S 4.314 Secure policy settings for domains and domain controllers

Initiation responsibility: IT Security Officer, Head of IT

Implementation responsibility: Administrator

A Windows Server with Active Directory contains default security policy settings for the domain and for the domain controllers. However, it is recommended to change the default policy settings to increase security in the domain and on the domain controllers. The following changes are recommended:

• Secure password policy settings
  
  Access to the domain controllers must be secured using strong mechanisms. More detailed information on the password policy settings needed for this purpose can be found in the modules for the corresponding Microsoft servers.
• Account locking policies
  
  The login attempts (see also S 4.316 Monitoring the Active Directory infrastructure for more information) should be logged so that attacks can be detected. For example, a large number of unsuccessful attempts to enter a password when attempting to log in can indicate a brute force attack. How the account will actually be locked is defined using the Account Lockout Duration and Account Lockout Threshold options and by resetting the account lockout counter according to the description provided in safeguard S 2.231 Planning of group policy under Windows.
• Kerberos policy settings
  
  The authentication service provided by Kerberos provides the corresponding client the authorisation data needed to access the network resources. In this case, access to the network resources is granted based on session tickets. For this purpose, the domain controller issues the client a "ticket granting ticket" (TGT) in advance. When the client attempts to access a resource, the client transmits the TGT to the domain controller so it can examine the ticket. After passing the examination, the domain controller generates a session ticket for the client that it can use to access the resource for a limited time.
  
  By changing the Kerberos policy settings, it is possible to modify the Kerberos tickets, e.g. its validity period, for domain user accounts. Information on adapting the Kerberos policies can be found in the Resources for IT-Grundschutz (see Kerberos policy settings for domains in the Resources for Active Directory).

The following safeguards are also recommended to ensure secure policy settings for domain controllers:

User rights should be assigned restrictively so that the users in the domain or on the domain controllers are able to perform the operational or administrative tasks. The access capabilities of users should be restricted in this case so that they do not endanger the security of the domain controllers (see also safeguard S 2.229 Planning Active Directory).

The configuration of policy settings for monitoring the domain controllers makes it possible to verify who is responsible for sensitive administrative operations such as administration or configuration changes. Monitors should be set up to monitor login attempts, account management operations, Active Directory accesses, attempts to access objects, changes to policies, the use of rights, process tracking, and system events.

Important Active Directory objects, such as the directory partitions, for example, must be monitored using suitable policy settings. To accomplish this, monitoring must be enabled for the directory partitions (logical areas of the Active Directory database). The directory partitions affected by these settings are called "schema", "configuration", and "domain".

Implementing the recommendations provided above for the configuration of policy settings will require the default setting for the maximum size of the security log to be increased so that a greater number of events can be monitored and logged. The logs must be evaluated promptly. In addition, there must be a clearly defined procedure for regular and prompt archiving, and the security and system event logs must be backed up regularly so that no events are lost or are overwritten.

If it is also necessary to support co-operation between the domains in different overall structures, for example so they can share the use of applications or for limited co-operation between different overall structures in an organisation, then external trust relationships should be set up. External trust relationships pose a potential security risk, though, because security boundaries are crossed in this case. For this reason, the domain controllers in the trusted domain should filter out the authorisation data of the users and remove security IDs (SIDs) that do not refer to the domain of the user account. A detailed description of how comprehensive rights can be obtained without authorisation using forged SIDs and the corresponding countermeasures using SID filtering is described in articles 289243 and 289246 of the Microsoft Knowledge Base.

The policy settings for the security options for domain controllers have an impact on the security-related configuration settings of the Windows Server operating systems and should therefore be selected with care. This not only applies to the configuration relevant to the Active Directory, but also to other components of the Windows Server operating systems (e.g. to the security configuration settings for the network, file system, and user logins).

Review questions:

• Do the policies for domains and domain controllers include secure settings for passwords, account lockout, Kerberos authentication, user rights, and monitoring?
• Is a sufficient size set for the security log of the domain controller?
• In case of external trust relationships with other domains: Are authorisation data of the users filtered and anonymised?