System Services -- What are recommended settings

[aknair]

Hello Everyone,

We recently made some changes on our Default DC Policy, mainly on the System Services section and that broke 2 of our DCs and rendered our LCS server useless (not sure if the LCS broke becoz of the policy settings).

I was just wondering what would be the recommended settings on the Services Section of our GPO, keeping in mind that we want to lock down the dc to an extent.

I know MS gives out security templates for varying levels of security, is there any doc that explains the risks involved with different settings.

Are there any recommnedations on the security permissions on the services. We noticed that the permissions were different on the templates and the GPOs we had in the production environment.
On most of the services we noticed that the authenticated users had read permission where as the inf templates did not have authenticated users in them at all.

I'm not sure if i'm making any sense. Please let me know if i need to explain things in more detail.

thanks,
anand.

[romath]

Anand,

What OS version are you using on the DC?

I'm wondering because if it is Windows Server 2003 SP1, you could use the Security Configuration Wizard to lock down the server.

[AdamV]

See this review of Hardening Windows Systems by Roberta Bragg. It has lots of good info on what services are required as a minimum if you are trying to lock down a server.
However, it does not cover the services needed for a DC, although rather oddly the author does cover this topic in a Redmond Mag article on Domain Controller Lockdown.


The MS Windows Server 2003 security guide is also a good starting point:
http://www.microsoft.com/downloads/details.aspx?familyid=8A2643C1-0685-4D89-B655-521EA6C7B4DB&displaylang=en