There are certain easy Group Policy Settings that, when properly implemented, can aid in the prevention of data breaches. You can make your organization's network safer by customizing the security and operational behavior of machines using Group Policy (a set of registry settings). You can use Group Policy to block users from accessing specified resources, run scripts, and do simple tasks like requiring a set home page to open for all network users.
The following are the top ten Group Policy Settings:
1. Moderating Access to Control Panel
2. Prevent Windows from Storing LAN Manager Hash
3. Control Access to Command Prompt
4. Disable Forced System Restarts
5. Disallow Removable Media Drives, DVDs, CDs, and Floppy Drives
6. Restrict Software Installations
7. Disable Guest Account
8. Set Minimum Password Length to Higher Limits
9. Set Maximum Password Age to Lower Limits
10. Disable Anonymous SID Enumeration
11. Disable NTLM version 1
12. Disable SMB version 1
1. Moderating Access to Control Panel
Setting limits on a computers’ Control Panel creates a safer business environment. Through Control Panel, you can control all aspects of your computer. So, by moderating who has access to the computer, you can keep data and other resources safe. Perform the following steps:
1. In Group Policy Management Editor (opened for a user-created GPO), navigate to “User Configuration” “Administrative Templates” “Control Panel”.
2. In the right pane, double-click “Prohibit access to Control Panel and PC settings” policy in to open its properties.
3. Select “Enabled” from the three options.
4. Click “Apply” and “OK”.
2. Prevent Windows from Storing LAN Manager Hash
Windows generates and stores user account passwords in “hashes.” Windows generates both a LAN Manager hash (LM hash) and a Windows NT hash (NT hash) of passwords. It stores them in the local Security Accounts Manager (SAM) database or Active Directory.
The LM hash is weak and prone to hacking. Therefore, you should prevent Windows from storing an LM hash of your passwords. Perform the following steps to do so:
1. In Group Policy Management Editor window (opened for a custom GPO), go to “Computer Configuration” “Windows Settings” “Security Settings” “Local Policies” “Security Options”.
2. In the right pane, double-click “Network security: Do not store LAN Manager hash value on next password change” policy.
3. Select “Define this policy setting” checkbox and click “Enabled.
4. Click “Apply” and “OK”.
3. Control Access to Command Prompt
Command Prompts can be used to run commands that give high-level access to users and evade other restrictions on the system. So, to ensure system resources’ security, it’s wise to disable Command Prompt.
After you have disabled Command Prompt and someone tries to open a command window, the system will display a message stating that some settings are preventing this action. Perform the following steps:
1. In the window of Group Policy Management Editor (opened for a custom GPO), go to “User Configuration” “Windows Settings” “Policies” “Administrative Templates” “System”.
2. In the right pane, double-click “Prevent access to the command prompt” policy.
3. Click “Enabled” to apply the policy.
4. Click “Apply” and “OK”.
4. Disable Forced System Restarts
Forced system restarts are common. For example, you may face a situation where you were working on your computer and Windows displays a message stating that your system needs to restart because of a security update.
In many cases, if you fail to notice the message or take some time to respond, the computer restarts automatically, and you lose important, unsaved work. To disable forced restart through GPO, perform the following steps:
1. In “Group Policy Management Editor” window (opened for a custom GPO), go to “Computer Configuration” “Administrative Templates” “Windows Component” “Windows Update”.
2. In the right pane, double-click “No auto-restart with logged on users for scheduled automatic updates installations” policy.
3. Click “Enabled” to enable the policy.
4. Click “Apply” and “OK”.
5. Disallow Removable Media Drives, DVDs, CDs, and Floppy Drives
Removable media drives are very prone to infection, and they may also contain a virus or malware. If a user plugs an infected drive to a network computer, it can affect the entire network. Similarly, DVDs, CDs and Floppy Drives are prone to infection.
It is therefore best to disable all these drives entirely. Perform the following steps to do so:
1. In Group Policy Management Editor window (opened for a custom GPO), go to “User Configuration” “Policies” “Administrative Templates” “System” “Removable Storage Access”.
2. In the right pane, double-click “All removable storage classes: Deny all accesses” policy
3. Click “Enabled” to enable the policy.
Recommended by LinkedIn
4. Click “Apply” and “OK”.
6. Restrict Software Installations
When you give users the freedom to install software, they may install unwanted apps that compromise your system. System admins will usually have to routinely do maintenance and cleaning of such systems. To be on the safe side, it’s advisable to prevent software installations through Group Policy:
1. In Group Policy Management Editor (opened for a custom GPO), go to “Computer Configuration” “Administrative Templates” “Windows Component” “Windows Installer”.
