Windows Server 2003 Security Guide - The Domain Policy

An overview of all options and settings available in the domain policy.

Copyright notice: All information on this page are based on the recommendations made in the "Microsoft Windows Server 2003 Security Guide" at http://go.microsoft.com/fwlink/?LinkId=14845

Password Policy Settings

The following table includes the password policy setting recommendations for all three environments that are defined in this guide. You can configure the password policy settings in the following location in the Group Policy Object Editor:

Computer Configuration\Windows Settings\Security Settings\Account Policies\Password Policy

Additional information for each setting is provided in the subsections that follow the table.

SettingLegacy ClientEnterprise ClientSpecialized Security – Limited Functionality
Enforce password history24 passwords remembered24 passwords remembered24 passwords remembered
Maximum password age42 days42 days42 days
Minimum password age1 day1 day1 day
Minimum password length8 characters8 characters12 characters
Password must meet complexity requirementsEnabledEnabledEnabled
Store password using reversible encryptionDisabledDisabledDisabled

Account Lockout Policy Settings

The following table summarizes the recommended account lockout policy settings. You can use the Group Policy Object Editor to configure these settings in the Domain Group Policy at the following location:

Computer Configuration\Windows Settings\Security Settings\Account Policies\Account Lockout Policy

Additional information for each setting is provided in the subsections that follow the table.

SettingLegacy ClientEnterprise ClientSpecialized Security – Limited Functionality
Account lockout duration30 minutes30 minutes15 minutes
Account lockout threshold50 invalid login attempts50 invalid login attempts10 invalid login attempts
Reset account lockout counter after30 minutes30 minutes15 minutes

Kerberos Policies

Kerberos policies are used for domain user accounts. These policies determine settings that relate to the Kerberos version 5 authentication protocol, such as ticket lifetimes and enforcement. Kerberos policies do not exist in the local computer policy. If you reduce the lifetime of Kerberos tickets, the risk of an attacker who attempts to steal passwords to impersonate legitimate user accounts is decreased. However, the need to maintain these policies increases the authorization overhead.

In most environments, the default values for these policies should not be changed.

Security Options Settings

The three different types of account policies that are discussed earlier in this chapter are defined at the domain level and are enforced by all of the domain controllers in the domain. A domain controller always obtains the account policy from the Default Domain Policy GPO, even if there is a different account policy applied to the OU that contains the domain controller.

There are three security options settings that are similar to account policies. You should apply these settings at the level of the entire domain and not within individual OUs. You can configure these settings in the Group Policy Object Editor at the following location:

Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options

The following table summarizes the recommended security options settings.

SettingLegacy ClientEnterprise ClientSpecialized Security – Limited Functionality
Microsoft network server: Disconnect clients when logon hours expireEnabledEnabledEnabled
Network Access: Allow anonymous SID/NAME translationDisabledDisabledDisabled
Network Security: Force Logoff when Logon Hours expireEnabledEnabledEnabled

Tags: 

You might also be interested in...