Managing a huge IT infrastructure while also ensuring security, productivity, and a uniform user experience is a challenge for organizations. With Group Policy, network administrators have an integrated tool to specify managed configurations for your Active Directory (AD) users and computers. A few tweaks to your Group Policy settings can help you regulate a user's work environment, and seamlessly manage your operating systems and applications.
Users can make extensive changes to their system settings using the control panel, and these changes can lead to security issues. For a safer business environment, limit control panel access to privileged users only. Access to the control panel can be limited by enabling the Prohibit access to Control Panel and PC settings policy.
User Configuration > Administrative Templates > Control Panel
The Windows command prompt is used to run commands that perform advanced administrative functions. However, in the hands of malicious users, the command prompt can be used to compromise the integrity of the system. To prevent any harm to your network, restrict access to the command prompt using the Prevent access to the command prompt policy.
User Configuration > Administrative Templates > System
Removable devices are susceptible to viruses and malware, and enabling users to plug them into their computers can infect your entire network. Removable devices also allow bad actors to remove large amounts of data in a short time. You can prohibit the use of removable devices by enabling the All Removable Storage classes: Deny all access policy.
User Configuration > Administrative Templates > System > Removable Storage Access
When users install unwanted software on their systems, IT admins are left with cleanup and a complicated maintenance process. To disallow users from installing software, enable the Prohibit User Install policy.
Computer Configuration > Administrative Templates > Windows Components > Windows Installer
The built-in guest account enables users to log in to a Windows system without requiring a password for authentication. This allows bad actors to log in to your servers and domain controllers as a guest to access your resources. Even though guest accounts are disabled by default, hackers can easily override the default settings to wreak havoc in your network. Configuring the Accounts: Guest Account Status policy ensures the attempts of bad actors are blocked.
Computer Configuration > Windows Settings > Security Settings > Local Policies > Security Options
Windows stores LAN Manager (LM) password hashes in the local Security Accounts Manager (SAM) database. These LM hashes are weak, and attackers can easily crack them to recover the clear-text passwords. To avoid this, prevent Windows from storing LM hashes by enabling the Network security: Do not store LAN Manager hash value on next password change policy.
Computer Configuration > Windows Settings > Security Settings > Local Policies > Security Options
Forced system restarts can be a pain during Windows updates. Restarts interrupt your work and can cause unsaved items to be lost. Enable the No auto-restart with logged on users for scheduled automatic updates installations policy to prevent Windows from restarting automatically.
Computer Configuration > Administrative Templates > Windows Components > Windows Update
Group Policy Object (GPO) settings should only be accessed by IT admins. Any unauthorized changes to these settings indicate a security breach. Tracking all changes to your GPO settings by defining the Audit Directory Service Access and Audit Directory Service Changes policies results in a more secure network.
Computer Configuration > Policies > Windows Settings > Security Settings > Advanced Audit Policy Configuration > Audit Policies > DS Access
Using native tools to monitor and document changes made to your OUs while keeping track of the delegated permissions can be a time-consuming process. ADAudit Plus, a UBA-driven AD auditing solution from ManageEngine, provides customizable change audit reports that keep you informed of all changes made to your OUs, GPOs, and permissions.
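To confirm on an endpoint that the policies listed above have actually applied, the following PowerShell reads the registry values behind them, checks the guest account, and prints the DS Access audit settings. It is an added example, not part of the original article. It assumes the registry locations written by the standard Windows administrative templates, and the HKCU values reflect only the user running the script.

```powershell
# Added example: report whether the policies from this page are in effect locally.
# Run in an elevated session; HKCU checks apply to the current user only.
$registryChecks = @(
    @{ Policy = 'Prohibit access to Control Panel and PC settings'
       Key = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer'; Value = 'NoControlPanel' }
    @{ Policy = 'Prevent access to the command prompt'
       Key = 'HKCU:\Software\Policies\Microsoft\Windows\System'; Value = 'DisableCMD' }
    @{ Policy = 'All Removable Storage classes: Deny all access'
       Key = 'HKCU:\Software\Policies\Microsoft\Windows\RemovableStorageDevices'; Value = 'Deny_All' }
    @{ Policy = 'Prohibit User Install'
       Key = 'HKLM:\Software\Policies\Microsoft\Windows\Installer'; Value = 'DisableUserInstalls' }
    @{ Policy = 'Do not store LAN Manager hash value on next password change'
       Key = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'; Value = 'NoLMHash' }
    @{ Policy = 'No auto-restart with logged on users'
       Key = 'HKLM:\Software\Policies\Microsoft\Windows\WindowsUpdate\AU'; Value = 'NoAutoRebootWithLoggedOnUsers' }
)

$results = @(foreach ($c in $registryChecks) {
    # A policy that never applied leaves no value behind, so "missing" means not set.
    $item = Get-ItemProperty -Path $c.Key -Name $c.Value -ErrorAction SilentlyContinue
    $data = if ($item) { $item.($c.Value) } else { $null }
    [pscustomobject]@{
        Policy   = $c.Policy
        Data     = if ($null -eq $data) { '(not set)' } else { $data }
        InEffect = ($null -ne $data -and $data -ne 0)   # any non-zero value enables the policy
    }
})

# Guest account: found by its well-known RID (501) because the account can be renamed.
# Get-LocalUser does not work on domain controllers, which have no local accounts.
$guest = Get-LocalUser -ErrorAction SilentlyContinue |
    Where-Object { $_.SID.Value -like 'S-1-5-21-*-501' }
$results += [pscustomobject]@{
    Policy   = 'Accounts: Guest Account Status (disabled)'
    Data     = if ($guest) { "Enabled=$($guest.Enabled)" } else { '(account not found)' }
    InEffect = [bool]($guest -and -not $guest.Enabled)
}

$results | Format-Table -AutoSize

# Directory Service Access / Changes auditing: show the effective audit policy.
# Output text is localized, so it is displayed rather than parsed.
auditpol /get /category:"DS Access"
```

Rows with InEffect = False point to a GPO that is not linked, is filtered out, or has not yet refreshed on that machine.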