How to Create the Domain Controller GPO and Import the Exchange Domain Controller Baseline Policy Template


This topic explains how to create the domain controller group policy object (GPO) and import the Exchange Domain Controller baseline policy template into the GPO. You can download the Exchange Domain Controller Baseline Policy template (Exchange_2003-DC_Incremental_V1_1.inf) in the Microsoft Exchange Server 2003 Security Hardening Guide.

The following table lists the settings in which the Exchange 2003 Domain Controller Baseline Policy differs from the Windows Server 2003 Domain Controller Baseline Policy. The reason for each difference is explained after the table.

Differences between the Windows Server 2003 and Exchange 2003 Domain Controller Baseline Policies

Option                                                              | Windows Server 2003 Domain Controller Baseline | Exchange 2003 Domain Controller Baseline Policy
--------------------------------------------------------------------|------------------------------------------------|------------------------------------------------
Do not allow anonymous enumeration of SAM accounts and shares       | Enabled                                        | Disabled. Rely on default permissions, because Outlook versions earlier than Outlook 2003 require anonymous connections.
Shut down your system immediately if unable to log security audits  | Enabled                                        | Disabled
Account logon event auditing                                        | Success and Failure                            | Failure
Logon event auditing                                                | Success and Failure                            | Failure

  • Additional restrictions for anonymous connections (the Windows 2000 name of the setting that Windows Server 2003 calls "Network access: Do not allow anonymous enumeration of SAM accounts and shares")

    The anonymous restriction setting in Exchange Server 2003 differs from that of Windows Server 2003 because Outlook 2000 and Outlook 2002 clients contact the global catalog server anonymously for information. With settings defined in the Windows Server 2003 Security Guide, where anonymous queries to the global catalog server are restricted, Outlook 2000 and Outlook 2002 users are unable to send internal mail and must use external addresses. However, because Outlook 2003 authenticates with the global catalog server, it is not necessary to relax this security setting in a pure Outlook 2003 environment.

    Note

    For more information about this issue, see Microsoft Knowledge Base article 309622, "XADM: Clients Cannot Browse the Global Address List After You Apply the Q299687 Windows 2000 Security Hotfix."

  • Shut down your system immediately if unable to log security audits

    This setting is disabled because, when it is enabled, a domain controller halts as soon as the security log is full, and the security log is likely to fill quickly with logon failures such as mistyped passwords. On a domain controller that would amount to a self-inflicted denial of service.

  • Account logon event auditing and Logon event auditing

    The Account logon event and Logon event auditing settings are modified because of the large number of success logon events that Exchange Server 2003 generates during normal operations. If success auditing is enabled for logon events, the security log is rapidly filled; therefore, the Exchange Domain Controller Baseline Policy logs only failure events.
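The four settings in the table map to well-known security template entries (the RestrictAnonymous and CrashOnAuditFail registry values under the Lsa key, and the AuditAccountLogon and AuditLogonEvents entries of the [Event Audit] section). The following PowerShell script is an added example, not part of the Exchange 2003 Security Hardening Guide or of the template file it ships: it exports the effective local security policy of a domain controller with secedit.exe and compares those four entries against the Exchange 2003 Domain Controller Baseline values taken from the table. The expected values are an assumption derived from the table, not read from Exchange_2003-DC_Incremental_V1_1.inf itself; the script must run in an elevated session on the domain controller being checked.

```powershell
# Added example: compare a domain controller's effective security policy with the
# four settings the Exchange 2003 DC Baseline changes (values assumed from the table).

$expected = @{
    # "Do not allow anonymous enumeration of SAM accounts and shares": Disabled (0)
    'MACHINE\System\CurrentControlSet\Control\Lsa\RestrictAnonymous' = '4,0'
    # "Shut down your system immediately if unable to log security audits": Disabled (0)
    'MACHINE\System\CurrentControlSet\Control\Lsa\CrashOnAuditFail'  = '4,0'
    # [Event Audit] values: 0 = No auditing, 1 = Success, 2 = Failure, 3 = Success and Failure
    'AuditAccountLogon' = '2'   # Account logon event auditing: Failure
    'AuditLogonEvents'  = '2'   # Logon event auditing: Failure
}

# Export the effective local policy (requires administrative rights).
$cfg = Join-Path $env:TEMP 'effective-policy.inf'
secedit.exe /export /cfg $cfg /quiet | Out-Null
if (-not (Test-Path $cfg)) { throw 'secedit /export failed; run this from an elevated session' }

# secedit writes a Unicode .inf; Get-Content honours its byte-order mark.
# Collect every "key=value" line from all sections into one lookup table.
$actual = @{}
foreach ($line in Get-Content $cfg) {
    if ($line -match '^\s*([^;\[=]+?)\s*=\s*(.+?)\s*$') {
        $actual[$matches[1]] = $matches[2]
    }
}
Remove-Item $cfg -ErrorAction SilentlyContinue

# Report each setting; hashtable keys are compared case-insensitively.
$failures = 0
foreach ($key in $expected.Keys) {
    $have = $actual[$key]
    if ($null -eq $have) { $have = '<not set>' }
    if ($have -eq $expected[$key]) { $status = 'OK  ' } else { $status = 'DIFF'; $failures++ }
    '{0} {1,-66} expected {2,-4} actual {3}' -f $status, $key, $expected[$key], $have
}
if ($failures) {
    Write-Warning "$failures setting(s) differ from the Exchange 2003 Domain Controller Baseline"
}
```

A DIFF on RestrictAnonymous with the value 4,1 is the expected result on a domain controller that still carries only the Windows Server 2003 baseline; it is also the setting to leave as it is in a pure Outlook 2003 environment, where the relaxation is not needed.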

The most efficient way to deploy the Exchange Domain Controller Baseline Policy template is to import Exchange_2003-DC_Incremental_V1_1.inf into a GPO linked to the Domain Controllers organizational unit by means of the Group Policy property page.

Before You Begin

The sequence of the policies on the Group Policy tab determines the order in which policies are applied: the list is processed from the bottom up, so the GPO at the top of the list is applied last and its settings take precedence wherever they conflict with a GPO lower in the list. It is therefore important that you place the Exchange Domain Controller Baseline Policy above the Windows Server 2003 Domain Controller Baseline Policy; otherwise the Windows baseline would override the relaxed anonymous-access and auditing settings that the Exchange template defines.

It is highly recommended that you review Security-Hardening Exchange 2003 Servers before implementing the following procedure.

Procedure

To create the domain controller GPO and import the Exchange Domain Controller Baseline Policy template

  1. In Active Directory Users and Computers, right-click Domain Controllers, and then click Properties.

  2. On the Group Policy tab, click New to add a new Group Policy object.

  3. Type Exchange DC Policy, and then press ENTER.

  4. Click Edit. The Group Policy Object Editor opens.

  5. In Group Policy Object Editor, under Computer Configuration, expand Windows Settings, right-click Security Settings, and click Import Policy.

    Note

    If Import Policy does not appear on the menu, close Group Policy Object Editor and repeat Steps 4 and 5.

  6. In Import Policy From, navigate to the directory where you saved the Exchange Group Policy Security Templates, and then double-click Exchange_2003-DC_Incremental_V1_1.inf.

  7. Close Group Policy Object Editor, and then click OK.

  8. In Domain Controllers Properties, select Exchange DC Policy, click Up until Exchange DC Policy is at the top of the list, click Apply, and then click OK.

  9. After importing the policy, you must wait for replication to the other domain controllers or use the Active Directory Sites and Services MMC snap-in to force replication. Replication ensures that all domain controllers receive the policy.

    Note

    Although replication applies the policy, you must reboot the servers for the policies to take effect.

  10. In the Application event log, verify that the policy was applied successfully by searching for event ID 1704 from source SceCli ("Security policy in the Group policy objects has been applied successfully"). Then, verify that the server can communicate with the other domain controllers in the domain.

  11. Restart each domain controller one at a time to ensure that each reboots successfully and that the policies have taken effect.
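Steps 8 through 11 can be verified from a PowerShell prompt on each domain controller instead of by inspecting the GUI and the event viewer by hand. The following script is an added example and is not part of the Exchange 2003 Security Hardening Guide. It assumes the GPO was named "Exchange DC Policy" as in step 3, that repadmin.exe is present on the domain controller, and that the GroupPolicy module (Get-GPInheritance, available on Windows Server 2008 R2 and later) may or may not be installed; the link-order check is skipped where the module is unavailable.

```powershell
# Added example: post-deployment checks for the Exchange DC Policy GPO.
$gpoName = 'Exchange DC Policy'   # assumption: the name typed in step 3

# Step 10: find the most recent SceCli 1704 event in the Application log.
$applied = Get-EventLog -LogName Application -Source SceCli -Newest 50 |
    Where-Object { $_.EventID -eq 1704 } | Select-Object -First 1
if ($applied) {
    "Security policy last applied on $env:COMPUTERNAME at $($applied.TimeGenerated)"
} else {
    Write-Warning 'No SceCli 1704 event found in the last 50 SceCli events; policy not yet applied here'
}

# Step 9/10: replication health. repadmin /replsummary prints one line per
# source DSA with a "fails / total" column; any non-zero fails count means a
# partner has not replicated and may still be running the old policy.
$summary = & repadmin.exe /replsummary 2>&1
$summary
$failing = $summary | Where-Object { $_ -match '\s([1-9]\d*)\s*/\s*\d+\s+\d+' }
if ($failing) {
    Write-Warning "Replication failures reported for: $($failing -join '; ')"
} else {
    'No replication failures reported'
}

# Step 8: link order on the Domain Controllers OU. Link order 1 is the top of
# the list on the Group Policy tab; it is processed last and therefore wins.
if (Get-Command Get-GPInheritance -ErrorAction SilentlyContinue) {
    $domainDn = [string]([ADSI]'LDAP://RootDSE').defaultNamingContext
    $links = (Get-GPInheritance -Target "OU=Domain Controllers,$domainDn").GpoLinks
    $links | Select-Object Order, DisplayName, Enabled, Enforced | Format-Table -AutoSize
    $ours = $links | Where-Object { $_.DisplayName -eq $gpoName }
    if (-not $ours) {
        Write-Warning "'$gpoName' is not linked to the Domain Controllers OU"
    } elseif ($ours.Order -ne 1) {
        Write-Warning "'$gpoName' is at link order $($ours.Order); move it to the top (order 1) so it overrides the Windows baseline"
    } elseif (-not $ours.Enabled) {
        Write-Warning "'$gpoName' link is disabled"
    } else {
        "'$gpoName' is linked at order 1 and enabled"
    }
} else {
    'Get-GPInheritance is not available here; confirm the link order on the Group Policy tab as in step 8'
}
```

Run the script on each domain controller after it has been restarted (step 11); a 1704 event with a timestamp later than the reboot, no replication failures, and the Exchange DC Policy at link order 1 together confirm that the procedure completed on that server.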