Windows Server 2016/2019 Group Policy security settings

Group Policy administrative templates let you configure hundreds of system settings, either computer or user based. Today I will introduce computer settings that directly affect system security and attack surface.

Over the last few months, I wrote several articles related to Windows Server security best practices. All were based on recommendations from the Center for Internet Security (CIS) organization. The latest one focused on audit policy configuration.

Administrative templates help configure system component behavior, like Internet Explorer, or end-user experience, like Start menu layout. However, some also affect system behavior, which may present security risks. In this post, I have picked important settings you should consider adding to your security baseline policy.

As usual, the format is as follows:

Name of the setting: Recommended value

Regional and Language Options ^

Allow input personalization: Disabled

Allow online tips: Disabled

Input personalization allows speech learning, inking, and typing. It is required for the use of Cortana. Online tips enable retrieval of tips and help for the Settings app. Both settings, when enabled, could lead to storage of sensitive data in users' OneDrive, Microsoft, or third-party servers.

MS Security Guide ^

This section is not included in Group Policy by default; you have to download it from the Microsoft website. After downloading it, you can find the SecGuide.admx and SecGuide.adml files in the Templates folder. To import the files, copy the .admx file to the %SystemRoot%\PolicyDefinitions folder and the .adml file to the %SystemRoot%\PolicyDefinitions\locale (in my case en-US) folder. Reopen Group Policy Editor, and you will find the new section we just imported.

MS Security Guide settings

MS Security Guide settings

Configure SMB v1 server: Disabled

Configure SMB v1 client driver: Enabled: Disable driver

Both settings control the Server Message Block v1 (SMBv1) client and server behavior. SMBv1 is roughly a 30-year-old protocol and as such is much more vulnerable than SMBv2 and SMBv3. Therefore, Microsoft recommends completely disabling SMBv1 on your network. Be careful with the client driver setting—do not set it to Disabled because this will cause issues with the system. The correct setting is Enabled: Disable driver.

Note: In case you have an older device on your network, like a network printer, make sure it supports SMBv2 or higher before disabling SMBv1. Recently we had this issue where scanning to a shared folder didn't work because the printer only supported SMBv1.

Apply UAC restrictions to local accounts on network logons: Enabled

Local accounts are a high risk, especially when configured with the same password on multiple servers. This setting controls whether you can use a local account to connect to a remote server, for example, to a C$ share. When enabled, User Account Control (UAC) removes the privileges from the resulting token, denying access. This is the default behavior.

Lanman Workstation ^

Enable insecure guest logons: Disabled

By default, a Windows SMB client will allow insecure guest logons, which network-attached storage (NAS) devices acting as file servers often use. Because these are unauthenticated logons, features like SMB signing and SMB encryption are disabled. This makes such communications vulnerable to man-in-the-middle attacks. Windows file servers require SMB authentication by default.

DNS Client ^

Turn off multicast name resolution: Enabled

Link-local multicast name resolution (LLMNR) is a secondary name resolution protocol that uses multicast over a local network. An attacker can listen to such requests (on UDP ports 5355 and 137) and respond to them, tricking the client. This is called local name resolution poisoning.

Fonts ^

Enable font providers: Disabled

This disables Windows from downloading fonts from online font providers. The IT department should first test and approve all system changes.

Network Connections ^

Prohibit installation and configuration of Network Bridge on your DNS domain network: Enabled

Network Bridge could let users connect two or more physical networks together and allow data sharing between them. This could lead to unauthorized data upload or malicious activity from the bridged network.

Prohibit use of Internet Connection Sharing on your DNS domain network: Enabled

This setting applies in Windows 10 and Windows Server 2016/2019 to the Mobile Hotspot feature. Standard users should not be able to open internet connectivity via enterprise devices.

Require domain users to elevate when setting a network's location: Enabled

A network location setting, also known as a network profile, controls which firewall profile to apply to the system. With this setting enabled, such a change would require administrative elevation. Standard users should not change these settings.

