Secure Windows 2003 DC
To lock down access to the DC and its files, there are a number of Group Policy settings you should apply. The first set is located under Computer Configuration > Windows Settings > Security Settings > Local Policies.
User Rights Assignment
- Allow log on locally - allow only administrative groups i.e. Domain Admins
- Allow log on through Terminal Services - allow only administrative groups i.e. Domain Admins
- Back up files and folders - allow only administrative groups i.e. Domain Admins
Security Options
- Network access: Allow anonymous SID/Name translation - Disabled
- Network access: Do not allow anonymous enumeration of SAM accounts and shares - Enabled
- Network access: Let Everyone permissions apply to anonymous users - Disabled
- Network security: LAN Manager authentication level - Send NTLMv2 response only
- Network security: Do not store LAN Manager hash value on next password change - Enabled
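One way to check that a DC actually carries the settings above is to audit the file produced by `secedit /export /cfg`. The script below is an added example, not part of the original post. It assumes that "administrative groups" means BUILTIN\Administrators and Domain Admins (RID 512), and the sample export is constructed.

```python
import re
# Names as written by "secedit /export"; registry data is "type,value" (4 = REG_DWORD).
LSA = r"MACHINE\System\CurrentControlSet\Control\Lsa" + "\\"
EXPECTED = {
    ("System Access", "LSAAnonymousNameLookup"): "0",           # SID/Name translation: Disabled
    ("Registry Values", LSA + "RestrictAnonymous"): "4,1",      # no anonymous SAM/share enumeration
    ("Registry Values", LSA + "EveryoneIncludesAnonymous"): "4,0",
    ("Registry Values", LSA + "LmCompatibilityLevel"): "4,3",   # Send NTLMv2 response only
    ("Registry Values", LSA + "NoLMHash"): "4,1",               # do not store LM hash
}
RIGHTS = ("SeInteractiveLogonRight", "SeRemoteInteractiveLogonRight", "SeBackupPrivilege")
# Assumption: only BUILTIN\Administrators and Domain Admins count as administrative.
ADMIN_SID = re.compile(r"^\*S-1-5-(32-544|21-\d+-\d+-\d+-512)$")
# Constructed sample export: weak LM level, Backup Operators may log on locally.
SAMPLE = r"""[System Access]
LSAAnonymousNameLookup = 0
[Registry Values]
MACHINE\System\CurrentControlSet\Control\Lsa\RestrictAnonymous=4,1
MACHINE\System\CurrentControlSet\Control\Lsa\EveryoneIncludesAnonymous=4,0
MACHINE\System\CurrentControlSet\Control\Lsa\LmCompatibilityLevel=4,2
MACHINE\System\CurrentControlSet\Control\Lsa\NoLMHash=4,1
[Privilege Rights]
SeInteractiveLogonRight = *S-1-5-32-544,*S-1-5-32-551
"""

def parse_inf(text):
    """Return {(section, key): value} with section and key lower-cased."""
    out, section = {}, None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].lower()
        elif "=" in line and section:
            key, value = line.split("=", 1)
            out[(section, key.strip().lower())] = value.strip()
    return out

def audit(text):
    """Return sorted findings; an empty list means the export matches the list above."""
    cfg, findings = parse_inf(text), []
    for (section, key), want in EXPECTED.items():
        got = cfg.get((section.lower(), key.lower()))
        if got != want:
            name = key.rsplit("\\", 1)[-1]
            findings.append(f"{name}: expected {want}, found {got}")
    for right in RIGHTS:
        holders = [h.strip() for h in cfg.get(("privilege rights", right.lower()), "").split(",")]
        extra = [h for h in holders if h and not ADMIN_SID.match(h)]
        if extra:
            findings.append(f"{right}: non-admin holders {extra}")
    return sorted(findings)
```

Real exports are UTF-16, so read them with `open(path, encoding="utf-16")` before passing the text to `audit()`.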