Recommended Group Policy Settings

This is by no means a definitive list. We will make some recommendations to you for your Group Policy settings. This could be considered a starter list. You should review all of the Group Policy settings to see how they fit in your business requirements.

There are three categories of group policy settings underneath two broad groups: Computer Configuration and User Configuration. Inside those are Software Settings, Windows Settings, and Administrative Templates.

Policies you apply within Computer Configuration apply to the whole computer (and all of its users), while settings you apply within User Configuration apply to the specific user.

We are offering these as recommendations. You should review all group policy changes prior to implementation.

Computer Configuration: Windows Settings: Security Settings: Account Policies: Password Policy

Group Policy Objects to Set: Enforce password history; maximum password age; minimum password age; minimum password length; Password must meet complexity requirements.

By default, these policy objects are set. In our environment, password history is set to '6 passwords remembered'; maximum password age is set at 45 days; and minimum password length is set to 7 characters.

There are frequent questions surrounding the minimum password age of '1 day' and why it is important to have a minimum password age. If a user is forced to change their password every 42 days (as in the default policy), the user could simply change their password the required number of times to get back to their original password. To prevent this security issue, a minimum password age is set so the user can only change their password once a day.

Computer Configuration: Windows Settings: Security Settings: Account Policies: Account Lockout Policy

There are three policy settings in this category: account lockout duration; account lockout threshold; reset account lockout counter after. We recommend setting the Account lockout threshold to '5 invalid login attempts.' This will automatically set the other two settings to 30 minutes.

This setting will lock a user account for 30 minutes if there are five invalid login attempts. This helps stop hackers from using automated password guessing software on user accounts.

Computer Configuration: Windows Settings: Security Settings: Local Policies: Audit Policy

There are several security items you can audit under the audit policy. To audit in Windows means to record the actions in the local logs. We recommend you audit the successes and failures of: account logon events, account management, logon events, policy change, and privilege use. We recommend you audit the failures of the rest of the items.

Computer Configuration: Windows Settings: Security Settings: Local Policies: Security Options

We recommend you set Accounts: Rename administrator account to Enabled and rename the administrator account to something else. This will help increase security by not giving a potential hacker the username at the start.

You should also consider setting Interactive logon: Do not display last user name to Enabled. This will display a blank username field at every boot - the user will be responsible for remembering their username. If someone gains physical access to the workstation, they would need to know a username to attempt to log in.

Computer Configuration: Administrative Templates: Windows Components

The Administrative Templates section of Group Policy allows you to set policies for the Windows operating system and its components.

Computer Configuration: Administrative Templates: Windows Components: Internet Explorer

If you have a proxy or ISA server, you may want to set Make proxy settings per-machine. This policy will allow you to set the proxy settings once for the machine, and then every account that logs in will receive those proxy settings.

Computer Configuration: Administrative Templates: Windows Components: Internet Information Services

If you set Prevent IIS installation, you can prevent rogue IIS servers from popping up on the network.

Computer Configuration: Administrative Templates: Windows Components: Windows Messenger

We do not like Windows Messenger (the MSN-like instant messenger application Microsoft installs by default). We enable Do not allow Windows Messenger to be run and Do not automatically start Windows Messenger initially.

Computer Configuration: Administrative Templates: Windows Components: Windows Update

If you are using SUS or want the machines to perform automatic updates, you can configure those options in this section.

User Configuration: Windows Settings: Internet Explorer Maintenance

There are several configuration options for Internet Explorer. If you want to force users to have the same homepage or options, you can configure these options here.

There are hundreds of policy settings you could potentially apply. We recommend caution: apply only the policies that are absolutely necessary, leaving the rest as "Not Configured." This will make your user community much happier.
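As an added example (not part of the original document), the following PowerShell script parses a secedit security-template export and reports where the Password Policy, Account Lockout Policy, Audit Policy and rename-administrator settings above are not met; the sample INF text is constructed, the function names are our own, and the 1-45 day maximum-age window is an assumption based on the 45-day value used above.

```powershell
# Added example, not from the original document. On a real machine produce the
# export with:  secedit /export /cfg C:\temp\policy.inf
# and read it with Get-Content -Raw; the text below is a constructed sample.
$SampleInf = @"
[System Access]
MinimumPasswordAge = 0
MaximumPasswordAge = 45
MinimumPasswordLength = 7
PasswordComplexity = 1
PasswordHistorySize = 6
LockoutBadCount = 0
NewAdministratorName = "Administrator"
[Event Audit]
AuditAccountLogon = 3
AuditAccountManage = 3
AuditLogonEvents = 3
AuditPolicyChange = 1
AuditPrivilegeUse = 3
AuditObjectAccess = 0
"@

function ConvertFrom-SeceditInf {
    param([string]$Text)
    $policy = @{}; $section = ''
    foreach ($line in $Text -split "`r?`n") {
        if ($line -match '^\[(.+)\]$') { $section = $Matches[1]; continue }
        if ($line -match '^\s*([^=]+?)\s*=\s*(.*?)\s*$') { $policy["$section/$($Matches[1])"] = $Matches[2].Trim('"') }
    }
    return $policy
}

function Test-RecommendedPolicy {
    param([hashtable]$Policy)
    $f = @(); $sa = 'System Access'
    if ([int]$Policy["$sa/PasswordHistorySize"] -lt 6) { $f += 'Enforce password history is below 6' }
    $maxAge = [int]$Policy["$sa/MaximumPasswordAge"]   # -1 in the export means passwords never expire
    if ($maxAge -lt 1 -or $maxAge -gt 45) { $f += 'Maximum password age is not within 1-45 days (assumed window)' }
    if ([int]$Policy["$sa/MinimumPasswordAge"] -lt 1) { $f += 'Minimum password age is 0: users can cycle back to an old password' }
    if ([int]$Policy["$sa/MinimumPasswordLength"] -lt 7) { $f += 'Minimum password length is below 7' }
    if ($Policy["$sa/PasswordComplexity"] -ne '1') { $f += 'Password complexity is not required' }
    $bad = [int]$Policy["$sa/LockoutBadCount"]          # 0 means accounts never lock out
    if ($bad -lt 1 -or $bad -gt 5) { $f += 'Account lockout threshold is not 1-5 attempts' }
    if ($Policy["$sa/NewAdministratorName"] -eq 'Administrator') { $f += 'Built-in administrator account has not been renamed' }
    $both = 'AuditAccountLogon','AuditAccountManage','AuditLogonEvents','AuditPolicyChange','AuditPrivilegeUse'
    foreach ($key in ($Policy.Keys | Where-Object { $_ -like 'Event Audit/*' })) {   # 1 = success, 2 = failure, 3 = both
        $name = $key.Split('/')[1]; $value = [int]$Policy[$key]
        if ($both -contains $name -and $value -ne 3) { $f += "$name should audit success and failure" }
        elseif ($both -notcontains $name -and -not ($value -band 2)) { $f += "$name should audit failures" }
    }
    return $f
}

Test-RecommendedPolicy (ConvertFrom-SeceditInf $SampleInf) | ForEach-Object { "FINDING: $_" }
```

With the constructed sample this reports the zero minimum password age, the disabled lockout threshold, the unrenamed administrator account, policy change auditing successes only, and object access not auditing failures.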