Group Policy
Overview of Group Policy
-is simply the easiest way to reach out
and configure computer and user
settings on networks based on Active
Directory Domain Services (AD DS).
-“touch once, configure many.”
Essential Group Policy Concepts
Group Policy Management Console
Group Policy objects
Accounting Security. This is a custom GPO created specifically
for Contoso, Ltd.
Default Domain Controller Policy. Installing the AD DS server
role creates this policy by default. It contains policy settings that
apply specifically to domain controllers.
Default Domain Policy. Installing the AD DS server role
creates this policy by default. It contains policy settings that
apply to all computers and users in the domain.
Group Policy Links
At the top level of AD DS are sites and domains.
Simple implementations will have a single site
and a single domain.
Group Policy Inheritance
-when you link a GPO to the domain, the GPO
applies to the computers and users in every OU
and child OU in the domain. Likewise, when you
link a GPO to an OU, the GPO applies to the
computers and users in every child OU.
Group Policy inheritance and precedence
-the order in which Group Policy applies GPOs
determines precedence. The order is local GPO,
site, domain, OU, and child OUs (LSDOU). A GPO
applied later overwrites conflicting settings from
one applied earlier, so the GPO linked closest to
the computer or user wins. Two switches change
this: a link marked Enforced cannot be overridden
by GPOs below it, and an OU with Block Inheritance
ignores GPOs linked above it (except Enforced ones).
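The precedence rules above can be checked rather than reasoned about. The following PowerShell is an added example, not part of the original deck: it lists the GPOs that reach an OU in the order Group Policy will apply them and flags Enforced links and Block Inheritance. It needs the GroupPolicy module (RSAT or a domain controller); the OU path is an assumption for illustration.

```powershell
# Added example (not from the original deck): show the effective GPO order for an OU.
# Requires the GroupPolicy module. The OU distinguished name below is an assumption.
Import-Module GroupPolicy

function Get-EffectiveGpoOrder {
    param([Parameter(Mandatory)][string]$Target)   # e.g. 'OU=Accounting,DC=contoso,DC=com'

    $inh = Get-GPInheritance -Target $Target
    if ($inh.GpoInheritanceBlocked) {
        Write-Warning "$Target blocks inheritance: only Enforced links from above still apply here."
    }

    # InheritedGpoLinks is returned in precedence order: first entry = highest precedence,
    # i.e. the GPO applied last, which wins any conflicting setting.
    $rank = 0
    foreach ($link in $inh.InheritedGpoLinks) {
        $rank++
        $scope = if ($link.Target -eq $inh.Path) { 'linked here' } else { 'inherited' }
        [pscustomobject]@{
            Precedence = $rank
            GPO        = $link.DisplayName
            LinkedAt   = $link.Target
            Scope      = $scope
            Enabled    = $link.Enabled
            Enforced   = $link.Enforced
        }
    }
}

Get-EffectiveGpoOrder -Target 'OU=Accounting,DC=contoso,DC=com' | Format-Table -AutoSize
```

Site-linked GPOs do not appear in this listing because the site depends on which computer you ask about; for the complete picture for one machine, run gpresult /r (or Get-GPResultantSetOfPolicy) on that machine.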
Group Policy Settings
GPMC is to GPOs and OUs as Windows
Explorer is to files and folders. GPOs are the
policy documents. At some point, you are going
to have to edit one of those documents, though,
and the editor you use is the Group Policy
Management Editor (GPME), which the figure
on the previous slide shows. You open a GPO in
the GPME by right-clicking it in the GPMC and
clicking Edit. Once you are finished, you simply
close the window. The GPME saves your
changes automatically, so you do not have to
save.
GROUP POLICY MANAGEMENT EDITOR
-allows you to directly edit a group
policy and configure the settings that
will affect computers and users.
Policies. Contains policy settings that
Group Policy enforces. Administrative
Template policies are written to the
Policies registry keys on every refresh
and removed again when the GPO stops
applying.
Preferences. Contains preference settings
that you can use to change almost any
registry setting, file, folder, or other
item. By using preference settings, you
can configure applications and Windows
features that are not Group Policy-aware.
Preferences are not enforced: users can
change them afterwards, and the values
stay behind when the GPO is unlinked
unless the item is set to be removed when
it is no longer applied. Never put
passwords in preference items; the
cpassword field they used was encrypted
with a published key, and Microsoft
removed the feature in MS14-025.
Figure 4. Group Policy setting
THE DIFFERENT GROUP POLICY OBJECTS (GPO)
LOCAL GROUP POLICY OBJECT –the collection of Group
Policy settings that applies only to the local computer
and to the users who log on to it. It is used when policy
settings need to apply to a single Windows computer or
user. A local GPO exists by default on every Windows
computer and is processed first, so domain GPOs override it.
NON-LOCAL GROUP POLICY OBJECTS –used when policy
settings have to apply to one or more Windows computers
or users.
-apply to Windows computers or users once they are linked
to Active Directory containers such as sites, domains, or
organizational units. They are stored in AD DS and in the
SYSVOL share of the domain controllers.
STARTER GROUP POLICY OBJECTS
-Introduced in Windows Server 2008, starter GPOs are
templates for Group Policy settings. These objects enable
an administrator to create and have a pre-configured group
of settings that represent a baseline for any future policy to
be created.
GROUP POLICY REFRESH
-Group Policy is automatically refreshed when
you restart the domain member computer, or
when a user logs on to a domain member
computer. In addition, Group Policy is
periodically refreshed. By default, this periodic
refresh is performed every 90 minutes with a
randomized offset of up to 30 minutes; domain
controllers refresh every 5 minutes. Security
settings are reapplied every 16 hours even when
the GPO has not changed. Run gpupdate /force on
a client to refresh without waiting.
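When you change a setting you usually want to see it land before the timer fires. The following PowerShell is an added example, not part of the original deck: it forces a computer policy refresh on a remote member computer and then reads the Group Policy operational log to confirm that processing completed or failed. The computer name is an assumption; the event ID meanings in the comments are the standard ones for that log.

```powershell
# Added example (not from the original deck): force a refresh remotely and confirm it from the log.
# Requires the GroupPolicy module and rights on the target host. 'WS01' is an assumed name.
Import-Module GroupPolicy

$Computer = 'WS01'

# Invoke-GPUpdate schedules gpupdate on the target through Task Scheduler, so the refresh
# happens asynchronously; wait before reading the log.
Invoke-GPUpdate -Computer $Computer -Target Computer -Force -RandomDelayInMinutes 0
Start-Sleep -Seconds 60

function Get-LastPolicyRefresh {
    param([Parameter(Mandatory)][string]$ComputerName)

    # 1500 / 1502 = computer policy processed (no changes / new settings applied)
    # 1501 / 1503 = user policy processed (no changes / new settings applied)
    # 1030 / 1058 = processing failed (could not reach the domain / could not read gpt.ini)
    $filter = @{
        LogName = 'Microsoft-Windows-GroupPolicy/Operational'
        Id      = 1500, 1501, 1502, 1503, 1030, 1058
    }
    Get-WinEvent -ComputerName $ComputerName -FilterHashtable $filter -MaxEvents 6 |
        Select-Object TimeCreated, Id,
            @{ n = 'Result'; e = { if ($_.Id -in 1030, 1058) { 'FAILED' } else { 'ok' } } },
            Message
}

Get-LastPolicyRefresh -ComputerName $Computer | Format-List
```

If the newest event is 1500 rather than 1502, the client saw no GPO version change; check that the edit was saved and replicated to the domain controller the client uses before assuming the setting is broken.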
GROUP POLICY SETTING
-essentially provides a centralized place for
administrators to manage and configure
operating system, application, and user
settings. Group Policies, when used
correctly, can enable you to increase the
security of users’ computers and help
defend against both insider threats and
external attacks.
(https://www.lepide.com>blog>..)
10 Most Important Group Policy Settings for Preventing Security Breaches
1. Moderating Access to Control Panel
-setting limits on a computer’s Control Panel creates a safer
business environment. Through Control Panel, a user can change
most of the computer’s configuration. So, by limiting who can
open it, you reduce the chance of settings being changed or
defences switched off. This is a user-side setting that hides
the interface; it is not a security boundary, so users who can
run other tools can still change the same settings unless those
are locked down separately.
Steps:
a. In Group Policy Management Editor (opened for a custom
GPO), navigate to “User Configuration” > “Policies” >
“Administrative Templates” > “Control Panel”.
b. In the right pane, double-click the “Prohibit access to Control
Panel and PC settings” policy to open its properties.
c. Select “Enabled” from the three options.
d. Click “Apply” and “OK”.
2. Prevent Windows from Storing LAN Manager Hash
-Windows stores user account passwords as “hashes.” Older
versions generate both a LAN Manager hash (LM hash) and a
Windows NT hash (NT hash) of each password and store them in the
local Security Accounts Manager (SAM) database or in Active Directory.
The LM hash is weak: it is case-insensitive, is split into two
7-character halves that are attacked independently, and is only
produced for passwords of 14 characters or fewer, so it can be cracked
quickly. Therefore, you should prevent Windows from storing an LM hash
of your passwords. Windows Vista, Windows Server 2008 and later already
enable this setting by default, but defining it in a GPO makes sure
nobody has turned it off. It only takes effect on the next password
change, so existing LM hashes remain until users change their
passwords, and it does nothing about the NT hash, which can still be
stolen and reused in pass-the-hash attacks.
Perform the following steps to do so:
a. In Group Policy Management Editor window (opened for a custom
GPO), go to “Computer Configuration” > “Policies” > “Windows Settings” >
“Security Settings” > “Local Policies” > “Security Options”.
b. In the right pane, double-click the “Network security: Do
not store LAN Manager hash value on next password
change” policy.
c. Select the “Define this policy setting” checkbox and click
“Enabled”.
d. Click “Apply” and “OK”.
3. Control Access to Command Prompt
-the Command Prompt can be used to run commands that give users
high-level access and evade other restrictions on the system. So, to
protect system resources, it is wise to disable the Command Prompt for
ordinary users.
After you have disabled the Command Prompt and someone tries to open a
command window, the system displays a message stating that some settings
are preventing this action. Keep in mind that the policy only covers
cmd.exe: it does not stop PowerShell, the scripting hosts or other tools,
and its option to block batch-file processing can break logon scripts, so
treat it as a usability restriction rather than a security boundary.
Perform the following steps:
a. In the Group Policy Management Editor window (opened for a custom GPO),
go to “User Configuration” > “Policies” > “Administrative
Templates” > “System”.
b. In the right pane, double-click the “Prevent access to the command
prompt” policy.
c. Click “Enabled” to apply the policy.
d. Click “Apply” and “OK”.
4. Disable Forced System Restarts
-forced system restarts are common. For example, you may face a situation where
you were working on your computer and Windows displays a message stating that
your system needs to restart because of a security update.
In many cases, if you fail to notice the message or take some time to respond, the
computer restarts automatically, and you lose important, unsaved work. Keep in
mind that a security update only protects the machine once it has restarted, so
pair this setting with a restart deadline rather than leaving reboots open-ended.
To disable forced restart through GPO, perform the following steps:
a. In the “Group Policy Management Editor” window (opened for a custom
GPO), go to “Computer Configuration” > “Policies” > “Administrative Templates” >
“Windows Components” > “Windows Update”.
b. In the right pane, double-click the “No auto-restart with
logged on users for scheduled automatic updates
installations” policy.
c. Click “Enabled” to enable the policy.
d. Click “Apply” and “OK”.
5. Disallow Removable Media Drives, DVDs, CDs, and Floppy Drives
Removable media drives are a common infection vector and may carry a
virus or other malware. If a user plugs an infected drive into a network
computer, it can affect the entire network. Similarly, DVDs, CDs and floppy
drives are prone to infection, and removable storage is also an easy way to
copy data out of the organization.
It is therefore best to disable all these drives entirely. The setting below
exists under both User Configuration and Computer Configuration; the Computer
Configuration version applies no matter who logs on. It blocks storage classes
only, so USB keyboards and mice keep working. Perform the following steps to
do so:
a. In Group Policy Management Editor window (opened for a
custom GPO), go to “User Configuration” > “Policies” > “Administrative
Templates” > “System” > “Removable Storage Access”.
b. In the right pane, double-click the “All Removable Storage
classes: Deny all access” policy.
c. Click “Enabled” to enable the policy.
d. Click “Apply” and “OK”.
6. Restrict Software Installations
When you give users the freedom to install software, they may
install unwanted apps that compromise your system, and system
admins then have to routinely clean up such systems. To be on the
safe side, it is advisable to prevent software installations through
Group Policy. This setting only affects Windows Installer (.msi)
packages installed per user; it does not stop other installers or
portable executables, for which AppLocker or Windows Defender
Application Control is the right tool.
a. In Group Policy Management Editor (opened for a custom GPO),
go to “Computer Configuration” > “Policies” > “Administrative Templates” >
“Windows Components” > “Windows Installer”.
b. In the right pane, double-click the “Prohibit User Installs”
policy.
c. Click “Enabled” to enable the policy.
d. Click “Apply” and “OK”.
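Items 1, 3, 4, 5 and 6 are all Administrative Template settings, which means each one is a single registry value under a Policies key, and that is how you script them. The following PowerShell is an added example, not part of the original deck or of any Lepide tooling: it creates one GPO that carries those five settings, links it to an OU and reads the values back. The GPO name, OU path and domain are assumptions; the registry keys and value names are the ones the corresponding ADMX policies write.

```powershell
# Added example (not from the original deck): script items 1, 3, 4, 5 and 6 into one GPO.
# Requires the GroupPolicy module and rights to create and link GPOs.
# The GPO name and OU distinguished name are assumptions for illustration.
Import-Module GroupPolicy

$GpoName = 'Workstation Lockdown'
$OuPath  = 'OU=Workstations,DC=contoso,DC=com'

$gpo = Get-GPO -Name $GpoName -ErrorAction SilentlyContinue
if (-not $gpo) { $gpo = New-GPO -Name $GpoName -Comment 'Admin Template items 1,3,4,5,6' }

# HKCU keys land in User Configuration, HKLM keys in Computer Configuration.
$settings = @(
    # 1. Prohibit access to Control Panel and PC settings (user side)
    @{ Key = 'HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer'; ValueName = 'NoControlPanel'; Value = 1 }
    # 3. Prevent access to the command prompt (user side).
    #    Per the ADMX: 2 = block cmd.exe but still run .bat/.cmd scripts, 1 = block both.
    @{ Key = 'HKCU\Software\Policies\Microsoft\Windows\System'; ValueName = 'DisableCMD'; Value = 2 }
    # 4. No auto-restart with logged on users for scheduled automatic updates installations
    @{ Key = 'HKLM\Software\Policies\Microsoft\Windows\WindowsUpdate\AU'; ValueName = 'NoAutoRebootWithLoggedOnUsers'; Value = 1 }
    # 5. All Removable Storage classes: Deny all access (user side, as in the deck)
    @{ Key = 'HKCU\Software\Policies\Microsoft\Windows\RemovableStorageDevices'; ValueName = 'Deny_All'; Value = 1 }
    # 6. Prohibit User Installs (Windows Installer, per-user MSI installs)
    @{ Key = 'HKLM\Software\Policies\Microsoft\Windows\Installer'; ValueName = 'DisableUserInstalls'; Value = 1 }
)

foreach ($s in $settings) {
    Set-GPRegistryValue -Name $GpoName -Key $s.Key -ValueName $s.ValueName -Type DWord -Value $s.Value | Out-Null
}

# Link the GPO to the OU once; New-GPLink enables the link by default.
$alreadyLinked = (Get-GPInheritance -Target $OuPath).GpoLinks | Where-Object { $_.DisplayName -eq $GpoName }
if (-not $alreadyLinked) { New-GPLink -Name $GpoName -Target $OuPath | Out-Null }

# Read the values back from the GPO so the change can be reviewed before clients refresh.
foreach ($s in $settings) {
    Get-GPRegistryValue -Name $GpoName -Key $s.Key -ValueName $s.ValueName |
        Select-Object @{ n = 'Hive'; e = { $s.Key.Split('\')[0] } }, ValueName, Type, Value
}
```

Because these are policy (not preference) values, they are rewritten on every refresh and removed again when the GPO is unlinked. Items 2 and 7 to 10 are Security Settings; they are stored in the GPO's GptTmpl.inf rather than in registry.pol and are set in the GPME as the deck describes, not with Set-GPRegistryValue.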
7. Disable Guest Account
Through a Guest account, users can get access to sensitive data.
Such an account grants access to a Windows computer and does not
require a password, so enabling it means anyone who can reach the
system can use it.
-the built-in Guest account is disabled by default. It is best to
check that this is the case in your IT environment, because if the
account has been enabled on any computer in your domain, disabling it
through Group Policy prevents people from abusing that access:
a. In Group Policy Management Editor (opened for a
custom GPO), go to “Computer Configuration” > “Policies” > “Windows
Settings” > “Security Settings” > “Local Policies” > “Security
Options”.
b. In the right pane, double-click the “Accounts: Guest account
status” policy.
c. Select the “Define this policy setting” checkbox and click
“Disabled”.
d. Click “Apply” and “OK”.
8. Set Minimum Password Length to Higher Limits
Set the minimum password length to higher limits. For example, for
elevated accounts, passwords should be set to at least 15 characters,
and for regular accounts at least 12 characters. Setting a lower value
for minimum password length creates unnecessary risk. The Default
Domain Policy sets 7 characters and the local policy of a standalone
computer defaults to zero, so you will have to specify a number.
Two caveats: for domain accounts, Account Policies are only read from
GPOs linked at the domain level (a GPO linked to an OU changes only the
local accounts of the computers in that OU; use fine-grained password
policies for per-group rules), and values above 14 are only accepted on
Windows versions that support the “Relax minimum password length limits”
security option.
a. In Group Policy Management Editor window (opened for a GPO linked
to the domain), go to “Computer Configuration” > “Policies” > “Windows
Settings” > “Security Settings” > “Account Policies” > “Password Policy”.
b. In the right pane, double-click the “Minimum password length”
policy and select the “Define this policy setting” checkbox.
c. Specify a value for the password length.
d. Click “Apply” and “OK”.
9. Set Maximum Password Age to Lower Limits
If you set the password expiration age to a lengthy period of time,
users will not have to change it very frequently, so a stolen
password stays valid for longer. Shorter expiration periods limit
that window. Be aware, though, that current guidance (NIST SP 800-63B,
and the Microsoft security baseline, which dropped its expiration
recommendation in 2019) holds that forced rotation pushes users toward
predictable passwords and should be replaced by long passwords,
breached-password screening and multi-factor authentication, with
rotation on evidence of compromise.
Windows’ default maximum password age is set to 42 days. The
following screenshot shows the policy setting used for configuring
“Maximum Password Age”. As with item 8, the setting only governs
domain accounts when the GPO is linked at the domain level. Perform
the following steps:
a. In Group Policy Management Editor window (opened for a GPO
linked to the domain), go to “Computer Configuration” > “Policies” >
“Windows Settings” > “Security Settings” > “Account Policies” >
“Password Policy”.
b. In the right pane, double-click the “Maximum password
age” policy.
c. Select the “Define this policy setting” checkbox and
specify a value.
d. Click “Apply” and “OK”.
10. Disable Anonymous SID Enumeration
Active Directory assigns a unique number to every security principal,
including users, groups and computers, called a Security Identifier
(SID). On older Windows versions, an anonymous (null-session)
connection could list SAM accounts and shares and translate SIDs to
names, which lets an attacker identify important users and groups
before trying a single credential. Two Security Options control this.
“Network access: Allow anonymous SID/Name translation” is Disabled by
default; make sure it stays that way. “Network access: Do not allow
anonymous enumeration of SAM accounts and shares” is Disabled by
default on workstations and member servers, so enable it with the
steps below. These settings cover SAM and SMB enumeration; on domain
controllers, anonymous LDAP access is governed separately by the
dSHeuristics attribute. Perform the following steps:
a. In Group Policy Management Editor window, go to
“Computer Configuration” > “Policies” > “Windows
Settings” > “Security Settings” > “Local Policies” > “Security
Options”.
b. In the right pane, double-click the “Network access:
Do not allow anonymous enumeration of SAM
accounts and shares” policy setting.
c. Choose “Enabled” and then click “Apply” and “OK” to
save your settings.
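Items 2, 7, 8, 9 and 10 are Security Settings, so the useful check is not the GPO but the state that actually reached a member computer. The following PowerShell is an added example, not part of the original deck: run elevated on the target host, it exports the effective local security policy with secedit (which includes whatever the linked GPOs pushed), reads the two LSA values from the registry, and reports pass or fail against thresholds that are this example's assumptions chosen to match the advice above.

```powershell
# Added example (not from the original deck): audit items 2, 7, 8, 9 and 10 on a member computer.
# Run in an elevated PowerShell on the host you want to check. Thresholds are assumptions.

function Get-LocalSecurityPolicy {
    # secedit writes an INF; parse "Name = Value" lines into a hashtable.
    $cfg = Join-Path $env:TEMP 'secpol-audit.inf'
    secedit.exe /export /cfg $cfg /quiet | Out-Null
    $policy = @{}
    foreach ($line in Get-Content $cfg) {
        if ($line -match '^\s*([^=\[;]+?)\s*=\s*(.*)$') { $policy[$matches[1]] = $matches[2].Trim() }
    }
    Remove-Item $cfg -Force
    return $policy
}

function Test-HardeningBaseline {
    $pol = Get-LocalSecurityPolicy
    # Absent registry values read as 0 here, which is reported as a failure.
    $lsa = Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'

    $checks = @(
        # 2. Network security: Do not store LAN Manager hash value on next password change
        @{ Item = '2.  NoLMHash';              Actual = [int]$lsa.NoLMHash;                   Expected = 1;  Rule = 'eq' }
        # 7. Accounts: Guest account status (0 = disabled)
        @{ Item = '7.  EnableGuestAccount';    Actual = [int]$pol['EnableGuestAccount'];      Expected = 0;  Rule = 'eq' }
        # 8. Minimum password length (assumed floor: 12, the deck's value for regular accounts)
        @{ Item = '8.  MinimumPasswordLength'; Actual = [int]$pol['MinimumPasswordLength'];   Expected = 12; Rule = 'ge' }
        # 9. Maximum password age in days (assumed ceiling: 42). secedit reports -1 for "never expires",
        #    so the rule requires 1..42 rather than a plain "less than or equal".
        @{ Item = '9.  MaximumPasswordAge';    Actual = [int]$pol['MaximumPasswordAge'];      Expected = 42; Rule = 'age' }
        # 10. Network access: Do not allow anonymous enumeration of SAM accounts and shares (RestrictAnonymous = 1)
        @{ Item = '10. RestrictAnonymous';     Actual = [int]$lsa.RestrictAnonymous;          Expected = 1;  Rule = 'eq' }
    )

    foreach ($c in $checks) {
        $ok = switch ($c.Rule) {
            'eq'  { $c.Actual -eq $c.Expected }
            'ge'  { $c.Actual -ge $c.Expected }
            'age' { ($c.Actual -ge 1) -and ($c.Actual -le $c.Expected) }
        }
        [pscustomobject]@{
            Item     = $c.Item
            Actual   = $c.Actual
            Expected = "$($c.Rule) $($c.Expected)"
            Pass     = $ok
        }
    }
}

Test-HardeningBaseline | Format-Table -AutoSize
```

On a domain member, items 8 and 9 reflect the domain-level Account Policies for domain accounts only if the GPO was linked at the domain root; a value that looks right here but was set in an OU-linked GPO applies to local accounts on this computer alone, which is exactly the mistake this check is meant to surface.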
A.Group Policy and group policy obj.pptx