This section of the chapter contains the definitions of the default group policy objects created during the setup of SBS 2003 or the installation of SBS 2003 SP1. You can use it as a reference for these objects if you suspect that a default object has been modified. The objects are listed in their default order as well.

Small Business Server Windows Firewall

This GPO contains elements to configure the Windows Firewall in Windows XP SP2, as shown in Table 20.3. It is created when SBS 2003 SP1 is installed, or when SBS 2003 SP1 is applied to an existing SBS 2003 server. The policy has a WMI filter that allows only Windows XP SP2 workstations to process it.

Table 20.3. Policy Settings for Small Business Server Windows Firewall

Policy Element | Setting
---|---
Computer Configuration > Administrative Templates > Network > Network Connections > Windows Firewall > Domain Profile |
Windows Firewall: Allow file and printer sharing exception | Enabled; allow unsolicited incoming messages from: Local Subnet
Windows Firewall: Allow local port exceptions | Enabled
Windows Firewall: Allow local program exceptions | Enabled
Windows Firewall: Allow Remote Desktop exception | Enabled; allow unsolicited incoming messages from: *
Windows Firewall: Protect all network connections | Enabled
Computer Configuration > Administrative Templates > Network > Network Connections > Windows Firewall > Standard Profile |
Windows Firewall: Allow local port exceptions | Enabled
Windows Firewall: Allow local program exceptions | Enabled
Windows Firewall: Protect all network connections | Enabled
Computer Configuration > Administrative Templates > Windows Components > Security Center |
Turn on Security Center (Domain PCs only) | Enabled
Extra Registry Settings |
SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile\AuthorizedApplications\Enabled | 1
SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile\AuthorizedApplications\List\%WINDIR%\PCHealth\HelpCtr\Binaries\Helpctr.exe:*:Enabled:Remote Assistance - Windows Messenger and Voice | %WINDIR%\PCHealth\HelpCtr\Binaries\Helpctr.exe:*:Enabled:Remote Assistance - Windows Messenger and Voice
SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile\AuthorizedApplications\List\%WINDIR%\PCHealth\HelpCtr\Binaries\Helpsvc.exe:*:Enabled:Offer Remote Assistance | %WINDIR%\PCHealth\HelpCtr\Binaries\Helpsvc.exe:*:Enabled:Offer Remote Assistance
SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile\AuthorizedApplications\List\%WINDIR%\SYSTEM32\Sessmgr.exe:*:Enabled:Remote Assistance | %WINDIR%\SYSTEM32\Sessmgr.exe:*:Enabled:Remote Assistance
SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile\GloballyOpenPorts\Enabled | 1
SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile\GloballyOpenPorts\List\135:TCP:*:Enabled:Offer Remote Assistance Port | 135:TCP:*:Enabled:Offer Remote Assistance Port
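The "Extra Registry Settings" rows of Table 20.3 are the raw form of the firewall exception lists, and because the GPO also allows local program and port exceptions, an extra entry in the policy hive is exactly the kind of modification this reference is meant to help you spot. The following PowerShell is an added example, not code from the book or from SBS: it holds the Table 20.3 values as a baseline, parses each `target:scope:state:name` entry, reads the same keys from a client's policy hive, and reports anything missing or unexpected. It assumes PowerShell 2.0 or later on the client; the `$sample` hashtable at the end is constructed so the comparison can be run offline.

```powershell
# Added example, not from the book or from SBS: compares the Domain Profile firewall
# values that Table 20.3 pushes into the policy hive against what a client actually has.
# Assumes PowerShell 2.0 or later; Get-ObservedFirewallPolicy reads the live registry,
# while the constructed $sample at the end lets the comparison run offline.

$PolicyRoot = 'HKLM:\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile'

# Baseline from Table 20.3: the two Enabled flags and the value data under ...\List.
$Baseline = @{
    'AuthorizedApplications\Enabled' = 1
    'AuthorizedApplications\List'    = @(
        '%WINDIR%\PCHealth\HelpCtr\Binaries\Helpctr.exe:*:Enabled:Remote Assistance - Windows Messenger and Voice',
        '%WINDIR%\PCHealth\HelpCtr\Binaries\Helpsvc.exe:*:Enabled:Offer Remote Assistance',
        '%WINDIR%\SYSTEM32\Sessmgr.exe:*:Enabled:Remote Assistance'
    )
    'GloballyOpenPorts\Enabled' = 1
    'GloballyOpenPorts\List'    = @('135:TCP:*:Enabled:Offer Remote Assistance Port')
}

function ConvertFrom-FirewallEntry {
    # Splits "target:scope:state:name"; target is a program path or "port:protocol".
    # The lazy target plus the fixed Enabled|Disabled state keeps a drive-letter colon inside the path.
    param([string]$Entry)
    if ($Entry -match '^(?<target>.+?):(?<scope>[^:]+):(?<state>Enabled|Disabled):(?<name>.*)$') {
        return New-Object PSObject -Property @{
            Target = $Matches.target; Scope = $Matches.scope; State = $Matches.state; Name = $Matches.name
        }
    }
    return New-Object PSObject -Property @{ Target = $Entry; Scope = '?'; State = '?'; Name = '' }
}

function Get-ObservedFirewallPolicy {
    # Reads the same four items from the policy hive on the local client.
    param([string]$Root = $PolicyRoot)
    $observed = @{}
    foreach ($sub in 'AuthorizedApplications', 'GloballyOpenPorts') {
        $key = Join-Path $Root $sub
        $observed["$sub\Enabled"] = (Get-ItemProperty -Path $key -Name Enabled -ErrorAction SilentlyContinue).Enabled
        $list = @()
        $listKey = Join-Path $key 'List'
        if (Test-Path $listKey) {
            $item = Get-Item -Path $listKey
            foreach ($name in $item.GetValueNames()) { $list += [string]$item.GetValue($name) }
        }
        $observed["$sub\List"] = $list
    }
    return $observed
}

function Compare-FirewallPolicy {
    # Returns one line per Enabled flag that differs and per exception that is missing or unexpected.
    param([hashtable]$Baseline, [hashtable]$Observed)
    $findings = @()
    foreach ($sub in 'AuthorizedApplications', 'GloballyOpenPorts') {
        if ($Observed["$sub\Enabled"] -ne $Baseline["$sub\Enabled"]) {
            $findings += "$sub\Enabled is '$($Observed["$sub\Enabled"])', expected $($Baseline["$sub\Enabled"])"
        }
        $expected = @($Baseline["$sub\List"])
        $actual   = @($Observed["$sub\List"])
        foreach ($e in $expected) { if ($actual -notcontains $e) { $findings += "missing from $sub\List: $e" } }
        foreach ($a in $actual) {
            if ($expected -notcontains $a) {
                $p = ConvertFrom-FirewallEntry -Entry $a
                $findings += "unexpected in $sub\List: $($p.Target) (scope $($p.Scope), $($p.State), '$($p.Name)')"
            }
        }
    }
    return $findings
}

# Constructed sample: the Sessmgr.exe entry is gone and a program exception has been added.
# On a real XP SP2 client run: Compare-FirewallPolicy -Baseline $Baseline -Observed (Get-ObservedFirewallPolicy)
$sample = @{
    'AuthorizedApplications\Enabled' = 1
    'AuthorizedApplications\List'    = @(
        '%WINDIR%\PCHealth\HelpCtr\Binaries\Helpctr.exe:*:Enabled:Remote Assistance - Windows Messenger and Voice',
        '%WINDIR%\PCHealth\HelpCtr\Binaries\Helpsvc.exe:*:Enabled:Offer Remote Assistance',
        'C:\Tools\nc.exe:*:Enabled:Remote shell'
    )
    'GloballyOpenPorts\Enabled' = 1
    'GloballyOpenPorts\List'    = @('135:TCP:*:Enabled:Offer Remote Assistance Port')
}
Compare-FirewallPolicy -Baseline $Baseline -Observed $sample
```

Run against the constructed sample, the report lists the missing Sessmgr.exe entry and the unexpected `C:\Tools\nc.exe` exception with its scope `*`. The policy hive only shows what the GPO delivered; exceptions a local administrator added through the Windows Firewall control panel live under `HKLM:\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile` instead, so point `-Root` there to audit those the same way.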
Small Business Server Internet Connection Firewall

This policy governs the Internet Connection Firewall included with Windows XP prior to SP2 (see Table 20.4). The PreSP2 WMI filter is applied to it so that Windows XP SP2 clients do not process the policy; Windows 2000 clients have no Internet Connection Firewall, so the setting does not apply to them.

Table 20.4. Policy Settings for Small Business Server Internet Connection Firewall

Policy | Setting
---|---
Computer Configuration > Administrative Templates > Network > Network Connections |
Prohibit use of Internet Connection Firewall on your DNS domain network | Enabled
Small Business Server Client Computer

This policy customizes the workstation environment of a computer that has been joined to the domain. Table 20.5 lists its settings.

Table 20.5. Policy Settings for Small Business Server Client Computer

Policy | Setting
---|---
Computer Configuration > Administrative Templates > Network > Network Connections |
Prohibit installation and configuration of Network Bridge on your DNS domain network | Enabled
Prohibit use of Internet Connection Sharing on your DNS domain network | Enabled
Computer Configuration > Administrative Templates > System > Logon |
Don't display the Getting Started welcome screen at logon | Enabled
Extra Registry Settings |
SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SyncForegroundPolicy | 1

SyncForegroundPolicy = 1 is the registry form of "Always wait for the network at computer startup and logon." It turns off the Fast Logon Optimization of Windows XP, so the client applies Group Policy synchronously at startup and logon instead of deferring settings such as software installation and folder redirection to a later logon.
Small Business Server Remote Assistance Policy

This policy enables the use of Remote Assistance across the SBS network. Because these settings exist only in the computer configuration, the user configuration portion of this GPO has been disabled so that it is not processed with the user settings from the other GPOs at logon (see Table 20.6).

Table 20.6. Policy Settings for Small Business Server Remote Assistance Policy

Policy | Setting
---|---
Computer Configuration > Administrative Templates > System > Remote Assistance |
Offer Remote Assistance | Enabled; Helpers: [domainname]\Domain Admins
Small Business Server Lockout Policy

This policy establishes the account lockout policy for the domain. Again, because these settings appear only in the computer configuration, the user configuration portion is disabled (see Table 20.7).

Table 20.7. Policy Settings for Small Business Server Lockout Policy

Policy | Setting
---|---
Computer Configuration > Windows Settings > Security Settings > Account Policies > Account Lockout Policy |
Account lockout duration | 10 minutes
Account lockout threshold | 50 invalid logon attempts
Reset account lockout counter after | 10 minutes
Small Business Server Domain Password Policy

This policy sets the password requirements for the domain. There are two "standard" sets of values for it. Table 20.8 shows the settings as installed, before secure password policies are enabled by running the Connect to the Internet Wizard (the Configure E-mail and Internet Connection Wizard, CEICW); Table 20.9 shows the settings after the secure password policies have been enabled. Both tables show defaults. Note that the installation defaults allow blank passwords that never expire, so a domain on which the wizard has not yet been run, or on which someone has reverted these values, has no effective password controls. The domain password policy can be customized in the Configure Password Policies Wizard under the Users node in the Server Management Console.

Table 20.8. Policy Settings for Small Business Server Password Policy (Installation Defaults)

Policy | Setting
---|---
Computer Configuration > Windows Settings > Security Settings > Account Policies > Password Policy |
Enforce password history | 24 passwords remembered
Maximum password age | 0 days (never expires)
Minimum password age | 0 days
Minimum password length | 0 characters
Password must meet complexity requirements | Disabled
Store passwords using reversible encryption | Disabled

Table 20.9. Policy Settings for Small Business Server Password Policy (CEICW Defaults)

Policy | Setting
---|---
Computer Configuration > Windows Settings > Security Settings > Account Policies > Password Policy |
Enforce password history | 24 passwords remembered
Maximum password age | 42 days
Minimum password age | 0 days
Minimum password length | 7 characters
Password must meet complexity requirements | Enabled
Store passwords using reversible encryption | Disabled
Default Domain Policy

The Default Domain policy contains all the default Windows Server 2003 settings (see Table 20.10). It is processed first among the SBS domain-level policies so that the basic security and performance structure is established before the SBS-specific policies are processed.

Table 20.10. Policy Settings for the Default Domain Policy Object

Policy | Setting
---|---
Computer Configuration > Windows Settings > Security Settings > Account Policies > Password Policy |
Enforce password history | 24 passwords remembered
Maximum password age | 42 days
Minimum password age | 1 day
Minimum password length | 7 characters
Password must meet complexity requirements | Enabled
Store passwords using reversible encryption | Disabled
Computer Configuration > Windows Settings > Security Settings > Account Policies > Account Lockout Policy |
Account lockout threshold | 0 invalid logon attempts
Computer Configuration > Windows Settings > Security Settings > Account Policies > Kerberos Policy |
Enforce user logon restrictions | Enabled
Maximum lifetime for service ticket | 600 minutes
Maximum lifetime for user ticket | 10 hours
Maximum lifetime for user ticket renewal | 7 days
Maximum tolerance for computer clock synchronization | 5 minutes
Computer Configuration > Windows Settings > Security Settings > Local Policies > Security Options |
Network security: Force logoff when logon hours expire | Disabled
Computer Configuration > Windows Settings > Security Settings > Public Key Policies > Autoenrollment Settings |
Enroll certificates automatically | Enabled
Renew expired certificates, update pending certificates, and remove revoked certificates | Disabled
Update certificates that use certificate templates | Disabled
Computer Configuration > Windows Settings > Security Settings > Public Key Policies > Encrypting File System > Properties |
Allow users to encrypt files using Encrypting File System (EFS) | Enabled
Computer Configuration > Windows Settings > Security Settings > Public Key Policies > Trusted Root Certification Authorities > Properties |
Allow users to select new root certification authorities (CAs) to trust | Enabled
Client computers can trust the following certificate stores | Third-Party Root Certification Authorities and Enterprise Root Certification Authorities
To perform certificate-based authentication of users and computers, CAs must meet the following criteria | Registered in Active Directory only
Computer Configuration > Windows Settings > Remote Installation Services > Client Installation Wizard options |
Custom Setup | Disabled
Restart Setup | Disabled
Tools | Disabled
Best Practice: Do Not Modify the Default Domain Policy Objects

Although you may be tempted to change the Default Domain policy object or the Default Domain Controllers policy object, discussed later, do not make any modifications to either of these policy objects. Follow the example of the SBS development team and create a new policy object, or modify another policy object, if you need to add policy elements to the SBS network. If you make a change to one of the Default objects and find out that something has gone wrong on the network as a result, it is difficult to "undo" the changes made to a policy object. The "Troubleshooting Group Policy" section later in the chapter discusses a method for defining, testing, and implementing group policy changes. Follow the guidelines there for correctly implementing group policy changes to the network. Just do not make any changes to the Default policy objects.
Small Business Server Auditing Policy

This policy sets the basic auditing settings for an SBS installation (see Table 20.11). Because there are no user configuration settings related to auditing, the user configuration portion of the policy object is disabled and is not processed during user configuration processing.

Table 20.11. Policy Settings for the Small Business Server Auditing Policy

Policy | Setting
---|---
Computer Configuration > Windows Settings > Security Settings > Local Policies > Audit Policy |
Audit directory service access | No auditing
Audit logon events | Success, Failure
Default Domain Controllers Policy

The Default Domain Controllers policy is similar to the Default Domain policy in that it establishes the default settings for computers used as domain controllers in the SBS network (see Table 20.12). It is the first GPO processed in the Domain Controllers OU so that the SBS-specific settings in other GPOs in the OU can override its defaults as necessary.

Table 20.12. Policy Settings for the Default Domain Controllers Policy

Policy | Setting
---|---
Computer Configuration > Windows Settings > Security Settings > Local Policies > Audit Policy |
Audit account logon events | Success
Audit account management | Success
Audit directory service access | Success
Audit logon events | Success
Audit object access | No auditing
Audit policy change | Success
Audit privilege use | No auditing
Audit process tracking | No auditing
Audit system events | Success
Computer Configuration > Windows Settings > Security Settings > Local Policies > User Rights Assignment |
Access this computer from the network | Everyone, domain\IUSR_servername, domain\IWAM_servername, BUILTIN\Administrators, NT AUTHORITY\Authenticated Users, NT AUTHORITY\ENTERPRISE DOMAIN CONTROLLERS, BUILTIN\Pre-Windows 2000 Compatible Access
Act as part of the operating system | [defined but empty]
Add workstations to domain | NT AUTHORITY\Authenticated Users
Adjust memory quotas for a process | NT AUTHORITY\LOCAL SERVICE, NT AUTHORITY\NETWORK SERVICE, domain\IWAM_servername, BUILTIN\Administrators
Allow log on locally | domain\IUSR_servername, BUILTIN\Administrators, BUILTIN\Backup Operators, BUILTIN\Account Operators, BUILTIN\Server Operators, BUILTIN\Print Operators
Back up files and directories | BUILTIN\Administrators, BUILTIN\Backup Operators, BUILTIN\Server Operators
Bypass traverse checking | Everyone, BUILTIN\Administrators, NT AUTHORITY\Authenticated Users, BUILTIN\Pre-Windows 2000 Compatible Access
Change the system time | NT AUTHORITY\LOCAL SERVICE, BUILTIN\Administrators, BUILTIN\Server Operators
Create a pagefile | BUILTIN\Administrators
Create a token object | [defined but empty]
Create permanent shared objects | [defined but empty]
Debug programs | BUILTIN\Administrators
Deny access to this computer from the network | domain\SUPPORT_supportID
Deny log on as a batch job | [defined but empty]
Deny log on as a service | [defined but empty]
Deny log on locally | domain\SBS Remote Operators, domain\SUPPORT_supportID, domain\SBS STS Worker
Enable computer and user accounts to be trusted for delegation | BUILTIN\Administrators
Force shutdown from a remote system | BUILTIN\Administrators, BUILTIN\Server Operators
Generate security audits | NT AUTHORITY\LOCAL SERVICE, NT AUTHORITY\NETWORK SERVICE
Increase scheduling priority | BUILTIN\Administrators
Load and unload device drivers | BUILTIN\Administrators, BUILTIN\Print Operators
Lock pages in memory | [defined but empty]
Log on as a batch job | NT AUTHORITY\LOCAL SERVICE, domain\IUSR_servername, domain\IWAM_servername, domain\IIS_WPG, domain\SUPPORT_supportID
Log on as a service | NT AUTHORITY\NETWORK SERVICE
Manage auditing and security log | domain\Exchange Enterprise Servers, BUILTIN\Administrators
Modify firmware environment values | BUILTIN\Administrators
Profile single process | BUILTIN\Administrators
Profile system performance | BUILTIN\Administrators
Remove computer from docking station | BUILTIN\Administrators
Replace a process level token | NT AUTHORITY\LOCAL SERVICE, NT AUTHORITY\NETWORK SERVICE, domain\IWAM_servername
Restore files and directories | BUILTIN\Administrators, BUILTIN\Backup Operators, BUILTIN\Server Operators
Shut down the system | BUILTIN\Administrators, BUILTIN\Backup Operators, BUILTIN\Server Operators
Synchronize directory service data | [defined but empty]
Take ownership of files or other objects | BUILTIN\Administrators
Computer Configuration > Windows Settings > Security Settings > Local Policies > Security Options |
Domain controller: LDAP server signing requirements | None
Domain member: Digitally encrypt or sign secure channel data (always) | Enabled
Microsoft network server: Digitally sign communications (always) | Enabled
Microsoft network server: Digitally sign communications (if client agrees) | Enabled
Network security: LAN Manager authentication level | Send NTLM response only
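The account, audit and security-option values in Tables 20.7, 20.9, 20.11 and 20.12 can all be checked at once from the INF that `secedit /export /cfg C:\sec.inf /areas SECURITYPOLICY` writes, which reflects the settings as they actually applied to the machine. The PowerShell below is an added example, not code from the book or from SBS: it parses that INF and reports every value that is missing or differs from the documented defaults. The baseline assumes the export was taken on the SBS server itself, so the account policies come from the domain-level Tables 20.7 and 20.9 while the audit and security-option values come from Table 20.12, since a GPO linked to the Domain Controllers OU overrides the domain-linked auditing policy of Table 20.11 on the DC. `LmCompatibilityLevel` 2 and `LDAPServerIntegrity` 1 are the registry encodings of "Send NTLM response only" and "None"; note that level 2 still lets the server accept LM and NTLMv1 responses from clients, and "None" means LDAP clients need not sign, so a drift to a higher value in either is stronger rather than weaker and should be read as such before anyone reverts it. The sample INF text is constructed; it assumes PowerShell 2.0 or later.

```powershell
# Added example, not from the book or from SBS: checks a secedit export against the
# documented defaults. Assumes PowerShell 2.0 or later and an INF produced by
#   secedit /export /cfg C:\sec.inf /areas SECURITYPOLICY
# run on the SBS server itself (account policy from Tables 20.7/20.9, the rest from Table 20.12).

function ConvertFrom-SeceditInf {
    # Parses INF lines into a hashtable of sections, each a hashtable of key -> raw value string.
    param([string[]]$Lines)
    $cfg = @{}
    $section = ''
    foreach ($raw in $Lines) {
        $line = $raw.Trim()
        if ($line -eq '' -or $line.StartsWith(';')) { continue }
        if ($line -match '^\[(.+)\]$') { $section = $Matches[1]; $cfg[$section] = @{}; continue }
        $i = $line.IndexOf('=')
        if ($i -lt 1 -or $section -eq '') { continue }
        $cfg[$section][$line.Substring(0, $i).Trim()] = $line.Substring($i + 1).Trim()
    }
    return $cfg
}

# Documented defaults, keyed by the names secedit uses in its INF.
$Expected = @{
    'System Access' = @{
        PasswordHistorySize   = 24   # Table 20.9
        MaximumPasswordAge    = 42
        MinimumPasswordAge    = 0
        MinimumPasswordLength = 7
        PasswordComplexity    = 1
        ClearTextPassword     = 0    # "Store passwords using reversible encryption"
        LockoutBadCount       = 50   # Table 20.7
        LockoutDuration       = 10
        ResetLockoutCount     = 10
    }
    'Event Audit' = @{               # Table 20.12: 0 = none, 1 = success, 2 = failure, 3 = both
        AuditAccountLogon     = 1
        AuditAccountManage    = 1
        AuditDSAccess         = 1
        AuditLogonEvents      = 1
        AuditObjectAccess     = 0
        AuditPolicyChange     = 1
        AuditPrivilegeUse     = 0
        AuditProcessTracking  = 0
        AuditSystemEvents     = 1
    }
    'Registry Values' = @{
        # 2 = "Send NTLM response only"
        'MACHINE\System\CurrentControlSet\Control\Lsa\LmCompatibilityLevel' = 2
        # 1 = LDAP server signing requirement "None"
        'MACHINE\System\CurrentControlSet\Services\NTDS\Parameters\LDAPServerIntegrity' = 1
    }
}

function Compare-SecurityPolicy {
    # Returns one line per value that is missing from the export or differs from $Expected.
    param([hashtable]$Expected, [hashtable]$Actual)
    $findings = @()
    foreach ($section in $Expected.Keys) {
        foreach ($key in $Expected[$section].Keys) {
            $raw = $null
            if ($Actual.ContainsKey($section)) { $raw = $Actual[$section][$key] }
            if ($raw -eq $null) { $findings += "[$section] $key is not defined in the export"; continue }
            # [Registry Values] data is written as "type,data"; type 4 is REG_DWORD
            if ($section -eq 'Registry Values') { $raw = ($raw -split ',', 2)[1] }
            $value = [int]$raw
            # secedit writes -1 for "password never expires", which GPMC shows as 0 days
            if ($key -eq 'MaximumPasswordAge' -and $value -eq -1) { $value = 0 }
            if ($value -ne [int]$Expected[$section][$key]) {
                $findings += "[$section] $key = $value, documented default is $($Expected[$section][$key])"
            }
        }
    }
    return $findings
}

# Constructed sample export: someone has put the password policy back to the installation
# defaults of Table 20.8. For a real check use: Get-Content C:\sec.inf -Encoding Unicode
$SampleInf = @'
[Unicode]
Unicode=yes
[System Access]
MinimumPasswordAge = 0
MaximumPasswordAge = -1
MinimumPasswordLength = 0
PasswordComplexity = 0
PasswordHistorySize = 24
LockoutBadCount = 50
ResetLockoutCount = 10
LockoutDuration = 10
ClearTextPassword = 0
[Event Audit]
AuditSystemEvents = 1
AuditLogonEvents = 1
AuditObjectAccess = 0
AuditPrivilegeUse = 0
AuditPolicyChange = 1
AuditAccountManage = 1
AuditProcessTracking = 0
AuditDSAccess = 1
AuditAccountLogon = 1
[Registry Values]
MACHINE\System\CurrentControlSet\Control\Lsa\LmCompatibilityLevel=4,2
MACHINE\System\CurrentControlSet\Services\NTDS\Parameters\LDAPServerIntegrity=4,1
'@

$actual = ConvertFrom-SeceditInf -Lines ($SampleInf -split "`r?`n")
Compare-SecurityPolicy -Expected $Expected -Actual $actual
```

Against the constructed sample the report names three drifts, MaximumPasswordAge, MinimumPasswordLength and PasswordComplexity, which together are the Table 20.8 signature of a domain on which the secure password policies were never enabled or have been undone. A run on a workstation export should instead use the Table 20.11 audit values (AuditLogonEvents = 3, AuditDSAccess = 0) and drop the two domain-controller registry values from `$Expected`.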