Adding and Securing a Computer Running Windows Server 2003 in a Windows Small Business Server 2003 Active Directory Domain

On This Page

Introduction
Before You Begin
Joining a Server Running Windows Server 2003, Standard Edition to a Domain
Securing a Domain Member Server
Related Information

Introduction

Using Microsoft Active Directory directory service domains with Microsoft Windows Server 2003, Standard Edition can help you to enhance security by taking advantage of standards-based identity and authentication features.

When you add a new server to your network, it is not automatically connected to your domain. Because the new server is not yet managed by settings provided by Active Directory, Group Policy settings, or logon scripts, it cannot take advantage of the security benefits of the domain. The server may therefore be more easily compromised and can potentially expose your entire network to security threats. If you use Active Directory, it is a good idea to join a new server to your domain immediately after you have installed its operating system to enable centralized management, specify centralized computer policies, and grant other users access to server resources.

Active Directory helps to give you increased assurance that users who log onto your network have been authenticated. Authentication is the process of validating the credentials of a person, computer process, or device. Authentication requires the person, process, or device that makes the request to provide a credential that proves it is what or who it says it is. Common forms of credentials are digital signatures, smart cards, biometric data, and a combination of user names and passwords.

When you join new servers to your domain, Group Policy settings that are already in place are automatically applied to these new domain members. Therefore, you do not need to configure the new servers locally to bring them up to a domain standard, such as a strong password policy. The member server that is joined to the domain is protected by Group Policy through Active Directory. Only members of the Domain Administrators group and other groups that you specify have rights to modify domain information, including members (such as users and computers) and group policies. Domain member servers also have local administrators who can perform many administrative tasks such as adding and removing programs, but they do not have access to modify Active Directory features.

This document provides step-by-step instructions for the following two tasks:

  • Joining a server running Windows Server 2003, Standard Edition to a domain

  • Securing a domain member server

The time to complete both tasks is approximately one hour, total.

IMPORTANT: The instructions in this document were developed by using the Start menu that appears by default when you install your operating system. If you have modified your Start menu, the steps might differ slightly.

For definitions of security-related terms, see the following:

Before You Begin

If you are using Windows Server 2003, Standard Edition, you must add the Group Policy Management Console (GPMC), which is a free download available on the Microsoft Windows Server System Web site at https://go.microsoft.com/fwlink/?LinkId=31715. The GPMC is already installed on a computer running Microsoft Windows Small Business Server 2003.

To ensure that Windows Server 2003, Standard Edition performs well, it is recommended that you have 1.5 gigabytes (GB) of available disk space for setup, a CPU speed of 550 megahertz (MHz), and 256 megabytes (MB) of RAM. For more information about operating system requirements, see "System Requirements" on the Microsoft Windows Server System Web site at https://go.microsoft.com/fwlink/?LinkId=31716.

To attain acceptable performance for Windows Small Business Server, it is recommended that you have 4 GB of available hard disk space, a CPU speed of 550 MHz, and 512 MB of RAM. For more information, see "System Requirements for Windows Small Business Server 2003" on the Windows Server System Web site at https://go.microsoft.com/fwlink/?LinkId=31717.

Note: Based on your system configuration, requirements might vary.

Joining a Server Running Windows Server 2003, Standard Edition to a Domain

Joining a server running Windows Server 2003, Standard Edition to a domain allows the server to be managed by Active Directory and Group Policy. This helps enhance security because access to the server is controlled by standardized security settings across your network, which limits what can be done on the server and who can do it. This section provides step-by-step instructions on how to join a workgroup server to an existing Windows Server 2003 domain, and then log onto the domain from that server.

Completing the Set Up Server Wizard

This section explains how to configure a domain computer account.

Requirements
  • Credentials: You must be logged onto the Windows Small Business Server domain controller as a member of the Domain Admins group.

    Note: Screen shots in this document reflect a test environment. The information that you see on your screen might differ slightly from the information shown in these screen shots.

Start the Set Up Server Wizard

  1. On the domain controller running Windows Small Business Server, click Server Computers in the tree pane (on the left) of Server Management. (If Server Management is not open, click Start and point to Server Management.)

  2. In the details pane (on the right), click Set Up Server Computers.

Type the information that the Set Up Server Wizard requires

  1. On the Welcome to the Set Up Server Wizard page, click Next.

  2. On the Server Computer Name page, type your member server name in the Server name box, and then click Next (Figure 1).


    Figure 1 Typing name of the member server in the Set Up Server Wizard

  3. On the IP Address Confirmation page, do one of the following:

    • If you are using DHCP to assign the member server IP address, accept the default, and then click Next (Figure 2).

      OR

    • Click Use the following static IP address, type the address that you want to use for the server, and then click Next (Figure 2).


      Figure 2 Specifying how the member server obtains an IP address

  4. On the Completing the Set Up Server Wizard page, verify that the information is correct, and then click Finish.

  5. In the Finishing Your Installation dialog box, note the URL, and then click OK (Figure 3).

    Figure 3 The URL for the new member server


Joining the Member Server to the Domain

The person who joins the server to the domain is a local computer Administrator who knows the credentials of a domain user who has permission to perform this task.

Requirements
  • Credentials: You must be logged onto the server as a member of the local Administrators group. Typically, the primary user of a workgroup server is a member of the local Administrators group.

Connect to the Network Configuration Web page

  1. On the new member server, log on as a member of the local Administrators security group.

  2. Click Start, point to All Programs, and select Internet Explorer.

  3. In the Address box, type the URL that you noted earlier in the Finishing Your Installation dialog box.

  4. Click Connect to the network now (Figure 4).

    Figure 4 Connecting to the Network Configuration Web page


  5. In the Security Warning dialog box, click Yes to install the ActiveX control (Figure 5).

    Figure 5 Installing the ActiveX control


  6. On the User Account and Password Information page of the Small Business Server Network Configuration Wizard, type the user name of an account that has permission to join computers to the domain in the User name box, and the matching password in the Password box. Then click Next (Figure 6).


    Figure 6 Entering user account and password information

  7. On the Computer Name page, select the member server name from the Available Computer Names box, and then click Next.

  8. Review the information, and then click Finish.

  9. Click Continue to restart the new member server.

Logging on to the Domain

To log on to the domain from the member server

  1. On the server that you added to the domain, press CTRL+ALT+DELETE.

  2. Next to User name, type the user name of a Domain Administrator (Figure 7).

  3. Next to Password, type the password that is associated with the Domain Administrator account.

  4. Click Options.

  5. Type or select the domain name in the Log on to list, and then click OK.

    Figure 7 Logging on to the domain from the member server


Verifying New Settings

You can verify whether or not you successfully joined the server to your domain by completing the following steps.

To verify the domain user name and computer

  1. Click Start, and then click Command Prompt.

  2. At the command prompt (Figure 8), type:

    whoami

  3. Press Enter, and then verify the accuracy of the information that appears.

    Figure 8 An example of an accurate domain name


  4. At the command prompt, type:

    exit

  5. Press Enter.

  6. Click Start, right-click My Computer, and then click Properties.

  7. Click the Computer Name tab, and verify that the Full computer name and Domain information is correct.

  8. Click Cancel to exit the System Properties dialog box.
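The steps above check the join by hand with whoami and the Computer Name tab. The following Windows PowerShell script is an added example, not part of the original article, that performs the same check from a script: it reads the computer's domain membership from WMI (Win32_ComputerSystem) and the logged-on account from the current security identity (the same value whoami prints), and compares the domain against the one you expect. It assumes Windows PowerShell is installed on the member server; the domain name contoso.local is taken from Figure 10 and is only an example.

```powershell
# Added example (not from the original article): verify the domain join from
# the member server. Assumes Windows PowerShell is installed on the server.

function Test-DomainJoin {
    param([string]$ExpectedDomain = "contoso.local")  # example domain from Figure 10

    # Win32_ComputerSystem exposes PartOfDomain and the DNS name of the domain
    $cs = Get-WmiObject -Class Win32_ComputerSystem

    # The current identity is the DOMAIN\user value that "whoami" prints
    $identity = [System.Security.Principal.WindowsIdentity]::GetCurrent()

    $result = New-Object PSObject
    $result | Add-Member NoteProperty ComputerName  $cs.Name
    $result | Add-Member NoteProperty PartOfDomain  $cs.PartOfDomain
    $result | Add-Member NoteProperty Domain        $cs.Domain
    $result | Add-Member NoteProperty LoggedOnAs    $identity.Name
    $result | Add-Member NoteProperty DomainMatches ($cs.PartOfDomain -and ($cs.Domain -eq $ExpectedDomain))
    return $result
}

$check = Test-DomainJoin -ExpectedDomain "contoso.local"
$check | Format-List

if (-not $check.DomainMatches) {
    Write-Warning "This server is not a member of the expected domain. Repeat the join steps."
}
```

If PartOfDomain is False, or LoggedOnAs still shows the local computer name rather than the domain name before the backslash, the join or the domain logon did not take effect and the earlier steps should be repeated.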

Securing a Domain Member Server

After you have joined a server to your domain, there are a few additional tasks that you complete to secure the server in your network. Completing the following tasks also helps to simplify day-to-day server and user management:

  • Disable the local Administrator account.

  • Create an organizational unit (OU) for member servers.

  • Create a Group Policy object based on a Microsoft security template.

Disabling the Local Administrator Account

This section provides step-by-step instructions on how to disable the local Administrator account on the domain member server, and then remove any non-domain administrators from the local Administrators group. Disabling the local Administrator account enhances security by reducing the number of accounts that can be used to access the server. Remember to enable the local Administrator account before removing the member server from the domain, or you will not have administrative access to the computer.

Requirements
  • Credentials: You must be logged onto the domain member server as a member of the local Administrators group.

To disable the local Administrator on the domain member server

  1. Click Start, right-click My Computer, and then click Manage.

  2. In the tree pane (on the left) of the Computer Management console, expand Local Users and Groups, and then click Users.

  3. In the details pane (on the right), double-click the Administrator account.

  4. Select Account is disabled, and then click OK.

  5. Close the Computer Management console.

  6. Log off of the domain member server.

    Note: It is recommended that you log off of a server when you are not performing tasks on it.
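As an added example that is not part of the original article, the following Windows PowerShell script does the same two things from the command line on the member server: it sets the disabled flag on the built-in Administrator account through the WinNT ADSI provider, and it lists the members of the local Administrators group whose accounts do not come from the domain, so you can review and remove them. It assumes Windows PowerShell is installed, that you run it as a member of the local Administrators group, and that CONTOSO is your domain's NetBIOS name (a constructed value).

```powershell
# Added example (not from the original article). Uses the WinNT ADSI provider
# that ships with Windows Server 2003. Run as a member of local Administrators.

function Disable-LocalAdministrator {
    $user = [ADSI]"WinNT://./Administrator,user"
    # ADS_UF_ACCOUNTDISABLE (0x2) is a bit in the UserFlags mask
    $flags = [int]$user.UserFlags.Value
    if (($flags -band 0x2) -eq 0) {
        $user.Put("UserFlags", ($flags -bor 0x2))
        $user.SetInfo()
    }
    # Re-read and report whether the account is now disabled
    $user = [ADSI]"WinNT://./Administrator,user"
    return (([int]$user.UserFlags.Value -band 0x2) -ne 0)
}

function Get-NonDomainLocalAdmins {
    param([string]$DomainNetBIOS)   # constructed example: "CONTOSO"
    $group = [ADSI]"WinNT://./Administrators,group"
    $members = @($group.psbase.Invoke("Members"))
    $nonDomain = @()
    foreach ($m in $members) {
        # ADsPath looks like WinNT://CONTOSO/Domain Admins or WinNT://SERVER01/SomeUser
        $adsPath = $m.GetType().InvokeMember("ADsPath", 'GetProperty', $null, $m, $null)
        if ($adsPath -notmatch "^WinNT://$DomainNetBIOS/") {
            $nonDomain += $adsPath
        }
    }
    return $nonDomain
}

if (Disable-LocalAdministrator) { "Local Administrator account is disabled." }

# Report only; remove a member deliberately with $group.Remove($adsPath)
Get-NonDomainLocalAdmins -DomainNetBIOS "CONTOSO" |
    ForEach-Object { "Local (non-domain) member of Administrators: $_" }
```

The built-in Administrator account itself appears in the report because it remains a member of the group; it is disabled rather than removed. To re-enable it before leaving the domain, as the text above requires, clear the 0x2 bit with the same Put and SetInfo calls.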

Creating an Organizational Unit (OU) to Manage Member Servers

Servers and client computers have different security requirements. Using the features of Active Directory, you can build a management structure that helps you to securely manage both types of computers.

The following steps are created for Windows Small Business Server 2003, although you can perform the same steps on Windows Server 2003, Standard Edition by going to the Start menu and clicking Administrative Tools.

Requirements
  • Credentials: You must be logged onto the domain member server as a member of the local Administrators group.

To create a new OU to manage member servers

Note: Your organization may have an existing OU structure to manage server and client computers. The steps below are intended to be used if no OU structure exists in your organization. The Windows Server 2003 Security Guide at https://go.microsoft.com/fwlink/?LinkId=31741 has additional information on best practices for creating an OU structure to manage users and computers.

  1. Log onto a server running Windows Small Business Server 2003 as a member of the Domain Administrators group.

  2. On the Start menu, click Server Management.

  3. In the tree pane (on the left), expand Advanced Management, click Active Directory Users and Computers, and select the node for your domain name (Figure 9).

  4. On the Action menu, point to New, and then click Organizational Unit.


    Figure 9 Adding an OU

  5. Next to Name, type Member Servers OU and then click OK.

    The view refreshes and the new OU appears selected.

To move the new domain member server into the OU

  1. In the tree pane, under your domain name, expand MyBusiness | Computers, and then select the SBSServers node.

  2. Drag and drop the computer object for the new domain member server from the details pane onto the Member Servers OU in the console tree.

  3. In the tree pane, select Member Servers OU, and then confirm the success of the move.

  4. Collapse the Active Directory Users and Computers node.

Creating and Linking a New Group Policy Object for the New Organizational Unit (OU)

Now that the domain member server is in an Active Directory OU, you can manage it by using Group Policy. The advantage of managing security (and other settings) by using this feature is that you configure the settings one time only, and they apply to all objects in the container. If you add another server, or rebuild this one, and place it in the OU, all of your configured settings apply to that server as well.

Requirements

To create a new Group Policy object in the Group Policy Management Console

  1. In the tree pane (on the left), expand Advanced Management, and then select Group Policy Management.

  2. Expand Forest: <DomainName> (Contoso.local in the example in Figure 10), Domains, <DomainName>, and then select the Group Policy objects node.


    Figure 10 Adding a Group Policy object in the Group Policy Management Console

  3. On the Action menu, click New.

  4. In the New GPO dialog box, next to Name, type High Security - Member Server Baseline and then click OK.

  5. In the details pane, right-click High Security - Member Server Baseline, and then click Edit (Figure 11).


    Figure 11 Editing the Group Policy objects on the server

  6. In the console tree of the Group Policy object Editor, under Computer Configuration, expand Windows Settings.

  7. Under Windows Settings, right-click Security Settings, and then click Import Policy (Figure 12).


    Figure 12 The Group Policy object Editor

  8. In the Import Policy From window, select High Security - Member Server Baseline.inf (located in the %windir%\security\templates subfolder), and then click Open (Figure 13).

    This template, other templates and other security guidance are available as part of the Windows Server 2003 Security Guide on the Microsoft Download Center Web site at https://go.microsoft.com/fwlink/?LinkId=31741. After you extract it by running the executable, you can either copy the templates to the %windir%\security\templates folder or browse to the extraction directory in the Import Policy From dialog (Figure 14). In addition to these templates, the Windows Server 2003 Security Guide\Tools and Templates\Security Guide\Security Templates directory also includes an Excel spreadsheet detailing the settings of each template.

    Figure 13 Importing a Group Policy


    Figure 14 Defining security settings by using the file High Security - Member Server Baseline.inf


  9. Close the Group Policy object Editor.

  10. In the tree pane, expand Group Policy objects, and then select High Security - Member Server Baseline.

  11. If you see a Microsoft Internet Explorer security dialog box displayed at any time, click Add.

    The default installation of Internet Explorer on any Windows Server 2003 operating system displays this type of dialog box as a security precaution.

  12. At the Trusted Sites dialog box, click Add, and then click Close.

  13. Click the Settings tab.

  14. In the details pane, you can now click the Show All link next to the settings to see which security settings were imported into the Group Policy object.

To link the High Security - Member Server Baseline to the Member Servers OU

  1. In the tree pane, drag and drop the High Security - Member Server Baseline onto the Member Servers OU.

  2. To link the policy, click OK.

  3. In the tree pane, expand the Member Servers OU.

    Note the link to the High Security - Member Server Baseline Group Policy object.

  4. Close all open windows and log off.
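The two procedures above (creating the Member Servers OU and moving the computer object into it, then creating the High Security - Member Server Baseline GPO and linking it to the OU) can also be done from a script on the domain controller. The following Windows PowerShell script is an added example, not code from the original article or from Microsoft: it creates the OU with ADSI, moves the computer object out of the MyBusiness\Computers\SBSServers container named in the steps, and creates and links the GPO through the GPMgmt.GPM COM interface that the Group Policy Management Console installs. It assumes Windows PowerShell and the GPMC are installed on the Windows Small Business Server domain controller and that you run it as a member of Domain Admins. The domain contoso.local comes from Figure 10; SERVER01 is a constructed member server name. Importing the security template (.inf) into the GPO is still done in the Group Policy Object Editor as in step 8, because GPMgmt.GPM does not expose that operation.

```powershell
# Added example (not from the original article). Run on the Windows Small
# Business Server domain controller as a member of Domain Admins, with the
# GPMC installed (it provides the GPMgmt.GPM COM object).

$domainDN     = "DC=contoso,DC=local"                        # example domain from Figure 10
$domainDns    = "contoso.local"
$ouName       = "Member Servers OU"                          # OU name used in the steps
$gpoName      = "High Security - Member Server Baseline"     # GPO name used in the steps
$memberServer = "SERVER01"                                   # constructed member server name

# 1. Create the OU under the domain root if it does not already exist.
$ouDN = "OU=$ouName,$domainDN"
if (-not [ADSI]::Exists("LDAP://$ouDN")) {
    $root = [ADSI]"LDAP://$domainDN"
    $ou   = $root.Create("organizationalUnit", "OU=$ouName")
    $ou.SetInfo()
    "Created $ouDN"
}

# 2. Move the computer object from MyBusiness\Computers\SBSServers into the new OU.
$computerDN = "CN=$memberServer,OU=SBSServers,OU=Computers,OU=MyBusiness,$domainDN"
if ([ADSI]::Exists("LDAP://$computerDN")) {
    $computer = [ADSI]"LDAP://$computerDN"
    $computer.psbase.MoveTo([ADSI]"LDAP://$ouDN")
    "Moved $memberServer into $ouDN"
}

# 3. Create the GPO and link it to the OU through the GPMC COM interface.
$gpm       = New-Object -ComObject GPMgmt.GPM
$const     = $gpm.GetConstants()
$gpmDomain = $gpm.GetDomain($domainDns, "", $const.UseAnyDC)

$gpo = $gpmDomain.CreateGPO()
$gpo.DisplayName = $gpoName

$som  = $gpmDomain.GetSOM($ouDN)          # the OU as a scope of management
$link = $som.CreateGPOLink(-1, $gpo)      # -1 appends the link after any existing links

# 4. Report the result so it can be compared with what GPMC shows.
"GPO  : {0} ({1})" -f $gpo.DisplayName, $gpo.ID
"Link : {0}, enabled={1}" -f $ouDN, $link.Enabled
```

After the script runs, open Group Policy Management, expand the Member Servers OU and confirm that the link to High Security - Member Server Baseline is present, then import the template as described in the steps above.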

Verifying New Settings

Check the domain member server to be sure that the changes you made to its settings have taken effect.

To verify the Group Policy settings of the domain member server

  1. Log onto your domain member server as a member of the Domain Administrators group.

  2. On the Start menu, click Run.

  3. In the Open field, type gpupdate, and then click OK.

    Note: Group Policy is refreshed on domain members at regular intervals. However, the gpupdate command ensures that all active policies are refreshed immediately.

  4. When the command completes, click Start, and then click Run again.

  5. In the Open field, type rsop.msc and then click OK.

    This command opens the Resultant Set of Policy management console and automatically retrieves Group Policy information for the server.

  6. In the details pane under Computer Configuration, expand Windows Settings, expand Security Settings, expand Local Policies, and then select Audit Policy.

  7. In the details pane, notice the Computer Setting for the Audit account management (this is the "winning" policy setting) and double-click Audit account management.

  8. In the Audit account management Properties dialog box (Figure 15), click the Precedence tab.

    The Group Policy settings are listed in order, with the last applied setting at the top of the list.

    Figure 15 Account lockout threshold properties


  9. Verify the Group Policy settings, and then close all windows and log off.
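The procedure above reads the winning audit policy setting in the Resultant Set of Policy console. As an added example that is not part of the original article, the following Windows PowerShell script checks the same thing without the console: it forces a policy refresh with gpupdate, exports the effective local security settings with secedit, and parses the [Event Audit] section of the exported template to show which audit categories are now enforced on the member server. It assumes Windows PowerShell is installed and that you run it as a member of the Domain Admins group; the export path is a constructed value.

```powershell
# Added example (not from the original article). Refresh Group Policy, export
# the effective security settings with secedit and read the audit policy that
# the article has you check in RSoP. Run as a member of Domain Admins.

function Get-EffectiveAuditPolicy {
    param([string]$ExportPath = "$env:TEMP\effective-security.inf")  # constructed path

    gpupdate /force | Out-Null
    secedit /export /cfg $ExportPath /quiet | Out-Null

    # The export is an INF file; audit settings live under [Event Audit] as
    # Name = Value lines, e.g. AuditAccountManage = 3
    $inEventAudit = $false
    $audit = @{}
    foreach ($line in Get-Content $ExportPath) {
        if ($line -match '^\[(.+)\]$') {
            $inEventAudit = ($matches[1] -eq 'Event Audit')
            continue
        }
        if ($inEventAudit -and $line -match '^(\w+)\s*=\s*(\d+)') {
            $audit[$matches[1]] = [int]$matches[2]
        }
    }
    return $audit
}

# secedit stores each category as a bit mask: 1 = Success, 2 = Failure, 3 = both
function Convert-AuditValue {
    param($Value)
    if ($Value -eq $null) { return "Not defined" }
    switch ([int]$Value) {
        0       { "No auditing" }
        1       { "Success" }
        2       { "Failure" }
        3       { "Success, Failure" }
        default { "Unknown ($Value)" }
    }
}

$audit = Get-EffectiveAuditPolicy
"Audit account management : " + (Convert-AuditValue $audit['AuditAccountManage'])
"Audit logon events       : " + (Convert-AuditValue $audit['AuditLogonEvents'])
"Audit policy change      : " + (Convert-AuditValue $audit['AuditPolicyChange'])
"Audit privilege use      : " + (Convert-AuditValue $audit['AuditPrivilegeUse'])
```

The Audit account management value shown here is the same winning setting that step 7 has you read in the Computer Setting column; if it still reads "No auditing" after the refresh, the GPO link or the template import did not take effect and should be rechecked in Group Policy Management.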

Related Information

For more information about securing a domain member server, see the following:

For more information about securing a computer running Windows Server 2003, see the following:

For more information about Windows Server 2003 Domain Name System (DNS), see the following:

For definitions of security-related terms, see the following: