Export (0) Print
Expand All

Strengthening Domain Controller Policy Settings

Updated: December 2, 2007

Applies To: Windows Server 2003, Windows Server 2003 R2, Windows Server 2003 with SP1, Windows Server 2003 with SP2, Windows Server 2008, Windows Server 2008 R2

In addition to Group Policy settings for domains, Windows Server 2003 Default Domain Controller Group Policy settings also protect domain controllers and Active Directory objects themselves. Domain Controller Security Policy settings apply to the Domain Controllers OU in each domain.

Domain Controller Security Policy Settings

Security Policy settings are applied at the Domain Controllers OU level by default for the following categories:

To increase security for your domain controllers, apply the User Rights Assignment, Security Options, and Event Log settings that are recommended in the following sections. Audit Policy settings do not require change, but they are presented for your information.

Changes to Domain Controller Security Policy

APIs that were developed for earlier versions of the operating system update some security policy settings in the Default Domain Controller Policy GPO, but not others. For this reason, changes to some domain controller security policy settings must be made by editing the default GPO, but others are best implemented by creating a new GPO. For more information about changing the default domain controller security policies as opposed to creating new GPOs for domain controller security policies, see the Applying Selected Domain and Domain Controller Policy Settings section.

Audit Policy

On domain controllers that are running Windows Server 2003, auditing is turned on by default to log the success of key security events. Default auditing on domain controllers represents a change from Windows 2000 Server, which does not enable auditing by default. Although no changes are recommended in the default settings, the settings are presented here because they represent significant changes from the Windows 2000 Server default settings.

ImportantImportant
There are many possible goals that you can have when you audit a domain for security purposes, such as intrusion detection or forensic analysis of security breaches. The primary goal of the security audit settings is to provide accountability for sensitive directory operations, including any administrative or configuration changes. When auditing for other reasons, such as intrusion detection, additional audit settings might need to be enabled.

When auditing is enabled on domain controllers, events are recorded in the Security event log. For the default and recommended settings for the maximum size of the Security event log, see the Strengthening Domain Controller Event Log Policy Settings section.

noteNote
If you make changes to Audit Policy security policy settings, make all changes by editing the Default Domain Controllers Policy GPO. Security policy settings for this GPO are available in Domain Controller Security Policy in Administrative Tools.

Table 16 lists the default and recommended settings for domain controller Audit Policy.

Table 16   Default and Recommended Domain Controller Audit Policy Settings

Policy Default Setting Recommended Setting Comments

Audit account logon events

Success

(No change)

Account logon events are generated when a domain user account is authenticated on a domain controller.

Audit account management

Success

(No change)

Account management events are generated when security principal accounts are created, modified, or deleted.

Audit directory service access

Success

(No change)

Directory services access events are generated when an Active Directory object with a system access control list (SACL) is accessed.

Audit logon events

Success

(No change)

Logon events are generated when a domain user interactively logs on to a domain controller or a network logon to a domain controller is performed to retrieve logon scripts and policies.

Audit object access

No auditing

(No change)

N/A

Audit policy change

Success

(No change)

Policy change events are generated for changes to user rights assignment policies, audit policies, or trust policies.

Audit privilege use

No auditing

(No change)

N/A

Audit process tracking

No auditing

(No change)

N/A

Audit system events

Success

(No change)

System events are generated when a user restarts or shuts down the domain controller or when an event occurs that affects either the system security or the security log.

User Rights Assignment

User rights allow users to log on and perform specific administrative or operations tasks on domain controllers. Ensure that the appropriate user rights are assigned to users in the domain so that users can perform their intended functions without compromising the security of the domain controllers. Establish the policy settings for domain controller user rights assignment to properly limit the users who can log on to the domain controllers and perform the necessary administrative tasks.

Table 17 lists the default and recommended policy settings for domain controller user rights assignment policies. Default Windows Server 2003 settings for all other user rights assignment policies are consistent with security recommendations.

noteNote
If you make changes to user rights assignment security policy settings, make all changes by editing the Default Domain Controllers Policy GPO. The security policy settings for this GPO are available in Domain Controller Security Policy in Administrative Tools.

Table 17   Default and Recommended Domain Controller User Rights Assignment Policy Settings

Policy Default Setting Recommended Setting Comments

Allow log on locally

Account Operators

Administrators

Backup Operators

Print Operators

Server Operators

Administrators

Backup Operators

Server Operators

Account Operators and Print Operators have few (if any) reasons to log on locally to a domain controller.

