Professional Documents
Culture Documents
In this article, you will learn why these Group Policy settings simply cannot be
ignored.
Through Control Panel, you can control all aspects of your computer. So, by
moderating who has access to the computer, you can keep data and other resources
generates both a LAN Manager hash (LM hash) and a Windows NT hash (NT hash)
of passwords. It stores them in the local Security Accounts Manager (SAM) database
or Active Directory.
The LM hash is weak and prone to hacking. Therefore, you should prevent Windows
from storing an LM hash of your passwords. Perform the following steps to do so:
1. In Group Policy Management Editor window (opened for a custom GPO), go to
“Computer Configuration” “Windows Settings” “Security Settings” “Local
Policies” “Security Options”.
2. In the right pane, double-click “Network security: Do not store LAN Manager
hash value on next password change” policy.
3. Select “Define this policy setting” checkbox and click “Enabled.
4. Click “Apply” and “OK”.
Figure 2: Configuring policy to not store LAN Manager hash value policy
Command Prompts can be used to run commands that give high-level access to
users and evade other restrictions on the system. So, to ensure system resources’
After you have disabled Command Prompt and someone tries to open a command
window, the system will display a message stating that some settings are preventing
Forced system restarts are common. For example, you may face a situation where
you were working on your computer and Windows displays a message stating that
In many cases, if you fail to notice the message or take some time to respond, the
computer restarts automatically, and you lose important, unsaved work. To disable
Removable media drives are very prone to infection, and they may also contain a
affect the entire network. Similarly, DVDs, CDs and Floppy Drives are prone to
infection.
It is therefore best to disable all these drives entirely. Perform the following steps to
do so:
1. In Group Policy Management Editor window (opened for a custom GPO), go to
“User Configuration” “Policies” “Administrative Templates” “System”
“Removable Storage Access”.
2. In the right pane, double-click “All removable storage classes: Deny all
accesses” policy
3. Click “Enabled” to enable the policy.
4. Click “Apply” and “OK”.
Figure 5: Deny access to all removable storage classes
When you give users the freedom to install software, they may install unwanted apps
that compromise your system. System admins will usually have to routinely do
maintenance and cleaning of such systems. To be on the safe side, it’s advisable to
Through a Guest Account, users can get access to sensitive data. Such accounts
grant access to a Windows computer and do not require a password. Enabling this
account means anyone can misuse and abuse access to your systems.
Thankfully, these accounts are disabled by default. It’s best to check that this is the
case in your IT environment as, if this account is enabled in your domain, disabling it
Set the minimum password length to higher limits. For example, for elevated
accounts at least 12 characters. Setting a lower value for minimum password length
creates unnecessary risk. The default setting is “zero” characters, so you will have to
specify a number:
1. In Group Policy Management Editor window (opened for a custom GPO), go to
“Computer Configuration” “Windows Settings” “Security Settings” “Account
Policies” “Password Policy”.
2. In the right pane, double-click “Minimum password length” policy, select “Define
this policy setting” checkbox.
3. Specify a value for the password length.
4. Click “Apply” and “OK”.
Figure 8: Configuring minimum password age policy setting
If you set the password expiration age to a lengthy period of time, users will not have
to change it very frequently, which means it’s more likely a password could get
screenshot shows the policy setting used for configuring “Maximum Password Age”.
Active Directory assigns a unique number to all security objects in Active Directory;
including Users, Groups and others, called Security Identifiers (SID) numbers. In
older Windows versions, users could query the SIDs to identify important users and
data. By default, this setting is disabled, ensure that it remains that way. Perform the
following steps:
1. In Group Policy Management Editor window, go to “Computer Configuration”
“Policies” “Windows Settings” “Security Settings” “Local Policies” “Security
Options”.
2. In the right pane, double-click “Network Access: Do not allow anonymous
enumeration of SAM accounts and shares” policy setting.
3. Choose ‘Enabled’ and then click ‘Apply’ and ‘OK’ to save your settings.
If you get these Group Policy settings correct, your organization’s security will
automatically be in a better state. Please make sure to apply the modified Group
Policy Object to everyone and update the Group Policies to reflect them on all