Disable access to the Control Panel
The Control Panel can become a Pandora's box of security disasters if it falls into the wrong hands. Access to it can be misused for anything from adding unauthorized accounts to installing malicious programs. Hence, disable this access for everyone except the IT admins or the IT security team members.
Steps to restrict access to Control Panel using GPOs
1. Launch the Group Policy Management console from the Start menu.
2. Right-click Group Policy Objects in the left panel and select New.
3. Enter a suitable name for the new GPO and click OK.
4. Right-click the GPO created earlier and select Edit.
5. In the left panel, navigate to User configuration > Administrative templates > Control Panel.
6. Right-click the Prohibit access to Control Panel and PC settings setting and click Edit. Select Enabled in the Policy settings window, click Apply, and then click OK.
7. Once the GPO is created, apply it by right-clicking the OU and selecting Link an Existing GPO. Then select the GPO and click OK.
Disable access to Command Prompt
Since the command prompt can be used to execute any script, users may accidentally or intentionally run a malicious script that can compromise the entire network. Hence, it is smarter to give command prompt access only to users who need it to perform their tasks.
Steps to restrict access to command prompt using GPOs
1. Launch the Group Policy Management console from the Start menu.
2. In the left panel, right-click the OU for which you wish to restrict access to the command prompt. Then select the Create a GPO in this domain and Link it here... option.
3. Enter a suitable name for the GPO and click OK.
4. In the left panel, right-click the GPO created and select Edit.
5. Navigate to User configuration > Policies > Administrative templates > System.
6. Right-click Prevent access to the command prompt and click Edit. Select Enabled in the Policy settings window, click Apply, and then click OK.
Access to network registry
Since the registry can be edited from any computer on the network, enabling access to the network registry only for authorized users is the commonly recommended best practice. Access to the network registry can be disabled in a few simple steps.
Steps to restrict access to registry editing tools using GPOs
1. Launch the Group Policy Management console from the Start menu.
2. In the left panel, right-click the OU for which you wish to restrict access to registry editing tools. Then select the Create a GPO in this domain and Link it here... option.
3. Enter a suitable name for the GPO and click OK.
4. In the left panel, right-click the GPO created and select Edit.
5. Navigate to User configuration > Policies > Administrative templates > System.
6. Right-click Prevent access to registry editing tools and click Edit. Select Enabled in the Policy settings window, click Apply, and then click OK.
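The three user-side restrictions above (Control Panel, command prompt, registry editing tools) can also be deployed from PowerShell with the GroupPolicy module. This is an added example, not part of the original article; the GPO name, OU path and group name are hypothetical placeholders, and it restricts the GPO to one group so that IT admins are not affected.

```powershell
# Added example: scripted equivalent of the GUI steps (GroupPolicy module, RSAT).
# $GpoName, $TargetOU and $ApplyGroup are hypothetical placeholders.
Import-Module GroupPolicy

$GpoName    = 'Restrict-User-Shell-Tools'
$TargetOU   = 'OU=Standard Users,DC=example,DC=com'
$ApplyGroup = 'Restricted-Users'   # must not contain IT admin accounts

# Registry values behind the three Administrative Templates settings.
$settings = @(
    @{ # Prohibit access to Control Panel and PC settings
       Key       = 'HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer'
       ValueName = 'NoControlPanel'; Value = 1 },
    @{ # Prevent access to the command prompt
       # 2 = block interactive cmd.exe only; 1 = also block .bat/.cmd scripts
       Key       = 'HKCU\Software\Policies\Microsoft\Windows\System'
       ValueName = 'DisableCMD'; Value = 2 },
    @{ # Prevent access to registry editing tools
       # 2 = also block silent "regedit /s"; 1 = block interactive use only
       Key       = 'HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System'
       ValueName = 'DisableRegistryTools'; Value = 2 }
)

$gpo = New-GPO -Name $GpoName -Comment 'Blocks Control Panel, cmd.exe and regedit'
foreach ($s in $settings) {
    Set-GPRegistryValue -Guid $gpo.Id -Key $s.Key -ValueName $s.ValueName `
        -Type DWord -Value $s.Value | Out-Null
}

# Only user settings are defined, so skip the computer half during processing.
$gpo.GpoStatus = 'ComputerSettingsDisabled'

# Security filtering: Authenticated Users keep Read (needed to process the GPO),
# but only members of $ApplyGroup have the policy applied to them.
Set-GPPermission -Guid $gpo.Id -TargetName 'Authenticated Users' -TargetType Group `
    -PermissionLevel GpoRead -Replace | Out-Null
Set-GPPermission -Guid $gpo.Id -TargetName $ApplyGroup -TargetType Group `
    -PermissionLevel GpoApply | Out-Null

# Link to the OU and write a report to review before users pick the policy up.
New-GPLink -Guid $gpo.Id -Target $TargetOU -LinkEnabled Yes | Out-Null
Get-GPOReport -Guid $gpo.Id -ReportType Html -Path ".\$GpoName.html"
```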
Restrict forced restarts
Forced restarts are often harmful on devices infected with ransomware. In Windows, they appear as pop-up messages that say a restart is needed to apply security updates. Experts suggest that reboots can sometimes enable the malware to affect the entire network, and that users should either opt for a reboot in safe mode or reach out to the IT admin for resolution.
Steps to restrict forced restarts using GPOs
1. Launch the Group Policy Management console from the Start menu.
2. In the left panel, right-click the OU for which you wish to restrict forced restarts. Then select the Create a GPO in this domain and Link it here... option.
3. Enter a suitable name for the GPO and click OK.
4. In the left panel, right-click the GPO created and select Edit.
5. Navigate to Computer configuration > Administrative templates > Windows components > Windows Update.
6. Right-click No auto-restart with logged on users for scheduled automatic update installations and click Edit. Select Enabled in the Policy settings window, click Apply, and then click OK.
Disable software installations
Using GPOs to prevent the installation of other software is a smart way to protect the network against attackers. For example, help desk technicians or employees at a call center may not need access to other applications like media players. This also reduces the burden on IT admins of doing routine maintenance and cleaning up unwanted applications on all the devices.
Steps to restrict software installations using GPOs
1. Launch the Group Policy Management console from the Start menu.
2. In the left panel, right-click the OU for which you wish to restrict software installations. Then select the Create a GPO in this domain and Link it here... option.
3. Enter a suitable name for the GPO and click OK.
4. In the left panel, right-click the GPO created and select Edit.
5. Navigate to Computer configuration > Administrative templates > Windows components > Windows Installer.
6. Right-click Disable Windows Installer and click Edit. Select Enabled in the Policy settings window, click Apply, and then click OK.
Restrict removable drives
USB drives are among the most accessible removable drives available today. Since they are common, the chances of them being used in multiple devices are high, and this exponentially increases the chances of them being infected by malware. Hence it is always recommended that removable drives are kept disabled unless there is a need for them.
Steps to restrict removable storage access using GPOs
1. Launch the Group Policy Management console from the Start menu.
2. In the left panel, right-click the OU for which you wish to restrict removable storage access. Then select the Create a GPO in this domain and Link it here... option.
3. Enter a suitable name for the GPO and click OK.
4. In the left panel, right-click the GPO created and select Edit.
5. Navigate to Computer configuration > Administrative templates > System > Removable Storage Access.
6. Right-click All Removable Storage classes: Deny all access and click Edit. Select Enabled in the Policy settings window, click Apply, and then click OK.
Disable Guest account
Unauthenticated users can gain access to the network through guest accounts as they do not require a password. This opens up access to any network shared folders with permissions that allow access to the Guest account, the Guests group, or the Everyone group. Hence the suggested best practice is to always disable guest accounts.
Steps to disable guest accounts using GPOs
1. Launch the Group Policy Management console from the Start menu.
2. In the left panel, right-click the OU for which you wish to disable guest accounts. Then select the Create a GPO in this domain and Link it here... option.
3. Enter a suitable name for the GPO and click OK.
4. In the left panel, right-click the GPO created and select Edit.
5. Navigate to Computer Configuration > Policies > Windows Settings > Security Settings > Local Policies > Security Options.
6. Right-click Guest account status and click Edit. Select Disabled in the Policy settings window, click Apply, and then click OK.
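Linking a GPO does not prove a machine received it, so the four computer-side settings above (forced restarts, Windows Installer, removable storage, Guest account) are worth verifying on a client. The following read-only check is an added example, not part of the original article; it assumes the GPOs were linked as described and that it runs on a domain-joined workstation after a policy refresh.

```powershell
# Added example: read-only compliance check, run on a client after "gpupdate /force".
$expected = @(
    @{ Policy = 'No auto-restart with logged on users'
       Path   = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU'
       Name   = 'NoAutoRebootWithLoggedOnUsers'; Want = 1 },
    @{ Policy = 'Disable Windows Installer'   # 2 = Always, 1 = non-managed apps only
       Path   = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\Installer'
       Name   = 'DisableMSI'; Want = 2 },
    @{ Policy = 'All Removable Storage classes: Deny all access'
       Path   = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\RemovableStorageDevices'
       Name   = 'Deny_All'; Want = 1 }
)

function Get-PolicyCompliance {
    param([hashtable[]]$Checks)
    foreach ($c in $Checks) {
        # A missing key or value means the GPO never reached this machine.
        $prop   = Get-ItemProperty -Path $c.Path -Name $c.Name -ErrorAction SilentlyContinue
        $actual = if ($prop) { $prop.($c.Name) } else { $null }
        [pscustomobject]@{
            Policy    = $c.Policy
            Expected  = $c.Want
            Actual    = if ($null -eq $actual) { 'not set' } else { $actual }
            Compliant = ($actual -eq $c.Want)
        }
    }
}

function Get-GuestCompliance {
    # Match the built-in Guest account by its RID (501) in case it was renamed.
    $guest = Get-LocalUser | Where-Object { $_.SID.Value -like 'S-1-5-21-*-501' }
    [pscustomobject]@{
        Policy    = 'Guest account status'
        Expected  = 'Disabled'
        Actual    = if ($guest.Enabled) { 'Enabled' } else { 'Disabled' }
        Compliant = -not $guest.Enabled
    }
}

$report = @(Get-PolicyCompliance -Checks $expected) + (Get-GuestCompliance)
$report | Format-Table -AutoSize
if ($report.Compliant -contains $false) {
    Write-Warning 'One or more settings are missing; run "gpresult /r" to see which GPOs applied.'
}
```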
Password policy settings
Password policies are the first line of defense against cyber threats. It is important to ensure that the maximum password length is as high as possible and the maximum password age is as low as possible.
Steps to configure password policy settings using GPOs
1. Launch the Group Policy Management console from the Start menu.
2. In the left panel, right-click the OU for which you wish to configure the password policy. Then select the Create a GPO in this domain and Link it here... option.
3. Enter a suitable name for the GPO and click OK.
4. In the left panel, right-click the GPO created and select Edit.
5. Navigate to Computer Configuration > Policies > Windows Settings > Security Settings > Account Policies > Password Policy.
6. Double-click the password setting you wish to edit. Configure the desired settings, click Apply, and then click OK.
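For domain accounts, the password policy that actually takes effect is read from GPOs linked at the domain root (or from a fine-grained password policy); a password policy GPO linked to an OU only governs local accounts on the computers in that OU. The audit below is an added example, not part of the original article, that reports what the domain really enforces; the baseline numbers are assumptions chosen for illustration, not values from this page.

```powershell
# Added example: audit the password policy in force for domain accounts.
# Requires the ActiveDirectory module (RSAT). Baseline values are assumed.
Import-Module ActiveDirectory

$baseline = @{ MinLength = 14; MaxAgeDays = 90; HistoryCount = 24 }

function Test-PasswordPolicy {
    param($Policy, [string]$Label)
    $issues = @()
    if ($Policy.MinPasswordLength -lt $baseline.MinLength) {
        $issues += "minimum length $($Policy.MinPasswordLength) is below $($baseline.MinLength)"
    }
    $age = $Policy.MaxPasswordAge.Days
    if ($age -eq 0) {
        # A maximum password age of 0 means passwords never expire.
        $issues += 'passwords never expire'
    } elseif ($age -gt $baseline.MaxAgeDays) {
        $issues += "maximum age $age days exceeds $($baseline.MaxAgeDays)"
    }
    if ($Policy.PasswordHistoryCount -lt $baseline.HistoryCount) {
        $issues += "history of $($Policy.PasswordHistoryCount) is below $($baseline.HistoryCount)"
    }
    if (-not $Policy.ComplexityEnabled)       { $issues += 'complexity disabled' }
    if ($Policy.ReversibleEncryptionEnabled)  { $issues += 'reversible encryption enabled' }

    [pscustomobject]@{
        Policy    = $Label
        Compliant = ($issues.Count -eq 0)
        Issues    = $issues -join '; '
    }
}

# Domain-wide default, then every fine-grained policy (PSO) that overrides it.
$results = @(Test-PasswordPolicy (Get-ADDefaultDomainPasswordPolicy) 'Default domain policy')
Get-ADFineGrainedPasswordPolicy -Filter * | ForEach-Object {
    $results += Test-PasswordPolicy $_ "PSO: $($_.Name) (precedence $($_.Precedence))"
}
$results | Format-List
```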
Scope of GPO settings
Applying GPOs at a granular level offers more control over the security of the network. Always apply GPOs at the OU level and not at the domain level. If you do not want a GPO to be inherited, it is a safe practice to group the specific users and computers under an OU and then apply the GPO there.
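To review the current scope against this guidance, the following added example (not part of the original article) lists the GPOs linked directly at the domain root and, for each OU, which GPOs are linked there, which are inherited from above, and whether inheritance is blocked. It assumes the GroupPolicy and ActiveDirectory RSAT modules are available.

```powershell
# Added example: report where GPOs are linked and what each OU inherits.
Import-Module GroupPolicy, ActiveDirectory

$domainDN = (Get-ADDomain).DistinguishedName

# GPOs linked at the domain root apply to every OU that does not block inheritance.
Write-Output "GPOs linked at the domain root ($domainDN):"
(Get-GPInheritance -Target $domainDN).GpoLinks |
    Select-Object Order, DisplayName, Enabled, Enforced |
    Format-Table -AutoSize

# Per-OU view: direct links versus links inherited from parent containers.
$ouReport = Get-ADOrganizationalUnit -Filter * | ForEach-Object {
    $ouDN = $_.DistinguishedName
    $som  = Get-GPInheritance -Target $ouDN

    # InheritedGpoLinks holds every GPO that applies, including direct links,
    # so keep only those whose link target is a different container.
    $fromAbove = $som.InheritedGpoLinks | Where-Object { $_.Target -ne $ouDN }

    [pscustomobject]@{
        OU                 = $ouDN
        InheritanceBlocked = $som.GpoInheritanceBlocked
        LinkedHere         = ($som.GpoLinks.DisplayName -join '; ')
        InheritedFromAbove = ($fromAbove.DisplayName -join '; ')
        # Enforced links from above still apply even when inheritance is blocked.
        EnforcedFromAbove  = (($fromAbove | Where-Object Enforced).DisplayName -join '; ')
    }
}

$ouReport | Sort-Object OU | Format-List
```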