13.4 Default Security Through GPOs


The domain controllers are the key to ensuring your Active Directory is safe and secure. However, many aspects of your domain controllers may go unnoticed unless you are fully aware of what is happening behind the scenes. An important consideration is the point at which domain controllers receive many of their default security settings. You will recall that two default GPOs help configure the environment: the Default Domain Policy, targeted to the entire domain, and the Default Domain Controller Policy, targeted to the domain controllers. Finally, if you are upgrading from Windows NT to Windows 2000 or Server 2003, you will need to be aware of how the security on upgraded servers differs from that on freshly installed ones.

13.4.1 Default Domain Policy

The GPO that is linked to the domain is primarily targeted to configure the domain user's Account Policies. This includes the Password Policy, Account Lockout Policy, and Kerberos Policy. Figure 13-4 shows you the Default Domain Policy regarding the Account Policies.

Figure 13-4. Account Policies in the Default Domain Policy
figs/sws_1304.gif

The Default Domain Policy controls more than just the Account Policies. Table 13-2 lists the default settings in the Default Domain Policy.

Table 13-2. Default Domain Policy default configurations and values

| Computer configuration | Policy setting | Value |
|---|---|---|
| Password Policy | Enforce password history | 24 passwords remembered |
| | Maximum password age | 42 days |
| | Minimum password age | 1 day |
| | Minimum password length | 7 characters |
| | Password must meet complexity requirements | Enabled |
| | Store passwords using reversible encryption | Disabled |
| Account Lockout Policy | Account lockout duration | Not defined |
| | Account lockout threshold | 0 invalid logon attempts |
| | Reset account lockout counter after | Not defined |
| Kerberos Policy | Enforce user logon restrictions | Enabled |
| | Maximum lifetime for service ticket | 600 minutes |
| | Maximum lifetime for user ticket | 10 hours |
| | Maximum lifetime for user ticket renewal | 7 days |
| | Maximum tolerance for computer clock synchronization | 5 minutes |
| Local Policies\Security Options | Network security: force logoff when logon hours expire | Disabled |
| Public Key Policies | Encrypting File System | Administrator is configured as a Data Recovery Agent |


The User Configuration portion of the Default Domain Policy is not configured for any setting.
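The following PowerShell script is an added example, not code from the book: it reads the domain's effective Account Policies with the ActiveDirectory module and reports, setting by setting, where the live values are weaker than the Table 13-2 defaults. It assumes the RSAT ActiveDirectory module is installed and that the session can read the domain; the check logic and column names are this example's own.

```powershell
# Added example, not from the book: compare the domain's effective Account Policies
# with the Table 13-2 defaults and flag settings that deserve review.
# Assumes the ActiveDirectory module (RSAT) is installed and the session can read the domain.
Import-Module ActiveDirectory

# Each check: the property name returned by Get-ADDefaultDomainPasswordPolicy, the
# Table 13-2 default, and a test that is true when the live value should be reviewed.
$Checks = @(
    @{ Setting = 'PasswordHistoryCount'; Default = '24 passwords remembered'
       Review  = { param($v) $v -lt 24 } }
    @{ Setting = 'MaxPasswordAge'; Default = '42 days'
       # A zero TimeSpan means "never expires"; anything longer than 42 days is weaker too.
       Review  = { param($v) $v -eq [TimeSpan]::Zero -or $v -gt (New-TimeSpan -Days 42) } }
    @{ Setting = 'MinPasswordAge'; Default = '1 day'
       Review  = { param($v) $v -lt (New-TimeSpan -Days 1) } }
    @{ Setting = 'MinPasswordLength'; Default = '7 characters'
       Review  = { param($v) $v -lt 7 } }
    @{ Setting = 'ComplexityEnabled'; Default = 'Enabled'
       Review  = { param($v) -not $v } }
    @{ Setting = 'ReversibleEncryptionEnabled'; Default = 'Disabled'
       # Reversible encryption stores a recoverable password; any "Enabled" is a finding.
       Review  = { param($v) [bool]$v } }
    @{ Setting = 'LockoutThreshold'; Default = '0 invalid logon attempts'
       # 0 matches the book's default but means lockout is off; report it so it is not overlooked.
       Review  = { param($v) $v -eq 0 } }
)

$Policy = Get-ADDefaultDomainPasswordPolicy

$Report = foreach ($Check in $Checks) {
    $Actual = $Policy.($Check.Setting)      # dynamic property lookup by name
    [pscustomobject]@{
        Setting = $Check.Setting
        Default = $Check.Default
        Actual  = $Actual
        Review  = & $Check.Review $Actual   # $true = weaker than (or as weak as) the default
    }
}

$Report | Format-Table -AutoSize
```

The Kerberos Policy rows of Table 13-2 are not exposed by this cmdlet; read them from the GPO itself, for example with Get-GPOReport from the GroupPolicy module or with gpresult on a domain controller. Note that Get-ADDefaultDomainPasswordPolicy returns the policy that is actually in force for the domain, which is the Default Domain Policy unless another GPO linked at the domain level has overridden it.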

13.4.2 Default Domain Controller Policy

The GPO that is linked to the domain controllers OU is targeted to configure only the domain controllers. Its primary focus is on the user rights for the domain controllers, as shown in Figure 13-5.

Figure 13-5. User Rights Assignment in the Default Domain Controller Policy
figs/sws_1305.gif

The Default Domain Controller Policy does more than just configure user rights for the domain controllers. Table 13-3 lists the default settings in the Default Domain Controller Policy.

Table 13-3. Default Domain Controller Policy default configurations and values

| Computer configuration | Policy setting | Value |
|---|---|---|
| Audit Policy | Audit account logon events | Success |
| | Audit account management | No auditing |
| | Audit directory service access | No auditing |
| | Audit logon events | Success |
| | Audit object access | No auditing |
| | Audit policy change | No auditing |
| | Audit privilege use | No auditing |
| | Audit process tracking | No auditing |
| | Audit system events | No auditing |
| User Rights Assignment [1] | Access this computer from the network | Administrators; Authenticated Users; ENTERPRISE DOMAIN CONTROLLERS; Everyone; Pre-Windows 2000 Compatible Access |
| | Add workstations to domain | Authenticated Users |
| | Adjust memory quotas for a process | Administrators; LOCAL SERVICE; NETWORK SERVICE |
| | Allow logon locally | Account Operators; Administrators; Backup Operators; Print Operators; Server Operators |
| | Back up files and directories | Administrators; Backup Operators; Server Operators |
| | Bypass traverse checking | Authenticated Users; Administrators; Everyone; Pre-Windows 2000 Compatible Access |
| | Change the system time | Administrators; Server Operators |
| | Create a pagefile | Administrators |
| | Debug programs | Administrators |
| | Deny access to this computer from the network | <domain>\Support_* |
| | Deny logon locally | <domain>\Support_* |
| | Enable computer and user accounts to be trusted for delegation | Administrators |
| | Force shutdown from a remote system | Administrators; Server Operators |
| | Generate security audits | LOCAL SERVICE; NETWORK SERVICE |
| | Increase scheduling priority | Administrators |
| | Load and unload device drivers | Administrators; Print Operators |
| | Log on as a batch job | <domain>\IIS; <domain>\IUSR; <domain>\IWAM; <domain>\Support_*; LOCAL SERVICE |
| | Log on as a service | NETWORK SERVICE |
| | Manage Auditing and Security Log | Administrators |
| | Modify firmware environment variables | Administrators |
| | Profile system performance | Administrators |
| | Remove computer from docking station | Administrators |
| | Replace a process level token | <domain>\IWAM; LOCAL SERVICE; NETWORK SERVICE |
| | Restore files and directories | Administrators; Backup Operators; Server Operators |
| | Shut down the system | Administrators; Backup Operators; Print Operators; Server Operators |
| | Take ownership of files and other objects | Administrators |
| Local Policies\Security Options | Domain controller: LDAP server signing requirements | None |
| | Domain controller: digitally encrypt or sign secure channel data (always) | Enabled |
| | Microsoft network server: digitally sign communications (always) | Enabled |
| | Microsoft network server: digitally sign communications (if client agrees) | Enabled |
| | Network security: LAN Manager authentication level | Send NTLM response only |

[1] User rights not included here are either not defined or are defined but are left empty.

The User Configuration portion of the Default Domain Controller Policy is not configured for any setting.
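The script below is an added example, not code from the book. It parses the INF produced by `secedit /export` (the [Event Audit] and [Privilege Rights] sections) and reports where a domain controller's audit policy and a handful of user rights differ from the Table 13-3 defaults. The embedded INF text is a constructed sample so the script runs offline; the export path, the parser function name and the subset of rights checked are this example's own choices.

```powershell
# Added example, not from the book: compare a DC's exported local security policy with
# the Table 13-3 defaults. On a real DC, first export with (path is an assumption):
#   secedit /export /cfg C:\temp\dc-policy.inf
# and replace $SampleInf with (Get-Content C:\temp\dc-policy.inf -Raw).
# $SampleInf is a constructed excerpt in secedit's INF format.
$SampleInf = @'
[Event Audit]
AuditSystemEvents = 0
AuditLogonEvents = 1
AuditObjectAccess = 0
AuditPrivilegeUse = 0
AuditPolicyChange = 3
AuditAccountManage = 0
AuditProcessTracking = 0
AuditDSAccess = 0
AuditAccountLogon = 1
[Privilege Rights]
SeNetworkLogonRight = *S-1-5-32-544,*S-1-5-11,*S-1-5-9,*S-1-1-0,*S-1-5-32-554
SeDebugPrivilege = *S-1-5-32-544,*S-1-5-32-549
SeEnableDelegationPrivilege = *S-1-5-32-544
'@

# Minimal INF parser (this example's own): returns @{ Section = @{ Key = Value } }.
function ConvertFrom-SecurityInf {
    param([string]$Text)
    $Result = @{}
    $Section = ''
    foreach ($Line in $Text -split "`r?`n") {
        $Line = $Line.Trim()
        if ($Line -match '^\[(.+)\]$') { $Section = $Matches[1]; $Result[$Section] = @{}; continue }
        if ($Section -and $Line -match '^([^=]+?)\s*=\s*(.*)$') {
            $Result[$Section][$Matches[1]] = $Matches[2]
        }
    }
    return $Result
}

# INF audit values: 0 = none, 1 = success, 2 = failure, 3 = success and failure.
$AuditNames = @{ 0 = 'No auditing'; 1 = 'Success'; 2 = 'Failure'; 3 = 'Success, Failure' }
$AuditDefaults = @{                       # Table 13-3 "Audit Policy" rows
    AuditAccountLogon = 1; AuditAccountManage = 0; AuditDSAccess = 0
    AuditLogonEvents  = 1; AuditObjectAccess  = 0; AuditPolicyChange = 0
    AuditPrivilegeUse = 0; AuditProcessTracking = 0; AuditSystemEvents = 0
}

# Well-known SIDs for the groups named in the table (secedit writes SIDs with a leading '*').
$WellKnown = @{
    'S-1-5-32-544' = 'Administrators';  'S-1-5-11' = 'Authenticated Users'
    'S-1-5-9'      = 'ENTERPRISE DOMAIN CONTROLLERS'; 'S-1-1-0' = 'Everyone'
    'S-1-5-32-554' = 'Pre-Windows 2000 Compatible Access'; 'S-1-5-32-549' = 'Server Operators'
}
$RightsDefaults = @{                      # three rights from Table 13-3, by INF constant
    SeNetworkLogonRight         = @('S-1-5-32-544', 'S-1-5-11', 'S-1-5-9', 'S-1-1-0', 'S-1-5-32-554')
    SeDebugPrivilege            = @('S-1-5-32-544')
    SeEnableDelegationPrivilege = @('S-1-5-32-544')
}

$Inf = ConvertFrom-SecurityInf $SampleInf

foreach ($Key in ($AuditDefaults.Keys | Sort-Object)) {
    $Actual = [int]$Inf['Event Audit'][$Key]
    if ($Actual -ne $AuditDefaults[$Key]) {
        "$Key is '$($AuditNames[$Actual])' (Table 13-3 default: '$($AuditNames[$AuditDefaults[$Key]])')"
    }
}

foreach ($Key in ($RightsDefaults.Keys | Sort-Object)) {
    $Holders = ($Inf['Privilege Rights'][$Key] -split ',') | ForEach-Object { $_.Trim().TrimStart('*') }
    foreach ($Sid in ($Holders | Where-Object { $_ -notin $RightsDefaults[$Key] })) {
        $Name = if ($WellKnown[$Sid]) { $WellKnown[$Sid] } else { $Sid }
        "$Key is held by '$Name', which is not in the Table 13-3 default"
    }
}
```

With the constructed sample the script reports two differences: policy-change auditing is set to Success, Failure instead of No auditing, and Server Operators hold the Debug programs right in addition to Administrators. The first is stronger than the default and is simply worth confirming as intentional; the second grants a right that the default keeps to Administrators alone and should be traced back to whoever changed it. Rights held by fewer groups than the default are not flagged, since that direction only tightens access.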

13.4.3 Default Security for Upgrades

If the domain controllers are upgraded from Windows NT 4.0 domain controllers, the security for these settings is much different. In such cases, a special security template is used to configure many of these settings for both the Default Domain Policy and Default Domain Controller Policy. The security template is named DCUP.INF and is automatically applied to the domain controller being upgraded.

This watered-down security template is used for an upgrade to ensure compatibility of the existing applications with Windows Server 2003. The proper method to boost the security of upgraded domain controllers is to configure them with a security template that is provided by Microsoft or one of the leading security institutes that provide security templates of their own. Web sites where you can find additional security templates include:

www.microsoft.com/windowsserver2003/security/default.mspx
www.cisecurity.com

Not all the security templates that you find are supported by Microsoft. However, they are still excellent references and include good combinations of security settings.

These templates will typically reconfigure the weak security areas that the DCUP.INF file left open. The following are the main areas that are left insecure by the default template:

  • Registry

  • File system (including SYSVOL and Windows)

  • User rights

  • Account Policies (if they were weak in Windows NT)
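The following is an added example, not from the book, of the workflow a practitioner would use to bring an upgraded domain controller in line with a stricter template: analyze first, read the differences, and only then configure. It uses the securedc.inf template that ships in %windir%\security\templates on Windows Server 2003; the working directory, the choice of template and the choice of areas are assumptions for the example.

```powershell
# Added example, not from the book: review an upgraded DC against a stricter template
# before applying it. Paths and template choice are assumptions.
$Template = "$env:windir\security\templates\securedc.inf"   # ships with Windows Server 2003
$Work     = 'C:\temp\dc-review'                              # assumed working directory
New-Item -ItemType Directory -Path $Work -Force | Out-Null

# Step 1: dry run. /analyze imports the template into a fresh database and writes the
# differences between the template and the machine to the log; nothing is changed.
secedit /analyze /db "$Work\dc.sdb" /cfg $Template /log "$Work\analyze.log" /quiet

# Step 2: list the settings secedit marks as mismatched so they can be reviewed one by one.
Select-String -Path "$Work\analyze.log" -Pattern 'Mismatch' | ForEach-Object { $_.Line }

# Step 3 (only after the review): apply the template. /areas restricts the change to the
# areas Section 13.4.3 names as left weak by DCUP.INF; omit it to apply the whole template.
# secedit /configure /db "$Work\dc.sdb" /cfg $Template /log "$Work\configure.log" `
#     /areas SECURITYPOLICY USER_RIGHTS REGKEYS FILESTORE
```

Account Policies (the last bullet above) are domain-wide settings: applying them with secedit on one DC only changes that machine's local database, so they must be corrected in the Default Domain Policy GPO to take effect for the domain.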



Securing Windows Server 2003 (ISBN: 0596006853, 2006)