Improving the default domain GPOs

Part one of an examination of the default domain Group Policy Object settings and recommendations for changes.

When Windows Server 2003 is used to establish an Active Directory-based network, there are two default GPOs -- the default domain GPO and the default domain controller GPO. These GPOs are configured to provide a basic, minimal level of security for your domain network and its domain controllers. However, there are several ways to improve upon the default settings in these two GPOs.

I usually recommend that you do not make changes directly to either of these two default GPOs. Rather, create new GPOs at the same container level as these and make your changes only to your new GPOs. If you keep the original default GPOs intact, it is easier to return to a default setting when you make a configuration mistake.

Let's first look at security improvements above and beyond those contained in the default domain GPO. The first area we want to explore is the Account Policies section. This section contains the password policy, account lockout policy, and the Kerberos policy.

Since passwords are the primary and default means by which Windows Server 2003 protects user accounts from unauthorized use, it is important to use and enforce strong passwords. The password policy of a GPO allows network administrators to programmatically force users to comply with a few significant password rules. Here is a table listing the defaults and my recommendations. Notice that the domain GPO defaults for the password policy are already reasonably secure.

| Policy | Default | Recommended |
| --- | --- | --- |
| Enforce password history | 24 passwords remembered | (No change) |
| Maximum password age | 42 days | 30 days |
| Minimum password age | 1 day | (No change) |
| Minimum password length | 7 characters | 8 characters |
| Password must meet complexity requirements | Enabled | (No change) |
| Store password using reversible encryption | Disabled | (No change) |

The account lockout policy is used to manage the automated lockout feature of Windows Server 2003. After a specified number of failed logon attempts due to incorrect passwords, a user account can be locked out. This prevents brute-force attacks against the logon prompt. Here is a table listing the defaults and my recommendations.

| Policy | Default | Recommended |
| --- | --- | --- |
| Account lockout duration | Not defined | 0 minutes |
| Account lockout threshold | 0 invalid logon attempts | 5 invalid logon attempts |
| Reset account lockout counter after | Not defined | 30 minutes |

Note that setting the account lockout duration to 0 (zero) means an administrator must re-enable a locked-out account. While this is the most secure setting, it is not the most convenient, especially for an administrator with lots of fumble-fingered users.
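The following PowerShell script is an added example and is not part of the original tip. It audits the effective default domain password policy and account lockout policy (the two tables above) against the recommended values and flags anything that needs review. It assumes the ActiveDirectory PowerShell module (part of RSAT) is installed on the machine running it; that module is not part of Windows Server 2003 itself. The rule table, the Test-PolicySetting function and the report format are my own constructions.

```powershell
# Added example, not from the original article: audit the effective default
# domain password and account lockout policy against the recommendations above.
# Assumes the ActiveDirectory PowerShell module (RSAT) is installed on the
# machine running this script; it is not part of Windows Server 2003 itself.
Import-Module ActiveDirectory

# Rules taken from the two tables. Each rule has an optional Min, Max or Equals
# bound plus the text shown in the report. "(No change)" rows keep the default.
$Recommended = @{
    PasswordHistoryCount        = @{ Min = 24;                         Text = '24 or more passwords remembered' }
    MaxPasswordAge              = @{ Max = (New-TimeSpan -Days 30);    Text = '30 days or less' }
    MinPasswordAge              = @{ Min = (New-TimeSpan -Days 1);     Text = '1 day or more' }
    MinPasswordLength           = @{ Min = 8;                          Text = '8 or more characters' }
    ComplexityEnabled           = @{ Equals = $true;                   Text = 'Enabled' }
    ReversibleEncryptionEnabled = @{ Equals = $false;                  Text = 'Disabled' }
    LockoutThreshold            = @{ Min = 1; Max = 5;                 Text = '1 to 5 invalid logon attempts (0 disables lockout)' }
    LockoutDuration             = @{ Equals = [TimeSpan]::Zero;        Text = '0 (locked until an administrator unlocks the account)' }
    LockoutObservationWindow    = @{ Min = (New-TimeSpan -Minutes 30); Text = '30 minutes or more' }
}

function Test-PolicySetting {
    param([string]$Name, $Actual, [hashtable]$Rule)

    # A setting passes only if it satisfies every bound the rule defines.
    $ok = $true
    if ($Rule.ContainsKey('Equals') -and ($Actual -ne $Rule.Equals)) { $ok = $false }
    if ($Rule.ContainsKey('Min')    -and ($Actual -lt $Rule.Min))    { $ok = $false }
    if ($Rule.ContainsKey('Max')    -and ($Actual -gt $Rule.Max))    { $ok = $false }

    $status = if ($ok) { 'OK' } else { 'REVIEW' }
    New-Object -TypeName PSObject -Property @{
        Setting     = $Name
        Actual      = $Actual
        Recommended = $Rule.Text
        Status      = $status
    }
}

# Query the effective policy for the current domain and evaluate every rule.
$policy = Get-ADDefaultDomainPasswordPolicy
$report = foreach ($name in $Recommended.Keys) {
    Test-PolicySetting -Name $name -Actual $policy.$name -Rule $Recommended[$name]
}

$report | Sort-Object Setting | Format-Table Setting, Actual, Recommended, Status -AutoSize

# Non-zero exit code when anything needs review, so the script fits a scheduled check.
if ($report | Where-Object { $_.Status -eq 'REVIEW' }) { exit 1 } else { exit 0 }
```

The script only reads the policy; it changes nothing, so it can run under an ordinary domain account. One caveat worth keeping in mind when you adopt a lockout duration of 0 with a threshold of 5: a handful of failed logons against a known account name locks that user out until an administrator intervenes, so pair the setting with monitoring of account lockout events in the Security log (event ID 644 on Windows Server 2003, 4740 on later versions) to spot both fumble-fingered users and guessing attempts early.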

The Kerberos policy defines various Kerberos ticket management settings. The default settings of this policy are sufficient for most environments, so I recommend leaving them as they are. Here is a table showing the default settings of this policy.

| Policy | Default |
| --- | --- |
| Enforce user logon restrictions | Enabled |
| Maximum lifetime for service ticket | 600 minutes |
| Maximum lifetime for user ticket | 10 hours |
| Maximum lifetime for user ticket renewal | 7 days |
| Maximum tolerance for computer clock synchronization | 5 minutes |

The remainder of the settings in the default domain GPO are usually sufficiently secure for most environments. However, there are numerous security improvements that can be made to the default domain controller GPO. I'll dive into that topic in the next tip.

James Michael Stewart is a partner and researcher for ITinfopros, a technology-focused writing and training organization.
