How to apply more restrictive security settings on a Windows Server 2003-based cluster server

The Microsoft Windows Server 2003 Security Guide contains templates that you can use to improve security for your Microsoft Windows Server 2003-based computer. This article contains guidelines that explain how you can enhance the security of the cluster server nodes if you apply the templates that are described in this article.

To help you apply more restrictive security settings to Windows Server 2003-based cluster server nodes without disabling ordinary cluster operations, we recommend that you use the guidelines in this article together with the information that is contained in the Windows Server 2003 Security Guide.

Before you apply more restrictive security settings to the Windows Server 2003-based cluster server nodes, we recommend that you first deploy the guidelines and the sample security templates that are provided in the Windows Server 2003 Security Guide in a lab environment. Additionally, we recommend that you carefully apply the security templates in an Active Directory environment.

To obtain the Windows Server 2003 Security Guide, visit the following Windows Server 2003 Security Guide Overview Web site: The following guidelines apply to the configuration of basic clustering services. These guidelines are specific to the Enterprise Client – Member Server Baseline template that is discussed in the "Creating a Member Server Baseline" chapter of the Windows Server 2003 Security Guide. When you apply the Enterprise Client - Member Server Baseline template, follow these guidelines to make the security settings more restrictive.

Note The following guidelines do not discuss special security concerns that are specific to programs that you may run on a server cluster, such as Microsoft SQL Server or Microsoft Exchange Server, are not discussed in these guidelines. Additionally, these guidelines do not discuss security guides that are provided by other agencies, such as the National Security Agency (NSA) or the National Institute of Standards and Technology (NIST). For more information about security guides that are provided by other agencies, click the following article number to view the article in the Microsoft Knowledge Base:

1. You must test the deployment of a security template in a lab environment before you deploy it in a production environment if the following conditions are true:
   • The Default Domain Policy setting has been changed.
   • The cluster server nodes already exist in the domain.
   • The cluster server nodes have received domain policies from a Group Policy object (GPO).
   Typically, GPOs are implemented by making changes to registry keys on the computers where these GPOs are applied. Many of the changes to the registry that are made by a GPO are not removed or returned to their default settings if the GPO is no longer applied. Therefore, even when a GPO is no longer applied, this does not guarantee that the effects of the GPO are successfully reversed.
2. Before you configure the Domain policies on your computer to use the No Override option, you must determine how the reconfigured Domain policies will affect the cluster server nodes. Typically, reconfigured Domain policies affect the cluster server nodes in several ways. For example, if you configure the Domain policies on your computer to use the No Override option, the No Override option may generate the following behavior:
   • User rights that the cluster service account needs are removed.
   • The cluster service account is removed from the local administrators group because of a Restricted Groups policy.
   • Strict LAN Manager authentication levels are implemented.
   • More restrictive remote procedure call (RPC) authentication policies are imposed.
3. If the No Override option is not configured for use by the Domain policies, you must configure a separate organizational unit (OU) for the cluster server nodes with inheritance blocked. If inheritance is blocked, policies from the domain are not applied to the OU. If the No Override option is selected on a domain level policy, the setting on the OU has no effect.
4. Before you join the cluster server nodes to the domain, you must pre-stage the computer accounts in an OU where inheritance is blocked. This prevents the cluster server nodes from picking up policies that are applied to the default Computers container in the Active Directory directory service.
   
   Note You must not modify the default cluster OU policy now.
5. After you have joined the cluster server nodes to the domain, you must configure and verify the basic cluster server functionality. Then, you must apply more restrictive security settings by using the security template. Alternatively, configure an OU GPO, and then import the template after you make modifications and export the template.
   
   Note We recommend that you do not modify the default GPO for a container. Create a new policy instead. Modify the new policy that you have created, or import a security template into this new policy.
6. Before you install an additional cluster resource or individual program, you must confirm that the cluster functionality works correctly with the security settings that you have applied. Additionally, you must review the security guidelines and the hardening procedures of each cluster server resource and of each program that you want to install.
   
   For example, to view the Microsoft Exchange Server 2003 Security Hardening Guide, visit the following Microsoft TechNet Web page:
   http://technet.microsoft.com/en-us/library/300d578b-c7ec-4ff0-978b-da0d6bb89ab1.aspx (http://technet.microsoft.com/en-us/library/300d578b-c7ec-4ff0-978b-da0d6bb89ab1.aspx)
7. Apply the hotfix that is described in the following Knowledge Base article to each cluster server node before you apply the security settings that are included in the template:
   890761  (http://support.microsoft.com/kb/890761/ ) You receive an "Error 0x8007042b" error message when you add or join a node to a cluster if you use NTLM version 2 in Windows Server 2003
   Notes
   • Hotfix 890761 is included in Windows Server 2003 Service Pack 1.
   • If Hotfix 890761 is not applied to the cluster server nodes, you must modify both the LAN Manager authentication process and RPC security in the security template.
8. After you apply the hotfix that is described in step 7, load the template into the Security Configuration and Analysis snap-in. Then, verify the configuration and the functionality of each cluster server node.
9. After you complete step 8, you may have to change the Cluster Service and Distributed Transaction Coordinator Service settings in the template. Both of these settings are set to Disabled in the template. Reset them to Enabled. The Distributed Transaction Coordinator Service setting is specifically mentioned here because this service frequently must be clustered.
10. Restart the cluster servers. The cluster server services now function correctly.

For more information about security guides that are provided by other agencies, click the following article number to view the article in the Microsoft Knowledge Base: For more information about the user rights that are required by the cluster service account, click the following article number to view the article in the Microsoft Knowledge Base: For more information about the required security template modifications, click the following article number to view the article in the Microsoft Knowledge Base: For more information about how to configure the template settings, click the following article number to view the article in the Microsoft Knowledge Base:

To view the Windows Server 2003 Security Guide, visit the following Microsoft Web page: For more information about security settings on your Windows Server 2003 server cluster nodes, visit the following Microsoft Web page: For more information about how to secure server clusters, visit the following Microsoft Web site: