The domain controllers are the key to ensuring your Active Directory is safe and secure. However, many aspects of your domain controllers may go unnoticed unless you are fully aware of what is happening behind the scenes. An important consideration is the point at which domain controllers receive many of their default security settings. You will recall that two default GPOs help configure the environment: the Default Domain Policy, targeted to the entire domain, and the Default Domain Controller Policy, targeted to the domain controllers. Finally, if you are upgrading from Windows NT to Windows 2000 or Windows Server 2003, you will need to be aware of how the security on upgraded servers differs from that on freshly installed ones.

13.4.1 Default Domain Policy

The GPO that is linked to the domain is primarily targeted to configure the domain users' Account Policies. This includes the Password Policy, Account Lockout Policy, and Kerberos Policy. Figure 13-4 shows the Account Policies portion of the Default Domain Policy.

Figure 13-4. Account Policies in the Default Domain Policy

The Default Domain Policy controls more than just the Account Policies. Table 13-2 lists the default settings in the Default Domain Policy.

Table 13-2. Default Domain Policy default configurations and values

| Computer configuration | Policy setting | Value |
| --- | --- | --- |
| Password Policy | Enforce password history | 24 passwords remembered |
| | Maximum password age | 42 days |
| | Minimum password age | 1 day |
| | Minimum password length | 7 characters |
| | Password must meet complexity requirements | Enabled |
| | Store passwords using reversible encryption | Disabled |
| Account Lockout Policy | Account lockout duration | Not defined |
| | Account lockout threshold | 0 invalid logon attempts |
| | Reset account lockout counter after | Not defined |
| Kerberos Policy | Enforce user logon restrictions | Enabled |
| | Maximum lifetime for service ticket | 600 minutes |
| | Maximum lifetime for user ticket | 10 hours |
| | Maximum lifetime for user ticket renewal | 7 days |
| | Maximum tolerance for computer clock synchronization | 5 minutes |
| Local Policies\Security Options | Network security: force logoff when logon hours expire | Disabled |
| Public Key Policies | Encrypting File System | Administrator is configured as a Data Recovery Agent |

The User Configuration portion of the Default Domain Policy is not configured for any setting.

13.4.2 Default Domain Controller Policy

The GPO that is linked to the Domain Controllers OU is targeted to configure only the domain controllers. Its primary focus is on the user rights for the domain controllers, as shown in Figure 13-5.

Figure 13-5. User Rights Assignment in the Default Domain Controller Policy

The Default Domain Controller Policy does more than just configure user rights for the domain controllers. Table 13-3 lists the default settings in the Default Domain Controller Policy.

Table 13-3. Default Domain Controller Policy default configurations and values

| Computer configuration | Policy setting | Value |
| --- | --- | --- |
| Audit Policy | Audit account logon events | Success |
| | Audit account management | No auditing |
| | Audit directory service access | No auditing |
| | Audit logon events | Success |
| | Audit object access | No auditing |
| | Audit policy change | No auditing |
| | Audit privilege use | No auditing |
| | Audit process tracking | No auditing |
| | Audit system events | No auditing |
| User Rights Assignment [1] | Access this computer from the network | Administrators, Authenticated Users, ENTERPRISE DOMAIN CONTROLLERS, Everyone, Pre-Windows 2000 Compatible Access |
| | Add workstations to domain | Authenticated Users |
| | Adjust memory quotas for a process | Administrators, LOCAL SERVICE, NETWORK SERVICE |
| | Allow logon locally | Account Operators, Administrators, Backup Operators, Print Operators, Server Operators |
| | Back up files and directories | Administrators, Backup Operators, Server Operators |
| | Bypass traverse checking | Authenticated Users, Administrators, Everyone, Pre-Windows 2000 Compatible Access |
| | Change the system time | Administrators, Server Operators |
| | Create a pagefile | Administrators |
| | Debug programs | Administrators |
| | Deny access to this computer from the network | <domain>\Support_* |
| | Deny logon locally | <domain>\Support_* |
| | Enable computer and user accounts to be trusted for delegation | Administrators |
| | Force shutdown from a remote system | Administrators, Server Operators |
| | Generate security audits | LOCAL SERVICE, NETWORK SERVICE |
| | Increase scheduling priority | Administrators |
| | Load and unload device drivers | Administrators, Print Operators |
| | Log on as a batch job | <domain>\IIS, <domain>\IUSR, <domain>\IWAM, <domain>\Support_*, LOCAL SERVICE |
| | Log on as a service | NETWORK SERVICE |
| | Manage auditing and security log | Administrators |
| | Modify firmware environment variables | Administrators |
| | Profile system performance | Administrators |
| | Remove computer from docking station | Administrators |
| | Replace a process level token | <domain>\IWAM, LOCAL SERVICE, NETWORK SERVICE |
| | Restore files and directories | Administrators, Backup Operators, Server Operators |
| | Shut down the system | Administrators, Backup Operators, Print Operators, Server Operators |
| | Take ownership of files and other objects | Administrators |
| Local Policies\Security Options | Domain controller: LDAP server signing requirements | None |
| | Domain controller: digitally encrypt or sign secure channel data (always) | Enabled |
| | Microsoft network server: digitally sign communications (always) | Enabled |
| | Microsoft network server: digitally sign communications (if client agrees) | Enabled |
| | Network security: LAN Manager authentication level | Send NTLM response only |

[1] User rights not included here are either not defined or are defined but left empty.

The User Configuration portion of the Default Domain Controller Policy is not configured for any setting.

13.4.3 Default Security for Upgrades

If the domain controllers are upgraded from Windows NT 4.0 domain controllers, the security for these settings is quite different. In such cases, a special security template is used to configure many of these settings for both the Default Domain Policy and the Default Domain Controller Policy. The security template is named DCUP.INF and is automatically applied to the domain controller being upgraded. This watered-down security template is used for an upgrade to ensure compatibility of the existing applications with Windows Server 2003. The proper method to boost the security of upgraded domain controllers is to configure them with a security template provided by Microsoft or by one of the leading security institutes that publish security templates of their own. Web sites where you can find additional security templates include:

- www.microsoft.com/windowsserver2003/security/default.mspx
- www.cisecurity.com
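As an added example (not code from the book, and not the contents of DCUP.INF or any Microsoft template), the following Python script compares a secedit-style security template or export against the documented defaults in Tables 13-2 and 13-3. This is the check you would run on an upgraded domain controller to see which settings the upgrade left below the fresh-install baseline, and again after applying a hardening template to confirm what it changed. It assumes the section and key names of the secedit .inf format ([System Access], [Kerberos Policy], [Event Audit]); the sample template embedded in it is constructed for illustration.

```python
"""Compare a secedit-style .inf security template against the documented
Default Domain Policy / Default Domain Controller Policy values.

Added example; the section and key names follow the secedit template
format (assumption), and SAMPLE_INF is a constructed sample, not DCUP.INF.
"""

# Documented defaults from Tables 13-2 and 13-3, keyed by .inf section and
# key. Audit values use the secedit encoding: 0 = no auditing, 1 = success,
# 2 = failure, 3 = success and failure. Settings shown as "Not defined" in
# the tables have no key here.
DEFAULTS = {
    "System Access": {
        "PasswordHistorySize": 24,      # Enforce password history
        "MaximumPasswordAge": 42,       # Maximum password age (days)
        "MinimumPasswordAge": 1,        # Minimum password age (days)
        "MinimumPasswordLength": 7,     # Minimum password length
        "PasswordComplexity": 1,        # Complexity requirements: Enabled
        "ClearTextPassword": 0,         # Reversible encryption: Disabled
        "LockoutBadCount": 0,           # Account lockout threshold
    },
    "Kerberos Policy": {
        "TicketValidateClient": 1,      # Enforce user logon restrictions
        "MaxServiceAge": 600,           # Service ticket lifetime (minutes)
        "MaxTicketAge": 10,             # User ticket lifetime (hours)
        "MaxRenewAge": 7,               # User ticket renewal (days)
        "MaxClockSkew": 5,              # Clock synchronization tolerance (min)
    },
    "Event Audit": {
        "AuditAccountLogon": 1,         # Success
        "AuditAccountManage": 0,
        "AuditDSAccess": 0,
        "AuditLogonEvents": 1,          # Success
        "AuditObjectAccess": 0,
        "AuditPolicyChange": 0,
        "AuditPrivilegeUse": 0,
        "AuditProcessTracking": 0,
        "AuditSystemEvents": 0,
    },
}

# Constructed sample of an export from a hypothetical upgraded domain
# controller (not a real export and not the contents of DCUP.INF).
SAMPLE_INF = """\
[Unicode]
Unicode=yes
[Version]
signature="$CHICAGO$"
Revision=1
[System Access]
MinimumPasswordAge = 0
MaximumPasswordAge = 42
MinimumPasswordLength = 0
PasswordComplexity = 0
PasswordHistorySize = 24
LockoutBadCount = 0
ClearTextPassword = 0
[Kerberos Policy]
MaxTicketAge = 10
MaxRenewAge = 7
MaxServiceAge = 600
MaxClockSkew = 5
TicketValidateClient = 1
[Event Audit]
AuditSystemEvents = 0
AuditLogonEvents = 0
AuditObjectAccess = 0
AuditPrivilegeUse = 0
AuditPolicyChange = 0
AuditAccountManage = 0
AuditProcessTracking = 0
AuditDSAccess = 0
AuditAccountLogon = 3
"""


def parse_inf(text):
    """Parse 'key = value' lines grouped under [section] headers."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):      # blank or comment line
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            sections.setdefault(current, {})
            continue
        if current is None or "=" not in line:
            continue
        key, value = (part.strip() for part in line.split("=", 1))
        sections[current][key] = value
    return sections


def compare_to_defaults(inf_text, defaults=DEFAULTS):
    """Return (section, key, found, expected) for each value that differs
    from the documented default; a missing key is reported with found=None."""
    parsed = parse_inf(inf_text)
    findings = []
    for section, expected_keys in defaults.items():
        present = parsed.get(section, {})
        for key, expected in expected_keys.items():
            raw = present.get(key)
            found = int(raw) if raw is not None and raw.lstrip("-").isdigit() else raw
            if found != expected:
                findings.append((section, key, found, expected))
    return findings


def unaudited_categories(inf_text):
    """Audit categories set to 0 (no auditing) in the template, sorted."""
    audit = parse_inf(inf_text).get("Event Audit", {})
    return sorted(key for key, value in audit.items() if value.strip() == "0")


if __name__ == "__main__":
    for section, key, found, expected in compare_to_defaults(SAMPLE_INF):
        print(f"[{section}] {key}: found {found!r}, documented default {expected!r}")
    print("No auditing:", ", ".join(unaudited_categories(SAMPLE_INF)))
```

On a real domain controller, `secedit /export /cfg <file>` writes the effective settings in this format, and that file can be handed to `compare_to_defaults()` in place of the constructed sample. A deviation is not automatically a problem: a hardening template is expected to raise the password settings and turn audit categories on. The value of the check is that every departure from the Table 13-2 and 13-3 baseline becomes visible, which is exactly what the upgrade path otherwise leaves behind the scenes.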
Note: Not all the security templates that you find are supported by Microsoft. However, they are still excellent references and include good combinations of security settings.

These templates will typically reconfigure the weak security areas that the DCUP.INF file left open. The following are the main areas that are left insecure by the default template: