Checklist: Top 5 Windows domain settings to audit

Microsoft has gradually improved the default security settings of its products, but older software like your domain controllers might still harbor some bad default settings. That, according to audit specialist Derek Melber, makes them a prime target for an audit. Melber provides the top five settings to audit in this checklist.

It is no secret that Microsoft has shipped server and desktop operating systems to customers with notoriously weak default security. With the past few operating system updates and operating system service packs, it has made some radical changes to improve the default security. That does not, however, correct the security of the existing operating systems installed with weak security, including your Windows Active Directory domain controllers.

In order to verify that security is configured properly, you should perform audits of the domain and domain controllers. Here are the top five security settings that should be audited as a minimum.

1. Domain Account Policy
This includes the Password Policy, Account Lockout Policy and Kerberos Policy. The default settings for a Windows 2000 domain allow blank passwords. The proper security settings should force a long, complex password. The password should be changed every month or two, with duplicate passwords disallowed for a year's worth of changes.
2. User Rights
Domain controllers are by default fairly well secured with regard to user rights. However, all member servers rely on the default user rights configuration, which is not very secure. For example, the Everyone group has the ability to log on locally to every member server, even your Exchange, SQL and SMS servers. These weak security settings should be removed and replaced with more realistic security settings.
3. Anonymous Connections
Anonymous connections are controlled by Registry settings, and restricting them can help reduce the attack surface on your domain controllers and servers. By verifying all of the Group Policy settings for anonymous control (Computer Configuration|Windows Settings|Security Settings|Local Policies|Security Options), you can increase security on your servers.
4. Authentication Protocols
The old LAN Manager authentication protocol is still enabled by default for your domain controllers and servers, just in case you need it. This opens a rather large security hole and should be restricted. Under the same node in the Group Policy Object as the anonymous controls, there are two LAN Manager policies that can restrict the use of this protocol.
5. Administrator Account
You should not use this account for anything but disaster recovery. The account should have a very long, complex and, if possible, dual-user password. It should not be used for services, nor for daily administration. In some cases, it should be disabled. The password for the domain administrator and local Security Accounts Manager Administrator accounts should be changed regularly. This is a laborious task, but there are tools out there to help simplify it.
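
The following is an added example, not part of the original article: a Python check that reads the text of a security policy export in the INF layout written by `secedit /export /cfg policy.inf` and reports weak values for checklist items 1 to 4. The thresholds (8 characters, 60 days, LAN Manager level 4), the finding names and the rule that a missing value counts as the weakest setting are assumptions made for the example, and the sample export is constructed.

```python
import configparser

# Constructed sample in the layout of `secedit /export /cfg policy.inf`.
SAMPLE_INF = r"""
[System Access]
MinimumPasswordLength = 0
PasswordComplexity = 0
MaximumPasswordAge = 42
PasswordHistorySize = 1
[Registry Values]
MACHINE\System\CurrentControlSet\Control\Lsa\LmCompatibilityLevel=4,0
MACHINE\System\CurrentControlSet\Control\Lsa\NoLMHash=4,0
MACHINE\System\CurrentControlSet\Control\Lsa\RestrictAnonymous=4,0
[Privilege Rights]
SeInteractiveLogonRight = *S-1-1-0,*S-1-5-32-544
"""

LSA = "MACHINE\\System\\CurrentControlSet\\Control\\Lsa\\"
MIN_LENGTH, MAX_AGE_DAYS, MIN_LM_LEVEL = 8, 60, 4   # assumed thresholds
EVERYONE = "*S-1-1-0"                               # well-known SID of Everyone

def audit(inf_text):
    """Return {finding: detail} for checklist items 1-4 found in the export."""
    cp = configparser.RawConfigParser(delimiters=("=",), strict=False)
    cp.read_string(inf_text)
    def sysval(key):              # [System Access]; missing counts as 0 (weakest)
        return cp.getint("System Access", key, fallback=0)
    def lsa(name):                # registry lines are "type,value"; missing -> 0
        raw = cp.get("Registry Values", LSA + name, fallback="4,0")
        return int(raw.split(",", 1)[1])
    length, age, hist = (sysval(k) for k in (
        "MinimumPasswordLength", "MaximumPasswordAge", "PasswordHistorySize"))
    logon = cp.get("Privilege Rights", "SeInteractiveLogonRight", fallback="")
    holders = [s.strip() for s in logon.split(",")]
    checks = [  # (finding, is_weak, detail); age -1 = never expires, 0 = missing
        ("password-length", length < MIN_LENGTH, f"minimum length is {length}"),
        ("password-complexity", sysval("PasswordComplexity") != 1, "not enforced"),
        ("password-age", not 0 < age <= MAX_AGE_DAYS, f"maximum age is {age} days"),
        ("password-history", age <= 0 or hist * age < 365,
         f"{hist} remembered x {age} days covers less than a year"),
        ("lm-auth", lsa("LmCompatibilityLevel") < MIN_LM_LEVEL, "LM still accepted"),
        ("lm-hash", lsa("NoLMHash") != 1, "LM hashes still stored"),
        ("anonymous", lsa("RestrictAnonymous") == 0, "anonymous access unrestricted"),
        ("everyone-logon", EVERYONE in holders, "Everyone may log on locally"),
    ]
    return {name: detail for name, weak, detail in checks if weak}

if __name__ == "__main__":
    for name, detail in audit(SAMPLE_INF).items():
        print(f"{name}: {detail}")
```

A real export is typically UTF-16 encoded, so open the file with `encoding="utf-16"` before passing its text to `audit`.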


Security is important, as is the verification of the security within your domain and on your domain controllers. By taking the appropriate steps to audit security, you are reducing the risk that an attacker will find an easy avenue into your enterprise and servers. You should not only verify these security settings, but also other key security settings like those indicated in the following resources:

  • Auditing Security and Controls of Windows® Active Directory® Domains
  • Securing Windows Server 2003

Derek Melber, MCSE, MVP and CISM, is the director of compliance solutions for DesktopStandard Corp. He has written the only books on auditing Windows security available at The Institute of Internal Auditors' bookstore, and he also wrote the Group Policy Guide for Microsoft Press -- the only book Microsoft has written on Group Policy. You can contact Melber at [email protected].

Copyright 2005 TechTarget