2. In the right pane, double-click “Prohibit User Install” policy.
3. Click “Enabled” to enable the policy
4. Click “Apply” and “OK”.
7. Disable Guest Account
Through a Guest Account, users can get access to sensitive data. Such accounts grant access to a Windows computer and do not require a password. Enabling this account means anyone can misuse and abuse access to your systems.
Thankfully, these accounts are disabled by default. It’s best to check that this is the case in your IT environment as, if this account is enabled in your domain, disabling it will prevent people from abusing access:
1. In Group Policy Management Editor (opened for a custom GPO), go to “Computer Configuration” “Windows Settings” “Security Settings” “Local Policies” “Security Options”.
2. In the right pane, double-click “Accounts: Guest Account Status” policy.
3. Select “Define this policy setting” checkbox and click “Disabled”.
4. Click “Apply” and “OK”.
8. Set Minimum Password Length to Higher Limits
Set the minimum password length to higher limits. For example, for elevated accounts, passwords should be set to at least 15 characters, and for regular accounts at least 12 characters. Setting a lower value for minimum password length creates unnecessary risk. The default setting is “zero” characters, so you will have to specify a number:
1. In Group Policy Management Editor window (opened for a custom GPO), go to “Computer Configuration” “Windows Settings” “Security Settings” “Account Policies” “Password Policy”.
2. In the right pane, double-click “Minimum password length” policy, select “Define this policy setting” checkbox.
3. Specify a value for the password length.
4. Click “Apply” and “OK”.
9. Set Maximum Password Age to Lower Limits
If you set the password expiration age to a lengthy period of time, users will not have to change it very frequently, which means it’s more likely a password could get stolen. Shorter password expiration periods are always preferred.
Windows’ default maximum password age is set to 42 days. The following screenshot shows the policy setting used for configuring “Maximum Password Age”. Perform the following steps:
1. In Group Policy Management Editor window (opened for a custom GPO), go to “Computer Configuration” “Windows Settings” “Security Settings” “Account Policies” “Password Policy”.
2. In the right pane, double-click “Maximum password age” policy.
3. Select “Define this policy setting” checkbox and specify a value.
4. Click “Apply” and “OK”.
10. Disable Anonymous SID Enumeration
Active Directory assigns a unique number to all security objects in Active Directory; including Users, Groups and others, called Security Identifiers (SID) numbers. In older Windows versions, users could query the SIDs to identify important users and groups. This provision can be exploited by hackers to get unauthorized access to data. By default, this setting is disabled, ensure that it remains that way. Perform the following steps:
1. In Group Policy Management Editor window, go to “Computer Configuration” “Policies” “Windows Settings” “Security Settings” “Local Policies” “Security Options”.
2. In the right pane, double-click “Network Access: Do not allow anonymous enumeration of SAM accounts and shares” policy setting.
3. Choose ‘Enabled’ and then click ‘Apply’ and ‘OK’ to save your settings.
If you get these Group Policy settings correct, your organization’s security will automatically be in a better state. Please make sure to apply the modified Group Policy Object to everyone and update the Group Policies to reflect them on all domain controllers in your environment.
11. Disable NTLM version 1
NTLM attacksare especially relevant to Active Directory environments. One of the most common attack scenarios is NTLM Relay, in which the attacker compromises one machine and then spreads laterally to other machines by using NTLM authentication directed at the compromised server. The best way to cope with NTLM vulnerabilities is basically not to use NTLM, but NTLMV2 is more secure.
To disable NTLM v1 follow the steps below:
12. Disable SMB Version 1
If there are no SMB 1.x clients left on your network, you must completely disable SMBv1 on all Windows devices. By disabling SMB 1.0, you can protect Windows computers from a wide range of vulnerabilities in this legacy protocol (the most famous public exploit for SMBv1 is EternalBlue). As a result, your devices will use new, more efficient, secure and functional versions of the SMB protocol when accessing network shares.
The below Microsoft article describes how to enable and disable Server Message Block (SMB) version 1 (SMBv1), SMB version 2 (SMBv2), and SMB version 3 (SMBv3) on the SMB client and server components.
While disabling or removing SMBv1 might cause some compatibility issues with old computers or software, SMBv1 has significant security vulnerabilities, and we strongly encourage you not to use it. SMB 1.0 isn't installed by default in any edition of Windows 11 or Windows Server 2019 and later. SMB 1.0 also isn't installed by default in Windows 10, except Home and Pro editions. We recommend that instead of reinstalling SMB 1.0, you update the SMB server that still requires it.
