In-Depth

Ten Group Policy Settings To Ensure Consistent Windows Security

Some of Windows' settings affect domain controllers, where others affect all computers. To ensure that your security foundation is properly established, use Group Policy objects to deploy and configure your security settings.

Group Policy objects (GPOs) are extremely powerful and capable of touching all computers associated with your Windows Active Directory domain. With security one of the primary concerns for most IT administrators, it's nice to know that GPOs can also help you control security on all computers in your domain.

With so many vulnerabilities and potential areas for attack, it's hard to decide which security settings should be managed first. However, several essential areas of a Windows computer and network rise to the top. The security settings below deal with initial authentication, password protection, computer privileges, anonymous access, and ensuring that security settings are persistent.

Setting #1: Minimum Password Length

Location: Computer Configuration\Windows Settings\Security Settings\Account Policies\Password Policy\Minimum Password Length

The minimum password length is essential to protect all user accounts in the domain. If this setting is left at 0, accounts are allowed to have blank passwords, so anyone who knows a user name could log on to that account and reach network resources. Until Windows Server 2003, this was the default on all Windows operating systems.

The minimum password length is also essential to protect against applications that are designed to crack passwords. A common password length for many companies is 6 to 8 characters. However, if you were to use pass-phrases and increase the length to 14 or more characters, security would be increased greatly.

Setting #2: Maximum Password Age

Location: Computer Configuration\Windows Settings\Security Settings\Account Policies\Password Policy\Maximum Password Age

Along the same lines as increasing the password length to help protect against applications that crack passwords, the maximum password age can help, too. The longer a password is active, the more likely it will be compromised or be cracked. The frequency should be as often as possible while still allowing the end user to cope with password changes. It is common and reasonable to have this setting set to an age between 30 and 60 days.

Setting #3: Password Complexity

Location: Computer Configuration\Windows Settings\Security Settings\Account Policies\Password Policy\Password must meet complexity requirements

One of the historical methods to protect passwords from crack tools is to make the password more complex. This entails adding more than just alpha characters to the password. This setting does that—and more. When this setting is enabled, all passwords must meet the following complexity requirements:

  • Minimum 6 characters
  • Three of the four types of characters (lower case alpha, upper case alpha, numeric, special)
  • Not contain all or part of the user’s account name

Setting #4: Last Logged-On User Name

Location: Computer Configuration\Windows Settings\Local Policies\Security Options\Interactive logon: Do not display last user name

All Windows computers are designed to do you a favor by remembering your user name for the next time you log on. This is convenient, but it does pose a security threat.

Ideally, you should never offer up user names, since a valid user name gives an attacker half of the information they need to log on as a real user account in the domain. This setting removes the name of the last user that logged on to the computer, forcing all users to input both their user name and password at each logon.

Setting #5: LAN Manager Authentication Level

Location: Computer Configuration\Windows Settings\Local Policies\Security Options\Network Security: LAN Manager authentication level

Windows 2000, XP, and Server 2003 computers all use Kerberos to authenticate to Active Directory. However, when these computers authenticate to the local SAM or to a down-level client, they use LAN Manager authentication of some level.

For convenience, your computer can (and in some cases will) use both weak and strong LAN Manager authentication levels. LAN Manager (LM) is the weakest and oldest authentication protocol; NTLMv2 is the newest and strongest. Since only the oldest operating systems and applications still require LM, it is desirable to remove the ability for your computer to use this protocol so as to increase security. Ideally, you should only allow your computers to use NTLMv2, both when initiating authentication and when responding to authentication requests.

Setting #6: Storage of LM Hash

Location: Computer Configuration\Windows Settings\Local Policies\Security Options\Network Security: Do not store LAN Manager hash value on next password change

Similar to support for the older authentication protocols, your computers store the older authentication protocol hashes. The LM hash is very insecure, but is stored whether you use it or not. This provides an easy way for someone to crack passwords if they gain access to the stored hash. Enabling this setting will remove the ability for the computer to store the insecure LM hash.

Setting #7: User Rights Assignment

Location: Computer Configuration\Windows Settings\Local Policies\User Rights Assignment

User rights control what a user or group of users can do on a computer. User rights are unique per computer, but can be controlled via GPOs. User rights are important to configure, since they can bypass the security access control list that is configured on a resource on a computer.

Setting #8: Anonymous Access to SAM Accounts

Location: Computer Configuration\Windows Settings\Local Policies\Security Options\Network Access: Do not allow anonymous enumeration of SAM accounts

In the past, Windows computers have allowed other computers and applications to access the SAM accounts for reference and authentication. For a while, attackers have exploited this access, taking advantage of anonymous access to user account names and password hashes. This setting will deny anonymous access to the SAM account.

Setting #9: Everyone Group Permissions and Anonymous Users

Location: Computer Configuration\Windows Settings\Local Policies\Security Options\Network access: Let Everyone permissions apply to anonymous users

This setting gives the anonymous user the same access as the Everyone group when accessing resources. This is a very insecure configuration, considering all of the resources that the Everyone group has access to. Therefore, you should not let Everyone group permissions also apply to the anonymous user when accessing resources; leave this setting disabled.

Setting #10: Process GPO Security Settings at Every Refresh

Location: Computer Configuration\Administrative Templates\System\Group Policy\Security policy processing

Within this GPO setting you will find a checkbox labeled “Process even if the Group Policy objects have not changed.” This setting will force all GPO settings to reapply, even if the GPO has not changed. This is essential because local administrators can change the Registry values related to security settings applied by GPOs. This setting will force all security settings to reapply at the GPO refresh interval.
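As an added example (not part of the original article), the following PowerShell script audits a single machine's effective values for the settings above and flags any that miss the article's recommendations. Settings #1 to #3 are read from a secedit export, the rest from the registry values behind the corresponding Security Options and the security client-side extension; setting #7 (user rights) is a list rather than a single value and is not checked here. The registry paths, value names and the pass/fail thresholds are the example's own assumptions, chosen to match the article's guidance.

```powershell
# Added example: report drift from the article's recommended values on the local machine.
# Run from an elevated PowerShell session (secedit /export requires administrator rights).

$cfg = Join-Path $env:TEMP 'secpol-audit.inf'
secedit /export /cfg $cfg /quiet | Out-Null
# The [System Access] section of the export carries the domain/local password policy values.
$lines = Get-Content $cfg | Where-Object { $_ -match '^(MinimumPasswordLength|MaximumPasswordAge|PasswordComplexity)\s*=' }
$pw = @{}
foreach ($line in $lines) { $k, $v = $line -split '\s*=\s*', 2; $pw[$k] = [int]$v }
Remove-Item $cfg -ErrorAction SilentlyContinue

# Registry locations backing the Security Options settings (assumed mapping, see lead-in).
$lsa = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
$wl  = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
# {827D319E-...} is the security client-side extension; NoGPOListChanges = 0 corresponds to
# "Process even if the Group Policy objects have not changed".
$cse = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\Group Policy\{827D319E-6EAC-11D2-A4EA-00C04F79F83A}'

function Get-Reg($Path, $Name) {
    try { (Get-ItemProperty -Path $Path -Name $Name -ErrorAction Stop).$Name } catch { $null }
}

# One entry per setting: current value plus a test that encodes the article's recommendation.
# Note: secedit reports MaximumPasswordAge = -1 when passwords never expire, which fails the range test.
$checks = @(
    @{ Name='#1 Minimum password length';   Value=$pw['MinimumPasswordLength']; Ok={ $args[0] -ge 14 } },
    @{ Name='#2 Maximum password age';      Value=$pw['MaximumPasswordAge'];    Ok={ $args[0] -ge 1 -and $args[0] -le 60 } },
    @{ Name='#3 Password complexity';       Value=$pw['PasswordComplexity'];    Ok={ $args[0] -eq 1 } },
    @{ Name='#4 Do not display last user';  Value=(Get-Reg $wl  'DontDisplayLastUserName');   Ok={ $args[0] -eq 1 } },
    @{ Name='#5 LM authentication level';   Value=(Get-Reg $lsa 'LmCompatibilityLevel');      Ok={ $args[0] -eq 5 } },
    @{ Name='#6 No LM hash stored';         Value=(Get-Reg $lsa 'NoLMHash');                  Ok={ $args[0] -eq 1 } },
    @{ Name='#8 Restrict anonymous SAM';    Value=(Get-Reg $lsa 'RestrictAnonymousSAM');      Ok={ $args[0] -eq 1 } },
    @{ Name='#9 Everyone excludes anon';    Value=(Get-Reg $lsa 'EveryoneIncludesAnonymous'); Ok={ $args[0] -eq 0 } },
    @{ Name='#10 Reapply security policy';  Value=(Get-Reg $cse 'NoGPOListChanges');          Ok={ $args[0] -eq 0 } }
)

foreach ($c in $checks) {
    $state = if ($null -eq $c.Value) { 'NOT SET' } elseif (& $c.Ok $c.Value) { 'OK' } else { 'DRIFT' }
    '{0,-8} {1,-32} current={2}' -f $state, $c.Name, $c.Value
}
```

A value reported as NOT SET means no policy or local value exists for it, so the machine is running on the operating system default, which for #5 and #6 on older systems still allows LM.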

Summary

The ten settings above will help ensure security has a good start in your Active Directory. Other settings are close to our Top Ten list and should be considered as you continue to configure security in the domain and on your computers. There are more settings related to anonymous access, password controls (lockout), auditing, and an array of security specific settings. Taking the first step to ensure the foundation security is in place will give you the confidence and power to continue to change the other settings to make your network more secure.

About the Author

Derek Melber (MCSE, MVP, CISM) is president of BrainCore.Net AZ, Inc., an independent consultant and speaker, and the author of many IT books. Derek educates and evangelizes Microsoft technology, focusing on Active Directory, Group Policy, security and desktop management. As one of only 8 MVPs in the world on Group Policy, Derek's company is often called upon to develop end-to-end Group Policy solutions for companies. Derek is the author of The Group Policy Resource Kit from MSPress, which is the de facto book on the subject.