10 Default Domain Policy Best Practices

Domain controllers are the heart of an Active Directory network. By following these 10 best practices, you can help keep your domain controllers secure and running smoothly.

The Default Domain Policy is a Group Policy object that is linked to the domain and controls the default settings for all users and computers in the domain. The Default Domain Policy is a good starting point for creating and managing Group Policy objects in a domain.

In this article, we will discuss 10 best practices for managing the Default Domain Policy.

1. Use a separate domain controller for DNS

When you use a separate domain controller for DNS, it ensures that your DNS server is not overloaded with requests from other services. This can help improve the performance of your DNS server and make sure that it is always available when needed.

It also helps to improve security by isolating your DNS server from other parts of your network. This way, if there is ever a security breach on another part of your network, your DNS server will not be affected.

Overall, using a separate domain controller for DNS is a sound practice that helps ensure the stability and security of your DNS server.

2. Disable the Guest account

The Guest account is a user account that’s built into Windows that anyone can use to log into a computer. By default, the Guest account is disabled, but if it’s enabled, anyone can use it to gain access to your network.

If the Guest account is enabled, an attacker can easily gain access to your network by simply logging in as the Guest user. Once they’re in, they can then attempt to brute force their way into other accounts, or even just wreak havoc on your network.

Therefore, it’s important to make sure that the Guest account is always disabled. You can do this by opening up the Default Domain Policy and setting the “Accounts: Guest account status” setting to “Disabled”.

3. Enable auditing of logon events

By default, the built-in Administrator account is not audited. This means that if an attacker were to compromise the account and use it to log in, there would be no record of this activity in the security logs.

Enabling auditing of logon events ensures that all attempts to log on to the domain are recorded, regardless of whether they are successful or not. This information can be invaluable in tracking down attackers and determining what they did once they gained access to the network.

To enable auditing of logon events, open the Default Domain Policy and navigate to Computer Configuration -> Policies -> Windows Settings -> Security Settings -> Local Policies -> Audit Policy. In the right-hand pane, double-click the “Audit logon events” policy and set it to “Success and Failure”.
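Once the policy is set to “Success and Failure”, the Security log on each domain controller fills with 4624 (successful logon) and 4625 (failed logon) events, and the value of the setting is in reading them. The script below is an added example, not part of the original article: it summarises failed logons by account over a look-back window and lists interactive logons by the built-in Administrator, found by its well-known RID 500 so the report survives a rename. The 24-hour window and the failure threshold of 10 are assumed defaults; run it in an elevated session on the DC whose log you want to inspect.

```powershell
# Added example, not from the original article. Summarises the events that the
# "Audit logon events" policy produces on a domain controller: 4625 (failed logon)
# and 4624 (successful logon). Run in an elevated session on the DC; the
# look-back window and failure threshold are assumed defaults.
param(
    [int]$Hours = 24,
    [int]$FailureThreshold = 10
)

$since = (Get-Date).AddHours(-$Hours)

# Failed logons. In a 4625 event the data fields are positional:
# [5] TargetUserName, [13] WorkstationName, [19] IpAddress.
$failures = Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4625; StartTime = $since } `
    -ErrorAction SilentlyContinue |
    ForEach-Object {
        [pscustomobject]@{
            Account     = $_.Properties[5].Value
            Workstation = $_.Properties[13].Value
            Source      = $_.Properties[19].Value
            Time        = $_.TimeCreated
        }
    }

$byAccount = $failures | Group-Object Account | Sort-Object Count -Descending

"Failed logons (4625) in the last $Hours h, by account:"
$byAccount | Select-Object Name, Count | Format-Table -AutoSize

# Accounts over the threshold are what a defender triages first: password
# spraying and brute-force attempts show up here before they succeed.
foreach ($g in ($byAccount | Where-Object Count -ge $FailureThreshold)) {
    $sources = ($g.Group.Source | Sort-Object -Unique) -join ', '
    Write-Warning "$($g.Name): $($g.Count) failures from $sources"
}

# Successful logons by the built-in Administrator (RID 500). Resolving the SID
# rather than the name keeps this working after the account is renamed.
# 4624 fields: [4] TargetUserSid, [5] TargetUserName, [8] LogonType, [18] IpAddress.
$adminSid = (Get-ADDomain).DomainSID.Value + '-500'
"Interactive (2) and RDP (10) logons by RID-500 in the last $Hours h:"
Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4624; StartTime = $since } `
    -ErrorAction SilentlyContinue |
    Where-Object {
        [string]$_.Properties[4].Value -eq $adminSid -and
        $_.Properties[8].Value -in 2, 10
    } |
    Select-Object TimeCreated,
        @{ n = 'Account';   e = { $_.Properties[5].Value } },
        @{ n = 'LogonType'; e = { $_.Properties[8].Value } },
        @{ n = 'Source';    e = { $_.Properties[18].Value } } |
    Format-Table -AutoSize
```

Save it as a .ps1 and run it with `-Hours 8 -FailureThreshold 5` for a tighter window. The positional property indexes are the documented field order of the 4624 and 4625 event data, which is faster than parsing the XML of every event; if you forward these logs to a SIEM, the same two queries are the ones to build your first alerts from.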

4. Set the password policy to require complex passwords

If an attacker were to gain access to a user’s password, they would then have access to the entire domain. To prevent this, it’s important to set a strong password policy that requires complex passwords. This will make it much more difficult for an attacker to guess a user’s password and gain access to the domain.

To set a strong password policy, go to the Default Domain Policy > Computer Configuration > Policies > Windows Settings > Security Settings > Account Policies > Password Policy. From here, you can set the minimum password length, password complexity, and password history. It’s important to set all of these to high values to ensure a strong password policy.
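The setting you configure in the GPO is only as good as what is actually in effect on the domain, so it is worth checking the result. The script below is an added example, not from the original article: it reads the effective Default Domain Password Policy with the ActiveDirectory module and compares it against a baseline. The baseline numbers (14 characters, 24 remembered passwords) are assumptions for illustration; substitute your own standard.

```powershell
# Added example, not from the original article. Reads the effective Default Domain
# Password Policy and checks it against a baseline. The baseline values are
# assumptions for illustration; substitute your own standard.
Import-Module ActiveDirectory

$baseline = [ordered]@{
    MinPasswordLength           = 14
    ComplexityEnabled           = $true
    PasswordHistoryCount        = 24
    ReversibleEncryptionEnabled = $false   # must stay off; on, it amounts to storing plaintext
}

$policy = Get-ADDefaultDomainPasswordPolicy

$results = foreach ($name in $baseline.Keys) {
    $actual = $policy.$name
    $want   = $baseline[$name]
    # Booleans must match exactly; numeric settings must meet or exceed the baseline.
    $ok = if ($want -is [bool]) { $actual -eq $want } else { $actual -ge $want }
    [pscustomobject]@{ Setting = $name; Actual = $actual; Baseline = $want; Compliant = $ok }
}
$results | Format-Table -AutoSize

# Fine-grained password policies (PSOs) override the default for the principals
# they apply to, so review those too rather than assuming the default covers everyone.
$psos = Get-ADFineGrainedPasswordPolicy -Filter *
if ($psos) {
    'Fine-grained policies that override the default:'
    $psos | Select-Object Name, Precedence, MinPasswordLength, ComplexityEnabled, PasswordHistoryCount, AppliesTo |
        Format-Table -AutoSize
}

if ($results | Where-Object { -not $_.Compliant }) {
    Write-Warning 'The Default Domain Password Policy does not meet the baseline.'
}
```

The PSO check matters because a fine-grained policy with a lower minimum length applied to a service or admin group silently undoes the domain default for exactly the accounts you care about most.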

5. Configure the screen saver timeout

When a user leaves their computer unattended, it’s an open invitation for someone with malicious intent to access sensitive data or install malware. To help prevent this, you can configure the screen saver timeout setting in Group Policy. This will cause the screen saver to activate after a specified period of time, and will require the user to enter their credentials before they can continue using the computer.

Configuring the screen saver timeout is a simple way to help improve security in your environment, and it only takes a few minutes to do.

6. Require CTRL+ALT+DEL at logon

The CTRL+ALT+DEL keystroke is hardwired into Windows for security purposes. It’s the only way to ensure that a user is logging on with their own credentials and not someone else’s.

If you don’t require CTRL+ALT+DEL at logon, then it’s possible for someone to shoulder surf and see another user’s password. They could also use a tool like AutoHotkey to remap the keys and bypass the requirement altogether.

Enforcing CTRL+ALT+DEL at logon is a simple change that can have a big impact on your security posture.

7. Remove unnecessary accounts from local administrators group

The local administrators group is a powerful group that has full control over the system. By default, the Domain Admins group and the Enterprise Admins group are members of the local administrators group. This means that any member of those groups can perform any action on the system, including installing malicious software or changing critical system settings.

If you have accounts in the local administrators group that don’t need to be there, it increases the risk that someone with malicious intent could gain access to those systems and wreak havoc. Therefore, it’s important to remove any unnecessary accounts from the local administrators group, and only add accounts to the group when absolutely necessary.
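Knowing who is actually in the local Administrators group across your fleet is the first step, and it is easy to automate. The script below is an added example, not from the original article: it enumerates the group on a list of computers over WinRM and flags any member that is not on an approved list. The computer names, the `CORP` domain and the approved groups are constructed sample values; it needs PowerShell 5.1 or later on the targets for `Get-LocalGroupMember`.

```powershell
# Added example, not from the original article. Lists the members of the local
# Administrators group on a set of computers and flags anything that is not on an
# approved list. Hostnames, the CORP domain and the approved groups are sample values.
$approved = @(
    'Administrator',              # built-in local admin (RID 500)
    'CORP\Domain Admins',         # replace CORP with your own NetBIOS domain name
    'CORP\Workstation Admins'
)
$computers = 'WS01', 'WS02'       # constructed sample hostnames

foreach ($c in $computers) {
    try {
        # Get-LocalGroupMember runs on the remote host (PowerShell 5.1+, WinRM enabled).
        $members = Invoke-Command -ComputerName $c -ErrorAction Stop -ScriptBlock {
            Get-LocalGroupMember -Group 'Administrators' |
                Select-Object Name, ObjectClass, PrincipalSource
        }
    } catch {
        Write-Warning "$c`: could not enumerate Administrators ($($_.Exception.Message))"
        continue
    }
    foreach ($m in $members) {
        # Local accounts come back as COMPUTERNAME\Name; compare those on the bare name.
        $name = if ($m.PrincipalSource -eq 'Local') { $m.Name.Split('\')[-1] } else { $m.Name }
        [pscustomobject]@{
            Computer = $c
            Member   = $m.Name
            Type     = $m.ObjectClass
            Source   = $m.PrincipalSource
            Status   = if ($name -in $approved) { 'approved' } else { 'REVIEW' }
        }
    }
}
```

Anything marked `REVIEW` is a candidate for removal. Once the list is clean, enforcing it through Group Policy (Restricted Groups, or Group Policy Preferences Local Users and Groups) stops the membership drifting back.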

8. Rename the Administrator account

The Administrator account is a well-known account name that attackers will target. By renaming the Administrator account, you make it more difficult for attackers to guess the name of the account. Additionally, by using a strong password for the Administrator account, you further increase the security of the account.

To rename the Administrator account, open the Group Policy Management Console and edit the Default Domain Policy. Under Computer Configuration -> Windows Settings -> Security Settings -> Local Policies -> Security Options, find the “Accounts: Rename administrator account” policy and enable it. Enter the new name for the Administrator account in the “Value” field.
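Both this section and section 2 configure the two built-in accounts that every domain has, and both can be verified from Active Directory rather than by reading the GPO back. The script below is an added example, not from the original article: it finds the Administrator and Guest accounts by their well-known RIDs (500 and 501), which works whatever they are currently called, and reports whether Guest is disabled and whether Administrator still carries its default name. The 180-day password age used to flag a stale Administrator password is an assumption.

```powershell
# Added example, not from the original article. Checks in Active Directory that the
# Guest account is disabled (section 2) and that the built-in Administrator has
# been renamed (section 8). Both accounts are located by their well-known RIDs
# (500 and 501), so the check works whatever the accounts are currently called.
Import-Module ActiveDirectory

$domainSid = (Get-ADDomain).DomainSID.Value
$admin = Get-ADUser -Identity "$domainSid-500" -Properties Enabled, PasswordLastSet, LastLogonDate
$guest = Get-ADUser -Identity "$domainSid-501" -Properties Enabled, LastLogonDate

$findings = @()

if ($guest.Enabled) {
    $findings += "Guest ($($guest.SamAccountName)) is ENABLED. Last logon: $($guest.LastLogonDate). " +
                 "Set 'Accounts: Guest account status' to Disabled in the Default Domain Policy."
}

if ($admin.SamAccountName -ieq 'Administrator') {
    $findings += "RID-500 account still uses the default name 'Administrator'. " +
                 "Configure 'Accounts: Rename administrator account'."
}

# The article also calls for a strong password on this account; flag one that has
# not been changed recently. 180 days is an assumed maximum for this example.
if ($admin.PasswordLastSet -lt (Get-Date).AddDays(-180)) {
    $findings += "RID-500 account ($($admin.SamAccountName)) password last set $($admin.PasswordLastSet); rotate it."
}

[pscustomobject]@{
    AdministratorName    = $admin.SamAccountName
    AdministratorEnabled = $admin.Enabled
    GuestName            = $guest.SamAccountName
    GuestEnabled         = $guest.Enabled
}

if ($findings) {
    $findings | ForEach-Object { Write-Warning $_ }
} else {
    'OK: Guest is disabled and the built-in Administrator has been renamed.'
}
```

Looking the accounts up by SID is also how an attacker finds the renamed Administrator, which is why the rename is a deterrent for automated guessing rather than a replacement for a strong password and logon auditing.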

9. Disable autorun on all drives

When autorun is enabled, Windows will automatically launch a program on any removable drive that is inserted into the computer. This includes USB drives, CDs, and DVDs.

The problem with autorun is that it can be used by malware to spread itself. All a malicious actor needs to do is create a file called “autorun.inf” on a USB drive and insert it into a computer. If autorun is enabled, the malware will be executed automatically.

Disabling autorun prevents this type of attack and is therefore an essential security measure.

10. Restrict anonymous access to network shares

When you allow anonymous access to network shares, anyone on the internet can potentially access them. This could lead to sensitive data being leaked, or your systems being compromised.

To mitigate this risk, you should restrict anonymous access to network shares. This can be done using Group Policy Objects (GPOs).

1. Open the Group Policy Management Console.
2. Create a new GPO, and give it a name such as “Restrict Anonymous Access to Network Shares”.
3. Edit the GPO, and go to Computer Configuration -> Policies -> Security Settings -> Local Policies -> Security Options.
4. In the right-hand pane, double-click on “Network security: Restrict anonymous access to named pipes and shares”.
5. Select “Enabled”, and click “OK”.
6. Close the Group Policy Management Console.
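Sections 5, 6, 9 and 10 all end up as registry values on the machines the GPO applies to, so one script can confirm that all four policies have actually landed. The script below is an added example, not from the original article: it reads the standard policy keys on the local machine and compares each value with the hardened setting. The registry paths and value names are the ones these Group Policy settings write; the 900-second ceiling for the screen saver timeout is an assumption. The screen saver values live under HKCU, so run it as the user whose policy you want to check.

```powershell
# Added example, not from the original article. Audits, on the local machine, the
# registry values that the Group Policy settings from sections 5, 6, 9 and 10 write.
# The paths are the standard policy keys; the expected values are the hardened
# settings. The 900-second screen saver limit is an assumption. HKCU keys are
# per user, so run this as the user whose screen saver policy you want to check.
$desktop  = 'HKCU:\Software\Policies\Microsoft\Windows\Control Panel\Desktop'
$system   = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
$explorer = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer'
$lanman   = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters'

# Each check: where the value lives, how to judge it, and the GPO setting that fixes it.
$checks = @(
    @{ Area = 'Screen saver'; Path = $desktop; Name = 'ScreenSaveActive'
       Test = { param($v) $v -eq '1' }
       Fix  = 'Enable screen saver = Enabled' }
    @{ Area = 'Screen saver'; Path = $desktop; Name = 'ScreenSaverIsSecure'
       Test = { param($v) $v -eq '1' }
       Fix  = 'Password protect the screen saver = Enabled' }
    @{ Area = 'Screen saver'; Path = $desktop; Name = 'ScreenSaveTimeOut'
       Test = { param($v) [int]$v -gt 0 -and [int]$v -le 900 }
       Fix  = 'Screen saver timeout = at most 900 seconds (assumed limit)' }
    @{ Area = 'CTRL+ALT+DEL'; Path = $system; Name = 'DisableCAD'
       Test = { param($v) $v -eq 0 }
       Fix  = 'Interactive logon: Do not require CTRL+ALT+DEL = Disabled' }
    @{ Area = 'Autorun'; Path = $explorer; Name = 'NoDriveTypeAutoRun'
       Test = { param($v) $v -eq 255 }
       Fix  = 'Turn off AutoPlay = Enabled, All drives' }
    @{ Area = 'Autorun'; Path = $explorer; Name = 'NoAutorun'
       Test = { param($v) $v -eq 1 }
       Fix  = 'Set the default behavior for AutoRun = Do not execute any autorun commands' }
    @{ Area = 'Anonymous access'; Path = $lanman; Name = 'RestrictNullSessAccess'
       Test = { param($v) $v -eq 1 }
       Fix  = 'Restrict anonymous access to Named Pipes and Shares = Enabled' }
)

$results = foreach ($c in $checks) {
    $present = $false
    $value   = $null
    if (Test-Path $c.Path) {
        $props = Get-ItemProperty -Path $c.Path -ErrorAction SilentlyContinue
        if ($props -and $props.PSObject.Properties[$c.Name]) {
            $value   = $props.($c.Name)
            $present = $true
        }
    }
    # An absent value means the policy has not been applied at all: non-compliant.
    $ok = $present -and (& $c.Test $value)
    [pscustomobject]@{
        Area      = $c.Area
        Value     = $c.Name
        Actual    = $(if ($present) { $value } else { '<not set>' })
        Compliant = [bool]$ok
        Fix       = $c.Fix
    }
}

$results | Format-Table -AutoSize
if ($results | Where-Object { -not $_.Compliant }) {
    Write-Warning 'One or more settings are not applied; run gpupdate /force and re-check the GPO link and scope.'
}
```

A value that is `<not set>` is the common failure: the GPO exists but is linked to the wrong OU, filtered out by security filtering, or simply has not refreshed yet. Running `gpresult /h report.html` on the same machine shows which GPO, if any, is delivering each setting.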
