Default Security Policies

At the root of the WolfTech AD tree, a number of policies are linked in.  To better secure the domain, we have developed a model in which we drop in the Microsoft Enterprise Client (EC) security policies completely unmodified and pair each one with a policy of our own that carries any changes we want, with both policies scoped by the same per-OS WMI filter.  This lets us swap in the Microsoft security policies as new ones are released or updated, while still targeting OS-specific settings precisely.

Guiding Principles:

  • Link specific settings before generic ones – Example: certificate settings before OS policies.
  • Filter on Authenticated Users combined with appropriate OS WMI filters – Example: Windows 2008r2 Member Server.
  • Link server OSes before client OSes.
  • Link newer OSes before older OSes.
  • Do not edit the Microsoft EC Policies if at all possible.
  • Create a separate “override” policy per OS to unset EC settings that are harmful to our environment.
  • If a new OS comes out and Microsoft hasn’t released an EC policy for it, copy the newest applicable EC policy and use that.

Applying those principles gives us a link order like so:
  1. Domain-NCSU Certificates
  2. Domain-Laptop Policy
  3. Default Domain Policy
  4. WolfTech Default Domain Policy – WS08R2
  5. WS08R2-EC-Member-Server
  6. WolfTech Default Domain Policy – WS08
  7. WS08 EC Member Server Baseline Policy
  8. WolfTech Default Domain Policy – Win2003
  9. WS03 EC Member Server Baseline Policy
  10. WolfTech Default Domain Policy – Win7
  11. Win7 EC Desktop Policy
  12. WolfTech Default Domain Policy – Vista
  13. VSG EC Desktop Policy
  14. WolfTech Default Domain Policy – WinXP
  15. XP EC Desktop Policy
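The pairing model above is easy to break when someone re-links or re-orders policies at the root. The following PowerShell audit is an added example (not part of the WolfTech documentation) that reads the domain-root link order with the GroupPolicy module and checks that every WolfTech override sits directly above its EC baseline and that both halves of a pair carry the same WMI filter; the override/baseline names are taken from the link order listed above and must match the actual GPO display names exactly.

```powershell
# Added example: audit the root link order against the override/EC pairing model.
# A lower link order number means higher precedence, so the override at order N
# must be immediately above its baseline at order N+1 for the override to win.
Import-Module GroupPolicy

# Override -> EC baseline pairs, taken from the link order on this page.
$pairs = [ordered]@{
    'WolfTech Default Domain Policy – WS08R2'  = 'WS08R2-EC-Member-Server'
    'WolfTech Default Domain Policy – WS08'    = 'WS08 EC Member Server Baseline Policy'
    'WolfTech Default Domain Policy – Win2003' = 'WS03 EC Member Server Baseline Policy'
    'WolfTech Default Domain Policy – Win7'    = 'Win7 EC Desktop Policy'
    'WolfTech Default Domain Policy – Vista'   = 'VSG EC Desktop Policy'
    'WolfTech Default Domain Policy – WinXP'   = 'XP EC Desktop Policy'
}

# Assumption: run from a domain-joined host; the domain DN comes from RootDSE.
$domainDn = ([ADSI]'LDAP://RootDSE').defaultNamingContext
$links = (Get-GPInheritance -Target $domainDn).GpoLinks | Sort-Object Order
$byName = @{}
foreach ($l in $links) { $byName[$l.DisplayName] = $l }

$problems = @()
foreach ($override in $pairs.Keys) {
    $baseline = $pairs[$override]
    if (-not $byName.ContainsKey($override)) { $problems += "Missing override link: $override"; continue }
    if (-not $byName.ContainsKey($baseline)) { $problems += "Missing baseline link: $baseline"; continue }
    $o = $byName[$override]; $b = $byName[$baseline]

    if ($b.Order -ne ($o.Order + 1)) {
        $problems += "'$override' (order $($o.Order)) is not directly above '$baseline' (order $($b.Order))"
    }
    if (-not $o.Enabled -or -not $b.Enabled) {
        $problems += "Disabled link in pair: '$override' / '$baseline'"
    }

    # Both halves must use the same per-OS WMI filter (e.g. a 2008 R2 member server
    # filter such as: SELECT * FROM Win32_OperatingSystem WHERE Version LIKE "6.1%"
    # AND ProductType = "3"); otherwise one half applies to hosts the other skips.
    $oFilter = (Get-GPO -Guid $o.GpoId).WmiFilter.Name
    $bFilter = (Get-GPO -Guid $b.GpoId).WmiFilter.Name
    if ($oFilter -ne $bFilter) {
        $problems += "'$override' filter '$oFilter' differs from '$baseline' filter '$bFilter'"
    }
}

if ($problems) { $problems | ForEach-Object { Write-Warning $_ } }
else { 'Root link order matches the override/EC pairing model.' }
```

Run it after any change to the root links; a warning for a pair means the override no longer takes precedence over (or no longer targets the same hosts as) its EC baseline.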

Role Based GPO’s:

Another thing Microsoft has done is release role-based security GPOs.  Here is a list of the Windows Server 2008 R2 ones that are currently in WolfTech:
  • WS08R2-AD-Certificate-Services-Server
  • WS08R2-EC-Domain-Controller
  • WS08R2-EC-Member-Server
  • WS08R2-File-Server
  • WS08R2-Hyper-V
  • WS08R2-Print-Server
  • WS08R2-Remote-Desktop-Services
  • WS08R2-Web-Server

Note: There is a smaller number of ones for 2008 named “WS08 EC *” that you can find in the “Group Policy Objects” folder in GPMC.

The concept is that while “WolfTech Default Domain Policy – WS08R2” and “WS08R2-EC-Member-Server” are linked at the root of the tree, you would link “WS08R2-Print-Server” to your NCSU\College\Dept\Servers\Print OU, for example.  The same goes for file or IIS servers.  This also highlights that you should not put multiple types of servers in a single OU; it is appropriate to have an OU for each type of server you support.

More information:

The Microsoft Security Baseline Guides can be accessed here (as of 2/16/2011):
Windows Server 2008 R2 Security Guide
Windows Server 2008 Security Guide

Microsoft Security Compliance Manager: This is a tool with a GUI for browsing the baselines.  For each setting it explains why Microsoft chose that value and which attack vectors it addresses, references the specific KB articles, shows which registry keys are set, and so on.