In enterprises using Microsoft technology, Windows security can be largely ensured through Group Policy Objects (GPO). Although, the security settings can be implemented at the system level as well using Local Security Settings, GPO is considered a preferred option as you can centrally enforce security settings for the entire network as per the organisation’s security policy.
However, when it comes to configuring GPO settings, the important consideration is which one to configure and which one to leave as there are thousands of GPO settings related to the operating system alone. Taking all components into account such as browser, apps like MS Office, removable devices etc, the total number of settings could be overwhelming.
But we can certainly focus on some settings that can be considered more important than the others. Though there is no hard and fast rule to determine the importance of one setting over the other, based on the advice of Windows Security experts we can certainly keep some of the GPO settings at higher priority:
- Deny local administrator access to the end user as it gives ultimate control to the end user of their system. This setting is found under User Configuration\Preferences\Control Panel.
- Configure appropriate Windows Firewall with Advanced Security if you are relying solely on Windows security. This settings falls under Computer Configuration\Policies\Windows Settings\Security Settings\Windows Firewall with Advanced Security.
- Disable Guest Account access to disable random users from accessing any system. The settings can be found under: Computer Configuration\Windows Setting\Security Settings.
- Set the minimum password length and maximum password age to higher and lower values respectively. These settings will protect you from password related risks and are found under: Computer Configuration\Windows Setting\Security Settings.
- Configure WSUS update settings to let system obtain automatic updates from Windows Server Update Services (WSUS). Of course, this should be done if your organisational data bandwidth can afford.
- Configure secure User Account Controls settings. A typical example where this setting is relevant is when you run an application setup file.
The settings discussed above, as already mentioned, are only a few of thousands that are available in GPO. These settings may not secure you from most of the threats that a Windows network can be exposed to but should be looked at on higher priority than other settings.
GPO settings are one of the most effective ways to ensure Windows security. In the their latest release Windows Server 2012 and Windows 8, Microsoft has introduced some new GPO setting making the total count of manageable system policies through Active Directory Group Policy to over three and half thousand. If you could master them as per as your requirements you can certainly create a secure Windows environment controlling all computers (servers and clients) and User Account accesses in the network.