In the enterprise, one of the most common ways to configure Microsoft Windows computers is with group policy. For the most part, group policies are settings pushed into a computer's registry to configure security settings and other operational behaviors. Group policies can be pushed down from Active Directory (actually, they're pulled down by the client) or by configuring local group policy.
The ability to set and configure security settings using group policy is one of the big advantages of working with Windows computers. Yes, many operating systems today have comparable management systems, but Windows has had group policies since Windows NT 4.0 Service Pack 4, released in October 1998. Ah, I can still remember using secedit.exe to configure local group policies. Active Directory-based group policies didn't come until Windows 2000 in February 2000. Still, that's well over a decade of experience in "managing" computer security in an enterprise way.
I've been doing Windows computer security since about 1990. Let's just say that I've seen a lot of group policies. In the work I do for customers, I most often get paid to scrutinize each group policy setting within each group policy object. With Windows 8.1 and Windows Server 2012 R2, there are more than 3,700 settings for the operating system alone. I'm not counting the many hundreds that might be set for Internet Explorer or all the ones that might be set for applications like Microsoft Office.
Let me let you in on a little secret: I care about only 10 of the settings.
I'm not saying you should stop at these 10, since each properly configured group policy setting can reduce risk. I'm just sharing with you the fact that 10 settings determine most of your risk -- everything else is gravy. When I start looking at a new group policy I've never seen before, the first thing I do is scan these 10 settings. If they're set correctly, I know the customer is basically doing the right thing and my job is going to be easier.
The top 10 Windows group policy settings
Get these 10 settings right, and you'll go a long way toward making your Windows environment more secure. Each of these falls under the Computer Configuration\Windows Settings\Security Settings leaf.
Rename the Local Administrator Account: If the bad guy doesn't know the name of your Administrator account, he'll have a much harder time hacking it.
Disable the Guest Account: One of the worst things you can do is to enable this account. It grants a fair amount of access on a Windows computer and has no password. Enough said!
Disable LM and NTLMv1: The LM (LAN Manager) and NTLMv1 authentication protocols have vulnerabilities. Force the use of NTLMv2 and Kerberos. By default, most Windows systems will accept all four protocols. Unless you have really old, unpatched systems (that is, more than 10 years old), there's rarely a reason to use the older protocols.
Disable LM hash storage: LM password hashes are easily convertible to their plaintext password equivalents. Don't allow Windows to store them on disk, where a hacker hash dump tool would find them.
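As an added example that is not from the original article, the following PowerShell function (the name Test-TopGroupPolicySettings is my own) audits a local machine against the four settings just listed by reading the registry values those policies write (LmCompatibilityLevel and NoLMHash under HKLM\SYSTEM\CurrentControlSet\Control\Lsa) and the local account database. It assumes the Microsoft.PowerShell.LocalAccounts module (Windows 10 / Server 2016 and later) and that a missing registry value means the OS default applies.

```powershell
# Added audit example (not from the original article). Reads the registry
# values that the four policies above write, plus the local account list.
function Test-TopGroupPolicySettings {
    $lsa = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
    $results = @()

    # 1. The built-in Administrator keeps RID 500 whatever it is renamed to,
    #    so find it by SID rather than by name.
    $admin = Get-LocalUser | Where-Object { $_.SID.Value -like '*-500' }
    $results += [pscustomobject]@{
        Setting = 'Rename the local Administrator account'
        Value   = $admin.Name
        Pass    = ($admin.Name -ne 'Administrator')
    }

    # 2. The built-in Guest account is RID 501 and must be disabled.
    $guest = Get-LocalUser | Where-Object { $_.SID.Value -like '*-501' }
    $results += [pscustomobject]@{
        Setting = 'Disable the Guest account'
        Value   = "Enabled=$($guest.Enabled)"
        Pass    = (-not $guest.Enabled)
    }

    # 3. "Network security: LAN Manager authentication level" writes
    #    LmCompatibilityLevel; 5 = send NTLMv2 only, refuse LM and NTLMv1.
    #    Assumption: a missing value means the OS default (3 on Vista and later).
    $lmLevel = (Get-ItemProperty -Path $lsa -Name LmCompatibilityLevel -ErrorAction SilentlyContinue).LmCompatibilityLevel
    if ($null -eq $lmLevel) { $lmLevel = 3 }
    $results += [pscustomobject]@{
        Setting = 'Disable LM and NTLMv1 (LmCompatibilityLevel)'
        Value   = $lmLevel
        Pass    = ($lmLevel -ge 5)
    }

    # 4. "Network security: Do not store LAN Manager hash value on next
    #    password change" writes NoLMHash; 1 = LM hashes are not stored.
    #    Assumption: a missing value means the OS default (1 on Vista and later).
    $noLmHash = (Get-ItemProperty -Path $lsa -Name NoLMHash -ErrorAction SilentlyContinue).NoLMHash
    if ($null -eq $noLmHash) { $noLmHash = 1 }
    $results += [pscustomobject]@{
        Setting = 'Disable LM hash storage (NoLMHash)'
        Value   = $noLmHash
        Pass    = ($noLmHash -eq 1)
    }

    return $results
}

Test-TopGroupPolicySettings | Format-Table -AutoSize
```

Run it in an elevated PowerShell session; a Pass value of False on any row points at the group policy setting that still needs attention.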