Today we are reviewing Group Policy in Windows.  One thing to keep in mind is that if you are on a computer that is connected to a domain, then you need to be aware of how both Local and Domain settings are configured.  Configuring settings in both can have unintended consequences or conflicts, and so it’s best to manage as much from the domain level as possible.

Since we are focused on business environments with domains, we will be working with Group Policy on a test server with Active Directory installed and configured already.  To open the Group Policy Manager you can either select it from the Tools menu in the Server Manager, or by going to the Administrative Tools in the control panel.  For reference, if you need to access a system’s Local Policy you should open the Run command and type gpedit.msc

The first thing you might have noticed is that there are a number of objects created in addition to the defaults.  This is the best way to handle the organization of Group Policy.  If you just go in and edit the default template then you can end up forgetting where a particular setting was configured, and this can also complicate applying policies to multiple objects in different ways.  For example, if you want all domain admins to have specific drives mapped that users don’t have access to, then create separate objects for each and configure the settings accordingly.  Then you can assign the policies separately and very easily.  If you have remote access configured in some manner, don’t include this in the default or mapped drive configurations.  Create a separate object for that and apply it as needed.  This way you can easily locate specific settings any time you need to manage your domain.

So, let’s look at a few settings that should ALWAYS be configured as follows.  First, let’s create a Group Policy Object and call it “Global-Security.”  Make sure to link it properly for your configuration, but in a simple environment the default setting is best. Now right-click the object and choose Edit to open the Group Policy editor.

Drill down to the User Rights Assignment section, and you will see a setting called “Allow log on locally.”  Double-click it to open the editor, select “Enabled,” and add the built-in Administrators group and click “OK.”  Next, select “Deny log on locally” and add the Guest account and the Guests group.  This configuration adds a little extra security to your domain because you are explicitly excluding the Guest account’s log in permissions.

Next, choose Security Options on the left.  Look for the Administrator account status, double-click to open the editor, and set it to “Disabled.”  You should already have another account that is designated with the necessary privileges to manage your domains and servers, even if they aren’t the same account.  You should also first verify that none of the services running are using the Administrator account.  Locking down this account is a standard requirement for any level of security.  Next, do the same thing for the Guest account setting.

The last setting we’re going to cover is the UNC Hardened Access setting.  Microsoft released bulletin MS15-011 in February 2015 with instructions for configuring this policy that includes an explanation of the issue.  You can Google the bulletin number if you’re interested in learning more about it.  If you have a complex environment you should read the bulletin before doing this so that you understand the settings involved, but if you only have one server with a handful of workstations the following settings are the best choice.

Drill down on the left to the Network Provider section, and you will see the Hardened UNC Paths setting.  Double-click this to open the editor, and click Enable.  Scroll down so that you can see the Show button.  Click the Show button and enter in the Value Name field:

\\your domain name\*

In the Value field you need to enter three settings separated by a comma as follows:

RequireMutualAuthentication=1

RequireIntegrity=1

RequirePrivacy=1

Click OK twice to save the settings. 

The last thing we need to do is ensure that our settings won’t be ignored in the event of a conflict with other policies.  Close the Group Policy editor so that you are back at the Group Policy Manager.  Right-click the object you just configured and choose Enforce.  This will prevent any other policies that you configure from overwriting these settings during the boot and logon processes.

Thank you for watching!  I hope this helps you better understand how to interact with Group Policy, and now that you’re familiar with this be sure to look through all the settings you can set.  Knowing how to use Group Policy properly will help you better manage your networks and keep them more secure.
© 2018 - Allora Consulting