UW Forest Group Policies
The need for these group policies arose in response to the threat presented by Microsoft bulletin MS02-001. As discussed at the quarterly forest meeting, establishing a baseline of security at the domain controllers is the best way to help mitigate this threat. Notable other changes include physically securing the location of domain controllers and removing all other user services from domain controllers. Other implications and changes are listed in the meeting notes of the October 4, 2002 UW Forest Administrators meeting.
Please follow best practices when applying these changes to minimize the impact of potential problems. In other words, minimize the number of modifications at one time, test client functionality after changes, and ask about settings that you don't understand.
Items in Green are suggested, not required.
DC OU GPOs:
"DC OU Mandatory Policy" No Override
Computer Configuration/Windows Settings/Security Settings/Local Policies/Audit Policy/Audit account logon events=Success,Failure
Computer Configuration/Windows Settings/Security Settings/Local Policies/Audit Policy/Audit account management=Success,Failure
Computer Configuration/Windows Settings/Security Settings/Local Policies/Audit Policy/Audit directory service access=Failure
Computer Configuration/Windows Settings/Security Settings/Local Policies/Audit Policy/Audit logon events=Success,Failure
Computer Configuration/Windows Settings/Security Settings/Local Policies/Audit Policy/Audit object access=Failure
Computer Configuration/Windows Settings/Security Settings/Local Policies/Audit Policy/Audit policy change=Success,Failure
Computer Configuration/Windows Settings/Security Settings/Local Policies/Audit Policy/Audit privilege use=Success,Failure
Computer Configuration/Windows Settings/Security Settings/Local Policies/Audit Policy/Audit system events=Success,Failure
Computer Configuration/Windows Settings/Security Settings/Event Log/Settings for Event Logs/Maximum application log size=25600 KB
Computer Configuration/Windows Settings/Security Settings/Event Log/Settings for Event Logs/Maximum security log size=51200 KB
Computer Configuration/Windows Settings/Security Settings/Event Log/Settings for Event Logs/Maximum system log size=25600 KB
Computer Configuration/Windows Settings/Security Settings/Event Log/Settings for Event Logs/Restrict guest access to application log=Enabled
Computer Configuration/Windows Settings/Security Settings/Event Log/Settings for Event Logs/Restrict guest access to security log=Enabled
Computer Configuration/Windows Settings/Security Settings/Event Log/Settings for Event Logs/Restrict guest access to system log=Enabled
Computer Configuration/Windows Settings/Security Settings/Event Log/Settings for Event Logs/Retention method for application log=As needed
Computer Configuration/Windows Settings/Security Settings/Event Log/Settings for Event Logs/Retention method for security log=As needed
Computer Configuration/Windows Settings/Security Settings/Event Log/Settings for Event Logs/Retention method for system log=As needed
Computer Configuration/Windows Settings/Security Settings/Local Policies/Security Options/Allow server operators to schedule tasks=Disabled
Computer Configuration/Windows Settings/Security Settings/Local Policies/Security Options/Allow system to be shut down without having to log on=Disabled
Computer Configuration/Windows Settings/Security Settings/Local Policies/Security Options/Audit use of Backup and Restore privilege=Enabled
Computer Configuration/Windows Settings/Security Settings/Local Policies/Security Options/Disable CTRL+ALT+DEL requirement for logon=Disabled
Computer Configuration/Windows Settings/Security Settings/Local Policies/Security Options/Restrict CD-ROM access to locally logged-on user only=Enabled
Computer Configuration/Windows Settings/Security Settings/Local Policies/Security Options/Restrict floppy access to locally logged-on user only=Enabled
Computer Configuration/Windows Settings/Security Settings/Local Policies/User Rights Assignment/Change the system time=Administrators
Computer Configuration/Windows Settings/Security Settings/Local Policies/User Rights Assignment/Debug programs=Administrators
Computer Configuration/Windows Settings/Security Settings/Local Policies/User Rights Assignment/Force shutdown from a remote system=Administrators
Computer Configuration/Windows Settings/Security Settings/Local Policies/User Rights Assignment/Log on as a batch job=Administrators
Computer Configuration/Windows Settings/Security Settings/Local Policies/User Rights Assignment/Log on locally=Administrators,Backup Operators
Computer Configuration/Windows Settings/Security Settings/Local Policies/User Rights Assignment/Manage Auditing and Security Log=Administrators,LOCAL DOMAIN\Exchange Enterprise Servers
Computer Configuration/Windows Settings/Security Settings/Local Policies/User Rights Assignment/Modify firmware environment values=Administrators
Computer Configuration/Windows Settings/Security Settings/Local Policies/User Rights Assignment/Profile single process=Administrators
Computer Configuration/Windows Settings/Security Settings/Local Policies/User Rights Assignment/Profile system performance=Administrators
Computer Configuration/Windows Settings/Security Settings/Local Policies/User Rights Assignment/Remove computer from docking station=Administrators
Computer Configuration/Windows Settings/Security Settings/Local Policies/User Rights Assignment/Restore files and directories=Administrators,Backup Operators
Computer Configuration/Windows Settings/Security Settings/Local Policies/User Rights Assignment/Shut down the system=Administrators
Local domain\Exchange Enterprise Servers is a domain group installed by Microsoft Exchange 2000 with membership that includes the Exchange 2000 Servers in that domain. The Manage Auditing and Security Log domain user right must be given to this group to ensure proper Exchange functionality. It's included as a recommendation here in case your domain has Exchange 2000 servers.
Domain Level GPOs:
"Mandatory Domain Policy" No Override
Computer Configuration/Windows Settings/Security Settings/Account Policies/Password Policy/Enforce password history=1 Password remembered
Computer Configuration/Windows Settings/Security Settings/Account Policies/Password Policy/Minimum password length=8 Characters
Computer Configuration/Windows Settings/Security Settings/Account Policies/Password Policy/Minimum password age=0 days (changes are immediate)
Computer Configuration/Windows Settings/Security Settings/Account Policies/Password Policy/Maximum password age=0 (never expire)
Computer Configuration/Windows Settings/Security Settings/Account Policies/Kerberos Policy/Enforce user logon restrictions=Enabled
Computer Configuration/Windows Settings/Security Settings/Account Policies/Kerberos Policy/Maximum lifetime for service ticket=600 minutes
Computer Configuration/Windows Settings/Security Settings/Account Policies/Kerberos Policy/Maximum lifetime for user ticket=10 hours
Computer Configuration/Windows Settings/Security Settings/Account Policies/Kerberos Policy/Maximum lifetime for user ticket renewal=7 days
Computer Configuration/Windows Settings/Security Settings/Account Policies/Kerberos Policy/Maximum tolerance for computer clock synchronization=5 minutes
Computer Configuration/Windows Settings/Security Settings/Account Policies/Account Lockout Policy/Account lockout threshold=150 invalid attempts
Computer Configuration/Windows Settings/Security Settings/Account Policies/Account Lockout Policy/Reset account lockout counter after=5 minutes
Computer Configuration/Windows Settings/Security Settings/Account Policies/Account Lockout Policy/Account lockout duration=5 minutes
Computer Configuration/Windows Settings/Security Settings/Restricted Groups=Domain Admins
Restrict membership of any other domain groups that have been given administrative rights or permissions.
Computer Configuration/Windows Settings/Security Settings/Local Policies/Security Options/LAN Manager Authentication Level=Send LM & NTLM - use NTLMv2 session security if negotiated (required minimum)
Computer Configuration/Windows Settings/Security Settings/Local Policies/Security Options/LAN Manager Authentication Level=Send NTLMv2 response only\refuse LM & NTLM (recommended where all of your clients and services support NTLMv2; see the note below)
Computer Configuration/Windows Settings/Security Settings/Local Policies/Security Options/Additional restrictions for anonymous connections=Do not allow enumeration of SAM accounts or shares
Computer Configuration/Windows Settings/Security Settings/Local Policies/Security Options/Send unencrypted password to connect to third-party SMB servers=Disabled
Computer Configuration/Windows Settings/Security Settings/Local Policies/User Rights Assignment/Enable user and computer accounts to be trusted for delegation=Administrators
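The following script is an added example and is not part of the UW Forest policy page or of any Microsoft tool. It exports the effective security settings of the domain controller it runs on with secedit, parses the INF file secedit writes, and reports every value that differs from the DC OU audit, event log and user rights baseline and from the Mandatory Domain Policy password, lockout and Kerberos values listed above. Assumptions: it is run elevated on a domain controller; the INF section and key names are the ones secedit exports (check against your own export if a key is reported as missing); "never expire" is exported as MaximumPasswordAge=-1; user rights are exported as comma-separated SIDs prefixed with "*", and the Manage auditing and security log right is left out because its holders vary with Exchange (see the note above).

```powershell
# Added example (not from the UW Forest policy page): compare the effective
# security settings of this DC with the baseline values listed on the page.
# Assumes an elevated session on a domain controller and the INF layout that
# secedit exports; verify key names against your own export if in doubt.

$inf = Join-Path $env:TEMP 'effective-policy.inf'
secedit /export /mergedpolicy /cfg $inf | Out-Null

# Parse the INF into section -> (key -> value). Lines look like "Key = Value".
$policy  = @{}
$section = $null
foreach ($line in Get-Content -Path $inf) {
    $line = $line.Trim()
    if ($line -match '^\[(.+)\]$') { $section = $matches[1]; $policy[$section] = @{}; continue }
    if ($section -and $line -match '^([^=]+?)\s*=\s*(.*)$') { $policy[$section][$matches[1]] = $matches[2] }
}

# Expected values transcribed from the policy lists above.
# Audit keys: 1 = Success, 2 = Failure, 3 = Success,Failure. Retention period 0 = as needed.
# MaximumPasswordAge = -1 is assumed to be how "0 (never expire)" is exported.
$expected = @{
    'Event Audit'     = @{ AuditAccountLogon = '3'; AuditAccountManage = '3'; AuditDSAccess = '2'
                           AuditLogonEvents = '3'; AuditObjectAccess = '2'; AuditPolicyChange = '3'
                           AuditPrivilegeUse = '3'; AuditSystemEvents = '3' }
    'Application Log' = @{ MaximumLogSize = '25600'; RestrictGuestAccess = '1'; AuditLogRetentionPeriod = '0' }
    'Security Log'    = @{ MaximumLogSize = '51200'; RestrictGuestAccess = '1'; AuditLogRetentionPeriod = '0' }
    'System Log'      = @{ MaximumLogSize = '25600'; RestrictGuestAccess = '1'; AuditLogRetentionPeriod = '0' }
    'System Access'   = @{ PasswordHistorySize = '1'; MinimumPasswordLength = '8'; MinimumPasswordAge = '0'
                           MaximumPasswordAge = '-1'; LockoutBadCount = '150'; ResetLockoutCount = '5'
                           LockoutDuration = '5' }
    'Kerberos Policy' = @{ TicketValidateClient = '1'; MaxServiceAge = '600'; MaxTicketAge = '10'
                           MaxRenewAge = '7'; MaxClockSkew = '5' }
}

# User rights: well-known SIDs for Administrators and Backup Operators.
$admins = 'S-1-5-32-544'; $backupOps = 'S-1-5-32-551'
$expectedRights = @{
    SeSystemtimePrivilege = @($admins); SeDebugPrivilege = @($admins); SeRemoteShutdownPrivilege = @($admins)
    SeBatchLogonRight = @($admins); SeSystemEnvironmentPrivilege = @($admins)
    SeProfileSingleProcessPrivilege = @($admins); SeSystemProfilePrivilege = @($admins)
    SeUndockPrivilege = @($admins); SeShutdownPrivilege = @($admins); SeEnableDelegationPrivilege = @($admins)
    SeInteractiveLogonRight = @($admins, $backupOps); SeRestorePrivilege = @($admins, $backupOps)
}

$findings = New-Object System.Collections.Generic.List[string]
foreach ($sec in $expected.Keys) {
    foreach ($key in $expected[$sec].Keys) {
        $actual = if ($policy.ContainsKey($sec)) { $policy[$sec][$key] } else { $null }
        if ($actual -ne $expected[$sec][$key]) {
            $shown = if ($null -eq $actual) { '<missing>' } else { $actual }
            $findings.Add(("[{0}] {1}: expected {2}, found {3}" -f $sec, $key, $expected[$sec][$key], $shown))
        }
    }
}

# Rights are exported as "*SID,*SID"; compare holders as an order-independent set.
foreach ($right in $expectedRights.Keys) {
    $raw = if ($policy.ContainsKey('Privilege Rights')) { $policy['Privilege Rights'][$right] } else { $null }
    $actual = @()
    if ($raw) { $actual = @($raw -split ',' | ForEach-Object { $_.Trim().TrimStart('*') }) }
    $want = ($expectedRights[$right] | Sort-Object) -join ','
    $have = ($actual | Sort-Object) -join ','
    if ($want -ne $have) { $findings.Add("[Privilege Rights] ${right}: expected $want, found '$have'") }
}

if ($findings.Count -eq 0) { Write-Output 'All checked settings match the baseline.' }
else { $findings | ForEach-Object { Write-Output "DRIFT $_" } }
Remove-Item -Path $inf -ErrorAction SilentlyContinue
```

Run it on each domain controller after the GPOs have been applied and replicated; a DRIFT line for a setting you did not change usually means a lower-precedence GPO or a local setting is still winning, which is exactly what the "No Override" flag on these GPOs is meant to prevent.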
Note that we require LAN Manager Authentication Level=Send LM & NTLM - use NTLMv2 session security if negotiated (known as level 3) but recommend that you set it to Send NTLMv2 response only\refuse LM & NTLM (level 5) if your environment can support it. Both LM and NTLMv1 have known vulnerabilities. However, several clients and services are not capable of NTLMv2 and may break at the higher LAN Manager authentication level, so research carefully whether you can move to the recommended value. http://support.microsoft.com/default.aspx?scid=KB;EN-US;Q239869 is a good introduction to this issue. A Macintosh UAM (user authentication module) that supports NTLMv2 is available.
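As an added example that is not part of the UW Forest policy page, the script below reads the three registry values behind the Security Options above (LmCompatibilityLevel and RestrictAnonymous under the LSA key, EnablePlainTextPassword under the LanmanWorkstation parameters) and reports whether the LAN Manager level meets the required option or the recommended one. The value-to-option names follow the numbering in the Microsoft KB article linked in the note, where registry value 1 is the required "Send LM & NTLM - use NTLMv2 session security if negotiated" option and value 5 is the recommended "refuse LM & NTLM" option; the defaults assumed when a value is absent (0 for all three) are the Windows 2000 defaults.

```powershell
# Added example (not from the UW Forest policy page): report the effective
# LAN Manager authentication level and the two anonymous/plaintext settings.
# Registry value-to-option mapping follows the Microsoft KB article linked above.
$lmOptions = @{
    0 = 'Send LM & NTLM responses'
    1 = 'Send LM & NTLM - use NTLMv2 session security if negotiated'
    2 = 'Send NTLM response only'
    3 = 'Send NTLMv2 response only'
    4 = 'Send NTLMv2 response only\refuse LM'
    5 = 'Send NTLMv2 response only\refuse LM & NTLM'
}
$requiredLevel    = 1   # the option the page requires
$recommendedLevel = 5   # the option the page recommends

$lsa = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
$wks = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanWorkstation\Parameters'

# Returns the named value, or $default when the value (or key) is absent,
# since an absent value means the OS default is in effect.
function Get-RegValueOrDefault($path, $name, $default) {
    $item = Get-ItemProperty -Path $path -Name $name -ErrorAction SilentlyContinue
    if ($null -eq $item) { return $default }
    return $item.$name
}

# Assumed Windows 2000 defaults when the value is missing: 0 for each.
$level     = [int](Get-RegValueOrDefault $lsa 'LmCompatibilityLevel' 0)
$anonymous = [int](Get-RegValueOrDefault $lsa 'RestrictAnonymous' 0)
$plaintext = [int](Get-RegValueOrDefault $wks 'EnablePlainTextPassword' 0)

# Levels run from weakest (0) to strictest (5), so a higher value is never worse.
Write-Output ("LmCompatibilityLevel = {0} ({1})" -f $level, $lmOptions[$level])
if ($level -ge $recommendedLevel) {
    Write-Output 'LAN Manager level: meets the recommended setting.'
} elseif ($level -ge $requiredLevel) {
    Write-Output 'LAN Manager level: meets the required setting but still sends LM/NTLM responses; test clients before raising it to 5.'
} else {
    Write-Output 'LAN Manager level: BELOW the required setting.'
}

# RestrictAnonymous: 1 = do not allow enumeration of SAM accounts and shares (the required value).
if ($anonymous -lt 1) { Write-Output 'RestrictAnonymous: anonymous enumeration of accounts and shares is still allowed.' }
else { Write-Output "RestrictAnonymous = $anonymous: enumeration blocked." }

# EnablePlainTextPassword must be 0 ("Send unencrypted password ..." = Disabled).
if ($plaintext -ne 0) { Write-Output 'EnablePlainTextPassword: plaintext passwords to third-party SMB servers are ENABLED.' }
else { Write-Output 'EnablePlainTextPassword = 0: disabled.' }
```

Because the domain GPO writes these values into the registry of every member, the same script can be run on a workstation or member server to confirm the policy reached it; run it before and after raising the level to 5 on a test OU so that any client that stops authenticating can be tied to the change.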
