Top 10 Most Important Group Policy Settings for Preventing Security Breaches (2023)

There are some simple Group Policy Settings, which if appropriately configured, can help to prevent data breaches. You can make your organizational network safer by configuring the security and operational behavior of computers through Group Policy (a group of settings in the computer registry). Through Group Policy, you can prevent users from accessing specific resources, run scripts, and perform simple tasks such as forcing a particular home page to open for every user in the network.

Important Group Policy Settings to Prevent Breaches

Here is the list of top 10 Group Policy Settings:

  1. Moderating Access to Control Panel
  2. Prevent Windows from Storing LAN Manager Hash
  3. Control Access to Command Prompt
  4. Disable Forced System Restarts
  5. Disallow Removable Media Drives, DVDs, CDs, and Floppy Drives
  6. Restrict Software Installations
  7. Disable Guest Account
  8. Set Minimum Password Length to Higher Limits
  9. Set Maximum Password Age to Lower Limits
  10. Disable Anonymous SID Enumeration

In this article, you will learn why these Group Policy settings simply cannot be ignored.

1. Moderating Access to Control Panel

Setting limits on a computer’s Control Panel creates a safer business environment. Through Control Panel, you can control all aspects of your computer. So, by moderating who has access to the computer, you can keep data and other resources safe. Perform the following steps:

  1. In Group Policy Management Editor (opened for a user-created GPO), navigate to “User Configuration” > “Administrative Templates” > “Control Panel”.
  2. In the right pane, double-click the “Prohibit access to Control Panel and PC settings” policy to open its properties.
  3. Select “Enabled” from the three options.
  4. Click “Apply” and “OK”.

Figure 1: Configuring Control panel settings through GPO

2. Prevent Windows from Storing LAN Manager Hash

Windows generates and stores user account passwords in “hashes.” Windows generates both a LAN Manager hash (LM hash) and a Windows NT hash (NT hash) of passwords. It stores them in the local Security Accounts Manager (SAM) database or Active Directory.

The LM hash is weak and prone to hacking. Therefore, you should prevent Windows from storing an LM hash of your passwords. Perform the following steps to do so:

  1. In Group Policy Management Editor window (opened for a custom GPO), go to “Computer Configuration” > “Windows Settings” > “Security Settings” > “Local Policies” > “Security Options”.
  2. In the right pane, double-click “Network security: Do not store LAN Manager hash value on next password change” policy.
  3. Select “Define this policy setting” checkbox and click “Enabled”.
  4. Click “Apply” and “OK”.

Figure 2: Configuring policy to not store LAN Manager hash value policy

3. Control Access to Command Prompt

Command Prompts can be used to run commands that give high-level access to users and evade other restrictions on the system. So, to ensure system resources’ security, it’s wise to disable Command Prompt.

After you have disabled Command Prompt and someone tries to open a command window, the system will display a message stating that some settings are preventing this action. Perform the following steps:

  1. In the window of Group Policy Management Editor (opened for a custom GPO), go to “User Configuration” > “Windows Settings” > “Policies” > “Administrative Templates” > “System”.
  2. In the right pane, double-click “Prevent access to the command prompt” policy.
  3. Click “Enabled” to apply the policy.
  4. Click “Apply” and “OK”.

Figure 3: Prevent access to the command prompt window

4. Disable Forced System Restarts

Forced system restarts are common. For example, you may face a situation where you were working on your computer and Windows displays a message stating that your system needs to restart because of a security update.

In many cases, if you fail to notice the message or take some time to respond, the computer restarts automatically, and you lose important, unsaved work. To disable forced restart through GPO, perform the following steps:

  1. In “Group Policy Management Editor” window (opened for a custom GPO), go to “Computer Configuration” > “Administrative Templates” > “Windows Components” > “Windows Update”.
  2. In the right pane, double-click “No auto-restart with logged on users for scheduled automatic updates installations” policy.
  3. Click “Enabled” to enable the policy.
  4. Click “Apply” and “OK”.

Figure 4: No system auto-restart with logged on users

5. Disallow Removable Media Drives, DVDs, CDs, and Floppy Drives

Removable media drives are very prone to infection, and they may also contain a virus or malware. If a user plugs an infected drive to a network computer, it can affect the entire network. Similarly, DVDs, CDs and Floppy Drives are prone to infection.

It is therefore best to disable all these drives entirely. Perform the following steps to do so:

  1. In Group Policy Management Editor window (opened for a custom GPO), go to “User Configuration” > “Policies” > “Administrative Templates” > “System” > “Removable Storage Access”.
  2. In the right pane, double-click “All removable storage classes: Deny all accesses” policy.
  3. Click “Enabled” to enable the policy.
  4. Click “Apply” and “OK”.

Figure 5: Deny access to all removable storage classes

6. Restrict Software Installations

When you give users the freedom to install software, they may install unwanted apps that compromise your system. System admins will usually have to routinely do maintenance and cleaning of such systems. To be on the safe side, it’s advisable to prevent software installations through Group Policy:

  1. In Group Policy Management Editor (opened for a custom GPO), go to “Computer Configuration” > “Administrative Templates” > “Windows Components” > “Windows Installer”.
  2. In the right pane, double-click “Prohibit User Install” policy.
  3. Click “Enabled” to enable the policy.
  4. Click “Apply” and “OK”.

Figure 6: Restricting software installations

7. Disable Guest Account

Through a Guest Account, users can get access to sensitive data. Such accounts grant access to a Windows computer and do not require a password. Enabling this account means anyone can misuse and abuse access to your systems.

Thankfully, these accounts are disabled by default. It’s best to check that this is the case in your IT environment as, if this account is enabled in your domain, disabling it will prevent people from abusing access:

  1. In Group Policy Management Editor (opened for a custom GPO), go to “Computer Configuration” > “Windows Settings” > “Security Settings” > “Local Policies” > “Security Options”.
  2. In the right pane, double-click “Accounts: Guest Account Status” policy.
  3. Select “Define this policy setting” checkbox and click “Disabled”.
  4. Click “Apply” and “OK”.

Figure 7: Disabling guest account

8. Set Minimum Password Length to Higher Limits

Set the minimum password length to higher limits. For example, for elevated accounts, passwords should be set to at least 15 characters, and for regular accounts at least 12 characters. Setting a lower value for minimum password length creates unnecessary risk. The default setting is “zero” characters, so you will have to specify a number:

  1. In Group Policy Management Editor window (opened for a custom GPO), go to “Computer Configuration” > “Windows Settings” > “Security Settings” > “Account Policies” > “Password Policy”.
  2. In the right pane, double-click “Minimum password length” policy and select the “Define this policy setting” checkbox.
  3. Specify a value for the password length.
  4. Click “Apply” and “OK”.

Figure 8: Configuring minimum password age policy setting

9. Set Maximum Password Age to Lower Limits

If you set the password expiration age to a lengthy period of time, users will not have to change it very frequently, which means it’s more likely a password could get stolen. Shorter password expiration periods are always preferred.

Windows’ default maximum password age is set to 42 days. The following screenshot shows the policy setting used for configuring “Maximum Password Age”. Perform the following steps:

  1. In Group Policy Management Editor window (opened for a custom GPO), go to “Computer Configuration” > “Windows Settings” > “Security Settings” > “Account Policies” > “Password Policy”.
  2. In the right pane, double-click “Maximum password age” policy.
  3. Select “Define this policy setting” checkbox and specify a value.
  4. Click “Apply” and “OK”.

Figure 9: Configuring maximum password age policy setting

10. Disable Anonymous SID Enumeration

Active Directory assigns a unique number, called a Security Identifier (SID), to every security object in the directory, including users, groups and others. In older Windows versions, users could query the SIDs to identify important users and groups. Hackers can exploit this provision to get unauthorized access to data. By default, this setting is disabled; ensure that it remains that way. Perform the following steps:

  1. In Group Policy Management Editor window, go to “Computer Configuration” > “Policies” > “Windows Settings” > “Security Settings” > “Local Policies” > “Security Options”.
  2. In the right pane, double-click “Network Access: Do not allow anonymous enumeration of SAM accounts and shares” policy setting.
  3. Choose ‘Enabled’ and then click ‘Apply’ and ‘OK’ to save your settings.



If you get these Group Policy settings correct, your organization’s security will automatically be in a better state. Please make sure to apply the modified Group Policy Object to everyone and update the Group Policies to reflect them on all domain controllers in your environment.
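
One way to confirm that the Security Settings above (items 2, 7, 8, 9 and 10) actually reached a machine is to check a `secedit` security-template export against them. This is an added example, not part of the original article or of Lepide's tooling; the function names `ConvertFrom-SecurityTemplate` and `Test-ArticleBaseline` are hypothetical, the 42-day ceiling for password age is an assumption (the article only says "lower"), and the sample export is constructed.

```powershell
function ConvertFrom-SecurityTemplate {
    # Parse security-template INF text ("[Section]" headers, "Name = Value"
    # lines) into a hashtable keyed by "Section|Name".
    param([string[]]$Lines)
    $settings = @{}
    $section  = ''
    foreach ($raw in $Lines) {
        $line = $raw.Trim()
        if ($line -match '^\[(.+)\]$') { $section = $Matches[1]; continue }
        if ($line -match '^(.+?)\s*=\s*(.*)$') {
            $settings["$section|$($Matches[1])"] = $Matches[2]
        }
    }
    return $settings
}

function Test-ArticleBaseline {
    param(
        [hashtable]$Settings,
        [int]$MinLength  = 12,  # article: 12 for regular accounts, 15 for elevated
        [int]$MaxAgeDays = 42   # assumption: treat the Windows default as the ceiling
    )
    $lsa = 'Registry Values|MACHINE\System\CurrentControlSet\Control\Lsa'
    # Registry values are exported as "<type>,<data>"; return only the data part.
    $regData = {
        param($key)
        if ($Settings.ContainsKey($key)) { ($Settings[$key] -split ',', 2)[1] }
    }
    # A missing value casts to 0 and therefore fails the check (conservative).
    $length = [int]$Settings['System Access|MinimumPasswordLength']
    $age    = [int]$Settings['System Access|MaximumPasswordAge']  # -1 = never expires

    $checks = [ordered]@{
        '2. LM hash not stored (NoLMHash)'                  = (& $regData "$lsa\NoLMHash") -eq '1'
        '7. Guest account disabled'                         = $Settings['System Access|EnableGuestAccount'] -eq '0'
        "8. Minimum password length >= $MinLength"          = $length -ge $MinLength
        "9. Maximum password age 1..$MaxAgeDays days"       = ($age -ge 1) -and ($age -le $MaxAgeDays)
        '10. No anonymous enumeration of SAM accts/shares'  = (& $regData "$lsa\RestrictAnonymous") -eq '1'
    }
    foreach ($name in $checks.Keys) {
        [pscustomobject]@{ Check = $name; Compliant = [bool]$checks[$name] }
    }
}

# Constructed sample export (not from a real host): the GPO has not applied yet,
# so the short password length and the anonymous-enumeration gap are still present.
$sample = @'
[Unicode]
Unicode=yes
[System Access]
MinimumPasswordLength = 7
MaximumPasswordAge = 42
EnableGuestAccount = 0
[Registry Values]
MACHINE\System\CurrentControlSet\Control\Lsa\NoLMHash=4,1
MACHINE\System\CurrentControlSet\Control\Lsa\RestrictAnonymous=4,0
MACHINE\System\CurrentControlSet\Control\Lsa\RestrictAnonymousSAM=4,1
'@ -split "`r?`n"

Test-ArticleBaseline -Settings (ConvertFrom-SecurityTemplate $sample) |
    Format-Table -AutoSize

# On a live host, from an elevated prompt, export the effective policy and check it:
#   secedit /export /cfg "$env:TEMP\secpol.inf" /areas SECURITYPOLICY
#   $live = ConvertFrom-SecurityTemplate (Get-Content "$env:TEMP\secpol.inf")
#   Test-ArticleBaseline -Settings $live -MinLength 15   # elevated-account threshold
```

Items 1 and 3 to 6 are Administrative Templates settings, which a `secedit` export does not contain; the HTML report from `gpresult /h` lists those.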

How Lepide Keeps Group Policy Changes in Control

If you want to remain in full control of your IT infrastructure, you have to make sure no unwanted changes in these policies and other Group Policies are made. You can do this by continuous monitoring of Group Policy changes.

However, doing this through native auditing can be tricky, due to the amount of noise generated and the unavailability of predefined reports. To keep a continuous track of changes made in Group Policy Objects, try Lepide Group Policy Auditor. Our solution allows you to audit every change made to Group Policies in real time. You can also roll back any unwanted or unplanned Group Policy change quickly.

FAQs

What are 3 Best Practices for GPOs? ›

Here are Active Directory Group Policy best practices that will help you to secure your systems and optimize Group Policy performance.
  • Do not modify the Default Domain Policy and Default Domain Controller Policy. ...
  • Create a well-designed organizational unit (OU) structure in Active Directory. ...
  • Give GPOs descriptive names.

What is a group policy and example? ›

Examples of group policies include configuring operating system security, adding firewall rules, or managing applications like Microsoft Office or a browser. Group Policies also install software and run startup and login scripts.

How many GPO settings are there? ›

There are three types of GPOs: local, non-local and starter.

What type of options are available in security policies? ›

The Security Settings extension of the Local Group Policy Editor includes the following types of security policies:
  • Account Policies. ...
  • Local Policies. ...
  • Windows Firewall with Advanced Security. ...
  • Network List Manager Policies. ...
  • Public Key Policies. ...
  • Software Restriction Policies. ...
  • Application Control Policies.

What are policy settings? ›

used to describe an organization, etc. that decides new policies for a government, political party, etc.: policy-setting committee/council/panel Investors are concerned the Federal Reserve's policy-setting committee will raise interest rates at its next meeting.

How do I secure my system using Group Policy? ›

Top 10 Most Important Group Policy Settings for Preventing Security Breaches
  1. Moderating Access to Control Panel.
  2. Prevent Windows from Storing LAN Manager Hash.
  3. Control Access to Command Prompt.
  4. Disable Forced System Restarts.
  5. Disallow Removable Media Drives, DVDs, CDs, and Floppy Drives.
  6. Restrict Software Installations.

How do I manage Group Policy? ›

Open the Control Panel on the Start Menu. Click the Windows icon on the Toolbar, and then click the widget icon for Settings. Start typing 'group policy' or 'gpedit' and click the 'Edit Group Policy' option.

How do I set GPO security filtering? ›

Open the Group Policy Management console. In the navigation pane, find and then click the GPO that you want to modify. In the details pane, under Security Filtering, click the currently assigned security group, and then click Remove. Now you can add the appropriate security group to this GPO.

What is the purpose of group policy? ›

Group Policy is primarily a security tool, and can be used to apply security settings to users and computers. Group Policy allows administrators to define security policies for users and for computers.

Why do we need group policy? ›

It essentially provides a centralized place for administrators to manage and configure operating systems, applications and users' settings. Group Policies, when used correctly, can enable you to increase the security of users' computers and help defend against both insider threats and external attacks.

Which group policy has the highest precedence? ›

GPOs linked to organizational units have the highest precedence, followed by those linked to domains. GPOs linked to sites always take the least precedence. To understand which GPOs are linked to a domain or OU, click the domain or OU in GPMC and select the Linked Group Policy Objects tab.

How many GPO can be applied to any one computer? ›

Each computer running the windows line of the operating system has exactly one local group policy. It is available only to the particular computer in which it resides and the users who log on to that computer. The local group policy objects reside in the %systemroot%\System32\Group Policy folder.

What is Group Policy preferences? ›

Group Policy Preferences is a collection of Group Policy client-side extensions that deliver preference settings to domain-joined computers running Microsoft Windows desktop and server operating systems. Preference settings are administrative configuration choices deployed to desktops and servers.

What is GPO in cyber security? ›

​Group Policy Objects (GPOs) provides an infrastructure for centralized configuration management of the Windows operating system and applications that run on the operating system. GPOs are a collection of settings that define what a system will look like and how it will behave for a defined group of computers or users.

What is the importance of a security policy? ›

Security policies are important because they protect an organization's assets, both physical and digital. They identify all company assets and all threats to those assets.

What is security setting? ›

Security settings features are the second layer authentication mechanism provided by bank to its customers for increased protection against threats. This features protects the application from unauthorized access, modification, analysis or exploitation.

What are the main setting in the default domain policy? ›

Default Domain Policy: A default GPO that is automatically created and linked to the domain whenever a server is promoted to a domain controller. It has the highest precedence of all GPOs linked to the domain, and it applies to all users and computers in the domain.

How do you set a local security policy to enforce password restrictions? ›

In the console tree, click Computer Configuration, click Windows Settings, and then click Security Settings. Do one of the following: Click Account Policies to edit the Password Policy or Account Lockout Policy. Click Local Policies to edit an Audit Policy, a User Rights Assignment, or Security Options.

How do I save group policy settings? ›

Right-click the GPO, and then click Export to. Enter a file name for the file to which you want to export the GPO, and then click Export. If the file does not exist, it is created.

How do you apply security policies to a domain account? ›

Select Default Domain Policy, and then click Edit. Click Computer Configuration, expand Windows Settings, Security Settings, Account Policies, and then expand Account Lockout Policy. Right-click the account lockout policy that you want to implement and then select Properties from the shortcut menu.

Where are group policies stored? ›

Local Group Policy is stored in the “%windir%\system32\grouppolicy” directory (usually, C:\windows\system32\grouppolicy). Each policy you create gets its own folder, named with the security ID (SID) of the corresponding user object.

Where are group policies managed? ›

You can find the Group Policy Management Console in the Tools menu of Microsoft Windows Server Manager. It is not a best practice to use domain controllers for everyday management tasks, so you should install the Remote Server Administration Tools (RSAT) for your version of Windows.

How do I check Group Policy? ›

To search for Group Policy settings in the Group Policy Management Console (GPMC), use the Group Policy Search tool. To find the Group Policy settings, click Windows Components, and then click Internet Explorer.

What is Gpresult command? ›

The gpresult command displays the resulting set of policy settings that were enforced on the computer for the specified user when the user logged on.

What is the group policy? ›

Group Policy is an infrastructure that allows you to specify managed configurations for users and computers through Group Policy settings and Group Policy Preferences. To configure Group Policy settings that affect only a local computer or user, you can use the Local Group Policy Editor.

How do I apply a group policy to a specific user? ›

Click the Users tab. Select the user or group you want to apply a specific set of configurations.
...
  1. Click the OK button.
  2. Click the Finish button.
  3. Click the OK button.
  4. Click the File menu.
  5. Select the Save As option.

What account does Group Policy use? ›

Group Policy supports four main types of scripts: computer startup, computer shutdown, user logon, and user logoff. The computer startup and shutdown scripts execute under the local system account; user logon and logoff scripts run as the current user account.

How do I create a Group Policy in Group Policy management? ›

Open the Group Policy Management console. In the navigation pane, expand Forest:YourForestName, expand Domains, expand YourDomainName, and then click Group Policy Objects. Click Action, and then click New. In the Name text box, type the name for your new GPO.

What is a Group Policy client? ›

Group Policy client: Maintains a policy configuration that is consistent with the policy information that is stored on the Group Policy server. This is the primary actor. The primary interests of the Group Policy client are to: Retrieve policy content from the Group Policy server.

What is the difference between Active Directory and Group Policy? ›

An Active Directory environment means that you must have at least one server with the Active Directory Domain Services installed. Group Policy allows you to centralize the management of computers on your network without having to physically go to and configure each computer individually.

Is Group Policy part of Active Directory? ›

Group Policy is an integral feature built into Microsoft Active Directory. Its core purpose is to enable IT administrators to centrally manage users and computers across an AD domain.

What is user policy? ›

A user account policy is a document which outlines the requirements for requesting and maintaining an account on computer systems or networks, typically within an organization. It is very important for large sites where users typically have accounts on many systems.

Which Group Policy takes precedence user or computer? ›

Next, the list of GPOs for the computer is added to the end of the GPOs for the user. This causes the computer's GPOs to have higher precedence than the user's GPOs.

Which is the correct order of Group Policy application? ›

Typically, when determining which policy settings to apply, the local policy of the machine is evaluated, followed by site policies, then domain policies, and finally the policies on all the OUs that contain the object being processed starting at the root of the domain.

Which Group Policy is applied last? ›

The GPO with the lowest link order will be processed last – in other words the GPO with a link order of 1 has the highest precedence, followed by link order 2, etc.

Which GPO is applied first? ›

GPOs are processed in the following order: The local GPO is applied. GPOs linked to sites are applied. GPOs linked to domains are applied.

How do I override a domain in Group Policy? ›

ARCHIVED: How do I override settings in the Default Domain Policy for my OU?
  1. From the Start menu, click Programs or All Programs, then Administrative Tools, and then Group Policy Management.
  2. Check the policy setting for Default Domain Policy to make sure you want to change it from its default:

Which Group Policy has priority local or domain? ›

Windows reads the user-specific Local Group Policy object last; therefore, it has the highest precedence. The Local Computer Policy has lowered precedence.

Which two option can be configured via Group Policy? ›

Group Policies are the easiest method administrators can use to configure computer and user settings on their networks using Active Directory Domain Services (AD DS).

What is local Group Policy? ›

A Local Group Policy is a variant of Group Policy that applies to individual computers, as opposed to all the computers that are registered on a domain. A good example is your home computer with Windows 11, Windows 10, Windows 8.1, or Windows 7.

What is a Group Policy update? ›

The remote Group Policy refresh updates all Group Policy settings, including security settings that are set on a group of remote computers, by using the functionality that is added to the context menu for an OU in the Group Policy Management Console (GPMC).

How does GPO work in Active Directory? ›

Each GPO is linked to an Active Directory container in which the computer or user belongs. By default, the system processes the GPOs in the following order: local, site, domain, then organizational unit. Therefore, the computer or user receives the policy settings of the last Active Directory container processed.

What is schema master FSMO role? ›

The schema master FSMO role holder is the DC responsible for performing updates to the directory schema, that is, the schema naming context or LDAP://cn=schema,cn=configuration,dc=<domain>. This DC is the only one that can process updates to the directory schema.

What is a starter GPO? ›

System Starter Group Policy Objects (GPOs) are read-only Starter GPOs that provide a baseline of settings for a specific scenario. Like Starter GPOs, they derive from a GPO, provide the ability to store a collection of Administrative Template policy settings in a single object, and can be imported.

Should I edit default domain policy? ›

Do Not Modify the Default Domain Policy. This GPO should only be used for account policy settings, password policy, account lockout policy, and Kerberos policy. Any other settings should be put into a separate GPO. The Default Domain Policy is set at the domain level so all users and computers get this policy.

What policies should you use if you are using Group Policy Objects with Windows? ›

Here is the list of top 10 Group Policy Settings:
  • Moderating Access to Control Panel.
  • Prevent Windows from Storing LAN Manager Hash.
  • Control Access to Command Prompt.
  • Disable Forced System Restarts.
  • Disallow Removable Media Drives, DVDs, CDs, and Floppy Drives.
  • Restrict Software Installations.
  • Disable Guest Account.

How do I speed up Group Policy processing? ›

How do I speed up Group Policy processing?
  1. Decrease the number of GPOs that are processed at once. ...
  2. Use a faster network. ...
  3. Disable or uninstall unnecessary software. ...
  4. Refresh policy settings. ...
  5. Reset Group Policy Editor.

How many GPOs is too many? ›

As always, be sure to test this in your environment as different configurations could yield different results. Note, that in no case can a client process more than 999 GPOs before the Group Policy engine gives up and dies. And that's definitely too many GPOs.

What is a default domain? ›

A default domain is where you want someone to end up regardless of what they type in the address bar of their browser. If you set the WWW version as your default, that means visiting domain.com will take you to www.domain.com.

Which of the two types of default are GPO? ›

When you establish the domain and the domain controller, two GPOs are created by default: Default Domain Policy GPO. A GPO created for and linked to the domain within Active Directory. This GPO is used to establish baselines for a selection of policy settings that apply to all users and computers in a domain.

What is a Group Policy management? ›

Group Policy (GP) is a Windows management feature that allows you to control multiple users' and computers' configurations within an Active Directory environment. With GP, all Organizational Units, sites, or domains can be configured from a single and central place.

How do I find my default Group Policy? ›

Security Policies
  1. Select Start | All Programs | Administrative Tools | Active Directory Users and Computers.
  2. Right-click the domain node in the left pane and click Properties.
  3. Choose the Group Policy tab.
  4. Select the Default Domain Policy and click Edit.

What is Group Policy and why is it important? ›

Group Policy is a hierarchical infrastructure that allows a network administrator in charge of Microsoft's Active Directory to implement specific configurations for users and computers. Group Policy is primarily a security tool, and can be used to apply security settings to users and computers.

How often should Group Policy update? ›

Group Policy is automatically refreshed when you restart the domain member computer, or when a user logs on to a domain member computer. In addition, Group Policy is periodically refreshed. By default, this periodic refresh is performed every 90 minutes with a randomized offset of up to 30 minutes.

What is the default GPO refresh interval? ›

Windows periodically refreshes group policy settings throughout the network. On client computers, this is done by default every 90 minutes, with a randomized offset of plus or minus 30 minutes.

How often is Group Policy applied? ›

By default, policy is reapplied every 90 minutes. To set the interval at which policy will be reapplied, use the Group Policy Object Editor. Policy can also be reapplied on demand.

Article information

Author: Edwin Metz

Last Updated: 04/02/2023
