Recommended Group Policy Settings

This is by no means a definitive list. We will make some recommendations to you for your Group Policy settings. This could be considered a starter list. You should review all of the Group Policy settings to see how they fit your business requirements.

There are three categories of group policy settings underneath two broad groups: Computer Configuration and User Configuration. Inside those are Software Settings, Windows Settings, and Administrative Templates.

Policies you apply within Computer Configuration apply to the whole computer (and all of its users), while settings you apply within User Configuration apply to the specific user.

We are offering these as recommendations. You should review all group policy changes prior to implementation.

Computer Configuration: Windows Settings: Security Settings: Account Policies: Password Policy

Group Policy Objects to set: Enforce password history; maximum password age; minimum password age; minimum password length; Password must meet complexity requirements.

By default, these policy objects are set. In our environment, password history is set to '6 passwords remembered'; maximum password age is set at 45 days; and minimum password length is set to 7 characters.

There are frequent questions surrounding the minimum password age of '1 day' and why it is important to have a minimum password age. If a user is forced to change their password every 42 days (as in the default policy), the user could simply change their password the required number of times to get back to their original password. To prevent this security issue, a minimum password age is set so the user can only change their password once a day.

Computer Configuration: Windows Settings: Security Settings: Account Policies: Account Lockout Policy

There are three policy settings in this category: account lockout duration; account lockout threshold; reset account lockout counter after. We recommend setting the Account lockout threshold to '5 invalid login attempts.' This will automatically set the other two settings to 30 minutes.

This setting will lock a user account for 30 minutes if there are five invalid login attempts. This helps stop hackers from using automated password guessing software on user accounts.

Computer Configuration: Windows Settings: Security Settings: Local Policies: Audit Policy

There are several security items you can audit under the audit policy. To audit in Windows means to record the actions in the local logs. We recommend you audit the successes and failures of: account logon events, account management, logon events, policy change, and privilege use. We recommend you audit the failures of the rest of the items.

Computer Configuration: Windows Settings: Security Settings: Local Policies: Security Options

We recommend you set Accounts: Rename administrator account to Enabled and rename the administrator account to something else. This will help increase security by not giving a potential hacker the username at the start.

You should also consider setting Interactive logon: Do not display last user name to Enabled. This will display a blank username field at every boot; the user will be responsible for remembering their username. If someone gains physical access to the workstation, they would need to know a username to attempt to log in.

Computer Configuration: Administrative Templates: Windows Components

The Administrative Templates section of Group Policy allows you to set policies for the Windows operating system and its components.

Computer Configuration: Administrative Templates: Windows Components: Internet Explorer

If you have a proxy or ISA server, you may want to set Make proxy settings per-machine. This policy will allow you to set the policy settings for one account, and then every account that logs in will receive the proxy settings.

Computer Configuration: Administrative Templates: Windows Components: Internet Information Services

If you set Prevent IIS installation, you can prevent rogue IIS servers from popping up on the network.

Computer Configuration: Administrative Templates: Windows Components: Windows Messenger

We do not like Windows Messenger (the MSN-like instant messenger application Microsoft installs by default). We enable Do not allow Windows Messenger to be run and Do not automatically start Windows Messenger initially.

Computer Configuration: Administrative Templates: Windows Components: Windows Update

If you are using SUS or want the machines to perform automatic updates, you can configure those options in this section.

User Configuration: Windows Settings: Internet Explorer Maintenance

There are several configuration options for Internet Explorer. If you want to force users to have the same homepage or options, you can configure these options.

There are hundreds of policy settings you could potentially apply. We recommend caution, and applying only the policies that are absolutely necessary, leaving the rest as "Not Configured." This will make your user community much happier.
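The Password Policy, Account Lockout Policy and Audit Policy values recommended above can be checked against a machine's effective local security policy with the script below. It is an added example, not part of the original article; it assumes an elevated PowerShell session, that secedit.exe is on the PATH (it ships with Windows), and an arbitrary export file name in the temp directory.

```powershell
# Added example (not from the original article): compare this machine's
# effective local security policy with the recommended settings above.
# Assumes an elevated session and secedit.exe on the PATH.
$Recommended = [ordered]@{
    'System Access' = [ordered]@{
        PasswordHistorySize   = 6    # '6 passwords remembered'
        MaximumPasswordAge    = 45   # days
        MinimumPasswordAge    = 1    # day; stops cycling back to an old password
        MinimumPasswordLength = 7    # characters
        PasswordComplexity    = 1    # 'Password must meet complexity requirements'
        LockoutBadCount       = 5    # '5 invalid login attempts'
        LockoutDuration       = 30   # minutes
        ResetLockoutCount     = 30   # minutes
    }
    # Audit values: 0 = none, 1 = success, 2 = failure, 3 = success and failure
    'Event Audit' = [ordered]@{
        AuditAccountLogon    = 3
        AuditAccountManage   = 3
        AuditLogonEvents     = 3
        AuditPolicyChange    = 3
        AuditPrivilegeUse    = 3
        AuditSystemEvents    = 2     # failures only for the remaining categories
        AuditObjectAccess    = 2
        AuditProcessTracking = 2
        AuditDSAccess        = 2
    }
}

# Export the effective policy to an INF file (constructed path, any name works).
$inf = Join-Path $env:TEMP 'secpol-export.inf'
secedit /export /cfg $inf /quiet | Out-Null

# Parse the INF into section -> key -> value.
$actual = @{}; $section = ''
foreach ($line in Get-Content -Path $inf) {
    if ($line -match '^\[(.+)\]$') { $section = $Matches[1]; $actual[$section] = @{}; continue }
    if ($section -and $line -match '^\s*(\w+)\s*=\s*(.+?)\s*$') { $actual[$section][$Matches[1]] = $Matches[2] }
}
Remove-Item $inf -ErrorAction SilentlyContinue

# Report each recommended setting as OK, REVIEW (differs) or MISSING (not configured).
foreach ($section in $Recommended.Keys) {
    foreach ($key in $Recommended[$section].Keys) {
        $want = $Recommended[$section][$key]
        $have = if ($actual.ContainsKey($section)) { $actual[$section][$key] } else { $null }
        $status = if ($null -eq $have) { 'MISSING' } elseif ([int]$have -eq $want) { 'OK' } else { 'REVIEW' }
        '{0,-7} [{1}] {2,-22} recommended={3,-2} actual={4}' -f $status, $section, $key, $want, $have
    }
}
```

A REVIEW line is a prompt to compare the value with your own requirements, not necessarily a defect; a MaximumPasswordAge of -1 means passwords never expire.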