbolic Links) | Not defined | Enabled
System settings: Optional subsystems | Not defined | Defined, with an empty list of subsystems
System settings: Use Certificate Rules on Windows Executables for Software Restriction Policies | Not defined | Enabled (requires PKI)

The third and final policy to alter is the Event Log policy. Here are my recommendations there:

Event Log Policy | Default Setting | Recommended Setting
Maximum application log size | Not defined | (No change)
Maximum security log size | Not defined | 131,072 KB (or larger)
Maximum system log size | Not defined | (No change)
Prevent local guests group from accessing application log | Not defined | Enabled
Prevent local guests group from accessing security log | Not defined | Enabled
Prevent local guests group from accessing system log | Not defined | Enabled
Retain application log | Not defined | (No change)
Retain security log | Not defined | (No change)
Retain system log | Not defined | (No change)
Retention method for application log | Not defined | (No change)
Retention method for security log | Not defined | Overwrite events as needed
Retention method for system log | Not defined | Overwrite events as needed

One caveat on these Event Log recommendations: back up and clear the security log on a regular schedule. A weekly or monthly backup-and-clear cycle keeps the log from consuming the server's disk and ensures that every security event is archived before it can be overwritten. I do not recommend the "Do not overwrite events" retention method because once the log fills, new security events are simply not recorded, and if "Audit: Shut down system immediately if unable to log security audits" were enabled the domain controller would halt as well. Backing up the security log before it wraps avoids both problems. Size the security log about 20% larger than the volume of events you typically generate during one backup cycle (weekly or monthly).
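To turn the three tables into something you can check against a real domain controller, here is an added Python example (not part of the original tip). It parses a security template in the .inf format that `secedit /export /cfg <file>` and the Security Templates snap-in write, and reports which recommended settings the template misses. The SAMPLE_INF text is constructed to mirror the "Default Setting" column above and is not a capture from a real server; the registry value names (LmCompatibilityLevel, NoLMHash, RequireSecuritySignature) and built-in group SIDs are the standard Windows ones.

```python
"""Audit a Windows security template against this tip's DC recommendations.

The .inf format is the one written by `secedit /export /cfg <file>` and by the
Security Templates MMC snap-in.  SAMPLE_INF below is constructed to mirror the
'Default Setting' column of the tables above; it is not a capture from a real
domain controller.
"""
import configparser

# Well-known SIDs of the built-in groups named in the user-rights table.
SID_NAMES = {
    "S-1-5-32-544": "Administrators",
    "S-1-5-32-548": "Account Operators",
    "S-1-5-32-549": "Server Operators",
    "S-1-5-32-550": "Print Operators",
    "S-1-5-32-551": "Backup Operators",
}

# Constructed sample export.  Registry values are "Type,Data"; type 4 is
# REG_DWORD.  LmCompatibilityLevel 2 is "Send NTLM response only".
SAMPLE_INF = r"""[Unicode]
Unicode=yes
[Privilege Rights]
SeInteractiveLogonRight = *S-1-5-32-548,*S-1-5-32-544,*S-1-5-32-551,*S-1-5-32-550,*S-1-5-32-549
SeShutdownPrivilege = *S-1-5-32-548,*S-1-5-32-544,*S-1-5-32-551,*S-1-5-32-550,*S-1-5-32-549
[Registry Values]
MACHINE\System\CurrentControlSet\Control\Lsa\LmCompatibilityLevel=4,2
MACHINE\System\CurrentControlSet\Control\Lsa\NoLMHash=4,0
MACHINE\System\CurrentControlSet\Services\LanManServer\Parameters\RequireSecuritySignature=4,1
[Security Log]
MaximumLogSize = 16384
AuditLogRetentionPeriod = 1
RestrictGuestAccess = 0
[Version]
signature="$CHICAGO$"
Revision=1
"""

# Recommended state, taken from the three tables above.
ALLOWED_CONSOLE_GROUPS = {"Administrators", "Backup Operators", "Server Operators"}
RECOMMENDED_DWORDS = {
    # value name -> (required data, policy name)
    "LmCompatibilityLevel": (4, "LAN Manager authentication level (NTLMv2 only, refuse LM)"),
    "NoLMHash": (1, "Do not store LAN Manager hash value on next password change"),
    "RequireSecuritySignature": (1, "Microsoft network server: Digitally sign communications (always)"),
}
MIN_SECURITY_LOG_KB = 131072


def parse_template(text):
    """Parse template text; a real export is UTF-16, so open it with encoding='utf-16'."""
    cp = configparser.ConfigParser(interpolation=None, delimiters=("=",))
    cp.optionxform = str  # keep the case of registry paths and privilege names
    cp.read_string(text)
    return cp


def groups_with_right(cp, privilege):
    """Return the group names holding a privilege ('*SID' entries resolved by name)."""
    raw = cp.get("Privilege Rights", privilege, fallback="")
    return {SID_NAMES.get(s.strip().lstrip("*"), s.strip()) for s in raw.split(",") if s.strip()}


def registry_dword(cp, value_name):
    """Return the REG_DWORD data for a value name under [Registry Values], or None."""
    if not cp.has_section("Registry Values"):
        return None
    for path, data in cp.items("Registry Values"):
        if path.rsplit("\\", 1)[-1] == value_name:
            reg_type, value = data.split(",", 1)
            return int(value) if reg_type == "4" else None
    return None


def audit(cp):
    """Return one finding per recommended setting the template does not meet."""
    findings = []
    for privilege, label in (("SeInteractiveLogonRight", "Allow log on locally"),
                             ("SeShutdownPrivilege", "Shut down the system")):
        extra = groups_with_right(cp, privilege) - ALLOWED_CONSOLE_GROUPS
        if extra:
            findings.append(f"{label}: remove {', '.join(sorted(extra))}")
    for name, (want, label) in RECOMMENDED_DWORDS.items():
        have = registry_dword(cp, name)
        if have != want:
            findings.append(f"{label}: is {have}, want {want}")
    log = cp["Security Log"] if cp.has_section("Security Log") else {}
    if int(log.get("MaximumLogSize", "0")) < MIN_SECURITY_LOG_KB:
        findings.append(f"Maximum security log size: want at least {MIN_SECURITY_LOG_KB} KB")
    # AuditLogRetentionPeriod: 0 = overwrite as needed, 1 = by days, 2 = do not overwrite
    if log.get("AuditLogRetentionPeriod", "0") != "0":
        findings.append("Retention method for security log: want 'Overwrite events as needed'")
    if log.get("RestrictGuestAccess", "0") != "1":
        findings.append("Prevent local guests group from accessing security log: want Enabled")
    return findings


if __name__ == "__main__":
    for line in audit(parse_template(SAMPLE_INF)):
        print(line)
```

To run it against a real domain controller, execute `secedit /export /cfg dc.inf` on the DC, read the file with encoding='utf-16' (secedit writes UTF-16), and pass the text to parse_template. The check covers only the settings that map directly to template keys; the remaining security options in the table have to be reviewed in the GPO itself.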


James Michael Stewart is a partner and researcher for ITinfopros, a technology-focused writing and training organization.


 

This was first published in April 2004
