Recommendations: Strengthening Domain and Domain Controller Policy Settings

Applies To: Windows Server 2003, Windows Server 2003 R2, Windows Server 2003 with SP1, Windows Server 2003 with SP2, Windows Server 2008, Windows Server 2008 R2

You can create secure domain and domain controller policy settings by following the security recommendations described earlier in this section. Of course, as previously mentioned, your comprehensive Active Directory security plan should also take into consideration the recommendations that are described in the other sections of this guide.

Recommendations for Strengthening Domain Policy Settings

Recommendations for ensuring that your domain and domain controller policies are applied in a secure and consistent manner are:

  • Strengthening Password Policy Settings for Domains

    • Apply the recommended password policy settings (Table 13) at the domain level.
  • Strengthening Account Lockout Policy Settings for Domains

    • Apply the recommended account lockout policy settings (Table 14) at the domain level.
  • Reviewing Kerberos Policy Settings for Domains

    • Review the recommended Kerberos policy settings (Table 15) at the domain level.

Recommendations for Strengthening Domain Controller Policy Settings

Recommendations for ensuring that your domain controller policy settings are applied in a secure and consistent manner are:

  • Reviewing Domain Controller Audit Policy Settings

    • Review default auditing that provides accountability for sensitive operations and intrusion detection.
  • Strengthening Domain Controller User Rights Assignment Policy Settings

    • Apply the recommended domain controller user rights assignment policy settings (Table 17).
  • Strengthening Domain Controller Security Options Policy Settings

    • Apply the recommended domain controller Security Options policy settings (Table 18).

    • Configure all domain controllers and clients to support NTLMv2, and then use Security Options policy settings to disable LM authentication.

    • Enable SMB client and server signing so that SMB signing is always required.

  • Strengthening Domain Controller Event Log Policy Settings

    • Apply recommended domain controller event log policy settings (21).
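The two Security Options items above (disable LM authentication after enabling NTLMv2, and require SMB signing on both the server and client side) can be verified on a domain controller by reading the registry values those policy settings write. The following PowerShell script is an added example, not part of the original guide; it assumes it is run with administrative rights on the domain controller itself (or through Invoke-Command) and reports each setting against the recommended value rather than changing anything.

```powershell
# Added example (not from the original guide): verifies on a domain controller
# that LM authentication is refused in favour of NTLMv2 and that SMB signing
# is required, by reading the registry values the corresponding Security
# Options policy settings write. Read-only; run locally on the DC.

function Get-DcAuthHardeningStatus {
    # Each check: the registry location a Security Options setting maps to,
    # the value name, and the condition that satisfies the recommendation.
    $checks = @(
        @{
            Setting  = 'Network security: LAN Manager authentication level'
            Path     = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
            Name     = 'LmCompatibilityLevel'
            # 4 = send NTLMv2 only, refuse LM; 5 = additionally refuse NTLM
            Pass     = { param($v) $v -ge 4 }
            Expected = '4 or 5 (refuse LM)'
        },
        @{
            Setting  = 'Network security: Do not store LAN Manager hash value on next password change'
            Path     = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
            Name     = 'NoLMHash'
            Pass     = { param($v) $v -eq 1 }
            Expected = '1 (enabled)'
        },
        @{
            Setting  = 'Microsoft network server: Digitally sign communications (always)'
            Path     = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters'
            Name     = 'RequireSecuritySignature'
            Pass     = { param($v) $v -eq 1 }
            Expected = '1 (enabled)'
        },
        @{
            Setting  = 'Microsoft network client: Digitally sign communications (always)'
            Path     = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanWorkstation\Parameters'
            Name     = 'RequireSecuritySignature'
            Pass     = { param($v) $v -eq 1 }
            Expected = '1 (enabled)'
        }
    )

    foreach ($c in $checks) {
        # A missing value means the policy has never been applied here; report
        # it as not set rather than silently treating it as compliant.
        $item  = Get-ItemProperty -Path $c.Path -Name $c.Name -ErrorAction SilentlyContinue
        $value = if ($null -ne $item) { $item.($c.Name) } else { $null }
        $ok    = ($null -ne $value) -and (& $c.Pass $value)

        New-Object PSObject -Property @{
            Setting  = $c.Setting
            Value    = if ($null -eq $value) { '<not set>' } else { $value }
            Expected = $c.Expected
            Status   = if ($ok) { 'OK' } else { 'REVIEW' }
        } | Select-Object Setting, Value, Expected, Status
    }
}

Get-DcAuthHardeningStatus | Format-Table -AutoSize -Wrap
```

Any row marked REVIEW is a setting that either has not been applied through the domain controller GPO or has been applied with a weaker value; compare it with the corresponding entry in the Security Options table before changing it, since lowering LM compatibility or requiring signing affects every client that authenticates to the DC.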

Recommendations for Applying Selected Domain and Domain Controller Policy Settings

Recommendations for ensuring that your selected domain and domain controller policy settings are applied in a secure and consistent manner are:

  • Modifying the settings in the Default Domain Policy GPO and the Default Domain Controllers Policy GPO

    • Make all changes to Security Settings in the Default Domain Policy GPO.

    • Make all changes to User Rights Assignment and Audit Policy settings in the Default Domain Controllers Policy GPO.

  • Applying a New GPO to the Domain Controllers OU

    • Ensure that all domain controller computer accounts reside in the Domain Controllers OU.

    • Create and link a new GPO above the Default Domain Controllers Policy GPO. This GPO should contain the recommended changes to Security Options and Event Log settings in the security policy.
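The two checks in the item above (all domain controller accounts in the Domain Controllers OU, and a new GPO linked above the Default Domain Controllers Policy GPO) can be confirmed from PowerShell. The following script is an added example, not part of the original guide; it assumes the ActiveDirectory and GroupPolicy modules are available (Windows Server 2008 R2 or a workstation with RSAT) and that the account running it can read the domain and GPO links. The GPO name in the commented-out creation step is a placeholder.

```powershell
# Added example (not from the original guide): checks that every domain
# controller's computer account sits in the Domain Controllers OU and lists
# the GPOs linked to that OU in precedence order, so an additional hardening
# GPO can be confirmed (or created) above the Default Domain Controllers
# Policy. Requires the ActiveDirectory and GroupPolicy modules.
Import-Module ActiveDirectory
Import-Module GroupPolicy

$domain = Get-ADDomain
$dcOu   = $domain.DomainControllersContainer   # e.g. OU=Domain Controllers,DC=example,DC=com

# 1. Every domain controller's computer object should be in the DC OU;
#    a DC moved elsewhere does not receive the policies linked to that OU.
$misplaced = Get-ADDomainController -Filter * |
    Where-Object { $_.ComputerObjectDN -notlike "*,$dcOu" }
if ($misplaced) {
    Write-Warning "Domain controllers outside ${dcOu}:"
    $misplaced | Select-Object HostName, ComputerObjectDN | Format-Table -AutoSize
} else {
    Write-Host "All domain controller accounts reside in $dcOu"
}

# 2. Link order on the OU: Order 1 is processed last and therefore wins
#    conflicts, so the new GPO should show Order 1 with the Default Domain
#    Controllers Policy below it.
(Get-GPInheritance -Target $dcOu).GpoLinks |
    Select-Object Order, DisplayName, Enabled, Enforced |
    Sort-Object Order | Format-Table -AutoSize

# 3. To create the additional GPO (name is a placeholder) and link it at the
#    top of the OU, uncomment the following lines. Populate its Security
#    Options and Event Log settings afterwards in GPMC.
# $gpoName = 'DC Security Options and Event Log (placeholder)'
# New-GPO -Name $gpoName |
#     New-GPLink -Target $dcOu -LinkEnabled Yes -Order 1 | Out-Null
```

Keeping the Default Domain Controllers Policy GPO in place and putting only the Security Options and Event Log changes in the higher-precedence GPO matches the separation the recommendations describe: User Rights Assignment and Audit Policy edits stay in the default GPO, while the additional settings can be reviewed, unlinked or rolled back independently.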

Recommendations for Reviewing Audit Settings on Important Active Directory Objects

The following table provides a checklist of recommendations for ensuring that important Active Directory objects are audited. If you are upgrading a domain from Windows 2000, the default Windows Server 2003 auditing settings for these objects are not applied. In this case, use the settings in this section to enable auditing on important Active Directory objects.

  • Reviewing Default Audit Settings on Active Directory Database Objects

    • Review or enable auditing on schema directory partition objects.

    • Review or enable auditing on configuration directory partition objects.

    • Review or enable auditing on domain directory partition objects.
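The three review steps above can be carried out together by reading the system access control list (SACL) on the head object of each directory partition. The following PowerShell script is an added example, not part of the original guide; it assumes the ActiveDirectory module is loaded (which provides the AD: drive) and that the caller has the right to read SACLs, as a member of Domain Admins does. It only reports; enabling auditing is still done through the object's Advanced Security Settings or an equivalent tool.

```powershell
# Added example (not from the original guide): lists the auditing entries
# (SACL) on the heads of the schema, configuration and domain directory
# partitions so the audit settings can be reviewed. Requires the
# ActiveDirectory module and the right to read SACLs.
Import-Module ActiveDirectory

$rootDse = Get-ADRootDSE
$partitions = @{
    'Schema'        = $rootDse.schemaNamingContext
    'Configuration' = $rootDse.configurationNamingContext
    'Domain'        = $rootDse.defaultNamingContext
}

foreach ($name in $partitions.Keys) {
    $dn  = $partitions[$name]
    # The AD: drive exposes directory objects as paths; -Audit retrieves the SACL.
    $acl = Get-Acl -Path "AD:\$dn" -Audit
    Write-Host "`n== $name partition ($dn): $($acl.Audit.Count) audit entries"

    if ($acl.Audit.Count -eq 0) {
        # The guide notes that domains upgraded from Windows 2000 do not
        # receive the default Windows Server 2003 audit settings.
        Write-Warning "No auditing configured on $dn; enable it per the settings in this section."
        continue
    }

    $acl.Audit |
        Select-Object IdentityReference, ActiveDirectoryRights, AuditFlags, InheritanceType |
        Format-Table -AutoSize -Wrap
}
```

Entries on the partition head with an inheritance type other than None propagate to child objects, so reviewing these three objects covers most of the directory; objects with inheritance blocked must be reviewed separately. Directory object auditing only produces events when the Audit directory service access policy is enabled on the domain controllers, which is covered under the audit policy recommendations above.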