Recommended Group Policy Settings

This is by no means a definitive list. We will make some recommendations to you for your Group Policy settings. This could be considered a starter list. You should review all of the Group Policy settings to see how they fit in your business requirements.

There are three categories of group policy settings underneath two broad groups: Computer Configuration and User Configuration. Inside those are Software Settings, Windows Settings, and Administrative Templates.

Policies you apply within Computer Configuration apply to the whole computer (and all of its users), while settings you apply within User Configuration apply to the specific user.

We are offering these as recommendations. You should review all group policy changes prior to implementation.

Computer Configuration: Windows Settings: Security Settings: Account Policies: Password Policy

Group Policy Objects to Set: Enforce password history; maximum password age; minimum password age; minimum password length; Password must meet complexity requirements.

By default, these policy objects are set. In our environment, password history is set to '6 passwords remembered'; maximum password age is set at 45 days; and minimum password length is set to 7 characters.

There are frequent questions surrounding the minimum password age of '1 day' and why it is important to have a minimum password age. If a user is forced to change their password every 42 days (as in the default policy), the user could simply change their password the required number of times to get back to their original password. To prevent this security issue, a minimum password age is set so the user can only change their password once a day.

Computer Configuration: Windows Settings: Security Settings: Account Policies: Account Lockout Policy

There are three policy settings in this category: account lockout duration; account lockout threshold; reset account lockout counter after. We recommend setting the Account lockout threshold to '5 invalid login attempts.' This will automatically set the other two settings to 30 minutes.

This setting will lock a user account for 30 minutes if there are five invalid login attempts. This helps stop hackers from using automated password guessing software on user accounts.

Computer Configuration: Windows Settings: Security Settings: Local Policies: Audit Policy

There are several security items you can audit under the audit policy. To audit in Windows means to record the actions in the local logs. We recommend you audit the successes and failures of: account logon events, account management, logon events, policy change, and privilege use. We recommend you audit the failures of the rest of the items.

Computer Configuration: Windows Settings: Security Settings: Local Policies: Security Options

We recommend you set Accounts: Rename administrator account to Enabled and rename the administrator account to something else. This will help increase security by not giving a potential hacker the username at the start.

You should also consider setting Interactive logon: Do not display last user name to Enabled. This will display a blank username field at every boot; the user will be responsible for remembering their username. If someone gains physical access to the workstation, they would need to know a username to attempt to log in.

Computer Configuration: Administrative Templates: Windows Components

The Administrative Templates section of Group Policy allows you to set policies for the Windows operating system and its components.

Computer Configuration: Administrative Templates: Windows Components: Internet Explorer

If you have a proxy or ISA server, you may want to set Make proxy settings per-machine. This policy will allow you to set the proxy settings once for the machine, and then every account that logs in will receive those proxy settings.

Computer Configuration: Administrative Templates: Windows Components: Internet Information Services

If you set Prevent IIS installation, you can prevent rogue IIS servers from popping up on the network.

Computer Configuration: Administrative Templates: Windows Components: Windows Messenger

We do not like Windows Messenger (the MSN-like instant messenger application Microsoft installs by default). We enable Do not allow Windows Messenger to be run and Do not automatically start Windows Messenger initially.

Computer Configuration: Administrative Templates: Windows Components: Windows Update

If you are using SUS or want the machines to perform automatic updates, you can configure those options in this section.

User Configuration: Windows Settings: Internet Explorer Maintenance

There are several configuration options for Internet Explorer. If you want to force users to have the same homepage or options, you can configure these options here.

There are hundreds of policy settings you could potentially apply. We recommend caution: only apply policies that are absolutely necessary, leaving the rest as "Not Configured." This will make your user community much happier.
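The Password Policy, Account Lockout Policy, Audit Policy and Security Options values recommended above can be verified on a workstation from PowerShell. The script below is an added example, not part of the original guide: it exports the effective local security policy with secedit.exe and compares it against the numbers given here. It assumes secedit.exe is present and the session is elevated; the expected values are the ones stated in this guide.

```powershell
# Export the effective local security policy (INI-style) to a temp file.
$inf = Join-Path $env:TEMP 'secpol-check.inf'
secedit /export /cfg $inf /areas SECURITYPOLICY | Out-Null

# Parse the export into section -> key -> value.
$policy = @{}
$section = ''
foreach ($line in Get-Content $inf) {
    if ($line -match '^\[(.+)\]$') { $section = $Matches[1]; $policy[$section] = @{}; continue }
    if ($line -match '^\s*([^=]+?)\s*=\s*(.*)$') { $policy[$section][$Matches[1]] = $Matches[2] }
}

# [System Access] holds the Password Policy and Account Lockout Policy values.
# Expected values come from this guide: history 6, max age 45 days, min age 1 day,
# min length 7, complexity on, lockout after 5 attempts, 30-minute duration/reset.
$expected = [ordered]@{
    'PasswordHistorySize'   = '6'
    'MaximumPasswordAge'    = '45'
    'MinimumPasswordAge'    = '1'
    'MinimumPasswordLength' = '7'
    'PasswordComplexity'    = '1'
    'LockoutBadCount'       = '5'
    'LockoutDuration'       = '30'
    'ResetLockoutCount'     = '30'
}
$sa = $policy['System Access']
foreach ($k in $expected.Keys) {
    $status = if ($sa[$k] -eq $expected[$k]) { 'OK  ' } else { 'DIFF' }
    "{0} {1,-22} expected {2,-3} actual {3}" -f $status, $k, $expected[$k], $sa[$k]
}

# Accounts: Rename administrator account (secedit quotes the name in the export).
if ($sa['NewAdministratorName'] -and $sa['NewAdministratorName'] -ne '"Administrator"') {
    "OK   Administrator account renamed"
} else { "DIFF Administrator account still uses the default name" }

# [Event Audit]: 3 = success and failure, 2 = failure only, 1 = success only, 0 = none.
$ea = $policy['Event Audit']
$both = 'AuditAccountLogon','AuditAccountManage','AuditLogonEvents','AuditPolicyChange','AuditPrivilegeUse'
foreach ($k in $both) { if ($ea[$k] -ne '3') { "DIFF $k should audit success and failure (3), is $($ea[$k])" } }
foreach ($k in 'AuditSystemEvents','AuditObjectAccess','AuditDSAccess','AuditProcessTracking') {
    if ($ea[$k] -ne '2') { "DIFF $k should audit failure (2), is $($ea[$k])" }
}

# Interactive logon: Do not display last user name is stored under [Registry Values] as 4,1 when enabled.
$rv = $policy['Registry Values']
$hide = $rv['MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System\DontDisplayLastUserName']
if ($hide -eq '4,1') { "OK   Last user name is hidden at logon" } else { "DIFF Last user name is shown at logon" }
Remove-Item $inf -ErrorAction SilentlyContinue
```

Lines marked DIFF are settings where the machine's effective policy differs from the recommendation; a setting that is Not Configured shows up with the Windows default rather than an empty value.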