Re: Security templates
From: Steven L Umbach (n9rou_at_nospam-comcast.net)
Date: 10/10/05
Date: Mon, 10 Oct 2005 16:55:31 -0500
What template did you apply? There are some security templates included
with Windows 2003 that will disable critical services on a domain
controller. You should always create a rollback template with the secedit
command of the template you intend to apply before you apply it. From your
description I would check the security options for digitally sign
communications and disable the two settings for "always", and check your user
rights for logon locally and deny logon locally to see if they are what you
expect, though no template should prevent a domain administrator from logging
onto the console of a domain controller due to a lack of user rights. The
list below, from the Windows 2003 Server Security Guide, is the
recommendations of services for a Windows 2003 domain controller
[baseline+domain controller], which you may want to review to make sure you
have necessary services running. Also check Event Viewer to see if anything
pertinent is reported there and run the support tools netdiag and dcdiag on
your domain controller to check for proper configuration.
Windows 2003 services.
Baseline server ---------------------------
Automatic Updates - automatic
Background Intelligent Transfer Service - manual
Com+ Event System - manual
Computer Browser - automatic
Cryptographic Services - automatic
DHCP Client - automatic
DNS Client - automatic
Event Log - automatic
Ipsec Policy Agent - automatic
MS Software Shadow Copy - manual
Netlogon - automatic
Network Connections - manual
Network Location Awareness - manual
NTLM Security Support Provider - automatic
Performance Logs - manual
Plug and Play - automatic
Protected Storage - automatic
Remote Administration Service - manual
Remote Procedure Call RPC - automatic
Remote Registry Service - automatic
Security Accounts Manager - automatic
Server - automatic
System Event Notification - automatic
TCP/IP Netbios Helper Service - automatic
Terminal Services - automatic
Volume Shadow Copy - manual
Windows Installer - automatic
Windows Management Instrumentation - automatic
Windows Management Instrumentation Driver Ext - automatic
Windows Time - automatic
WMI Performance Adapter - manual
Workstation - automatic
**********************************************
Added services for Domain Controllers
**********************************************
Distributed File System - automatic
DNS Server - automatic
File Replication - automatic
Intersite Messaging - automatic
Kerberos Key Distribution Center - automatic
Remote Procedure Call RPC Locator - automatic
"dt123" <dt123@discussions.microsoft.com> wrote in message
news:A7779270-4B30-45F1-8C8E-162C5AC1E712@microsoft.com...
> Hi all,
> I recently applied a stronger security template to a 2003 server (DC). After
> restarting I now have the problem that when I try to access other member
> servers I receive the message "\\SERVER is not accessible, you may not have
> permissions to access this network resource contact the admin of this server
> to see if you have access permissions - the account is not authorised to log
> in from this station" and I now can't modify the profile paths for users as
> "the account is not authorised to log in from this station". I don't want to
> weaken the rest of the template but need to get this access back. Any
> assistance gratefully received?
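
A pre-flight check in the spirit of the reply above, as an added example that is not part of the original message: it reads a security template's [Service General Setting] and [Registry Values] sections and reports any domain controller service from the list that the template would not leave on automatic, plus the two "digitally sign communications (always)" settings. The short service names, the registry value paths and the sample template are assumptions supplied for illustration, not taken from the post.

```python
# Added example: review a security template (.inf) before applying it to a DC.
# Short service names and registry paths are assumptions, not from the post.
DC_SERVICES = {  # short name -> display name as listed in the post
    "netlogon": "Netlogon", "kdc": "Kerberos Key Distribution Center",
    "ntfrs": "File Replication", "dfs": "Distributed File System",
    "dns": "DNS Server", "ismserv": "Intersite Messaging",
    "rpclocator": "Remote Procedure Call RPC Locator",
}
STARTUP = {"2": "automatic", "3": "manual", "4": "disabled"}
SIGN_ALWAYS = tuple(s + "\\parameters\\requiresecuritysignature" for s in ("lanmanserver", "lanmanworkstation"))

def parse_sections(text):
    """Split template text into {lowercased section name: [lines]}."""
    sections, current = {}, None
    for line in (raw.strip() for raw in text.splitlines()):
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].strip().lower()
            sections.setdefault(current, [])
        elif current is not None and line and not line.startswith(";"):
            sections[current].append(line)
    return sections

def review_template(text):
    """Return findings to resolve before the template goes onto a DC."""
    sections, findings = parse_sections(text), []
    for line in sections.get("service general setting", []):
        fields = [f.strip().strip('"') for f in line.split(",")]
        if len(fields) < 2 or fields[0].lower() not in DC_SERVICES:
            continue
        mode = STARTUP.get(fields[1], fields[1])
        if mode != "automatic":  # the post lists all of these as automatic
            findings.append(f"{DC_SERVICES[fields[0].lower()]} ({fields[0]}): {mode}")
    for line in sections.get("registry values", []):
        key, _, value = line.partition("=")
        if key.strip().lower().endswith(SIGN_ALWAYS) and value.replace(" ", "") == "4,1":
            findings.append(f"sign communications (always) enabled: {key.strip()}")
    return findings

SAMPLE = r'''
[Service General Setting]
"kdc",4,""
"Netlogon",2,""
"NtFrs",3,""
"Alerter",4,""
[Registry Values]
MACHINE\System\CurrentControlSet\Services\LanManServer\Parameters\RequireSecuritySignature=4,1
MACHINE\System\CurrentControlSet\Services\LanmanWorkstation\Parameters\RequireSecuritySignature=4,0
'''  # constructed sample, not a real shipped template
print("\n".join(review_template(SAMPLE)))
```

Template files saved by the Security Templates snap-in are typically Unicode, so a real file may need to be read with encoding="utf-16" before being passed to review_template.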