A relatively small number of security settings are applied to the domain. These settings are applied through the Computer Configuration node in the Group Policy Object Editor. Within this node, the following setting groups appear in the Windows Settings sub-node:
Password Policy Settings
Account Lockout Policy Settings
This section provides an overview of these two categories of settings. For information about which specific settings are recommended for each role, review the Microsoft Excel® workbook Windows Server 2008 Security Baseline Settings that accompanies this guide. For detailed information about how each setting functions, what threats each addresses, and the potential consequences of using each setting, read the companion guide, Threats and Countermeasures.
Password Policy Settings
Complex passwords that you change regularly help reduce the likelihood of a successful password attack. Password policy settings control the complexity and lifetime of passwords. Generally, you configure password policy settings only by using Group Policy at the domain level.
Note Windows Server 2008 supports a new feature called Fine-Grained Password Policies that provides organizations with a way to define different password and account lockout policies for different sets of users in a domain. In Windows® 2000 and Windows Server® 2003 Active Directory® domains, only one password policy and account lockout policy could be applied to all users in the domain. This guide does not make recommendations for this feature. For more information about Fine-Grained Password Policies, see the AD DS: Fine-Grained Password Policies page on Microsoft TechNet.
You can configure the password policy settings in the following location in the Group Policy Object Editor:
Computer Configuration\Windows Settings\Security Settings\Account Policies\Password Policy
Account Lockout Policy Settings
The account lockout policy is an Active Directory Domain Services (AD DS) security feature that locks a user account. The lock prevents logon after a specified number of failed logon attempts occur within a specified period. Domain controllers track logon attempts and enforce the number of allowed attempts based on the values that are configured for the account lockout settings. In addition, you can specify the duration of the lock.
These policy settings help prevent attackers from guessing user passwords, and they decrease the likelihood of successful attacks on your network environment. However, an enabled account lockout policy will probably result in more support issues for network users. Before you enable the following settings, ensure that your organization wants to accept this additional management overhead. For many organizations, an improved and less-costly solution is to automatically scan the Security event logs for domain controllers and generate administrative alerts when it appears that someone is attempting to guess passwords for user accounts.
You can configure the account lockout policy settings in the following location in the Group Policy Object Editor:
Computer Configuration\Windows Settings\Security Settings\Account Policies\Account Lockout Policy
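The alternative the guide suggests above, scanning the Security log of a domain controller for password-guessing attempts and alerting instead of locking accounts, can be scripted. The following PowerShell is an added example, not part of the guide or its workbook; it assumes the caller can read the Security log on the named domain controller, and the threshold and window are placeholders to tune per environment.

```powershell
# Added example (not from the guide): summarise failed credential checks recorded in a
# domain controller's Security log so that password guessing can be alerted on instead
# of locking accounts. Assumes rights to read the Security log on $ComputerName.
param(
    [string]$ComputerName = $env:COMPUTERNAME,   # domain controller to query
    [int]$WindowMinutes   = 30,                  # look-back window (placeholder)
    [int]$Threshold       = 10                   # failures per account that trigger an alert (placeholder)
)

# Security events that record a failed credential check on a domain controller:
# 4625 = an account failed to log on, 4771 = Kerberos pre-authentication failed,
# 4776 = NTLM credential validation (logged for success and failure; Status tells which).
$filter = @{
    LogName   = 'Security'
    Id        = 4625, 4771, 4776
    StartTime = (Get-Date).AddMinutes(-$WindowMinutes)
}

# Read one named field from the event's EventData by name rather than by position.
function Get-EventDataValue {
    param([System.Diagnostics.Eventing.Reader.EventRecord]$Event, [string]$Name)
    $xml = [xml]$Event.ToXml()
    ($xml.Event.EventData.Data | Where-Object { $_.Name -eq $Name }).'#text'
}

$failures = Get-WinEvent -ComputerName $ComputerName -FilterHashtable $filter -ErrorAction SilentlyContinue |
    ForEach-Object {
        # 4776 is also logged for successful validations; keep only non-zero Status values
        if ($_.Id -eq 4776 -and (Get-EventDataValue $_ 'Status') -eq '0x0') { return }
        $source = if ($_.Id -eq 4776) { Get-EventDataValue $_ 'Workstation' } else { Get-EventDataValue $_ 'IpAddress' }
        New-Object PSObject -Property @{
            Time    = $_.TimeCreated
            Id      = $_.Id
            Account = Get-EventDataValue $_ 'TargetUserName'
            Source  = $source
        }
    }

# Raise an administrative alert for every account whose failure count crosses the threshold.
$failures | Group-Object Account | Where-Object { $_.Count -ge $Threshold } | ForEach-Object {
    $sources = ($_.Group | ForEach-Object { $_.Source } | Sort-Object -Unique) -join ', '
    Write-Warning ("Possible password guessing: {0} failed logons for '{1}' in the last {2} min (sources: {3})" -f `
        $_.Count, $_.Name, $WindowMinutes, $sources)
}
```

Run it from a scheduled task on each domain controller, or point `-ComputerName` at each DC in turn, and route `Write-Warning` output to whatever alerting channel the organization already uses.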
The majority of the security settings are applied to domain controllers and member servers in the domain. Many recommendations are the same for both domain controllers and member servers. However, some settings apply only to domain controllers. These settings are applied through the Computer Configuration node in the Group Policy Object Editor. Within this node, these settings appear in the Windows Settings and Administrative Templates sub-nodes.
If you compare the recommendations for some settings between domain controllers and member servers, you may notice some cases where the recommended value for domain controllers is "Not defined." This is because some settings are configured in the built-in Group Policy called "Default Domain Controller Policy." When the default values for such settings match the recommendations for domain controllers in the Enterprise Client environment, the recommended value is listed as "Not defined" in the Microsoft Excel® workbook Windows Server 2008 Security Baseline Settings that accompanies this guide. However, a specific value for member servers may be recommended for the same setting.
This section provides an overview of the different categories of settings. For information about which specific settings are recommended for each role, review the Microsoft Excel® workbook Windows Server 2008 Security Baseline Settings that accompanies this guide. For detailed information about how each setting functions, what threats each addresses, and the potential consequences of using each setting, read the companion guide, Threats and Countermeasures.
User Rights Assignment Settings
In conjunction with many of the privileged groups in Windows Server 2008, you can assign a number of user rights to specific users or groups. These rights are typically assigned so that a user or group can perform a specific administrative task or tasks without being given full administrative control. To set the value of a user right to No one, enable the setting but do not add any users or groups to it. To set the value of a user right to Not Defined, do not enable the setting. You can configure the user rights assignment settings in Windows Server 2008 at the following location in the Group Policy Object Editor:
Computer Configuration\Windows Settings\Security Settings\Local Policies\User Rights Assignment
Note Many features in IIS require certain accounts such as IIS_WPG, IUSR_<ComputerName>, and IWAM_<ComputerName> to have specific privileges. For more information about what user rights are required by accounts that are related to IIS, see IIS and Built-in Accounts (IIS 6.0).
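The difference between No one and Not Defined described above is visible in a GPO's security template (GptTmpl.inf under SYSVOL): a right set to No one is present with an empty list, a right left Not Defined is absent. The following PowerShell is an added example, not code from the guide; it assumes $TemplatePath points at such a file, and falls back to a constructed sample so it runs offline.

```powershell
# Added example (not from the guide): report how each user right is configured in a GPO's
# security template, distinguishing "Not defined" (right absent) from "No one" (right present
# with an empty list). Assumes $TemplatePath is a GptTmpl.inf; empty means use the sample.
param([string]$TemplatePath = '')

# Constructed sample in GptTmpl.inf layout: SIDs carry a leading '*', names are literal.
$sample = @'
[Privilege Rights]
SeDebugPrivilege = *S-1-5-32-544
SeTcbPrivilege =
SeDenyNetworkLogonRight = *S-1-5-32-546,Guest
'@
$lines = if ($TemplatePath) { Get-Content $TemplatePath } else { $sample -split "`r?`n" }

# User rights the report should cover, whether or not the template mentions them.
$rightsToReport = 'SeDebugPrivilege', 'SeTcbPrivilege', 'SeDenyNetworkLogonRight', 'SeRemoteShutdownPrivilege'

# Translate a '*S-1-...' token to an account name; leave names and unresolvable SIDs as-is.
function Resolve-Principal {
    param([string]$Token)
    if ($Token -notmatch '^\*S-') { return $Token }
    try {
        $sid = New-Object System.Security.Principal.SecurityIdentifier ($Token.TrimStart('*'))
        $sid.Translate([System.Security.Principal.NTAccount]).Value
    } catch { $Token }
}

# Parse only the [Privilege Rights] section into a right -> list-of-principals table.
$defined = @{}
$inSection = $false
foreach ($line in $lines) {
    if ($line -match '^\[(.+)\]') { $inSection = ($matches[1] -eq 'Privilege Rights'); continue }
    if ($inSection -and $line -match '^(\w+)\s*=\s*(.*)$') {
        $principals = @($matches[2] -split ',' | ForEach-Object { $_.Trim() } | Where-Object { $_ })
        $defined[$matches[1]] = $principals
    }
}

foreach ($right in $rightsToReport) {
    if (-not $defined.ContainsKey($right)) { $state = 'Not defined' }
    elseif ($defined[$right].Count -eq 0)   { $state = 'No one' }
    else { $state = ($defined[$right] | ForEach-Object { Resolve-Principal $_ }) -join ', ' }
    New-Object PSObject -Property @{ UserRight = $right; Configured = $state }
}
```

With the sample, SeDebugPrivilege resolves to the local Administrators group, SeTcbPrivilege reports No one, and SeRemoteShutdownPrivilege reports Not defined because it never appears in the template.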
Security Options Settings
The security option settings that are applied through Group Policy on servers in your environment enable or disable capabilities and features such as floppy disk drive access, CD-ROM drive access, and logon prompts. These settings also configure various other settings, such as those for the digital signing of data, administrator and guest account names, and how driver installation works. You can configure the security option settings in the following location in the Group Policy Object Editor:
Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options
MSS Settings
The following settings include registry value entries that do not display by default through the Security Configuration Editor (SCE). These settings, which are all prefixed with MSS:, were developed by the Microsoft Solutions for Security group for previous security guidance. The LPT for the SCM tool modifies the SCE so that it properly displays the MSS settings, as discussed in Chapter 1, "Implementing a Security Baseline."
User Account Control Settings
User Account Control (UAC) reduces the exposure and attack surface of the operating system by requiring that all users run in standard user mode, even if they have logged on with administrative credentials. This limitation helps minimize the ability of users to make changes that could destabilize their computers or inadvertently expose the network to viruses through undetected malware that has infected the computer. When a user attempts to perform an administrative task, the operating system must raise their security level to allow the task to take place. The UAC settings in GPOs configure how the operating system responds to a request to heighten security privileges.
Potential Issues with SMB Signing Policies
When SMB signing policies are enabled and a Server Message Block (SMB) version 1 client establishes a non-guest session or a non-anonymous session with a server, the client enables security signatures for the server. Later sessions then inherit the security signature sequence that is already established.
To improve security, Windows Server 2008 and Windows Vista SP1 prevent server authenticated connections from being maliciously downgraded to a guest session or to an anonymous session. However, this improved security does not work as intended when the domain controller is running Windows Server 2003 and the client computers are running Windows Vista SP1 or Windows Server 2008. Specifically, this applies if the policies in the following locations are enabled on a domain controller that is running Windows Server 2003 in a domain:
Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options\Microsoft network server: Digitally sign communications (always)
Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options\Microsoft network server: Digitally sign communications (if client agrees)
and the following policies are enabled on a member computer that is running Windows Vista SP1 or Windows Server 2008 in the same domain:
Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options\Microsoft network client: Digitally sign communications (always)
Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options\Microsoft network client: Digitally sign communications (if server agrees)
To download a hotfix to resolve this issue, and learn more about this topic, see "Group Policy settings are not applied on member computers that are running Windows Server 2008 or Windows Vista SP1 when certain SMB signing policies are enabled": Microsoft Knowledge Base article 950876.
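Before relying on Group Policy in a mixed domain, it helps to confirm which of the four signing policies above are actually in effect on each side. The following PowerShell is an added example, not part of the guide; it reads the registry values that back those policies (RequireSecuritySignature and EnableSecuritySignature under the LanmanServer and LanmanWorkstation Parameters keys), and assumes remote registry access to the placeholder computer names $Dc and $Member.

```powershell
# Added example (not from the guide): read the effective SMB signing settings of a domain
# controller and a member computer, and flag the combination the guide describes (server-side
# signing on the DC plus client-side signing on the member). $Dc and $Member are placeholders.
param(
    [string]$Dc     = 'DC01',   # placeholder: domain controller (issue applies when it runs Windows Server 2003)
    [string]$Member = 'SRV01'   # placeholder: Windows Server 2008 or Windows Vista SP1 member computer
)

# Registry locations behind the four policy names quoted in the guide.
$serverKey = 'SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters'
$clientKey = 'SYSTEM\CurrentControlSet\Services\LanmanWorkstation\Parameters'

# Return a DWORD from a remote machine's HKLM, or $null when the value is absent (policy "Not defined").
function Get-RemoteDword {
    param([string]$Computer, [string]$SubKey, [string]$ValueName)
    $hive = [Microsoft.Win32.RegistryKey]::OpenRemoteBaseKey('LocalMachine', $Computer)
    try {
        $key = $hive.OpenSubKey($SubKey)
        if ($key -eq $null) { return $null }
        $key.GetValue($ValueName)
    } finally { $hive.Close() }
}

$checks = @(
    @{ Computer=$Dc;     Role='DC server';     Setting='Digitally sign communications (always)';           Path=$serverKey; ValueName='RequireSecuritySignature' },
    @{ Computer=$Dc;     Role='DC server';     Setting='Digitally sign communications (if client agrees)'; Path=$serverKey; ValueName='EnableSecuritySignature' },
    @{ Computer=$Member; Role='Member client'; Setting='Digitally sign communications (always)';           Path=$clientKey; ValueName='RequireSecuritySignature' },
    @{ Computer=$Member; Role='Member client'; Setting='Digitally sign communications (if server agrees)'; Path=$clientKey; ValueName='EnableSecuritySignature' }
)

$report = $checks | ForEach-Object {
    $raw = Get-RemoteDword $_.Computer $_.Path $_.ValueName
    New-Object PSObject -Property @{
        Computer = $_.Computer; Role = $_.Role; Setting = $_.Setting
        Enabled  = ($raw -eq 1); Raw = $raw
    }
}
$report | Format-Table Computer, Role, Setting, Enabled -AutoSize

# The problematic combination: any server-side signing policy on the DC together with
# any client-side signing policy on the member.
$dcSigning     = @($report | Where-Object { $_.Role -eq 'DC server'     -and $_.Enabled }).Count -gt 0
$memberSigning = @($report | Where-Object { $_.Role -eq 'Member client' -and $_.Enabled }).Count -gt 0
if ($dcSigning -and $memberSigning) {
    Write-Warning "SMB signing is enabled on both $Dc and $Member; if $Dc runs Windows Server 2003, confirm the KB 950876 hotfix is installed before relying on Group Policy on $Member."
}
```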
Event Log Security Settings
The event log records events on the system, and the Security log records audit events. The event log container of Group Policy is used to define attributes that are related to the Application, Security, and System event logs, such as maximum log size, access rights for each log, and retention settings. You can configure the event log settings in the following location in the Group Policy Object Editor:
Computer Configuration\Administrative Templates\Windows Components\Event Log Service\