Deep Dive into Active Directory Group Policies. Securing our organization’s digital infrastructure is paramount in today’s rapidly evolving digital landscape. Active Directory Group Policies are critical in this endeavor, allowing administrators to enforce network security settings and configurations. This deep dive aims to elucidate their significance, functionality, and best practices for safeguarding our digital assets effectively.

Deep Dive into Active Directory Group Policies

Group Policy is a common way to apply configuration settings, install software, run scripts, and more across thousands of Active Directory (AD) domain-joined computers. Group policy comprises many different services and workflows, which we tackle in the next section.

Overview of Group Policy Objects (GPOs)

A good Organizational Unit (OU) structure is essential for efficient management in a well-structured Active Directory environment. Organizing users and computers into separate OUs allows us to quickly identify and administer specific groups within our network. We link Group Policy Objects (GPOs) at the OU or domain level to enforce policies and settings.

We configure user rights assignments through GPOs to ensure the right individuals have the necessary permissions and privileges. Group Policy Preferences also fine-tune user and computer settings and preferences, allowing for a more customized and streamlined management approach.

Group Policy Settings give the administrator centralized control, making it easier for the admin to apply computer configurations to manage applications, operating systems, and user settings in Active Directory. Moreover, Group Policy has many advantages, including efficient system management, robust password policy implementation, configuration of folders, and file redirection.

Group Policy Templates

Active Directory stores GPOs in SYSVOL, a unique directory that resides on each domain controller (DC) within a domain. Group Policy Templates (GPTs) encompass registry configurations, security files, applications, scripts, installers, shortcuts, XML files, graphical files, and other elements, which vary depending on the corresponding Group Policy Object (GPO) settings.

We manage and control Group Policies via the Group Policy Management Console (GPMC), a built-in tool on all domain controllers that is also part of the Remote Server Administration Tools (RSAT). GPMC connects with the domain controller that hosts the Primary Domain Controller Emulator (PDCe) role to modify Group Policy settings.

Within GPMC, we generate and allocate Group Policy Objects (GPOs) to various components such as AD organizational units (OUs), AD sites, and additional entities.

How Group Policy Replication Works

GPOs and GPTs are part of AD. They are part of the typical Active Directory replication process.

The following process starts when we create or update a Group Policy Object (GPO) and link it to an Active Directory Organizational Unit (OU):

  1. Once we change a GPO via the GPMC, the GPMC connects to the PDCe DC.
  2. The GPMC then creates or modifies the GPO inside the Active Directory databases and creates/updates the GPT in SYSVOL.
  3. After modification, Active Directory replication takes over. It copies both the Group Policy Object (GPO) and Group Policy Template (GPT) to the remaining Domain Controllers (DCs) based on the Active Directory replication schedule. Replication usually takes up to 5 minutes if our “local” DC and the PDCe are on the same site, or longer if they’re on different sites.

DCs also replicate the GPTs in SYSVOL once created with the GPMC, but via a separate replication mechanism called DFS-R. The replication schedule for SYSVOL is the same as the replication schedule for the AD database. Both components of a GP should arrive at roughly the same time in our local DC.
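Because the GPO in the AD database and the GPT in SYSVOL travel by separate replication mechanisms, a DC can end up serving a stale or half-updated policy. The following added example (not from the original article) flags that drift; the function name Find-GpoVersionDrift and the DC and GPO names in the sample rows are hypothetical, and only the computer half of each GPO is compared.

```powershell
# Added example: flag GPOs whose AD and SYSVOL versions differ on one DC,
# or whose versions differ from one DC to another.
function Find-GpoVersionDrift {
    param([object[]]$Rows)   # one row per GPO per DC: DC, GPO, ADVersion, SysvolVersion
    foreach ($g in ($Rows | Group-Object GPO)) {
        # DCs where the AD object and the SYSVOL template are out of step
        $split = @($g.Group | Where-Object { $_.ADVersion -ne $_.SysvolVersion })
        # Distinct AD/SYSVOL version pairs seen across all DCs for this GPO
        $pairs = @($g.Group |
            ForEach-Object { "$($_.ADVersion)/$($_.SysvolVersion)" } |
            Sort-Object -Unique)
        if ($split.Count -gt 0 -or $pairs.Count -gt 1) {
            [pscustomobject]@{
                GPO          = $g.Name
                MismatchOnDC = ($split.DC -join ', ')
                DCsDisagree  = ($pairs.Count -gt 1)
            }
        }
    }
}

# Constructed sample rows (hypothetical names); DC02 still holds an older GPT.
$rows = @(
    [pscustomobject]@{ DC = 'DC01'; GPO = 'Baseline-Workstations'; ADVersion = 7; SysvolVersion = 7 }
    [pscustomobject]@{ DC = 'DC02'; GPO = 'Baseline-Workstations'; ADVersion = 7; SysvolVersion = 6 }
    [pscustomobject]@{ DC = 'DC01'; GPO = 'Default Domain Policy'; ADVersion = 3; SysvolVersion = 3 }
    [pscustomobject]@{ DC = 'DC02'; GPO = 'Default Domain Policy'; ADVersion = 3; SysvolVersion = 3 }
)
Find-GpoVersionDrift -Rows $rows | Format-Table -AutoSize

# Live collection (needs the RSAT GroupPolicy and ActiveDirectory modules):
# $rows = foreach ($dc in (Get-ADDomainController -Filter *).HostName) {
#     Get-GPO -All -Server $dc | ForEach-Object {
#         [pscustomobject]@{ DC = $dc; GPO = $_.DisplayName
#             ADVersion     = $_.Computer.DSVersion
#             SysvolVersion = $_.Computer.SysvolVersion } } }
```

A mismatch that clears within a replication cycle is normal; one that persists points to an AD or DFS-R replication problem on the listed DC.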

How GPOs Are Applied

So, the GPMC has created the GPO/GPT, which the system replicates to all DCs in our AD environment. Now, the client(s) need to pick up the policy. It’s up to the client to check the DC for new/changed policies.

Clients adhere to their defined Group Policy refresh interval. This interval is the interval they routinely check for changes with their DC. The refresh interval is 90 minutes by default, with a randomized offset ranging from 0 to 30 minutes. If we target a Domain Controller with a policy, the default refresh interval is only 5 minutes.

Once the refresh interval is up, the Group Policy Client service on the client checks with the DC for any new or changed policies. If it finds any, it downloads these policies and executes the instructions on the client’s computer. The Group Policy Client service may not immediately apply new settings. Some settings cannot be applied right away: folder redirection, for example, takes effect at the next logon, and other settings only after the next restart.

Some policies are re-applied even though they have not changed since they were last applied. A good example is security settings, which are re-applied at computer startup and every 16 hours on a computer that has not been restarted. This process is essential: if someone has changed a specific security configuration, it is restored at the next refresh (think of opened firewall ports in Windows firewall or members added to or removed from Restricted Groups on the local computer).

The CVE-2020-1317 vulnerability enables a regular user within a domain environment to execute a file system attack, enabling malicious actors to circumvent anti-malware measures, surpass security enhancements, and gain complete control over Windows systems. This vulnerability affects all Windows machines (2008 or later) and elevates privileges within a domain environment.

A Remote Code Execution (RCE) vulnerability exists if we do not harden the GPO. If the GPO fails to retrieve a valid security policy, it applies a default, potentially less secure group policy. An RCE vulnerability may vary in its impact, from executing malware to granting an attacker absolute control over a compromised system.

Security Baselines Using GPO

Domain controller server hardening reduces the attack surface available for compromising Active Directory security. The presence of branch offices and browsing of internet websites creates multiple potential entry points for attackers to gain access to a domain. To limit exposure to attacks, domain controller security is a top priority.

Microsoft has its own security baselines, but the Center for Internet Security (CIS) benchmarks are generally preferred. CIS benchmarks are favoured over Microsoft Security Baselines for their neutral, third-party development, ensuring comprehensive and unbiased security standards applicable across diverse IT environments. Widely adopted by cybersecurity professionals globally, CIS benchmarks provide standardized security configurations that are updated regularly to address emerging threats and regulatory changes.

Applying security frameworks such as the CIS Benchmark through Group Policy Objects (GPOs) locks down domain controllers to prevent unauthorized changes by compromised user accounts across Active Directory. The following GPOs are just some CIS Policies out of hundreds applied via Group Policies.

Moderating Access to Control Panel

Creating a GPO Setting that limits access to the computers’ control panel provides a safe organizational environment. All computer operations are controllable via the Control Panel, and by moderating access to the control panel, data is made safe and unreachable. Open Group Policy Management Editor by searching for “Group Policy Management” or by pressing “Windows + R” to open Run, then typing “gpedit.msc” and clicking “OK.”

Steps to set this policy:
a. Navigate to User Configuration > Administrative Templates > Control Panel. Then, open “Prohibit access to Control Panel and PC settings.”
b. Select “Enabled”.
c. Click “Apply” and “OK”.

Moderating Access to the Command Prompt

Controlling user access to the Command Prompt (cmd.exe) is vital to securing system resources. With access to cmd.exe, a user can run commands that grant high-level access to user accounts. Disabling access to cmd.exe keeps the system resources secure.

Steps to set this policy:
a. Go to User Configuration > Administrative Templates > System, and then access the setting “Prevent access to the command prompt.”
b. Select “Enabled”.
c. Click “Apply” and “OK”.

Disallow Removable Media Drives

Removable media drives are largely defenceless, making them an easy medium for transferring viruses and malware.

Steps to set this policy:
a. Navigate to User Configuration > Administrative Templates > System > Removable Storage Access. Then, open “All Removable Storage classes: Deny all access.”
b. Select “Enabled”.
c. Click “Apply” and “OK”.

Disable Guest Account

With a Guest Account, a user can access Windows without needing a password. Such an account may then reach sensitive data, which is sometimes disastrous. The system deactivates guest accounts by default, but checking this policy setting must be a priority.

Steps to set this policy:

a. Navigate to Computer Configuration > Windows Settings > Security Settings > Local Policies > Security Options. Then, open “Accounts: Guest account status.”
b. Select “Disabled”.
c. Click “Apply” and “OK”.

Prevent Windows From Storing LAN Manager Hash

Windows stores user account credentials in the Security Accounts Manager (SAM) database. It stores the passwords as a LAN Manager hash (LM hash) and a Windows New Technology hash (NT hash). Storing passwords as an LM hash is not preferred because it relies on an old and weak method that is susceptible to cracking.

Steps to set this policy:

a. Under Computer Configuration, navigate to Windows Settings -> Security Settings -> Security Options. Then, open “Network Security: Do not store LAN Manager hash value on next password change.”
b. Select “Enabled”.
c. Click “Apply” and then “OK.”

Disable Forced System Restarts

After an update, the system displays a message asking us to restart. If we miss the pop-up, the system forces a restart. So, it’s essential to turn off forced system restarts.

Steps to set this policy:

a. Under Computer Configuration, navigate to Administrative Templates -> Windows Components -> Windows Update -> Legacy Policies. Then, open “No auto-restart with logged-on users for scheduled automatic updates installations.”
b. Select “Enabled”.
c. Click “Apply” and then “OK.”

Restrict Software Installations

Restricting the installation of unwanted software that may compromise our system is essential. If installation is allowed, then the system admins have to do routine checkups of the systems. The best case solution for this is to restrict software installations via group policy.

Steps to set this policy:

a. Under Computer Configuration, navigate to Administrative Templates -> Windows Components -> Windows Installer. Then, open “Prohibit User Installs.”
b. Select “Enabled”.
c. Click “Apply” and then “OK”.

Set Minimum Password Lengths to Higher Limits

Setting the minimum password length to higher limits reduces unnecessary risks. By default, this setting is “0”. We must specify a number to set the minimum password length.

Steps to set this policy:

a. Under Computer Configuration, navigate to Windows Settings -> Security Settings -> Account Policies -> Password Policy. Then, open Minimum Password Length.
b. Enter the numeric value (preferably 12 characters).
c. Click on Apply and OK.

Set Maximum Password Age to Lower Limits

Setting the maximum password age to lower limits ensures users change their passwords frequently, protecting against password breaches or stolen passwords.

Steps to set this policy:

a. Under Computer Configuration, navigate to Windows Settings -> Security Settings -> Account Policies -> Password Policy. Then, open Maximum password age.
b. Enter the numeric value (preferably 30 days).
c. Click on Apply and OK.

Disable Anonymous SID Enumeration

All security objects, such as Users, Groups, and others, have unique Security Identifier (SID) numbers. If anonymous users can enumerate them, attackers could exploit this, leading to data breaches. Make sure anonymous enumeration is kept disabled.

Steps to set this policy:

a. Under Computer Configuration, navigate to Windows Settings -> Security Settings -> Local Policies -> Security Options. Then, open Network Access: Do not allow anonymous enumeration of SAM accounts and shares.
b. Select Enabled.
c. Click on Apply and OK.

This Group Policy Setting determines whether an anonymous user accesses the system by requesting Security Identifiers (SIDs). If Enabled, this setting allows a user to submit the SID of the Administrator account anonymously, increasing the risk of a data breach. The preferred state for this group policy setting is “Disabled.”

Steps to set this policy:

a. Under Computer Configuration, navigate to Windows Settings -> Security Settings -> Local Policies -> Security Options. Then, open Network Access: Allow anonymous SID/Name translation.
b. Select Disabled.
c. Click on Apply and OK.
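To confirm that the password, Guest account, LM hash and anonymous-access settings above actually landed on a machine, the effective security policy can be exported with secedit and compared with the recommended values. This is an added example, not part of the original article; the function name Test-Baseline is hypothetical and the sample export is constructed.

```powershell
# Added example: compare a secedit export with the values recommended above.
function Test-Baseline {
    param([string[]]$Lines)
    # Setting name as written in the export -> test that decides compliance
    $checks = [ordered]@{
        'MinimumPasswordLength'  = { param($v) $v -ge 12 }
        'MaximumPasswordAge'     = { param($v) $v -ge 1 -and $v -le 30 }  # -1 = never expires
        'EnableGuestAccount'     = { param($v) $v -eq 0 }
        'LSAAnonymousNameLookup' = { param($v) $v -eq 0 }  # anonymous SID/Name translation
        'MACHINE\System\CurrentControlSet\Control\Lsa\NoLMHash'          = { param($v) $v -eq 1 }
        'MACHINE\System\CurrentControlSet\Control\Lsa\RestrictAnonymous' = { param($v) $v -eq 1 }
    }
    # Lines are "name = value"; registry entries are "path=type,data" (keep the data)
    $found = @{}
    foreach ($l in $Lines) {
        if ($l -match '^\s*([^=\[]+?)\s*=\s*(.+?)\s*$' -and $checks.Contains($Matches[1])) {
            $found[$Matches[1]] = [int](($Matches[2] -split ',')[-1])
        }
    }
    foreach ($name in $checks.Keys) {
        $has = $found.ContainsKey($name)
        [pscustomobject]@{
            Setting   = ($name -split '\\')[-1]
            Value     = if ($has) { $found[$name] } else { 'not set' }
            Compliant = [bool]($has -and (& $checks[$name] $found[$name]))
        }
    }
}

# Constructed sample of an export file; a missing setting is reported as 'not set'.
$sample = @'
[System Access]
MinimumPasswordLength = 7
MaximumPasswordAge = -1
LSAAnonymousNameLookup = 0
EnableGuestAccount = 0
[Registry Values]
MACHINE\System\CurrentControlSet\Control\Lsa\NoLMHash=4,1
'@ -split "`r?`n"

Test-Baseline -Lines $sample | Format-Table -AutoSize

# On a live host, from an elevated prompt:
#   secedit /export /cfg "$env:TEMP\secpol.inf" /areas SECURITYPOLICY
#   Test-Baseline -Lines (Get-Content "$env:TEMP\secpol.inf")
```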

Great job. We are at the end of an article about Deep Dive into Active Directory Group Policies. Shall we summarize it now?

A Deep Dive into Active Directory Group Policies Conclusion

In conclusion, Group Policy Objects (GPOs) are essential tools for fortifying digital security infrastructure. By configuring GPO settings with precision, organizations mitigate risks and adhere to regulatory standards, ensuring the protection of sensitive data. Regular review and adjustment of GPOs are paramount to maintaining robust security measures that align with evolving threats and industry standards.


Marion Mendoza

Windows Server and VMware SME. Powershell Guru. Currently working with Fortune 500 companies responsible for participating in 3rd level systems support across the enterprise. Acting as a Windows Server engineer and VMware Specialist.
