Part II: Group Policy Implementation and Scenarios
Chapter 4: Deploying Group Policy

domain and use GPO filtering, all GPOs will need to be evaluated by all accounts in the domain. This will slow down the processing of GPOs for all accounts in the domain. The alternative is to link GPOs to OUs that are as close to the target accounts as possible. This reduces the load on all accounts, forcing only the target accounts to evaluate the GPOs for processing.

Disable Unused Sections of GPOs

In most Active Directory implementations, the computer and user accounts are separated into different OUs. This is not a requirement of Active Directory design, but it is common practice to separate the different types of computer accounts (domain controllers, file servers, Web servers, SQL servers, and so on) and user accounts (IT staff, executives, developers, service accounts, employees, and others) and place each type of computer or user account in a different OU. With computer accounts in their own OUs and user accounts in separate OUs, the GPOs that are linked to each of these OUs will be specific to each type of account. For example, if a GPO is linked to the OU that contains only file servers, there is no need to have any of the User Configuration settings configured. If the User Configuration settings were configured, they would not affect any users anyway, because there are no user accounts in an OU that contains only file servers. Because the GPO settings associated with user accounts will not be useful in this scenario, you should disable the User portion of the GPO to reduce the overall processing required by computer accounts in the OU. Doing this for a single GPO won't make much difference, but if you disable the User section of every GPO that computer accounts need to process, it can make a significant difference in the total processing time.

More Info: For more information on how to disable the Computer or User section of a GPO, see Chapter.

Optimize the Background Refresh Interval

You can change the background refresh interval to modify the time it takes to reassess whether new GPO settings have been made. The default refresh interval is different for domain controllers, domain members, and user accounts. The interval can be set anywhere from seconds to 45 days. A longer interval reduces how often a computer or user refreshes new GPO settings; 45 days is a long time to wait between GPO updates. If you configure the refresh interval too low, however, network traffic will increase and the user's work can be adversely affected.

The default refresh interval for domain members and user accounts is 90 minutes, which is an efficient interval for most organizations. This value should be modified only if a smaller interval is required or the bandwidth is too small to support even the 90-minute default setting. Domain controllers update GPO settings every minutes by default. The interval for domain controllers is lower to increase security on these computers and to ensure that critical settings are pushed down to these computers as quickly as possible. Again, this is a reasonable setting unless your environment warrants a smaller interval. For domain controllers, a larger interval is typically not recommended for security reasons.

More Info: For more information on how to configure the refresh interval for domain controllers, domain members, or user accounts, see Chapter.

Configure a Reasonable Timeout for Scripts

Because scripts can configure the user's environment in important ways, they are often used in enterprise environments. It is common to have scripts map drives, configure printer ports, modify services, and more. In some cases, the scripts that run against computer or user accounts can become too large or complex, causing the logon time to become too long. Sometimes startup or logon scripts can only finish their work when the network and key servers are available. In this case, when the network or a server resource is temporarily unavailable, the processing time for the scripts slows down and can make the user wait an unreasonable amount of time to start using her computer. In this situation, you should consider configuring a reasonable timeout for scripts, both startup and logon. If your scripts typically take to minutes to run, you might want to add to additional minutes to allow for slow response times or network congestion.

More Info: For more information on how to configure the timeout for scripts, see Chapter.

Configure Asynchronous Processing

When GPO settings take too long to apply, the problem might be due to an abundance of security settings, desktop environment settings, Internet Explorer settings, and so on. In this case, you might want to consider configuring GPOs to apply asynchronously. By default, GPOs apply synchronously (except for Windows XP, which takes advantage of the Fast Logon configuration described above), which means the user cannot access the desktop and applications until all GPO settings have been successfully applied. Asynchronous application of GPOs speeds up the user's access to his computer but also leaves the computer vulnerable for a brief amount of time between when the user has access to his desktop and when all of the GPO settings have successfully been applied.

More Info: For more information on how to configure synchronous and asynchronous policy processing, see Chapter 13.

Limit Use of Loopback

Configuring the use of loopback processing for a GPO can hurt performance on the computer it applies to. If the computer needs to evaluate the GPO settings within the User Configuration section in the GPOs for both the computer account and the user account, this can take extra time. Loopback processing has two modes. The first is Replace mode, which takes only the settings for the user account from the User Configuration section of the GPO and applies those settings to the computer account. Because this is a simple replacement of the user-based GPO settings, the processing time required is not great. However, if you have configured loopback processing for Merge mode, the computer must evaluate the User Configuration sections in multiple GPOs, determining which settings should have precedence. This additional processing causes a slower response time for the user's access to his desktop. As a result, you should limit your use of loopback processing to computers that need the additional control that this feature can provide.

More Info: For more information on how to configure loopback processing, see Chapter 12.

Filter GPOs Based on Group Membership

A new GPO is configured to apply to all computer and user accounts by having the Authenticated Users group configured on the ACL of all GPOs by default. In most cases, this is the best configuration because there is no need to administer the ACL on the GPO. If you have GPOs linked to OUs that contain both accounts that need to have the GPO settings applied and accounts that should bypass the GPO settings, you should filter the GPOs. This filtering reduces the time that it takes to process GPOs, because the accounts do not evaluate the GPOs for which they are not listed on the ACL. In this case, the best method for filtering your GPOs is to remove the Authenticated Users group and add the specific security groups that contain the accounts for which the GPO settings should apply. These entries in the ACL must have both the Read and Apply Group Policy permissions.

More Info: For more information on how to filter GPOs, see Chapter.

Best Practices for Deploying GPOs

Deploying GPOs efficiently and effectively requires careful attention. As we have seen in this chapter, you must consider many factors when you design and implement Group Policy in your enterprise. How you design your GPOs depends on your Active Directory structure, replication, site design, and more—and that's a lot of information to evaluate. If you do not evaluate these factors, troubleshooting Group Policy can be much more difficult, and Group Policy processing can suffer performance degradation as well. There is no secret recipe or procedure that you can follow to bypass all possible issues involved in deploying Group Policy, but the following best practices can help you avoid many pitfalls.

Choosing the Best Level to Link GPOs

You can link GPOs to sites, domains, and OUs: which level is best when deploying GPOs? As a general rule, there are more ramifications when linking GPOs to sites and domains due to the scope of the accounts that are affected. Also, GPOs that are linked to sites and domains typically contain generic settings, whereas the GPOs that are linked down through the OU structure usually contain specific settings that are based on the type of computer or user. Let's look at some general rules and guidelines for each level.

GPOs Linked to Sites

It is rare to have a lot of GPOs linked to sites in a typical Active Directory implementation. When you link a GPO to a site, it affects computers and users based on the IP address of the computer. In most cases, Active Directory administration, computer types, and user types don't follow the network topology, so it is difficult to organize GPO settings in such a way that they can be deployed to sites. Here are a few scenarios where you might decide to link a GPO to a site:

■ IPSec settings. A branch office or other network segment might need to have IPSec security configurations for all computers on that network.
■ Software Update Services (SUS). When clients and servers receive information from Group Policy about SUS, they are typically directed to a SUS server. Since they are targeted to a SUS server to receive their updates, the GPOs containing SUS settings can be linked to sites to automatically affect all computers within a specific range of IP addresses. This will lead to computers being directed to the SUS server that is nearest them, increasing performance of applying the updates and reducing network traffic across the slower links.
■ Remote Access Services (RAS). If you have your RAS server configured to use a specific range of IP addresses, it is a good design decision to link a GPO to a site to configure the RAS clients. You can target computer and user accounts based on whether the computer is coming in over dial-up or VPN. You can thus control software installation, profiles, security configurations, and more. In most cases, the RAS clients must have increased security configurations and decreased network access privileges.

GPOs Linked to Domains

By default, a GPO named the Default Domain Policy is linked at the domain level and is typically used to configure account policies for all domain users. Additional GPOs can be linked to the domain level as well, however. You might be tempted to link numerous GPOs to the domain level or configure numerous GPO settings at this level, but you will find that only a few GPO settings can be successfully configured at the domain level, because these GPO settings affect all computer and user accounts in the domain. When you consider linking GPOs at the domain level, evaluate the computer and user settings configured in the GPOs to determine whether they should be applied to every account in the domain. For computers, this would include domain controllers, file servers, print servers, application servers, SQL Servers, executive clients, IT staff clients, and developer clients. For users, this would include executives, power users, IT staff, developers, and service accounts. Here are some best practices for configuration at the domain level:

■ Account policies. Although account policies are already configured in the default GPO, they are worth mentioning again. The only GPOs that can establish the account policies for domain user accounts are those that are linked to the domain level.
■ Legal notice. Display a legal notice at logon on all computers of any type in the organization.
■ Screen saver. Many companies require that computers be configured to use a standardized company screen saver. You should configure each user account to password-protect the screen saver after a set amount of idle time. Set a reasonable idle time for your environment, but the shorter the idle time, the better the security. In many companies, the idle time is set between 15 and 30 minutes.
■ Scripts. Some scripts configure drive mappings, printers, and other settings that are required for all computers and users throughout the domain.
■ Security settings. Many security settings, such as SMB signing, authentication protocols, and anonymous access, can be configured for all computers in the domain.
■ Software installation. Your organization might have anti-virus or patch agent software that runs on all computers in the domain and can be deployed from the domain level. It is common to also deploy administrative tools to all computers for when administrators need to troubleshoot problems directly from a client or a server.
■ Internet Explorer. Because Internet Explorer is the main tool for Internet and intranet resource access, these settings are typically required for all computers in the domain. These settings might include proxy, caching, or security settings.
■ GPO processing. Ensure that all computers and users process GPOs in the same way, to eliminate working with different GPO implementation designs during the troubleshooting process. Configuring settings for GPO processing at the domain level ensures that all computer and user accounts are configured consistently across the forest. Settings such as synchronous/asynchronous processing, refresh intervals, and script timeouts are all usually appropriate to configure at the domain level.

GPOs Linked to OUs

Besides configuring the recommended GPO settings above at the site and domain levels, all other GPO settings should generally be applied at the OU level. This includes most GPO settings, which proves how important it is to design the OU structure of each domain with GPO deployment in mind. You will typically have multiple levels of OUs within a domain, with some OUs toward the top of the structure and some OUs lower down. It is common to have fewer computer and user accounts in the higher-level OUs, while most of these accounts will reside in the lower-level OUs. The same can be said of the GPOs linked to your OUs. Try to have fewer GPOs linked to higher-level OUs, because too many accounts would be affected at this level. If any GPOs are linked at the higher-level OUs, their settings are typically generic enough to span multiple computer or user types. Most GPOs are linked to lower-level OUs. These OUs typically contain accounts based on type, department, security needs, software requirements, or delegation of administration requirements.

Resources Used by GPOs

When you have software that is being deployed using GPOs, organize your source files on servers that are on the same network as the target machines. The shares that contain application source files are specified within the software packages created in a GPO. You should specify shares that reside on file servers with fast network connections to the target accounts. The same goes for SUS servers that are configured through GPOs. You should have multiple SUS servers provide updates for clients throughout the enterprise. The GPOs should be designed to lead target computers to SUS servers that have fast network connections to them. Finally, you can combine domain-based DFS links with the specific shares that you need to specify for software and SUS server configurations in your GPOs. Domain-based DFS links allow multiple servers to respond to a single shared folder. Clients are directed to the share on the server that is within their site, providing fast, reliable access to software and SUS update resources.

More Info: For more information on DFS, go to http://www.microsoft.com/windowsserver2003/techinfo/overview/dfs.mspx

Software Installation

When you deploy software based on computer and user accounts, you have a choice of when you install the software and how the user will access the software for use or installation. The options are different for deploying software based on computer accounts versus user accounts. For computer accounts, your options are limited because a computer can't interact with itself to install or initialize some behavior to start the installation. Therefore, if you deploy software based on a computer account, your only option is to have the software install automatically when the computer starts. For user accounts, you have three options:

■ Publish. When you publish software, it shows up only in the Add/Remove Programs list. The user is not even aware that the software is available unless she checks this list. This option is appropriate if you want to provide software to users but not have the software available to them until they need it. You can also choose to install the software when the user attempts to open a file associated with the software—for example, if Microsoft Excel has been published and the user opens a file with an .xls file extension. In this case, Excel is installed when the user attempts to open the file.
■ Assign, But Don't Automatically Install At Logon. Assigning software to users makes the software available on the Start menu as a shortcut. This means the software is available for installation but is only installed when the user clicks the shortcut on the Start menu for the application or attempts to open a file associated with that software. This is a good approach if you plan to deploy software to a large group of people, because it spreads the installation load across the network and source servers and across multiple hours and days rather than concentrating it at a time like early morning when all users typically log on.
■ Assign And Install When User Logs On. This option is identical to the previous one except that the software is installed when the user logs on. This is a good option when the software is being deployed to only a few people or when the software (such as HR applications or security applications) needs to be installed when the user accesses the desktop after logon.

More Info: For more information on deploying software using Group Policy, see Chapter.

Designing GPOs Based on GPO Categories

When you organize your GPOs based on the kinds of settings they contain, they become easier to manage. Depending on the overall requirements of your organization, you could typically use security, software deployment, desktop control, Internet Explorer, scripts, Windows components, system configurations, and network settings as initial categories. Using such categories makes the following management tasks much easier:

■ Documentation of GPO settings
■ Troubleshooting of GPO processing
■ Multi-user administration of GPOs
■ Delegation of administration within Active Directory

Limit Enforced and Block Policy Inheritance Options

You should allow GPOs to be processed according to their default inheritance behavior as much as possible. This means that when you link a GPO to the domain level, it should affect all accounts in the domain. Likewise, when you link a GPO to an OU of Sales employees, all Sales employee user accounts will be affected. The Enforced option can push the settings in a GPO down through the Active Directory structure even if another GPO with higher precedence attempts to override the settings in the Enforced GPO. The Block Policy Inheritance option allows you to stop all lower-precedence GPO settings from applying to accounts at a certain level in the Active Directory structure. Both the Enforced setting and the Block Policy Inheritance setting should be used only when other recommended design options are not available. Here are some best practices for using these options:

■ Enforced. This is a good configuration option for the Default Domain Policy. It ensures that all settings related to the account policies and other miscellaneous security settings always override weaker settings farther down in the Active Directory structure.
■ Block Policy Inheritance. The Domain Controllers OU contains all domain controllers for the specified domain. It is a good idea to use the Block Policy Inheritance option here so no surprises are configured on domain controllers if an errant GPO is configured at the site or domain level.

Tip: If you configure account policy settings in a GPO linked to an OU, these settings will affect local user accounts for computers in that OU. To prevent this from happening, set the Default Domain Policy GPO link to Enforced.

When to Use Security Filtering

By default, a GPO has an ACL that allows it to affect all accounts in the container to which the GPO is linked. This should not be changed unless security filtering of the GPO's ACL becomes necessary. The reason you should avoid modifying a GPO's ACL is that it is hard to document and troubleshoot such detailed configurations. However, in some situations using security filtering on a GPO's ACL is preferred:

■ When Active Directory delegation is more important. As you design your Active Directory structure, you might find areas where you need to place two types of user accounts in the same OU even though the user accounts need to have different GPO settings. In this case, you can use security filtering to control which user accounts receive the proper GPO settings.
■ When GPOs are linked higher in the OU structure. When you link GPOs high in the OU structure, you will find that the GPO settings can affect too many accounts. You are forced to configure the GPO ACL to indicate which accounts should apply these settings.

When to Use WMI Filters

WMI filters are very useful, but they can cause more harm than good if they are overused or configured improperly. The main problem with WMI filters is that they are expensive to process and therefore lead to slow response times and poor logon performance for users. It is best to design your OU structure to eliminate the need for WMI filters wherever possible. However, in some situations WMI filters are the only way to control which accounts receive the settings configured in the GPOs where the WMI filter is linked. You might want to limit the use of WMI filters to the following situations:

■ When software installation takes a large amount of hard disk space but not all target computers have sufficient disk space
■ When a setting or application depends on the current service pack or update level
■ When you are installing software or updates that rely on a certain operating system or operating system version
■ When you need to verify the memory installed on a computer

Network Topology Considerations

Whether you are rolling GPO settings out to accounts or are updating a critical security setting, you must consider network topology, replication, and convergence when you make these changes. You should make sure that your Group Policy infrastructure is well documented so you know how to get updates from one domain controller to all domain controllers. Here are some guidelines on updating GPOs with consideration for network topology:

■ GPO updates. By default, all GPO updates occur on the domain controller that houses the PDC emulator role. You can modify which domain controller updates Group Policy, but you still need to know where these changes occur.

More Info: For more information about how to control which domain controller updates Group Policy changes, see Chapter.

■ Convergence of GPO changes. When a change is made to a GPO, that change must be replicated to all domain controllers in the domain. When a computer or user attempts to apply GPO updates, the domain controller that authenticates the account must have the GPO changes or else the account
will not be updated. Knowing how to force replication and check for convergence of GPO changes on all domain controllers is essential.

More Info: For more information about how to control replication of GPOs and verify convergence of GPO changes on all domain controllers, see Chapter 13.

Chapter 5: Hardening Clients and Servers

Table 5-7 Security Settings for Member Servers

Security Options

Network access: Remotely accessible registry paths (the same list in the Legacy Client, Enterprise Client, and High Security configurations):
    System\CurrentControlSet\Control\ProductOptions
    System\CurrentControlSet\Control\Server Applications
    Software\Microsoft\Windows NT\CurrentVersion

Network access: Remotely accessible registry paths and sub-paths (the same list in all three configurations):
    System\CurrentControlSet\Control\Print\Printers
    System\CurrentControlSet\Services\Eventlog
    Software\Microsoft\OLAP Server
    Software\Microsoft\Windows NT\CurrentVersion\Print
    Software\Microsoft\Windows NT\CurrentVersion\Windows
    System\CurrentControlSet\Control\ContentIndex
    System\CurrentControlSet\Control\Terminal Server
    System\CurrentControlSet\Control\Terminal Server\UserConfig
    System\CurrentControlSet\Control\Terminal Server\DefaultUserConfiguration
    Software\Microsoft\Windows NT\CurrentVersion\Perflib
    System\CurrentControlSet\Services\SysmonLog

| Security Setting | Legacy Client Configuration | Enterprise Client Configuration | High Security Configuration |
|---|---|---|---|
| Network access: Restrict anonymous access to Named Pipes and Shares | Enabled | Enabled | Enabled |
| Network access: Shares that can be accessed anonymously | None | None | None |
| Network access: Sharing and security model for local accounts | Classic—local users authenticate as themselves | Classic—local users authenticate as themselves | Classic—local users authenticate as themselves |
| Network security: Do not store LAN Manager hash value on next password change | Enabled | Enabled | Enabled |
| Network security: LAN Manager authentication level | Send NTLMv2 responses only | Send NTLMv2 response only/refuse LM | Send NTLMv2 response only/refuse LM and NTLM |
| Network security: LDAP client signing requirements | Negotiate signing | Negotiate signing | Negotiate signing |
| Network security: Minimum session security for NTLM SSP based (including secure RPC) clients | No minimum | Enabled all settings | Enabled all settings |
| Network security: Minimum session security for NTLM SSP based (including secure RPC) servers | No minimum | Enabled all settings | Enabled all settings |
| Recovery console: Allow automatic administrative logon | Disabled | Disabled | Disabled |
| Recovery console: Allow floppy copy and access to all drives and all folders | Enabled | Enabled | Disabled |
| Shutdown: Allow system to be shut down without having to log on | Disabled | Disabled | Disabled |
| Shutdown: Clear virtual memory page file | Disabled | Disabled | Enabled |
| System cryptography: Force strong key protection for user keys stored on the computer | User is prompted when the key is first used | User is prompted when the key is first used | User must enter a password each time they use a key |
| System cryptography: Use FIPS compliant algorithms for encryption, hashing, and signing | Disabled | Disabled | Disabled |
| System objects: Default owner for objects created by members of the Administrators group | Object creator | Object creator | Object creator |
| System objects: Require case insensitivity for non-Windows subsystems | Enabled | Enabled | Enabled |
| System objects: Strengthen default permissions of internal system objects (such as Symbolic Links) | Enabled | Enabled | Enabled |
| System settings: Optional subsystems | None | None | None |

Event Log

| Security Setting | Legacy Client Configuration | Enterprise Client Configuration | High Security Configuration |
|---|---|---|---|
| Maximum application log size | 16,384 KB | 16,384 KB | 16,384 KB |
| Maximum security log size | 81,920 KB | 81,920 KB | 81,920 KB |
| Maximum system log size | 16,384 KB | 16,384 KB | 16,384 KB |
| Prevent local guests group from accessing application log | Enabled | Enabled | Enabled |
| Prevent local guests group from accessing security log | Enabled | Enabled | Enabled |
| Prevent local guests group from accessing system log | Enabled | Enabled | Enabled |
| Retention method for application log | As needed | As needed | As needed |
| Retention method for security log | As needed | As needed | As needed |
| Retention method for system log | As needed | As needed | As needed |

System Services

| Service | Legacy Client Configuration | Enterprise Client Configuration | High Security Configuration |
|---|---|---|---|
| Alerter | Disabled | Disabled | Disabled |
| Application Layer Gateway Service | Disabled | Disabled | Disabled |
| Application Management | Disabled | Disabled | Disabled |
| ASP.NET State Service | Disabled | Disabled | Disabled |
| Automatic Updates | Automatic | Automatic | Automatic |
| Background Intelligent Transfer Service | Manual | Manual | Manual |
| Certificate Services | Disabled | Disabled | Disabled |
| MS Software Shadow Copy Provider | Manual | Manual | Manual |
| Client Service for Netware | Disabled | Disabled | Disabled |
| ClipBook | Disabled | Disabled | Disabled |
| Cluster Service | Disabled | Disabled | Disabled |
| COM+ Event System | Manual | Manual | Manual |
| COM+ System Application | Disabled | Disabled | Disabled |
| Computer Browser | Automatic | Automatic | Automatic |
| Cryptographic Services | Automatic | Automatic | Automatic |
| DHCP Client | Automatic | Automatic | Automatic |
| DHCP Server | Disabled | Disabled | Disabled |
| Distributed Link Tracking Client | Disabled | Disabled | Disabled |
| Distributed Link Tracking Server | Disabled | Disabled | Disabled |
| Distributed Transaction Coordinator | Disabled | Disabled | Disabled |
| DNS Client | Automatic | Automatic | Automatic |
| DNS Server | Disabled | Disabled | Disabled |
| Error Reporting Service | Disabled | Disabled | Disabled |
| Event Log | Automatic | Automatic | Automatic |
| Fax Service | Disabled | Disabled | Disabled |
| File Replication | Disabled | Disabled | Disabled |
| File Server for Macintosh | Disabled | Disabled | Disabled |
| FTP Publishing | Disabled | Disabled | Disabled |
| Help and Support | Disabled | Disabled | Disabled |
| HTTP SSL | Disabled | Disabled | Disabled |
| Human Interface Device Access | Disabled | Disabled | Disabled |
| IAS Jet Database Access | Disabled | Disabled | Disabled |
| IIS Admin Service | Disabled | Disabled | Disabled |
| IMAPI CD-Burning COM Service | Disabled | Disabled | Disabled |
| Indexing Service | Disabled | Disabled | Disabled |
| Infrared Monitor | Disabled | Disabled | Disabled |
| Internet Authentication Service | Disabled | Disabled | Disabled |
| Internet Connection Firewall (ICF)/Internet Connection Sharing (ICS) | Disabled | Disabled | Disabled |
| Intersite Messaging | Disabled | Disabled | Disabled |
| IP Version Helper Service | Disabled | Disabled | Disabled |
| IPSec Policy Agent (IPSec Service) | Automatic | Automatic | Automatic |
| Kerberos Key Distribution Center | Disabled | Disabled | Disabled |
| License Logging Service | Disabled | Disabled | Disabled |
| Logical Disk Manager | Manual | Manual | Manual |
| Logical Disk Manager Administrative Service | Manual | Manual | Manual |
| Message Queuing | Disabled | Disabled | Disabled |
| Message Queuing Down Level Clients | Disabled | Disabled | Disabled |
| Message Queuing Triggers | Disabled | Disabled | Disabled |
| Messenger | Disabled | Disabled | Disabled |
| Microsoft POP3 Service | Disabled | Disabled | Disabled |
| MSSQL$UDDI | Disabled | Disabled | Disabled |
| MSSQLServerADHelper | Disabled | Disabled | Disabled |
| .NET Framework Support Service | Disabled | Disabled | Disabled |
| Netlogon | Automatic | Automatic | Automatic |
| NetMeeting Remote Desktop Sharing | Disabled | Disabled | Disabled |
| Network Connections | Manual | Manual | Manual |
| Network DDE | Disabled | Disabled | Disabled |
| Network DDE DSDM | Disabled | Disabled | Disabled |
| Network Location Awareness (NLA) | Manual | Manual | Manual |
| Network News Transport Protocol (NNTP) | Disabled | Disabled | Disabled |
| NTLM Support Provider | Automatic | Automatic | Automatic |
| Performance Logs and Alerts | Manual | Manual | Manual |
| Plug and Play | Automatic | Automatic | Automatic |
| Portable Media Serial Number | Disabled | Disabled | Disabled |
| Print Server for Macintosh | Disabled | Disabled | Disabled |
| Print Spooler | Disabled | Disabled | Disabled |
| Protected Storage | Automatic | Automatic | Automatic |
| Remote Access Auto Connection Manager | Disabled | Disabled | Disabled |
| Remote Access Connection Manager | Disabled | Disabled | Disabled |
| Remote Administration Service | Manual | Manual | Manual |
| Remote Desktop Help Session Manager | Disabled | Disabled | Disabled |
| Remote Installation | Disabled | Disabled | Disabled |
| Remote Procedure Call (RPC) | Automatic | Automatic | Automatic |
| Remote Procedure Call (RPC) Locator | Disabled | Disabled | Disabled |
| Remote Registry Service | Automatic | Automatic | Automatic |
| Remote Server Manager | Disabled | Disabled | Disabled |
| Remote Server Monitor | Disabled | Disabled | Disabled |
| Remote Storage Notification | Disabled | Disabled | Disabled |
| Remote Storage Server | Disabled | Disabled | Disabled |
| Removable Storage | Manual | Manual | Manual |
| Resultant Set of Policy Provider | Disabled | Disabled | Disabled |
| Routing and Remote Access | Disabled | Disabled | Disabled |
| SAP Agent | Disabled | Disabled | Disabled |
| Secondary Logon | Disabled | Disabled | Disabled |
| Security Accounts Manager | Automatic | Automatic | Automatic |
| Server | Automatic | Automatic | Automatic |
| Shell Hardware Detection | Disabled | Disabled | Disabled |
| Simple Mail Transport Protocol (SMTP) | Disabled | Disabled | Disabled |
| Simple TCP/IP Services | Disabled | Disabled | Disabled |
| Single Instance Storage Groveler | Disabled | Disabled | Disabled |
| Smart Card | Disabled | Disabled | Disabled |
| SNMP Service | Disabled | Disabled | Disabled |
| SNMP Trap Service | Disabled | Disabled | Disabled |
| Special Administration | | | |
Console Helper Disabled Disabled Disabled System Event Notification Automatic Automatic Automatic Task Scheduler Disabled Disabled Disabled TCP/IP NetBIOS Helper Service Automatic Automatic Automatic TCP/IP Print Server Disabled Disabled Disabled Telephony Disabled Disabled Disabled Telnet Disabled Disabled Disabled Terminal Services Automatic Automatic Automatic 185 186 Part II: Group Policy Implementation and Scenarios Table 5-7 Security Settings for Member Servers Legacy Client Configuration Enterprise Client Configuration High Security Configuration Terminal Services Licensing Disabled Disabled Disabled Terminal Services Session Directory Disabled Disabled Disabled Themes Disabled Disabled Disabled Trival FTP Daemon Disabled Disabled Disabled Uninterruptible Power Supply Disabled Disabled Disabled Security Setting System Services Upload Manager Disabled Disabled Disabled Virtual Disk Service Disabled Disabled Disabled Volume Shadow Copy Manual Manual Manual WebClent Disabled Disabled Disabled Web Element Manager Disabled Disabled Disabled Windows Audio Disabled Disabled Disabled Windows Image Acquisition (WIA) Disabled Disabled Disabled Windows Installer Automatic Automatic Automatic Windows Internet Name Service (WINS) Disabled Disabled Disabled Windows Management Automatic Instrumentation Automatic Automatic Windows Management Manual Instrumentation Driver Extensions Manual Manual Windows Media Services Disabled Disabled Disabled Windows System Resource Manager Disabled Disabled Disabled Windows Time Automatic Automatic Automatic WinHTTP Web Proxy Auto—Discovery Service Disabled Disabled Disabled Wireless Configuration Disabled Disabled Disabled WMI Performance Adapter Manual Manual Manual Workstation Automatic Automatic Automatic World Wide Publishing Service Disabled Disabled Disabled Chapter 5: Hardening Clients and Servers 187 Ports Required for Member Servers For a member server to function on the network with other computers, specific ports must be 
opened. Table 5-8 presents a list of those critical ports. As we investigate specific server roles, additional ports will need to be added to ensure the server functions properly.

Table 5-8 Ports for Member Servers
Port | Description
137 (NetBIOS name service) | Used by the browse master service. This must be open for WINS and browse master servers.
138 (NetBIOS datagram service) | Must be open to accept inbound datagrams from NetBIOS applications such as the Messenger service or the Computer Browser service.
139 (NetBIOS session service) | Must be closed unless you run applications or operating systems that need to support Windows networking (SMB) connections. If you run Windows NT 4.0, Windows Millennium Edition, Windows 98, or Windows 95, this port must be open on your servers.
445 (CIFS/SMB server) | Used by basic Windows networking, including file sharing, printer sharing, and remote administration.
3389 (Remote Desktop Protocol) | Must be open if you are using Terminal Services for application sharing, remote desktop, or remote assistance.

Domain Controllers

Domain controllers are the heart of any environment that runs Active Directory. These computers must be stable, protected, and available to provide the key services for the directory service, user authentication, resource access, and more. If there is any loss or compromise of a domain controller in the environment, the result can be disastrous for clients, servers, and applications that rely on domain controllers for authentication, Group Policy, and the LDAP directory. Not only should these domain controllers be hardened with security configurations, they must also be physically secured in locations that are accessible only to qualified administrative staff. If domain controllers are stored in unsecured locations due to limitations of the facility (such as in a branch office), you should apply additional security configurations to limit the potential damage from physical threats against the computer.

Domain Controller Security Environment Levels

Along the same lines as the Member Server hardening guidelines, domain controllers also have different levels of security based on the environment in which they are deployed. These levels are the same as those defined in the “Member Servers” section in this chapter: Legacy Client, Enterprise Client, and High Security.

Security Settings for Domain Controllers

Security settings that apply specifically to domain controllers are best created in a GPO that is then linked to the Domain Controllers OU. The settings for domain controllers should be based on those we reviewed in the earlier “Member Servers” section. Of course, a domain controller also has additional functions or features compared to a member server, and this requires additional open ports and security configuration. You must review the security settings list to ensure that you are not restricting a key feature for your domain controller. Table 5-9 lists the settings that differ from those specified in Table 5-7. In other words, the baseline security settings for domain controllers as outlined below should be incrementally added to the baseline security settings for member servers described previously.

More Info For more information on hardening domain controllers in different enterprise environments, see the Windows Server 2003 Security Guide found at http://www.microsoft.com/downloads/details.aspx?FamilyID=8a2643c1-0685-4d89-b655-521ea6c7b4db&displaylang=en

Table 5-9 Security Settings for Domain Controllers
Security Setting | Legacy Client Configuration | Enterprise Client Configuration | High Security Configuration

User Rights
Access this computer from the network | Not Defined (Use defaults) | Not Defined (Use defaults) | Administrators, Authenticated Users, ENTERPRISE DOMAIN CONTROLLERS
Add workstations to domain | Administrators | Administrators | Administrators
Allow log on locally | Administrators | Administrators | Administrators
Allow log on through Terminal Services | Administrators | Administrators | Administrators
Change the system time | Administrators | Administrators | Administrators
Enable computer and user accounts to be trusted for delegation | Not Defined (Use defaults) | Not Defined (Use defaults) | Administrators
Load and unload device drivers | Administrators | Administrators | Administrators
Restore files and directories | Administrators | Administrators | Administrators
Shut down the system | Administrators | Administrators | Administrators

Security Options
Network security: Do not store LAN Manager hash value on next password change | Disabled | Enabled | Enabled

System Services
Distributed File System | Automatic | Automatic | Automatic
DNS Server | Automatic | Automatic | Automatic
File Replication | Automatic | Automatic | Automatic
Intersite Messaging | Automatic | Automatic | Automatic
Kerberos Key Distribution Center | Automatic | Automatic | Automatic
Remote Procedure Call (RPC) Locator | Automatic | Automatic | Automatic

Ports Required for Domain Controllers

Domain controllers are responsible for specific functions, as seen in the different settings listed in Table 5-9. Many of these different security template settings are due to required services to authenticate users and maintain consistency of the Active Directory database between other domain controllers. Table 5-10 lists additional ports that you must open for domain controllers.

Table 5-10 Ports for Domain Controllers
Ports | Description
88 (Kerberos) | The Kerberos protocol is used by Windows 2000 and later operating systems to log on and retrieve tickets for accessing other servers.
123 (NTP) | This port provides time synchronization for network clients using the Network Time Protocol (NTP).
135 (RPC
endpoint mapper/DCOM) | This port allows RPC clients to discover the ports that the RPC server is listening on.
389 (LDAP) | This port is the primary way that clients access Active Directory to obtain user information, e-mail addresses, services, and other directory service information.
464 (Kerberos Password Changes) | This port provides secure methods for users to change passwords using Kerberos.
636 (LDAP over SSL) | This port is needed if LDAP will use SSL to provide encryption and mutual authentication for LDAP traffic.
3268 (Global Catalog) | This port provides the means for clients to search Active Directory information that spans multiple domains.
3269 (Global Catalog over SSL) | This port is needed because the Global Catalog uses SSL to provide encryption and mutual authentication for Global Catalog traffic.

Note If your domain controller is running DNS, you will need to also open port 53.

File and Print Servers

File and print servers are responsible for resource storage and controlling access to these resources throughout the enterprise. These servers house the company’s documents, trade secrets, financial data, and much more. If these computers are not protected, the entire company might be in jeopardy. These computers must be stable, protected, and available to provide users and applications access to resources stored on these computers. Like the domain controllers, these servers must be physically protected. If someone were to get hold of a file server, they could potentially use other tools to gain access to the resources on the server. You should take action to protect against this. Table 5-11 lists security settings for file and print servers that differ from the settings in the Member Servers section earlier in the chapter. In other words, the baseline security settings for file and print servers as outlined here should be incrementally added to the baseline security settings for member servers described previously. These settings are best created in a GPO that is then linked to the OU that contains the file servers.

More Info For more information on hardening file and print servers in different enterprise environments, see the Windows Server 2003 Security Guide found at http://www.microsoft.com/downloads/details.aspx?FamilyID=8a2643c1-0685-4d89-b655-521ea6c7b4db&displaylang=en

Table 5-11 Security Settings for File and Print Servers
Security Setting | Legacy Client Configuration | Enterprise Client Configuration | High Security Configuration

Security Options
Microsoft network server: Digitally sign communications (always) | Disabled (Print Servers only) | Disabled (Print Servers only) | Disabled (Print Servers only)

System Services
Distributed File System | Disabled | Disabled | Disabled
File Replication | Disabled | Disabled | Disabled
Print Spooler | Automatic (Print Servers only) | Automatic (Print Servers only) | Automatic (Print Servers only)

Web Servers

Microsoft Internet Information Services (IIS) is the service that provides Web services on a Windows server. Web servers must be properly secured from malicious attackers, while still allowing legitimate clients to access intranet or public Web sites hosted on the server. IIS is not installed by default on the Windows Server 2003 family of servers, and when you install IIS, it installs in “locked” mode—a highly secure mode that protects IIS against threats. Beyond the best-practice security settings presented in this section for IIS, be sure to protect your Web servers by monitoring security using some form of intrusion detection system, and by implementing proper incident response procedures.

Security Settings for Web Servers

Security settings for Web servers are best created in a GPO that is then linked to the OU that contains the Web servers. Table 5-12 lists only the settings that differ from those in Table 5-7. In other words, the baseline security settings for Web servers as outlined here should be incrementally added to the baseline security settings for member
servers described previously.

More Info For more information on hardening Web servers in different enterprise environments, see the Windows Server 2003 Security Guide found at http://www.microsoft.com/downloads/details.aspx?FamilyID=8a2643c1-0685-4d89-b655-521ea6c7b4db&displaylang=en

Table 5-12 Security Settings for Web Servers
Security Setting | Legacy Client Configuration | Enterprise Client Configuration | High Security Configuration

User Rights
Deny access to this computer from the network | ANONYMOUS LOGON; Built-in Administrator; Support_388945a0; Guest; all non-Operating System service accounts (the same list in all three configurations)

System Services
HTTP SSL | Automatic | Automatic | Automatic
IIS Admin Service | Automatic | Automatic | Automatic
World Wide Web Publishing Service | Automatic | Automatic | Automatic

Ports Required for Web Servers

Web servers should have limited ports available, to reduce their exposure to attacks from the local network and the Internet. The fewer the ports that are open, the better. Table 5-13 is a list of additional ports that you will need to open for Web servers.

Table 5-13 Ports for Web Servers
Ports | Description
80 (HTTP) | The standard HTTP port for providing Web services to users. This can be easily changed and is not required. If you change the port for HTTP, be sure to add that new port to this list and configure that setting within IIS.
443 (HTTPS) | Allows HTTP to have a higher level of security that provides integrity, encryption, and authentication for Web traffic.

Client Hardening

Not only should servers be hardened to protect against outside intruders, but clients need the same attention. Clients also need to have services, ports, applications, groups, and so on locked down to reduce security risks as much as possible. This reduction in security risk should not compromise functionality in most cases. If the security on a client is too tight, users might not be able to use applications and network communications as needed. To show a wide range of client configuration best practices, we will look at four common environments. The best practices focus on creating and maintaining a secure ...

... settings, see the Windows Server 2003 Security Guide at http://www.microsoft.com/technet/security/prodtech/windowsserver2003/w2003hg/sgch00.mspx

... Account Lockout Policy | 30 minutes
Account Lockout Threshold | Account Lockout Policy | 50 invalid logon attempts
Reset account lockout counter after | Account Lockout Policy | 30 minutes
Any policy settings | Kerberos Policy ...

... restricted group. The Member Of list specifies which other groups the restricted group belongs to. When Restricted Groups are configured, the existing members of that group are removed. After the policy
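The service startup baseline in Table 5-7 and the port list in Table 5-8 can be checked against a running member server before and after the GPO is linked. The following PowerShell script is an added example, not code from the book or from the Windows Server 2003 Security Guide; it assumes WMI access to Win32_Service, a netstat that prints "LISTENING", matches services by display name (names vary between Windows versions, so unmatched entries are reported rather than judged), and covers only a subset of Table 5-7.

```powershell
# Added example, not code from the book or the Windows Server 2003 Security Guide.
# Audits a member server against a subset of Table 5-7 (service startup types)
# and Table 5-8 (ports). It reports drift only and changes nothing.
# Assumes: WMI access to Win32_Service, and a netstat that prints "LISTENING".

# Subset of Table 5-7, keyed by service display name. Win32_Service.StartMode
# reports 'Auto', 'Manual' or 'Disabled'; Table 5-7's "Automatic" is 'Auto'.
# Display names must match the local OS exactly, or the entry is reported as
# NotInstalled instead of being compared.
$ExpectedStartup = @{
    'Alerter'                           = 'Disabled'
    'Automatic Updates'                 = 'Auto'
    'Computer Browser'                  = 'Auto'
    'DHCP Server'                       = 'Disabled'
    'DNS Server'                        = 'Disabled'
    'Event Log'                         = 'Auto'
    'IIS Admin Service'                 = 'Disabled'
    'Messenger'                         = 'Disabled'
    'Print Spooler'                     = 'Disabled'
    'Routing and Remote Access'         = 'Disabled'
    'Server'                            = 'Auto'
    'Task Scheduler'                    = 'Disabled'
    'Telnet'                            = 'Disabled'
    'Windows Time'                      = 'Auto'
    'Workstation'                       = 'Auto'
    'World Wide Web Publishing Service' = 'Disabled'
}

# TCP ports Table 5-8 expects on every member server. 137 and 138 are UDP and
# never appear as TCP listeners. Role tables (5-10, 5-13) add to this list.
$AllowedTcpPorts = @(139, 445, 3389)

function Compare-ServiceStartup {
    # Pure comparison: $Actual maps display name -> StartMode found on the host.
    param([hashtable]$Expected, [hashtable]$Actual)
    foreach ($name in ($Expected.Keys | Sort-Object)) {
        if (-not $Actual.ContainsKey($name))         { $status = 'NotInstalled' }
        elseif ($Actual[$name] -eq $Expected[$name]) { $status = 'OK' }
        else                                         { $status = 'DRIFT' }
        New-Object PSObject -Property @{
            Service = $name; Expected = $Expected[$name]
            Actual  = $Actual[$name]; Status = $status
        }
    }
}

function Get-ServiceDrift {
    $actual = @{}
    foreach ($svc in Get-WmiObject -Class Win32_Service) {
        $actual[$svc.DisplayName] = $svc.StartMode
    }
    Compare-ServiceStartup -Expected $ExpectedStartup -Actual $actual
}

function Get-ListeningTcpPorts {
    # Parses lines such as "  TCP    0.0.0.0:445    0.0.0.0:0    LISTENING".
    param([string[]]$NetstatLines = (netstat -an))
    $ports = @()
    foreach ($line in $NetstatLines) {
        if ($line -match '^\s*TCP\s+\S+:(\d+)\s+\S+\s+LISTENING') { $ports += [int]$Matches[1] }
    }
    $ports | Sort-Object -Unique
}

function Get-UnexpectedListeners {
    param([int[]]$Listening, [int[]]$Allowed = $AllowedTcpPorts)
    $Listening | Where-Object { $Allowed -notcontains $_ }
}

Get-ServiceDrift | Where-Object { $_.Status -ne 'OK' } |
    Format-Table Service, Expected, Actual, Status -AutoSize
$extra = Get-UnexpectedListeners -Listening (Get-ListeningTcpPorts)
if ($extra) { "TCP listeners not in Table 5-8 (review against the server's role): $($extra -join ', ')" }
```

A port flagged here is not automatically wrong: a domain controller or Web server legitimately adds the ports in Tables 5-10 and 5-13, so extend $AllowedTcpPorts per role before treating a listener as drift.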