10 Windows Group Policy Settings – Must Get Them Right

If you are responsible for ensuring Windows 10 security in your organization, here are some of the lesser-known group security policy settings you need to be aware of. Ensure you get them right, always.

1. Use Kerberos and NTLMv2 instead of NTLMv1 and LM protocols

Kerberos and NTLMv2 authentication protocols are much more secure than the legacy NTLMv1 and LM (LAN Manager) authentication protocols. Keep your Windows patched up, and use the latest protocols to stay safe.
ntml keberos

2. Change the Admin Account Name

Guess what’s the default name for the administrator account for Windows 10? Yes – Admin. So, when you’re making attempts to prevent communication of other users’ account names, why let yours be such a publically known fact. Change the administrator account name, and you’ll be leaps ahead of amateur hackers who bank on being able to access machines with the basic default security settings.

3. Guest Account – Strict NO

A guest account is a pretty spacious crack in the security wall of your Windows 10 system because it enables violators to identify and access a whole lot of information you’d otherwise not want to go out. The best solution – don’t enable guest accounts (which don’t require a password). By default, the guest account is turned off, which is a sigh of relief.

4. Leverage Fine-Grained Password Policies

On Windows, anything less than 12 characters is a risky password, that’s what the world has agreed to over the years. For elevated user accounts, make it at least 15 characters. With a 15 character password, you can be as much as totally sure that the password won’t be hacked through bots.
However, with group policy settings, the minimum password length you can enforce is only 14 characters. Here, Fine-Grained Password Policies come to the fore. From Windows Server 2012 onwards, the Fine-Grained Password settings are accessible via GUI, and hence, more conveniently usable.
Fine-Grained Password policies can be used to specify more than one password policy in a single domain. Different users on a domain can be governed by different account lockout and password lockout policies. Make it a point to apply the strictest settings to privileged accounts. Consider applying special password policies for accounts that have passwords in sync with other sources of data.

5. Password Expiration

The job of anybody on an organizational system and data security team is to strike a balance between security best practices and user experience with access and passwords. If you are able to implement the ‘minimum 15 character password’ rule, you can consider extending the default password expiration duration from the default 42 days. Something around 90 days is a safe option for 15 character passwords. Anything lower, and you need to go strict on the password expiration; we suggest you keep it set to default 42 for 13 and 14 character password setting.

6. Don’t store LM password hash strings on disk

Did you know – LM password hash strings are stored on the disk. Also, hackers can access these strings, and construct the plaintext passwords from them. Imagine the kind of security threat this can translate into for your Windows 10. As a safeguard, disable the storage of LM password hashes on the disk.

7. Use Event Logs for Immediate Recognition of Security Breaches

It’s surprising how even seasoned Windows system administrators forget or ignore using this super beneficial option. Not only do event logs enable swift identification of security breaches, but they also help you to channel your actions towards resolving the root cause of the violation. Microsoft Security Compliance Manager recommends a set of settings relevant for event logs to help you keep your Windows OS setup safe. Also, make it a point to use audit subcategories, and not the legacy category settings.

8. Wi-Fi Settings You Need to be Careful With

Windows 10 pulls off some surprises in terms of Wi-Fi settings. Go to Settings > Network & Internet > Manage Wi-Fi Settings. Here, we recommend that you switch off access to public hotspots since they are a known method used by hackers to attack Windows systems. Also, keep network sharing disabled, so that there are no inadvertent events such as a user sharing network access with social media friends.

9. User Account Control

User Account Control is among the most noteworthy protection tools in Windows, especially for users with web access. However, it’s commonplace for users to turn off the UAC, mostly because of the compatibility problem messages that they keep on being pestered with. Whereas Windows 10 eliminates these compatibility issues, you can also consciously use Microsoft’s free application compatibility utility to overcome compatibility issues. By default, User Account Control is enabled in Windows 10; make sure you don’t turn it off. Without UAC, you’re as good as using a primitive operating system.

10. Restrict Sharing of Account Information with Apps

Windows 10 gives you a pretty useful setting that you can use to restrict users from allowing applications to access their account details such as user name and profile picture. Some applications can even access domain information, which makes them a headache for Windows 10 security teams. Go to Computer Configuration. In the Administrative Templates option, you will see System > User Profiles. This is where you can restrict the sharing of account details with applications, keeping firmer control over what’s communicated to external apps.

A bonus tip – Remember the days when anybody could query the Security Identifiers for important users, groups, and security objects to unveil a lot of important information about Windows? Well, Windows 10 comes with SID enumeration turned off by default. Also, anonymous access to an ‘everyone’ group is, by default, disabled. It’s a conscious step from Microsoft to foil hacking attempts made by hackers who know of this known issue with legacy systems. So, if you plan to play around with this setting, do so after acknowledging the risks.

Author: Rahul Sharma