Publish Date: 22/08/2023
Group Policy is a feature of the Microsoft Windows NT family of operating systems that controls the working environment of user accounts and computer accounts. Group Policy settings give the system administrator centralized control to manage and configure applications, the operating system, and user settings across an Active Directory domain.
There are three main types of GPO’s to be aware of:
Local Group Policy Objects
Local GPOs are used when policy settings need to be applied to only one Windows computer or to one user. Every Windows computer has a local GPO by default. Local GPOs apply only to that computer and to the users who log on to it, and any conflicting setting in a domain GPO overrides them, because domain policy is processed after local policy.
Non-local Group Policy Objects
Unlike local GPOs, non-local group policy objects are stored in Active Directory and linked to sites, domains, or organizational units. Every computer and user in a linked container receives them, so one non-local GPO can apply to many Windows computers and users at once.
Starter Group Policy Objects
Starter GPOs are templates for the Administrative Templates settings of a non-local GPO. They are particularly useful when creating a new GPO in Active Directory: IT administrators pre-configure a group of settings that serves as a baseline for every policy created from the template.
Restricting access to Control Panel through Group Policy (User Configuration -> Administrative Templates -> Control Panel -> Prohibit access to Control Panel and PC settings) stops standard users from changing system configuration, which keeps the organizational environment consistent and easier to secure.
Controlling user access to Command Prompt (cmd.exe) is vital for protecting system resources, because an interactive shell lets a user run commands and scripts that sidestep the restrictions you impose through the GUI. The setting is User Configuration -> Administrative Templates -> System -> Prevent access to the command prompt; enabling it, with the option to disable script processing as well, blocks cmd.exe and batch files. Note that it does nothing about PowerShell, which has to be constrained separately (for example with AppLocker or Constrained Language Mode), so treat this as a usability control rather than a security boundary.
Removable media drives have few built-in defenses, so they are an easy medium for bringing viruses and malware into the network and for taking data out. Block them with Computer Configuration -> Administrative Templates -> System -> Removable Storage Access -> All Removable Storage classes: Deny all access, or deny only write access (Removable Disks: Deny write access) if users still need to read from USB devices.
A Guest account lets someone log on to Windows without a password, so anyone with physical or network access to the machine could reach data that belongs to other users, which can be disastrous. Guest accounts are disabled by default, but verifying the setting should be a priority: Computer Configuration -> Windows Settings -> Security Settings -> Local Policies -> Security Options -> Accounts: Guest account status, set to Disabled.
User account credentials are generated in Windows and stored in the Security Accounts Manager (SAM) database. Windows can store each password as both a LAN Manager hash (LM hash) and a Windows NT hash (NT hash). Passwords should not be stored as LM hashes: the LM hash upper-cases the password, pads it to 14 characters, splits it into two independent 7-character halves, and uses each half as a DES key, so it is a legacy, weak method that can be cracked in minutes with rainbow tables. Enable Computer Configuration -> Windows Settings -> Security Settings -> Local Policies -> Security Options -> Network security: Do not store LAN Manager hash value on next password change. As the name says, existing LM hashes disappear only when users next change their passwords.
A forced restart is a common problem, and one that costs you unsaved work. Sometimes Windows displays a message that the system needs to restart to finish installing an update, and if that pop-up is missed the system restarts on its own. This is more a matter of reliability than security, but if a Windows system is running something critical, enable Computer Configuration -> Administrative Templates -> Windows Components -> Windows Update -> No auto-restart with logged on users for scheduled automatic updates installations. Updates still install; the restart waits for the logged-on user.
Restricting the installation of unapproved software that may compromise the system is important. If users can install anything, administrators are left doing routine inventory and clean-up of every machine instead of preventing the problem. Windows Installer has its own policy (Computer Configuration -> Administrative Templates -> Windows Components -> Windows Installer -> Prohibit User Installs), and application control (AppLocker or Software Restriction Policies, covered below) prevents unapproved executables from running at all.
Raising the minimum password length removes unnecessary risk from short, quickly guessed passwords. On a standalone machine the default is 0 (no minimum) and the Default Domain Policy ships with 7; Microsoft's security baseline sets 14. The setting is Computer Configuration -> Windows Settings -> Security Settings -> Account Policies -> Password Policy -> Minimum password length.
Maximum password age, in the same Password Policy node, bounds how long a stolen or breached password stays useful: users have to change their passwords periodically, which limits the window after an undetected compromise. Be aware that Microsoft removed the 60-day expiry from its baseline in 2019 because forced rotation pushes users toward predictable variations of the old password; if you keep an expiry, pair it with banned-password screening and multifactor authentication rather than relying on rotation alone.
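The two password settings above are normally checked by opening the Default Domain Policy in GPMC; the following script does the same check against a baseline and shows the remediation, including a stricter fine-grained policy for privileged accounts. It is an added example, not code from the original post: it requires the ActiveDirectory RSAT module and Domain Admin rights for the Set-* and New-* calls, the baseline numbers follow the Microsoft security baseline except the 365-day maximum age, and the group name Tier0-Admins is assumed.

```powershell
# Added example: audit the default domain password policy against a baseline
# and remediate drift. Requires the ActiveDirectory module (RSAT); the Set-*
# and New-* calls need Domain Admin rights. Baseline values follow the
# Microsoft security baseline except MaxPasswordAge, which is an assumption.
Import-Module ActiveDirectory

$baseline = [ordered]@{
    MinPasswordLength           = 14
    PasswordHistoryCount        = 24
    ComplexityEnabled           = $true
    ReversibleEncryptionEnabled = $false
    LockoutThreshold            = 10
    MaxPasswordAge              = New-TimeSpan -Days 365
}

function Test-PasswordPolicy {
    param($Policy, $Baseline)
    foreach ($name in $Baseline.Keys) {
        $want = $Baseline[$name]
        $have = $Policy.$name
        $ok = switch ($name) {
            'MinPasswordLength'    { $have -ge $want }
            'PasswordHistoryCount' { $have -ge $want }
            'LockoutThreshold'     { $have -gt 0 -and $have -le $want }   # 0 = never lock out
            # A zero MaxPasswordAge and an enormous one both mean "never expires".
            'MaxPasswordAge'       { $have -gt [TimeSpan]::Zero -and $have -le $want }
            default                { $have -eq $want }
        }
        [pscustomobject]@{ Setting = $name; Current = $have; Baseline = $want; Compliant = $ok }
    }
}

$report = Test-PasswordPolicy -Policy (Get-ADDefaultDomainPasswordPolicy) -Baseline $baseline
$report | Format-Table -AutoSize

if ($report | Where-Object { -not $_.Compliant }) {
    # Remediate the Default Domain Policy (uncomment to apply).
    # Set-ADDefaultDomainPasswordPolicy -Identity (Get-ADDomain).DNSRoot `
    #     -MinPasswordLength 14 -PasswordHistoryCount 24 -ComplexityEnabled $true `
    #     -ReversibleEncryptionEnabled $false -LockoutThreshold 10
}

# Privileged accounts get a stricter fine-grained password policy (PSO) that
# wins over the domain default. "Tier0-Admins" is an assumed group name.
New-ADFineGrainedPasswordPolicy -Name 'PSO-PrivilegedAccounts' -Precedence 10 `
    -MinPasswordLength 20 -PasswordHistoryCount 24 -ComplexityEnabled $true `
    -MaxPasswordAge (New-TimeSpan -Days 90) -LockoutThreshold 5 `
    -LockoutDuration (New-TimeSpan -Minutes 30) -LockoutObservationWindow (New-TimeSpan -Minutes 30)
Add-ADFineGrainedPasswordPolicySubject -Identity 'PSO-PrivilegedAccounts' -Subjects 'Tier0-Admins'
```

The compliance test is deliberately directional (a longer minimum or longer history than the baseline still passes), and it treats a lockout threshold of 0 and a "never expires" maximum age as failures, since both silently disable the control.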
All security principals (users, groups, computers and others) are assigned unique Security Identifiers (SIDs). Two Security Options settings control whether an anonymous caller can make use of them. Network access: Allow anonymous SID/Name translation determines whether an unauthenticated user can ask the system to translate a SID into an account name. If it were Enabled, an attacker could submit the well-known SID of the built-in Administrator account (relative ID 500) and learn its current name even after it has been renamed, which is the first step of a password-guessing attack. It is Disabled by default, and the preferred state is Disabled; make sure it stays that way. Its companions, Network access: Do not allow anonymous enumeration of SAM accounts and Network access: Do not allow anonymous enumeration of SAM accounts and shares, should both be Enabled so that anonymous sessions cannot list users and shares either.
Automatic security updates should stay enabled, but driver updates delivered through Windows Update can cause serious problems for Windows users, and regular users cannot switch them off because updating is automated. Group Policy can exclude drivers from the update cycle with Computer Configuration -> Administrative Templates -> Windows Components -> Windows Update -> Do not include drivers with Windows Updates (the older Turn off Windows Update device driver searching policy covers driver lookups during device installation). If you only want to freeze specific devices, use Computer Configuration -> Administrative Templates -> System -> Device Installation -> Device Installation Restrictions -> Prevent installation of devices that match any of these device IDs, which blocks Windows from installing or updating drivers for the listed devices; that policy requires the hardware IDs of the devices, which you can find in Device Manager under the device's Details tab.
There are many ways to block users from installing or running new software. Doing this reduces maintenance work and avoids the clean-up required after something malicious is installed. The Group Policy tools are AppLocker (Computer Configuration -> Windows Settings -> Security Settings -> Application Control Policies) and the older Software Restriction Policies. Blocking by file extension such as .exe is the weakest form of rule, because an executable can be renamed or delivered as a DLL, script or installer; prefer rules that allow only software signed by approved publishers or located in directories users cannot write to (Program Files and Windows), start in audit-only mode, and review the AppLocker event log before switching to enforcement.
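Building such an allow-list from a known-good machine, starting in audit mode, and dry-running a file before enforcing is shown below as an added example (not code from the original post). The inventory directory, the output path, the test file and the GPO LDAP path are assumptions; the AppLocker cmdlets are the standard ones from the AppLocker module.

```powershell
# Added example: build an AppLocker policy from trusted binaries, start it in
# AuditOnly, dry-run a file, then publish to a GPO. Paths, the test file and
# the LDAP path are assumptions for illustration.
Import-Module AppLocker

# 1. Inventory binaries you already trust. Signed files become Publisher rules
#    (they survive version updates); unsigned ones fall back to Hash rules.
$trusted = Get-AppLockerFileInformation -Directory 'C:\Program Files' -Recurse -FileType Exe, Dll

$xml = New-AppLockerPolicy -FileInformation $trusted -RuleType Publisher, Hash `
    -User Everyone -RuleNamePrefix 'Approved' -Optimize -Xml

# 2. Start in AuditOnly: what would have been blocked is logged (event 8003 for
#    Exe/Dll under Applications and Services Logs\Microsoft\Windows\AppLocker)
#    but still runs. New-AppLockerPolicy emits "NotConfigured" collections.
$xml = $xml -replace 'EnforcementMode="NotConfigured"', 'EnforcementMode="AuditOnly"'
$policyFile = 'C:\Temp\AppLocker-AuditOnly.xml'   # assumed output path
Set-Content -Path $policyFile -Value $xml

# 3. Dry-run a file a user might download (assumed path). PolicyDecision of
#    Denied or DeniedByDefault is what enforcement would do.
Test-AppLockerPolicy -XmlPolicy $policyFile -Path 'C:\Users\Public\Downloads\tool.exe' -User Everyone |
    Format-Table FilePath, PolicyDecision, MatchingRule -AutoSize

# 4. Publish to a GPO (assumed LDAP path; replace {GPO-GUID} with the target
#    GPO's GUID). -Merge keeps the default rules that allow %WINDIR% and
#    %PROGRAMFILES%; without them an enforced Exe collection blocks Windows
#    itself. Enforcement also needs the Application Identity service (AppIDSvc)
#    running on the clients.
Set-AppLockerPolicy -XmlPolicy $policyFile -Merge `
    -Ldap 'LDAP://corp.example/CN={GPO-GUID},CN=Policies,CN=System,DC=corp,DC=example'
```

After a week in audit mode, pull the 8003 events from the AppLocker log, add rules for anything legitimate that appeared, and only then switch the collections to Enabled.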
NTLM is the authentication protocol for workgroup computers and local accounts, and it remains the fallback in an Active Directory environment whenever Kerberos cannot be used (connecting by IP address, to a server without a service principal name, or from outside the domain). Kerberos should be used instead: it is the stronger protocol and provides mutual authentication, whereas NTLM's challenge/response never proves the server's identity. NTLM has well-known weaknesses: LM and NTLMv1 responses use DES and can be cracked, NTLMv2 responses captured from the network can be brute-forced offline, the NT hash itself can be used directly in pass-the-hash attacks, and NTLM authentication can be relayed to other servers. Restrict it with the Security Options settings Network security: LAN Manager authentication level (Send NTLMv2 response only. Refuse LM & NTLM) and the Network security: Restrict NTLM family, but audit first: enable Restrict NTLM: Audit Incoming NTLM Traffic and Restrict NTLM: Audit NTLM authentication in this domain, review the Operational log under Applications and Services Logs -> Microsoft -> Windows -> NTLM, and confirm that neither Microsoft nor third-party applications in your network still depend on NTLM before denying it.
Group Policy management can get out of hand when several administrators modify GPOs. Keep track of all GPO changes (audit directory service changes and keep regular backups with Backup-GPO) to ensure that every change is in line with your organization's security and compliance obligations.
Enabling audit logs lets you monitor activity on your network and is a great tool for identifying threats in your infrastructure. At a minimum, enable Audit System Events, found under Computer Configuration -> Windows Settings -> Security Settings -> Local Policies -> Audit Policy, and set it to Success, Failure. Do not stop there: the legacy categories are coarse, and the Advanced Audit Policy Configuration node (Computer Configuration -> Windows Settings -> Security Settings -> Advanced Audit Policy Configuration) lets you pick the subcategories that actually catch attacks, such as Logon, Account Lockout, Credential Validation, User Account Management and Process Creation. When you use the advanced settings, also enable Audit: Force audit policy subcategory settings (Windows Vista or later) to override audit policy category settings so the two do not conflict.
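Turning auditing on is only half the job; the events have to be read. The following added example (not code from the original post) enables the subcategories listed above with auditpol, which writes locally the same advanced audit settings the GPO node pushes centrally, and then summarises failed logons (event 4625) from the Security log. The subcategory list, the 24-hour window and the threshold of 10 failures are the example's own choices; run it elevated.

```powershell
# Added example: enable the audit subcategories that matter for account
# attacks, then summarise failed logons. auditpol mirrors locally what the
# Advanced Audit Policy Configuration GPO node sets. Thresholds are assumptions.
$subcategories = @(
    'Logon', 'Account Lockout', 'Credential Validation', 'User Account Management',
    'Security Group Management', 'Audit Policy Change', 'Security State Change',
    'Security System Extension', 'Process Creation'
)
foreach ($sub in $subcategories) {
    auditpol /set /subcategory:"$sub" /success:enable /failure:enable | Out-Null
}
# Process Creation (4688) is only useful with command lines; this is the
# registry value behind "Include command line in process creation events".
$auditKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\Audit'
New-Item -Path $auditKey -Force | Out-Null
Set-ItemProperty -Path $auditKey -Name 'ProcessCreationIncludeCmdLine_Enabled' -Value 1 -Type DWord
auditpol /get /category:*    # confirm the effective policy

function Get-FailedLogonSummary {
    param([int]$Hours = 24, [int]$Threshold = 10)
    $since  = (Get-Date).AddHours(-$Hours)
    $events = Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4625; StartTime = $since } `
        -ErrorAction SilentlyContinue
    $rows = foreach ($e in $events) {
        # EventData is a list of <Data Name="...">value</Data>; index it by name.
        $data = @{}
        foreach ($d in ([xml]$e.ToXml()).Event.EventData.Data) { $data[$d.Name] = $d.'#text' }
        [pscustomobject]@{
            Time        = $e.TimeCreated
            Account     = $data['TargetUserName']
            Source      = $data['IpAddress']
            Workstation = $data['WorkstationName']
            LogonType   = $data['LogonType']    # 3 = network, 10 = RDP
            SubStatus   = $data['SubStatus']    # 0xC000006A bad password, 0xC0000064 unknown user
        }
    }
    # Many failures for one account from one source = brute force; one or two
    # failures across many accounts from one source = password spray.
    $rows | Group-Object Account, Source |
        Where-Object Count -ge $Threshold |
        Sort-Object Count -Descending |
        Select-Object Count, Name, @{ n = 'First'; e = { ($_.Group | Sort-Object Time)[0].Time } }
}
Get-FailedLogonSummary | Format-Table -AutoSize
```

On a domain, run the summary against the domain controllers' Security logs (Get-WinEvent -ComputerName), since that is where domain logon failures are recorded; a single workstation only sees attempts against its local accounts.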
Users can get carried away launching apps from the Microsoft Store, which creates an administrative nightmare. To block Microsoft Store, enable Turn off the Store application under Computer Configuration -> Administrative Templates -> Windows Components -> Store. Note that since Windows 10 version 1511 this policy is honored only on Enterprise and Education editions; on Windows 10 Pro it is ignored, and you need an AppLocker rule against the Store app instead. Some apps still need to be updated through the Microsoft Store; allow this in the same Store node by setting Turn off automatic download and install of updates to Disabled.
Changes to registry settings are a constant concern for administrators. You can lock the registry editor so that users cannot alter it: under User Configuration -> Administrative Templates -> System, set Prevent access to registry editing tools to Enabled, and change Disable regedit from running silently to Yes so that regedit /s (silent import of .reg files) is blocked as well. Keep in mind that this only stops regedit.exe; reg.exe, the PowerShell registry provider and any program calling the registry APIs still work, so the real protection for sensitive keys is their ACLs and the fact that standard users are not local administrators.
Link-Local Multicast Name Resolution (LLMNR) is a protocol that resolves host names to IP addresses without a DNS server. When a lookup fails in DNS, the client sends a multicast query on the local subnet asking who owns that name, and any device on the network may answer. An attacker on the same subnet can answer every such query, pretend to be the requested host, and capture the NTLM challenge/response the victim then sends (or relay it to another server) without ever touching a real machine. In a business network, your devices should only use a DNS server you control or approve, so disable LLMNR with this policy setting: Computer Configuration -> Administrative Templates -> Network -> DNS Client -> Turn off multicast name resolution, set to Enabled. Its sibling, the NetBIOS Name Service (NBT-NS), is abused the same way and is not covered by this policy; disable NetBIOS over TCP/IP on each network adapter or through your DHCP server's Microsoft vendor options.
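A GPO that is linked but not applied protects nothing, so the last step is to verify on a host. The Security Options settings from the LM-hash, anonymous-SID and NTLM sections and the DNS Client policy above are all stored in the registry, and the following added example (not code from the original post) reads them back and reports pass or fail, including the per-interface NBT-NS setting the LLMNR policy does not cover. The expected values are Microsoft's documented encodings for those policies; the selection of checks and the output format are the example's own.

```powershell
# Added example: verify that the GPO-backed hardening settings actually
# landed in the registry on this host. Expected values are the documented
# encodings of the named policies; the check list itself is an assumption.
$lsa = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
$checks = @(
    @{ Setting = 'Do not store LAN Manager hash value';                             Path = $lsa;          Name = 'NoLMHash';                     Expect = 1 }
    @{ Setting = 'LAN Manager authentication level = NTLMv2 only, refuse LM & NTLM'; Path = $lsa;          Name = 'LmCompatibilityLevel';         Expect = 5 }
    @{ Setting = 'Do not allow anonymous enumeration of SAM accounts';              Path = $lsa;          Name = 'RestrictAnonymousSAM';         Expect = 1 }
    @{ Setting = 'Do not allow anonymous enumeration of SAM accounts and shares';   Path = $lsa;          Name = 'RestrictAnonymous';            Expect = 1 }
    # Restrict NTLM: 2 = deny all. Roll out the Audit* values (2 = audit all) first.
    @{ Setting = 'Restrict NTLM: Incoming NTLM traffic = Deny all accounts';        Path = "$lsa\MSV1_0"; Name = 'RestrictReceivingNTLMTraffic'; Expect = 2 }
    @{ Setting = 'Restrict NTLM: Outgoing NTLM traffic = Deny all';                 Path = "$lsa\MSV1_0"; Name = 'RestrictSendingNTLMTraffic';   Expect = 2 }
    @{ Setting = 'Turn off multicast name resolution (LLMNR)';                      Path = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\DNSClient'; Name = 'EnableMulticast'; Expect = 0 }
)

function Get-RegistryDword {
    param([string]$Path, [string]$Name)
    try { (Get-ItemProperty -Path $Path -Name $Name -ErrorAction Stop).$Name } catch { $null }
}

function Test-HardeningSettings {
    param($Checks)
    foreach ($c in $Checks) {
        $actual = Get-RegistryDword -Path $c.Path -Name $c.Name
        # A missing value means the OS default applies, which is never the hardened state here.
        $shown = if ($null -eq $actual) { '(not set, OS default applies)' } else { $actual }
        [pscustomobject]@{ Setting = $c.Setting; Expected = $c.Expect; Actual = $shown; Pass = ($actual -eq $c.Expect) }
    }
    # NBT-NS is configured per interface, not by the DNS Client policy:
    # NetbiosOptions 0 = use DHCP setting, 1 = enabled, 2 = disabled.
    $ifaces = 'HKLM:\SYSTEM\CurrentControlSet\Services\NetBT\Parameters\Interfaces'
    foreach ($iface in Get-ChildItem -Path $ifaces) {
        $opt = (Get-ItemProperty -Path $iface.PSPath).NetbiosOptions
        [pscustomobject]@{ Setting = "NetBIOS over TCP/IP on $($iface.PSChildName)"; Expected = 2; Actual = $opt; Pass = ($opt -eq 2) }
    }
}

Test-HardeningSettings -Checks $checks | Format-Table -AutoSize
```

Run it after gpupdate /force on a freshly joined machine and again from a scheduled task; a value that reverts between runs usually means a second GPO with a conflicting setting wins in the link order, which gpresult /h will show.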
I am a Security Engineer, passionate about building secure solutions that solve a problem at scale. Currently I work with Meta as a Security Engineer with the RL Trust Team solving Manufacturing Security Challenges for Reality Labs
Avradeep Bhattacharya