Default SBS Group Policy Objects


This section of the chapter contains the definitions of the default group policy objects created during the setup of SBS 2003 or the installation of SBS 2003 SP1. You can use this section of the chapter as a reference for these objects if you suspect that a default object has been modified. The objects are listed in their default order.

Small Business Server Windows Firewall

This GPO contains elements to configure the Windows Firewall in Windows XP SP2, as shown in Table 20.3. It is created when SBS 2003 SP1 is installed, or when SBS 2003 SP1 is applied to an existing SBS 2003 server. The policy has a WMI filter so that only Windows XP SP2 workstations process it. Note the scopes in the table: the file and printer sharing exception accepts unsolicited traffic only from the local subnet, whereas the Remote Desktop exception and the Remote Assistance program and port exceptions in the registry settings are scoped to *, that is, any source address.

Table 20.3. Policy Settings for Small Business Server Windows Firewall
(Each policy element is followed by its setting, indented beneath it.)

Computer Configuration
  Administrative Templates
    Network | Network Connections | Windows Firewall | Domain Profile
      Windows Firewall: Allow file and printer sharing exception
          Enabled. Allow unsolicited incoming messages from: Local Subnet
      Windows Firewall: Allow local port exceptions
          Enabled
      Windows Firewall: Allow local program exceptions
          Enabled
      Windows Firewall: Allow Remote Desktop exception
          Enabled. Allow unsolicited incoming messages from: *
      Windows Firewall: Protect all network connections
          Enabled
    Network | Network Connections | Windows Firewall | Standard Profile
      Windows Firewall: Allow local port exceptions
          Enabled
      Windows Firewall: Allow local program exceptions
          Enabled
      Windows Firewall: Protect all network connections
          Enabled
    Windows Components | Security Center
      Turn on Security Center (Domain PCs only)
          Enabled
    Extra Registry Settings (value name, followed by its data)
      SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile\AuthorizedApplications\Enabled
          1
      SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile\AuthorizedApplications\List\%WINDIR%\PCHealth\HelpCtr\Binaries\Helpctr.exe:*:Enabled:Remote Assistance - Windows Messenger and Voice
          %WINDIR%\PCHealth\HelpCtr\Binaries\Helpctr.exe:*:Enabled:Remote Assistance - Windows Messenger and Voice
      SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile\AuthorizedApplications\List\%WINDIR%\PCHealth\HelpCtr\Binaries\Helpsvc.exe:*:Enabled:Offer Remote Assistance
          %WINDIR%\PCHealth\HelpCtr\Binaries\Helpsvc.exe:*:Enabled:Offer Remote Assistance
      SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile\AuthorizedApplications\List\%WINDIR%\SYSTEM32\Sessmgr.exe:*:Enabled:Remote Assistance
          %WINDIR%\SYSTEM32\Sessmgr.exe:*:Enabled:Remote Assistance
      SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile\GloballyOpenPorts\Enabled
          1
      SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile\GloballyOpenPorts\List\135:TCP:*:Enabled:Offer Remote Assistance Port
          135:TCP:*:Enabled:Offer Remote Assistance Port
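The registry strings at the end of Table 20.3 are the raw form in which the GPO stores Windows Firewall exceptions: a program exception is written as path:scope:Enabled|Disabled:name and a port exception as port:protocol:scope:Enabled|Disabled:name, where a scope of * means any source address and LocalSubnet restricts the exception to the local subnet. The script below is an added example for this chapter, not code from the book or from SBS. It parses those strings and flags every enabled exception that is open to any address. The four sample strings are copied from Table 20.3; LOCAL_SUBNET_EXAMPLE is a constructed value included only to show what a scoped exception looks like.

```python
"""Parse Windows Firewall (Windows XP SP2) exception strings of the kind the GPO in
Table 20.3 writes under HKLM\\SOFTWARE\\Policies\\Microsoft\\WindowsFirewall\\DomainProfile\\AuthorizedApplications\\List
and ...\\GloballyOpenPorts\\List, and flag every enabled exception whose scope is '*'.

Added example for this chapter, not code from the book or from SBS. DOMAIN_PROFILE_*
are copied from Table 20.3; LOCAL_SUBNET_EXAMPLE is constructed."""
from dataclasses import dataclass
from typing import List

STATUS_TOKENS = ("Enabled", "Disabled")


@dataclass(frozen=True)
class FirewallException:
    kind: str      # "program" or "port"
    target: str    # program path, or "<port>/<protocol>"
    scope: str     # "*" (any address), "LocalSubnet", or a comma-separated address list
    enabled: bool
    name: str      # display name shown in the Windows Firewall UI


def parse_program_exception(value: str) -> FirewallException:
    """AuthorizedApplications\\List value: <path>:<scope>:<Enabled|Disabled>:<name>.
    The path may itself contain ':' (a drive letter), so locate the status token
    instead of splitting on a fixed number of fields."""
    parts = value.split(":")
    for i in range(2, len(parts) - 1):          # a path and a scope before it, a name after it
        if parts[i] in STATUS_TOKENS:
            return FirewallException(
                kind="program",
                target=":".join(parts[:i - 1]),
                scope=parts[i - 1],
                enabled=(parts[i] == "Enabled"),
                name=":".join(parts[i + 1:]),
            )
    raise ValueError(f"not a Windows Firewall program exception: {value!r}")


def parse_port_exception(value: str) -> FirewallException:
    """GloballyOpenPorts\\List value: <port>:<TCP|UDP>:<scope>:<Enabled|Disabled>:<name>."""
    parts = value.split(":", 4)
    if len(parts) != 5 or parts[1] not in ("TCP", "UDP") or parts[3] not in STATUS_TOKENS:
        raise ValueError(f"not a Windows Firewall port exception: {value!r}")
    port = int(parts[0])
    if not 1 <= port <= 65535:
        raise ValueError(f"port out of range: {parts[0]}")
    return FirewallException("port", f"{port}/{parts[1]}", parts[2], parts[3] == "Enabled", parts[4])


def scope_is_any_address(scope: str) -> bool:
    return scope.strip() == "*"


def review(exceptions: List[FirewallException]) -> List[str]:
    """One finding per enabled exception that accepts unsolicited traffic from any source address."""
    return [
        f"{e.kind} exception '{e.name}' ({e.target}) is enabled for any source address"
        for e in exceptions
        if e.enabled and scope_is_any_address(e.scope)
    ]


# Strings from Table 20.3 (Domain Profile).
DOMAIN_PROFILE_PROGRAMS = [
    r"%WINDIR%\PCHealth\HelpCtr\Binaries\Helpctr.exe:*:Enabled:Remote Assistance - Windows Messenger and Voice",
    r"%WINDIR%\PCHealth\HelpCtr\Binaries\Helpsvc.exe:*:Enabled:Offer Remote Assistance",
    r"%WINDIR%\SYSTEM32\Sessmgr.exe:*:Enabled:Remote Assistance",
]
DOMAIN_PROFILE_PORTS = [r"135:TCP:*:Enabled:Offer Remote Assistance Port"]

# Constructed example (not from the table): a program exception limited to the local subnet.
LOCAL_SUBNET_EXAMPLE = r"C:\Program Files\Example\agent.exe:LocalSubnet:Enabled:Example Agent"


def table_20_3_exceptions() -> List[FirewallException]:
    return [parse_program_exception(v) for v in DOMAIN_PROFILE_PROGRAMS] + \
           [parse_port_exception(v) for v in DOMAIN_PROFILE_PORTS]


if __name__ == "__main__":
    for finding in review(table_20_3_exceptions() + [parse_program_exception(LOCAL_SUBNET_EXAMPLE)]):
        print(finding)
```

Run against the Table 20.3 strings, all four exceptions are reported, because every one of them is scoped to *; the constructed LocalSubnet entry is not. The same parser can be pointed at the corresponding StandardProfile keys, or at strings exported from any XP SP2 GPO, to audit which exceptions a policy opens to the whole network.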


Small Business Server Internet Connection Firewall

This policy governs the Internet Connection Firewall included with Windows XP prior to SP2 (see Table 20.4). It has the PreSP2 WMI filter applied so that Windows XP SP2 and Windows 2000 clients do not apply it.

Table 20.4. Policy Settings for Small Business Server Internet Connection Firewall
(Each policy is followed by its setting, indented beneath it.)

Computer Configuration
  Administrative Templates
    Network | Network Connections
      Prohibit use of Internet Connection Firewall on your DNS domain network
          Enabled


Small Business Server Client Computer

This policy customizes the workstation environment of a computer that has been joined to the domain. Table 20.5 lists its settings.

Table 20.5. Policy Settings for Small Business Server Client Computer
(Each policy is followed by its setting, indented beneath it.)

Computer Configuration
  Administrative Templates
    Network | Network Connections
      Prohibit installation and configuration of Network Bridge on your DNS domain network
          Enabled
      Prohibit use of Internet Connection Sharing on your DNS domain network
          Enabled
    System | Logon
      Don't display the Getting Started welcome screen at logon
          Enabled
    Extra Registry Settings (value name, followed by its data)
      SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SyncForegroundPolicy
          1


Small Business Server Remote Assistance Policy

This policy enables the use of Remote Assistance across the SBS network. Because its settings exist only in the computer configuration, the user configuration portion of this GPO has been disabled so that it is not processed along with the user settings from the other GPOs at logon (see Table 20.6).

Table 20.6. Policy Settings for Small Business Server Remote Assistance Policy
(Each policy is followed by its setting, indented beneath it.)

Computer Configuration
  Administrative Templates
    System | Remote Assistance
      Offer Remote Assistance
          Enabled. Helpers: [domainname]\Domain Admins


Small Business Server Lockout Policy

This policy establishes the account lockout policy for the domain. Again, because these settings appear only in the computer configuration, the user configuration portion of the GPO is disabled (see Table 20.7).

Table 20.7. Policy Settings for Small Business Server Lockout Policy
(Each policy is followed by its setting, indented beneath it.)

Computer Configuration
  Windows Settings
    Security Settings
      Account Policies | Account Lockout Policy
        Account lockout duration
            10 minutes
        Account lockout threshold
            50 invalid logon attempts
        Reset account lockout counter after
            10 minutes


Small Business Server Domain Password Policy

This policy sets the password requirements for the domain. There are two "standard" sets of values for it. Table 20.8 shows the settings as they stand after installation, before secure password policies are enabled by running the Configure E-mail and Internet Connection Wizard (CEICW); Table 20.9 shows the settings after the secure password policies have been enabled. Both tables show defaults only; the domain password policy can be customized with the Configure Password Policies Wizard under the Users node in the Server Management Console. Be clear about what the installation defaults in Table 20.8 mean in practice: a maximum password age of 0 days means passwords never expire, a minimum length of 0 characters permits blank passwords, and complexity is not enforced. Because this policy is processed after the Default Domain Policy and therefore overrides it, the stronger values in the Default Domain Policy (Table 20.10) do not take effect for the domain until the secure password policies are enabled.

Table 20.8. Policy Settings for Small Business Server Password Policy (Installation Defaults)
(Each policy is followed by its setting, indented beneath it.)

Computer Configuration
  Windows Settings
    Security Settings
      Account Policies | Password Policy
        Enforce password history
            24 passwords remembered
        Maximum password age
            0 days
        Minimum password age
            0 days
        Minimum password length
            0 characters
        Password must meet complexity requirements
            Disabled
        Store passwords using reversible encryption
            Disabled


Table 20.9. Policy Settings for Small Business Server Password Policy (CEICW Defaults)
(Each policy is followed by its setting, indented beneath it.)

Computer Configuration
  Windows Settings
    Security Settings
      Account Policies | Password Policy
        Enforce password history
            24 passwords remembered
        Maximum password age
            42 days
        Minimum password age
            0 days
        Minimum password length
            7 characters
        Password must meet complexity requirements
            Enabled
        Store passwords using reversible encryption
            Disabled


Default Domain Policy

The Default Domain Policy contains the standard Windows Server 2003 domain defaults (see Table 20.10). Among the SBS domain-level policies it is processed first, which gives it the lowest precedence: the basic security and performance structure is established first, and any setting that an SBS-specific policy also defines is overridden by the SBS value. Two such overrides are visible in the tables. The account lockout threshold of 0 invalid logon attempts (no lockout) set here is replaced by the 50 attempts in the Small Business Server Lockout Policy (Table 20.7), and the minimum password age of 1 day is replaced by the 0 days in the Small Business Server Domain Password Policy (Table 20.9).

Table 20.10. Policy Settings for the Default Domain Policy Object
(Each policy is followed by its setting, indented beneath it.)

Computer Configuration
  Windows Settings
    Security Settings
      Account Policies | Password Policy
        Enforce password history
            24 passwords remembered
        Maximum password age
            42 days
        Minimum password age
            1 day
        Minimum password length
            7 characters
        Password must meet complexity requirements
            Enabled
        Store passwords using reversible encryption
            Disabled
      Account Policies | Account Lockout Policy
        Account lockout threshold
            0 invalid logon attempts
      Account Policies | Kerberos Policy
        Enforce user logon restrictions
            Enabled
        Maximum lifetime for service ticket
            600 minutes
        Maximum lifetime for user ticket
            10 hours
        Maximum lifetime for user ticket renewal
            7 days
        Maximum tolerance for computer clock synchronization
            5 minutes
      Local Policies | Security Options
        Network security: Force logoff when logon hours expire
            Disabled
      Public Key Policies | Autoenrollment Settings
        Enroll certificates automatically
            Enabled
        Renew expired certificates, update pending certificates, and remove revoked certificates
            Disabled
        Update certificates that use certificate templates
            Disabled
      Public Key Policies | Encrypting File System | Properties
        Allow users to encrypt files using Encrypting File System (EFS)
            Enabled
      Public Key Policies | Trusted Root Certification Authorities | Properties
        Allow users to select new root certification authorities (CAs) to trust
            Enabled
        Client computers can trust the following certificate stores
            Third-Party Root Certification Authorities and Enterprise Root Certification Authorities
        To perform certificate-based authentication of users and computers, CAs must meet the following criteria
            Registered in Active Directory only
      Remote Installation Services | Client Installation Wizard options
        Custom Setup
            Disabled
        Restart Setup
            Disabled
        Tools
            Disabled
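The precedence rule described for the Default Domain Policy (processed first, so overridden by the SBS-specific policies processed after it) decides what the domain actually enforces, and it is also what you need to reason about when you suspect that one of the default objects has been modified. The script below is an added example for this chapter, not code from the book or from SBS. It models the three domain-level GPOs with the values from Tables 20.7, 20.9 and 20.10, resolves the effective setting and the GPO that supplied it, and compares a GPO read back from the domain with its documented defaults. A setting a GPO leaves Not Configured is simply absent from its dictionary. TAMPERED_LOCKOUT_POLICY is a constructed GPO standing in for a modified Lockout Policy; it is not a documented default.

```python
"""Resolve the effective domain account policy from the SBS 2003 domain-level GPOs
and report drift from the documented defaults.

Added example for this chapter, not code from the book or from SBS. GPO contents
and processing order are taken from Tables 20.7, 20.9 and 20.10 (the Default Domain
Policy is processed first, so the SBS policies override it). TAMPERED_LOCKOUT_POLICY
is constructed to show what a modified object looks like."""
from typing import Dict, List, Tuple

Settings = Dict[str, object]
Effective = Dict[str, Tuple[object, str]]


class GPO:
    def __init__(self, name: str, settings: Settings) -> None:
        self.name = name
        # Only the settings the GPO actually defines. A "Not Configured" setting is
        # absent and so leaves whatever an earlier-processed GPO set in place.
        self.settings = settings


DEFAULT_DOMAIN_POLICY = GPO("Default Domain Policy", {
    "Enforce password history": 24,
    "Maximum password age (days)": 42,
    "Minimum password age (days)": 1,
    "Minimum password length": 7,
    "Password must meet complexity requirements": True,
    "Store passwords using reversible encryption": False,
    "Account lockout threshold": 0,            # 0 = accounts are never locked out
})

SBS_DOMAIN_PASSWORD_POLICY = GPO("Small Business Server Domain Password Policy", {
    # CEICW defaults from Table 20.9
    "Enforce password history": 24,
    "Maximum password age (days)": 42,
    "Minimum password age (days)": 0,
    "Minimum password length": 7,
    "Password must meet complexity requirements": True,
    "Store passwords using reversible encryption": False,
})

SBS_LOCKOUT_POLICY = GPO("Small Business Server Lockout Policy", {
    "Account lockout duration (minutes)": 10,
    "Account lockout threshold": 50,
    "Reset account lockout counter after (minutes)": 10,
})

# Processing order at the domain: first processed = lowest precedence, last processed wins.
DOMAIN_PROCESSING_ORDER = [DEFAULT_DOMAIN_POLICY, SBS_DOMAIN_PASSWORD_POLICY, SBS_LOCKOUT_POLICY]


def effective_settings(gpos_in_processing_order: List[GPO]) -> Effective:
    """Return {setting: (value, name of the GPO that supplied it)}; later GPOs overwrite earlier ones."""
    result: Effective = {}
    for gpo in gpos_in_processing_order:
        for key, value in gpo.settings.items():
            result[key] = (value, gpo.name)
    return result


def detect_drift(observed: GPO, documented: GPO) -> List[str]:
    """Compare a GPO read back from the domain with its documented default contents."""
    findings: List[str] = []
    for key, expected in documented.settings.items():
        if key not in observed.settings:
            findings.append(f"{observed.name}: '{key}' is Not Configured, documented default is {expected!r}")
        elif observed.settings[key] != expected:
            findings.append(f"{observed.name}: '{key}' is {observed.settings[key]!r}, documented default is {expected!r}")
    for key in sorted(set(observed.settings) - set(documented.settings)):
        findings.append(f"{observed.name}: defines '{key}', which the documented default does not")
    return findings


# Constructed: the Lockout Policy with its threshold set back to Not Configured.
TAMPERED_LOCKOUT_POLICY = GPO("Small Business Server Lockout Policy", {
    "Account lockout duration (minutes)": 10,
    "Reset account lockout counter after (minutes)": 10,
})


def effective_with_tampered_lockout() -> Effective:
    """What the domain enforces if the tampered object replaces the documented Lockout Policy."""
    return effective_settings([DEFAULT_DOMAIN_POLICY, SBS_DOMAIN_PASSWORD_POLICY, TAMPERED_LOCKOUT_POLICY])


if __name__ == "__main__":
    for key, (value, source) in sorted(effective_settings(DOMAIN_PROCESSING_ORDER).items()):
        print(f"{key}: {value}  (from {source})")
    for finding in detect_drift(TAMPERED_LOCKOUT_POLICY, SBS_LOCKOUT_POLICY):
        print(finding)
```

With the documented objects the effective lockout threshold is 50 (from the SBS Lockout Policy) and the minimum password age is 0 days (from the SBS Domain Password Policy). With the tampered Lockout Policy the threshold falls through to the Default Domain Policy value of 0, that is, no lockout at all, which is exactly the kind of silent change this reference section is meant to help you spot.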


Best Practice: Do Not Modify the Default Domain Policy Objects

Although you may be tempted to change the Default Domain policy object or the Default Domain Controllers policy objects, discussed later, do not make any modifications to either of these policy objects. Follow the example of the SBS development team and create a new policy object or modify another policy object if you need to add policy elements to the SBS network. If you make a change to one of the Default objects and find out that something has gone wrong on the network as a result, it is difficult to "undo" the changes made to a policy object.

The "Troubleshooting Group Policy" section later in the chapter discusses a method for defining, testing, and implementing group policy changes. Follow the guidelines there for correctly implementing group policy changes to the network. Just do not make any changes to the Default policy objects.


Small Business Server Auditing Policy

This policy sets the basic auditing settings for an SBS installation (see Table 20.11). Because there are no user configuration settings related to auditing, the user configuration portion of the policy object is disabled and is not processed during user configuration processing.

Table 20.11. Policy Settings for the Small Business Server Auditing Policy
(Each policy is followed by its setting, indented beneath it.)

Computer Configuration
  Windows Settings
    Security Settings
      Local Policies | Audit Policy
        Audit directory service access
            No auditing
        Audit logon events
            Success, Failure


Default Domain Controllers Policy

The Default Domain Controllers Policy is the counterpart of the Default Domain Policy for the Domain Controllers OU: it establishes the default settings for computers used as domain controllers in the SBS network (see Table 20.12). It is the first GPO processed in the Domain Controllers OU, so the SBS-specific settings in the other GPOs linked to that OU override its defaults where they conflict. Two points are worth knowing when reading the table. A user right shown as [defined but empty] is defined in the policy with no members, which removes that right from every account on the domain controller rather than leaving it unmanaged. And the Security Options at the end of the table are the Windows Server 2003 defaults, not hardened values: LDAP server signing is not required, and a LAN Manager authentication level of Send NTLM response only still lets the domain controller accept LM and NTLM responses from clients. If you decide to tighten them, follow the best practice earlier in this section and do so in a new GPO rather than by editing this one.

Table 20.12. Policy Settings for the Default Domain Controllers Policy
(Each policy is followed by its setting, indented beneath it.)

Computer Configuration
  Windows Settings
    Security Settings
      Local Policies | Audit Policy
        Audit account logon events
            Success
        Audit account management
            Success
        Audit directory service access
            Success
        Audit logon events
            Success
        Audit object access
            No auditing
        Audit policy change
            Success
        Audit privilege use
            No auditing
        Audit process tracking
            No auditing
        Audit system events
            Success
      Local Policies | User Rights Assignment
        Access this computer from the network
            Everyone, domain\IUSR_servername, domain\IWAM_servername, BUILTIN\Administrators, NT AUTHORITY\Authenticated Users, NT AUTHORITY\ENTERPRISE DOMAIN CONTROLLERS, BUILTIN\Pre-Windows 2000 Compatible Access
        Act as part of the operating system
            [defined but empty]
        Add workstations to domain
            NT AUTHORITY\Authenticated Users
        Adjust memory quotas for a process
            NT AUTHORITY\LOCAL SERVICE, NT AUTHORITY\NETWORK SERVICE, domain\IWAM_servername, BUILTIN\Administrators
        Allow log on locally
            domain\IUSR_servername, BUILTIN\Administrators, BUILTIN\Backup Operators, BUILTIN\Account Operators, BUILTIN\Server Operators, BUILTIN\Print Operators
        Back up files and directories
            BUILTIN\Administrators, BUILTIN\Backup Operators, BUILTIN\Server Operators
        Bypass traverse checking
            Everyone, BUILTIN\Administrators, NT AUTHORITY\Authenticated Users, BUILTIN\Pre-Windows 2000 Compatible Access
        Change the system time
            NT AUTHORITY\LOCAL SERVICE, BUILTIN\Administrators, BUILTIN\Server Operators
        Create a pagefile
            BUILTIN\Administrators
        Create a token object
            [defined but empty]
        Create permanent shared objects
            [defined but empty]
        Debug programs
            BUILTIN\Administrators
        Deny access to this computer from the network
            domain\SUPPORT_supportID
        Deny log on as a batch job
            [defined but empty]
        Deny log on as a service
            [defined but empty]
        Deny log on locally
            domain\SBS Remote Operators, domain\SUPPORT_supportID, domain\SBS STS Worker
        Enable computer and user accounts to be trusted for delegation
            BUILTIN\Administrators
        Force shutdown from a remote system
            BUILTIN\Administrators, BUILTIN\Server Operators
        Generate security audits
            NT AUTHORITY\LOCAL SERVICE, NT AUTHORITY\NETWORK SERVICE
        Increase scheduling priority
            BUILTIN\Administrators
        Load and unload device drivers
            BUILTIN\Administrators, BUILTIN\Print Operators
        Lock pages in memory
            [defined but empty]
        Log on as a batch job
            NT AUTHORITY\LOCAL SERVICE, domain\IUSR_servername, domain\IWAM_servername, domain\IIS_WPG, domain\SUPPORT_supportID
        Log on as a service
            NT AUTHORITY\NETWORK SERVICE
        Manage auditing and security log
            domain\Exchange Enterprise Servers, BUILTIN\Administrators
        Modify firmware environment values
            BUILTIN\Administrators
        Profile single process
            BUILTIN\Administrators
        Profile system performance
            BUILTIN\Administrators
        Remove computer from docking station
            BUILTIN\Administrators
        Replace a process level token
            NT AUTHORITY\LOCAL SERVICE, NT AUTHORITY\NETWORK SERVICE, domain\IWAM_servername
        Restore files and directories
            BUILTIN\Administrators, BUILTIN\Backup Operators, BUILTIN\Server Operators
        Shut down the system
            BUILTIN\Administrators, BUILTIN\Backup Operators, BUILTIN\Server Operators
        Synchronize directory service data
            [defined but empty]
        Take ownership of files or other objects
            BUILTIN\Administrators
      Local Policies | Security Options
        Domain controller: LDAP server signing requirements
            None
        Domain member: Digitally encrypt or sign secure channel data (always)
            Enabled
        Microsoft network server: Digitally sign communications (always)
            Enabled
        Microsoft network server: Digitally sign communications (if client agrees)
            Enabled
        Network security: LAN Manager authentication level
            Send NTLM response only





Microsoft Small Business Server 2003 Unleashed
ISBN: 0672328054
Year: 2005