Overview
For the Microsoft Active Directory directory service running on Microsoft Windows Server 2003 computers, the domain controller server role is one of the most important roles to secure in any environment. Clients, servers, and applications rely on domain controllers for authentication, Group Policy, and a central LDAP (Lightweight Directory Access Protocol) directory, so the loss of a domain controller, or the leakage of the information it holds, can be catastrophic for an IT environment.
Because of their importance, domain controllers should always be placed in a physically secure location that only qualified administrators can access. When a domain controller must be placed in a less secure location, such as a branch office, the relevant security settings should be adjusted to limit the potential damage from the threat of physical access.
Domain Controller Baseline Policy
Unlike the other server role policies described later in this guide, the Group Policy for the domain controller server role is a baseline policy, in the same class as the Member Server Baseline Policy (MSBP) defined in Chapter 3, "Creating a Member Server Baseline". The Domain Controller Baseline Policy (DCBP) is linked to the Domain Controllers organizational unit (OU) and takes precedence over the Default Domain Controllers Policy. The settings included in the DCBP will enhance the overall security of domain controllers in any environment.
Most DCBP settings are direct copies of the MSBP. Because the DCBP is based on the MSBP, readers should review Chapter 3, "Creating a Member Server Baseline", to fully understand the many settings that are also included in the DCBP. This chapter discusses only those DCBP settings that are not included in the MSBP.
The domain controller templates are specifically designed to meet the security needs of the three environments defined in this guide. The following table shows the domain controller .inf files included in this guide and how they map to those environments. For example, the file Enterprise Client - Domain Controller.inf is the security template for the Enterprise Client environment.
Table 4.1: Domain Controller Baseline Security Templates
Note: Linking an incorrectly configured Group Policy object (GPO) to the Domain Controllers OU can severely impede the normal operation of the domain. Import these security templates with care, and before you link a GPO to the Domain Controllers OU, verify that every setting in the import is correct.
Audit Policy settings
The audit policy settings for domain controllers are the same as those specified in the MSBP. See Chapter 3, "Creating a Member Server Baseline", for more information. The baseline policy in the DCBP ensures that all relevant security audit information is recorded on the domain controllers.
User Rights Assignment
The DCBP specifies a number of user rights assignments for domain controllers. In addition to the default settings, seven other user rights are modified in the three environments defined in this guide to harden the security of your domain controllers.
This section details the user rights settings specified in the DCBP that differ from the corresponding settings in the MSBP. For summary information about the settings in this section, see the "Windows Server 2003 Security Guide Settings" Excel workbook included with this guide.
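As an added illustration (not part of the guide), the following Python script parses the [Privilege Rights] section of two security templates and lists the user rights on which a domain controller template differs from the baseline it was copied from, which is the comparison this section walks through by hand. The two template bodies and the SIDs they grant are constructed samples, not the guide's own settings.

```python
from typing import Dict, Optional, Set, Tuple

# Constructed sample templates, not the guide's own .inf files. Templates
# written by "secedit /export" are UTF-16; open those with encoding="utf-16".
MSBP_INF = """[Unicode]
Unicode=yes
[Version]
signature="$CHICAGO$"
Revision=1
[Privilege Rights]
; Administrators (S-1-5-32-544) and Authenticated Users (S-1-5-11)
SeNetworkLogonRight = *S-1-5-32-544,*S-1-5-11
SeInteractiveLogonRight = *S-1-5-32-544
SeBackupPrivilege = *S-1-5-32-544,*S-1-5-32-551
"""
DCBP_INF = """[Privilege Rights]
; constructed DC template: also grants Enterprise Domain Controllers (S-1-5-9)
SeNetworkLogonRight = *S-1-5-32-544,*S-1-5-11,*S-1-5-9
SeInteractiveLogonRight = *S-1-5-32-544
SeBackupPrivilege = *S-1-5-32-544
SeEnableDelegationPrivilege = *S-1-5-32-544
SeDenyNetworkLogonRight =
"""

Rights = Dict[str, Set[str]]

def parse_privilege_rights(inf_text: str) -> Rights:
    """Map each right in [Privilege Rights] to its grantees.
    '*S-1-...' entries are SIDs, bare names are local accounts; an empty
    value means the right is defined but granted to nobody."""
    rights: Rights = {}
    in_section = False
    for raw in inf_text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):      # blank or comment line
            continue
        if line.startswith("[") and line.endswith("]"):
            in_section = line[1:-1].strip().lower() == "privilege rights"
            continue
        if in_section and "=" in line:
            name, _, value = line.partition("=")
            rights[name.strip()] = {p.strip() for p in value.split(",") if p.strip()}
    return rights

def diff_user_rights(base: Rights, dc: Rights) -> Dict[str, Tuple[Optional[Set[str]], Optional[Set[str]]]]:
    """Rights whose grantees differ. None marks a right the template leaves
    undefined, which is not the same as one explicitly granted to nobody."""
    return {r: (base.get(r), dc.get(r))
            for r in sorted(set(base) | set(dc)) if base.get(r) != dc.get(r)}
```

Run it against the baseline template and the matching domain controller template before linking the GPO, so that every right the DCBP changes is one you expected to change.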
Access this computer from the network
Table 4.2: Setting