Shut down the system

Account Operators

Administrators

Backup Operators

Print Operators

Server Operators

Administrators

Backup Operators

Server Operators

Account Operators and Print Operators have few (if any) reasons to shut down domain controllers.

noteNote
Members of the Backup Operators group can log on locally to domain controllers, archive files to backup media, and overwrite system files through restore operations. The members of this group should be limited to those users who perform domain controller backup and restore operations. To reduce the number of users that have these rights, do not grant Backup Operator group membership to users who are responsible only for application backup and restore operations, such as Microsoft SQL Server operators.

Security Options

Domain controller Security Options policy settings affect the security-related Windows Server 2003 configuration settings. The domain controller Security Options policy settings affect not only the security configuration settings that are related to Active Directory, but other components in Windows Server 2003 as well, such as the network, file system, and user logon security configuration settings.

noteNote
To implement changes to default Security Options policy, it is recommended that you create a new GPO. This GPO can be added and linked to the Domain Controllers OU above the level of the Default Domain Controllers GPO. In this way, the nondefault settings take precedence over the default settings, and you can also easily revert to default settings by simply deleting this GPO or placing it below the default GPO in the list of linked GPOs. For more information about creating this new GPO, see the Applying Selected Domain and Domain Controller Policy Settings section.

Table 18 lists the default and recommended policy settings for domain controller Security Options. Default settings for all other security options are consistent with security recommendations.

Table 18  Default and Recommended Domain Controller Security Options Policy Settings

Policy Default Setting Recommended Setting Comments

Audit: Audit the access of global system objects

Not defined

Disabled

Disables the creation of a default SACL on system objects, such as mutexes (mutually exclusive), events, semaphores, and MSDOS devices because the default setting is “No auditing.”

Audit: Audit the use of Backup and Restore privilege

Not defined

Disabled

Disables auditing for the use of user privileges, including Backup and Restore, when the “Audit privilege use” policy is enabled because this policy is configured for “No auditing.”

Audit: Shut down system immediately if unable to log security audits

Not defined

Disabled

Stops the domain controller if a security audit cannot be logged. The auditing goals for domain controllers, described in Reviewing Domain Controller Audit Policy Settings, allow overwriting security audit events as required.

Devices: Allow undock without having to log on

Not defined

Disabled

Because a domain controller is most likely not a laptop, undocking should never take place. Therefore, the recommendation is to disable this setting.

Devices: Allowed to format and eject removable media

Not defined

Administrators

Allows only Administrators to eject removable NTFS media to protect against the theft of sensitive data.

Devices: Prevent users from installing printer drivers

Not defined

Enabled

Allows only Administrators and Server Operators to install a printer driver when adding a network printer to ensure that users cannot install a printer driver (add a network printer) and perform disk-space attacks by submitting large print jobs.

Devices: Restrict CD-ROM access to locally logged-on user only

Not defined

Enabled

Allows only the interactively logged-on service administrator to access removable CD-ROM media to ensure that when no one is logged on interactively, the CD-ROM cannot be accessed over the network.

Devices: Restrict floppy access to locally logged-on user only

Not defined

Enabled

Allows only interactively logged-on service administrators to access removable floppy media to ensure that the floppy disk drive cannot be accessed over the network when no one is logged on.

Devices: Unsigned driver installation behavior

Not defined

Do not allow installation

Prevents insecure or untrusted device drivers from being installed on domain controllers.

Domain controller: Allow server operators to schedule tasks

Not defined

Disabled

Restricts the individuals who can schedule tasks to Administrators because scheduling usually runs as an elevated service.

Domain controller: Refuse machine account password changes

Not defined

Disabled

It is more secure to have machine accounts regularly change their password (default: 30 days). Therefore this setting is disabled.

Domain member: Digitally encrypt or sign secure channel data (always)

Enabled

Not defined*

Enabled

Requires Windows NT 4.0 with Service Pack 4 (SP4)or later on all domain controllers in local domains and all trusted domains to ensure that all security fixes have been made.

Domain member: Disable machine account password changes

Not defined

Disabled

It is secure to have machine accounts regularly change their passwords. By default, the local security policy on the domain controller disables this setting.

Domain member: Maximum machine account password age

Not defined

30 days

The default local policy value is used by the Default Domain Controller Policy so that it is uniformly applied to all domain controllers.

Domain member: Require strong (Windows 2000 or later) session key

Not defined

Enabled

Requires that a secure channel be established with 128-bit encryption to ensure that the key strength is not negotiated but always uses the most secure connection possible with the domain controller.

