1
00:00:07,700 --> 00:00:14,960
An Active Directory domain usually includes multiple domain controllers. To ensure that all security

2
00:00:14,990 --> 00:00:20,270
settings apply consistently to all domain controllers,

3
00:00:20,270 --> 00:00:28,220
you should configure security settings for Active Directory domain controllers centrally. To do this,

4
00:00:28,220 --> 00:00:39,020
use the Default Domain Controllers Group Policy Object, or GPO, or create a new custom GPO that is linked

5
00:00:39,110 --> 00:00:42,560
to the Domain Controllers organizational unit.

6
00:00:42,680 --> 00:00:46,970
You create all domain controller computer accounts in this

7
00:00:47,000 --> 00:00:54,440
OU, and you should not move them out of this OU because they will fall out of the Default

8
00:00:54,440 --> 00:00:57,170
Domain Controllers Policy scope.

9
00:00:57,200 --> 00:01:05,390
Some organizations prefer to use a different GPO than the Default Domain Controllers Policy when configuring

10
00:01:05,390 --> 00:01:07,320
security settings.

11
00:01:07,400 --> 00:01:12,050
It is possible to apply settings that might be too secure.

12
00:01:12,050 --> 00:01:19,850
For example, you could configure policies that lock out some administrative groups or policies that prevent

13
00:01:19,940 --> 00:01:22,400
anyone from accessing the domain.

14
00:01:22,520 --> 00:01:31,250
While it is simple to unlink or disable a custom GPO, you should not disable or unlink the Default Domain

15
00:01:31,250 --> 00:01:32,960
Controllers Policy.

16
00:01:32,960 --> 00:01:41,000
For this reason, it is recommended that you create a custom GPO and link it to the Domain Controllers

17
00:01:41,060 --> 00:01:47,020
OU instead of modifying the Default Domain Controllers Policy.

18
00:01:47,030 --> 00:01:54,800
Now some words about Default Domain Policy versus Default Domain Controllers Policy.

19
00:01:54,800 --> 00:02:03,530
There are two default GPOs, the Default Domain Policy and the Default Domain Controllers Policy, and

20
00:02:03,650 --> 00:02:12,770
it is essential to understand the differences between the two. The Default Domain Policy GPO links to the

21
00:02:12,770 --> 00:02:22,610
domain, and it applies to all users and computers, including client computers, domain controllers, and servers

22
00:02:22,610 --> 00:02:31,610
in the domain. You should use this policy, and others that link to a domain, very carefully. The Default Domain

23
00:02:31,610 --> 00:02:39,890
Controllers GPO links to the Domain Controllers OU, and it applies to all domain controllers in

24
00:02:39,890 --> 00:02:40,850
the domain.

25
00:02:40,850 --> 00:02:48,620
This is the GPO in which you configure most security settings that pertain to domain controllers.

26
00:02:48,620 --> 00:02:53,060
Now let's switch to security settings in the GPO.

27
00:02:53,060 --> 00:03:00,020
The following are some of the most important security settings that you can configure in a GPO.

28
00:03:00,050 --> 00:03:09,000
You can find the security settings in any GPO under Computer Configuration, Policies, Windows Settings.

29
00:03:09,020 --> 00:03:15,760
Let's take a closer look at each of these settings. Account Policies. Under this node,

30
00:03:15,770 --> 00:03:22,680
you can configure the Password Policy, Account Lockout Policy, and Kerberos Policy.

31
00:03:22,700 --> 00:03:29,480
These settings only apply to the local user accounts on the computers to which the policy applies,

32
00:03:29,690 --> 00:03:34,050
unless you configure the settings in the Default Domain Policy.

33
00:03:34,160 --> 00:03:38,390
Only the account policies that you configure in the Default Domain

34
00:03:38,480 --> 00:03:41,950
Policy apply to all domain accounts.

35
00:03:41,960 --> 00:03:44,360
Next one is Local Policies.

36
00:03:44,360 --> 00:03:53,410
This node contains three of the most important nodes for a security configuration, namely Audit Policy,

37
00:03:53,570 --> 00:03:57,430
User Rights Assignment, and Security Options.

38
00:03:57,470 --> 00:04:05,910
As for Audit Policy, these settings configure legacy auditing policies that apply to all Windows operating

39
00:04:05,930 --> 00:04:07,600
system versions.

40
00:04:07,610 --> 00:04:17,270
However, if you have Windows Server 2008 R2 and Windows 7 or newer deployed in your network, it is

41
00:04:17,270 --> 00:04:25,840
recommended that you use Advanced Audit Policy Configuration instead of these auditing policies.

