Default Domain Policies Windows Server 2003 SP2 / Windows Server 2008 R2

Posted on February 3, 2010. Filed under: Server Tangents

By: Brenton Blawat

What would seem like a quick reference item to find on Google seems to have been lost among the billions of web pages. This article is intended as a quick reference to the Default Domain Policies for Windows Server 2003 SP2 and Windows Server 2008 R2. Please note that while some of the policies appear to be identical, the hierarchical structure behind the policies is different.

Default Domain Policies: Windows Server 2003 SP2

+ Computer Configuration > Windows Settings > Security Settings > Account Policies > Password Policy

- Enforce Password History = 24 Passwords

- Maximum Password Age = 42 Days

- Minimum Password Age = 1 Day

- Minimum Password Length = 7 Characters

- Password must meet complexity requirements = Enabled

- Store Passwords using reversible encryption = Disabled

+ Computer Configuration > Windows Settings > Security Settings > Account Policies > Account Lockout Policy

- Account lockout threshold = 0 invalid logon attempts

+ Computer Configuration > Windows Settings > Security Settings > Account Policies > Kerberos Policy

- Enforce user logon restrictions = Enabled

- Maximum lifetime for service ticket = 600 minutes

- Maximum lifetime for user ticket = 10 hours

- Maximum lifetime for user ticket renewal = 7 days

- Maximum tolerance for computer clock synchronization = 5 minutes

+ Computer Configuration > Windows Settings > Security Settings > Local Policies > Security Options

- Network Security: Force Logoff when logon hours expire = Disabled

+ Computer Configuration > Windows Settings > Security Settings > Public Key Policies > Encrypting File System

- Administrator Issued File Recovery Certificate

+ User Settings > Windows Settings > Security Settings > Public Key Policies > Autoenrollment Settings

- Enroll Certificates Automatically

 

Default Domain Policies: Windows Server 2008 R2 64-bit

+ Computer Configuration > Policies > Windows Settings > Security Settings > Account Policies > Password Policy

- Enforce Password History = 24 Passwords

- Maximum Password Age = 42 Days

- Minimum Password Age = 1 Day

- Minimum Password Length = 7 Characters

- Password must meet complexity requirements = Enabled

- Store Passwords using reversible encryption = Disabled

+ Computer Configuration > Policies > Windows Settings > Security Settings > Account Policies > Account Lockout Policy

- Account lockout threshold = 0 invalid logon attempts

+ Computer Configuration > Policies > Windows Settings > Security Settings > Account Policies > Kerberos Policy

- Enforce user logon restrictions = Enabled

- Maximum lifetime for service ticket = 600 minutes

- Maximum lifetime for user ticket = 10 hours

- Maximum lifetime for user ticket renewal = 7 days

- Maximum tolerance for computer clock synchronization = 5 minutes

+ Computer Configuration > Policies > Windows Settings > Security Settings > Local Policies > Security Options

- Network access: Allow anonymous SID/Name translation = Disabled

- Network security: Do not store LAN Manager hash value on next password change = Enabled

- Network Security: Force Logoff when logon hours expire = Disabled

+ Computer Configuration > Policies > Windows Settings > Security Settings > Public Key Policies > Encrypting File System

- Administrator Issued File Recovery Certificate

+ Computer Configuration > Policies > Windows Settings > Security Settings > Public Key Policies > Trusted Root Certification Authorities

- Allow users to select new root certification authorities (CAs) to trust = Enable

- Client computers can trust the following certificate stores = Third-Party Root Certification Authorities and Enterprise Root Certification Authorities

- To perform certificate-based authentication of users and computers, CAs must meet the criteria = Registered in Active Directory only
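The Account Policies and System Access values above can be checked against a security template export (the `.inf` text written by `secedit /export` or stored as a GPO's `GptTmpl.inf`). The following is an added example, not part of the original post: the mapping from the setting names on this page to template key names is supplied here, the sample export is constructed, and registry-backed options such as the LAN Manager hash setting are not covered. Template units are hours for `MaxTicketAge`, days for `MaxRenewAge`, and minutes for `MaxServiceAge` and `MaxClockSkew`.

```python
import re

# Page's 2008 R2 defaults, keyed by security-template (.inf) section and key name.
BASELINE = {
    "System Access": {
        "PasswordHistorySize": 24, "MaximumPasswordAge": 42, "MinimumPasswordAge": 1,
        "MinimumPasswordLength": 7, "PasswordComplexity": 1, "ClearTextPassword": 0,
        "LockoutBadCount": 0, "ForceLogoffWhenHourExpire": 0, "LSAAnonymousNameLookup": 0},
    "Kerberos Policy": {"TicketValidateClient": 1, "MaxServiceAge": 600,
                        "MaxTicketAge": 10, "MaxRenewAge": 7, "MaxClockSkew": 5},
}

def parse_template(text):
    """Return {section: {key: int}} for the numeric 'key = value' lines."""
    settings, section = {}, None
    for raw in text.splitlines():
        line = raw.strip().lstrip("\ufeff")  # tolerate a leading byte-order mark
        header = re.fullmatch(r"\[(.+)\]", line)
        key, sep, value = (part.strip() for part in line.partition("="))
        if header:
            section = header.group(1).strip()
        elif section and sep and re.fullmatch(r"-?\d+", value):
            settings.setdefault(section, {})[key] = int(value)
    return settings

def drift(text, baseline=BASELINE):
    """List (section, key, expected, found); found is None if the key is absent."""
    found = parse_template(text)
    return [(s, k, want, found.get(s, {}).get(k)) for s, keys in baseline.items()
            for k, want in keys.items() if found.get(s, {}).get(k) != want]

# Constructed sample export: longer minimum length, lockout enabled, no MaxClockSkew.
SAMPLE = """\
[System Access]
MinimumPasswordAge = 1
MaximumPasswordAge = 42
MinimumPasswordLength = 12
PasswordComplexity = 1
PasswordHistorySize = 24
LockoutBadCount = 5
ForceLogoffWhenHourExpire = 0
ClearTextPassword = 0
LSAAnonymousNameLookup = 0
[Kerberos Policy]
MaxTicketAge = 10
MaxRenewAge = 7
MaxServiceAge = 600
TicketValidateClient = 1
"""
```

`drift(SAMPLE)` returns one tuple per setting that differs from the listed default, so an empty list means the export still matches the defaults covered by `BASELINE`.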

 

Default Domain Policy Differences: Windows Server 2003 / Windows Server 2008

Default Domain Policies added to Windows Server 2008

+ Computer Configuration > Policies > Windows Settings > Security Settings > Local Policies > Security Options

- Network access: Allow anonymous SID/Name translation = Disabled

- Network security: Do not store LAN Manager hash value on next password change = Enabled

+ Computer Configuration > Policies > Windows Settings > Security Settings > Public Key Policies > Trusted Root Certification Authorities

- Allow users to select new root certification authorities (CAs) to trust = Enable

- Client computers can trust the following certificate stores = Third-Party Root Certification Authorities and Enterprise Root Certification Authorities

- To perform certificate-based authentication of users and computers, CAs must meet the criteria = Registered in Active Directory only

Removed from Windows Server 2008

+ User Settings > Windows Settings > Security Settings > Public Key Policies > Autoenrollment Settings

- Autoenrollment Settings: Enroll Certificates Automatically

** NOTE: All reproductions / digital copies of this content must be approved in writing by an authorized representative of BIT Tangents.**