Interactive logon: Do not display last user name

Not defined

Enabled

Removes the name of the last user to successfully log off from the Log On to Windows dialog box to prevent attackers from discovering service account names on domain controllers.

Interactive logon: Do not require CTRL+ALT+DEL

Not defined

Disabled

Requires CTRL+ALT+DEL before users log on to ensure that users are communicating by means of a trusted path when entering their passwords.

Interactive logon: Number of previous logons to cache (in case domain controller is not available)

Not defined

0 logons

The value 0 indicates that the domain controller does not cache previous logons and requires authentication at each logon.

Interactive logon: Prompt user to change password before expiration

Not defined

14 days

Notifies users in advance (in days) that their password is about to expire so that the user has time to construct a password that is sufficiently strong.

Interactive logon: Require Domain Controller authentication to unlock workstation

Not defined

Enabled

When cached credentials are used to unlock the console, any changes to the account, such as user rights assignment, group membership changes, or disabling of the account, are not enforced. To ensure that any changes to the account are enforced immediately, require domain controller authentication of the account to unlock the console, instead of cached credentials.

Interactive logon: Require smart card

Not defined

(See comments)

It is recommended that you use smart cards for logging on to both domain controllers and administrative workstations. If you have a public key infrastructure (PKI) infrastructure set up to deploy smart cards, set this option to Enabled.

Interactive logon: Smart card removal behavior

Not defined

Force logoff

Forces service administrators to keep smart cards inserted while they are logged on interactively on domain controllers to ensure that domain controllers are not left unattended with an active logon.

Microsoft network client: Digitally sign communications (always)

Not defined

(See comments)

See SMB Signing on Domain Controllers for requirements.

Microsoft network client: Digitally sign communications (if server agrees)

Not defined

(See comments)

See SMB Signing on Domain Controllers for requirements.

Microsoft network client: Send unencrypted password to third-party SMB servers

Not defined

Disabled

Prohibits the SMB redirector from sending plaintext passwords to non-Microsoft SMB servers that do not support password encryption. Disable this policy unless your domain controller needs to communicate with non-Microsoft SMB servers.

Microsoft network server: Amount of idle time required before suspending session

Not defined

15 min

Controls when a domain controller suspends an inactive server message block (SMB) session, which has no security implications but which reduces SMB traffic resource usage.

Microsoft network server: Digitally sign communications (always)

Enabled

Not defined*

(See comments)

See SMB Signing on Domain Controllers for requirements.

Microsoft network server: Digitally sign communications (if client agrees)

Enabled

(See comments)

See SMB Signing on Domain Controllers for requirements.

Microsoft network server: Disconnect clients when logon hours expire

Not defined

Enabled

Forcibly disconnects client sessions with the SMB Service when the user’s logon hours expire to ensure that network connections are secured during nonworking hours.

Network access: Do not allow storage of credentials or Windows Live ID for network authentication

Not defined

Enabled

A usability feature that is typically not required on domain controllers.

Network access: Restrict anonymous access to Named Pipes and Shares

Not defined

Enabled

Restricts anonymous access to network shared folders and named pipes to those that are enumerated in the following settings:

Network access: Named pipes that can be accessed anonymously

Network access: Shares that can be accessed anonymously

Network security: Do not store LAN Manager hash value on next password change

Not defined

(See comments)

See Disabling LAN Manager Authentication for other requirements.

Network security: LAN Manager authentication level

Send NTLM response only

Not defined*

(See comments)

See Disabling LAN Manager Authentication for other requirements.

Network security: LDAP client signing requirements

Not defined

(See comments)

Set to “Require signing” only if you have domain controllers that are running Windows 2000 SP3 or Windows Server 2003. Otherwise, set to “Negotiate signing.”

Recovery console: Allow automatic administrative logon

Not defined

Disabled

Requires that an Administrator account password be provided before access is granted to a domain controller to ensure that anyone logging on requires administrator credentials.

Recovery console: Allow floppy copy and access to all drives and all folders

Not defined

Disabled

Prevents unauthorized users from gaining access to, copying, and removing the Active Directory database and other secure files from the domain controller.

Shutdown: Allow system to be shut down without having to log on

Not defined

Disabled

Requires an authenticated, authorized service account to shut down or restart the domain controller.

Shutdown: Clear virtual memory pagefile

Not defined

Enabled

Eliminates process memory data from going into the page file on shutdown in case an unauthorized user manages to directly access the page file.

