Most Important Group Policy Settings for Preventing Security Breaches

In this article, we cover the most important Group Policy settings for preventing security breaches and securing your environment. You will also learn why these AD Group Policy settings cannot be ignored, and the best practices for Active Directory Group Policy settings.

A secure environment is a priority for every organization, whether large, medium or small, and Group Policy plays a very important role in achieving it.

Using Group Policy you can restrict user access, disable PowerShell scripts, and much more, so it is always recommended to follow the principle of least privilege.

Important Group Policy Settings to Prevent Breaches

Here is the list of top 12 Group Policy Settings:

  1. Do not set GPOs at the domain level
  2. Moderating Access to Control Panel
  3. Prevent Windows from Storing LAN Manager Hash
  4. Control Access to Command Prompt
  5. Disable Forced System Restarts
  6. Disable USB ports and Folder Redirection
  7. Disallow Removable Media Drives, DVDs, CDs, and Floppy Drives
  8. Restrict Software Installations
  9. Disable Guest Account
  10. Set Minimum Password Length to Higher Limits
  11. Set Maximum Password Age to Lower Limits
  12. Disable Anonymous SID Enumeration

1. Do not set GPOs at the Domain Level

The Default Domain Policy should be the only GPO linked at the domain level. Any other policy linked at the domain level is applied to every user and computer object in the domain, which can push all kinds of settings onto objects you never intended. It is better to apply policies at a more granular level.

The best practice is to link GPOs at the OU level.
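As an added example (not part of the original article), the following PowerShell lists every GPO linked at the domain root and flags anything other than the Default Domain Policy, so the rule above can be checked rather than assumed. It assumes the GroupPolicy and ActiveDirectory RSAT modules and a domain-joined administrative session; it only reads links and changes nothing.

```powershell
# Added example, not from the original article: audit GPO links at the domain root.
# Assumes the GroupPolicy and ActiveDirectory modules (RSAT) are installed.
Import-Module GroupPolicy
Import-Module ActiveDirectory

$domainDn    = (Get-ADDomain).DistinguishedName
$inheritance = Get-GPInheritance -Target $domainDn

foreach ($link in $inheritance.GpoLinks) {
    # Only the Default Domain Policy is expected here; anything else is applied
    # to every user and computer in the domain and should move to an OU.
    if ($link.DisplayName -eq 'Default Domain Policy') {
        $status = 'expected'
    } else {
        $status = 'REVIEW: link at an OU instead of the domain root'
    }

    [pscustomobject]@{
        Order    = $link.Order
        GPO      = $link.DisplayName
        Enabled  = $link.Enabled
        Enforced = $link.Enforced
        Status   = $status
    }
}
```

The Default Domain Controllers Policy is linked at the Domain Controllers OU, not the domain root, so it does not appear in this list; a non-empty set of REVIEW rows is the signal that section 1's advice is not being followed.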

2. Moderating Access to Control Panel

Limiting access to the Control Panel makes your environment more secure. To do this, follow the steps below:

  1. Go to the Group Policy Management Editor, then navigate to “User Configuration” -> “Administrative Templates” -> “Control Panel”.
  2. Then in the right pane, double-click the “Prohibit access to Control Panel and PC settings” policy to open its properties.
  3. After that select “Enabled” from the three options.
  4. Click “Apply” and “OK”.
  5. Reboot the computer for the policy to take effect.

3. Prevent Windows from Storing LAN Manager Hash

Passwords are not stored in plain text but as “hashes”. Both the LM (LAN Manager) hash and the Windows NT hash are stored in the Security Accounts Manager (SAM) database or in Active Directory. LM hashes are far weaker and much easier to crack. Follow the steps below to prevent Windows from storing the LAN Manager hash.

  1. Go to the Group Policy Management Editor window, then navigate to “Computer Configuration” -> “Windows Settings” -> “Security Settings” -> “Local Policies” -> “Security Options”.
  2. Then in the right pane, double-click the “Network security: Do not store LAN Manager hash value on next password change” policy.
  3. After that select the “Define this policy setting” checkbox and click “Enabled”.
  4. Click “Apply” and “OK”.
  5. Reboot the computer for the policy to take effect.

4. Control Access to Command Prompt

In order to secure system resources, it is recommended to disable the Command Prompt, which can be used to run commands that lead to a security breach. To do this, follow the steps below:

  1. Go to the Group Policy Management Editor, then go to “User Configuration” -> “Policies” -> “Administrative Templates” -> “System”.
  2. Then in the right pane, double-click the “Prevent access to the command prompt” policy.
  3. After that click “Enabled” to apply the policy.
  4. Click “Apply” and “OK”.
  5. Reboot the system for the policy to take effect.

5. Disable Forced System Restarts or Shutdown

The main reason to disable forced system restarts or shutdowns is to prevent the loss of important, unsaved work.

After security updates, Windows updates or application installs, the system needs to restart for the changes to take effect, and it may restart immediately or automatically after some time. To prevent this, follow the steps below:

  1. Go to the “Group Policy Management Editor”, then go to “Computer Configuration” -> “Administrative Templates” -> “Windows Components” -> “Windows Update”.
  2. Then in the right pane, double-click the “No auto-restart with logged on users for scheduled automatic updates installations” policy.
  3. After that click “Enabled” to enable the policy.
  4. Click “Apply” and “OK”.
  5. Reboot the system for the policy to take effect.

6. Disable USB Port and Folder Redirection

USB ports are the most common way a company’s critical data is stolen. This is a very important policy to deploy to protect your environment from confidential data being copied out or a virus being injected into the network.

Folder redirection is another important Group Policy to deploy in organizations. It redirects domain user data to a network location, which lets you keep track of user data and also helps with backing up critical data.

7. Disallow Removable Media Drives, DVDs & CDs

Removable media drives such as CDs, DVDs, USB drives and floppy drives are very prone to infection by viruses or malware. To prevent this, follow the steps below:

  1. Go to the Group Policy Management Editor window, then go to “User Configuration” -> “Policies” -> “Administrative Templates” -> “System” -> “Removable Storage Access”.
  2. After that in the right pane, double-click the “All Removable Storage classes: Deny all access” policy.
  3. Then click “Enabled” to enable the policy.
  4. Click “Apply” and “OK”.
  5. Reboot the computer for the policy to take effect.

Check this article if you want to use Group Policy to disable PowerShell with Software Restriction Policies.

8. Restrict Software Installations

To keep the environment secure, it is recommended to prevent software installations. Users who have rights to install software can also uninstall it, which makes your systems prone to compromise. To prevent this, follow the steps below:

  1. Go to the Group Policy Management Editor, then go to “Computer Configuration” -> “Administrative Templates” -> “Windows Components” -> “Windows Installer”.
  2. Then in the right pane, double-click the “Prohibit User Installs” policy.
  3. Then click “Enabled” to enable the policy.
  4. Click “Apply” and “OK”.
  5. Reboot the system for the policy to take effect.
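The settings in sections 2, 3, 4, 5, 7 and 8 are all backed by a single registry value, so they can be put into one GPO from PowerShell instead of clicking through the editor six times. The block below is an added example, not the article’s own code: the GPO name “Workstation Hardening” and the OU distinguished name are assumptions, and the key/value pairs are the ones the named Administrative Template and Security Options settings write. Note that section 3’s LM hash setting is pushed here through the registry client-side extension (it shows up under “Extra Registry Settings” in the GPMC report) rather than through the Security Options page, but the value written on the client is the same.

```powershell
# Added example, not from the original article: apply the registry-backed
# policies from sections 2, 3, 4, 5, 7 and 8 to one GPO.
# Assumes the GroupPolicy module (RSAT); GPO name and OU are placeholders.
Import-Module GroupPolicy

$gpoName  = 'Workstation Hardening'                 # assumed GPO name
$targetOu = 'OU=Workstations,DC=example,DC=com'     # assumed OU, not the domain root (see section 1)

if (-not (Get-GPO -Name $gpoName -ErrorAction SilentlyContinue)) {
    New-GPO -Name $gpoName | New-GPLink -Target $targetOu | Out-Null
}

$settings = @(
    # 2. Prohibit access to Control Panel and PC settings (User Configuration)
    @{ Key = 'HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer'; ValueName = 'NoControlPanel'; Value = 1 }
    # 3. Network security: Do not store LAN Manager hash value on next password change
    @{ Key = 'HKLM\SYSTEM\CurrentControlSet\Control\Lsa'; ValueName = 'NoLMHash'; Value = 1 }
    # 4. Prevent access to the command prompt
    #    2 = block cmd.exe but still allow batch scripts to run; 1 = block both
    @{ Key = 'HKCU\Software\Policies\Microsoft\Windows\System'; ValueName = 'DisableCMD'; Value = 2 }
    # 5. No auto-restart with logged on users for scheduled automatic updates installations
    @{ Key = 'HKLM\Software\Policies\Microsoft\Windows\WindowsUpdate\AU'; ValueName = 'NoAutoRebootWithLoggedOnUsers'; Value = 1 }
    # 7. All Removable Storage classes: Deny all access (User Configuration)
    @{ Key = 'HKCU\Software\Policies\Microsoft\Windows\RemovableStorageDevices'; ValueName = 'Deny_All'; Value = 1 }
    # 8. Prohibit User Installs (Windows Installer)
    @{ Key = 'HKLM\Software\Policies\Microsoft\Windows\Installer'; ValueName = 'DisableUserInstalls'; Value = 1 }
)

foreach ($s in $settings) {
    Set-GPRegistryValue -Name $gpoName -Key $s.Key -ValueName $s.ValueName `
        -Type DWord -Value $s.Value | Out-Null
}

# Read every value back from the GPO so the change can be verified before
# clients pick it up at their next policy refresh (gpupdate /force on a test host).
foreach ($s in $settings) {
    Get-GPRegistryValue -Name $gpoName -Key $s.Key -ValueName $s.ValueName |
        Select-Object ValueName, Value, Type
}
```

Keep the user-side (HKCU) and computer-side (HKLM) settings in mind when you link the GPO: the HKCU values only apply to users whose account sits under the linked OU (or with loopback processing), while the HKLM values apply to computers under it.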

9. Disable Guest Account

By default the Guest account is disabled; enabling it means anyone can access your sensitive data and misuse it. Check that it is disabled, and if it is not, follow the steps below:

  1. Go to the Group Policy Management Editor, then go to “Computer Configuration” -> “Windows Settings” -> “Security Settings” -> “Local Policies” -> “Security Options”.
  2. Then in the right pane, double-click the “Accounts: Guest account status” policy.
  3. After that select the “Define this policy setting” checkbox and click “Disabled”.
  4. Click “Apply” and “OK”.
  5. Reboot the computer for the policy to take effect.

10. Set Minimum Password Length to Higher Limits

Passwords should be long, ideally a phrase of at least 20 to 30 characters, which is easy to remember and hard for attackers to crack. To set a higher password length, follow the steps below:

  1. Go to the Group Policy Management Editor window, then go to “Computer Configuration” -> “Windows Settings” -> “Security Settings” -> “Account Policies” -> “Password Policy”.
  2. Then in the right pane, double-click the “Minimum password length” policy, and select the “Define this policy setting” checkbox.
  3. Then specify a value for the password length.
  4. Click “Apply” and “OK”.
  5. Reboot the computer for the policy to take effect.

Check this article in case you want to force all users to change their Active Directory password at next logon.

11. Set Maximum Password Age Limit

The maximum password age can be set between 1 and 999 days. The default is 42 days but it is adjustable, and setting the number of days to 0 makes passwords never expire.

Note: Frequent password expiration can lead users to make poor password choices, reuse old passwords or fall back on simple password patterns.

Note: If you want to apply a different password policy to certain groups or users, use a Fine-Grained Password Policy (FGPP).

As per the NIST recommendation, allow long passwords or passphrases of up to 64 characters.

The current NIST recommendation on maximum password age is to ask users to create a new password only in the case of a potential threat or suspected unauthorized access.

To set maximum password age limit, follow the below steps:

  1. Go to the Group Policy Management Editor window, then go to “Computer Configuration” -> “Windows Settings” -> “Security Settings” -> “Account Policies” -> “Password Policy”.
  2. Then in the right pane, double-click the “Maximum password age” policy.
  3. After that select the “Define this policy setting” checkbox and specify the value you want.
  4. Click “Apply” and “OK”.
  5. Reboot the system for the policy to take effect.
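Sections 10 and 11 both edit the Password Policy that the Default Domain Policy enforces, and the note above points at FGPP for exceptions; the following added example (not the article’s code) does all three with the ActiveDirectory module: it shows the effective domain policy, raises the minimum length and sets the maximum age, then creates a Fine-Grained Password Policy with a longer minimum for a privileged group and confirms which policy wins for one of its members. The FGPP name, the lengths, the age and the account checked at the end are assumed values.

```powershell
# Added example, not from the original article: domain password policy (sections
# 10 and 11) plus a Fine-Grained Password Policy for a privileged group.
# Assumes the ActiveDirectory module (RSAT) and Domain Admin rights.
Import-Module ActiveDirectory

$domain = (Get-ADDomain).DNSRoot

# Show the effective domain-wide policy before changing anything.
Get-ADDefaultDomainPasswordPolicy -Identity $domain |
    Select-Object MinPasswordLength, MaxPasswordAge, PasswordHistoryCount, ComplexityEnabled

# Section 10: raise the minimum length. Section 11: set the maximum age.
# (In the GPO editor, 0 days means "never expires"; the values here are assumed.)
Set-ADDefaultDomainPasswordPolicy -Identity $domain `
    -MinPasswordLength 14 `
    -MaxPasswordAge (New-TimeSpan -Days 365) `
    -PasswordHistoryCount 24

# FGPP: a stricter policy for high-value accounts. A lower Precedence value wins
# when several FGPPs apply to the same user; any FGPP beats the domain policy.
$fgppName = 'Tier0-Admins-PSO'     # assumed name
$group    = 'Domain Admins'

if (-not (Get-ADFineGrainedPasswordPolicy -Filter "Name -eq '$fgppName'")) {
    New-ADFineGrainedPasswordPolicy -Name $fgppName -Precedence 10 `
        -MinPasswordLength 20 `
        -PasswordHistoryCount 24 `
        -ComplexityEnabled $true `
        -LockoutThreshold 5 `
        -LockoutDuration (New-TimeSpan -Minutes 30) `
        -LockoutObservationWindow (New-TimeSpan -Minutes 30)
    Add-ADFineGrainedPasswordPolicySubject -Identity $fgppName -Subjects $group
}

# Confirm the policy that actually applies to a member of the group
# (assumed account name 'Administrator').
Get-ADUserResultantPasswordPolicy -Identity 'Administrator' |
    Select-Object Name, MinPasswordLength, MaxPasswordAge, Precedence
```

The resultant-policy check at the end is the one worth keeping in a scheduled audit: it answers “which password rules does this account really get?” regardless of how many FGPPs and group memberships are involved.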

In case you want to notify users via email when their password is about to expire, see: Automate Password Change Notification Through Email.

12. Disable Anonymous SID Enumeration

Active Directory assigns each object, such as users, groups and others, a unique number called a Security Identifier (SID). In previous versions of Windows, anonymous users could query these SIDs, and attackers could use that to gain unauthorized access to data.

By default, this setting is disabled; ensure that it remains disabled.
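Sections 9 and 12 are both “make sure it stays that way” settings, so a read-only check is more useful than another set of clicks. The PowerShell below is an added example, not from the article: it exports the local security policy with secedit, reads the Guest account state (section 9) and the anonymous SID/Name translation setting, which I assume is the Security Option section 12 refers to (“Network access: Allow anonymous SID/Name translation”), and also reads the two related anonymous-enumeration values from the LSA registry key. It assumes an elevated session, since secedit requires administrator rights, and the export path is a placeholder.

```powershell
# Added example, not from the original article: verify that the Guest account
# is disabled (section 9) and anonymous SID/Name translation and anonymous
# enumeration are off (section 12). Read-only; run elevated. Path is assumed.
$cfg = Join-Path $env:TEMP 'secpol-check.inf'
secedit /export /cfg $cfg /quiet | Out-Null

# The exported INF lists [System Access] entries as "Name = Value" lines.
$systemAccess = @{}
Get-Content $cfg | ForEach-Object {
    if ($_ -match '^\s*(EnableGuestAccount|LSAAnonymousNameLookup)\s*=\s*(\d+)') {
        $systemAccess[$matches[1]] = [int]$matches[2]
    }
}
Remove-Item $cfg -ErrorAction SilentlyContinue

# Anonymous enumeration settings live as DWORDs under the LSA key.
$lsa = Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'

$checks = @(
    @{ Setting = 'Accounts: Guest account status';
       Expected = 0; Actual = $systemAccess['EnableGuestAccount'] }
    @{ Setting = 'Network access: Allow anonymous SID/Name translation';
       Expected = 0; Actual = $systemAccess['LSAAnonymousNameLookup'] }
    @{ Setting = 'Network access: Do not allow anonymous enumeration of SAM accounts';
       Expected = 1; Actual = $lsa.RestrictAnonymousSAM }
    # Not on by default; 1 is the hardened value most baselines ask for.
    @{ Setting = 'Network access: Do not allow anonymous enumeration of SAM accounts and shares';
       Expected = 1; Actual = $lsa.RestrictAnonymous }
)

foreach ($c in $checks) {
    # A missing value ($null) never equals the expected number, so it reports FAIL.
    if ($c.Actual -eq $c.Expected) { $result = 'OK' } else { $result = 'FAIL' }
    [pscustomobject]@{
        Setting  = $c.Setting
        Expected = $c.Expected
        Actual   = $c.Actual
        Result   = $result
    }
}
```

Because the values come from the machine’s applied policy rather than from the GPO, the same script run on a sample of workstations also tells you whether the GPO is actually reaching them.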

Conclusion

Follow these important Group Policy settings to secure your organization’s environment. If you are concerned about unwanted changes to these or other Group Policies, enable auditing or use Group Policy auditing software; you can also use Active Directory auditing software to track changes in AD and GPOs.
