When Windows Server 2003 is used to establish an Active Directory-based network, there are two default GPOs: the default domain GPO and the default domain controller GPO. These GPOs are configured to provide a basic, minimal level of security for your domain network and its domain controllers. However, there are several ways to improve upon the default settings in these two GPOs.
I usually recommend that you do not make changes directly to either of these two default GPOs. Rather, create new GPOs at the same container level as these and make your changes only to your new GPOs. By keeping the original default GPOs intact, it will be easier to return to a default setting if you make a configuration mistake.
Let's first look at security improvements above and beyond those contained in the default domain GPO. The first area we want to explore is the Account Policies section. This section contains the password policy, account lockout policy, and the Kerberos policy.
Since passwords are the primary and default means by which Windows Server 2003 protects user accounts against unauthorized use, it is important to use and enforce strong passwords. The password policy of a GPO allows network administrators to enforce a few significant password rules on every user. Here is a table listing the defaults and my recommendations. Notice that the domain GPO defaults for the password policy are already reasonably secure.
Policy | Default | Recommended
Enforce password history | 24 passwords remembered | (No change)
Maximum password age | 42 days | 30 days
Minimum password age | 1 day | (No change)
Minimum password length | 7 characters | 8 characters
Password must meet complexity requirements | Enabled | (No change)
Store password using reversible encryption | Disabled | (No change)
The account lockout policy is used to manage the automated lockout feature of Windows Server 2003. After a specified number of failed logon attempts due to incorrect passwords, a user account can be locked out. This prevents brute-force attacks against the logon prompt. Here is a table listing the defaults and my recommendations.
Policy | Default | Recommended
Account lockout duration | Not defined | 0 minutes
Account lockout threshold | 0 invalid logon attempts | 5 invalid logon attempts
Reset account lockout counter after | Not defined | 30 minutes
Note that setting the account lockout duration to 0 (zero) means a locked-out account stays locked until an administrator re-enables it. While this is the most secure setting, it is not the most convenient, especially for an administrator with lots of fumble-fingered users.
The Kerberos policy defines ticket lifetimes and related ticket-management settings. The default settings of this policy are sufficient for most environments, so I recommend leaving them as they are. Here is a chart showing the default settings of this policy.
Policy | Default
Enforce user logon restrictions | Enabled
Maximum lifetime for service ticket | 600 minutes
Maximum lifetime for user ticket | 10 hours
Maximum lifetime for user ticket renewal | 7 days
Maximum tolerance for computer clock synchronization | 5 minutes
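As an added example (not code from the original tip), the following Python script audits the Account Policies of an exported security template against the recommendations in the three tables above, covering the password policy, the account lockout policy and the Kerberos policy in one pass. It assumes the template came from `secedit /export /cfg` or from the GPO's GptTmpl.inf in SYSVOL, which store these settings under the [System Access] and [Kerberos Policy] sections with the key names used below. The sample template text is constructed to mirror the Windows Server 2003 domain defaults, and treating -1 in a template as "never" or "until an administrator unlocks" is an assumption about the template convention.

```python
"""Audit an exported security template's Account Policies against the tip's recommendations."""
import configparser
from dataclasses import dataclass
from typing import Callable, List, Optional

# Constructed sample: the [System Access] and [Kerberos Policy] sections of a
# domain still on the Windows Server 2003 defaults.  Lockout duration and reset
# counter are absent, matching "Not defined" in the default domain GPO.
SAMPLE_TEMPLATE = """\
[Unicode]
Unicode=yes
[System Access]
MinimumPasswordAge = 1
MaximumPasswordAge = 42
MinimumPasswordLength = 7
PasswordComplexity = 1
PasswordHistorySize = 24
LockoutBadCount = 0
ClearTextPassword = 0
[Kerberos Policy]
MaxTicketAge = 10
MaxRenewAge = 7
MaxServiceAge = 600
MaxClockSkew = 5
TicketValidateClient = 1
[Version]
signature="$CHICAGO$"
Revision=1
"""


@dataclass(frozen=True)
class Check:
    section: str
    key: str
    label: str                 # policy name as shown in the Group Policy console
    expected: str              # recommended value, for the report
    ok: Callable[[int], bool]  # predicate over the integer stored in the template


@dataclass(frozen=True)
class Finding:
    label: str
    status: str                # "ok", "fail" or "missing"
    actual: Optional[int]
    expected: str


def at_least(n: int) -> Callable[[int], bool]:
    return lambda v: v >= n


def at_most(n: int) -> Callable[[int], bool]:
    # Assumption: templates store "never"/"forever" as -1, and 0 disables the
    # setting (no expiry, no lockout), so only a positive value within the limit passes.
    return lambda v: 0 < v <= n


CHECKS: List[Check] = [
    Check("System Access", "PasswordHistorySize", "Enforce password history", "24 passwords", at_least(24)),
    Check("System Access", "MaximumPasswordAge", "Maximum password age", "30 days or fewer", at_most(30)),
    Check("System Access", "MinimumPasswordAge", "Minimum password age", "1 day or more", at_least(1)),
    Check("System Access", "MinimumPasswordLength", "Minimum password length", "8 characters or more", at_least(8)),
    Check("System Access", "PasswordComplexity", "Password must meet complexity requirements", "Enabled", lambda v: v == 1),
    Check("System Access", "ClearTextPassword", "Store password using reversible encryption", "Disabled", lambda v: v == 0),
    # 0 attempts disables lockout entirely, so the threshold must be 1..5.
    Check("System Access", "LockoutBadCount", "Account lockout threshold", "1-5 invalid attempts", at_most(5)),
    # "0 minutes" in the console means an administrator must unlock; assumption: stored as -1 in templates.
    Check("System Access", "LockoutDuration", "Account lockout duration", "0 (administrator unlocks)", lambda v: v in (0, -1)),
    Check("System Access", "ResetLockoutCount", "Reset account lockout counter after", "30 minutes or more", at_least(30)),
    # Kerberos policy: the tip recommends keeping the defaults, so anything else is a finding.
    Check("Kerberos Policy", "TicketValidateClient", "Enforce user logon restrictions", "Enabled", lambda v: v == 1),
    Check("Kerberos Policy", "MaxServiceAge", "Maximum lifetime for service ticket", "600 minutes", lambda v: v == 600),
    Check("Kerberos Policy", "MaxTicketAge", "Maximum lifetime for user ticket", "10 hours", lambda v: v == 10),
    Check("Kerberos Policy", "MaxRenewAge", "Maximum lifetime for user ticket renewal", "7 days", lambda v: v == 7),
    Check("Kerberos Policy", "MaxClockSkew", "Maximum tolerance for computer clock synchronization", "5 minutes", lambda v: v == 5),
]


def parse_template(text: str) -> configparser.ConfigParser:
    parser = configparser.ConfigParser(interpolation=None)  # "$CHICAGO$" must not be interpolated
    parser.optionxform = str                                 # keep the template's key casing
    parser.read_string(text)
    return parser


def audit_template(text: str) -> List[Finding]:
    cfg = parse_template(text)
    findings: List[Finding] = []
    for c in CHECKS:
        if not cfg.has_option(c.section, c.key):      # covers a missing section too
            findings.append(Finding(c.label, "missing", None, c.expected))
            continue
        value = int(cfg.get(c.section, c.key).strip().strip('"'))
        findings.append(Finding(c.label, "ok" if c.ok(value) else "fail", value, c.expected))
    return findings


def audit_file(path: str) -> List[Finding]:
    # secedit exports and SYSVOL's GptTmpl.inf are UTF-16 text with a BOM.
    with open(path, encoding="utf-16") as fh:
        return audit_template(fh.read())


def report(findings: List[Finding]) -> str:
    lines = [f"{f.status.upper():7} {f.label}: {f.actual} (recommended: {f.expected})"
             for f in findings if f.status != "ok"]
    return "\n".join(lines) if lines else "All Account Policies match the recommendations."


if __name__ == "__main__":
    print(report(audit_template(SAMPLE_TEMPLATE)))
```

Run against the constructed sample, the report flags the 42-day maximum password age, the 7-character minimum length, the disabled lockout threshold, and the two undefined lockout settings; everything else, including the Kerberos defaults, passes. Point `audit_file` at the GptTmpl.inf of the new GPO you create alongside the default domain GPO to confirm the recommended values took effect.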
The remainder of the settings in the default domain GPO are usually sufficiently secure for most environments. However, there are numerous security improvements that can be made to the default domain controller GPO. I'll dive into that topic in the next tip.
James Michael Stewart is a partner and researcher for ITinfopros, a technology-focused writing and training organization.