Mastering Security: Best Practices for Microsoft Windows Group Policy Objects (GPOs)

 
Publish Date: 22/08/2023

What is a GPO?

Group Policy is a feature of the Microsoft Windows NT family of operating systems that controls the working environment of user accounts and computer accounts. Group Policy settings give the system administrator centralized control to manage and configure applications, operating systems, and user settings in Active Directory.
 

How many types of Group Policy Objects (GPOs) are there?

There are three main types of GPOs to be aware of:
 
Local Group Policy Objects
 
This type of GPO is used when policy settings need to be applied to only one Windows computer or one user. Local Group Policy Objects exist by default on every Windows computer and are used when IT admins need to apply policy settings to a single Windows computer or user. They apply only to the local computer and to the users who log on to that computer.
 
Non-local Group Policy Objects
 
Unlike local GPOs, non-local Group Policy Objects require your Windows computers and users to be linked to Active Directory objects: sites, domains, or organizational units. This means that a non-local GPO can apply to one or more Windows computers and users.
 
Starter Group Policy Objects
 
Starter GPOs are non-local GPO templates for Group Policy settings. They are particularly useful when creating a new GPO in Active Directory, because they let IT administrators pre-configure a group of settings that serves as the baseline for any future policy.
 

Big List Of Most Commonly Used GPOs


 

MODERATING ACCESS TO CONTROL PANEL

Creating a Group Policy setting that limits access to the computers' Control Panel helps keep the organizational environment secure.
 

CONTROL ACCESS TO COMMAND PROMPT

 
Controlling user access to Command Prompt (cmd.exe) is vital to securing system resources, because with access to cmd.exe a user can run commands that grant high-level access to user accounts.
 

DISALLOW REMOVABLE MEDIA DRIVES, DVDS, CDS, AND FLOPPY DRIVES

 
Removable media drives are mostly undefended, so they are an easy medium for transferring viruses and malware.
 

DISABLE GUEST ACCOUNT

 
A Guest Account lets a user access Windows without a password, so a user could reach sensitive data, which can be disastrous. By default, guest accounts are disabled, but checking this policy setting must be a priority.
 

PREVENT WINDOWS FROM STORING LAN MANAGER HASH

 
User account credentials are generated in Windows and stored in the Security Accounts Manager (SAM) database. Windows stores passwords as both a LAN Manager hash (LM hash) and a Windows New Technology hash (NT hash). Passwords should not be stored as LM hashes, because LM is an old and weak method that can be cracked.
 

DISABLE FORCED SYSTEM RESTARTS

 
This is a common problem and needs to be solved if you don't want to lose important unsaved work. Sometimes the system displays a message that it needs to restart because of an update, and if that pop-up is missed the system forces a restart. This is more a matter of system reliability than security, but if your Windows system is running something critical it is best practice to have this setting enabled.
 

RESTRICT SOFTWARE INSTALLATIONS

 
Restricting the installation of unwanted software that may compromise your systems is important. If installation is allowed, then the system admins have to perform routine check-ups of the systems.
 

SET MINIMUM PASSWORD LENGTHS TO HIGHER LIMITS

 
Setting the minimum password length to a higher limit lowers unnecessary risk. By default, I think the value for this setting is “0”; you have to specify a number in order to enforce a minimum password length.
 

SET MAXIMUM PASSWORD AGE TO LOWER LIMITS

 
The maximum password age must be set to a lower limit, so that users have to change their passwords frequently. This protects the user in case of a password breach or a stolen password.
 

DISABLE ANONYMOUS SID ENUMERATION

 
All security objects (users, groups, and others) are assigned unique Security Identifier (SID) numbers. Anonymous enumeration of these SIDs can be exploited by attackers, and important data can be breached. By default, this policy setting is set to disabled, but ensure that it stays that way.
 

DISABLE SID/NAME TRANSLATION

 
This Group Policy setting determines whether an anonymous user can get access to the system by asking for Security Identifiers (SIDs). If Enabled, this setting allows a user to anonymously submit the SID of the Administrator account, making the system prone to a data breach. The preferred state for this setting is “Disabled”.
 

DISABLE AUTOMATIC DRIVER UPDATES

 
Although I think automatic security updates should be enabled on your system, automatic driver updates can cause serious problems for Windows users, and regular users can't switch them off since it's an automated feature. Windows Group Policy settings can be changed to disable automatic driver updates, using the Turn off Windows Update device driver searching policy. However, you must specify the hardware IDs of the devices you want to stop updates on; you can find this information in Device Manager.
 

DISABLE SOFTWARE INSTALLATIONS

 
There are many ways to block users from installing new software on their systems. Doing this reduces maintenance work and avoids the cleanup required when something bad is installed. You can prevent software installation by configuring the AppLocker and Software Restriction Policies Group Policy settings and blocking certain extensions (such as “.exe”) from running.
 

DISABLE NTLM

 
NTLM is used for local authentication and for computers that are members of a workgroup. In an Active Directory environment, Kerberos authentication should be used instead of NTLM, because it is a stronger authentication protocol that uses mutual authentication rather than the NTLM challenge/response method. NTLM has many known vulnerabilities and uses weaker cryptography, so it is very vulnerable to brute-force attacks. You should disable NTLM authentication in your network using Group Policy to allow only Kerberos authentication, but first ensure that neither Microsoft nor third-party applications in your network require NTLM authentication.
 

MONITOR GPO CHANGES

 
Group Policy management can get out of hand when several admins start modifying GPOs. Keep track of all GPO changes to ensure that any change is in line with your organization's security and compliance obligations.
 

ENABLE AUDIT LOGS

 
Enabling audit logs helps you monitor activity on your network and is a great security tool for identifying threats in your infrastructure. At a minimum, you should enable Audit System Events. This policy is under Computer Configuration -> Windows Settings -> Security Settings -> Audit Policy. Set Audit System Events to Success, Failure.
 

BLOCK MICROSOFT STORE

 
Users can get carried away launching apps from the Microsoft Store, which creates an admin nightmare. To block the Microsoft Store, enable the setting Turn off the Store application, found under Computer Configuration -> Administrative Templates -> Windows Components -> Store.
Some apps still require updating via the Microsoft Store. You can allow this by going to Computer Configuration -> Administrative Templates -> Windows Components -> Store, selecting the policy Turn off automatic download and install of updates, and setting it to Disabled.
 

LIMIT ACCESS TO THE REGISTRY

 
Altering registry settings is always a major concern for admins. You can lock down the registry so that users can't alter it. This setting is under User Configuration -> Administrative Templates -> System. Select the policy Prevent access to registry editing tools and set it to Enabled; then, under Disable regedit from running silently, change the value to Yes.
 

DISABLE LLMNR

 
Link-Local Multicast Name Resolution (LLMNR) is a protocol used to resolve host names and IP addresses on the local network. Basically, it performs name lookups without a DNS server: it sends a broadcast onto the network looking for a name, and any device on the network can respond. An attacker can easily answer these broadcasts and use the response to connect to machines. In a business network, your devices should be using a DNS server you control or approve. You can disable LLMNR with the policy setting under Computer Configuration -> Administrative Templates -> Network -> DNS Client: enable the Turn Off Multicast Name Resolution policy by setting its value to Enabled.
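As an added example (not code from the original post), here is a read-only compliance check for the settings in the list above: it reads the registry values these policies write, plus the Guest account state and the System audit category, and reports PASS/FAIL for the local machine. It assumes an elevated Windows PowerShell 5.1+ session on a workstation; the HKCU entries reflect only the currently logged-on user, and the "Audit System Events" check is taken to mean every subcategory of the advanced-audit System category.

```powershell
# Added example (not from the original post): read-only audit of the local machine against the
# registry values the GPO settings above write. Assumes an elevated Windows PowerShell 5.1+ session;
# HKCU entries reflect only the currently logged-on user.
$checks = @(
    @{ Name = 'Control Panel blocked';          Path = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer'; Value = 'NoControlPanel';               Expected = @(1) }
    @{ Name = 'Command Prompt blocked';         Path = 'HKCU:\Software\Policies\Microsoft\Windows\System';                  Value = 'DisableCMD';                   Expected = @(1, 2) }
    @{ Name = 'LM hash not stored';             Path = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa';                        Value = 'NoLMHash';                     Expected = @(1) }
    @{ Name = 'Anonymous SAM enumeration off';  Path = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa';                        Value = 'RestrictAnonymousSAM';         Expected = @(1) }
    @{ Name = 'NTLMv2 only, LM/NTLM refused';   Path = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa';                        Value = 'LmCompatibilityLevel';         Expected = @(5) }
    @{ Name = 'Incoming NTLM denied';           Path = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa\MSV1_0';                 Value = 'RestrictReceivingNTLMTraffic'; Expected = @(2) }
    @{ Name = 'WU driver searching off';        Path = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\DriverSearching';         Value = 'DontSearchWindowsUpdate';      Expected = @(1) }
    @{ Name = 'Microsoft Store off';            Path = 'HKLM:\SOFTWARE\Policies\Microsoft\WindowsStore';                    Value = 'RemoveWindowsStore';           Expected = @(1) }
    @{ Name = 'Registry editing tools blocked'; Path = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\System';   Value = 'DisableRegistryTools';         Expected = @(1, 2) }
    @{ Name = 'LLMNR off';                      Path = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\DNSClient';            Value = 'EnableMulticast';              Expected = @(0) }
)

function Get-PolicyValue([string]$Path, [string]$Name) {
    # $null means the key or value is absent, i.e. the policy is "Not configured".
    try { (Get-ItemProperty -Path $Path -Name $Name -ErrorAction Stop).$Name } catch { $null }
}

function New-Result([string]$Setting, $Actual, [bool]$Pass) {
    [pscustomobject]@{ Setting = $Setting; Actual = $Actual; Status = $(if ($Pass) { 'PASS' } else { 'FAIL' }) }
}

$results = foreach ($c in $checks) {
    $actual = Get-PolicyValue $c.Path $c.Value
    $shown  = if ($null -eq $actual) { 'not configured' } else { $actual }
    New-Result $c.Name $shown ($null -ne $actual -and $c.Expected -contains [int]$actual)
}

# The Guest account state is not registry-backed; query the local SAM directly.
$guest    = Get-LocalUser -Name 'Guest' -ErrorAction SilentlyContinue
$results += New-Result 'Guest account disabled' $(if ($guest) { "Enabled=$($guest.Enabled)" } else { 'absent' }) (-not $guest -or -not $guest.Enabled)

# "Audit System Events: Success, Failure" is checked here as the advanced-audit System category
# (an assumption of this example): every subcategory must report "Success and Failure".
$sys      = auditpol.exe /get /category:System /r | ConvertFrom-Csv
$allBoth  = @($sys | Where-Object { $_.'Inclusion Setting' -ne 'Success and Failure' }).Count -eq 0
$results += New-Result 'System events audited (S+F)' (($sys.'Inclusion Setting' | Sort-Object -Unique) -join ', ') $allBoth

$results | Format-Table -AutoSize
```

A FAIL with Actual = "not configured" means no GPO (or local policy) has set the value at all, which is worth distinguishing from an explicitly weak setting when you review the report.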
 
 
 
