Eight Important Group Policies to Secure your Environment

1. Software Restriction policySoftware restriction policy is another critical Group Policy used to restrict the users from accessing any pre-installed or newly installed application. Using this policy you can restrict user to run a specific software on their desktops. Users would not be able to run the Software that would you restrict for them. It is important for the Organization where you don’t want users to use any unauthorized software on their desktops.

2. Disable USB portsUSB is one of the most common methods of connecting media devices like hard disks, pen drives and cameras to computers through USB ports. Most of the organizations are continuous under threat of stealing their critical data. Therefore, they want to disable USB ports to prevent copying of their confidential data or injecting of harmful viruses in their network. This is very important policy that Organizations are deploying to secure their environment.

3. Folder Redirection: Folder redirection is another important Group Policy to be deployed in Organizations. It can be used to redirect Domain User data to the network location. It not only helps in keeping track of user data but it also helps in taking backup of critical data. Some of the special folder redirection policies that can be deployed are Application Data, Desktop, My Documents, Picture, Start menu, etc.

4. Install software remotely: Install Software remotely is another critical Group Policy that most of the Organizations are using to automate the process of deploying Softwares using the single console. Using this GPO, you can deploy software packages e.g. MSI packages on all the Domain Computers. This prevents the manual intervention required to install Software packages on large number of Desktops and Laptops.

5. Item Level Targeting: Another critical Group Policy that can be used to target certain set of users. In item level targeting, we target the group policy to be deployed on the certain set of users. The Group policy is linked to an OU, but the policy is deployed only to the targeted users that are the members of the security group and not to the entire population. It is crucial for the environments in which you don’t want GPOs to be executed to certain set of users.

6. Hide Drives: Hide drives using group policy is very important requirement coming from many organizations, primarily from the Organizations who wants their environment to be secure. This policy allows us to remove or hide the hard drive icons from “my computer” and file explorer. Through this policy, we can only remove the icons of hard drives, but we still access it through different methods. In every organization, there is some important documents or file which are in particular drive but we want to restrict the users to access them, then this policy helps a lot to secure the organization documents.

7. Disable shutdown: Another critical Group Policy is to disable the icons of the Shutdown, Restart, Hibernate from the start menu. The only option left to the user regarding power options are logoff and switch user. After enabling this policy all the power options except logoff and switch user would be disabled from the start menu as well as from the Ctrl+Alt+Del option.

8. Password Policy: The most simple and easy technique of authenticating user’s identity is using a password. Users should always keep strong passwords for enhancing their security. A network is said secured only when all the users use strong passwords to prevent the security lapse. Sometimes, users keep passwords that are easy to guess or not change passwords frequently. It is a negligence in security.

To prevent all security issues related to user’s password, some password policies are pre-defined. These pre-defined group policies are configured in the GPO naming “Default Domain Policy”  and is linked with the domain. The path of password policy in GPME console is “Computer Configuration\Policies\Windows Settings\Security Settings\Account Policies\Password Policy “. Here, settings are pre-defined with its default values but we can change these values as per our requirements.

  1. Enforce password history:                                      24 passwords
  2. Maximum password age:                                        42 days
  3. Minimum password age:                                         1 day
  4. Minimum password length:                                    7 characters
  5. Password must meet complexity requirements: Enabled
  6. Store passwords using reversible encryption:     Disabled

Enforce password history record last 24 unique passwords of the users so that they cannot repeat passwords frequently. This will enhance the security of user accounts and administrators can ensure that old passwords cannot be used continuously.

Maximum password age setting determines the time period in days that a single password can be used for. The default value of this policy is 42 days but we can set any value between 1 to 999 days. If we set the value to 0 then password will never expire.

Minimum password age setting determines the minimum age of the password. Users can change a password again only after this period. The default value of this policy is 1 day and we can set any value between 1 to 998 days. The minimum password age must be less than maximum password age.

Minimum password length setting determines the least number of characters that must contain in password set by users. The default value is 7 but we can change the value between 1 to 14 characters.

Password must meet complexity requirements setting determines that the password should meet minimum requirements like should have minimum 6 characters in length, should have both uppercase and lowercase alphabets and have special characters (!, @, #, $ etc).

Store passwords using reversible encryption determines whether the Operating System stores passwords using reversible encryption. By default it is disabled.


Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s

%d bloggers like this: