Windows Server 2016/2019 Group Policy security settings

Group Policy administrative templates let you configure numerous system settings, either computer or user based. Today I will present computer settings that directly affect system security and attack surface.
By Leos Marek

Over the last couple of months, I wrote several posts related to Windows Server security best practices. All were based on recommendations from the Center for Internet Security (CIS) organization. The most recent one focused on audit policy configuration.

Administrative templates help configure the behavior of system components, like Internet Explorer, or the end-user experience, like the Start menu layout. Some also affect system behavior in ways that introduce security risks. In this post, I have selected important settings you should consider adding to your security baseline policy.

As usual, the format is as follows:

Name of the setting: Recommended value

Regional and Language Options ^

Allow input customization: Disabled

Allow online tips: Disabled

Input personalization enables speech learning, inking, and typing personalization. It is required for using Cortana. Online tips enable retrieval of tips and help content for the Settings app. Both features, when enabled, may result in sensitive data being stored in the users' OneDrive, on Microsoft servers, or on third-party servers, which is rarely acceptable for a server.

MS Security Guide ^

This section is not included in Group Policy by default; you need to download it from Microsoft as part of the Security Compliance Toolkit. After extracting the toolkit, you will find the SecGuide.admx and SecGuide.adml files in the Templates folder. To import them, copy the .admx file to the %SystemRoot%\PolicyDefinitions folder and the .adml file to the matching language subfolder, %SystemRoot%\PolicyDefinitions\<language> (in my case en-US). If your domain uses a Central Store, copy the files to \\<domain>\SYSVOL\<domain>\Policies\PolicyDefinitions (and its language subfolder) instead, so that every Group Policy Management Console in the domain sees them. Restart the Group Policy Editor, and you will find the new section we just imported.
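The import described above, as an added PowerShell example (not the author's script): it locates the two template files under an assumed extraction folder, installs them into the local policy store and, only if one already exists, into the domain Central Store. The $TemplateFolder path and the language name are assumptions you will need to adjust.

```powershell
# Added example, not from the original post. Installs SecGuide.admx/.adml into the local
# policy store and into the Central Store when the domain already has one.
param(
    [string]$TemplateFolder = 'C:\Temp\SCT\Templates',   # assumed extraction path of the toolkit
    [string]$Language       = 'en-US'                     # assumed display language of the .adml
)

$admx = Get-ChildItem -Path $TemplateFolder -Filter 'SecGuide.admx' -Recurse | Select-Object -First 1
$adml = Get-ChildItem -Path $TemplateFolder -Filter 'SecGuide.adml' -Recurse |
        Where-Object { $_.Directory.Name -eq $Language -or $_.Directory.FullName -eq $TemplateFolder } |
        Select-Object -First 1
if (-not $admx -or -not $adml) { throw "SecGuide.admx/.adml not found under $TemplateFolder" }

# Local store: what gpedit.msc on this machine reads.
$stores = @("$env:SystemRoot\PolicyDefinitions")

# Central Store: use it only if it already exists. Creating it makes it authoritative for
# every GPMC in the domain, so all other ADMX files would then have to be copied there too.
if ($env:USERDNSDOMAIN) {
    $central = "\\$env:USERDNSDOMAIN\SYSVOL\$env:USERDNSDOMAIN\Policies\PolicyDefinitions"
    if (Test-Path $central) { $stores += $central }
}

foreach ($store in $stores) {
    $langDir = Join-Path $store $Language
    if (-not (Test-Path $langDir)) { New-Item -ItemType Directory -Path $langDir | Out-Null }
    Copy-Item -Path $admx.FullName -Destination $store   -Force   # .admx next to the other templates
    Copy-Item -Path $adml.FullName -Destination $langDir -Force   # .adml into the language subfolder
    Write-Host "Installed SecGuide template into $store"
}
# Close and reopen gpedit.msc or GPMC; the 'MS Security Guide' node appears under
# Computer Configuration > Administrative Templates.
```

The script deliberately refuses to create a Central Store on its own: once the folder exists in SYSVOL, GPMC ignores the local PolicyDefinitions folder entirely, so a half-populated Central Store hides every other template.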

MS Security Guide settings


Configure SMB v1 server: Disabled

Configure SMB v1 client driver: Enabled: Disable driver

Both settings control the Server Message Block v1 (SMBv1) client and server behavior. SMBv1 is a roughly 30-year-old protocol and as such is far more vulnerable than SMBv2 and SMBv3; it lacks the pre-authentication integrity, encryption, and signing improvements of the newer dialects. Microsoft recommends completely disabling SMBv1 on your network. Be careful with the client driver setting: do not set it to Disabled, because that leaves the MrxSmb10 driver active and breaks the LanmanWorkstation service dependencies. The correct setting is Enabled: Disable driver, which sets the driver's start type to disabled and removes it from the workstation service's dependency list.

Note: In case you have an older device on your network, like a network printer, make sure it supports SMBv2 or higher before disabling SMBv1. Recently we had this issue where scanning to a shared folder didn't work because the printer only supported SMBv1.
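Before flipping the two SMBv1 settings, it pays to find out who still speaks SMBv1 to your file servers. The following added example (mine, not from the original post) runs on a file server: it reports whether SMBv1 is still enabled or installed, lists live sessions negotiated below SMB 2.0.2, and, after SMB1 access auditing has been on for a while, extracts the client addresses from audit event 3000. The regular expression over the event message is an assumption about its wording.

```powershell
# Added example, not from the original post. Inventory SMBv1 usage on this file server
# before the protocol is disabled by Group Policy.

function Get-Smb1Dependencies {
    # 1. Server-side state: is the protocol enabled, is auditing on, is the feature installed?
    $cfg = Get-SmbServerConfiguration
    [pscustomobject]@{ Check = 'SMB1 protocol enabled';     Value = $cfg.EnableSMB1Protocol }
    [pscustomobject]@{ Check = 'SMB1 access auditing';      Value = $cfg.AuditSmb1Access }
    $feat = Get-WindowsFeature -Name FS-SMB1 -ErrorAction SilentlyContinue
    [pscustomobject]@{ Check = 'FS-SMB1 feature installed'; Value = [bool]$feat.Installed }

    # 2. Sessions currently connected with a dialect below SMB 2.0.2 are SMBv1 sessions.
    Get-SmbSession | ForEach-Object {
        $v = $_.Dialect -as [version]
        if ($v -and $v -lt [version]'2.0.2') {
            [pscustomobject]@{
                Check = 'Live SMB1 session'
                Value = "$($_.ClientComputerName) ($($_.ClientUserName)) dialect $($_.Dialect)"
            }
        }
    }

    # 3. Clients recorded by SMB1 auditing (event 3000). Leave auditing on for a couple of
    #    weeks so that occasional jobs, such as scan-to-folder, show up too.
    Get-WinEvent -FilterHashtable @{ LogName = 'Microsoft-Windows-SMBServer/Audit'; Id = 3000 } -ErrorAction SilentlyContinue |
        ForEach-Object { if ($_.Message -match 'Client Address:\s*(\S+)') { $Matches[1] } } |   # assumed message format
        Sort-Object -Unique |
        ForEach-Object { [pscustomobject]@{ Check = 'Audited SMB1 client'; Value = $_ } }
}

# Turning auditing on does not change SMB behavior; it only starts writing event 3000.
Set-SmbServerConfiguration -AuditSmb1Access $true -Force
Get-Smb1Dependencies | Format-Table -AutoSize

# The same server as an SMB *client*: connections it currently holds over SMBv1.
Get-SmbConnection | ForEach-Object {
    $v = $_.Dialect -as [version]
    if ($v -and $v -lt [version]'2.0.2') { $_ | Select-Object ServerName, ShareName, Dialect }
}
```

Run the function again a few days after enabling auditing; the 'Audited SMB1 client' rows are the devices (printers, NAS boxes, old appliances) that will break when the policy lands, and each needs a firmware update or a replacement before the change.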

Apply UAC restrictions to local accounts on network logons: Enabled

Local accounts are a high risk, especially when configured with the same password on multiple servers, because one stolen credential or hash then opens every machine. This setting controls whether a local account can be used to connect to a remote server over the network, for example, to the C$ share. When enabled, User Account Control (UAC) token filtering strips the administrative privileges from the network logon token of local accounts, so the access is denied. This is the default behavior (it corresponds to the registry value LocalAccountTokenFilterPolicy = 0), but the policy prevents anyone from turning it off. Note that the built-in Administrator account (RID 500) is exempt from the filtering, which is one more reason to give it a unique password on every server.

Lanman Workstation ^

Enable insecure guest logons: Disabled

By default, a Windows Server 2016 SMB client allows insecure guest logons, which network-attached storage (NAS) devices acting as file servers commonly rely on. Because these are unauthenticated logons, features like SMB signing and SMB encryption are disabled for the session, which makes such connections vulnerable to man-in-the-middle attacks. Windows Server 2019 (like Windows 10 version 1709 and later) already rejects insecure guest logons by default; the policy makes the behavior explicit and extends it to Server 2016. Windows file servers require SMB authentication by default, so the setting only affects access to third-party shares.

DNS Client ^

Turn off multicast name resolution: Enabled

Link-local multicast name resolution (LLMNR) is a secondary name resolution protocol that uses multicast over the local network. When DNS fails to resolve a name (a typo in a UNC path is enough), the client asks the whole segment, and any host can answer. An attacker can listen for such requests (LLMNR on UDP port 5355, and similarly NetBIOS name service on UDP port 137) and respond to them, pointing the client at an attacker-controlled host, which typically then receives the client's NTLM authentication attempt. This is called local name resolution poisoning. Note that this setting only turns off LLMNR; NetBIOS over TCP/IP must be disabled separately, per network adapter.

Fonts ^

Enable font providers: Disabled

This prevents Windows from downloading fonts from online font providers. A server has no business fetching code-like content from the Internet on its own; the IT department should first test and approve all system changes.

Network Connections ^

Prohibit installation and configuration of Network Bridge on your DNS domain network: Enabled

Network Bridge lets a user connect two or more physical networks together and forward traffic between them, which silently defeats any network segmentation the server sits in. This could lead to unauthorized data transfer or malicious activity reaching the domain network from the bridged network.
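To verify that the whole set of settings above actually took effect on a server (after gpupdate, or on a machine you suspect is not in the right OU), the following added example, mine rather than the author's, reads the registry values each policy writes and reports compliance. The key and value names are the ones the corresponding ADMX templates set; the two checks at the end cover what the policies do not: the per-adapter NetBIOS setting discussed under DNS Client, and the SMB client's event 31017, which records guest logons rejected once the Lanman Workstation setting is in place.

```powershell
# Added example, not from the original post. Reports the effective state of every setting
# in this article on the local server. Absent values count as non-compliant unless AbsentOk
# marks the absence as the secure default.

$checks = @(
    @{ Setting = 'Allow input personalization: Disabled'
       Path = 'HKLM:\SOFTWARE\Policies\Microsoft\InputPersonalization'; Name = 'AllowInputPersonalization'; Expected = 0 }
    @{ Setting = 'Allow online tips: Disabled'
       Path = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer'; Name = 'AllowOnlineTips'; Expected = 0 }
    @{ Setting = 'Configure SMB v1 server: Disabled'
       Path = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters'; Name = 'SMB1'; Expected = 0 }
    @{ Setting = 'Configure SMB v1 client driver: Enabled: Disable driver'
       Path = 'HKLM:\SYSTEM\CurrentControlSet\Services\MrxSmb10'; Name = 'Start'; Expected = 4; AbsentOk = $true }   # no key = driver not installed
    @{ Setting = 'Apply UAC restrictions to local accounts on network logons: Enabled'
       Path = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'; Name = 'LocalAccountTokenFilterPolicy'; Expected = 0; AbsentOk = $true }   # absent = default filtering
    @{ Setting = 'Enable insecure guest logons: Disabled'
       Path = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\LanmanWorkstation'; Name = 'AllowInsecureGuestAuth'; Expected = 0 }
    @{ Setting = 'Turn off multicast name resolution: Enabled'
       Path = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\DNSClient'; Name = 'EnableMulticast'; Expected = 0 }
    @{ Setting = 'Enable font providers: Disabled'
       Path = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\System'; Name = 'EnableFontProviders'; Expected = 0 }
    @{ Setting = 'Prohibit installation and configuration of Network Bridge: Enabled'
       Path = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\Network Connections'; Name = 'NC_AllowNetBridge_NLA'; Expected = 0 }
)

function Test-BaselineSetting {
    foreach ($c in $checks) {
        $item   = Get-ItemProperty -Path $c.Path -Name $c.Name -ErrorAction SilentlyContinue
        $actual = if ($item) { $item.($c.Name) } else { $null }
        $ok     = if ($null -eq $actual) { [bool]$c.AbsentOk } else { $actual -eq $c.Expected }
        [pscustomobject]@{
            Setting   = $c.Setting
            Actual    = if ($null -eq $actual) { '(absent)' } else { $actual }
            Expected  = $c.Expected
            Compliant = $ok
        }
    }
}

Test-BaselineSetting | Format-Table -AutoSize -Wrap

# 1. 'Turn off multicast name resolution' silences LLMNR only. NetBIOS name service (UDP 137)
#    is configured per adapter: NetbiosOptions 0 = use DHCP setting, 1 = enabled, 2 = disabled.
Get-ChildItem 'HKLM:\SYSTEM\CurrentControlSet\Services\NetBT\Parameters\Interfaces' |
    ForEach-Object {
        [pscustomobject]@{
            Interface      = $_.PSChildName
            NetbiosOptions = (Get-ItemProperty -Path $_.PSPath).NetbiosOptions
        }
    } | Format-Table -AutoSize

# 2. Once guest logons are blocked, the SMB client logs event 31017 for each share it refused
#    to reach without credentials. Use it to find the NAS devices that need a real account.
Get-WinEvent -FilterHashtable @{ LogName = 'Microsoft-Windows-SmbClient/Security'; Id = 31017 } -MaxEvents 20 -ErrorAction SilentlyContinue |
    Select-Object TimeCreated, Message
```

Reading the registry rather than the GPO report tells you what the machine is actually doing, which is what matters when a local script, an installer, or a conflicting GPO has changed a value behind the policy's back. Any adapter still reporting NetbiosOptions 0 or 1 remains poisonable on UDP 137 even with LLMNR off.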
