How to prevent security breaches with group policy settings

 
  • What is a Group Policy Object?

    A Group Policy Object (GPO) is a set of policies that lets you control how certain Windows features behave for a specified set of users or computers in a network. For example, with Group Policy you can control which applications are available on a specific computer or configure the homepage for a specific user.

  • Why are GPOs important?

    GPOs provide centralized control over the users and computers in a network. They are also the building blocks of well-structured security practices. If you are smart with GPO configurations, you can fend off a lot of security breaches, as you will learn later in this article.

  • How do I configure GPOs?

    GPOs can be created or edited from the Group Policy Object Editor or the Group Policy Management Console (GPMC), a built-in Microsoft Management Console (MMC) snap-in. Once GPOs are created, they can be linked to a container (domain, site or OU) that holds the users or computers to which the settings should apply.

  Installing the GPMC

Windows Server 2012 and later

  1. Navigate to Start > Control Panel > Programs and Features > Turn Windows features on or off.
  2. In the Add Roles and Features Wizard window, click the Features tab in the left pane, and then select Group Policy Management.
  3. Click Next, then click Install.

Windows 8 and later

  1. Download and install Remote Server Administration Tools for Windows 8, Windows 8.1, and Windows 10.
  2. Navigate to Start > Control Panel > Programs and Features > Turn Windows features on or off.
  3. Navigate to Remote Server Administration Tools > Feature Administration Tools and select Group Policy Management Tools.
  4. Click Install.

IT security best practices for GPO settings

As much as GPOs enhance network security, if they are not configured and managed properly they also leave vulnerabilities for attackers to exploit. Not changing the default settings and allowing open access to critical functionality can lead to a security disaster. Below are some GPO best practices that help you fortify your IT security and plan for a safer network.

Disable access to the Control Panel

The Control Panel can become a Pandora's box of security disasters if it falls into the wrong hands. From adding unauthorized accounts to installing malicious programs, access to the Control Panel can be misused. Hence, disable this access for everyone except the IT admins or the IT security team members.

Steps to restrict access to Control Panel using GPOs

  1. Launch the Group Policy Management console from the Start menu.
  2. Right click on Group Policy Objects from the left panel and select New.
  3. Enter a suitable name for the new GPO and click OK.
  4. Right click on the GPO created earlier and select Edit.
  5. In the left panel, navigate to User configuration > Administrative templates > Control Panel.
  6. Right click on the Prohibit access to Control Panel and PC settings setting and click Edit. Select Enabled from the Policy settings window and click Apply and then click OK.
  7. Once the GPO is created, you can apply it by right clicking on the OU and selecting Link an Existing GPO. Then select the GPO and click OK.

Disable access to Command Prompt

Since the command prompt can be used to execute any script, users may accidentally or intentionally run a malicious script that can compromise the entire network. Hence, it is smarter to provide access to the command prompt only to users who need it to perform their tasks.

Steps to restrict access to command prompt using GPOs

  1. Launch the Group Policy Management console from the Start menu.
  2. From the left panel, right click on the OU for which you wish to restrict access to the command prompt. Then select the Create a GPO in this domain and Link it here... option.
  3. Enter a suitable name for the GPO and click OK.
  4. From the left panel, right click on the GPO created and select Edit.
  5. Navigate to User configuration > Policies > Administrative templates > System.
  6. Right click on Prevent access to the command prompt and click Edit. Select Enabled from the Policy settings window and click Apply and then click OK.

Access to network registry

Since the registry can be edited from any computer on the network, enabling access to the network registry only for authorized users is the commonly recommended best practice. Access to the network registry can be disabled in a few simple steps.

Steps to restrict access to registry editing tools using GPOs

  1. Launch the Group Policy Management console from the Start menu.
  2. From the left panel, right click on the OU to which you wish to apply this restriction. Then select the Create a GPO in this domain and Link it here... option.
  3. Enter a suitable name for the GPO and click OK.
  4. From the left panel, right click on the GPO created and select Edit.
  5. Navigate to User configuration > Policies > Administrative templates > System.
  6. Right click on Prevent access to registry editing tools and click Edit. Select Enabled from the Policy settings window and click Apply and then click OK.

Restrict forced restarts

Forced restarts are often harmful in case of devices infected with ransomware. In Windows, they occur as pop-up messages that say a restart is needed to apply security updates. Experts suggest that reboots can sometimes enable the malware to affect the entire network and the users should either opt for a reboot in safe mode or reach out to the IT admin for resolution.

Steps to restrict forced restarts using GPOs

  1. Launch the Group Policy Management console from the Start menu.
  2. From the left panel, right click on the OU to which you wish to apply this restriction. Then select the Create a GPO in this domain and Link it here... option.
  3. Enter a suitable name for the GPO and click OK.
  4. From the left panel, right click on the GPO created and select Edit.
  5. Navigate to Computer configuration > Administrative templates > Windows components > Windows Update.
  6. Right click on No auto-restart with logged on users for scheduled automatic update installations and click Edit. Select Enabled from the Policy settings window and click Apply and then click OK.

Disable software installations

Using GPOs to prevent the installation of other software is a smart way to protect the network against attackers. For example, help desk technicians or employees at a call center may not need access to other applications like media players. This also reduces the burden on IT admins of doing routine maintenance and cleaning up unwanted applications on all the devices.

Steps to restrict software installations using GPOs

  1. Launch the Group Policy Management console from the Start menu.
  2. From the left panel, right click on the OU to which you wish to apply this restriction. Then select the Create a GPO in this domain and Link it here... option.
  3. Enter a suitable name for the GPO and click OK.
  4. From the left panel, right click on the GPO created and select Edit.
  5. Navigate to Computer configuration > Administrative templates > Windows components > Windows Installer.
  6. Right click on Disable Windows Installer and click Edit. Select Enabled from the Policy settings window and click Apply and then click OK.

Restrict removable drives

USB drives are one of the most accessible removable drives available today. Since they are common, the chances of them being used in multiple devices are high, and this exponentially increases the chances of them being infected by malware. Hence it is always recommended that removable drives are kept disabled unless there is a need for them.

Steps to restrict removable storage access using GPOs

  1. Launch the Group Policy Management console from the Start menu.
  2. From the left panel, right click on the OU to which you wish to apply this restriction. Then select the Create a GPO in this domain and Link it here... option.
  3. Enter a suitable name for the GPO and click OK.
  4. From the left panel, right click on the GPO created and select Edit.
  5. Navigate to Computer configuration > Administrative templates > System > Removable Storage Access.
  6. Right click on All Removable Storage classes: Deny all access and click Edit. Select Enabled from the Policy settings window and click Apply and then click OK.

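The six Administrative Templates settings covered so far (Control Panel, command prompt, registry tools, auto-restart, Windows Installer, removable storage) are registry-backed, so the same GPOs can be built, linked and read back from PowerShell. This is an added example, not part of the original article or any vendor tooling; the OU paths, GPO names and the `New-HardeningGpo` helper are hypothetical, and it relies on the GroupPolicy module that is installed with the GPMC.

```powershell
# Added example: scripted equivalent of the GPMC steps above.
Import-Module GroupPolicy

# Assumptions: placeholder OU distinguished names; replace with your own.
$UserOu     = 'OU=CallCenterUsers,DC=example,DC=com'
$ComputerOu = 'OU=CallCenterPCs,DC=example,DC=com'

# Registry values written by the policy settings named on this page.
$UserSettings = @(
    # Prohibit access to Control Panel and PC settings
    @{ Key = 'HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer'; Name = 'NoControlPanel'; Value = 1 }
    # Prevent access to the command prompt (1 = also block .bat/.cmd, 2 = scripts still run)
    @{ Key = 'HKCU\Software\Policies\Microsoft\Windows\System'; Name = 'DisableCMD'; Value = 2 }
    # Prevent access to registry editing tools (2 = also block silent "regedit /s")
    @{ Key = 'HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System'; Name = 'DisableRegistryTools'; Value = 2 }
)
$ComputerSettings = @(
    # No auto-restart with logged on users for scheduled automatic update installations
    @{ Key = 'HKLM\Software\Policies\Microsoft\Windows\WindowsUpdate\AU'; Name = 'NoAutoRebootWithLoggedOnUsers'; Value = 1 }
    # Disable Windows Installer (2 = always)
    @{ Key = 'HKLM\Software\Policies\Microsoft\Windows\Installer'; Name = 'DisableMSI'; Value = 2 }
    # All Removable Storage classes: Deny all access
    @{ Key = 'HKLM\Software\Policies\Microsoft\Windows\RemovableStorageDevices'; Name = 'Deny_All'; Value = 1 }
)

function New-HardeningGpo {
    param([string]$GpoName, [string]$TargetOu, [hashtable[]]$Settings)

    $gpo = New-GPO -Name $GpoName -Comment 'Scripted; mirrors the manual GPMC steps'
    foreach ($s in $Settings) {
        Set-GPRegistryValue -Guid $gpo.Id -Key $s.Key -ValueName $s.Name `
            -Type DWord -Value $s.Value | Out-Null
    }
    # Link at OU level, as the article recommends, rather than at the domain root.
    New-GPLink -Guid $gpo.Id -Target $TargetOu -LinkEnabled Yes | Out-Null

    # Read each value back from the GPO so the result is verified, not assumed.
    foreach ($s in $Settings) {
        Get-GPRegistryValue -Guid $gpo.Id -Key $s.Key -ValueName $s.Name
    }
}

# User settings go to an OU holding user accounts, computer settings to one holding computers.
New-HardeningGpo -GpoName 'Restrict-UserTools'      -TargetOu $UserOu     -Settings $UserSettings
New-HardeningGpo -GpoName 'Restrict-InstallAndUsb'  -TargetOu $ComputerOu -Settings $ComputerSettings
```

Run it from an account that is allowed to create and link GPOs, then confirm on a client in the target OU with `gpresult /r`.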
Disable Guest account

Unauthenticated users can gain access to the network through guest accounts as they do not require a password. This opens up access to any network shared folders with permissions that allow access to the Guest account, the Guests group, or the Everyone group. Hence the suggested best practice is to always disable guest accounts.

Steps to disable guest accounts using GPOs

  1. Launch the Group Policy Management console from the Start menu.
  2. From the left panel, right click on the OU to which you wish to apply this setting. Then select the Create a GPO in this domain and Link it here... option.
  3. Enter a suitable name for the GPO and click OK.
  4. From the left panel, right click on the GPO created and select Edit.
  5. Navigate to Computer Configuration > Policies > Windows Settings > Security Settings > Local Policies > Security Options.
  6. Right click on Guest account status and click Edit. Select Disabled from the Policy settings window and click Apply and then click OK.

Password policy settings

Password policies are the first line of defense against cyber threats. It is important to ensure that the maximum password length is as high as possible and the maximum password age is as low as possible.

Steps to configure password policy settings using GPOs

  1. Launch the Group Policy Management console from the Start menu.
  2. From the left panel, right click on the OU to which you wish to apply these settings. Then select the Create a GPO in this domain and Link it here... option.
  3. Enter a suitable name for the GPO and click OK.
  4. From the left panel, right click on the GPO created and select Edit.
  5. Navigate to Computer Configuration > Policies > Windows Settings > Security Settings > Account Policies > Password Policy.
  6. Double click on the password setting you wish to edit. Configure the desired settings and click Apply and then click OK.

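Guest account status and the password policy are Security Settings, which a GPO stores in the `[System Access]` section of its `GptTmpl.inf` file in SYSVOL, so both can be audited by parsing that file. This is an added example, not code from the original article; the sample file content is constructed, the function names are hypothetical, and the thresholds are assumptions to be replaced with your own baseline.

```powershell
# Constructed sample of what a GPO stores in
# <SYSVOL>\Policies\{GPO-GUID}\Machine\Microsoft\Windows NT\SecEdit\GptTmpl.inf
$SampleInf = @'
[Unicode]
Unicode=yes
[System Access]
MinimumPasswordLength = 8
MaximumPasswordAge = -1
PasswordComplexity = 1
PasswordHistorySize = 5
EnableGuestAccount = 1
[Version]
signature="$CHICAGO$"
Revision=1
'@

function Get-SystemAccessSetting {
    # Returns the numeric settings of the [System Access] section as a hashtable.
    param([string]$InfText)
    $settings  = @{}
    $inSection = $false
    foreach ($line in $InfText -split "`r?`n") {
        if ($line -match '^\s*\[(.+)\]\s*$') { $inSection = ($Matches[1] -eq 'System Access'); continue }
        if ($inSection -and $line -match '^\s*(\w+)\s*=\s*(-?\d+)\s*$') { $settings[$Matches[1]] = [int]$Matches[2] }
    }
    $settings
}

function Test-SystemAccessSetting {
    # Thresholds are assumptions for illustration only.
    param([hashtable]$Settings, [int]$MinLength = 14, [int]$MaxAgeDays = 90)
    $findings = @()
    if (-not $Settings.ContainsKey('MinimumPasswordLength') -or $Settings['MinimumPasswordLength'] -lt $MinLength) {
        $findings += "MinimumPasswordLength is below $MinLength"
    }
    # -1 means "never expires", so a plain "lower is better" comparison would wrongly pass it.
    $age = $Settings['MaximumPasswordAge']
    if ($null -eq $age -or $age -lt 1 -or $age -gt $MaxAgeDays) {
        $findings += "MaximumPasswordAge is not within 1..$MaxAgeDays days"
    }
    if ($Settings['PasswordComplexity'] -ne 1) { $findings += 'PasswordComplexity is not enabled' }
    if ($Settings['EnableGuestAccount'] -ne 0) { $findings += 'Guest account is not disabled by this GPO' }
    $findings
}

Test-SystemAccessSetting -Settings (Get-SystemAccessSetting -InfText $SampleInf)
```

To audit a real GPO, pass the output of `Get-Content -Raw` on its `GptTmpl.inf` instead of the sample. For domain accounts, only Account Policies from GPOs linked at the domain root take effect; a GPO linked to an OU governs the local accounts of the computers in that OU.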
Scope of GPO settings

Applying GPOs at a granular level offers more control over the security of the network. Always apply GPOs at an OU level and not on a domain level. In case you do not want the GPO to be inherited, it is a safe practice to group those specific users and computers under an OU and then apply the GPO.
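To check where GPOs actually take effect, the links that reach each OU can be listed and the ones arriving from the domain root picked out. This is an added example, not from the original article; `Get-GpoScopeReport` is a hypothetical helper, and it assumes the GroupPolicy and ActiveDirectory modules from RSAT are installed.

```powershell
Import-Module GroupPolicy, ActiveDirectory

function Get-GpoScopeReport {
    param([string]$DomainDn = (Get-ADDomain).DistinguishedName)

    $ous = Get-ADOrganizationalUnit -Filter * -SearchBase $DomainDn |
        Select-Object -ExpandProperty DistinguishedName

    foreach ($ou in $ous) {
        $som = Get-GPInheritance -Target $ou
        # InheritedGpoLinks is the resultant list for this OU:
        # links made directly on it plus links inherited from parent containers.
        foreach ($link in $som.InheritedGpoLinks) {
            [pscustomobject]@{
                OU                 = $ou
                Gpo                = $link.DisplayName
                LinkedAt           = $link.Target
                FromDomainRoot     = ($link.Target -eq $DomainDn)
                Enforced           = $link.Enforced
                LinkEnabled        = $link.Enabled
                InheritanceBlocked = $som.GpoInheritanceBlocked
            }
        }
    }
}

# GPOs that reach an OU only because they are linked at the domain level.
Get-GpoScopeReport | Where-Object FromDomainRoot |
    Sort-Object Gpo, OU |
    Format-Table OU, Gpo, Enforced, InheritanceBlocked -AutoSize
```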

An easier alternative to secure GPO management

ADManager Plus offers a one-stop solution for all things identity and access management and cuts down the need to toggle between multiple tools or struggle with archaic ones. With bulk management, reports on GPOs and password status with on-the-fly management, and custom automations, ADManager Plus can help you manage GPOs effectively and securely.