Manage

Improving the default domain controller Group Policy Objects

When Windows Server 2003 is used to establish an Active Directory-based network, there are two default GPOs: the default domain GPO and the default domain controller GPO. This article recommends several ways to improve upon the default settings in these two GPOs.

James Michael Stewart

Published: 19 Apr 2004

When Windows Server 2003 is used to establish an Active Directory based network, there are two default Group Policy...

Step 2 of 2:

You forgot to provide an Email Address.

This email address doesn’t appear to be valid.

This email address is already registered. Please login.

You have exceeded the maximum character limit.

Please provide a Corporate E-mail Address.
- I agree to TechTarget’s Terms of Use, Privacy Policy, and the transfer of my information to the United States for processing to provide me with relevant information as described in our Privacy Policy.
Please check the box if you want to proceed.
- I agree to my information being processed by TechTarget and its Partners to contact me via phone, email, or other means regarding information relevant to my professional interests. I may unsubscribe at any time.
Please check the box if you want to proceed.

Objects: the default domain GPO and the default domain controller GPO. These Group Policy Objects are configured to provide a basic minimal level of security for your domain network and its domain controllers. However, there are several ways to improve upon the default settings in these two GPOs.

I usually recommend that you do not make changes directly to either of these two default Group Policy Objects. Rather, create new GPOs at the same container level as these and make your changes only to your new GPOs. By keeping the original default Group Policy Objects intact, it will be easier to return to a default setting if you make a configuration mistake.

In my previous tip, I explored security improvements to the default domain Group Policy Object. In this tip I'll explore security improvements to the default domain controller GPO.

The default domain controller Group Policy Object applied security policy settings to the domain controller OU. There are three areas of the GPO we need to examine: user rights assignment, security options, and event log policy.

In the User Rights Assignment policy, you should make the following changes to improve domain controller security:

User Right	Default Setting	Recommended Setting
Allow log on locally	Account Operators Administrators Backup Operators Print Operators Server Operators	Administrators Backup Operators Server Operators
Shut down the system	Account Operators Administrators Backup Operators Print Operators Server Operators	Administrators Backup Operators Server Operators

Reducing the number of people who can log on locally to a domain controller or who can shut down the system will result in fewer people attempting to gain physical access to the domain controllers.

In the Security Options policy, here are my recommendations to improve domain controller security:

Security Option	Default Setting	Recommended Setting
Audit: Audit the access of global system objects	Not defined	Disabled
Audit: Audit the use of Backup and Restore privilege	Not defined	Disabled
Audit: Shut down system immediately if unable to log security audits	Not defined	Disabled
Devices: Allow undock without having to log on	Not defined	Disabled
Devices: Allowed to format and eject removable media	Not defined	Administrators
Devices: Prevent users from installing printer drivers	Not defined	Enabled
Devices: Restrict CD-ROM access to locally logged-on user only	Not defined	Enabled
Devices: Restrict floppy access to locally logged-on user only	Not defined	Enabled
Devices: Unsigned driver installation behavior	Not defined	Do not allow installation
Domain controller: Allow server operators to schedule tasks	Not defined	Disabled
Domain controller: Refuse machine account password changes	Not defined	Disabled
Domain member: Digitally encrypt or sign secure channel data (always)	Enabled	Enabled
Domain member: Disable machine account password changes	Not defined	Disabled
Domain member: Maximum machine account password age	Not defined	30 days
Domain member: Require strong (Windows 2000 or later) session key	Not defined	Enabled
Interactive logon: Do not display last user name	Not defined	Enabled
Interactive logon: Do not require CTRL+ALT+DEL	Not defined	Disabled
Interactive logon: Number of previous logons to cache (in case domain controller is not available)	Not defined	0 logons
Interactive logon: Prompt user to change password before expiration	Not defined	14 days
Interactive logon: Require Domain Controller authentication to unlock workstation	Not defined	Enabled
Interactive logon: Require smart card	Not defined	Enabled (Requires PKI environment and smart card devices)
Interactive logon: Smart card removal behavior	Not defined	Force logoff
Microsoft network client: Digitally sign communications (always)	Not defined	Enabled
Microsoft network client: Digitally sign communications (if server agrees)	Not defined	Enabled
Microsoft network client: Send unencrypted password to third-party SMB servers	Not defined	Disabled
Microsoft network server: Amount of idle time required before suspending session	Not defined	15 min
Microsoft network server: Digitally sign communications (always)	Enabled	Enabled
Microsoft network server: Digitally sign communications (if client agrees)	Enabled	Enabled
Microsoft network server: Disconnect clients when logon hours expire	Not defined	Enabled
Network access: Do not allow storage of credentials or .NET Passports for network authentication	Not defined	Enabled
Network access: Restrict anonymous access to Named Pipes and Shares	Not defined	Enabled
Network security: Do not store LAN Manager hash value on next password change	Not defined	Enabled (requires updated legacy clients)
Network security: LAN Manager authentication level	Send NTLM response only	Send NTLMv2 responses/reject LM (requires updated legacy clients)
Network security: LDAP client signing requirements	Not defined	Require signing (or use Negotiate signing if pre Windows 2000 SP3 domain controllers are used)
Recovery console: Allow automatic administrative logon	Not defined	Disabled
Recovery console: Allow floppy copy and access to all drives and all folders	Not defined	Disabled
Shutdown: Allow system to be shut down without having to log on	Not defined	Disabled
Shutdown: Clear virtual memory pagefile	Not defined	Enabled
System objects; Strengthen default permissions of internal system objects (e.g. Symbolic Links)	Not defined	Enabled
System settings: Optional subsystems	Not defined	Enabled (create a blank list of subsystems)
System settings: Use Certificate Rules on Windows Executables for Software Restriction Policies	Not defined	Enabled (requires PKI)