Network Connections settings

Network Connections settings

Group Policy ^

Configure registry policy processing: Do not apply during periodic background processing: Enabled: FALSE (unchecked)

Configure registry policy processing: Process even if the Group Policy objects have not changed: Enabled: TRUE (checked)

These two settings control how to process Group Policy. The first one should be unchecked so that the system refreshes Group Policy Objects (GPOs) in the background and does not wait for user logon or a reboot. The second should be checked to reapply each GPO setting during every refresh. This will override any unauthorized changes done locally on the system.

Configure registry policy processing

Configure registry policy processing

Logon ^

Turn off app notifications on the lock screen: Enabled

Application notification could expose sensitive data to unauthorized users, for example, confidential email notifications. Enable this setting to turn off such notifications.

Turn off picture password sign-in: Enabled

Turn on convenience PIN sign-in: Disabled

The Windows Hello feature allows users to sign in with a picture gesture or a PIN code similar to a credit card. Both options are relatively easy for a person standing behind a user to observe (called shoulder surfing). The recommended approach is to use complex passwords instead.

Autoplay Policies ^

Disallow Autoplay for non-volume devices: Enabled

This disables autoplay for external devices, like cameras or phones, which an attacker could use to launch a program or damage the system.

Set the default behavior for AutoRun: Enabled: Do not execute any autorun commands

The autorun.inf file located on a DVD or USB media stores autorun commands that often launch software installation or other commands. Even though a pop-up window displays for the user, malicious code might run unintentionally, and the recommended approach is to disable any autorun actions.

Turn off Autoplay: Enabled: All drives

Similar to autorun, autoplay starts to read data from external media, which causes setup files or audio media to start immediately. Autoplay is disabled by default, but not on DVD drives.

Microsoft account ^

Block all consumer Microsoft account user authentication: Enabled

In an organization, the IT department should firmly manage user authentication. Users should not be able to use their own Microsoft online IDs in any applications or services such as OneDrive.

OneDrive ^

Prevent the usage of OneDrive for file storage: Enabled

This policy setting lets you prevent apps and features from working with files on OneDrive, so users cannot upload any sensitive working data to OneDrive. Note that if your organization uses Office 365, this setting would prevent users from saving data to your company OneDrive.

Conclusion ^

Group Policy administrative templates offer great possibilities for system and end-user experience customizations. Literally hundreds of settings are available by default, and you can add more by downloading the .admx files from Microsoft and other vendors. In this post, we have covered the important security-related settings.

Want to write for 4sysops? We are looking for new authors.

Read 4sysops without ads and for free by becoming a member!

4+
avataravataravatar
Share
6 Comments
  1. Thank you Leos for your interesting article!

    1+

  2. Paul Bendall 7 months ago

    A good introduction to central control of settings through GPO from a security framework CIS, especially like the information around additional downloads (caught me out the first time):

    "This section is not included in Group Policy by default; you have to download it from the Microsoft website. After downloading it, you can find the SecGuide.admx and SecGuide.adml files in the Templates folder"

    Maybe consider adding links to CIS benchmarks - and Windows Server baselines for further reading?

    Direct Link to CIS Benchmarks for Windows Server (free to download once you provide contact details)https://www.cisecurity.org/benchmark/microsoft_windows_server/

    Windows (Generic)
    https://docs.microsoft.com/en-us/windows/security/threat-protection/windows-security-baselines

    Windows Server 2019
    https://docs.microsoft.com/en-gb/archive/blogs/secguide/security-baseline-final-for-windows-10-v1809-and-windows-server-2019

    Paul

    0

  3. Teresa 6 months ago

    Thank you Leos for the well written article! I finally figured out how my ex was getting into my computer.  I would close a hole not realizing that the Group Policy held the keys so to speak. I did major housekeeping this evening and kicked him off for good and anyone else who cares to try.  I have plenty to learn but living is learning. 

    0

    • Mark 1 month ago

      Group policy applies to machines managed by a domain controller. If it's not, your Ex would simply need to disable the settings you made. He's probably got an additional account on there you don't know about.

      0

Leave a reply

Your email address will not be published. Required fields are marked *

*

© 4sysops 2006 - 2020

CONTACT US

Please ask IT administration questions in the forums. Any other messages are welcome.

Sending

Log in with your credentials

or    

Forgot your details?

Create Account