There are some simple Group Policy Settings, which if appropriately configured, can help to prevent data breaches. You can make your organizational network safer by configuring the security and operational behavior of computers through Group Policy (a group of settings in the computer registry). Through Group Policy, you can prevent users from accessing specific resources, run scripts, and perform simple tasks such as forcing a particular home page to open for every user in the network. Show
Here is the list of top 10 Group Policy Settings:
In this article, you will learn why these Group Policy settings simply cannot be ignored. 1. Moderating Access to Control PanelSetting limits on a computers’ Control Panel creates a safer business environment. Through Control Panel, you can control all aspects of your computer. So, by moderating who has access to the computer, you can keep data and other resources safe. Perform the following steps:
2. Prevent Windows from Storing LAN Manager HashWindows generates and stores user account passwords in “hashes.” Windows generates both a LAN Manager hash (LM hash) and a Windows NT hash (NT hash) of passwords. It stores them in the local Security Accounts Manager (SAM) database or Active Directory. The LM hash is weak and prone to hacking. Therefore, you should prevent Windows from storing an LM hash of your passwords. Perform the following steps to do so:
3. Control Access to Command PromptCommand Prompts can be used to run commands that give high-level access to users and evade other restrictions on the system. So, to ensure system resources’ security, it’s wise to disable Command Prompt. After you have disabled Command Prompt and someone tries to open a command window, the system will display a message stating that some settings are preventing this action. Perform the following steps:
4. Disable Forced System RestartsForced system restarts are common. For example, you may face a situation where you were working on your computer and Windows displays a message stating that your system needs to restart because of a security update. In many cases, if you fail to notice the message or take some time to respond, the computer restarts automatically, and you lose important, unsaved work. To disable forced restart through GPO, perform the following steps:
5. Disallow Removable Media Drives, DVDs, CDs, and Floppy DrivesRemovable media drives are very prone to infection, and they may also contain a virus or malware. If a user plugs an infected drive to a network computer, it can affect the entire network. Similarly, DVDs, CDs and Floppy Drives are prone to infection. It is therefore best to disable all these drives entirely. Perform the following steps to do so:
6. Restrict Software InstallationsWhen you give users the freedom to install software, they may install unwanted apps that compromise your system. System admins will usually have to routinely do maintenance and cleaning of such systems. To be on the safe side, it’s advisable to prevent software installations through Group Policy:
7. Disable Guest AccountThrough a Guest Account, users can get access to sensitive data. Such accounts grant access to a Windows computer and do not require a password. Enabling this account means anyone can misuse and abuse access to your systems. Thankfully, these accounts are disabled by default. It’s best to check that this is the case in your IT environment as, if this account is enabled in your domain, disabling it will prevent people from abusing access:
8. Set Minimum Password Length to Higher LimitsSet the minimum password length to higher limits. For example, for elevated accounts, passwords should be set to at least 15 characters, and for regular accounts at least 12 characters. Setting a lower value for minimum password length creates unnecessary risk. The default setting is “zero” characters, so you will have to specify a number:
9. Set Maximum Password Age to Lower LimitsIf you set the password expiration age to a lengthy period of time, users will not have to change it very frequently, which means it’s more likely a password could get stolen. Shorter password expiration periods are always preferred. Windows’ default maximum password age is set to 42 days. The following screenshot shows the policy setting used for configuring “Maximum Password Age”. Perform the following steps:
10. Disable Anonymous SID EnumerationActive Directory assigns a unique number to all security objects in Active Directory; including Users, Groups and others, called Security Identifiers (SID) numbers. In older Windows versions, users could query the SIDs to identify important users and groups. This provision can be exploited by hackers to get unauthorized access to data. By default, this setting is disabled, ensure that it remains that way. Perform the following steps:
If you get these Group Policy settings correct, your organization’s security will automatically be in a better state. Please make sure to apply the modified Group Policy Object to everyone and update the Group Policies to reflect them on all domain controllers in your environment. If you want to remain in full control of your IT infrastructure, you have to make sure no unwanted changes in these policies and other Group Policies are made. You can do this by continuous monitoring of Group Policy changes. However, doing through native auditing can be tricky, due to the amount of noise generated and the unavailability of predefined reports. To keep a continuous track of changes made in Group Policy Objects, try Lepide Group Policy Auditor. Our solution allows you to audit every change made to Group Policies in real time. You can also rollback any unwanted or unplanned Group Policy change quickly. |