Recommended Group Policy Settings

This is by no means a definitive list. We will make some recommendations to you for your Group Policy settings. This could be considered a starter list. You should review all of the Group Policy settings to see how they fit in your business requirements.

There are three categories of group policy settings underneath two broad groups: Computer Configuration and User Configuration. Inside those are Software Settings, Windows Settings, and Administrative Templates.

Policies you apply within Computer Configuration apply to the whole computer (and all of its users), while settings you apply within User Configuration apply to the specific user.

We are offering these as recommendations. You should review all group policy changes prior to implementation.

Computer Configuration: Windows Settings: Security Settings: Account Policies: Password Policy

Group Policy Objects to Set: Enforce password history; Maximum password age; Minimum password age; Minimum password length; Password must meet complexity requirements.

By default, these policy objects are set. In our environment, password history is set to '6 passwords remembered'; maximum password age is set at 45 days; and minimum password length is set to 7 characters.

There are frequent questions surrounding the minimum password age of '1 day' and why it is important to have a minimum password age. If a user is forced to change their password every 42 days (as in the default policy), the user could simply change their password the required number of times to get back to their original password. To prevent this security issue, a minimum password age is set so the user can only change their password once a day.

Computer Configuration: Windows Settings: Security Settings: Account Policies: Account Lockout Policy

There are three policy settings in this category: Account lockout duration; Account lockout threshold; Reset account lockout counter after. We recommend setting the Account lockout threshold to '5 invalid login attempts.' This will automatically set the other two settings to 30 minutes.

This setting will lock a user account for 30 minutes if there are five invalid login attempts. This helps stop hackers from using automated password guessing software on user accounts.

Computer Configuration: Windows Settings: Security Settings: Local Policies: Audit Policy

There are several security items you can audit under the audit policy. To audit in Windows means to record the actions in the local logs. We recommend you audit the successes and failures of: account logon events, account management, logon events, policy change, and privilege use. We recommend you audit the failures of the rest of the items.

Computer Configuration: Windows Settings: Security Settings: Local Policies: Security Options

We recommend you set Accounts: Rename administrator account to Enabled and rename the administrator account to something else. This will help increase security by not giving a potential hacker the username at the start.

You should also consider setting Interactive logon: Do not display last username to Enabled. This will display a blank username field at every boot; the user will be responsible for remembering their username. If someone gains physical access to the workstation, they would need to know a username to attempt to log in.

Computer Configuration: Administrative Templates: Windows Components

The Administrative Templates section of Group Policy allows you to set policies for the Windows operating system and its components.

Computer Configuration: Administrative Templates: Windows Components: Internet Explorer

If you have a proxy or ISA server, you may want to set Make proxy settings per-machine. This policy will allow you to set the policy settings for one account, and then every account that logs in will receive the proxy settings.

Computer Configuration: Administrative Templates: Windows Components: Internet Information Services

If you set Prevent IIS installation, you can prevent rogue IIS servers from popping up on the network.

Computer Configuration: Administrative Templates: Windows Components: Windows Messenger

We do not like Windows Messenger (the MSN-like instant messenger application Microsoft installs by default). We enable Do not allow Windows Messenger to be run and Do not automatically start Windows Messenger initially.

Computer Configuration: Administrative Templates: Windows Components: Windows Update

If you are using SUS or want the machines to perform automatic updates, you can configure those options in this section.

User Configuration: Windows Settings: Internet Explorer Maintenance

There are several configuration options for Internet Explorer. If you want to force users to have the same homepage or options, you can configure these options.

There are hundreds of policy settings you could potentially apply. We recommend caution: only apply policies that are absolutely necessary, leaving the rest as "Not Configured." This will make your user community much happier.
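The password, lockout, audit and Security Options recommendations above can be checked against a machine's effective local security policy. The following script is an added example, not part of the original article; it assumes the INF key names that secedit /export writes, and the sample export it parses is constructed data rather than a real machine's output.

```powershell
# Added example (not from the original article): grade a secedit export against
# the password, lockout, audit and Security Options values recommended above.
# Assumes the INF key names secedit writes; $Sample below is constructed test data.
function ConvertFrom-SeceditInf {
    param([string[]]$Lines)
    $cfg = @{}; $section = ''
    foreach ($line in $Lines) {
        if ($line -match '^\[(.+)\]\s*$') { $section = $Matches[1]; continue }
        if ($line -match '^\s*(.+?)\s*=\s*(.*?)\s*$') { $cfg["$section/$($Matches[1])"] = $Matches[2] }
    }
    $cfg
}
function Test-GpoRecommendations {
    param([hashtable]$Cfg)
    $sa = 'System Access/'; $ea = 'Event Audit/'
    $reg = 'Registry Values/MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System\'
    $checks = [ordered]@{
        "${sa}PasswordHistorySize"   = { [int]$args[0] -ge 6 }
        "${sa}MaximumPasswordAge"    = { [int]$args[0] -ge 1 -and [int]$args[0] -le 45 }
        "${sa}MinimumPasswordAge"    = { [int]$args[0] -ge 1 }   # blocks cycling back to the old password
        "${sa}MinimumPasswordLength" = { [int]$args[0] -ge 7 }
        "${sa}PasswordComplexity"    = { [int]$args[0] -eq 1 }
        "${sa}LockoutBadCount"       = { [int]$args[0] -eq 5 }
        "${sa}LockoutDuration"       = { [int]$args[0] -ge 30 }
        "${sa}ResetLockoutCount"     = { [int]$args[0] -ge 30 }
        "${sa}NewAdministratorName"  = { $args[0] -notmatch '^"?Administrator"?$' }
        "${reg}DontDisplayLastUserName" = { $args[0] -eq '4,1' }   # REG_DWORD (4) set to 1
    }
    # Audit values: 1 = success, 2 = failure, 3 = both. Both for the five categories the article names, failure for the rest.
    foreach ($c in 'AuditAccountLogon','AuditAccountManage','AuditLogonEvents','AuditPolicyChange','AuditPrivilegeUse') { $checks["$ea$c"] = { [int]$args[0] -eq 3 } }
    foreach ($c in 'AuditSystemEvents','AuditObjectAccess','AuditDSAccess','AuditProcessTracking') { $checks["$ea$c"] = { ([int]$args[0] -band 2) -ne 0 } }
    foreach ($key in $checks.Keys) {
        $val = $Cfg[$key]   # missing key means the setting is not configured, which fails the check
        [pscustomobject]@{ Setting = ($key -replace '^.*[/\\]'); Actual = $val; Pass = ($null -ne $val) -and (& $checks[$key] $val) }
    }
}
# Constructed sample in secedit's INF layout. Live check (elevated): secedit /export /cfg $env:TEMP\secpol.inf, then Get-Content that file.
$Sample = @'
[System Access]
MinimumPasswordAge = 0
MaximumPasswordAge = 42
LockoutBadCount = 0
NewAdministratorName = "Administrator"
[Event Audit]
AuditLogonEvents = 3
AuditPrivilegeUse = 0
[Registry Values]
MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System\DontDisplayLastUserName=4,0
'@ -split "`r?`n"
Test-GpoRecommendations (ConvertFrom-SeceditInf $Sample) | Where-Object { -not $_.Pass } | Format-Table -AutoSize
```

On the constructed sample only AuditLogonEvents passes; every other row lists a default-like value that the article recommends changing, so the table is the gap list to take into the Group Policy editor.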