Tip

Configure Group Policy to prevent attacks

In a recent Windows security tip, I talked about Ten attacks you can easily avoid with Group Policy. It highlights the fact that you can keep malicious attackers like "Eddie" out of your systems. In this tip, I've outlined how you can change what I believe are the most critical Group Policy security settings I covered previously -- along with a few more tips tossed in for good measure.

You can implement many of these at the local computer level in Windows XP, 2000 and Server 2003, as well as at the domain OU level in Server 2003 and 2000. For the sake of simplicity and staying current, I'm going to outline these settings on a Windows Server 2003-based domain. Keep in mind that these are only the tip of the iceberg for GPOs you can set up in your domain, but they are the ones that can make or break Windows security in my opinion. Also, your mileage may vary with these settings, so I encourage you to research thoroughly each of these options before enabling them to make sure they're compatible with your network. If at all possible, experiment with them in a non-production fashion (if you're lucky enough to have a test environment).

If you haven't already, I recommend downloading and installing Microsoft's Group Policy Management Console (GPMC) to make these changes. This program gives you a more global view on your domain(s) by centralizing Group Policy Object (GPO) management tasks into a single interface. To start the editing process, you simply load up GPMC, expand your domain, right-click "Default Domain Policy," and select "Edit." This loads up the Group Policy Object Editor. If you want a quicker and "less enterprise" way of editing your domain GPOs, you can run gpedit.msc from the "Start" menu.

1. Ensure a default password policy that makes sense for your organization is set under "Computer Configuration/Windows Settings/Security Settings/Account Policies/Password Policy."

2. Set the following under "Computer Configuration/Windows Settings/Security Settings/Account Policies/Account Lockout Policy" in order to thwart automated password cracking attacks:

  • Account lockout duration (define at least 5-10 minutes)
    Give attackers more hoops to jump through in order to minimize Windows attacks
    Kevin Beaver
    CISSP
  • Account lockout threshold (define at most 5-10 invalid logon attempts)
  • Reset account lockout counter after (define at least 10-15 minutes)

3. Enable the following under "Computer Configuration/Windows Settings/Security Settings/Local Policies/Audit Policy:"

  • Audit account management
  • Audit logon events
  • Audit policy change
  • Audit privilege use
  • Audit system events

Ideally, you'll want to enable logging for successes and failures, but it depends on what types of records you want to keep and whether you'll actually be able to manage it all. Roberta Bragg has outlined some common audit logging settings here. Just remember that each type of logging you enable requires more resources on the part of your systems processor and hard drive.

4. Set the following under "Computer Configuration/Windows Settings/Security Settings/Local Policies/Security Options" for general Windows hardening best practice, and give attackers more hoops to jump through in order to minimize Windows attacks:

  • Accounts: Rename administrator account -- not highly effective but another security layer nonetheless (define a new name)
  • Accounts: Rename guest account (define a new name)
  • Interactive logon: Do not display last user name (set to "Enabled")
  • Interactive logon: Do not require last user name (set to "Disabled")
  • Interactive logon: Message text for users attempting to log on (define banner text for users to see – something along the lines of This is a private and monitored system…you abuse this system, you're toast -- just run it by your lawyer first)
  • Interactive logon: Message title for users attempting to log on -- something along the lines of WARNING!!!
  • Network access: Do not allow enumeration of SAM accounts and shares (set to "Enabled")
  • Network access: Let "Everyone" permissions apply to anonymous users (set to "Disabled")
  • Network security: Do no store LAN Manager hash value on next password change (set to "Enabled")
  • Shutdown: Allow system to be shut down without having to log on (set to "Disabled")
  • Shutdown: Clear virtual memory pagefile (set to "Enabled")

If you don't have a Windows Server 2003 domain controller, you can find details on which local security policy settings are available for Windows XP here, and which Group Policy settings are available for Windows 2000 Server here. For more information on Windows Server 2003 group policies, check out Microsoft's dedicated page.

About the author: Kevin Beaver is founder and information security advisor with Atlanta-based Principle Logic, LLC. He has more than 17 years of experience in IT and specializes in performing information security assessments. Kevin has authored five information security-related books including Hacking For Dummies (Wiley), the brand new Hacking Wireless Networks For Dummies, and The Practical Guide to HIPAA Privacy and Security Compliance (Auerbach). He can be reached at kbeaver@principlelogic.com.


More information from SearchWindowsSecurity.com

  • Learning Center: Group Policy Q&As
  • Tip: XP SP2 helps control malware -- but watch out for that firewall
  • Checklist: Secure Group Policy design


  • This was first published in July 2005

    There are Comments. Add yours.

     
    TIP: Want to include a code block in your comment? Use <pre> or <code> tags around the desired text. Ex: <code>insert code</code>

    REGISTER or login:

    Forgot Password?
    By submitting you agree to receive email from TechTarget and its partners. If you reside outside of the United States, you consent to having your personal data transferred to and processed in the United States. Privacy
    Sort by: OldestNewest

    Forgot Password?

    No problem! Submit your e-mail address below. We'll send you an email containing your password.

    Your password has been sent to:

    Disclaimer: Our Tips Exchange is a forum for you to share technical advice and expertise with your peers and to learn from other enterprise IT professionals. TechTarget provides the infrastructure to facilitate this sharing of information. However, we cannot guarantee the accuracy or validity of the material submitted. You agree that your use of the Ask The Expert services and your reliance on any questions, answers, information or other materials received through this Web site is at your own risk.