Strengthening Domain Policy Settings

Applies To: Windows Server 2003, Windows Server 2003 R2, Windows Server 2003 with SP1, Windows Server 2003 with SP2, Windows Server 2008, Windows Server 2008 R2

Domain security policy settings provide Active Directory with domain-wide security options for handling authentication and authorization of Active Directory security principals. These policy settings are implemented as security settings within the Default Domain Policy GPO. Domain policy is applied to all security principal accounts in the domain, unless inheritance is specifically blocked or overridden by another policy.

Security Policy settings are applied at the domain level by default for the following categories:

  • Account Policies, which include:

    • Password Policy

    • Account Lockout Policy

    • Kerberos Policy

Modifying Domain Security Policy

You can make changes to Group Policy by modifying the default GPO or by creating a new GPO. The recommendation for making changes to domain security policy is to always modify the default GPO. The primary reason for this recommendation is that APIs that were developed for earlier versions of the operating system update policy settings in the Default Domain Policy GPO. For this reason, make all changes to domain security policy settings by editing this GPO.

To strengthen security across your domain, apply the Password Policy, Account Lockout Policy, and Kerberos Policy settings that are recommended in this guide.

Password Policy

In Windows Server 2003, the most common means of authenticating a user’s identity is the use of secret user passwords. After a user has been identified and authenticated, the user can perform any tasks or access any resource for which the user’s account is authorized. Strong passwords generally enhance security for Active Directory users. Using strong passwords helps avoid the threat of an unauthorized user guessing (cracking) a weak password and acquiring the credentials of the compromised user account. This benefit applies especially to administrative accounts, because an unauthorized user could obtain administrative credentials and thereby gain elevated privileges.

A complex password that changes regularly reduces the likelihood of a successful spoofing attack. Password Policy settings control the complexity and lifetime for passwords. Table 13 includes the default and recommended Password Policy settings for a domain.

Policy | Default | Recommended | Comments
--- | --- | --- | ---
Enforce password history | 24 passwords remembered | (No change) | Prevents users from reusing passwords.
Maximum password age | 42 days | (No change) | N/A
Minimum password age | 1 day | (No change) | Prevents users from cycling through their password history to reuse passwords.
Minimum password length | 7 characters | (No change) | Sets minimum password length.
Password must meet complexity requirements | Enabled | (No change) | For the definition of a complex password, see “Creating a Strong Administrator Password” in the Establishing Secure Domain Controller Build Practices section.
Store password using reversible encryption | Disabled | (No change) | N/A

Note

If possible, use smart cards throughout your organization to ensure that the strongest possible passwords are used on user accounts. Using smart cards causes the system to automatically generate cryptographically strong random passwords for accounts. If you are unable to provide smart cards for all users, require service administrator accounts to use smart cards. For more information about smart cards, see Chapter 5: Establishing Secure Administrative Practices later in this guide.

Account Lockout Policy

More than a few unsuccessful password tries during the logon process can represent an attempt by an attacker to determine an account password by trial and error. Windows Server 2003 keeps track of logon attempts, and it can be configured to respond to this type of attack by disabling the account for a preset period of time. This response is referred to as account lockout.

Account Lockout Policy settings control the threshold for this response and the actions to be taken when the threshold is reached. Table 14 includes the default and recommended Account Lockout Policy settings.

Policy | Default | Recommended | Reason
--- | --- | --- | ---
Account lockout duration | Not defined | 0 minutes | A value of 0 means that a locked-out account does not unlock automatically; an administrator must re-enable the account.
Account lockout threshold | 0 invalid logon attempts | 20 invalid logon attempts | A value of 0 means that failed password tries never cause account lockout. Because an account lockout duration of 0 minutes (administrator reset) is recommended, a small value for this setting can result in frequent administrator interventions.
Reset account lockout counter after | Not defined | 30 minutes | This setting protects against a sustained dictionary attack by imposing a nontrivial delay after 20 unsuccessful attempts.
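The following audit script is an added example, not part of this guide, that reads the effective domain password and lockout settings and compares them with the values recommended in Tables 13 and 14. It assumes the ActiveDirectory PowerShell module (RSAT) on a domain-joined host with read access to the domain; the variable and property names used are the module's own.

```powershell
# Added example: audit the effective default domain password and account
# lockout policy against the values recommended in Tables 13 and 14.
# Assumes the ActiveDirectory module (RSAT) and a domain-joined host.
Import-Module ActiveDirectory

$policy = Get-ADDefaultDomainPasswordPolicy

# Recommended values from this guide. Age and lockout settings are TimeSpans;
# a lockout duration of 0 means "locked until an administrator unlocks it".
$recommended = @{
    PasswordHistoryCount        = 24
    MaxPasswordAge              = New-TimeSpan -Days 42
    MinPasswordAge              = New-TimeSpan -Days 1
    MinPasswordLength           = 7
    ComplexityEnabled           = $true
    ReversibleEncryptionEnabled = $false
    LockoutDuration             = New-TimeSpan -Minutes 0
    LockoutThreshold            = 20
    LockoutObservationWindow    = New-TimeSpan -Minutes 30
}

# One row per setting; Compliant is $false wherever the domain deviates.
$findings = foreach ($name in $recommended.Keys) {
    $actual   = $policy.$name
    $expected = $recommended[$name]
    [pscustomobject]@{
        Setting     = $name
        Current     = $actual
        Recommended = $expected
        Compliant   = ($actual -eq $expected)
    }
}

$findings | Sort-Object Setting | Format-Table -AutoSize

# Exit non-zero when any setting deviates, so the script can run as a
# scheduled compliance check.
if ($findings | Where-Object { -not $_.Compliant }) { exit 1 }
```

With the defaults in Tables 13 and 14, only the three lockout rows should report as non-compliant; correct them by editing the Default Domain Policy GPO, as this guide recommends, rather than writing the domain attributes directly.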

Kerberos Policy

In Windows Server 2003, Kerberos provides the default mechanism for authentication services, as well as the authorization data that is necessary for a user to access a resource and perform a task with that resource. If the lifetimes of Kerberos tickets are reduced, the risk of having a legitimate user’s credentials stolen and used by an attacker diminishes. However, authorization overhead increases. Table 15 includes the default Kerberos policy settings. No changes to these default settings are recommended.

Policy | Default | Recommended | Comments
--- | --- | --- | ---
Enforce user logon restrictions | Enabled | (No change) | N/A
Maximum lifetime for service ticket | 600 minutes | (No change) | N/A
Maximum lifetime for user ticket | 10 hours | (No change) | N/A
Maximum lifetime for user ticket renewal | 7 days | (No change) | N/A
Maximum tolerance for computer clock synchronization | 5 minutes | (No change) | Maximum tolerance between the client’s and server’s clocks.