42
00:04:25,850 --> 00:04:34,010
As for User Rights Assignment, these settings configure many security settings that apply to user rights.

43
00:04:34,010 --> 00:04:41,870
For example, you can specify who can access the computer from the network, who can sign in locally or

44
00:04:42,020 --> 00:04:50,330
through Remote Desktop Services, and who is able to change the time or shut down the computer. For domain

45
00:04:50,330 --> 00:04:51,460
controllers,

46
00:04:51,470 --> 00:05:00,170
you also can specify who is able to synchronize directory services data. And the third node of Local

47
00:05:00,260 --> 00:05:03,140
Policies is Security Options.

48
00:05:03,140 --> 00:05:11,000
These settings contain important security settings, including options for managing default accounts such

49
00:05:11,000 --> 00:05:20,270
as the Guest and Administrator accounts. These options also pertain to managing devices, domain

50
00:05:20,270 --> 00:05:21,290
controller,

51
00:05:21,290 --> 00:05:29,680
domain member, security protocols, logon security settings, and network access and security settings.

52
00:05:29,720 --> 00:05:38,720
Now some words about the Event Log node. Under this node, you can configure settings such as event log size,

53
00:05:38,780 --> 00:05:47,780
retention method, and retention duration for the default Application, Security, and System event logs.

54
00:05:47,840 --> 00:05:56,300
It is important to have all security logs on domain controllers configured identically. If you configure

55
00:05:56,540 --> 00:06:05,570
the security log on one domain controller to keep logs for six days and another retains logs for only

56
00:06:05,570 --> 00:06:13,250
three days, you'll receive inconsistent results depending on the domain controller on which you perform

57
00:06:13,250 --> 00:06:14,340
the search.

58
00:06:14,420 --> 00:06:23,240
The next node is Restricted Groups. Under this node, you can define two properties for security-sensitive

59
00:06:23,240 --> 00:06:28,480
groups, or restricted groups. For each group that you add here,

60
00:06:28,610 --> 00:06:35,900
you can define Members and Member Of attributes. For groups that you configure as restricted,

61
00:06:35,900 --> 00:06:43,670
you cannot change membership by using other tools such as Active Directory Users and Computers.

62
00:06:43,670 --> 00:06:47,660
Next up is System Services. Under this node,

63
00:06:47,660 --> 00:06:55,570
you can define startup behavior and security permissions for system services by using Group Policy.

64
00:06:55,580 --> 00:07:04,190
This enables you to disable all services that are not required for a specific server role, such as a

65
00:07:04,190 --> 00:07:05,630
domain controller.

66
00:07:05,630 --> 00:07:10,750
The next node is Windows Firewall with Advanced Security.

67
00:07:10,770 --> 00:07:19,670
This setting allows you to administer Windows Firewall with Advanced Security centrally. By using a GPO

68
00:07:19,670 --> 00:07:22,460
to configure Windows Firewall settings,

69
00:07:22,460 --> 00:07:30,860
you can ensure that all servers that provide the same services, such as domain controllers, have a consistent

70
00:07:30,920 --> 00:07:33,380
Windows Firewall configuration.

71
00:07:33,380 --> 00:07:36,070
Next up is Public Key Policies.

72
00:07:36,170 --> 00:07:44,510
Under this node, you configure settings that rely on a public key infrastructure, or PKI, such as the

73
00:07:44,720 --> 00:07:54,980
Encrypting File System and its recovery key, BitLocker Drive Encryption, automatic certificate request settings,

74
00:07:55,340 --> 00:07:59,780
and trusted root certification authorities.

75
00:07:59,780 --> 00:08:10,600
Next up is Advanced Audit Policy Configuration. Settings under this node enable more extensive policy

76
00:08:10,610 --> 00:08:19,730
configuration than the Audit Policy under the Local Policies node. When targeting Windows Server 2008

77
00:08:20,060 --> 00:08:26,180
R2 or newer, or Windows 7 computers or newer,

78
00:08:26,240 --> 00:08:33,350
it is recommended that you use the new Advanced Audit Policy Configuration settings.

79
00:08:33,530 --> 00:08:33,820
Okay.

80
00:08:33,830 --> 00:08:34,640
That's it

81
00:08:34,730 --> 00:08:38,540
about modifying the security settings of domain controllers.

82
00:08:38,540 --> 00:08:43,460
Next up, we'll be talking about implementing secure authentication.