Best practices for designing policies on Domain controller

Dear Experts, can you please give us some ideas about the best policies for Domain controller? Do you have any reference link for that? Many thanks!
DP230 (Network Administrator) asked:

What you implement in your domain policies should be a reflection of many of your security policies. I'd start from there. Do you have any security policies currently?
Robert (System Admin) commented:
Are you referring to Group Policies that apply to the domain controllers themselves, or to the configuration of policies that apply to your users etc.?

There are a lot of settings that can be configured in policies on the servers, everything from firewall settings and password policies to what color the background is. So if you're referring to policies that affect security or to policies for things like event log sizes, the answer could be significantly different.
A lot depends on what your company needs/uses as to what policies should be created and applied.
DP230 (Network Administrator, author) commented:
Hi. Yes, we have only a few policies and would like to have more. These are several ideas:
- Password policy
- IT team will have local admin rights on the domain's PCs
- Do not allow users to edit the PC's registry
- Limit download/upload speed to 3 MB/s
- Do not allow users to use USB on their own PCs; only allow USB access on dedicated PCs (with strong antivirus)
- Block YouTube and Facebook during working hours
- Do not allow users to upload executable files (.exe, .bat, ...) to the shared file server (a different server from the DC)
- Auto-map users' shared folders based on their departments

Are they possible? Is there any good, simple policy which you can contribute?

Block YouTube, Facebook on working hours
I would do this at the proxy/firewall level, depending on how your network is set up.

IT Team will have local admin right on domain's PCs
Are you allowing users to have local admin rights? Ideally not. I would recommend creating a group that, while intended to have rights to the PCs, are not administrators of the entire AD domain (idea of least privilege).

Not allow users from using USB on their own PCs, only allow USB access on dedicated PCs (with strong AntiVirus)
Not necessarily a bad idea, but I'd also check to see how that impacts the business.

Limit download/upload speed to 3 MB/s
How does this impact business? Not sure you want to do this one.

Auto map users' shared folders based on their departments
Makes sense. And I assume that you have groups which reflect departments.

Not allow user from editing PC's registries
Great one.

You might have to use the File Server Management Console to prevent uploading of executable files, which is outside of the realm of GPO. Most of the others can easily be done with GPO, but bear in mind what I mentioned with the website blocking.

What type of firewall do you have?

DP230 (Network Administrator, author) commented:
Which policies should we add? Can you please advise?
Robert (System Admin) commented:
I usually do the following at minimum.

Password policy (but I usually use a fine-grained password policy, as we require stricter passwords on some accounts)

Windows Firewall settings (either disabling or configuring needed ports)

Configure IE settings such as the trusted sites list and security-related settings such as allowing scripting etc.

Set screensaver lock setting and timeout (this is basically for security reasons, as users will never lock their PC when they walk away if you don't enforce it).

Set who can RDP to the PC.

Set local admins on PCs (using Restricted Groups).

Rename or disable the local PC admin account.

Redirection of My Documents to a file server.

That said, we set a LOT via GPO, especially for Windows 10 computers, as the new Start menu requires a lot to clean up (such as turning off live tiles and suggestions).
At my job, we implemented many things that are similar to what Robert has mentioned with GPO:
Password policy (complexity and length requirements)
Set local admins. (Bear in mind what I mentioned regarding IT staff, as I doubt you want all of them to be Domain Admins)
Rename and disable default admin account. Create own local admin account.
Redirection of My Documents, Downloads, and Desktop (we happen to use OneDrive rather than the file server for this)
Screen saver lock settings and timeout.
Trusted sites list.
Block access to the registry editor and some other built-in tools that users wouldn't have a reason to utilize.

We attempted to test USB blocking. However, we ran into a number of issues where it hampered business, plus interfered with some other items. One suggestion would be maybe go about blocking flash drives that aren't encrypted instead. Initial pain, but allows for more control over the situation.

There are a number of other things that deal with data transmissions, i.e. Telemetry, that you may want to look into disabling as well.
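The two lists above (Robert's minimum set and the second expert's variant of it) describe settings, not how to create them. The following PowerShell is an added example, not code from either expert or from this thread, showing how the parts that have cmdlets can be scripted from a management workstation with the RSAT GroupPolicy and ActiveDirectory modules: a fine-grained password policy scoped to a privileged group rather than the whole domain, a baseline GPO with the screen saver lock, the registry editor block, and the "deny write to non-BitLocker removable drives" setting that the second expert suggests as an alternative to blocking USB outright. The OU path, group name and GPO name are placeholders for your own environment, and the registry paths are the ones the corresponding Administrative Template settings write.

```powershell
# Added example (not from the thread). Assumes the RSAT GroupPolicy and ActiveDirectory
# modules are installed and the account running it may create GPOs and password settings objects.
Import-Module GroupPolicy
Import-Module ActiveDirectory

$TargetOU   = 'OU=Workstations,DC=example,DC=com'   # placeholder OU for your workstations
$GpoName    = 'Workstation Baseline'               # placeholder GPO name
$AdminGroup = 'Workstation-Admins'                 # placeholder group: workstation admins, NOT Domain Admins

# 1. Fine-grained password policy for privileged accounts only (applied via a group, not domain-wide).
New-ADFineGrainedPasswordPolicy -Name 'Privileged-Accounts-PSO' -Precedence 10 `
    -ComplexityEnabled $true -MinPasswordLength 15 -PasswordHistoryCount 24 `
    -LockoutThreshold 5 -LockoutDuration '00:30:00' -LockoutObservationWindow '00:30:00' `
    -MaxPasswordAge '60.00:00:00' -MinPasswordAge '1.00:00:00' -ReversibleEncryptionEnabled $false
Add-ADFineGrainedPasswordPolicySubject -Identity 'Privileged-Accounts-PSO' -Subjects $AdminGroup

# 2. Baseline GPO for workstations.
$null = New-GPO -Name $GpoName -Comment 'Workstation security baseline (added example)'

# Screen saver: enabled, password protected, locks after 10 minutes idle (values are REG_SZ seconds).
$ssKey = 'HKCU\Software\Policies\Microsoft\Windows\Control Panel\Desktop'
Set-GPRegistryValue -Name $GpoName -Key $ssKey -ValueName 'ScreenSaveActive'    -Type String -Value '1'
Set-GPRegistryValue -Name $GpoName -Key $ssKey -ValueName 'ScreenSaverIsSecure'  -Type String -Value '1'
Set-GPRegistryValue -Name $GpoName -Key $ssKey -ValueName 'ScreenSaveTimeOut'    -Type String -Value '600'
Set-GPRegistryValue -Name $GpoName -Key $ssKey -ValueName 'SCRNSAVE.EXE'         -Type String -Value 'scrnsave.scr'

# Block the registry editor for users (the "Prevent access to registry editing tools" setting).
Set-GPRegistryValue -Name $GpoName -Key 'HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System' `
    -ValueName 'DisableRegistryTools' -Type DWord -Value 1

# Deny write access to removable drives that are not BitLocker-protected, instead of blocking USB entirely.
Set-GPRegistryValue -Name $GpoName -Key 'HKLM\SOFTWARE\Policies\Microsoft\FVE' `
    -ValueName 'RDVDenyWriteAccess' -Type DWord -Value 1

# 3. Link the GPO and keep a report of what it contains for review.
New-GPLink -Name $GpoName -Target $TargetOU -LinkEnabled Yes
Get-GPOReport -Name $GpoName -ReportType Html -Path (Join-Path $env:TEMP "$GpoName.html")

# Restricted Groups (local admins), "Allow log on through Remote Desktop Services" and the
# built-in Administrator rename/disable are Security Settings with no registry-value cmdlet;
# configure those in the same GPO through the Group Policy Management Console.
```

Run it once, then check the HTML report before widening the link; Restricted Groups in particular replaces the local Administrators membership on every machine in scope, so test on a pilot OU first.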
DP230 (Network Administrator, author) commented:
Hi, no, I mean that only the IT team has local admin rights on users' PCs; they include Helpdesk + SysAdmin + Dev, but only SysAdmin and the IT manager have domain admin rights.

We have not deployed a firewall; we only have a Cisco router. So is there any policy related to network restriction we can do? And do you know of any free antivirus that we can deploy via GPO?

Another thing is that with domain-joined PCs, other people can log in to any PC, so there is a security flaw here when they can see others' D drive data. So how can we avoid it by policy?
The default Domain Controllers policy is very restrictive, allowing only members of Domain/Enterprise Admins local login rights.

The nature of your environment will dictate if any changes (less restrictive) have to be put in place, i.e. a single-DC SBS/Server Essentials setup.
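Since the thread turns on who may log on locally, the following is an added check (not code from the thread) that a domain administrator can run on a domain controller to see which principals currently hold "Allow log on locally", "Deny log on locally" and "Allow log on through Remote Desktop Services" after all linked GPOs have applied. It exports the effective security policy with secedit, which is a standard Windows tool, and resolves the SIDs in the export to account names; the temporary file path is an assumption.

```powershell
# Added example, not part of the thread. Run elevated on the domain controller.
# secedit writes the effective local security policy to an INF whose [Privilege Rights]
# section lists each user right as: SeInteractiveLogonRight = *S-1-5-32-544,*S-1-5-32-551
$inf = Join-Path $env:TEMP 'secpol-export.inf'   # assumed scratch location
secedit.exe /export /cfg $inf /quiet | Out-Null

$rights = @(
    'SeInteractiveLogonRight',        # Allow log on locally
    'SeDenyInteractiveLogonRight',    # Deny log on locally
    'SeRemoteInteractiveLogonRight'   # Allow log on through Remote Desktop Services
)

foreach ($right in $rights) {
    $line = Select-String -Path $inf -Pattern "^$right\s*=" | Select-Object -First 1
    if (-not $line) {
        '{0}: (not assigned to anyone)' -f $right
        continue
    }
    $members  = ($line.Line -split '=', 2)[1].Trim() -split ','
    $resolved = foreach ($m in $members) {
        $m = $m.Trim()
        if ($m.StartsWith('*')) {
            # Entries beginning with * are SIDs; translate to DOMAIN\Name where the SID resolves.
            try {
                (New-Object System.Security.Principal.SecurityIdentifier($m.Substring(1))).
                    Translate([System.Security.Principal.NTAccount]).Value
            } catch { $m }   # unresolvable SID (e.g. deleted account) is shown raw
        } else { $m }
    }
    '{0}: {1}' -f $right, ($resolved -join ', ')
}

Remove-Item $inf -ErrorAction SilentlyContinue
```

Any entry in the "Allow log on locally" list that is not an administrative or operator group is worth explaining; an unresolvable raw SID usually means a deleted account that was never removed from the policy.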
Windows Server 2012
