Five security settings to audit in Windows

Source: Internet
Author: User

In this article, we will look closely at five important security settings in Windows. Auditing these settings helps ensure that your system is at the highest security level.

The security of a Windows environment is constantly changing. Whether a computer is newly built or has been running for several years, it may not meet the security standards required by your organization. You need to audit the computer, internally or externally, to find incorrect security settings. If time is short, you can audit the most critical security settings for Windows Active Directory servers. The rest of this article describes these five settings in detail.

Security of Windows Active Directory

There are several reasons for choosing these security settings. First, setting them correctly helps Windows defend against some common attacks on the system. Second, some default security settings in Windows are insecure. If you did not set them at the very beginning, or do not check them regularly, you may have been running one computer after another with these insecure defaults. Finally, in my experience, these settings are usually overlooked and are not correctly configured, even on so-called secure and sophisticated networks.

#1 Password Policy

The initial password policy for an Active Directory domain is configured in the Default Domain Policy Group Policy object (GPO). There are multiple settings under this policy, and they should be set to at least a standard security level. Compare them against your organization's security policy to determine which values to set. If your security policy does not specify these values, you can refer to the recommended values in the following table:

Password policy setting                     | Recommended value
--------------------------------------------------------------------
Enforce password history                    | 12 to 24 passwords
Maximum password age                        | 30 to 90 days
Minimum password age                        | 1 to 3 days
Minimum password length                     | 7 to 14 characters
Password must meet complexity requirements  | Enabled
Store password using reversible encryption  | Disabled
--------------------------------------------------------------------

By default, these settings are stored in the Default Domain Policy GPO, but they should not be audited from there. Instead, use a tool such as DUMPSEC, or analyze the local security policy on a domain controller (run GPEDIT.MSC on the domain controller). DUMPSEC does not collect the password complexity requirement, so that information has to be collected through other channels. The local security policy provides all the information needed to audit these settings.

#2 Account Lockout Policy

This policy takes effect when a user forgets the password. To also prevent intruders from guessing passwords or running brute-force attacks against them, make sure this setting is used together with the other security policies. If these settings are not defined in your security policy, the following table provides the most practical values for them.

Account lockout policy setting       | Recommended value
-------------------------------------------------------------------
Account lockout duration             | 9999 (a smaller number can be set, for example, 5, but not 0)
Account lockout threshold            | 3 to 5
Reset account lockout counter after  | 9999
-------------------------------------------------------------------

Table 2

By default, these settings are stored in the Default Domain Policy GPO, but they are not audited there. Use a tool such as DUMPSEC, or analyze the local security policy on a domain controller (run GPEDIT.MSC on the domain controller).
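As an added example (not from the original article), the check below compares the password policy and account lockout settings from a domain controller's local security policy against the ranges in the two tables above. It assumes the policy was exported with `secedit /export /cfg <file>` and uses the key names from that export's `[System Access]` section; the sample export is constructed.

```python
import configparser

# (low, high) inclusive, from this article's two tables; keys as in a secedit export.
RECOMMENDED = {
    "PasswordHistorySize": (12, 24),      # Enforce password history
    "MaximumPasswordAge": (30, 90),       # days
    "MinimumPasswordAge": (1, 3),         # days
    "MinimumPasswordLength": (7, 14),     # characters
    "PasswordComplexity": (1, 1),         # Enabled
    "ClearTextPassword": (0, 0),          # reversible encryption Disabled
    "LockoutDuration": (1, 9999),         # minutes; smaller is allowed, 0 is not
    "LockoutBadCount": (3, 5),            # account lockout threshold
    "ResetLockoutCount": (9999, 9999),    # reset lockout counter after (minutes)
}

# Constructed sample export, not taken from a real system.
SAMPLE_EXPORT = """\
[System Access]
MinimumPasswordAge = 0
MaximumPasswordAge = 42
MinimumPasswordLength = 7
PasswordComplexity = 1
PasswordHistorySize = 24
LockoutBadCount = 0
ClearTextPassword = 0
[Version]
signature="$CHICAGO$"
"""

def audit_system_access(inf_text):
    """Return {setting: problem} for values missing or outside RECOMMENDED."""
    parser = configparser.ConfigParser(interpolation=None, strict=False, delimiters=("=",))
    parser.optionxform = str  # INF keys are mixed case; keep them as written
    parser.read_string(inf_text)
    findings = {}
    for key, (low, high) in RECOMMENDED.items():
        raw = parser.get("System Access", key, fallback=None)
        try:
            value = int(raw)
        except (TypeError, ValueError):  # absent (None) or not a number
            findings[key] = f"missing or non-numeric ({raw!r})"
            continue
        if not low <= value <= high:
            findings[key] = f"{value} is outside recommended {low}..{high}"
    return findings

if __name__ == "__main__":
    for setting, problem in audit_system_access(SAMPLE_EXPORT).items():
        print(f"{setting}: {problem}")
```

A real export is typically written as UTF-16, so read it with `open(path, encoding="utf-16").read()` before passing the text in. A finding means the value differs from the article's table, which includes values stricter than the recommended range.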

#3 Enterprise Admins Group Membership

The Enterprise Admins group is an important group in Active Directory. Members of this group can change "enterprise"-level functions, including modifying Active Directory sites and server DFS configuration. They can also manage all user accounts, group accounts, and computer accounts in the entire domain.

This group exists only in the root domain (the first domain in the Active Directory forest). Therefore, you only need to check one domain in the forest to audit this group. The number of members of this group should be kept small. Because members of the Domain Admins group can add or remove members of this group, we recommend that this group have no members at all.

DUMPSEC is ideal for auditing this group. You can also use Active Directory Users and Computers to view the group and the users who are its members.

#4 Schema Admins Group Membership

The permissions of this group are almost as extensive as those of the Enterprise Admins group, but they apply to a different part of Active Directory. Members of this group can modify the Active Directory schema, which affects all domains in the forest. Modifications to the schema can paralyze and crash the entire server.

This group also exists only in the root domain. Because the schema needs to be changed only rarely, the group can have no members in routine operation. Limit the number of members of the group, or simply remove them all, so that you can better manage and control schema changes.

DUMPSEC is ideal for auditing this group. You can also use Active Directory Users and Computers to view the group and the users who are its members.

#5 Domain Admins Group Membership

This group can manage all users, groups, and computers in a single domain. It has a large number of permissions and is used every day. The number of members of this group must be controlled, but do not leave the group empty. If someone needs only some domain functions, use Active Directory delegation instead of adding the user to this group. Delegation allows administration throughout Active Directory without assigning as many permissions as the Domain Admins group does. This group exists in every Active Directory domain, so you need to audit it in all of them.

DUMPSEC is ideal for auditing this group. You can also use Active Directory Users and Computers to view the group and the users who are its members.

Summary

Basic management of Active Directory is critical. If user account passwords are too simple and easily cracked, are not changed frequently, or are not set at all, the network and servers will be easy to attack. Be sure to set the password policy and account lockout policy values correctly. The most practical values can help you block various password attacks. Similarly, membership of the three Active Directory groups described above should be properly managed and audited frequently. If an ordinary user has membership in the Enterprise Admins, Schema Admins, or Domain Admins group, it may cause major losses or serious problems.

About Derek Melber

Derek is the director of the Desktop Standard flexible solution. He has compiled all books on auditing Windows security in the library at www.theiia.org. He also compiled a "Group Policy Guide" for MSPress, the only book published by Microsoft for group policies. If you have any questions for Derek, please send an email to derekm@desktopstandard.com.
