Active Directory GPO best practices

I wanted to write these tips to make all Microsoft system administrators aware of ten “tips” immediately applicable on their infrastructures to increase the security level in Active Directory.
The list is obviously not exhaustive, the idea is to shed light on those less implemented but – in my opinion – important policies.
Happy reading.

1. Prevent Windows from Storing LAN Manager Hash

Windows generates and stores user account passwords in “hashes”. Windows generates both a LAN Manager hash (LM hash) and a Windows NT hash (NT hash) of passwords. It stores them in the local Security Accounts Manager (SAM) database or Active Directory.

  1. In Group Policy Management Editor window (opened for a custom GPO), go to “Computer Configuration” “Windows Settings” “Security Settings” “Local Policies” “Security Options”
  2. In the right pane, double-click “Network security: Do not store LAN Manager hash value on next password change” policy
  3. Select “Define this policy setting” checkbox and click “Enabled
  4. Click “Apply” and “OK”

2. Disallow Removable Media Drives, DVDs, CDs, and Floppy Drives

Removable media drives are very prone to infection, and they may also contain a virus or malware. If a user plugs an infected drive to a network computer, it can affect the entire network. Similarly, DVDs, CDs and Floppy Drives are prone to infection. It is therefore best to disable all these drives entirely. Perform the following steps to do so:

  1. In Group Policy Management Editor window (opened for a custom GPO), go to “User Configuration” “Policies” “Administrative Templates” “System” “Removable Storage Access”.
  2. In the right pane, double-click “All removable storage classes: Deny all accesses” policy
  3. Click “Enabled” to enable the policy.
  4. Click “Apply” and “OK”.

3. Moderating Access to Control Panel

Setting limits on a computers’ Control Panel creates a safer business environment. Through Control Panel, you can control all aspects of your computer. So, by moderating who has access to the computer, you can keep data and other resources safe.
Perform the following steps:

  1. In Group Policy Management Editor (opened for a user-created GPO), navigate to “User Configuration” “Administrative Templates” “Control Panel”.
  2. In the right pane, double-click “Prohibit access to Control Panel and PC settings” policy in to open its properties.
  3. Select “Enabled” from the three options.
  4. Click “Apply” and “OK”.

4. Restrict Software Installations

When you give users the freedom to install software, they may install unwanted apps that compromise your system. System admins will usually have to routinely do maintenance and cleaning of such systems. To be on the safe side, it’s advisable to prevent software installations through Group Policy:

  1. In Group Policy Management Editor (opened for a custom GPO), go to “Computer Configuration” “Administrative Templates” “Windows Component” “Windows Installer”.
  2. In the right pane, double-click “Prohibit User Install” policy.
  3. Click “Enabled” to enable the policy
  4. Click “Apply” and “OK”.

5. Disable Guest Account

Through a Guest Account, users can get access to sensitive data. Such accounts grant access to a Windows computer and do not require a password. Enabling this account means anyone can misuse and abuse access to your systems. Thankfully, these accounts are disabled by default. It’s best to check that this is the case in your IT environment as, if this account is enabled in your domain, disabling it will prevent people from abusing access:

  1. In Group Policy Management Editor (opened for a custom GPO), go to “Computer Configuration” “Windows Settings” “Security Settings” “Local Policies” “Security Options”.
  2. In the right pane, double-click “Accounts: Guest Account Status” policy.
  3. Select “Define this policy setting” checkbox and click “Disabled”.
  4. Click “Apply” and “OK”.

6. Set Minimum Password Length to Higher Limits

Set the minimum password length to higher limits. For example, for elevated accounts, passwords should be set to at least 15 characters, and for regular accounts at least 12 characters. Setting a lower value for minimum password length creates unnecessary risk. The default setting is “zero” characters, so you will have to specify a number:

  1. In Group Policy Management Editor window (opened for a custom GPO), go to “Computer Configuration” “Windows Settings” “Security Settings” “Account Policies” “Password Policy”
  2. In the right pane, double-click “Minimum password length” policy, select “Define this policy setting” checkbox
  3. Specify a value for the password length
  4. Click “Apply” and “OK”

7. Set Maximum Password Age to Lower Limits

If you set the password expiration age to a lengthy period of time, users will not have to change it very frequently, which means it’s more likely a password could get stolen. Shorter password expiration periods are always preferred. Windows’ default maximum password age is set to 42 days. The following screenshot shows the policy setting used for configuring “Maximum Password Age”. Perform the following steps:

  1. In Group Policy Management Editor window (opened for a custom GPO), go to “Computer Configuration” “Windows Settings” “Security Settings” “Account Policies” “Password Policy”.
  2. In the right pane, double-click “Maximum password age” policy.
  3. Select “Define this policy setting” checkbox and specify a value.
  4. Click “Apply” and “OK”.

8. Disable Anonymous SID Enumeration

Active Directory assigns a unique number to all security objects in Active Directory; including Users, Groups and others, called Security Identifiers (SID) numbers. In older Windows versions, users could query the SIDs to identify important users and groups. This provision can be exploited by hackers to get unauthorized access to data. By default, this setting is disabled, ensure that it remains that way. Perform the following steps:

  1. In Group Policy Management Editor window, go to “Computer Configuration” “Policies” “Windows Settings” “Security Settings” “Local Policies” “Security Options”.
  2. In the right pane, double-click “Network Access: Do not allow anonymous enumeration of SAM accounts and shares” policy setting.
  3. Choose “Enabled” and then click “Apply” and “OK” to save your settings.

9. Turn off multicast name resolution

Link-local multicast name resolution (LLMNR) is a secondary name resolution protocol that uses multicast over a local network. An attacker can listen to such requests (on UDP ports 5355 and 137) and respond to them, tricking the client. This is called local name resolution poisoning.

  1. In Group Policy Management Editor window, go to “Computer Policy” “Computer Configuration” “Administrative Templates” “Network” “DNS Client”.
  2. Click Turn Off “Multicast Name Resolution” and set the value to “Enabled”.

10. Disable NTLM in your network infrastructure

NTLM is used for computers that are members of a workgroup and local authentication. In an Active Directory environment, Kerberos authentication has to be used instead of NTLM, because it is stronger authentication protocol that uses mutual authentication rather than the NTLM challenge/response method. NTLM has a lot of known vulnerabilities and uses weaker cryptography, so it is very vulnerable to brute-force attacks. You should disable NTLM authentication in your network using Group Policy to allow only Kerberos authentication, but first ensure that both Microsoft and third-party applications in your network do not require NTLM authentication.

  1. In Group Policy Management Editor window, go to “Computer Configurations” “Policies” “Windows Settings” “Security Settings” “Local Policies” “Security Options”
  2. find “Network Security: LAN Manager authentication level”

There are 6 options in the policy settings:

  • Send LM & NTLM responses
  • Send LM & NTLM responses – use NTLMv2 session security if negotiated
  • Send NTLM response only
  • Send NTLMv2 response only
  • Send NTLMv2 response only. Refuse LM
  • Send NTLMv2 response only. Refuse LM& NTLM.

The policies of using NTLM authentication are given in the order of their security improvement. By default, Windows 7 and newer OSs use the option Send NTLMv2 response only. If this option is enabled, client computers use NTLMv2 authentication, but AD domain controllers accept LM, NTLM and NTLMv2 requests.

EOF

Rispondi