Active Directory Design (12)
A.7.9 Group policies
This section describes the settings proposed for the Default Domain Policy and the Default Domain Controllers Policy.
A.7.9.1 Default Domain Policy
The Default Domain Policy defines the password policy and the account lockout policy for the entire user population of a domain. A domain supports only one such policy: different password and lockout policies cannot be assigned to different users or groups within the same domain. (Windows Server 2008 later introduced fine-grained password policies, which let a password settings object override the domain default for selected groups; in a Windows 2000 or Windows Server 2003 domain the only alternative is a separate domain.)
Password complexity
Best practices recommend enabling the "Password must meet complexity requirements" setting. When it is enabled, a new password must comply with the following rules:
It must not contain the user's account name (samAccountName) or any part of the user's full name longer than two consecutive characters; the comparison is case-insensitive.
It must be at least 6 characters long.
It must contain characters from three of the four categories below:
o English uppercase characters (A through Z)
o English lowercase characters (a through z)
o Base 10 digits (0 through 9)
o Non-alphanumeric characters (` ~ ! @ # $ % ^ & * ( ) _ + - = { } | [ ] \ : " ; ' < > ? , . /)
The rules are checked only when a password is set or changed; enabling the setting does not force existing passwords to comply until they expire or are reset.
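The following PowerShell function is an added example, not part of the original design document. It checks a candidate password against the rules listed above (length, account name and full-name tokens, three of four character categories) so that an administrator can see why a particular password is rejected. It only approximates the Windows password filter, which runs inside the LSA and is not callable for arbitrary strings; the sample user "jsmith" / "John Smith" and the candidate passwords are constructed.

```powershell
# Added example: approximate the "Password must meet complexity requirements" check.
function Test-PasswordComplexity {
    param(
        [Parameter(Mandatory)][string]$Password,
        [Parameter(Mandatory)][string]$SamAccountName,
        [string]$DisplayName = '',
        [int]$MinimumLength = 6
    )
    $failures = @()

    if ($Password.Length -lt $MinimumLength) {
        $failures += "shorter than $MinimumLength characters"
    }

    # Rule 1: must not contain the account name (case-insensitive). Windows skips
    # this check when the samAccountName is shorter than three characters.
    if ($SamAccountName.Length -ge 3 -and
        $Password.IndexOf($SamAccountName, [StringComparison]::OrdinalIgnoreCase) -ge 0) {
        $failures += "contains the account name '$SamAccountName'"
    }
    # Windows also rejects any token of the full name longer than two characters;
    # tokens are separated by commas, periods, dashes, underscores, spaces, # and tabs.
    $tokens = $DisplayName -split '[,.\-_ #\t]+' | Where-Object { $_.Length -gt 2 }
    foreach ($token in $tokens) {
        if ($Password.IndexOf($token, [StringComparison]::OrdinalIgnoreCase) -ge 0) {
            $failures += "contains part of the full name '$token'"
        }
    }

    # Rule 3: characters from at least three of the four categories. Anything
    # outside A-Z, a-z and 0-9 is counted as non-alphanumeric here (approximation).
    $categories = @(
        ($Password -cmatch '[A-Z]'),          # English uppercase
        ($Password -cmatch '[a-z]'),          # English lowercase
        ($Password -match  '[0-9]'),          # base 10 digits
        ($Password -match  '[^A-Za-z0-9]')    # non-alphanumeric
    )
    $hit = @($categories | Where-Object { $_ }).Count
    if ($hit -lt 3) {
        $failures += "only $hit of 4 character categories used"
    }

    [pscustomobject]@{
        Password  = ('*' * $Password.Length)   # never echo the candidate itself
        Compliant = ($failures.Count -eq 0)
        Failures  = $failures
    }
}

# Constructed candidates for the (assumed) user jsmith, full name "John Smith".
foreach ($candidate in 'Summer2019', 'jSmith#2019', 'S!mpl3r', 'Smith-Rocks1', 'pass') {
    Test-PasswordComplexity -Password $candidate -SamAccountName 'jsmith' -DisplayName 'John Smith'
}
```

The second and fourth candidates fail on the name checks even though they use enough character categories, and the last fails on length and categories; the function reports every reason rather than stopping at the first, which is what a helpdesk script needs.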
Account lockout
The account lockout duration and threshold must be tuned to protect the enterprise from password-guessing attacks while keeping the lockout management burden low. The lockout duration should be long enough to slow an online brute-force attack to a useless rate, but short enough that a locked-out user waits it out instead of calling the helpdesk. A low threshold also hands an attacker an easy denial of service: anyone who can reach an authenticating service can lock out any account whose name they know, so lockouts should be monitored and correlated by source rather than simply tolerated.
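As an added example (not from the original document), the script below lists recent lockouts recorded on the PDC emulator, which receives every lockout in the domain, and groups them by the computer the failed attempts came from. It assumes the ActiveDirectory module is installed, that "Audit account management: Success" is enabled on the domain controllers (as in the Default Domain Controllers Policy below), which produces event ID 4740, and that the caller has permission to read the Security log remotely.

```powershell
# Added example: find account lockouts (event ID 4740) on the PDC emulator and
# group them by the calling computer to separate typos from password guessing.
Import-Module ActiveDirectory

function Get-RecentLockouts {
    param([int]$Hours = 24)
    $pdc = (Get-ADDomain).PDCEmulator
    $filter = @{ LogName = 'Security'; Id = 4740; StartTime = (Get-Date).AddHours(-$Hours) }
    # Get-WinEvent throws when nothing matches; SilentlyContinue turns that into an empty result.
    $events = Get-WinEvent -ComputerName $pdc -FilterHashtable $filter -ErrorAction SilentlyContinue
    foreach ($e in $events) {
        # Read the EventData fields by name from the XML rather than by position.
        $x = [xml]$e.ToXml()
        $data = @{}
        foreach ($d in $x.Event.EventData.Data) { $data[$d.Name] = $d.'#text' }
        [pscustomobject]@{
            Time             = $e.TimeCreated
            Account          = $data['TargetUserName']
            CallerComputer   = $data['TargetDomainName']   # in 4740 this field carries the caller computer name
            DomainController = $e.MachineName
        }
    }
}

# Many different accounts locked from one caller computer within a short window
# is the signature of a password-spraying host, not of a user mistyping a password.
Get-RecentLockouts -Hours 1 |
    Group-Object CallerComputer |
    Sort-Object Count -Descending |
    Select-Object Count, Name,
        @{ n = 'Accounts'; e = { ($_.Group.Account | Sort-Object -Unique) -join ', ' } }
```

With a threshold of 5 attempts and a 5-minute observation window, a single host appearing with several locked accounts in one hour is worth investigating even when each individual lockout looks like ordinary user error.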
Domain Administrator and Guest accounts
A recommendation is to disable and rename the built-in Domain Administrator and Guest accounts.
The accounts must be renamed manually (for example in Active Directory Users and Computers) rather than through the "Accounts: Rename administrator account" and "Accounts: Rename guest account" settings. Set in the Default Domain Policy, those settings would apply to every computer in the domain and rename the local Administrator and Guest accounts on DCs, servers and workstations alike.
Based on this recommendation, the built-in Administrator and Guest accounts are disabled by the Default Domain Controllers Policy. Therefore, at least one alternative account that is a member of Domain Admins must be created and tested before the Default Domain Controllers Policy template is applied.
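The following script is an added example, not part of the original document. It enforces the ordering the text requires: it refuses to touch the built-in accounts unless a named replacement account exists, is enabled and is a member of Domain Admins, then renames and disables the built-in Administrator (RID 500) and Guest (RID 501) by SID so the procedure does not depend on their current names. The ActiveDirectory module is assumed, and the account names "da-breakglass", "retired-admin" and "retired-guest" are assumptions chosen for the example.

```powershell
# Added example: create-before-disable check for the built-in Administrator and Guest accounts.
Import-Module ActiveDirectory

function Disable-BuiltInAccounts {
    param(
        [Parameter(Mandatory)][string]$ReplacementAdmin,
        [string]$NewAdminName = 'retired-admin',   # assumed replacement names
        [string]$NewGuestName = 'retired-guest'
    )
    $sid = (Get-ADDomain).DomainSID.Value
    $domainAdmins = Get-ADGroup -Identity "$sid-512"   # Domain Admins, by well-known RID

    # Safety check: without an enabled replacement in Domain Admins, disabling
    # RID 500 could leave the domain with no usable administrator account.
    $replacement = Get-ADUser -Identity $ReplacementAdmin -Properties MemberOf
    if (-not $replacement.Enabled) {
        throw "Replacement account $ReplacementAdmin is disabled"
    }
    if ($replacement.MemberOf -notcontains $domainAdmins.DistinguishedName) {
        throw "Replacement account $ReplacementAdmin is not a member of Domain Admins"
    }

    # Rename first (logon name and object name), then disable. Identify each
    # account by ObjectGUID, which does not change when it is renamed.
    $targets = @{ "$sid-500" = $NewAdminName; "$sid-501" = $NewGuestName }
    foreach ($entry in $targets.GetEnumerator()) {
        $account = Get-ADUser -Identity $entry.Key
        if ($account.SamAccountName -ne $entry.Value) {
            Set-ADUser -Identity $account.ObjectGUID -SamAccountName $entry.Value
            Rename-ADObject -Identity $account.ObjectGUID -NewName $entry.Value
        }
        Disable-ADAccount -Identity $account.ObjectGUID
    }

    # Verify by SID, since the names have just changed.
    foreach ($rid in 500, 501) {
        Get-ADUser -Identity "$sid-$rid" | Select-Object SamAccountName, Enabled, SID
    }
}

Disable-BuiltInAccounts -ReplacementAdmin 'da-breakglass'
```

Disabling the accounts here mirrors what the "Accounts: Administrator account status" and "Accounts: Guest account status" settings in the Default Domain Controllers Policy enforce at every refresh; the rename is the part the policy cannot do for you. Keep in mind that the disabled built-in Administrator can still log on in safe mode and Directory Services Restore Mode, so its password must still be set to a strong value and stored securely.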
Proposed Default Domain Policy settings

Policy | Default Setting | Proposed Setting
--- | --- | ---
Password Policy | |
Enforce password history | 0 | 13 passwords remembered
Maximum password age | 42 days | 90 days
Minimum password age | 0 | 1 day
Minimum password length | 0 | 7 characters
Password must meet complexity requirements | Disabled | Enabled
Account Lockout Policy | |
Account lockout duration | Not set | 5 minutes
Account lockout threshold | 0 (no lockout) | 5 invalid logon attempts
Reset account lockout counter after | Not set | 5 minutes
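The script below is an added example, not part of the original document. It reads the domain's effective password and lockout policy and reports any drift from the proposed values in the table above. It assumes the ActiveDirectory module (available from Windows Server 2008 R2 on, so it is newer than the platform this design targets). The values are read, not written: on a domain controller the security settings extension writes these domain attributes from the Default Domain Policy GPO when it is reapplied, so a change made with Set-ADDefaultDomainPasswordPolicy outside the GPO is reverted at the next security policy refresh; fix drift in the GPO itself.

```powershell
# Added example: compare the effective domain password/lockout policy with the proposed baseline.
Import-Module ActiveDirectory

# Proposed values from the table. ComplexityEnabled follows the text, which recommends enabling it.
$proposed = @{
    PasswordHistoryCount        = 13
    MaxPasswordAge              = [timespan]::FromDays(90)
    MinPasswordAge              = [timespan]::FromDays(1)
    MinPasswordLength           = 7
    ComplexityEnabled           = $true
    ReversibleEncryptionEnabled = $false
    LockoutDuration             = [timespan]::FromMinutes(5)
    LockoutThreshold            = 5
    LockoutObservationWindow    = [timespan]::FromMinutes(5)
}

function Compare-DomainPasswordPolicy {
    param([hashtable]$Expected = $proposed)
    # Returns the values stored on the domain head (maxPwdAge, lockoutThreshold, ...).
    $actual = Get-ADDefaultDomainPasswordPolicy
    foreach ($name in ($Expected.Keys | Sort-Object)) {
        $current = $actual.$name
        [pscustomobject]@{
            Setting  = $name
            Expected = $Expected[$name]
            Actual   = $current
            Drift    = ($current -ne $Expected[$name])
        }
    }
}

$report = Compare-DomainPasswordPolicy
$report | Format-Table -AutoSize
if ($report | Where-Object Drift) {
    Write-Warning 'Default Domain Policy differs from the proposed baseline; correct it in the GPO.'
}
```

Running this after the GPO has been edited and `gpupdate /force` has run on the PDC emulator confirms that the settings shown in the Group Policy Management Console actually reached the directory, which is the value the domain controllers enforce.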
The configured settings should appear as follows in the Group Policy Management Console.
Computer Configuration (Enabled)
Windows Settings
Security Settings
Account Policies/Password Policy

Policy | Setting
--- | ---
Enforce password history | 13 passwords remembered
Maximum password age | 90 days
Minimum password age | 1 day
Minimum password length | 7 characters
Password must meet complexity requirements | Enabled
Store passwords using reversible encryption | Disabled

Account Policies/Account Lockout Policy

Policy | Setting
--- | ---
Account lockout duration | 5 minutes
Account lockout threshold | 5 invalid logon attempts
Reset account lockout counter after | 5 minutes

Account Policies/Kerberos Policy

Policy | Setting
--- | ---
Enforce user logon restrictions | Enabled
Maximum lifetime for service ticket | 600 minutes
Maximum lifetime for user ticket | 10 hours
Maximum lifetime for user ticket renewal | 7 days
Maximum tolerance for computer clock synchronization | 5 minutes

Local Policies/Security Options
Network Security

Policy | Setting
--- | ---
Network security: Force logoff when logon hours expire | Disabled
Network security: LAN Manager authentication level | Send NTLMv2 response only\refuse LM
A.7.9.2 Default Domain Controllers Policy
The Default Domain Controllers Policy disables the built-in Domain Administrator and Guest accounts and implements the recommended security settings for Domain Controllers.
The configured settings should appear as follows in the Group Policy Management Console.
Computer Configuration (Enabled)
Windows Settings
Security Settings
Local Policies/Audit Policy

Policy | Setting
--- | ---
Audit account logon events | Success, Failure
Audit account management | Success, Failure
Audit directory service access | Success, Failure
Audit logon events | Success, Failure
Audit object access | Success, Failure
Audit policy change | Success
Audit privilege use | Success, Failure
Audit process tracking | No auditing
Audit system events | Success
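As an added example (not from the original document), the script below exports the effective local security policy of a domain controller with secedit and compares the nine legacy audit categories with the table above. It uses only secedit.exe and built-in cmdlets and must run elevated on the DC; the temporary file name is an assumption. In the exported template the [Event Audit] values are bit flags: 0 = No auditing, 1 = Success, 2 = Failure, 3 = Success and Failure.

```powershell
# Added example: check a DC's effective legacy audit policy against the proposed table.
$expectedAudit = @{
    AuditAccountLogon    = 3   # Audit account logon events: Success, Failure
    AuditAccountManage   = 3   # Audit account management: Success, Failure
    AuditDSAccess        = 3   # Audit directory service access: Success, Failure
    AuditLogonEvents     = 3   # Audit logon events: Success, Failure
    AuditObjectAccess    = 3   # Audit object access: Success, Failure
    AuditPolicyChange    = 1   # Audit policy change: Success
    AuditPrivilegeUse    = 3   # Audit privilege use: Success, Failure
    AuditProcessTracking = 0   # Audit process tracking: No auditing
    AuditSystemEvents    = 1   # Audit system events: Success
}

# Minimal parser for one section of a secedit .inf template (INI-style "Key = Value" lines).
function Get-SeceditSection {
    param([string]$Path, [string]$Section)
    $result = @{}
    $inSection = $false
    foreach ($line in Get-Content -Path $Path) {
        if ($line -match '^\[(.+)\]$') { $inSection = ($Matches[1] -eq $Section); continue }
        if ($inSection -and $line -match '^\s*(\w+)\s*=\s*(.*?)\s*$') { $result[$Matches[1]] = $Matches[2] }
    }
    $result
}

function Compare-AuditPolicy {
    $inf = Join-Path $env:TEMP 'secpol-export.inf'   # assumed temporary path
    # secedit writes the template as UTF-16 text; Get-Content detects the byte-order mark.
    & secedit.exe /export /cfg $inf /quiet | Out-Null
    $audit = Get-SeceditSection -Path $inf -Section 'Event Audit'
    Remove-Item $inf -ErrorAction SilentlyContinue

    $labels = @{ 0 = 'No auditing'; 1 = 'Success'; 2 = 'Failure'; 3 = 'Success, Failure' }
    foreach ($key in ($expectedAudit.Keys | Sort-Object)) {
        # A category missing from the export means it is not configured (0).
        $actual = if ($audit.ContainsKey($key)) { [int]$audit[$key] } else { 0 }
        [pscustomobject]@{
            Category = $key
            Expected = $labels[$expectedAudit[$key]]
            Actual   = $labels[$actual]
            Drift    = ($actual -ne $expectedAudit[$key])
        }
    }
}

Compare-AuditPolicy | Format-Table -AutoSize
```

On Windows Server 2008 and later, advanced audit policy subcategories (configured with auditpol or under "Advanced Audit Policy Configuration") take precedence over these legacy categories once any subcategory is set, so on those systems the output of `auditpol /get /category:*` is the authoritative view and this check only covers the legacy layer.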
Local Policies/User Rights Assignment
Default settings apply

Local Policies/Security Options
Accounts

Policy | Setting
--- | ---
Accounts: Administrator account status | Disabled
Accounts: Guest account status | Disabled
Accounts: Limit local account use of blank passwords to console logon only | Enabled

Audit

Policy | Setting
--- | ---
Audit: Audit the access of global system objects | Disabled
Audit: Audit the use of Backup and Restore privilege | Disabled
Audit: Shut down system immediately if unable to log security audits | Disabled

Devices

Policy | Setting
--- | ---
Devices: Prevent users from installing printer drivers | Enabled

Domain Member

Policy | Setting
--- | ---
Domain member: Digitally encrypt or sign secure channel data (always) | Enabled

Interactive Logon

Policy | Setting
--- | ---
Interactive logon: Do not display last user name | Enabled
Interactive logon: Do not require CTRL+ALT+DEL | Disabled
Interactive logon: Number of previous logons to cache (in case domain controller is not available) | 0 logons
Interactive logon: Prompt user to change password before expiration | 14 days
Interactive logon: Require Domain Controller authentication to unlock workstation | Enabled

Microsoft Network Server

Policy | Setting
--- | ---
Microsoft network server: Digitally sign communications (always) | Enabled
Microsoft network server: Digitally sign communications (if client agrees) | Enabled

Network Access

Policy | Setting
--- | ---
Network access: Allow anonymous SID/Name translation | Disabled
Network access: Do not allow anonymous enumeration of SAM accounts | Enabled
Network access: Do not allow anonymous enumeration of SAM accounts and shares | Enabled
Network access: Do not allow storage of credentials or .NET Passports for network authentication | Enabled

Network Security

Policy | Setting
--- | ---
Network security: Do not store LAN Manager hash value on next password change | Enabled
Network security: LAN Manager authentication level | Send NTLMv2 response only\refuse LM

Recovery Console

Policy | Setting
--- | ---
Recovery console: Allow floppy copy and access to all drives and all folders | Enabled

Microsoft's hardening guidance for Windows Server 2003 domain controllers sets this Recovery Console option to Disabled; leaving it Enabled should be a deliberate decision, because it lets anyone who can log on to the Recovery Console with the Directory Services Restore Mode password copy any file on the domain controller, including the directory database, to removable media.

Shutdown

Policy | Setting
--- | ---
Shutdown: Clear virtual memory pagefile | Enabled

Event Log

Policy | Setting
--- | ---
Maximum application log size | 20480 kilobytes
Maximum security log size | 102400 kilobytes
Maximum system log size | 20480 kilobytes
Prevent local guests group from accessing application log | Enabled
Prevent local guests group from accessing security log | Enabled
Prevent local guests group from accessing system log | Enabled
Retention method for application log | As needed (overwrite events as needed)
Retention method for security log | As needed (overwrite events as needed)
Retention method for system log | As needed (overwrite events as needed)