keatscon


Exchange Server 2003 Hardening Guide

Am using the Exchange Server 2003 Hardening Guide to tighten down security on my Exchange servers. Under "Exchange Domain Controller Baseline Policy" in the guide, the second paragraph states:

"The Exchange Domain Controller Baseline Policy template (Exchange 2003 DC Incremental.inf) is included with this guide. You should import this template into a Group Policy object (GPO) at the Domain Controllers organizational unit in Active Directory Users and Computers and should precede the Domain Controller Baseline Policy supplied by Windows Server 2003."

Now, if the Incremental policy is applied first and then the DC Baseline policy, the Domain Baseline policy will win out when it comes to conflicts in the policies, yes?

Looking at the Audit Policy for both policies I see that the DC Baseline policy calls for:

   Account logon event auditing: Success/Failure
   Logon event auditing: Success/Failure

The Audit policy for the Exchange Incremental is set to:

   Account Logon event auditing: Failure
   Logon event auditing: Failure

Should not the Exchange 2003 DC Incremental policy come after the DC Baseline policy so that the Exchange 2003 DCI changes take and are not displaced?

Thank you
msice

You can click options on the GPO and check the No Override box to prevent the Domain Controller Baseline Policy from taking over.
keatscon

ASKER

Thought someone would say this.

See "Windows Server 2003 Security Guide" p. 22:

"Do not enable this option (referring to "No Override") in any other group policies specified in this guide."

I know, we are talking about the Exchange Hardening Guide, right?
See "Exchange Server 2003 Security Hardening Guide" under "Hardening the Windows Infrastructure"

"As previously mentioned, this guide assumes that you applied the configurations recommended in the Windows Server 2003 Security Guide. Before you harden your Exchange environment, you must complete the following two steps:

1. Deploy the Domain, Domain Controller and Member Server Baseline policy templates throughout your forest.
2. Deploy the Exchange Domain Controller Baseline Policy template in all of the domain controllers in your organization."

The two guides contradict each other!
ASKER CERTIFIED SOLUTION
Chris Dent
This solution is only available to members.
Chris,

    Thank you. This does make sense and I thought that this was the case.
    Just wanted to make sure that I did not miss something.
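
Added example, not part of the original thread or of either Microsoft guide: a small Python model of how conflicting [Event Audit] settings from two GPOs linked to the same OU resolve, where the GPO processed last wins and a link marked No Override is processed after the others. The template fragments are constructed from the audit values quoted in the question (AuditSystemEvents is added for illustration), and the GPO labels and function names are hypothetical.

```python
import configparser

# Security template encoding for audit settings.
AUDIT = {0: "No auditing", 1: "Success", 2: "Failure", 3: "Success/Failure"}

# Constructed fragments built from the values quoted in the question; these are
# not the real template files. AuditSystemEvents is added for illustration.
DC_BASELINE = """
[Event Audit]
AuditAccountLogon = 3
AuditLogonEvents = 3
AuditSystemEvents = 1
"""
EXCHANGE_DC_INCREMENTAL = """
[Event Audit]
AuditAccountLogon = 2
AuditLogonEvents = 2
"""

def event_audit(inf_text):
    """Parse the [Event Audit] section of a template into {setting: int}."""
    cp = configparser.ConfigParser()
    cp.optionxform = str  # keep the key case used in the template
    cp.read_string(inf_text)
    return {key: int(value) for key, value in cp["Event Audit"].items()}

def resultant(gpos):
    """gpos: (name, inf_text, no_override) tuples in processing order for one OU.
    Returns {setting: (effective value, GPO that supplied it)}."""
    # Stable sort: links marked No Override are applied after all the others.
    ordered = sorted(gpos, key=lambda gpo: gpo[2])
    result = {}
    for name, inf_text, _ in ordered:
        for key, value in event_audit(inf_text).items():
            result[key] = (AUDIT[value], name)  # last writer wins
    return result

if __name__ == "__main__":
    base = ("DC Baseline", DC_BASELINE, False)
    for label, exch_no_override, exch_first in (
        ("Incremental first, Baseline last", False, True),
        ("Baseline first, Incremental last", False, False),
        ("Incremental first with No Override", True, True),
    ):
        exch = ("Exchange DC Incremental", EXCHANGE_DC_INCREMENTAL, exch_no_override)
        order = [exch, base] if exch_first else [base, exch]
        print(label, resultant(order))
```

Settings defined in only one template, such as the constructed AuditSystemEvents entry, pass through unchanged in every ordering; only the settings both templates define depend on the order.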