Strengthening Domain Controller Policy Settings

Applies To: Windows Server 2003, Windows Server 2003 R2, Windows Server 2003 with SP1, Windows Server 2003 with SP2, Windows Server 2008, Windows Server 2008 R2

In addition to Group Policy settings for domains, Windows Server 2003 Default Domain Controller Group Policy settings also protect domain controllers and Active Directory objects themselves. Domain Controller Security Policy settings apply to the Domain Controllers OU in each domain.

Domain Controller Security Policy Settings

Security Policy settings are applied at the Domain Controllers OU level by default for the following categories:

  • Local Policies, which include:

    • Audit Policy

    • User Rights Assignment

    • Security Options

  • Event Log Policy

To increase security for your domain controllers, apply the User Rights Assignment, Security Options, and Event Log settings that are recommended in the following sections. Audit Policy settings do not require change, but they are presented for your information.

Changes to Domain Controller Security Policy

APIs that were developed for earlier versions of the operating system update some security policy settings in the Default Domain Controller Policy GPO, but not others. For this reason, changes to some domain controller security policy settings must be made by editing the default GPO, but others are best implemented by creating a new GPO. For more information about changing the default domain controller security policies as opposed to creating new GPOs for domain controller security policies, see the Applying Selected Domain and Domain Controller Policy Settings section.

Audit Policy

On domain controllers that are running Windows Server 2003, auditing is turned on by default to log the success of key security events. Default auditing on domain controllers represents a change from Windows 2000 Server, which does not enable auditing by default. Although no changes are recommended in the default settings, the settings are presented here because they represent significant changes from the Windows 2000 Server default settings.

Important

There are many possible goals that you can have when you audit a domain for security purposes, such as intrusion detection or forensic analysis of security breaches. The primary goal of the security audit settings is to provide accountability for sensitive directory operations, including any administrative or configuration changes. When auditing for other reasons, such as intrusion detection, additional audit settings might need to be enabled.

When auditing is enabled on domain controllers, events are recorded in the Security event log. For the default and recommended settings for the maximum size of the Security event log, see the Strengthening Domain Controller Event Log Policy Settings section.

Note

If you make changes to Audit Policy security policy settings, make all changes by editing the Default Domain Controllers Policy GPO. Security policy settings for this GPO are available in Domain Controller Security Policy in Administrative Tools.

Table 16 lists the default and recommended settings for domain controller Audit Policy.

Audit account logon events
  Default: Success
  Recommended: (No change)
  Comments: Account logon events are generated when a domain user account is authenticated on a domain controller.

Audit account management
  Default: Success
  Recommended: (No change)
  Comments: Account management events are generated when security principal accounts are created, modified, or deleted.

Audit directory service access
  Default: Success
  Recommended: (No change)
  Comments: Directory services access events are generated when an Active Directory object with a system access control list (SACL) is accessed.

Audit logon events
  Default: Success
  Recommended: (No change)
  Comments: Logon events are generated when a domain user interactively logs on to a domain controller or a network logon to a domain controller is performed to retrieve logon scripts and policies.

Audit object access
  Default: No auditing
  Recommended: (No change)
  Comments: N/A

Audit policy change
  Default: Success
  Recommended: (No change)
  Comments: Policy change events are generated for changes to user rights assignment policies, audit policies, or trust policies.

Audit privilege use
  Default: No auditing
  Recommended: (No change)
  Comments: N/A

Audit process tracking
  Default: No auditing
  Recommended: (No change)
  Comments: N/A

Audit system events
  Default: Success
  Recommended: (No change)
  Comments: System events are generated when a user restarts or shuts down the domain controller or when an event occurs that affects either the system security or the security log.

User Rights Assignment

User rights allow users to log on and perform specific administrative or operations tasks on domain controllers. Ensure that the appropriate user rights are assigned to users in the domain so that users can perform their intended functions without compromising the security of the domain controllers. Establish the policy settings for domain controller user rights assignment to properly limit the users who can log on to the domain controllers and perform the necessary administrative tasks.

Table 17 lists the default and recommended policy settings for domain controller user rights assignment policies. Default Windows Server 2003 settings for all other user rights assignment policies are consistent with security recommendations.

Note

If you make changes to user rights assignment security policy settings, make all changes by editing the Default Domain Controllers Policy GPO. The security policy settings for this GPO are available in Domain Controller Security Policy in Administrative Tools.

Allow log on locally
  Default: Account Operators, Administrators, Backup Operators, Print Operators, Server Operators
  Recommended: Administrators, Backup Operators, Server Operators
  Comments: Account Operators and Print Operators have few (if any) reasons to log on locally to a domain controller.

Shut down the system
  Default: Account Operators, Administrators, Backup Operators, Print Operators, Server Operators
  Recommended: Administrators, Backup Operators, Server Operators
  Comments: Account Operators and Print Operators have few (if any) reasons to shut down domain controllers.

Note

Members of the Backup Operators group can log on locally to domain controllers, archive files to backup media, and overwrite system files through restore operations. The members of this group should be limited to those users who perform domain controller backup and restore operations. To reduce the number of users that have these rights, do not grant Backup Operator group membership to users who are responsible only for application backup and restore operations, such as Microsoft SQL Server operators.

Security Options

Domain controller Security Options policy settings affect the security-related Windows Server 2003 configuration settings. The domain controller Security Options policy settings affect not only the security configuration settings that are related to Active Directory, but other components in Windows Server 2003 as well, such as the network, file system, and user logon security configuration settings.

Note

To implement changes to default Security Options policy, it is recommended that you create a new GPO. This GPO can be added and linked to the Domain Controllers OU above the level of the Default Domain Controllers GPO. In this way, the nondefault settings take precedence over the default settings, and you can also easily revert to default settings by simply deleting this GPO or placing it below the default GPO in the list of linked GPOs. For more information about creating this new GPO, see the Applying Selected Domain and Domain Controller Policy Settings section.

Table 18 lists the default and recommended policy settings for domain controller Security Options. Default settings for all other security options are consistent with security recommendations.

Audit: Audit the access of global system objects
  Default: Not defined
  Recommended: Disabled
  Comments: Disables the creation of a default SACL on system objects, such as mutexes (mutually exclusive), events, semaphores, and MSDOS devices, because the default setting is “No auditing.”

Audit: Audit the use of Backup and Restore privilege
  Default: Not defined
  Recommended: Disabled
  Comments: Disables auditing for the use of user privileges, including Backup and Restore, when the “Audit privilege use” policy is enabled, because this policy is configured for “No auditing.”

Audit: Shut down system immediately if unable to log security audits
  Default: Not defined
  Recommended: Disabled
  Comments: Stops the domain controller if a security audit cannot be logged. The auditing goals for domain controllers, described in Reviewing Domain Controller Audit Policy Settings, allow overwriting security audit events as required.

Devices: Allow undock without having to log on
  Default: Not defined
  Recommended: Disabled
  Comments: Because a domain controller is most likely not a laptop, undocking should never take place. Therefore, the recommendation is to disable this setting.

Devices: Allowed to format and eject removable media
  Default: Not defined
  Recommended: Administrators
  Comments: Allows only Administrators to eject removable NTFS media to protect against the theft of sensitive data.

Devices: Prevent users from installing printer drivers
  Default: Not defined
  Recommended: Enabled
  Comments: Allows only Administrators and Server Operators to install a printer driver when adding a network printer to ensure that users cannot install a printer driver (add a network printer) and perform disk-space attacks by submitting large print jobs.

Devices: Restrict CD-ROM access to locally logged-on user only
  Default: Not defined
  Recommended: Enabled
  Comments: Allows only the interactively logged-on service administrator to access removable CD-ROM media to ensure that when no one is logged on interactively, the CD-ROM cannot be accessed over the network.

Devices: Restrict floppy access to locally logged-on user only
  Default: Not defined
  Recommended: Enabled
  Comments: Allows only interactively logged-on service administrators to access removable floppy media to ensure that the floppy disk drive cannot be accessed over the network when no one is logged on.

Devices: Unsigned driver installation behavior
  Default: Not defined
  Recommended: Do not allow installation
  Comments: Prevents insecure or untrusted device drivers from being installed on domain controllers.

Domain controller: Allow server operators to schedule tasks
  Default: Not defined
  Recommended: Disabled
  Comments: Restricts the individuals who can schedule tasks to Administrators, because scheduled tasks usually run as an elevated service.

Domain controller: Refuse machine account password changes
  Default: Not defined
  Recommended: Disabled
  Comments: It is more secure to have machine accounts regularly change their password (default: 30 days). Therefore this setting is disabled.

Domain member: Digitally encrypt or sign secure channel data (always)
  Default: Enabled / Not defined*
  Recommended: Enabled
  Comments: Requires Windows NT 4.0 with Service Pack 4 (SP4) or later on all domain controllers in local domains and all trusted domains to ensure that all security fixes have been made.

Domain member: Disable machine account password changes
  Default: Not defined
  Recommended: Disabled
  Comments: It is secure to have machine accounts regularly change their passwords. By default, the local security policy on the domain controller disables this setting.

Domain member: Maximum machine account password age
  Default: Not defined
  Recommended: 30 days
  Comments: The default local policy value is used by the Default Domain Controller Policy so that it is uniformly applied to all domain controllers.

Domain member: Require strong (Windows 2000 or later) session key
  Default: Not defined
  Recommended: Enabled
  Comments: Requires that a secure channel be established with 128-bit encryption to ensure that the key strength is not negotiated down but always uses the most secure connection possible with the domain controller.

Interactive logon: Do not display last user name
  Default: Not defined
  Recommended: Enabled
  Comments: Removes the name of the last user to successfully log off from the Log On to Windows dialog box to prevent attackers from discovering service account names on domain controllers.

Interactive logon: Do not require CTRL+ALT+DEL
  Default: Not defined
  Recommended: Disabled
  Comments: Requires CTRL+ALT+DEL before users log on to ensure that users are communicating by means of a trusted path when entering their passwords.

Interactive logon: Number of previous logons to cache (in case domain controller is not available)
  Default: Not defined
  Recommended: 0 logons
  Comments: The value 0 indicates that the domain controller does not cache previous logons and requires authentication at each logon.

Interactive logon: Prompt user to change password before expiration
  Default: Not defined
  Recommended: 14 days
  Comments: Notifies users in advance (in days) that their password is about to expire so that the user has time to construct a password that is sufficiently strong.

Interactive logon: Require Domain Controller authentication to unlock workstation
  Default: Not defined
  Recommended: Enabled
  Comments: When cached credentials are used to unlock the console, any changes to the account, such as user rights assignment, group membership changes, or disabling of the account, are not enforced. To ensure that any changes to the account are enforced immediately, require domain controller authentication of the account to unlock the console, instead of cached credentials.

Interactive logon: Require smart card
  Default: Not defined
  Recommended: (See comments)
  Comments: It is recommended that you use smart cards for logging on to both domain controllers and administrative workstations. If you have a public key infrastructure (PKI) set up to deploy smart cards, set this option to Enabled.

Interactive logon: Smart card removal behavior
  Default: Not defined
  Recommended: Force logoff
  Comments: Forces service administrators to keep smart cards inserted while they are logged on interactively on domain controllers to ensure that domain controllers are not left unattended with an active logon.

Microsoft network client: Digitally sign communications (always)
  Default: Not defined
  Recommended: (See comments)
  Comments: See SMB Signing on Domain Controllers for requirements.

Microsoft network client: Digitally sign communications (if server agrees)
  Default: Not defined
  Recommended: (See comments)
  Comments: See SMB Signing on Domain Controllers for requirements.

Microsoft network client: Send unencrypted password to third-party SMB servers
  Default: Not defined
  Recommended: Disabled
  Comments: Prohibits the SMB redirector from sending plaintext passwords to non-Microsoft SMB servers that do not support password encryption. Disable this policy unless your domain controller needs to communicate with non-Microsoft SMB servers.

Microsoft network server: Amount of idle time required before suspending session
  Default: Not defined
  Recommended: 15 min
  Comments: Controls when a domain controller suspends an inactive server message block (SMB) session, which has no security implications but which reduces SMB traffic resource usage.

Microsoft network server: Digitally sign communications (always)
  Default: Enabled / Not defined*
  Recommended: (See comments)
  Comments: See SMB Signing on Domain Controllers for requirements.

Microsoft network server: Digitally sign communications (if client agrees)
  Default: Enabled
  Recommended: (See comments)
  Comments: See SMB Signing on Domain Controllers for requirements.

Microsoft network server: Disconnect clients when logon hours expire
  Default: Not defined
  Recommended: Enabled
  Comments: Forcibly disconnects client sessions with the SMB Service when the user’s logon hours expire to ensure that network connections are secured during nonworking hours.

Network access: Do not allow storage of credentials or Windows Live ID for network authentication
  Default: Not defined
  Recommended: Enabled
  Comments: Credential storage is a usability feature that is typically not required on domain controllers.

Network access: Restrict anonymous access to Named Pipes and Shares
  Default: Not defined
  Recommended: Enabled
  Comments: Restricts anonymous access to network shared folders and named pipes to those that are enumerated in the following settings: Network access: Named pipes that can be accessed anonymously; Network access: Shares that can be accessed anonymously.

Network security: Do not store LAN Manager hash value on next password change
  Default: Not defined
  Recommended: (See comments)
  Comments: See Disabling LAN Manager Authentication for other requirements.

Network security: LAN Manager authentication level
  Default: Send NTLM response only / Not defined*
  Recommended: (See comments)
  Comments: See Disabling LAN Manager Authentication for other requirements.

Network security: LDAP client signing requirements
  Default: Not defined
  Recommended: (See comments)
  Comments: Set to “Require signing” only if all of your domain controllers are running Windows 2000 SP3 or Windows Server 2003. Otherwise, set to “Negotiate signing.”

Recovery console: Allow automatic administrative logon
  Default: Not defined
  Recommended: Disabled
  Comments: Requires that an Administrator account password be provided before access is granted to a domain controller to ensure that anyone logging on requires administrator credentials.

Recovery console: Allow floppy copy and access to all drives and all folders
  Default: Not defined
  Recommended: Disabled
  Comments: Prevents unauthorized users from gaining access to, copying, and removing the Active Directory database and other secure files from the domain controller.

Shutdown: Allow system to be shut down without having to log on
  Default: Not defined
  Recommended: Disabled
  Comments: Requires an authenticated, authorized service account to shut down or restart the domain controller.

Shutdown: Clear virtual memory pagefile
  Default: Not defined
  Recommended: Enabled
  Comments: Clears process memory data from the page file on shutdown, so that it is not exposed if an unauthorized user manages to directly access the page file.

System objects: Strengthen default permissions of internal system objects (e.g. Symbolic Links)
  Default: Not defined
  Recommended: Enabled
  Comments: Allows users who are not administrators to read shared objects but not modify them. Strengthens the default DACL of objects in the global list of shared resources, such as MSDOS device names, mutexes, and semaphores.

System settings: Optional subsystems
  Default: Not defined
  Recommended: (See comments)
  Comments: By default, Posix is the only subsystem that is enabled. If you do not need Posix, you can define this policy and remove it from the list (so that you have a blank list).

System settings: Use Certificate Rules on Windows Executables for Software Restriction Policies
  Default: Not defined
  Recommended: (See comments)
  Comments: If you have PKI set up, you can enable this setting to check certificate revocation lists (CRLs) to make sure that the software certificate and signature are valid.

* Default settings that are present when you upgrade a domain controller that is running Windows 2000 to Windows Server 2003 but that are not present when you perform a new installation of Windows Server 2003.

Disabling LAN Manager Authentication

By default, Windows operating systems earlier than Windows 2000 support only the LAN Manager (LM) authentication protocol. To provide compatibility with these earlier versions of Windows, Active Directory stores the account passwords in an LM hash format. Active Directory stores the password for the Windows NT authentication protocol (NTLM) and NTLM version 2 (NTLMv2) protocols in NTLM hash format. In the event that an attacker removes a domain controller or a domain controller hard disk, it is easier for that attacker to decrypt the passwords in LM hash format. Because the NTLM hash is cryptographically stronger than the LM hash, disable the storage of passwords in LM hash format to provide a higher level of security.

When you use a SYSKEY password or floppy disk, you encrypt the entire Active Directory database and protect any passwords. When you use one of these SYSKEY methods, there is no benefit to disabling the storing of passwords in LM hash format, aside from reducing the size of the Active Directory database.

For more information about allowing only the NTLMv2 authentication protocol, see the following articles in the Microsoft Knowledge Base at https://go.microsoft.com/fwlink/?LinkId=4441:

  • 285901, “Remote Access and VPN Clients Cannot Connect to a Server with NtlmcompatabilityLevel Set to 5”

  • 281648, “Error Message: The Account Is Not Authorized to Login from This Station”

  • 239869, “How to Enable NTLM 2 Authentication”

You can disable the storing of passwords in LM hash format by performing the following tasks:

  1. Upgrade all domain controllers, member servers, and workstations to support the NTLMv2 authentication protocol.

    Table 19 lists the operating systems and the software requirements to support the NTLMv2 authentication protocol.

    Table 19   Operating System and Software Requirements to Support NTLMv2

    Windows 95, Windows 98, Windows Millennium Edition (Windows Me)
      Requires: Directory Services Client (Dsclient.exe) in the Clients\Win9x folder on the Windows 2000 Server CD-ROM

    Windows NT Workstation 4.0 and Windows NT Server 4.0
      Requires: Service Pack 4 or later

    Windows 2000 Professional and Windows 2000 Server
      Requires: Included as part of the operating system

    Windows XP Professional
      Requires: Included as part of the operating system

    Windows Server 2003
      Requires: Included as part of the operating system

  2. Enable the following Security Option in Domain Controller Security Policy:

    Network security: LAN Manager authentication level, set to Send NTLMv2 responses/reject LM

  3. Enable the following Security Option in Domain Controller Security Policy:

    Network security: Do not store LAN Manager hash value on next password change

    Enabling this setting disables the creation of passwords in LM hash format.

  4. Require all users to change their passwords immediately.

    The passwords that are already created in LM hash format are retained until the users change their passwords. Forcing password changes eliminates any passwords that are stored in LM hash format.

    Note

    For the sake of backward compatibility, if you cannot disable storage of your passwords in the LM hash format, you might recommend that your administrators use passwords with more than 14 characters. In the event that the password hashes are stolen, the administrator accounts are protected because accounts with a password of more than 14 characters do not have an LM hash.

SMB Signing on Domain Controllers

On domain controllers that are running Windows Server 2003, default Group Policy settings allow the SMB Service and client to negotiate SMB packet signing. Domain controllers, member servers, and workstations access file shares during the user logon process to access logon scripts and profiles in the Netlogon share. In addition, domain policies are accessed through the SYSVOL share. For these reasons, all domain controllers should take advantage of SMB signing to improve security.

Table 20 lists the Security Options policy settings for SMB signing, and it explains how each setting affects client and server communications.

Table 20   Security Options Policy Settings for SMB Packet Signing

Microsoft network client: Digitally sign communications (always)
  Explanation: The domain controller requires SMB signing when initiating SMB requests with other domain controllers, member servers, or workstations. The domain controller refuses to communicate with other systems that do not support SMB signing. For enhanced security, enable this Group Policy setting.

Microsoft network client: Digitally sign communications (if server agrees)
  Explanation: The domain controller negotiates SMB signing when initiating SMB requests with other domain controllers, member servers, or workstations. The domain controller requests SMB signing, but it will communicate with other systems that do not support SMB signing. For compatibility with Windows 95 and earlier operating systems, enable this Group Policy setting.

Microsoft network server: Digitally sign communications (always)
  Explanation: The domain controller requires SMB signing when receiving SMB requests from other domain controllers, member servers, or workstations. The domain controller refuses to communicate with other systems that do not support SMB signing. For enhanced security, enable this Group Policy setting.

Microsoft network server: Digitally sign communications (if client agrees)
  Explanation: The domain controller negotiates SMB signing when receiving SMB requests from other domain controllers, member servers, or workstations. The domain controller requests SMB signing, but it will communicate with other systems that do not support SMB signing. For compatibility with Windows 95 and earlier operating systems, enable this Group Policy setting.

Enable the Security Option setting Microsoft network client: Digitally sign communications (if server agrees) in addition to Microsoft network server: Digitally sign communications (always) unless:

  • Your network has computers that are running Windows for Workgroups; Windows 95 without the DS Client Pack; Windows NT 4.0 earlier than Service Pack 3.0; or devices, including Microsoft® Windows® Powered Pocket PC 2002 and previous versions, that are based on Microsoft® Windows® CE .NET Version 4.1 or earlier. It is highly recommended that you upgrade your clients rather than disabling this security setting. The DS Client Pack, which is necessary for Windows 95 clients to perform SMB signing, can be obtained from the \clients\win9x subdirectory on the Windows 2000 Server operating system CD.

  • Your domain controllers, member servers, and workstations have insufficient available processor resources to support SMB signing. SMB signing generates higher processor utilization on the client side and the server side, an increase of up to 15 percent.

Event Log Policy

Because of the default domain controller Audit Policy settings, the maximum size of the security log must be increased to accommodate the increased number of audited events that might be generated.

The recommended Event Log policy settings reflect changes that are necessary for the Security log to support the default Audit Policy. In your environment, you may need to adjust the policy settings for the application or system event logs to support other operational goals.

Note

To implement changes to default Event Log policy, it is recommended that you create a new GPO. This GPO can be added and linked to the Domain Controllers OU above the level of the Default Domain Controllers GPO. In this way, the nondefault settings take precedence over the default settings, and you can also easily revert to default settings by simply deleting this GPO or placing it below the default GPO in the list of linked GPOs. For more information about creating this new GPO, see the Applying Selected Domain and Domain Controller Policy Settings section.

As a part of your normal operations tasks, archive the security and system event logs regularly and frequently before they fill up, which can cause events to be missed. The recommended Event Log policy settings allow the events in the security and system event logs to be overwritten as needed. Back up the logs for future reference before any events can be overwritten.

Table 21 lists the default and recommended policy settings for domain controller Event Log policy settings.

Table 21   Recommended Domain Controller Event Log Policy Settings

Maximum application log size
  Default: Not defined
  Recommended: (No change)
  Comments: N/A

Maximum security log size
  Default: Not defined
  Recommended: 131,072 KB
  Comments: Increased to accommodate security auditing that is enabled in the default domain controller Audit Policy.

Maximum system log size
  Default: Not defined
  Recommended: (No change)
  Comments: N/A

Prevent local guests group from accessing application log
  Default: Not defined
  Recommended: Enabled
  Comments: Prevents members of the built-in group Guests from reading the application log events.

Prevent local guests group from accessing security log
  Default: Not defined
  Recommended: Enabled
  Comments: Prevents members of the built-in group Guests from reading the security log events.

Prevent local guests group from accessing system log
  Default: Not defined
  Recommended: Enabled
  Comments: Prevents members of the built-in group Guests from reading the system log events.

Retain application log
  Default: Not defined
  Recommended: (No change)
  Comments: N/A

Retain security log
  Default: Not defined
  Recommended: (No change)
  Comments: N/A

Retain system log
  Default: Not defined
  Recommended: (No change)
  Comments: N/A

Retention method for application log
  Default: Not defined
  Recommended: (No change)
  Comments: N/A

Retention method for security log
  Default: Not defined
  Recommended: Overwrite events as needed
  Comments: Overwrites the security log when the maximum log size is reached to ensure that the log contains the most recent security events and to ensure that logging continues.

Retention method for system log
  Default: Not defined
  Recommended: Overwrite events as needed
  Comments: Overwrites the system log when the maximum log size is reached to ensure that the log contains the most recent system events and to ensure that logging continues.
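The following Python script is an added example, not Microsoft tooling and not part of this document: it reads a policy template exported from a domain controller with secedit /export and reports where the user rights in Table 17, the Security Options in Table 18 (LM hash storage, LAN Manager authentication level, SMB signing, cached logons) and the security log size in Table 21 fall short of the settings recommended above. The registry paths assumed for each Security Option, the well-known SIDs used for the operator groups and the sample export itself are assumptions made for this example.

```python
"""Added example (not Microsoft tooling): compare a domain controller's exported
security policy with this document's recommendations.  Input is the INI-style
template written by ``secedit /export /cfg dc_policy.inf``; Security Options sit
under [Registry Values] as ``<path>=<type>,<data>`` (4 = REG_DWORD, 1 = REG_SZ)."""

# Constructed sample export: mostly Table 17/18/21 defaults; shutdown right and client-side SMB signing already set.
SAMPLE_EXPORT = r"""
[Privilege Rights]
SeInteractiveLogonRight = *S-1-5-32-548,*S-1-5-32-544,*S-1-5-32-551,*S-1-5-32-550,*S-1-5-32-549
SeShutdownPrivilege = *S-1-5-32-544,*S-1-5-32-551,*S-1-5-32-549
[Registry Values]
MACHINE\System\CurrentControlSet\Control\Lsa\NoLMHash=4,0
MACHINE\System\CurrentControlSet\Control\Lsa\LmCompatibilityLevel=4,2
MACHINE\System\CurrentControlSet\Services\LanmanServer\Parameters\RequireSecuritySignature=4,0
MACHINE\System\CurrentControlSet\Services\LanmanWorkstation\Parameters\EnableSecuritySignature=4,1
MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\CachedLogonsCount=1,"10"
[Security Log]
MaximumLogSize = 16384
AuditLogRetentionPeriod = 0
"""

def parse_template(text):
    """Return {section: {key: value}} from a secedit template."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            sections.setdefault(current, {})
        elif current is not None and "=" in line:
            key, _, value = line.partition("=")
            sections[current][key.strip()] = value.strip()
    return sections

def registry_value(sections, path):
    """Decode one [Registry Values] entry; None means the option is Not defined."""
    raw = sections.get("Registry Values", {}).get(path)
    if raw is None:
        return None
    reg_type, _, data = raw.partition(",")
    return int(data) if reg_type == "4" else data.strip('"')

LSA = r"MACHINE\System\CurrentControlSet\Control\Lsa"
SVC = r"MACHINE\System\CurrentControlSet\Services"
# (policy as named in Table 18, assumed registry path, compliance test, recommended setting)
OPTION_CHECKS = (
    ("Network security: Do not store LAN Manager hash value on next password change",
     LSA + r"\NoLMHash", lambda v: v == 1, "Enabled"),
    ("Network security: LAN Manager authentication level", LSA + r"\LmCompatibilityLevel",
     lambda v: v is not None and v >= 4, "Send NTLMv2 responses/reject LM (level 4 or higher)"),
    ("Microsoft network server: Digitally sign communications (always)",
     SVC + r"\LanmanServer\Parameters\RequireSecuritySignature", lambda v: v == 1, "Enabled"),
    ("Microsoft network client: Digitally sign communications (if server agrees)",
     SVC + r"\LanmanWorkstation\Parameters\EnableSecuritySignature", lambda v: v == 1, "Enabled"),
    ("Interactive logon: Number of previous logons to cache",
     r"MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\CachedLogonsCount",
     lambda v: v == "0", "0 logons"),
)
# Table 17 keeps only Administrators, Backup Operators and Server Operators (built-in SIDs).
DC_OPERATOR_SIDS = {"*S-1-5-32-544", "*S-1-5-32-551", "*S-1-5-32-549"}

def audit(text):
    """Return (policy, recommended, actual) for every setting below the baseline."""
    s, findings = parse_template(text), []
    for right, name in (("SeInteractiveLogonRight", "Allow log on locally"),
                        ("SeShutdownPrivilege", "Shut down the system")):
        holders = {h.strip() for h in s.get("Privilege Rights", {}).get(right, "").split(",")}
        extra = sorted(holders - DC_OPERATOR_SIDS - {""})
        if extra:  # e.g. Account Operators (...-548) and Print Operators (...-550)
            findings.append((name, "Administrators, Backup Operators, Server Operators", extra))
    for name, path, ok, wanted in OPTION_CHECKS:
        actual = registry_value(s, path)
        if not ok(actual):
            findings.append((name, wanted, "Not defined" if actual is None else actual))
    size = s.get("Security Log", {}).get("MaximumLogSize")
    if size is None or int(size) < 131072:  # Table 21 recommends 131,072 KB
        findings.append(("Maximum security log size", "131,072 KB", size or "Not defined"))
    return findings

if __name__ == "__main__":
    for policy, wanted, actual in audit(SAMPLE_EXPORT):
        print(f"{policy}: recommended {wanted}, found {actual}")
```

Run it against a real export after confirming the registry paths for your build; a setting that the export does not contain is reported as Not defined, which is how the tables above describe an unconfigured option.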