Best practices for designing policies on Domain controller

Dear Experts, can you please give us some ideas about the best policies for Domain controller? Do you have any reference link for that? Many thanks!
LVL 4
TjnoNetwork AdministratorAsked:
Who is Participating?
 
masnrockConnect With a Mentor Commented:
Block YouTube, Facebook on working hours
I would do this at the proxy/firewall level, depending on how your network is setup.

IT Team will have local admin right on domain's PCs
Are you allowing users to have local admin rights? Ideally not. I would recommend creating a group that while intended to have rights to the PCs, are not administrators of the entire AD domain. (idea of lease privilege)

Not allow users from using USB on their own PCs, only allow USB access on dedicated PCs (with strong AntiVirus)
Not necessarily a bad idea, but I'd also check to see how that impacts the business.

Limit download/upload speed to 3 MB/s
How does this impact business? Not sure you might want to do this one.

Auto map users' shared folders based on their departments
Makes sense. And I assume that you have groups which reflect departments.

Not allow user from editing PC's registries
Great one.

You might have to use the File Server Management Console to prevent uploading of executable files, which is outside of the realm of GPO. Most of the others can easily be done with GPO, but bear in mind what I mentioned with the website blocking.

What type of firewall do you have?
1
 
masnrockCommented:
What you implement on your domain policies should be a reflection of many of your security policies. I'd start from there. Do you have any security policies currently?
1
 
RobertSystem AdminCommented:
Are you referring to Group policies that apply to the domain controllers them selves or configuration of policies that apply to your users etc.

There are a lot of settings etc that can be configured in policies on the servers everything from firewall settings and password polices to what color the background is. So if your referring to polices that affect security or policies for things like event log sizes the answer could be significantly different.
A lot depends on what your company needs/uses as to what policies should be created and applied.
1
Improve Your Query Performance Tuning

In this FREE six-day email course, you'll learn from Janis Griffin, Database Performance Evangelist. She'll teach 12 steps that you can use to optimize your queries as much as possible and see measurable results in your work. Get started today!

 
TjnoNetwork AdministratorAuthor Commented:
Hi, Yes we have only few policies and would like to have more. These are several ideas:
- Password policy
- IT Team will have local admin right on domain's PCs
- Not allow user from editing PC's registries
- Limit download/upload speed to 3 MB/s
- Not allow users from using USB on their own PCs, only allow USB access on dedicated PCs (with strong AntiVirus)
- Block YouTube, Facebook on working hours
- Not allow users to upload execute files (.exe, .bat,...) to SharedFile server (different server from DC)
- Auto map users' shared folders based on their departments

Are they possible? Is there any good, simple policy which you can contribute?
0
 
TjnoNetwork AdministratorAuthor Commented:
Which policies should we add more? Can you pls advise?
0
 
RobertConnect With a Mentor System AdminCommented:
I usually at minimum do the following.

Password policy (but I usually use fine grained password policy as we require more strict passwords on some accounts)

Windows Firewall settings (either disabling or configuring needed ports)

configure IE settings such as trusted sites list and security related settings such as allowing scripting etc.

set screensaver lock setting and timeout (this basically is for security reasons as users will never lock their PC when they walk away if you don't enforce it.

Set who can RDP to the PC.

Set local admins on PC's (using restricted groups)

Rename or disable the Local PC admin account.

Redirection of my documents to a file server.

That said we set a LOT via GPO especially for windows 10 computers as the new start menu requires a lot to clean up. (such as turning off live tiles and suggestions)
1
 
masnrockConnect With a Mentor Commented:
At my job, we implemented many things that are similar to what Robert has mentioned with GPO:
Password policy (complexity and length requirements)
Set local admins. (Bear in mind what I mentioned regarding IT staff, as I doubt you want all of them to be Domain Admins)
Rename and disable default admin account. Create own local admin account.
Redirection of My Documents, Downloads, and Desktop (we happen to use OneDrive rather than the file server for this)
Screen saver lock settings and timeout.
Trusted sites list.
Block access to registry editor and some other built in tools that users wouldn't have a reason to utilize.

We attempted to test USB blocking. However, we ran into a number of issues where it hampered business, plus interfered with some other items. One suggestion would be maybe go about blocking flash drives that aren't encrypted instead. Initial pain, but allows for more control over the situation.

There are a number of other things that deal with data transmissions, i.e. Telemetry, that you may want to look into disabling as well.
1
 
TjnoNetwork AdministratorAuthor Commented:
Hi, no I mean that only IT Team have local admin rights on users' PCs, they include Helpdesk + SysAdmin + Dev, but only SysAdmin and IT manager have domain admin right

We have not deployed Firewall, we only have Cisco router; so is there any policy that related to network restriction we can do? And do you know any Antivirus free that we can deploy via GPO?

An other thing is, with domain-joined PC, other people can login to any PC, so there is a security flaw here when they can see others' D drive's data. So how can we avoid it by policy?
0
 
arnoldCommented:
The default domain controller policy is very restrictive allowing only members of domain, enterprise admin local login rights.

The nature of your environment will dictate if any changes, less restrictive hve to be put in place, I.e. Single DC SBS/server essential system setup.
0
Question has a verified solution.

Are you are experiencing a similar issue? Get a personalized answer when you ask a related question.

Have a better answer? Share it in a comment.

All Courses

From novice to tech pro — start learning today.