Microsoft Group Policy – Basics
Wednesday, April 07th, 2010

Microsoft Group Policy became very useful with the launch of Windows Server 2000, as more and more businesses were moving away from the workgroup environment and into the domain environment. Group Policy gave network administrators a way to control settings on all computers and servers that exist within their network domain. Over the years Group Policy has evolved and become very customizable: each OU within Active Directory can have its own Group Policy. So if you need to handle the computers in the accounting department differently than the computers in the maintenance department, Group Policy can do this. For the purposes of this article I will be discussing the newest version, which is what is included in Windows Server 2008 64-bit. Although there are not a whole lot of changes (except the look) between Server 2003 and Server 2008, I am willing to do a Server 2003 Group Policy article if enough people would like to see it.

First we need to know how to get into the Group Policy Editor. We can do this simply by using “Run” under the Start menu, typing “gpedit.msc” without the quotations and then clicking OK.

(Screenshot: Run gpedit.msc)

(Screenshot: gpedit.msc window)

The window above is the Local Group Policy Editor; I have reduced the window size so it will fit on this page. As you can see, we have “Computer Configuration” and we have “User Configuration”. A lot of the options that I use when managing Group Policy are under Computer Configuration.

There are two main categories that I feel should always be set for security reasons on any domain, large or small: “Account Policies” and “Local Policies”. Both are under Computer Configuration >> Windows Settings.

Below I will list out the most important settings and the range each should be set to:

  • Account Policies
    • Password Policy
      • Enforce password history
        • This setting will not allow users to reuse a previous password until a set number of newer passwords have been used. Five is a good setting for this, but I personally use 7 passwords to remember.
      • Maximum password age
        • This setting will force a user to change their password after X number of days. This setting should not be set any higher than 90 days, but 70 days is a much more secure option.
      • Minimum password age
        • This setting forces a user to keep their password for at least X number of days. It stops users from changing their password 7 times in a day to get back to their original password and defeat the “Enforce password history” setting. This setting should be set to at least 1 day; it does not stop an administrator from resetting the user's password.
      • Minimum password length
        • This setting specifies that a password cannot be set to fewer than X characters. It should be set no lower than 7 characters. Microsoft encrypts the first 6 characters and then encrypts the next 6 characters, so by requiring a password of 7 characters or more you force Microsoft to encrypt the password in two separate pieces.
      • Store passwords using reversible encryption
        • This setting should be set to Disabled, so that your passwords are stored with non-reversible encryption.
    • Account Lockout Policy
      • Account lockout duration
        • This setting is the number of minutes a locked-out account remains locked out before automatically becoming unlocked. For the highest security it should remain “Not Applicable”, which requires an administrator to unlock the account.
      • Account lockout threshold
        • This setting is the number of failed logon attempts that cause a user account to become locked out. This is a delicate balancing act: you don’t want a number too low or you will get calls from your users all the time, and you don’t want a number too high because you can then be vulnerable to attacks. I like to set this number at around 7 or 10.
      • Reset account lockout counter after
        • This setting is the number of minutes after a failed logon attempt before the account lockout threshold counter is reset back to zero. Make sure you don’t set this number too low, because you would then be vulnerable to an attack. I like to set this number at around 120 minutes.
  • Local Policies
    • Audit Policy
      • This one is pretty easy: every policy under here should be recording “Success, Failure” for the best audit records. However, if this is truly not possible, you should at least be auditing the following.
        • Audit account logon events – “Success, Failure”
        • Audit logon events – “Success, Failure”
        • Audit privilege use – “Success, Failure”
        • Audit system events – “Success, Failure”
    • User Rights Assignment
      • There are a lot of different permissions under this policy, but the difference is that these policies have specific users assigned to them for rights. I highly suggest you scan through these policies and decide which ones fit your network. I would also suggest not adding users directly but adding groups and then adding and removing users from those groups; it just makes administration so much easier.
    • Security Options
      • There are a lot of different permissions under this policy as well, but I am only going to touch on the ones that I believe are the most important.
      • Accounts: Guest account status
        • This setting will enable or disable the guest account on your network. I strongly recommend that you set this to disabled.
      • Accounts: Rename administrator account
        • This option allows you to rename the default administrator account on the network. I highly recommend that you do this for new network setups that are not relying on an administrator account. Everyone knows that there is a default administrator account, and by renaming it you make your network more secure.
      • Interactive logon: Do not display last user name
        • This setting does not allow the person logging into the computer to see the last person's username. This adds another level of security: should an unauthorized person gain access to a physical computer, they will not know the user name.
      • Interactive logon: Prompt user to change password before expiration
        • This setting allows you to set the number of days before a password expires that the user will be prompted. I suggest at least a week or two of notification.
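To turn the list above into something you can actually check on a machine, here is an added PowerShell example (my own, not part of the original article) that audits the effective local security policy against the recommended values. It reads the INF file produced by `secedit /export /cfg`, which is the same data the Local Group Policy Editor shows under Account Policies, Audit Policy and Security Options. The INF key names (PasswordHistorySize, LockoutBadCount, ClearTextPassword, the Event Audit keys and the registry-value paths) are those secedit writes; the sample export embedded in the script is constructed so the script can be run offline, and the `-Live` switch swaps in a real export from the current machine. Values for the audit keys follow secedit's encoding: 1 = Success, 2 = Failure, 3 = Success, Failure.

```powershell
# Added example: compare a secedit policy export with the baseline recommended above.
param([switch]$Live)   # -Live: export the current machine's policy instead of using the sample

# Constructed sample export (not from a real machine); most values deliberately fail the checks.
$sampleInf = @'
[System Access]
MinimumPasswordAge = 0
MaximumPasswordAge = 42
MinimumPasswordLength = 0
PasswordHistorySize = 0
LockoutBadCount = 0
ClearTextPassword = 0
NewAdministratorName = "Administrator"
EnableGuestAccount = 1
[Event Audit]
AuditSystemEvents = 0
AuditLogonEvents = 3
AuditPrivilegeUse = 0
AuditAccountLogon = 3
[Registry Values]
MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System\DontDisplayLastUserName=4,0
MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\PasswordExpiryWarning=4,5
'@

function ConvertFrom-SeceditInf {
    # Flatten the INF into a hashtable keyed "Section/Name"; registry entries are "path=type,data".
    param([string[]]$Lines)
    $policy = @{}
    $section = ''
    foreach ($line in $Lines) {
        $t = $line.Trim()
        if ($t -eq '' -or $t.StartsWith(';')) { continue }
        if ($t -match '^\[(.+)\]$') { $section = $Matches[1]; continue }
        $idx = $t.IndexOf('=')
        if ($idx -lt 0) { continue }
        $key = $t.Substring(0, $idx).Trim()
        $val = $t.Substring($idx + 1).Trim()
        if ($section -eq 'Registry Values' -and $val -match '^\d+,(.*)$') { $val = $Matches[1] }
        $policy["$section/$key"] = $val.Trim('"')
    }
    return $policy
}

if ($Live) {
    $tmp = Join-Path $env:TEMP 'secpol-export.inf'
    & secedit.exe /export /cfg $tmp | Out-Null
    $lines = Get-Content -Path $tmp      # secedit writes UTF-16 with a BOM; Get-Content detects it
    Remove-Item $tmp
} else {
    $lines = $sampleInf -split "`r?`n"
}
$policy = ConvertFrom-SeceditInf -Lines $lines

# One rule per setting discussed in the article; Test receives the exported value as a string.
$reg = 'Registry Values/MACHINE\Software\Microsoft\Windows'
$checks = @(
  @{ Name='Enforce password history';  Key='System Access/PasswordHistorySize';   Want='>= 5';           Test={ param($v) [int]$v -ge 5 } },
  @{ Name='Maximum password age';      Key='System Access/MaximumPasswordAge';    Want='1..90 days';     Test={ param($v) [int]$v -ge 1 -and [int]$v -le 90 } },
  @{ Name='Minimum password age';      Key='System Access/MinimumPasswordAge';    Want='>= 1 day';       Test={ param($v) [int]$v -ge 1 } },
  @{ Name='Minimum password length';   Key='System Access/MinimumPasswordLength'; Want='>= 7';           Test={ param($v) [int]$v -ge 7 } },
  @{ Name='Reversible encryption';     Key='System Access/ClearTextPassword';     Want='Disabled (0)';   Test={ param($v) $v -eq '0' } },
  @{ Name='Account lockout threshold'; Key='System Access/LockoutBadCount';       Want='1..10 attempts'; Test={ param($v) [int]$v -ge 1 -and [int]$v -le 10 } },
  @{ Name='Reset lockout counter';     Key='System Access/ResetLockoutCount';     Want='>= 120 min';     Test={ param($v) [int]$v -ge 120 } },
  @{ Name='Account lockout duration';  Key='System Access/LockoutDuration';       Want='admin unlock (-1)'; Test={ param($v) [int]$v -eq -1 } },
  @{ Name='Guest account status';      Key='System Access/EnableGuestAccount';    Want='Disabled (0)';   Test={ param($v) $v -eq '0' } },
  @{ Name='Rename administrator';      Key='System Access/NewAdministratorName';  Want='not Administrator'; Test={ param($v) $v -ne 'Administrator' } },
  @{ Name='Hide last user name';       Key="$reg\CurrentVersion\Policies\System\DontDisplayLastUserName"; Want='Enabled (1)'; Test={ param($v) $v -eq '1' } },
  @{ Name='Password expiry warning';   Key="$reg NT\CurrentVersion\Winlogon\PasswordExpiryWarning";       Want='>= 7 days';   Test={ param($v) [int]$v -ge 7 } }
)
foreach ($a in 'AuditAccountLogon','AuditLogonEvents','AuditPrivilegeUse','AuditSystemEvents') {
    $checks += @{ Name=$a; Key="Event Audit/$a"; Want='Success, Failure (3)'; Test={ param($v) $v -eq '3' } }
}

# MISSING means secedit did not export the key (e.g. lockout keys are absent while threshold is 0).
$results = foreach ($c in $checks) {
    $value = $policy[$c.Key]
    $status = if ($null -eq $value) { 'MISSING' } elseif (& $c.Test $value) { 'OK' } else { 'FAIL' }
    [pscustomobject]@{ Setting = $c.Name; Current = $value; Recommended = $c.Want; Status = $status }
}
$results | Format-Table -AutoSize
```

Run it as-is to see the report for the constructed sample, or with `-Live` from an elevated prompt on a domain member to see where that machine's effective policy differs from the baseline; on a domain, the exported values already reflect whatever GPO won, so the report tells you what the user actually gets rather than what the GPO says.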

So, as you can probably see, I have only scratched the surface of Group Policy in this article and shown you some of the very basic things you can do to configure Group Policy to fit your network and help you with security. I hope you have found this article informative; you can check out more detailed videos on Group Policy at http://videos.mikenetpc.com