This is a list of common Active Directory Group Policies (GPOs) that should be implemented in an Active Directory environment for security and administrative convenience. Please note that not all these settings may be right for your environment so consider each carefully. As with any GPO settings, test on a small group of users and computers before rolling out.
1. Enable Audit Logs
Enabling audit logs helps to monitor activity on your network and is a great security tool for identifying threats in your infrastructure.
At a minimum, you should enable Audit System Events. This policy is in Computer Configuration -> Windows Settings –> Security Settings –> Audit Policy.
Change “Audit System Events” to Success, Failure.
See the article Windows Server Audit Policy for auditing best practices.
2. Screen Lockout Time
Enable a lock-out time from inactivity on your domain computers to protect data and privacy. A generally accepted time is 10 – 15 minutes but can be shorter if need be. Teaching your users to lock their computers when they are walking away from their desks is great. But a backup plan is always ideal.
This setting is in Computer Configuration –> Windows Settings –> Security Settings –> Local Policies –> Security Options.
Modify the time for Interactive Logon: Machine inactivity limit.
See the article GPO lock screen for more details.
3. Password Policy
Enforcing a strong password policy is critical for the security of your domain.
These settings are in Computer Configuration –> Windows Settings –> Security Settings –> Account Policies –> Password Policy.
See the article Active Directory password policy for more details.
4. Account Lockout Policy
Enforcing an account lockout policy will help keep your domain computers secure. A malicious actor could attempt to guess passwords for a domain account.
These settings are in Computer Configuration –> Windows Settings –> Security Settings –> Account Policies –> Account Lockout Policy.
See the article Active Directory account lockout policy for more details.
5. Removable Media
The ability for users to plug in USB drives or external hard drives, or to insert CDs and DVDs, should be turned off. Otherwise you open the door to your network being infected with viruses or malware.
These settings are in User Configuration –> Policies –> Administrative Templates –> System –> Removable Storage Access
You can enable Deny read and execute access on specific devices, or enable “All Removable Storage classes: Deny all access” to block all devices.
6. Restrict access to the command prompt and PowerShell
Limit access to the command prompt and PowerShell to prevent commands from being run by regular user accounts. If a system is compromised, the command prompt or PowerShell could be used to elevate a user account. Also, PowerShell can be used to run malicious scripts and is often used to spread ransomware.
To prevent access to the command prompt, enable the setting “Prevent access to the command prompt”.
The setting is in User Configuration –> Administrative Templates –> System.
To disable PowerShell, see the article disable PowerShell GPO.

7. Limit access to Control Panel options
You should limit access to what users can change in Control Panel. Users can change a lot of system settings in the Control Panel such as network settings, adding and removing software, and adding and removing users. All of these activities could open the door to a security breach.
To lock down access to the control panel, you want to enable “Prohibit access to Control Panel and PC Settings”.
This setting is located at User Configuration –> Administrative Templates –> Control Panel
8. Limit who can install software
All software should be tested and approved before being installed on a network. Also, regular user accounts should not be allowed to install software. This is for both security and to alleviate issues the software may cause.
This setting is in Computer Configuration –> Administrative Templates –> Windows Components –> Windows Installer.
Click on “Prohibit User Installs” and enable the policy.
9. Guest Account Settings
Guest accounts grant access to a computer without using a password. This is a security concern as well as a data access concern. It’s best to disable guest access.
This setting is in Computer Configuration –> Windows Settings –> Security Settings –> Local Policies -> Security Options
Click on “Accounts: Guest Account Status” and select disabled.
10. Prevent Storing LAN Manager Hash
LAN Manager stores account passwords in hashes in the local SAM database. The hash is weak and very susceptible to hacking. This should be turned off.
The setting is in Computer Configuration –> Windows Settings –> Security Settings –> Local Policies –> Security Options.
Set “Network Security: Do not store LAN Manager hash value on next password change” policy to Enabled.
11. Limit Local Account use of a blank password to console only
Blank passwords are a high-security threat. In the case that an admin inadvertently creates a local account with no password before it is added to the domain, you can block the ability for that account to be used via RDP, Telnet, and FTP.
This setting is in Computer Configuration –> Windows Settings –> Security Settings –> Local Policies –> Security Options.
Set “Accounts: Limit local account use of blank password to console logon only” to Enabled.
12. Turn off forced restarts
If you are using Windows Update, disable automatic restarts when users are logged on. This will prevent a lot of angry emails and phone calls.
This setting is in Computer Configuration –> Administrative Templates –> Windows Components –> Windows Updates.
Enable the policy “No auto-restart with logged on users for scheduled automatic updates installations”.
13. Monitor Changes to GPO Settings
Tracking changes to your Group Policy Object settings is very helpful when you have multiple admins making changes.
This setting is in Computer Configuration –> Policies –> Windows Settings –> Security Settings –> Advanced Audit Policy Configuration –> Audit Policies/DS Access.
Select Audit Directory Service Changes and click Success.
14. Block Microsoft Store
Users can get carried away with launching apps from Microsoft Store. This creates an admin nightmare.
To block Microsoft Store, Enable the setting “Turn off the store application”.
This setting is in Computer Configuration –> Administrative Templates -> Windows Components –> Store
Some apps still require updating via Microsoft Store. You can allow this by going to Computer Configuration –> Administrative Templates –> Windows Components –> Store.
Select the policy “Turn off automatic download and install of updates” and select disable.
15. Disable Anonymous SID/Name Translation
If this option is enabled, it is possible using the SID to get the name of the built-in Administrator account even if the admin account has been changed to a different name.
The setting is in Computer Configuration –> Windows Settings –> Security Settings –> Local Policies –> Security Options.
Change the policy “Network access: Allow anonymous SID/Name translation” to Disabled.
16. Limit access to the Registry
Altering the registry settings is always a major concern for admins. You can lock down the registry so that users can’t alter it.
This setting is in User Configuration –> Administrative Templates –> System.
Select the policy “Prevent access to registry editing tools” and set it to Enabled.
Then under Disable regedit from running silently, change to Yes.
17. Remove Anonymous Users from Everyone Permissions
This should be disabled by default. I would double-check. If this is enabled, anonymous users can access any resources that everyone permissions have access to.
This setting is in Computer Configuration –> Windows Settings –> Security Settings –> Local Policies –> Security Options
“Network access: Let everyone permissions apply to anonymous users” should be set to Disabled.

18. Turn on auditing for NTLM to make sure you are not using it.
NTLM is a legacy authentication protocol with several vulnerabilities. It was replaced with Kerberos in Windows 2000. Before you disable it, make sure you don’t have any legacy clients still using these authentication methods.
Audit NTLM Usage
This setting is in Computer Configuration –> Windows Settings –> Security Settings –> Local Policies –> Security Options.
Select policy “Network Security: Restrict NTLM: Audit NTLM authentication in this domain” and enable all.
You can view the Event Viewer under Applications and Services Log – Microsoft – Windows – NTLM to see if NTLM is being used. Look for NTLM in the Authentication Package value. The Package name will show you what version of NTLM is being used.
After making sure your domain is not using NTLM, you can disable it.
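The audit review described above can be scripted instead of read by eye in Event Viewer. The following is an added example, not part of the original article: it reads the Microsoft-Windows-NTLM/Operational log for the last seven days and counts events per event ID, user and workstation. The seven-day window and the EventData field names (UserName, DomainName, WorkstationName) are assumptions; field names differ between NTLM audit event types, so the raw fields are kept in a Details column.

```powershell
# Added example (not from the original article): summarize NTLM audit events.
# Run in an elevated session on a domain controller or member server after the
# "Restrict NTLM: Audit ..." policy has applied.
$logName = 'Microsoft-Windows-NTLM/Operational'
$since   = (Get-Date).AddDays(-7)          # assumed review window

$events = Get-WinEvent -FilterHashtable @{ LogName = $logName; StartTime = $since } `
                       -ErrorAction SilentlyContinue

if (-not $events) {
    Write-Output "No NTLM audit events found in $logName since $since."
}
else {
    $rows = foreach ($e in $events) {
        # Flatten <EventData><Data Name="...">value</Data></EventData> into a table.
        $data = [ordered]@{}
        foreach ($d in ([xml]$e.ToXml()).Event.EventData.Data) {
            $key = $d.GetAttribute('Name')
            if ($key) { $data[$key] = $d.InnerText }
        }

        [pscustomobject]@{
            TimeCreated = $e.TimeCreated
            EventId     = $e.Id
            # Assumed field names; empty when this event type does not carry them.
            User        = $data['UserName']
            Domain      = $data['DomainName']
            Workstation = $data['WorkstationName']
            Details     = ($data.GetEnumerator() |
                           ForEach-Object { "$($_.Key)=$($_.Value)" }) -join '; '
        }
    }

    # Who is still authenticating with NTLM, and from where (top 20 combinations).
    $rows |
        Group-Object EventId, Domain, User, Workstation |
        Sort-Object Count -Descending |
        Select-Object Count, Name -First 20 |
        Format-Table -AutoSize

    # Most recent raw events, for following up on a specific client or service.
    $rows |
        Sort-Object TimeCreated -Descending |
        Select-Object TimeCreated, EventId, Details -First 10 |
        Format-List
}
```

An empty result only means no events were logged in the window on this machine; check every domain controller before moving on to Deny All.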
Disable NTLM (Make sure you audit your network first)
This setting is in Computer Configuration –> Windows Settings –> Security Settings –> Local Policies –> Security Options.
Select policy “Network Security: Restrict NTLM: NTLM authentication in this domain” and select Deny All.
19. Disable LLMNR
Link-Local Multicast Name Resolution (LLMNR) is a protocol used to resolve IP addresses to host names. Basically, it performs domain name lookups without a DNS server. It works by sending a broadcast out on the network looking for an address, and any device on the network can respond. An attacker can easily abuse this by responding to these broadcasts and connecting to machines. In a business network, your devices should be using a DNS server you control or approve.
You can disable LLMNR with this policy setting.
The setting is in Computer Configuration -> Administrative Templates -> Network -> DNS Client.
Enable the “Turn Off Multicast Name Resolution” policy by changing its value to Enabled.
20. Control the Local Administrators Group
If you do not limit access to the local administrators group, how do you know which accounts have full administrator rights? Over time, staff will create accounts and add existing accounts to the local administrators group on workstations and laptops. This gives the account full rights to the computer, allowing it to install software and drivers, make system changes, and so on. This is bad security practice, and no user should be doing their day-to-day work with full administrator rights.
You can use group policy to control which users are members of this group and prevent other staff from making changes.
Refer to the remove local admin rights guide for step-by-step instructions.
21. Windows Firewall
I recommend you centrally manage the Windows firewall using group policy. This is similar to the local administrator rights issue: if you are not centrally managing it, the rules can get out of control. If a user gets a firewall prompt to allow or deny something, they could easily click allow all the time. Any requests to unblock something should come through the IT/Security team.
See the article Windows firewall best practices for more details.
22. Enable User Account Control (UAC)
With UAC, applications run in the security context of a regular user (non-administrator account) and it prompts for permissions when the application needs administrator-level access.
This is another layer of security to help protect users, computers, and your network. This is another setting that users or other staff can disable. Use group policy to centrally force UAC to be enabled and prevent it from being disabled.
The UAC policies are located in the following:
Computer Configuration -> Policies -> Windows Settings -> Security Settings -> Local Policies -> Security Options.

23. Applocker or Software Restriction Policies
Applocker is a feature that allows you to control which applications and files can run. This can help prevent unapproved software and files from running. For example, if a user downloads software from the internet and it is not approved in the Applocker policy the software will be blocked.
This can also help prevent ransomware and other malicious viruses from installing and spreading on your network. Applocker is only available on Windows Enterprise edition. If you are running Windows Pro, then look into software restriction policies.
The software restriction policies are located in the following.
Computer Configuration -> Policies -> Windows Settings -> Security Settings -> Software Restriction Policies
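Once the GPOs are linked, it is worth confirming on a test machine that the settings actually arrived. The following is an added example, not part of the original article: it reads the registry values that back six of the settings above (items 2, 10, 11, 17, 19 and 22) and reports each as OK, Mismatch or NotSet. The registry paths and value names are the standard backing values for these policies, and the 900-second limit is taken from the 15-minute upper bound suggested in item 2.

```powershell
# Added example (not from the original article): spot-check that selected GPO
# settings from this list are in effect on the local computer.
$lsa    = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
$system = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
$dns    = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\DNSClient'

$checks = @(
    @{ Item = '2. Machine inactivity limit';      Path = $system; Name = 'InactivityTimeoutSecs'
       Want = '1-900 seconds'; Test = { param($v) $v -ge 1 -and $v -le 900 } }
    @{ Item = '10. Do not store LAN Manager hash'; Path = $lsa;    Name = 'NoLMHash'
       Want = '1';             Test = { param($v) $v -eq 1 } }
    @{ Item = '11. Blank password: console only';  Path = $lsa;    Name = 'LimitBlankPasswordUse'
       Want = '1';             Test = { param($v) $v -eq 1 } }
    @{ Item = '17. Everyone applies to anonymous'; Path = $lsa;    Name = 'EveryoneIncludesAnonymous'
       Want = '0';             Test = { param($v) $v -eq 0 } }
    @{ Item = '19. Turn off multicast name res.';  Path = $dns;    Name = 'EnableMulticast'
       Want = '0';             Test = { param($v) $v -eq 0 } }
    @{ Item = '22. User Account Control';          Path = $system; Name = 'EnableLUA'
       Want = '1';             Test = { param($v) $v -eq 1 } }
)

$report = foreach ($c in $checks) {
    # A missing key or value means the policy has not written anything here.
    $prop  = Get-ItemProperty -Path $c.Path -Name $c.Name -ErrorAction SilentlyContinue
    $value = if ($prop) { $prop.($c.Name) } else { $null }

    $status = if ($null -eq $value)       { 'NotSet' }
              elseif (& $c.Test $value)   { 'OK' }
              else                        { 'Mismatch' }

    [pscustomobject]@{
        Setting  = $c.Item
        Value    = $value
        Expected = $c.Want
        Status   = $status
    }
}

$report | Format-Table -AutoSize

# Non-zero count is useful when the script runs from a scheduled compliance job.
$failed = @($report | Where-Object { $_.Status -ne 'OK' }).Count
Write-Output "$failed of $($report.Count) checked settings need attention."
```

NotSet means the operating system default applies for that value, so compare it against the default for your Windows version before treating it as a failure.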
I hope you enjoyed this article. What GPOs do you use to improve security?
FAQs
What are the most useful group policies?
- Prohibit access to the control panel.
- Prevent access to the command prompt.
- Deny all removable storage access.
- Prohibit users from installing unwanted software.
- Reinforce guest account status settings.
- Do not store LAN Manager hash values on next password changes.
What three security related GPOs would you implement to help secure end user PCs?
- Moderating Access to Control Panel.
- Prevent Windows from Storing LAN Manager Hash.
- Control Access to Command Prompt.
- Disable Forced System Restarts.
- Disallow Removable Media Drives, DVDs, CDs, and Floppy Drives.
- Restrict Software Installations.
- Disable Guest Account.
As always, be sure to test this in your environment as different configurations could yield different results. Note that in no case can a client process more than 999 GPOs before the Group Policy engine gives up and dies. And that's definitely too many GPOs.
Which of the following GPOs will apply first?
GPOs are processed in the following order: The local GPO is applied. GPOs linked to sites are applied. GPOs linked to domains are applied.
What are the two types of default GPOs?
- Default Domain Controllers Policy.
- Default Domain Policy.
How many GPOs can be applied?
Actually, you can have only 999 GPOs applied and affecting a user or a computer before the system gives up and won't apply any more.
What are the two types of GPO filtering?
To exclude certain users or computers, or to apply filters only to a select few, you can filter the group policies in two ways: Security filtering. WMI filtering.
More than one GPO can be linked to a given site, and those GPOs could have conflicting settings. In this case, you need to understand which settings will be applied.
What is Group Policy in security?
Group Policy allows administrators to define security policies for users and for computers. These policies, which are collectively referred to as Group Policy Objects (GPOs), are based on a collection of individual Group Policy settings.
What does a GPO allow us to do give two examples of possible GPO settings?
System admins use GPO to adjust and customize settings for some of the following key areas: registry-based policies, security options, software installation and maintenance options, scripts options, and folder redirection options.
What are three advantages to using Group Policy Objects GPOs in your domain?
In a nutshell, the benefits of group policy objects are: better security, better management over users' rights and their passwords, and over computer behavior as a standardized environment will prevent wasting time with setups and let your sysadmins deploy patches or make any updates they want via GPOs.
What are the 3 components we want to protect in cyber security?
When we discuss data and information, we must consider the CIA triad. The CIA triad refers to an information security model made up of the three main components: confidentiality, integrity and availability. Each component represents a fundamental objective of information security.
What are the 3ps of security?
Like a football or soccer team, security also has two lineups that must be continuously managed. One lineup involves protecting the digital assets and data of a business.
Why should an administrator use GPOs?
It essentially provides a centralized place for administrators to manage and configure operating systems, applications, and users' settings. Group Policies, when used correctly, can enable you to increase the security of users' computers and help defend against both insider threats and external attacks.
Which GPO is created by default?
Default Domain Policy: A default GPO that is automatically created and linked to the domain whenever a server is promoted to a domain controller. It has the highest precedence of all GPOs linked to the domain, and it applies to all users and computers in the domain.
How do I list applied GPOs?
By executing the command gpresult.exe, the administrator of the OS can locate the group policies applied on the computer along with the redirected folders and the registry settings on that system. gpresult Command: To see the Gpresult commands, go to the command prompt and type the command: “gpresult /?”
What two methods are there of using starter GPOs to create new GPOs?
There are two ways to create a new Group Policy object from a Starter GPO. You can create a new Group Policy object from a Starter GPO at the Starter GPOs node or at the Group Policy objects node.
What are the four Group Policy levels?
The four unique levels of hierarchy for Group Policy processing are called Local, Site, Domain, and OU.
What is GPO and its types?
A Group Policy Object (GPO) is a virtual collection of policy settings. A GPO has a unique name, such as a GUID. Group Policy settings are contained in a GPO. A GPO can represent policy settings in the file system and in the Active Directory.
What tools are used to find which GPOs are applied?
The RSOP tool is handy when you need to quickly find all the applied GPO settings targeted to a computer or user. Using this tool allows you to see the applied settings; not just all the settings for GPOs targeting a specific computer or user.
Who can create GPOs?
To create a new GPO, use the Active Directory Users and Computers MMC snap-in. To complete this procedure, you must be a member of the Domain Administrators group, or otherwise be delegated permissions to create new GPOs. Open the Group Policy Management console.
How do I see all GPOs?
In 'GPO Management' section click on the 'GPO Management' link. In the 'Group Policy Management' pane on the left hand side, click on 'All Domains' to expand the link and view all the configured domains. Click on the required Domain/OU. This will display all the GPOs that are linked to that specific container.
Is Linux a GPOs?
Group Policy Objects (GPOs) for Linux® would be a dream come true for IT admins. Unfortunately, GPOs are a unique feature of the Microsoft® Active Directory® (AD) platform that only works for Windows® based systems.
Where are GPO files stored?
The GPOs are stored in the SYSVOL folder. The SYSVOL folder is automatically replicated to other domain controllers in the same domain. A policy file uses approximately 2 megabytes (MB) of hard disk space.
How often do GPOs update?
Group Policy is automatically refreshed when you restart the domain member computer, or when a user logs on to a domain member computer. In addition, Group Policy is periodically refreshed. By default, this periodic refresh is performed every 90 minutes with a randomized offset of up to 30 minutes.
What is security filter in GPO?
Security filtering of a GPO allows you to limit what users or computers are hit by the GPO settings and allows you to delegate the administration of the GPO. To target a user or computer you must assign Read and Apply permissions to the user/computer or a group of which they are a member.
Which two components make up a GPO?
A GPO is a virtual object that stores policy-setting information with two components: Directory service: GPOs and their attributes are stored in a directory service, such as Active Directory. File share: GPOs also store policy settings information on a local or remote file share, such as the Group Policy file share.
What is GPO item level targeting?
Item-Level Targeting lets you define how Group Policy settings apply to Active Directory users or computers by setting conditions. You perform the process by first selecting conditional logic statements like AND, OR, and NOT. These best practices will help you get more out of Item-level targeting.
Can you copy GPO from one domain to another?
The Group Policy Management Console (GPMC) enables you to transfer Group Policy objects (GPOs) across domains and across forests using import and copy operations. This can be useful if you maintain separate test and production environments and need to replicate the content from one environment to the other.
Which GPO will apply if conflicts occur?
If there is conflict between two GPOs of the same container, the last applied GPO will be effective.
What is an example of a Group Policy?
Examples of group policies include configuring operating system security, adding firewall rules, or managing applications like Microsoft Office or a browser. Group Policies also install software and run startup and login scripts.
What is the main purpose of a Group Policy?
The primary purpose of Group Policy is to apply policy settings to computers and users in an Active Directory domain to enable IT administrators to automate one-to-many management of users and computers. This simplifies administrative tasks and reduces IT costs.
What are 3 Best Practices for GPOs?
- Do not modify the Default Domain Policy and Default Domain Controller Policy.
- Create a well-designed organizational unit (OU) structure in Active Directory.
- Give GPOs descriptive names.
What GPOs are applied last?
- The local GPO is applied.
- GPOs linked to sites are applied.
- GPOs linked to domains are applied.
- GPOs linked to organizational units are applied.
GPOs linked to organizational units have the highest precedence, followed by those linked to domains. GPOs linked to sites always take the least precedence. To understand which GPOs are linked to a domain or OU, click the domain or OU in GPMC and select the Linked Group Policy Objects tab.
What is GPO in cyber security?
Group Policy Objects (GPOs) provides an infrastructure for centralized configuration management of the Windows operating system and applications that run on the operating system. GPOs are a collection of settings that define what a system will look like and how it will behave for a defined group of computers or users.
How do you use Group Policy?
In the console tree, right-click your domain, and then click Properties. Click the Group Policy tab, select the policy that you want, and then click Edit. Under Computer Configuration, expand Software Settings. Right-click Software installation, point to New, and then click Package.
How are GPOs applied?
Group Policy Objects, or GPOs, are assigned by linking them to containers (sites, domains, or Organizational Units (OUs)) in Active Directory (AD). Then, they are applied to computers and users in those containers.
What is Group Policy template?
The Group Policy template (GPT) is a file system folder that includes policy data specified by .adm files, security settings, script files, and information about applications that are available for installation. The GPT is located in the system volume folder (SysVol) in the domain \Policies subfolder.