Creating a secure environment is a top priority for organizations of every kind. On Windows, one of the most effective ways to get there is to follow Group Policy best practices, particularly for GPO security. Configuring a handful of fundamental Group Policy settings correctly can significantly raise an organization's security posture, and well-designed Group Policies are a key safeguard for users' computers against common threats and breaches. In this Group Policy guide, we will cover:
What You Will Learn
- What is Group Policy
- What are GPO and Types
- GPO Risks and Vulnerabilities
- Policy Security Settings
- GPO Best Practices
What Is Group Policy (GPO) & Why It Matters for Security
Group Policy is a feature of the Microsoft Windows NT family of operating systems that controls the working environment of user accounts and computer accounts.
In a well-structured Active Directory environment, a good Organizational Unit (OU) structure is essential for efficient management. By organizing users and computers into separate OUs, you can quickly identify and administer specific groups within your network. Group Policy Objects (GPOs) are then linked where they should take effect: at the site, domain, or OU level. The link location, together with inheritance and enforcement, determines which computers and users a policy actually reaches.
User rights assignment can be configured through GPOs to ensure that the right individuals have the necessary permissions and privileges. Group Policy Preferences can also be utilized to fine-tune settings and preferences for users and computers, allowing for a more customized and streamlined management approach.
Group Policy Settings give the administrator centralized control: computer and user configurations for applications, operating systems, and user settings are defined once in Active Directory and applied everywhere the GPO is linked. Group Policy also offers several practical advantages, including efficient system management, enforcement of a strong password policy, and folder redirection.
Group Policy Objects
Computer settings in a domain's GPOs are applied when a computer starts and user settings when the user logs on; both are then refreshed in the background (by default every 90 minutes with a random offset on workstations and member servers, every 5 minutes on domain controllers). Some examples of what a GPO can enforce are:
- Setting the browser's home page to a specific webpage.
- Deploying shared network printer connections.
- Altering settings such as selecting default programs, preventing users from accessing the Control Panel, modifying internet settings, and turning the display off after a set idle time.
The presence of branch offices and browsing of internet websites creates multiple potential entry points for attackers to gain access to a domain. By restricting internet access, hardening domain controllers, and using WMI filters to target policies to specific groups of computers, GPOs can help to prevent unauthorized access and protect against malware and other threats.
Types of Group Policy Objects: Local, Domain & Starter GPOs
Group Policy Objects have three main types:
Local Group Policy Objects
Local GPOs exist by default on every Windows computer and are the right tool when policy settings need to apply to a single computer, or to the users who log on to it. They apply only to that computer: they are not stored in Active Directory and cannot be linked to other machines.
Non-local Group Policy Objects
Unlike local GPOs, non-local Group Policy Objects are stored in Active Directory and linked to sites, domains, or organizational units, so they reach every computer and user account that falls under the link. This is the mechanism for managing many machines consistently; it requires the computers and users to be members of the domain.
Starter Group Policy Objects
Starter GPOs are nonlocal GPO templates for group policy settings. These templates are handy when creating a new GPO in the Active Directory. They enable IT administrators to pre-configure a group of settings that represent a baseline for any future policy.
Elevation of Privilege
Group Policy best practices recommend limiting the privilege level of users to the bare minimum and, in particular, not making domain users members of the local Administrators group. A local administrator can tamper with policy processing on the machine (for example by editing the policy registry keys or interfering with the Group Policy Client service), which undermines the settings the domain administrator intended to enforce across the corporate network. The vulnerability described next belongs to the same family: when Group Policy improperly checks access, an attacker could run processes with elevated privileges.
Vulnerabilities
CVE-2020-1317 is an elevation-of-privilege vulnerability in Group Policy processing. A standard user in a domain environment could perform a file system attack against the Group Policy client, enabling the attacker to evade anti-malware solutions, bypass security hardening measures, and gain complete control over the Windows system. CyberArk's write-up reports that it affected any Windows machine from Windows Server 2008 onward; Microsoft fixed it in the June 2020 security updates.

Image credit: Shimony, Eran. (2020). Group Policies Going Rogue. CyberArk
Group Policy is also a network-facing mechanism: every domain-joined machine fetches its policy from the domain controller's SYSVOL share. Remote code execution vulnerabilities have existed in how clients received and applied that policy data, and a related weakness let a client that failed to retrieve a valid security policy fall back to a default, less secure one. The mitigations are keeping clients patched and enabling the Hardened UNC Paths policy (Computer Configuration -> Administrative Templates -> Network -> Network Provider), which requires mutual authentication and integrity for the SYSVOL and NETLOGON shares. The consequences of an RCE on this path range from malware execution to an attacker gaining complete control over the compromised machine.
Top GPO Settings to Strengthen Security Baselines
To prevent breaches, we have listed the top 11 most important Group Policy settings for a System Administrator. The default domain controller GPO contains predefined settings that govern the security and configuration of domain controllers in an Active Directory environment.
Domain controller server hardening reduces the attack surface available to compromise Active Directory security. To limit exposure, securing the domain controllers should be a top priority.
Applying a security framework such as the CIS Benchmark through GPOs locks down domain controllers so that a compromised user account cannot quietly change their configuration, and it keeps every DC in the domain on the same baseline.
The CIS Benchmark for Windows Server defines the specific security baselines — including GPO-enforced controls for password policy, account lockout, and audit policy — that auditors and frameworks like NIST and PCI DSS reference. See how CIS secure configuration benchmarks map to your hardening requirements.
Link the GPO at the scope it should govern (GPOs are per-domain objects, so a forest with several domains needs a copy in each), let Active Directory and SYSVOL replication complete so every domain controller serves the same version, then run gpupdate /force on a test host and confirm the result with gpresult /r before relying on it.
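The scoping and verification steps above, done from PowerShell, as an added example (this is not code from the original guide or from CalCom): it creates one hardening GPO that carries several of the registry-backed settings listed later on this page, links it to an OU, and writes a settings report. The GPO name and the OU distinguished name are assumptions; the GroupPolicy RSAT module and rights to create and link GPOs are required.

```powershell
# Added example, not from the original guide. Builds a hardening GPO, links it, reports on it.
# Assumptions: GPO name, target OU, and that the GroupPolicy module is installed.
#Requires -Modules GroupPolicy

$GpoName  = 'SEC-Baseline-Workstations'          # assumed name
$TargetOu = 'OU=Workstations,DC=corp,DC=example' # assumed OU; adjust to your domain

# Create the GPO only if it does not already exist, so the script can be re-run safely.
$gpo = Get-GPO -Name $GpoName -ErrorAction SilentlyContinue
if (-not $gpo) { $gpo = New-GPO -Name $GpoName -Comment 'Baseline hardening from the GPO guide' }

# Registry-backed policies; each maps to a numbered setting in this guide. Security Options
# written this way (NoLMHash, RestrictAnonymous*) show up under "Extra Registry Settings"
# in the editor rather than the Security Settings node, but the client applies them the same way.
$machinePolicies = @(
    @{ Key = 'HKLM\SYSTEM\CurrentControlSet\Control\Lsa'; ValueName = 'NoLMHash';             Value = 1 } # 5. no LM hash
    @{ Key = 'HKLM\SYSTEM\CurrentControlSet\Control\Lsa'; ValueName = 'RestrictAnonymousSAM';  Value = 1 } # 10. SAM accounts
    @{ Key = 'HKLM\SYSTEM\CurrentControlSet\Control\Lsa'; ValueName = 'RestrictAnonymous';     Value = 1 } # 10. SAM accounts and shares
)
$userPolicies = @(
    @{ Key = 'HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer'; ValueName = 'NoControlPanel'; Value = 1 } # 1. Control Panel
    @{ Key = 'HKCU\Software\Policies\Microsoft\Windows\System';                  ValueName = 'DisableCMD';     Value = 1 } # 2. cmd.exe (1 keeps logon scripts working)
    @{ Key = 'HKCU\Software\Policies\Microsoft\Windows\RemovableStorageDevices'; ValueName = 'Deny_All';       Value = 1 } # 3. removable storage
)
foreach ($p in $machinePolicies + $userPolicies) {
    Set-GPRegistryValue -Name $GpoName -Key $p.Key -ValueName $p.ValueName -Type DWord -Value $p.Value | Out-Null
}

# Link at the OU that should be governed. An unlinked GPO applies to nothing, which is a
# common mistake; -Enforced stops a GPO linked lower in the tree from overriding it.
$linked = (Get-GPInheritance -Target $TargetOu).GpoLinks | Where-Object { $_.DisplayName -eq $GpoName }
if (-not $linked) {
    New-GPLink -Name $GpoName -Target $TargetOu -LinkEnabled Yes -Enforced Yes | Out-Null
}

# Review what the GPO stores, then confirm on a test host that the client actually received it.
$reportPath = Join-Path $env:TEMP "$GpoName.html"
Get-GPOReport -Name $GpoName -ReportType Html -Path $reportPath
Write-Host "Settings report written to $reportPath"
Write-Host "On a test host in $TargetOu run:  gpupdate /force; gpresult /r"
```

Set-GPRegistryValue cannot write Account Policies such as minimum password length and maximum password age: for domain accounts those are read only from the GPO linked at the domain root (or a Fine-Grained Password Policy) and are set with Set-ADDefaultDomainPasswordPolicy from the ActiveDirectory module, or through the editor as described later in this guide.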
1. Moderating Access to Control Panel
This GPO setting limits access to the Control Panel. Most local configuration is reachable through the Control Panel and the Settings app, so restricting them keeps standard users from changing settings that the baseline depends on. Treat it as a hygiene control rather than a security boundary: a determined user can still change many settings by other means.
1. Open the GPO for editing (in Group Policy Management, gpmc.msc, right-click the GPO and choose Edit; use the Local Group Policy Editor, gpedit.msc, only for a single stand-alone machine).
2. Under User Configuration, go to Administrative Templates -> Control Panel. Then, open Prohibit Access to Control Panel and PC settings.
3. Select Enabled from the given options.
4. Click on Apply and OK.
2. Control Access to Command Prompt
Controlling user access to the Command Prompt (cmd.exe) is one way to protect system resources, because a user with a shell can run arbitrary commands and scripts. Disabling cmd.exe raises the bar for casual misuse, but it does not block PowerShell or other interpreters; if the goal is to stop unauthorized code from running, pair it with application control (AppLocker or Windows Defender Application Control).
1. Open the GPO for editing (gpmc.msc, right-click the GPO, Edit; gpedit.msc for a single stand-alone machine).
2. Under User Configuration, go to Administrative Templates -> System. Then, open Prevent access to the command prompt.
3. Select Enabled from the given options. Leave "Disable the command prompt script processing also?" set to No unless you are certain that no logon scripts depend on cmd.exe.
4. Click on Apply and OK.
3. Disallow Removable Media Drives, DVDs, CDs, and Floppy Drives
Removable media are a common carrier for malware and an easy channel for data exfiltration. Denying access to removable storage classes through Group Policy protects the system on both counts.
1. Open the GPO for editing (gpmc.msc, right-click the GPO, Edit; gpedit.msc for a single stand-alone machine).
2. Under User Configuration (or Computer Configuration, to apply it regardless of who logs on), go to Administrative Templates -> System -> Removable Storage Access. Then, open All Removable Storage classes: Deny all access.
3. Select Enabled from the given options.
4. Click on Apply and OK.
4. Disable Guest Account
The built-in Guest account allows logon without a password, so anyone with physical or network reach could use it to access data on the machine. Guest is disabled by default, but verifying that it stays disabled should be a priority, since a single local change re-enables it.
1. Open the GPO for editing (gpmc.msc, right-click the GPO, Edit; gpedit.msc for a single stand-alone machine).
2. Under Computer Configuration, go to Windows Settings -> Security Settings -> Local Policies -> Security Options. Then, open Accounts: Guest account status.
3. Tick Define this policy setting and select Disabled.
4. Click on Apply and OK.
5. Prevent Windows from Storing LAN Manager Hash
Local account credentials are stored in the Security Accounts Manager (SAM) database, and domain account credentials in the domain controllers' NTDS.dit. Windows can store a password as both a LAN Manager hash (LM hash) and an NT hash. The LM hash must not be stored: it is case-insensitive, splits the password into two 7-character halves, and is cracked in seconds on modern hardware. Windows Vista, Windows Server 2008, and later do not store it by default, but the setting should be enforced explicitly; note that it only takes effect at each account's next password change.
1. Open the GPO for editing (gpmc.msc, right-click the GPO, Edit; gpedit.msc for a single stand-alone machine).
2. Under Computer Configuration, go to Windows Settings -> Security Settings -> Local Policies -> Security Options. Then, open Network security: Do not store LAN Manager hash value on next password change.
3. Select Enabled from the given options.
4. Click on Apply and OK.
6. Disable Forced System Restarts
A forced restart after an update can cost users unsaved work: Windows displays a message that a restart is required, and if that prompt is missed the system restarts on its own. Many organizations therefore disable automatic restarts while a user is logged on. Treat this as a trade-off rather than a hardening step: a machine that never restarts has not finished installing its security updates, so pair this setting with a deadline or maintenance window that does force the restart.
1. Open the GPO for editing (gpmc.msc, right-click the GPO, Edit; gpedit.msc for a single stand-alone machine).
2. Under Computer Configuration, go to Administrative Templates -> Windows Components -> Windows Update -> Legacy Policies (on older Windows versions the setting sits directly under Windows Update). Then, open No auto-restart with logged on users for scheduled automatic updates installations.
3. Select Enabled from the given options.
4. Click on Apply and OK.
7. Restrict Software Installations
Restricting the installation of unwanted software that may compromise your system is essential. If users may install software freely, system administrators must routinely check every system for what has appeared on it. The better solution is to restrict installations through Group Policy. The Windows Installer policy below stops users from running MSI-based installers; for installers that do not use Windows Installer, application control (AppLocker or Windows Defender Application Control) is the complete answer.
1. Open the GPO for editing (gpmc.msc, right-click the GPO, Edit; gpedit.msc for a single stand-alone machine).
2. Under Computer Configuration, go to Administrative Templates -> Windows Components -> Windows Installer. Then, open Turn off Windows Installer.
3. Select Enabled and choose Always, or For non-managed applications only if packages deployed through Group Policy must still install.
4. Click on Apply and OK.
8. Set Minimum Password Lengths to Higher Limits
A higher minimum password length lowers the risk from brute-force and password-spraying attacks. On a stand-alone machine the default is 0 (no minimum); the Default Domain Policy sets 7. CIS recommends at least 14 characters, and length matters more than complexity rules, so prefer long passphrases. In a domain, the password policy that governs domain accounts is the one linked at the domain root (the Default Domain Policy) or a Fine-Grained Password Policy; the same setting in an OU-linked GPO affects only local accounts on those machines.
1. Open the GPO for editing (gpmc.msc, right-click the GPO, Edit; gpedit.msc for a single stand-alone machine).
2. Under Computer Configuration, go to Windows Settings -> Security Settings -> Account Policies -> Password Policy. Then, open Minimum Password Length.
3. Tick Define this policy setting and enter the length (14 or more).
4. Click on Apply and OK.
9. Set Maximum Password Age to Lower Limits
The maximum password age limits how long a stolen or leaked password stays usable, so this guide sets it to a low value. Be aware that current guidance (NIST SP 800-63B and Microsoft's own security baseline) no longer recommends short expiry periods on their own, because frequent forced changes push users toward predictable patterns; short expiry works best alongside breached-password screening and multi-factor authentication. Never set the value to 0, which means passwords never expire.
1. Open the GPO for editing (gpmc.msc, right-click the GPO, Edit; gpedit.msc for a single stand-alone machine).
2. Under Computer Configuration, go to Windows Settings -> Security Settings -> Account Policies -> Password Policy. Then, open Maximum password age.
3. Enter the number of days (this guide recommends 30; CIS accepts up to 365). It must be greater than the minimum password age.
4. Click on Apply and OK.
10. Disable Anonymous SID Enumeration
Every security principal (user, group, computer) has a unique Security Identifier (SID). With anonymous (null-session) access, an attacker can enumerate the accounts in the SAM and the shares on a machine, which yields a list of valid user names for password spraying and a map of where data lives. This setting is Disabled by default on member servers and workstations, which means anonymous enumeration is allowed; set it to Enabled.
1. Open the GPO for editing (gpmc.msc, right-click the GPO, Edit; gpedit.msc for a single stand-alone machine).
2. Under Computer Configuration, go to Windows Settings -> Security Settings -> Local Policies -> Security Options. Then, open Network access: Do not allow anonymous enumeration of SAM accounts and shares.
3. Select Enabled from the given options.
4. Click on Apply and OK.
11. Disable SID/Name Translation
This setting determines whether an anonymous user can ask the system to translate a SID into an account name, or a name into a SID. If it is enabled, an attacker can submit the well-known SID of the built-in Administrator account (its relative identifier is always 500) and learn the account's real name even if it was renamed, and can resolve other SIDs to user names for targeting. The preferred state is Disabled.
1. Open the GPO for editing (gpmc.msc, right-click the GPO, Edit; gpedit.msc for a single stand-alone machine).
2. Under Computer Configuration, go to Windows Settings -> Security Settings -> Local Policies -> Security Options. Then, open Network access: Allow anonymous SID/Name translation.
3. Select Disabled from the given options.
4. Click on Apply and OK.
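After the settings above have been linked and refreshed, the question is whether a given machine actually ended up in the intended state. The following added example (not code from the original guide or from CalCom) exports the effective local security policy with secedit, parses it, and checks the items this guide covers. The pass thresholds are assumptions taken from the recommendations above (items 4, 5, 8, 9, 10 and 11) with CIS's 14-character minimum length; run it from an elevated prompt on a domain-joined host after gpupdate /force.

```powershell
# Added example, not from the original guide. Audits the effective local security policy
# against this guide's recommendations. Thresholds below are assumptions; adjust to your baseline.

function Get-SecurityPolicy {
    # secedit exports the effective policy as an INI-style file; return it as a hashtable.
    $inf = Join-Path $env:TEMP 'secpol-audit.inf'
    secedit /export /cfg $inf /quiet | Out-Null
    if (-not (Test-Path $inf)) { throw 'secedit export failed; run this from an elevated prompt.' }
    $policy = @{}
    foreach ($line in Get-Content $inf) {
        # Lines look like "MinimumPasswordLength = 7" or, under [Registry Values],
        # "MACHINE\...\Lsa\NoLMHash=4,1" where 4 is the registry type (REG_DWORD) and 1 the data.
        if ($line -match '^\s*([^;\[][^=]*?)\s*=\s*(.*?)\s*$') {
            $key, $val = $Matches[1], $Matches[2]
            if ($val -match '^\d+,(.*)$') { $val = $Matches[1] }   # strip the "type," prefix
            $policy[$key] = $val.Trim('"')
        }
    }
    Remove-Item $inf -Force
    return $policy
}

function Test-Baseline {
    $p   = Get-SecurityPolicy
    $lsa = 'MACHINE\System\CurrentControlSet\Control\Lsa'
    # Each check: the guide item it covers, the observed value, and the pass condition.
    $checks = @(
        @{ Setting = '4. Guest account disabled';         Actual = $p['EnableGuestAccount'];     Ok = { $args[0] -eq '0' } }
        @{ Setting = '5. NoLMHash = 1';                   Actual = $p["$lsa\NoLMHash"];          Ok = { $args[0] -eq '1' } }
        @{ Setting = '8. Minimum password length >= 14';  Actual = $p['MinimumPasswordLength'];  Ok = { [int]$args[0] -ge 14 } }
        @{ Setting = '9. Maximum password age 1-30 days'; Actual = $p['MaximumPasswordAge'];     Ok = { [int]$args[0] -ge 1 -and [int]$args[0] -le 30 } }
        @{ Setting = '10. RestrictAnonymous = 1';         Actual = $p["$lsa\RestrictAnonymous"]; Ok = { $args[0] -eq '1' } }
        @{ Setting = '11. LSAAnonymousNameLookup = 0';    Actual = $p['LSAAnonymousNameLookup']; Ok = { $args[0] -eq '0' } }
    )
    foreach ($c in $checks) {
        # A value missing from the export means it is not defined on this host, which also fails.
        $pass   = ($null -ne $c.Actual) -and (& $c.Ok $c.Actual)
        $actual = if ($null -eq $c.Actual) { '<not set>' } else { $c.Actual }
        [pscustomobject]@{
            Setting = $c.Setting
            Actual  = $actual
            Result  = if ($pass) { 'PASS' } else { 'FAIL' }
        }
    }
}

Test-Baseline | Format-Table -AutoSize
```

A MaximumPasswordAge of -1 in the export means passwords never expire and is reported as a failure. The user-side settings (Control Panel, cmd.exe, removable storage) are per-user registry policies rather than security policy, so they do not appear in the secedit export; check them in the logged-on user's hive under HKCU\Software\Policies and HKCU\Software\Microsoft\Windows\CurrentVersion\Policies, or with gpresult /r /scope:user.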
GPO Best Practices – Do’s and Don’ts
An attacker who successfully exploited a Group Policy vulnerability such as CVE-2020-1317 could run processes in an elevated context; without monitoring for such weaknesses, and for drift in the policies themselves, that is a path to full control of a compromised device.
It is essential to adhere to best practices for Group Policy settings to prevent breaches and minimize the attack surface. Keeping the baseline in effect requires IT teams to repeat the hardening process regularly and, where no automated remediation process exists, to review their policies by hand for unplanned changes.
Why automate baseline hardening?
Managing a vast IT infrastructure while ensuring security, productivity, and a consistent user experience is a significant challenge for organizations. Fine-tuning your Group Policy settings can help regulate a user’s work environment and manage your operating systems and applications seamlessly.
To keep control over your IT infrastructure, make sure no unwanted changes are made to these policies or to any other Group Policy. Manual auditing is time-consuming, and keeping a continuous record of who changed what is hard to sustain by hand.
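One way to detect unplanned Group Policy changes without reading every GPO by hand, as an added example (not code from the original guide or from CalCom): record a baseline of every GPO in the domain, then on each later run report GPOs that are new, deleted, or whose settings report no longer matches the recorded hash. The baseline path is an assumption; the GroupPolicy RSAT module is required.

```powershell
# Added example, not from the original guide. Snapshots all GPOs and reports drift against a baseline.
# Assumptions: the baseline file location; store it where GPO administrators cannot alter it.
#Requires -Modules GroupPolicy

$BaselinePath = 'C:\GpoBaseline\baseline.json'   # assumed location

function Get-GpoSnapshot {
    # One record per GPO: version counters tell you that AD/SYSVOL changed, the hash tells you
    # whether the settings themselves changed (links and permissions are part of the report too).
    foreach ($g in Get-GPO -All) {
        [xml]$report = Get-GPOReport -Guid $g.Id -ReportType Xml
        $body  = $report.GPO.InnerXml -replace '<ReadTime>.*?</ReadTime>', ''   # ReadTime differs on every run
        $bytes = [Text.Encoding]::UTF8.GetBytes($body)
        $hash  = (Get-FileHash -InputStream ([IO.MemoryStream]::new($bytes)) -Algorithm SHA256).Hash
        [pscustomobject]@{
            Id              = $g.Id.ToString()
            Name            = $g.DisplayName
            ComputerVersion = $g.Computer.DSVersion
            UserVersion     = $g.User.DSVersion
            Modified        = $g.ModificationTime
            Hash            = $hash
        }
    }
}

function Compare-GpoSnapshot {
    param([Parameter(Mandatory)][string]$Path)
    $baseline = @{}
    foreach ($b in (Get-Content $Path -Raw | ConvertFrom-Json)) { $baseline[$b.Id] = $b }
    foreach ($c in Get-GpoSnapshot) {
        $b = $baseline[$c.Id]
        if (-not $b) {
            [pscustomobject]@{ GPO = $c.Name; Change = 'NEW'; Detail = "created/modified $($c.Modified)" }
            continue
        }
        if ($b.Hash -ne $c.Hash) {
            $detail = "versions $($b.ComputerVersion)/$($b.UserVersion) -> $($c.ComputerVersion)/$($c.UserVersion), modified $($c.Modified)"
            [pscustomobject]@{ GPO = $c.Name; Change = 'MODIFIED'; Detail = $detail }
        }
        $baseline.Remove($c.Id)
    }
    # Anything left in the baseline no longer exists in the domain.
    foreach ($id in $baseline.Keys) {
        [pscustomobject]@{ GPO = $baseline[$id].Name; Change = 'DELETED'; Detail = '' }
    }
}

if (-not (Test-Path $BaselinePath)) {
    New-Item -ItemType Directory -Path (Split-Path $BaselinePath) -Force | Out-Null
    Get-GpoSnapshot | ConvertTo-Json | Set-Content $BaselinePath
    Write-Host "Baseline recorded at $BaselinePath"
} else {
    Compare-GpoSnapshot -Path $BaselinePath | Format-Table -AutoSize
}
```

Run it on a schedule and re-record the baseline only after an approved change. The script tells you that a GPO changed, not who changed it; for attribution, enable Directory Service Changes auditing on the domain controllers and collect event ID 5136 (directory object modified) for the groupPolicyContainer objects under CN=Policies,CN=System.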
Managing GPO-based hardening at scale requires more than a one-time configuration pass. Download the Server Hardening Planning Guide for a structured framework covering policy scoping, change control, rollback procedures, and maintaining a hardened baseline across production environments.
Key Takeaways
- Group Policy is a central tool for enforcing consistent security baselines
- Baseline hardening through Group Policy strengthens defense against common attack vectors.
- Manual configuration is prone to errors.
- Compliance frameworks (CIS, NIST, PCI DSS, HIPAA) recommend applying baseline hardening via Group Policy.
- CalCom CHS enhances Group Policy management.
CalCom’s Automated GPO Hardening Solution
CalCom’s Automate Hardening Suite (CHS) allows you to audit every change made to Group Policies in real time and roll back any unwanted or unplanned Group Policy change quickly. CHS eliminates outages and reduces hardening costs by indicating the impact of a security hardening change on production services, and it ensures a resilient, constantly hardened and monitored operations environment.