
Group Policy Best Practices – GPO Security Settings. Effective network administration demands a solid grasp of Group Policy Objects (GPOs). This article focuses on GPO security settings, covering the fundamental principles and strategies for hardening Active Directory environments, and walks through several Group Policy best practices.

Group Policy Best Practices - GPO Security Settings

Certain straightforward Group Policy settings, when configured correctly, reduce the risk of data breaches. We improve the security and operational behaviour of the computers in our organization by adjusting settings in the computer registry through Group Policy. This powerful tool lets us restrict user access to specific resources, execute scripts, and carry out routine tasks, such as enforcing a designated homepage for every user on the network.

Moderating Access to Control Panel

Setting limits on a computer’s Control Panel creates a safer business environment. Through the Control Panel, we control all aspects of our computer. So, by moderating who has access to the Control Panel, we keep data and other resources safe. Perform the following steps:

  1. In Group Policy Management Editor (opened for a user-created GPO), navigate to User Configuration>Administrative Templates>Control Panel.
  2. Double-click the Prohibit access to Control Panel and PC settings policy in the right pane to reveal its properties.
  3. Select Enabled from the three options.
  4. Click Apply and OK.

Prevent Windows from Storing LAN Manager Hash

Windows generates and stores user account passwords in hashes. Windows generates both a LAN Manager hash (LM hash) and a Windows NT hash (NT hash) of passwords. It stores them in the local Security Accounts Manager (SAM) database or Active Directory.

The LM hash is weak and easily cracked. Therefore, we should prevent Windows from storing an LM hash of our passwords. Perform the following steps to do so:

  1. In the Group Policy Management Editor window (opened for a custom GPO), locate Security Options under Computer Configuration>Windows Settings>Security Settings>Local Policies.
  2. In the right pane, double-click Do not store the LAN Manager hash value on next password change policy.
  3. Select the Define this policy setting checkbox and click Enabled.
  4. Click Apply and OK.

Control Access to Command Prompt

Users can use the Command Prompt to run commands that grant elevated access or evade other restrictions on the system. So, to protect system resources, it’s wise to disable Command Prompt.

After we have disabled Command Prompt and someone tries to open a command window, the system displays a message stating that some settings prevent this action. Perform the following steps:

  1. In the window of Group Policy Management Editor (opened for a custom GPO), go to User Configuration>Windows Settings>Policies>Administrative Templates>System.
  2. In the right pane, double-click Prevent access to the command prompt policy.
  3. Click Enabled to apply the policy.
  4. Click Apply and OK.

Disable Forced System Restarts

Forced system restarts are frequent. For instance, while we are in the middle of using our computer, a Windows notification appears informing us that a security update requires us to restart our system.

If we ignore the alert or take a while to react, the computer often restarts itself, and we lose essential, unsaved work. To disable forced restarts through GPO, perform the following steps:

  1. In the Group Policy Management Editor window (opened for a custom GPO), navigate to Computer Configuration>Administrative Templates>Windows Component and open Windows Update.
  2. In the right pane, double-click No auto-restart with logged-on users for scheduled automatic updates installations policy.
  3. Click Enabled to enable the policy.
  4. Click Apply and OK.


Disallow Removable Media Drives

Removable media drives are very prone to infection, and they may also contain a virus or malware. If a user plugs an infected drive into a network computer, it affects the entire network. Similarly, DVDs, CDs, and even Floppy Drives, despite how old they are, are still prone to infection.

It is, therefore, best to turn off all these drives entirely. Perform the following steps to do so:

  1. In the Group Policy Management Editor window (opened for a custom GPO), go to User Configuration>Policies>Administrative Templates>System>Removable Storage Access.
  2. In the right pane, double-click All removable storage classes: Deny all accesses policy.
  3. Click Enabled to enable the policy.
  4. Click Apply and OK.

Restrict Software Installations

When we give users the freedom to install software, they may install unwanted apps that compromise our systems, and system administrators then have to clean up such systems routinely. It’s advisable to prevent software installations through Group Policy:

  1. In Group Policy Management Editor (opened for a custom GPO), go to Computer Configuration>Administrative Templates>Windows Component>Windows Installer.
  2. In the right pane, double-click the Prohibit User Install policy.
  3. Click Enabled to enable the policy.
  4. Click Apply and OK.

Disable Guest Account

A Guest account can give users access to sensitive data. Such accounts grant access to a Windows computer and do not require a password. Enabling this account means anyone may misuse and abuse access to our systems.

Thankfully, this account is disabled by default. It’s best to check that this is the case in our IT environment; if the account is enabled in our domain, disabling it prevents people from abusing access:

  1. In Group Policy Management Editor (opened for a custom GPO), go to Computer Configuration>Windows Settings>Security Settings>Local Policies>Security Options.
  2. In the right pane, double-click Accounts: Guest Account Status policy.
  3. Select the Define this policy setting checkbox and click Disabled.
  4. Click Apply and OK.

Set Minimum Password Length to Higher Limits

Set the minimum password length to higher limits. For example, for elevated accounts, we should set the passwords to at least 15 characters, and for regular accounts, at least 12 characters. Setting a lower value for minimum password length creates unnecessary risk. The default setting is “zero” characters, so we have to specify a number:

  1. In the Group Policy Management Editor window (opened for a custom GPO), go to Computer Configuration>Windows Settings>Security Settings>Account Policies>PasswordPolicy.
  2. Double-click the Minimum password length policy in the right pane, then choose the Define this policy setting checkbox.
  3. Specify a value for the password length.
  4. Click Apply and OK.

Set Maximum Password Age to Lower Limits

If we set the password expiration age to a lengthy period, users only have to change it occasionally, which means it’s more likely a password could get stolen. Shorter password expiration periods are always preferred.

Windows sets the default maximum password age to 42 days. The following screenshot shows the policy setting for configuring Maximum Password Age. Perform the following steps:

  1. Go to Computer Configuration>Windows Settings>Security Settings>Account Policies>Password Policy in the Group Policy Management Editor box that appears (opened for a custom GPO).
  2. In the right pane, double-click the Maximum password age policy.
  3. Select the Define this policy setting checkbox and specify a value.
  4. Click Apply and OK.
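The three checks above (Guest account status, minimum password length, maximum password age) in PowerShell, as an added example that is not part of the original article. It assumes the ActiveDirectory module, a domain-joined session with rights to read and create password policies, and a group named Tier0-Admins for the elevated accounts; the 12/15-character and 42-day thresholds are the article's own figures. It also goes one step beyond the GUI procedure: because the GPO minimum length is domain-wide, the 15-character rule for elevated accounts is applied with a Fine-Grained Password Policy.

```powershell
# Added example; not the article's own code. Requires the ActiveDirectory module.
Import-Module ActiveDirectory

$RegularMinLength  = 12   # article's recommendation for regular accounts
$ElevatedMinLength = 15   # article's recommendation for elevated accounts
$MaxAgeDays        = 42   # Windows default maximum password age
$ElevatedGroup     = 'Tier0-Admins'   # assumed group name for elevated accounts

# 1. Guest account must stay disabled (the "Accounts: Guest account status" setting)
$guest = Get-ADUser -Identity Guest -Properties Enabled
"Guest account enabled : $($guest.Enabled)  (want False)"

# 2. Domain-wide password policy, i.e. what the Default Domain Policy GPO enforces
$domainPolicy = Get-ADDefaultDomainPasswordPolicy
"Minimum password length: $($domainPolicy.MinPasswordLength)  (want >= $RegularMinLength)"
"Maximum password age   : $($domainPolicy.MaxPasswordAge.Days) days  (want <= $MaxAgeDays)"

# 3. A GPO minimum length applies to every account. To require 15 characters only for
#    elevated accounts, create a Fine-Grained Password Policy (PSO) bound to their group;
#    a PSO with a lower precedence number wins over the domain policy for its subjects.
$psoName = 'PSO-ElevatedAccounts'
if (-not (Get-ADFineGrainedPasswordPolicy -Filter "Name -eq '$psoName'")) {
    New-ADFineGrainedPasswordPolicy -Name $psoName -Precedence 10 `
        -MinPasswordLength $ElevatedMinLength `
        -MaxPasswordAge (New-TimeSpan -Days 30) `
        -ComplexityEnabled $true -PasswordHistoryCount 24 `
        -LockoutThreshold 5 `
        -LockoutDuration (New-TimeSpan -Minutes 30) `
        -LockoutObservationWindow (New-TimeSpan -Minutes 30)
    Add-ADFineGrainedPasswordPolicySubject -Identity $psoName -Subjects $ElevatedGroup
}

# 4. Show the policy that actually applies to each elevated account. A PSO is enforced at
#    the next password change, so PasswordLastSet tells us who still has an old password.
Get-ADGroupMember -Identity $ElevatedGroup -Recursive |
    Where-Object objectClass -eq 'user' |
    Get-ADUser -Properties PasswordLastSet |
    ForEach-Object {
        $pso = Get-ADUserResultantPasswordPolicy -Identity $_   # $null = domain policy applies
        [pscustomobject]@{
            User               = $_.SamAccountName
            EffectivePolicy    = if ($pso) { $pso.Name } else { 'Default Domain Policy' }
            EffectiveMinLength = if ($pso) { $pso.MinPasswordLength } else { $domainPolicy.MinPasswordLength }
            PasswordLastSet    = $_.PasswordLastSet
        }
    } | Format-Table -AutoSize
```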

Disable Anonymous SID Enumeration

Active Directory assigns a unique number, called a Security Identifier (SID), to every security object in the directory, including users, groups, and others. In older Windows versions, anonymous users could query SIDs to identify important users and groups, and attackers exploit this to gain unauthorized access to data.

By default, anonymous SID enumeration is disallowed. Ensure that it remains that way. Perform the following steps:

  1. Navigate to Computer Configuration>Policies>Windows Settings>Security Settings>Local Policies>Security Options in the Group Policy Management Editor window.
  2. In the right pane, double-click the Network access: Do not allow anonymous enumeration of SAM accounts and shares policy.
  3. Choose Enabled and then click Apply and OK to save our settings.
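An audit script for the registry-backed settings in this article (Control Panel access, LM hash storage, Command Prompt, forced restarts, removable storage, user installs and anonymous SAM enumeration), added here as an example and not part of the original article. It reads the registry values those policies write on the machine where it runs and reports any that are not in the recommended state; run it in an elevated session after `gpupdate /force`, and note that the HKCU entries reflect only the user running the script.

```powershell
# Added audit example; not the article's own code. Checks the effective registry values
# written by the policies discussed above on the local machine.
$Checks = @(
    @{ Setting  = 'Prohibit access to Control Panel and PC settings'
       Path     = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer'
       Name     = 'NoControlPanel'; Expected = @(1) },
    @{ Setting  = 'Do not store LAN Manager hash value on next password change'
       Path     = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
       Name     = 'NoLMHash'; Expected = @(1) },
    @{ Setting  = 'Prevent access to the command prompt'
       Path     = 'HKCU:\Software\Policies\Microsoft\Windows\System'
       Name     = 'DisableCMD'; Expected = @(1, 2) },   # 1 = also block scripts, 2 = allow scripts
    @{ Setting  = 'No auto-restart with logged on users for scheduled automatic updates'
       Path     = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU'
       Name     = 'NoAutoRebootWithLoggedOnUsers'; Expected = @(1) },
    @{ Setting  = 'All Removable Storage classes: Deny all access'
       Path     = 'HKCU:\Software\Policies\Microsoft\Windows\RemovableStorageDevices'
       Name     = 'Deny_All'; Expected = @(1) },
    @{ Setting  = 'Prohibit User Installs'
       Path     = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\Installer'
       Name     = 'DisableUserInstalls'; Expected = @(1) },
    @{ Setting  = 'Network access: Do not allow anonymous enumeration of SAM accounts and shares'
       Path     = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
       Name     = 'RestrictAnonymous'; Expected = @(1) }
)

$Results = foreach ($c in $Checks) {
    # Get-ItemProperty returns nothing when the key or value is absent, which means the
    # policy was never applied to this machine or user.
    $value = (Get-ItemProperty -Path $c.Path -Name $c.Name -ErrorAction SilentlyContinue).($c.Name)
    $display = if ($null -eq $value) { '<not set>' } else { $value }
    [pscustomobject]@{
        Setting   = $c.Setting
        Value     = $display
        Compliant = ($null -ne $value) -and ($c.Expected -contains $value)
    }
}

$Results | Format-Table -AutoSize

# A non-zero exit code lets a scheduled task or monitoring job flag configuration drift.
if ($Results.Compliant -contains $false) { exit 1 }
```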

If we get these Group Policy settings correct, our organization’s security automatically is better. This list may not be complete, but it is a great starting guide to bolster security in our domain environment.

Group Policy Best Practices - GPO Security Settings Conclusion

In conclusion, navigating the intricacies of Group Policy best practices is a cornerstone in fortifying the security and efficiency of any network environment. By adhering to these guidelines, administrators not only bolster the resilience of their systems but also ensure a cohesive and standardized configuration across the organization. As the digital landscape evolves, embracing these best practices becomes imperative for safeguarding data, enhancing operational integrity, and maintaining a robust foundation for effective network administration.


Marion Mendoza

Windows Server and VMware SME. Powershell Guru. Currently working with Fortune 500 companies responsible for participating in 3rd level systems support across the enterprise. Acting as a Windows Server engineer and VMware Specialist.
