DP230

asked on

Best practices for designing policies on Domain controller

Dear Experts, can you please give us some ideas about the best policies for Domain controller? Do you have any reference link for that? Many thanks!
masnrock

What you implement on your domain policies should be a reflection of many of your security policies. I'd start from there. Do you have any security policies currently?
Are you referring to Group Policies that apply to the domain controllers themselves, or configuration of policies that apply to your users etc.?

There are a lot of settings etc. that can be configured in policies on the servers, everything from firewall settings and password policies to what color the background is. So if you're referring to policies that affect security or policies for things like event log sizes, the answer could be significantly different.
A lot depends on what your company needs/uses as to what policies should be created and applied.
DP230

ASKER

Hi, yes, we have only a few policies and would like to have more. These are several ideas:
- Password policy
- IT Team will have local admin rights on the domain's PCs
- Do not allow users to edit PCs' registries
- Limit download/upload speed to 3 MB/s
- Do not allow users to use USB on their own PCs; only allow USB access on dedicated PCs (with strong antivirus)
- Block YouTube, Facebook during working hours
- Do not allow users to upload executable files (.exe, .bat, ...) to the SharedFile server (a different server from the DC)
- Auto map users' shared folders based on their departments

Are they possible? Is there any good, simple policy which you can contribute?
ASKER CERTIFIED SOLUTION
masnrock

This solution is only available to members.
DP230

ASKER

Which policies should we add more? Can you please advise?
SOLUTION
This solution is only available to members.
DP230

ASKER

Hi, no, I mean that only the IT Team has local admin rights on users' PCs. They include Helpdesk + SysAdmin + Dev, but only SysAdmin and the IT manager have domain admin rights.

We have not deployed a firewall, we only have a Cisco router; so is there any policy related to network restriction that we can do? And do you know any free antivirus that we can deploy via GPO?

Another thing is, with a domain-joined PC, other people can log in to any PC, so there is a security flaw here when they can see others' D drive data. So how can we avoid it by policy?
The default domain controller policy is very restrictive, allowing only members of domain, enterprise admin local login rights.

The nature of your environment will dictate if any changes, less restrictive, have to be put in place, i.e. single DC SBS/server essential system setup.