System objects; Strengthen default permissions of internal system objects (e.g. Symbolic Links)

Not defined

Enabled

Allows users who are not administrators to read shared objects but not modify them. Strengthens the default DACL of objects in the global list of shared resources, such as MSDOS device names, mutexes, and semaphores.

System settings: Optional subsystems

Not defined

(See comments)

By default, Posix is the only subsystem that is enabled. If you do not need Posix, you can define this policy and remove it from the list (so you that you have a blank list).

System settings: Use Certificate Rules on Windows Executables for Software Restriction Policies

Not defined

(See comments)

If you have PKI set up, you can enable this setting to check (CRLs to make sure that the software certificate and signature are valid.

* Default settings that are present when you upgrade a domain controller that is running Windows 2000 to Windows Server 2003 but that are not present when you perform a new installation of Windows Server 2003.

Disabling LAN Manager Authentication

By default, Windows operating systems earlier than Windows 2000 support only the LAN Manager (LM) authentication protocol. To provide compatibility with these earlier versions of Windows, Active Directory stores the account passwords in an LM hash format. Active Directory stores the password for the Windows NT authentication protocol (NTLM) and NTLM version 2 (NTLMv2) protocols in NTLM hash format. In the event that an attacker removes a domain controller or a domain controller hard disk, it is easier for that attacker to decrypt the passwords in LM hash format. Because the NTLM hash is cryptographically stronger than the LM hash, disable the storage of passwords in LM hash format to provide a higher level of security.

When you use a SYSKEY password or floppy disk, you encrypt the entire Active Directory database and protect any passwords. When you use one of these SYSKEY methods, there is no benefit to disabling the storing of passwords in LM hash format, aside from reducing the size of the Active Directory database.

For more information about allowing only the NTLMv2 authentication protocol, see the following articles in the Microsoft Knowledge Base at http://go.microsoft.com/fwlink/?LinkId=4441:

  • 285901, “Remote Access and VPN Clients Cannot Connect to a Server with NtlmcompatabilityLevel Set to 5”

  • 281648, “Error Message: The Account Is Not Authorized to Login from This Station”

  • 239869, “How to Enable NTLM 2 Authentication”

You can disable the storing of passwords in LM hash format by performing the following tasks:

  1. Upgrade all domain controllers, member servers, and workstations to support the NTLMv2 authentication protocol.

    Table 19 lists the operating systems and the software requirements to support the NTLMv2 authentication protocol.

    Table 19   Operating System and Software Requirements to Support NTLMv2

    Operating System Requires

    Windows 95, Windows 98, Windows Millennium Edition (Windows Me)

    Directory Services Client (Dsclient.exe) in the Clients\Win9x folder on the Windows 2000 Server CD-ROM

    Windows NT Workstation 4.0 and Windows NT Server 4.0

    Service Pack 4 or later

    Windows 2000 Professional and
    Windows 2000 Server

    Included as part of the operating system

    Windows XP Professional

    Included as part of the operating system

    Windows Server 2003

    Included as part of the operating system

  2. Enable the following Security Option in Domain Controller Security Policy:

    Network security: LAN Manager authentication level to Send NTLMv2 responses/reject LM

  3. Enable the following Security Option in Domain Controller Security Policy:

    Network security: Do not store LAN Manager hash value on next password change

    Enabling this setting disables the creation of passwords in LM hash format.

  4. Require all users to change their passwords immediately.

    The passwords that are already created in LM hash format are retained until the users change their passwords. Forcing password changes eliminates any passwords that are stored in LM hash format

    noteNote
    For the sake of backward compatibility, if you cannot disable storage of your passwords in the LM hash format, you might recommend that your administrators use passwords with more than 14 characters. In the event that the password hashes are stolen, the administrator accounts are protected because accounts with a password of more than 14 characters do not have an LM hash.

SMB Signing on Domain Controllers

On domain controllers that are running Windows Server 2003, default Group Policy settings allow the SMB Service and client to negotiate SMB packet signing. Domain controllers, member servers, and workstations access file shares during the user logon process to access logon scripts and profiles in the Netlogon share. In addition, domain policies are accessed through the SYSVOL share. For these reasons, all domain controllers should take advantage of SMB signing to improve security.

Table 20 lists the Security Options policy settings for SMB signing, and it explains how each setting affects client and server communications.

Table 20   Security Options Policy Settings for SMB Packet Signing

SMB Setting Explanation

Microsoft network client: Digitally sign communications (always)

The domain controller requires SMB signing when initiating SMB requests with other domain controllers, member servers, or workstations. The domain controller refuses to communicate with other systems that do not support SMB signing. For enhanced security, enable this Group Policy setting.