Then the third and final policy to alter is the Event Log policy, here are my recommendations there:

Event Log Policy	Default Setting	Recommended Setting
Maximum application log size	Not defined	(No change)
Maximum security log size	Not defined	131,072 KB (or larger)
Maximum system log size	Not defined	(No change)
Prevent local guests group from accessing application log	Not defined	Enabled
Prevent local guests group from accessing security log	Not defined	Enabled
Prevent local guests group from accessing system log	Not defined	Enabled
Retain application log	Not defined	(No change)
Retain security log	Not defined	(No change)
Retain system log	Not defined	(No change)
Retention method for application log	Not defined	(No change)
Retention method for security log	Not defined	Overwrite events as needed
Retention method for system log	Not defined	Overwrite events as needed

The only additional caveat to these Event Log policy recommendations is the need to backup and clear out the security log on a regular basis. Performing a backup and clearing on a weekly or monthly basis will ensure that you don't consume all of the available storage space on the server's drive and that all security events are retained and not overwritten. The reason I don't recommend setting the retention method to no overwrite is that this may cause security events to fail to be recorded and will force a system shutdown in the event the security logs becomes full. By regularly backing up the security log before it begins overwriting itself you can avoid all of these issues. Adjust the maximum size of the security log to be about 20% larger than you typically need during your backup cycle (weekly or monthly).

James Michael Stewart is a partner and researcher for ITinfopros, a technology-focused writing and training organization.

Dig Deeper on Windows systems and network management

What to configure in Windows Server local security policy Organizations should configure the local security policy for new servers to handle patch management and for protection against unauthorized access.

Troubleshooting poor Windows logon performance in Active Directory environments Battling slow client logon times is a common (and frustrating) problem for Windows admins. Find the steps to quickly diagnose and resolve these issues when they crop up.

Troubleshooting account lockouts in Group Policy While the account lockout setting in Group Policy is designed to protect systems from attackers, it can also be an inconvenience to users. Directory services expert Gary Olsen explains how to troubleshoot account lockout issues and offers tips for deciphering which problems are worth debugging.

Unlocking Group Policy account lockout secrets While Microsoft designed the account lockout settings to protect your environment from attackers, they can also be a real inconvenience for users. Directory services expert Gary Olsen explains how to get the security you want from the Account Lockout tool, without the aggravation.

Server Security - Terminal Services for Windows Server 2003 To adequately analyze server security in Terminal Server environments we must divide the servers into their multiple roles and look at the security of each role separately.

Server hardening This excerpt from Microsoft Windows Group Policy Guide discusses the basic security baseline for a member server that is running in a Windows Server 2003 Active Directory domain. In addition, best practice security configurations in the security templates, specific types of member servers and domain controllers will be covered.

Please create a username to comment.

Decide between SAN vs. hyper-converged for your virtual storage

Design your systems with virtualization architecture in mind

5 tips to ease Kubernetes adoption and legacy VM management

How to start your cloud career

Save money on instances with these cloud discounts

Google joins bare-metal cloud fray

SQL Server database design best practices and tips for DBAs

SQL Server in Azure database choices and what they offer users

Using a LEFT OUTER JOIN vs. RIGHT OUTER JOIN in SQL

4 ways to fix Windows 10 boot problems

When not to convert basic disks to dynamic disks

Project Limitless' 5G PC and what desktop admins need to know

Understand VDI market shifts from traditional VDI to cloud

Compare offerings from 3 major desktop-as-a-service providers

How to use VMware Horizon Performance Tracker

Dig Deeper on Windows systems and network management

Start the conversation

0 comments

Register

Login

Forgot your password?

Your password has been sent to:

Please create a username to comment.