
Windows Group Policy - Security Options part -1


Jithin:
Hi Guys,

The given configuration is one of the best security options policy settings for Windows server.

Group Policy - Security Options
    Administrator Account Status - Disabled
    Guest Account Status - Disabled
    Limit Local Account Use of Blank Passwords to Console Logon Only - Enabled
    Rename Administrator Account – Must be set to something other than Administrator
    Rename Guest Account - Must be set to something other than Guest
    Audit the Access of Global System Objects - Disabled
    Audit the use of Backup and Restore Privilege - Enabled
    Force Audit Policy Subcategory Settings to Override Audit Policy Category Settings – Enabled
    Shut Down System Immediately if Unable to Log Security Audits - Enabled
    Prevent Users from Installing Printer Drivers when connecting to Shared Printers – Enabled
    Machine Access Restrictions in Security Descriptor Definition Language (SDDL) – Bespoke for each environment
    Machine Launch Restrictions in Security Descriptor Definition Language (SDDL) – Bespoke for each environment
    Allowed to Format and Eject Removable Media – Administrators
    Prevent Users from Installing Printer Drivers – Enabled
    Allow Server Operators to Schedule Tasks - Disabled
    Digitally Encrypt or Sign Secure Channel Data (Always) - Enabled
    Digitally Encrypt or Sign Secure Channel Data (when possible) - Enabled
    Disable Machine Account Password Changes - Disabled
    Maximum Machine Account Password Age - 30 days
    Require Strong (Windows 2000 or later) Session Key – Enabled
    Interactive Logon: Display User Information when the Session is Locked - Enabled
    Interactive logon: Do Not Display Last User Name - Enabled
    Interactive logon: Do Not Require CTRL+ALT+DEL - Disabled
    Interactive logon: Message Text for Users Attempting to Log On – For example, ‘By using this computer system you are subject to the 'Computer Systems Policy' of New Net Technologies. The policy is available on the NNT Intranet and should be checked regularly for any updates’
    Interactive logon: Message Title for Users Attempting to Log on - For example ‘Warning – Authorized Users Only – Disconnect now if you are not unauthorized to use this system’
    Number of Previous Logons to Cache (in case domain controller is not available) – 0
    Interactive Logon: Prompt User to Change Password before Expiration – 14 days
    Interactive Logon: Require Domain Controller Authentication to Unlock Workstation - Enabled
    Microsoft Network Client: Digitally Sign Communications (always) – Enabled
    Microsoft Network Server: Digitally Sign Communications (always) - Enabled
    Microsoft Network Client: Digitally Sign Communications (if server agrees) - Enabled
    Microsoft Network Server: Digitally Sign Communications (if client agrees) – Enabled

Feel free to tune it the way you want.

Thank you,
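
Added example, not part of the original post: a small offline audit that checks a `secedit /export /cfg` file against some of the settings listed above. The key names are the ones secedit writes for those policies; the subset of nine checks, the helper names and the sample export are assumptions made for illustration.

```python
import configparser

NETLOGON = r"MACHINE\System\CurrentControlSet\Services\Netlogon\Parameters"
WINLOGON = r"MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon"

def renamed(default):
    # Predicate for the "must be set to something other than ..." items.
    return lambda v: v.strip('"').lower() != default.lower()

# (section, key) -> expected raw value or predicate, taken from the list above.
# Registry values export as "<type>,<data>": 4 = REG_DWORD, 1 = REG_SZ.
BASELINE = {
    ("System Access", "EnableAdminAccount"): "0",
    ("System Access", "EnableGuestAccount"): "0",
    ("System Access", "NewAdministratorName"): renamed("Administrator"),
    ("System Access", "NewGuestName"): renamed("Guest"),
    ("Registry Values", NETLOGON + r"\RequireSignOrSeal"): "4,1",
    ("Registry Values", NETLOGON + r"\RequireStrongKey"): "4,1",
    ("Registry Values", NETLOGON + r"\DisablePasswordChange"): "4,0",
    ("Registry Values", NETLOGON + r"\MaximumPasswordAge"): "4,30",
    ("Registry Values", WINLOGON + r"\CachedLogonsCount"): '1,"0"',
}

def audit(inf_text):
    """Return {(section, key): observed value or None} for each failing item."""
    cp = configparser.ConfigParser(interpolation=None, strict=False,
                                   delimiters=("=",))
    cp.read_string(inf_text)
    failures = {}
    for (section, key), want in BASELINE.items():
        got = cp.get(section, key, fallback=None)  # key match ignores case
        ok = got is not None and (want(got) if callable(want) else got == want)
        if not ok:
            failures[(section, key)] = got
    return failures

# Constructed sample export, not taken from a real server.
SAMPLE = r'''
[System Access]
EnableAdminAccount = 0
EnableGuestAccount = 0
NewAdministratorName = "Administrator"
NewGuestName = "svc-visitor"
[Registry Values]
MACHINE\System\CurrentControlSet\Services\Netlogon\Parameters\RequireSignOrSeal=4,1
MACHINE\System\CurrentControlSet\Services\Netlogon\Parameters\DisablePasswordChange=4,0
MACHINE\System\CurrentControlSet\Services\Netlogon\Parameters\MaximumPasswordAge=4,90
MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\CachedLogonsCount=1,"10"
'''
if __name__ == "__main__": print(audit(SAMPLE))
```

A setting that is absent from the export is reported with `None`, so an unset policy is not mistaken for a compliant one. Real exports are usually UTF-16, so open the file with `encoding="utf-16"` before passing its text to `audit`.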