Microsoft network client: Digitally sign communications (if server agrees)

The domain controller negotiates SMB signing when initiating SMB requests with other domain controllers, member servers, or workstations. The domain controller requests SMB signing, but it will communicate with other systems that do not support SMB signing. For compatibility with Windows 95 and earlier operating systems, enable this Group Policy setting.

Microsoft network server: Digitally sign communications (always)

The domain controller requires SMB signing when receiving SMB requests from other domain controllers, member servers, or workstations. The domain controller refuses to communicate with other systems that do not support SMB signing. For enhanced security, enable this Group Policy setting.

Microsoft network server: Digitally sign communications (if client agrees)

The domain controller negotiates SMB signing when receiving SMB requests with other domain controllers, member servers, or workstations. The domain controller requests SMB signing, but it will communicate with other systems that do not support SMB signing. For compatibility with Windows 95 and earlier operating systems, enable this Group Policy setting.

Enable the Security Option setting Microsoft network client: Digitally sign communications (if server agrees) in addition to Microsoft network server: Digitally sign communications (always) unless:

  • Your network has computers that are running Windows for Workgroups; Windows 95 without the DS Client Pack; Windows NT 4.0 earlier than Service Pack 3.0; or devices, including Microsoft® Windows® Powered Pocket PC 2002 and previous versions, that are based on Microsoft® Windows® CE .NET Version 4.1 or earlier. It is highly recommended that you upgrade your clients rather than disabling this security setting. The DS Client Pack, which is necessary for Windows 95 clients to perform SMB signing, can be obtained from the \clients\win9x subdirectory on the Windows 2000 Server operating system CD.

  • Your domain controllers, member servers, and workstations have insufficient available processor resources to support SMB signing. SMB signing generates higher processor utilization on the client side and the server side — an increase of up to 15 percent.

Event Log Policy

Because of the default domain controller Audit Policy settings, the maximum size of the security log must be increased to accommodate the increased number of audited events that might be generated.

The recommended Event Log policy settings reflect changes that are necessary for the Security log to support the default Audit Policy. In your environment, you may need to adjust the policy settings for the application or system event logs to support other operational goals.

noteNote
To implement changes to default Event Log policy, it is recommended that you create a new GPO. This GPO can be added and linked to the Domain Controllers OU above the level of the Default Domain Controllers GPO. In this way, the nondefault settings take precedence over the default settings, and you can also easily revert to default settings by simply deleting this GPO or placing it below the default GPO in the list of linked GPOs. For more information about creating this new GPO, see the Applying Selected Domain and Domain Controller Policy Settings section.

As a part of your normal operations tasks, archive the security and system event logs regularly and frequently before they fill up, which can cause events to be missed. The recommended Event Log policy settings allow the events in the security and system event logs to be overwritten as needed. Back up the logs for future reference before any events can be overwritten.

Table 21 lists the default and recommended policy settings for domain controller Event Log policy settings.

Table 21   Recommended Domain Controller Event Log Policy Settings

Policy Default Setting Recommended Setting Comments

Maximum application log size

Not defined

(No change)

N/A

Maximum security log size

Not defined

131,072 KB

Increased to accommodate security auditing that is enabled in the default domain controller Audit Policy.

Maximum system log size

Not defined

(No change)

N/A

Prevent local guests group from accessing application log

Not defined

Enabled

Prevents members of the built-in group Guests from reading the application log events.

Prevent local guests group from accessing security log

Not defined

Enabled

Prevents members of the built-i group Guests from reading the security log events.

Prevent local guests group from accessing system log

Not defined

Enabled

Prevents members of the built-in group Guests from reading the system log events.

Retain application log

Not defined

(No change)

N/A

Retain security log

Not defined

(No change)

N/A

Retain system log

Not defined

(No change)

N/A

Retention method for application log

Not defined

(No change)

N/A

Retention method for security log

Not defined

Overwrite events as needed

Overwrites the security log when the maximum log size is reached to ensure that the log contains the most recent security events and to ensure that logging continues.

Retention method for system log

Not defined

Overwrite events as needed

Overwrites the system log when the maximum log size is reached to ensure that the log contains the most recent security events and to ensure that logging continues.

Was this page helpful?
(1500 characters remaining)
Thank you for your feedback

Community Additions

ADD
Show:
© 2014 Microsoft