It is no secret that Microsoft has shipped server and desktop operating systems to customers with notoriously weak default security. With the past few operating system updates and operating system service packs, it has made some radical changes to improve the default security. That does not, however, correct the security of the existing operating systems installed with weak security, including your Windows Active Directory domain controllers.
In order to verify that security is configured properly, you should perform audits of the domain and domain controllers. Here are the top five security settings that should be audited as a minimum.
Checklist: Top 5 Windows domain settings to audit

1. Domain Account Policy

This includes the Password Policy, Account Lockout Policy and Kerberos Policy. The default settings for a Windows 2000 domain allow blank passwords. The proper security settings should force a long, complex password. The password should be changed every month or two, with duplicate passwords disallowed for a year's worth of changes.

2. User Rights

Domain controllers are by default fairly well secured with regard to user rights. However, all member servers rely on the default user rights configuration, which is not very secure. For example, the Everyone group has the ability to log on locally to every member server, even your Exchange, SQL and SMS servers. These weak security settings should be removed and replaced with more realistic security settings.

3. Anonymous Connections

Anonymous connections are controlled by Registry settings and can help reduce the attack surface on your domain controllers and servers. By verifying all of the Group Policy settings for anonymous control (Computer Configuration | Windows Settings | Security Settings | Local Policies | Security Options), you can increase security on your servers.

4. Authentication Protocols

The old LAN Manager authentication protocol is still enabled by default for your domain controllers and servers, just in case you need it. This opens a rather large security hole and should be restricted. Under the same node in the Group Policy Object as the anonymous controls, there are two LAN Manager policies that can restrict the use of this protocol.

5. Administrator Account

You should not use this account for anything but disaster recovery. The account should have a very long, complex and, if possible, dual-user password. It should not be used for services, nor for daily administration. In some cases, it should be disabled. The password for the domain administrator and local Security Accounts Manager Administrator accounts should be changed regularly. This is a laborious task, but there are tools out there to help simplify it.
Security is important, as is the verification of the security within your domain and on your domain controllers. By taking the appropriate steps to audit security, you are reducing the risk that an attacker will find an easy avenue into your enterprise and servers. You should not only verify these security settings, but also other key security settings like those indicated in the following resources:
ABOUT THE AUTHOR:

Derek Melber, MCSE, MVP and CISM, is the director of compliance solutions for DesktopStandard Corp. He has written the only books on auditing Windows security available at The Institute of Internal Auditors' bookstore, and he also wrote the Group Policy Guide for Microsoft Press -- the only book Microsoft has written on Group Policy. You can contact Melber at [email protected].
Copyright 2005 TechTarget