Improving the default domain controller Group Policy Objects
When Windows Server 2003 is used to establish an Active Directory-based network, there are two default GPOs: the default domain GPO and the default domain controller GPO. This article recommends several ways to improve upon the default settings in these two GPOs.
When Windows Server 2003 is used to establish an Active Directory-based network, there are two default Group Policy Objects: the default domain GPO and the default domain controller GPO. These Group Policy Objects are configured to provide a basic, minimal level of security for your domain network and its domain controllers. However, there are several ways to improve upon the default settings in these two GPOs.
I usually recommend that you do not make changes directly to either of these two default Group Policy Objects. Rather, create new GPOs linked at the same container level as the defaults and make your changes only in the new GPOs, giving them higher link precedence so their settings win wherever both GPOs define a value. By keeping the original default Group Policy Objects intact, it is easier to return to a default setting if you make a configuration mistake: unlink or disable the new GPO and the defaults apply again.
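As an added example (not code from the article), this is how the "new GPO beside the default" approach looks when scripted with the GroupPolicy module. It assumes a management host with the GroupPolicy module installed (RSAT / Group Policy Management), and the domain name, OU distinguished name, GPO name and backup folder are placeholders you would replace. It first backs up the Default Domain Controllers Policy, then creates the new GPO, links it to the Domain Controllers OU at link order 1 (lowest number = highest precedence, processed last) and prints the resulting order so you can confirm the hardening GPO sits above the default one.

```powershell
# Added example: create a separate hardening GPO next to the Default Domain
# Controllers Policy and give it precedence. Requires the GroupPolicy module.
Import-Module GroupPolicy

$domain  = 'corp.example'                                # assumed domain
$dcOU    = 'OU=Domain Controllers,DC=corp,DC=example'    # assumed DN
$gpoName = 'DC Hardening - Security Settings'            # assumed GPO name
$backup  = 'C:\GPO-Backups'                              # assumed folder

# 1. Keep an untouched, restorable copy of the default GPO before any change.
New-Item -ItemType Directory -Path $backup -Force | Out-Null
Backup-GPO -Name 'Default Domain Controllers Policy' -Path $backup -Domain $domain |
    Out-Null

# 2. Create the new GPO and link it to the same container as the default one.
#    Order 1 means it is applied last, so where both GPOs define a setting the
#    hardening GPO's value is the one that takes effect.
$gpo = New-GPO -Name $gpoName -Domain $domain -Comment 'DC hardening; see tip'
New-GPLink -Name $gpoName -Target $dcOU -LinkEnabled Yes -Order 1 -Domain $domain |
    Out-Null

# 3. Verify: the hardening GPO must appear with a lower Order than the default.
(Get-GPInheritance -Target $dcOU -Domain $domain).GpoLinks |
    Sort-Object Order |
    Format-Table Order, DisplayName, Enabled, Enforced -AutoSize
```

If the table shows the Default Domain Controllers Policy at order 1 and the new GPO below it, re-run `Set-GPLink -Name $gpoName -Target $dcOU -Order 1 -Domain $domain`; until the order is right, the default GPO silently overrides every setting you put in the new one.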
In my previous tip, I explored security improvements to the default domain Group Policy Object. In this tip I'll explore security improvements to the default domain controller GPO.
The default domain controller Group Policy Object applies security policy settings to the Domain Controllers OU. There are three areas of the GPO we need to examine: user rights assignment, security options, and event log policy.
In the User Rights Assignment policy, you should make the following changes to improve domain controller security:
User Right | Default Setting | Recommended Setting |
--- | --- | --- |
Allow log on locally | Account Operators, Administrators, Backup Operators, Print Operators, Server Operators | Administrators, Backup Operators, Server Operators |
Shut down the system | Account Operators, Administrators, Backup Operators, Print Operators, Server Operators | Administrators, Backup Operators, Server Operators |
Reducing the number of groups that can log on locally to a domain controller or shut it down shrinks the set of accounts that can reach a DC console (a compromised Account Operator or Print Operator account no longer gets one), and with it the number of people who have any reason to seek physical access to the domain controllers.
In the Security Options policy, here are my recommendations to improve domain controller security. "Not defined" means the default GPO does not set the value, so the domain controller's local default applies until you define it:
Security Option | Default Setting | Recommended Setting |
--- | --- | --- |
Audit: Audit the access of global system objects | Not defined | Disabled |
Audit: Audit the use of Backup and Restore privilege | Not defined | Disabled |
Audit: Shut down system immediately if unable to log security audits | Not defined | Disabled |
Devices: Allow undock without having to log on | Not defined | Disabled |
Devices: Allowed to format and eject removable media | Not defined | Administrators |
Devices: Prevent users from installing printer drivers | Not defined | Enabled |
Devices: Restrict CD-ROM access to locally logged-on user only | Not defined | Enabled |
Devices: Restrict floppy access to locally logged-on user only | Not defined | Enabled |
Devices: Unsigned driver installation behavior | Not defined | Do not allow installation |
Domain controller: Allow server operators to schedule tasks | Not defined | Disabled |
Domain controller: Refuse machine account password changes | Not defined | Disabled |
Domain member: Digitally encrypt or sign secure channel data (always) | Enabled | Enabled |
Domain member: Disable machine account password changes | Not defined | Disabled |
Domain member: Maximum machine account password age | Not defined | 30 days |
Domain member: Require strong (Windows 2000 or later) session key | Not defined | Enabled |
Interactive logon: Do not display last user name | Not defined | Enabled |
Interactive logon: Do not require CTRL+ALT+DEL | Not defined | Disabled |
Interactive logon: Number of previous logons to cache (in case domain controller is not available) | Not defined | 0 logons |
Interactive logon: Prompt user to change password before expiration | Not defined | 14 days |
Interactive logon: Require Domain Controller authentication to unlock workstation | Not defined | Enabled |
Interactive logon: Require smart card | Not defined | Enabled (Requires PKI environment and smart card devices) |
Interactive logon: Smart card removal behavior | Not defined | Force logoff |
Microsoft network client: Digitally sign communications (always) | Not defined | Enabled |
Microsoft network client: Digitally sign communications (if server agrees) | Not defined | Enabled |
Microsoft network client: Send unencrypted password to third-party SMB servers | Not defined | Disabled |
Microsoft network server: Amount of idle time required before suspending session | Not defined | 15 min |
Microsoft network server: Digitally sign communications (always) | Enabled | Enabled |
Microsoft network server: Digitally sign communications (if client agrees) | Enabled | Enabled |
Microsoft network server: Disconnect clients when logon hours expire | Not defined | Enabled |
Network access: Do not allow storage of credentials or .NET Passports for network authentication | Not defined | Enabled |
Network access: Restrict anonymous access to Named Pipes and Shares | Not defined | Enabled |
Network security: Do not store LAN Manager hash value on next password change | Not defined | Enabled (takes effect only when each password is next changed, so force a change afterwards; requires updated legacy clients) |
Network security: LAN Manager authentication level | Send NTLM response only | Send NTLMv2 response only\refuse LM (requires updated legacy clients; use "refuse LM & NTLM" once every client supports NTLMv2) |
Network security: LDAP client signing requirements | Not defined | Require signing (or use Negotiate signing if pre Windows 2000 SP3 domain controllers are used) |
Recovery console: Allow automatic administrative logon | Not defined | Disabled |
Recovery console: Allow floppy copy and access to all drives and all folders | Not defined | Disabled |
Shutdown: Allow system to be shut down without having to log on | Not defined | Disabled |
Shutdown: Clear virtual memory pagefile | Not defined | Enabled |
System objects: Strengthen default permissions of internal system objects (e.g. Symbolic Links) | Not defined | Enabled |
System settings: Optional subsystems | Not defined | Defined with an empty list (so the POSIX subsystem, the local default, is no longer loaded) |
System settings: Use Certificate Rules on Windows Executables for Software Restriction Policies | Not defined | Enabled (requires PKI) |
The third and final policy area to adjust is the Event Log policy. Here are my recommendations:
Event Log Policy | Default Setting | Recommended Setting |
--- | --- | --- |
Maximum application log size | Not defined | (No change) |
Maximum security log size | Not defined | 131,072 KB (or larger) |
Maximum system log size | Not defined | (No change) |
Prevent local guests group from accessing application log | Not defined | Enabled |
Prevent local guests group from accessing security log | Not defined | Enabled |
Prevent local guests group from accessing system log | Not defined | Enabled |
Retain application log | Not defined | (No change) |
Retain security log | Not defined | (No change) |
Retain system log | Not defined | (No change) |
Retention method for application log | Not defined | (No change) |
Retention method for security log | Not defined | Overwrite events as needed |
Retention method for system log | Not defined | Overwrite events as needed |
The one additional caveat to these Event Log policy recommendations is the need to back up and clear the security log on a regular basis. Backing up and clearing weekly or monthly ensures that you neither consume all of the available storage on the server's drive nor lose security events to overwriting.

The reason I don't recommend the "Do not overwrite events" retention method is that once the security log fills, new security events are simply not recorded; and if "Audit: Shut down system immediately if unable to log security audits" is also enabled (it is recommended Disabled above), the domain controller halts instead. Regularly backing up the security log before it begins overwriting itself avoids both problems. Size the security log about 20% larger than you typically fill during one backup cycle (weekly or monthly), so that it never wraps before the backup runs.
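The three tables above (user rights, security options and event log policy) all map onto a security template, the same .inf format a GPO stores under SYSVOL as GptTmpl.inf. The following script is an added example, not the article's template and not one shipped by Microsoft: it encodes the user rights rows, a representative set of the security options rows (the remaining rows map onto registry values in the same way) and the event log rows, writes them to a template and runs a read-only `secedit /analyze` on the domain controller it is executed on, so you can see which of the recommended settings that DC does not yet meet before you import the same template into a GPO. The working folder and file names are assumptions; run it from an elevated prompt on a DC.

```powershell
# Added example: the tables above expressed as a security template, checked
# against the local domain controller without changing anything.
$work = 'C:\Temp\dc-hardening'          # assumed working folder
New-Item -ItemType Directory -Path $work -Force | Out-Null

# Well-known SIDs: S-1-5-32-544 Administrators, S-1-5-32-551 Backup Operators,
# S-1-5-32-549 Server Operators. Account Operators (548) and Print Operators
# (550) are deliberately absent, per the user rights table.
# Registry value types: 1 = REG_SZ, 3 = REG_BINARY, 4 = REG_DWORD.
$template = @'
[Unicode]
Unicode=yes
[Version]
signature="$CHICAGO$"
Revision=1
[Privilege Rights]
SeInteractiveLogonRight = *S-1-5-32-544,*S-1-5-32-551,*S-1-5-32-549
SeShutdownPrivilege = *S-1-5-32-544,*S-1-5-32-551,*S-1-5-32-549
[Registry Values]
MACHINE\System\CurrentControlSet\Control\Lsa\AuditBaseObjects=4,0
MACHINE\System\CurrentControlSet\Control\Lsa\FullPrivilegeAuditing=3,0
MACHINE\System\CurrentControlSet\Control\Lsa\CrashOnAuditFail=4,0
MACHINE\System\CurrentControlSet\Control\Lsa\SubmitControl=4,0
MACHINE\System\CurrentControlSet\Control\Lsa\LmCompatibilityLevel=4,4
MACHINE\System\CurrentControlSet\Control\Lsa\NoLMHash=4,1
MACHINE\System\CurrentControlSet\Control\Lsa\DisableDomainCreds=4,1
MACHINE\System\CurrentControlSet\Services\Netlogon\Parameters\RequireSignOrSeal=4,1
MACHINE\System\CurrentControlSet\Services\Netlogon\Parameters\DisablePasswordChange=4,0
MACHINE\System\CurrentControlSet\Services\Netlogon\Parameters\MaximumPasswordAge=4,30
MACHINE\System\CurrentControlSet\Services\Netlogon\Parameters\RequireStrongKey=4,1
MACHINE\System\CurrentControlSet\Services\Netlogon\Parameters\RefusePasswordChange=4,0
MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System\DontDisplayLastUserName=4,1
MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableCAD=4,0
MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System\ShutdownWithoutLogon=4,0
MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\CachedLogonsCount=1,"0"
MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\PasswordExpiryWarning=4,14
MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\ForceUnlockLogon=4,1
MACHINE\System\CurrentControlSet\Services\LanmanWorkstation\Parameters\RequireSecuritySignature=4,1
MACHINE\System\CurrentControlSet\Services\LanmanWorkstation\Parameters\EnableSecuritySignature=4,1
MACHINE\System\CurrentControlSet\Services\LanmanWorkstation\Parameters\EnablePlainTextPassword=4,0
MACHINE\System\CurrentControlSet\Services\LanManServer\Parameters\RequireSecuritySignature=4,1
MACHINE\System\CurrentControlSet\Services\LanManServer\Parameters\EnableSecuritySignature=4,1
MACHINE\System\CurrentControlSet\Services\LanManServer\Parameters\AutoDisconnect=4,15
MACHINE\System\CurrentControlSet\Services\LanManServer\Parameters\EnableForcedLogoff=4,1
MACHINE\System\CurrentControlSet\Services\LanManServer\Parameters\RestrictNullSessAccess=4,1
MACHINE\System\CurrentControlSet\Services\LDAP\LDAPClientIntegrity=4,2
MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Setup\RecoveryConsole\SecurityLevel=4,0
MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Setup\RecoveryConsole\SetCommand=4,0
MACHINE\System\CurrentControlSet\Control\Session Manager\Memory Management\ClearPageFileAtShutdown=4,1
MACHINE\System\CurrentControlSet\Control\Session Manager\ProtectionMode=4,1
[Application Log]
RestrictGuestAccess=1
[Security Log]
MaximumLogSize=131072
AuditLogRetentionPeriod=0
RestrictGuestAccess=1
[System Log]
AuditLogRetentionPeriod=0
RestrictGuestAccess=1
'@

$inf = Join-Path $work 'dc-hardening.inf'
$db  = Join-Path $work 'dc-hardening.sdb'
$log = Join-Path $work 'dc-hardening.log'
Set-Content -Path $inf -Value $template -Encoding Unicode

# Read-only: load the template into a fresh analysis database and compare the
# local machine's effective settings against it. Nothing is applied.
& secedit.exe /analyze /db $db /cfg $inf /overwrite /log $log /quiet

# The log marks each setting that differs from the template as a mismatch.
Get-Content $log | Select-String 'Mismatch'

# To apply the template to a single test DC (the tip recommends delivering
# it through the new GPO instead: Security Settings > Import Policy... in the
# Group Policy Object Editor accepts this same .inf):
#   & secedit.exe /configure /db $db /cfg $inf /overwrite /log $log
```

The template sets the rows the article recommends as "Disabled" to explicit 0 values rather than leaving them undefined, so the analysis reports a DC that still carries the local default as a mismatch rather than passing it silently. AuditLogRetentionPeriod=0 is "overwrite events as needed"; the log sizes are in KB.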
James Michael Stewart is a partner and researcher for ITinfopros, a technology-focused writing and training organization.