The 10 Windows group policy settings you need to get right

One of the most common methods to configure an office full of Microsoft Windows computers is with group policy. For the most part, group policies are settings pushed into a computer’s registry to configure security settings and other operational behaviors. Group policies can be pushed down from Active Directory (actually, pulled down by the client) or configured locally.

I’ve been doing Windows computer security since 1990, so I’ve seen a lot of group policies. In my work with customers, I scrutinize each group policy setting within each group policy object. With Windows 8.1 and Windows Server 2012 R2, for example, there are more than 3,700 settings for the operating system alone.

I’ll let you in on a little secret: I care about only 10 settings.

I’m not saying you should stop at these 10 since each properly configured group policy setting can reduce risk. I am saying that 10 settings determine most of your risk — everything else is gravy. When I start looking at a new group policy, the first thing I do is scan these 10 settings. If they’re set correctly, I know the customer is doing the right thing and my job will be easier.

Get these 10 settings right, and you’ll go a long way toward making your Windows environment more secure. Each of these falls under the Computer ConfigurationWindows SettingSecurity Settings leaf.

1. Rename the Local Administrator Account

If the bad guys don’t know the name of your Administrator account, they’ll have a much harder time hacking it. Renaming the Administrator account is not automatic, so you’ll have to do it yourself.

2. Disable the Guest Account

One of the worst things you can do is to enable this account. It grants a fair amount of access on a Windows computer and has no password. Fortunately, it’s disabled by default.

3. Disable LM and NTLM v1

The LM (LAN Manager) and NTLMv1 authentication protocols have vulnerabilities. Force the use of NTLMv2 and Kerberos. By default, most Windows systems will accept all four protocols. Unless you have ancient (that is, more than 10 years old), unpatched systems, there’s rarely a reason to use the older protocols. They’re disabled by default.

4. Disable LM hash storage

LM password hashes are easily convertible to their plaintext password equivalents. Don’t allow Windows to store them on disk, where a hacker hash dump tool would find them. It is disabled by default.

5. Minimum password length

Your minimum password length for regular users should be at least 12 characters — 15 characters or longer for elevated user accounts. Windows passwords aren’t even close to secure until they are 12 characters long. To be truly secure, 15 characters is the magic number in the Windows authentication world. Get there, and it closes all sorts of backdoors. Anything else is accepting unnecessary risk. (It’s zero characters by default, so you’ll have to specify this requirement.)

Unfortunately, traditional group policy settings accept a maximum value of only 14 characters when setting the minimum password size. Use the newer Fine-Grained Password Policies instead. It’s not so easy to set and configure in Windows Server 2008 R2 (and earlier), but it’s really easy to set — with a GUI — in Windows Server 2012 and later.

6. Maximum password age

Passwords 14 or fewer characters long should be used no longer than 90 days. Windows’ default maximum password expiration period is 42 days, so you can either accept the default or increase it to 90 days if you like. Some security experts think it’s fine to use the same password for up to one year if it’s 15 characters or more in length. Be aware, though, that extending a password expiration period increases the risk that someone could steal and reuse it to access other accounts owned by the same person. Shorter password expiration periods are always better.

7. Event logs

The vast majority of attack victims would have detected the breach sooner if their event logs had been turned on and they made a habit of checking them. Make sure you’re using the settings recommended in the Microsoft Security Compliance Manager tool and use the audit subcategories instead of the legacy category settings.

8. Disable anonymous SID enumeration

Security Identifiers (SIDs) are numbers assigned to each user, group, and other security subject in Windows or Active Directory. In early Windows versions, non-authenticated users could query these numbers to identify important users (such as Administrators) and groups, a fact that hackers loved to exploit. Fortunately, enumeration is disabled by default.

9. Don’t let the anonymous account reside in the everyone group

This setting and the previous one, when set incorrectly, could allow an anonymous (or null) hacker far more access on a system than should be given. Both settings have been enabled by default (disabling anonymous access) since 2000. Make sure they stay that way.

10. Enable User Account Control

Lastly, ever since Windows Vista, UAC has been the No. 1 protection tool for people browsing the Web. I find that many clients turn it off due to old information about application compatibility problems. Most of those problems have gone away, and many of the remaining ones can be solved with Microsoft’s free application compatibility troubleshooting utility. If you disable UAC, you’re far closer to Windows NT security than you are to that of a modern operating system. UAC is enabled by default.

If you’ve been paying attention, you’ll note that seven of the 10 settings are adjusted correctly by default in Windows Vista, Windows Server 2008, and later versions. Most of my Windows security books addressed the settings I wanted you to more securely harden. These days, my best advice is to change only what you have to and don’t muck the majority of the defaults. When I see problems, it’s usually because people go out of their way to weaken the defaults. That’s never good.

There are a handful of more important things to do before you begin worrying about group policy, such as perfect patching and preventing your users from installing Trojan horse programs. Once you have those efforts under control, correctly configuring your group policy is a great next step.

I’m also a huge fan of enabling BitLocker (in Windows Vista/2008 and later). But be aware that planning the implementation of BitLocker takes time and heavy thinking, though you can implement it using group policy.

Whatever you do, don’t waste your life studying all 3,700 settings. Instead, make sure you get the top 10 right and you’re most of the way there.