Global Security Policy

Our Global security policy is located in the Group Policy Objects folder, and is named Security Policy. All of the configurations made by this are too long to list, but they are all located in Computer Configuration/Policies/Windows Settings/Security Settings within the object.

Default Domain Controllers Policy

This policy controls the administration of the domain controllers. It has some security settings configured to disallow the Service Admins from accessing them.

These configuration items are located in: Computer Configuration/Policies/Windows Settings/Security Settings/Local Policies/User Rights Assignment

The configurations that stop Service Admins from accessing the servers are: Deny access to this computer from the network, deny log on locally, Deny log on through Remote Desktop Services.

Service Admins

This is a group that is within the Users folder in our active directory. It is used to define users that should have admin rights, but should not have access the the servers. Users put in this group also should be in the Domain Admins group.

Install

The install account is the one that we currently use for our service account, and should currently be the only one in the Service Admins group. The install account is located in the Admins folder in CiscoAcademy.

Local Security Policy

Locally on all of the servers, I have edited their settings to require auditing, this is done on the GPO security policy as well, but just in case some settings do not configure properly it will always audit what is happening to the server.