
Eight Important Group Policies to secure your environment


Group Policy lets system administrators manage domain objects through the Group Policy Management Console (GPMC). Planning and deploying Group Policy is an important part of a system administrator's job, and it is not possible without a good knowledge of group policies. In this post, we cover the eight most important group policies for securing your environment.

A secure environment is a priority for every organization, and Group Policy plays a very important role in it. Group Policy is an administrative tool that is installed during domain controller promotion. Group Policy is applied according to a priority order, which can be remembered with the word “LSDOU”. Here, L stands for the local computer, S stands for Site (computers situated in a single geographical location), D stands for Domain and OU stands for Organizational Unit (a container in Active Directory).

The OU has the highest priority in Group Policy precedence. Policies linked to the Domain have lower priority than those linked to the OU, but higher priority than those linked to the Site. The Site comes third, and Local has the lowest priority when group policies are applied.

The eight most critical group policies for securing your organization’s environment are:

1. Software Restriction Policy: Software restriction policy is a critical Group Policy used to restrict users from accessing any pre-installed or newly installed application. Using this policy, you can prevent users from running specific software on their desktops. Users will not be able to run the software that you restrict for them. It is important for organizations that do not want users to run unauthorized software on their desktops.

2. Disable USB ports: USB is one of the most common ways of connecting media devices such as hard disks, pen drives and cameras to computers. Most organizations are continuously under threat of having their critical data stolen. Therefore, they want to disable USB ports to prevent the copying of their confidential data or the introduction of harmful viruses into their network. This is a very important policy that organizations deploy to secure their environment.

3. Folder Redirection: Folder redirection is another important Group Policy to deploy in organizations. It can be used to redirect domain user data to a network location. It not only helps in keeping track of user data but also helps in backing up critical data. Some of the special folders that can be redirected are Application Data, Desktop, My Documents, Pictures, Start Menu, etc.

4. Install software remotely: Installing software remotely is another critical Group Policy that most organizations use to automate software deployment from a single console. Using this GPO, you can deploy software packages, e.g. MSI packages, on all the domain computers. This removes the manual intervention otherwise required to install software packages on a large number of desktops and laptops.

5. Item Level Targeting: Another critical Group Policy feature, used to target a certain set of users. In item-level targeting, we target the group policy so that it is deployed only to a certain set of users. The Group Policy is linked to an OU, but the policy is deployed only to the targeted users who are members of the security group, not to the entire population. It is crucial for environments in which you don’t want GPOs to apply to certain sets of users.

6. Hide Drives: Hiding drives using Group Policy is a very common requirement from many organizations, primarily from those that want their environment to be secure. This policy allows us to remove or hide the hard drive icons from “My Computer” and File Explorer. This policy only removes the icons of the hard drives; the drives can still be accessed through other methods. In every organization, there are some important documents or files on a particular drive that we want to restrict users from accessing, and this policy helps a lot in securing the organization’s documents.

7. Disable shutdown: Another critical Group Policy disables the Shutdown, Restart and Hibernate icons in the Start menu. The only power options left to the user are Log off and Switch user. After enabling this policy, all the power options except Log off and Switch user are disabled in the Start menu as well as on the Ctrl+Alt+Del screen.

8. Password Policy: The simplest and easiest technique for authenticating a user’s identity is a password. Users should always keep strong passwords to enhance their security. A network can be called secure only when all its users use strong passwords, so that there is no security lapse. Sometimes, users keep passwords that are easy to guess or do not change their passwords frequently. This is negligence in security.

To prevent security issues related to users’ passwords, some password policies are pre-defined. These pre-defined group policies are configured in the GPO named “Default Domain Policy”, which is linked to the domain. The path of the password policy in the GPME console is “Computer Configuration\Policies\Windows Settings\Security Settings\Account Policies\Password Policy”. Here, the settings are pre-defined with their default values, but we can change these values as per our requirements.

  1. Enforce password history: 24 passwords
  2. Maximum password age: 42 days
  3. Minimum password age: 1 day
  4. Minimum password length: 7 characters
  5. Password must meet complexity requirements: Enabled
  6. Store passwords using reversible encryption: Disabled

The Enforce password history setting records the last 24 unique passwords of each user so that they cannot repeat passwords frequently. This enhances the security of user accounts, and administrators can ensure that old passwords are not reused continuously.

The Maximum password age setting determines the period, in days, for which a single password can be used. The default value of this policy is 42 days, but we can set any value between 1 and 999 days. If we set the value to 0, the password will never expire.

The Minimum password age setting determines the minimum age of the password. Users can change a password again only after this period. The default value of this policy is 1 day, and we can set any value between 1 and 998 days. The minimum password age must be less than the maximum password age.

The Minimum password length setting determines the least number of characters that a password set by a user must contain. The default value is 7, but we can change the value to anything between 1 and 14 characters.

The Password must meet complexity requirements setting determines whether passwords must meet minimum requirements: at least 6 characters in length, both uppercase and lowercase letters, and special characters (!, @, #, $, etc.).

The Store passwords using reversible encryption setting determines whether the operating system stores passwords using reversible encryption. By default, it is disabled.
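
A check of a domain's password policy against the default values listed above, as an added example that is not part of the original post. The function name `Test-PasswordPolicyBaseline` and the sample policy object are hypothetical; the property names are those of the object returned by `Get-ADDefaultDomainPasswordPolicy` in the ActiveDirectory module.

```powershell
# Baseline: the default values listed in this post.
$Baseline = @{
    PasswordHistoryCount = 24; MaxPasswordAgeDays = 42
    MinPasswordAgeDays   = 1;  MinPasswordLength  = 7
}

function Test-PasswordPolicyBaseline {   # hypothetical helper name
    param([Parameter(Mandatory)] $Policy)

    $maxDays  = $Policy.MaxPasswordAge.Days
    $minDays  = $Policy.MinPasswordAge.Days
    $findings = @()

    if ($Policy.PasswordHistoryCount -lt $Baseline.PasswordHistoryCount) {
        $findings += "History remembers $($Policy.PasswordHistoryCount) passwords; baseline is $($Baseline.PasswordHistoryCount)."
    }
    if ($maxDays -eq 0) {
        $findings += 'Maximum password age is 0: passwords never expire.'
    } elseif ($maxDays -gt $Baseline.MaxPasswordAgeDays) {
        $findings += "Maximum password age is $maxDays days; baseline is $($Baseline.MaxPasswordAgeDays)."
    }
    if ($minDays -lt $Baseline.MinPasswordAgeDays) {
        $findings += "Minimum password age is $minDays days; baseline is $($Baseline.MinPasswordAgeDays)."
    }
    # The post's constraint: minimum age must be less than maximum age.
    if ($maxDays -ne 0 -and $minDays -ge $maxDays) {
        $findings += 'Minimum password age must be less than maximum password age.'
    }
    if ($Policy.MinPasswordLength -lt $Baseline.MinPasswordLength) {
        $findings += "Minimum length is $($Policy.MinPasswordLength); baseline is $($Baseline.MinPasswordLength)."
    }
    if (-not $Policy.ComplexityEnabled) { $findings += 'Complexity requirements are disabled.' }
    if ($Policy.ReversibleEncryptionEnabled) { $findings += 'Reversible encryption is enabled.' }
    return $findings
}

# Constructed sample policy so the check runs offline.
$sample = [pscustomobject]@{
    PasswordHistoryCount        = 5
    MaxPasswordAge              = [timespan]::FromDays(0)
    MinPasswordAge              = [timespan]::FromDays(0)
    MinPasswordLength           = 6
    ComplexityEnabled           = $true
    ReversibleEncryptionEnabled = $true
}
Test-PasswordPolicyBaseline -Policy $sample

# On a domain-joined host with the ActiveDirectory module:
# Test-PasswordPolicyBaseline -Policy (Get-ADDefaultDomainPasswordPolicy)
```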