Default Security Policies

At the root of the WolfTech AD tree, there are a number of policies linked in.  In order to better secure the domain, we have developed a model by which we drop in the Microsoft Enterprise Client security policies completely unmolested and then put a paired policy with it to have any changes we want added with both of them using a per-OS WMI filter.  This lets us update the security policies as more are released and/or updated while tactically targeting OS-specific settings.

Guiding Principles:

  • Link Specific settings before Generic Ones – Example: Certificate Settings before OS’s.
  • Filter on Authenticated Users combined with appropriate OS WMI filters – Example: Windows 2008r2 Member Server.
  • Link Server OS’s before Client OS’s.
  • Link Newer OS’s before Older OS’s.
  • Do not edit the Microsoft EC Policies if at all possible.
  • Create a separate “override” policy per OS to unset EC settings that are harmful to our environment.
  • If a new OS comes out and Microsoft hasn’t released an EC Policy, copy the newest applicable and use that.
Applying those Principles gives us a link order like so:
  1. Domain-NCSU Certificates
  2. Domain-Laptop Policy
  3. Default Domain Policy
  4. Windows Server 2022 (21H2) Baseline
  5. Windows Server 2019 Member Server
  6. WolfTech Default Domain Policy – WS2016
  7. Windows Server 2016 SCM RTM
  8. WolfTech Default Domain Policy – WS08R2
  9. WS08R2-EC-Member-Server
  10. WolfTech Default Domain Policy –  WS08
  11. WS08 EC Member Server Baseline Policy
  12. WolfTech Default Domain Policy – Win2003
  13. WS03 EC Member Server Baseline Policy
  14. WolfTech Default Domain Policy – Win10
  15. Windows 10 Computer v* – there are alot of these.
  16. WolfTech Default Domain Policy – Win8.1
  17. Win8.1 EC Desktop Policy
  18. WolfTech Default Domain Policy – Win8
  19. Win8 EC Desktop Policy
  20. WolfTech Default Domain Policy – Win7
  21. Win7 EC Desktop Policy
  22. WolfTech Default Domain Policy – Vista
  23. VSG EC Desktop Policy
  24. WolfTech Default Domain Policy – WinXP
  25. XP EC Desktop Policy

Role Based GPO’s:

Another thing Microsoft has done is release Role-based security GPO’s.  Here is an example list the Windows Server 2008r2 ones that are currently in WolfTech:
  • WS08R2-AD-Certificate-Services-Server
  • WS08R2-EC-Domain-Controller
  • WS08R2-EC-Member-Server
  • WS08R2-File-Server
  • WS08R2-Hyper-V
  • WS08R2-Print-Server
  • WS08R2-Remote-Desktop-Services
  • WS08R2-Web-Server

Note: There is a smaller number of ones for 2008 named “WS08 EC *” that you can find in the “Group Policy Objects” folder in GPMC.

The concept is that while the “WolfTech Default Domain Policy – WS08R2” and “WS08R2-EC-Member-Server” policies are linked at the root of the tree, you would be linking in “WS08R2-Print-Server”  to your NCSU\College\Dept\Servers\Print OU as an example.  The same would go for File or IIS servers.  This also highlights the fact that people shouldn’t be putting multiple types of servers in a single OU, that it is appropriate to have an OU for each type of server you support.


Every once in awhile there is a setting in a Security Baseline that cannot be overwritten. When that occurs we will edit the default Security Baseline and document any changes.

Windows 10 Computer (Beta-1703) and Windows 10 Computer (SCTv1.0, v1709):

There are issues with BitLocker and DMA devices, that causes DMA devices not to function when BitLocker is enabled.

The following setting in both GPO’s were changed from “Enabled” to “Not Configured”

Computer Configuration\Administrative Templates\Windows Components\BitLocker Drive Encryption\ Disable new DMA Devices when this computer is locked

More information:

The Microsoft Security Baseline Guides can be accessed here (as of 2/16/2011):
Windows Server 2008 R2 Security Guide
Windows Server 2008 Security Guide

Microsoft Security Compliance Manager: This is a tool that includes a gui interface for browsing through the baselines and getting information about why MS chose to set the values the way they did, what attack vectors would be used, references specific KB articles, and tells you what registry keys they set, and so on.