Your IT Consultant

Information Technology Blog
by John W. Simek, Vice President of Sensei Enterprises, Inc.

Ten Windows Group Policies to Improve Security

August 10, 2017

If you are running a Windows environment, hopefully you have heard of group policies. If not, learn about them. Basically, Group Policy Objects (GPOs) are settings that are enforced on computers (and users too) to control security settings and other operational behaviors. Without getting really into the weeds, GPOs are applied within the Active Directory environment and can "trickle" down from the domain, site, computer, user, etc. There are a "ton" of available settings. As an example, Windows Server 2012 R2 has more than 3,700 settings for the operating system alone. With so many options, which ones should you concentrate on? CSO has a post that lists the ten policies that you should really care about.

  1. Rename the Local Administrator Account
  2. Disable the Guest Account
  3. Disable LM and NTLM v1
  4. Disable LM hash storage
  5. Minimum password length
  6. Maximum password age
  7. Event logs
  8. Disable anonymous SID enumeration
  9. Don't let the anonymous account reside in the Everyone group
  10. Enable User Account Control

Read the post to get details for each of the GPOs identified. I would disagree with portions of numbers 5 and 6, especially given the anticipated approval of the password usage guidelines from NIST. I would suggest having a minimum of 15 or more characters for ALL users, not just elevated account users. Also, in conformance with the anticipated NIST guidelines, don't expire the passwords unless you know they have been compromised in a breach. There are some other cool things you can do with a GPO as well. Defining a specific screen saver timeout, automatically installing printers and installing software applications are just a few of the additional items to consider.
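The list above can be checked against a machine's exported security policy. This added example, which is not from this post or the CSO article, parses `secedit /export /cfg` output and grades nine of the ten items, using the 15-character minimum and no-expiry preference stated above. The sample export is constructed, and mapping item 8 to `LSAAnonymousNameLookup` is an assumption.

```python
# Constructed sample of `secedit /export /cfg` output (real exports are UTF-16 files).
SAMPLE = r'''[System Access]
MinimumPasswordLength = 8
MaximumPasswordAge = 42
NewAdministratorName = "Administrator"
EnableGuestAccount = 0
LSAAnonymousNameLookup = 0
[Registry Values]
MACHINE\System\CurrentControlSet\Control\Lsa\NoLMHash=4,1
MACHINE\System\CurrentControlSet\Control\Lsa\EveryoneIncludesAnonymous=4,0
MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA=4,1
'''
LSA = "machine\\system\\currentcontrolset\\control\\lsa\\"
UAC = "machine\\software\\microsoft\\windows\\currentversion\\policies\\system\\enablelua"

def parse(text):
    """Map lower-cased setting name to its value; registry lines lose the 'type,' prefix."""
    settings, section = {}, ""
    for line in map(str.strip, text.splitlines()):
        if line.startswith("["):
            section = line.strip("[]").lower()
        elif "=" in line:
            key, value = (part.strip() for part in line.split("=", 1))
            if section == "registry values":
                value = value.partition(",")[2]  # "4,1" -> "1" (4 means REG_DWORD)
            settings[key.lower()] = value.strip('"')
    return settings

# (list item, key, predicate). Items 5 and 6 use the author's thresholds; item 7 (event
# logs) is skipped because the page gives no values; the key for item 8 is an assumption.
CHECKS = [
    (1, "newadministratorname", lambda v: v.lower() != "administrator"),
    (2, "enableguestaccount", lambda v: v == "0"),
    (3, LSA + "lmcompatibilitylevel", lambda v: v == "5"),  # 5 = refuse LM and NTLMv1
    (4, LSA + "nolmhash", lambda v: v == "1"),
    (5, "minimumpasswordlength", lambda v: int(v) >= 15),
    (6, "maximumpasswordage", lambda v: int(v) <= 0),  # no expiry is exported as -1
    (8, "lsaanonymousnamelookup", lambda v: v == "0"),
    (9, LSA + "everyoneincludesanonymous", lambda v: v == "0"),
    (10, UAC, lambda v: v == "1"),
]

def audit(text):
    """Return {list item: 'pass' | 'fail' | 'not configured'} for an export's text."""
    settings = parse(text)
    return {item: "not configured" if key not in settings
            else ("pass" if ok(settings[key]) else "fail") for item, key, ok in CHECKS}

if __name__ == "__main__":
    for item, status in audit(SAMPLE).items():
        print(f"item {item:>2}: {status}")
```

A setting reported as "not configured" is absent from the export, so the machine is running on the operating system default for that item rather than an enforced policy value.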

Phone: 703.359.0700
Digital Forensics/Information Security/Information Technology
https://www.linkedin.com/in/johnsimek
https://amazon.com/author/johnsimek
https://www.senseient.com