In this blog entry we will point out a handful of helpful Group Policy Objects to which you can apply to your Organization to ensure utmost security.
Disable AutoRun on client workstations:
In today’s workplaces saving items to portable devices is by far the easiest way to access data on the move however one may not assume that a computer outside an organizations network is as secure than one present in the office. When portable devices are attached to a computer in some cases they are setup to auto-run upon insertion, this gives infected data entries the chance to execute almost instantly.
Found Under: Computer Configuration -> Administrative Templates -> Windows Components -> AutoPlay Policies -> Turn Off AutoPlay (Simply Set Switch accordingly, you can forbid all devices, alternatively only USB & CD storage)
Prevent Access to Registry Editing Functions:
Registry entries play a big part on keeping a system stable and functioning as per end-user expectations, occasionally due to ones lack of knowledge on a certain functionality in the registry, crucial system entries can go misplaced or amended causing havoc. This handy GPO disables usage of the regedit executable on client machines and can be applied to specific users seeing as it is a ‘User Configuration Policy’ as opposed to a ‘Computer Configuration Policy’.
Found Under: User Configuration -> Administrative Templates -> System -> Prevent Access to registry editing tools.
Enforce password history:
Often when passwords expire the end-user quite simply specifies the same password or uses credentials from the past. This defeats the object of specifying a new password which is why this GPO is essential.
Found Under: Computer Configuration -> Windows Settings -> Security Settings -> Password Policy -> Enforce Password History
Disable the ability to customize windows:
As standard windows offers vast methods for customizing a computers visual appearance, some can get carried away with applying wallpapers, changing theme color schemes, etc, etc. Have every computer under your organization look the same with this GPO.
Found Under: User Configuration -> Administrative Templates -> Control Panel -> Personalization
Extension: Deploy a custom company specific wallpaper across the network.
1) Create a share in windows and apply appropriate NTFS /User folder permission (Ie. Allow everyone access to this share) and app your wallpaper to the share folder.
2) Specify where the wallpaper is located on the network.
3) Force a gpupdate on client machines and have each user log off.
4) Your custom company wallpaper has now been deployed.
Track windows shutdowns:
It is often difficult to determine as to what may have caused a computer to unexpectedly shut down, tracking windows shutdowns may be somewhat annoying for the end-user however from an administrative point of view it can do the world of good!
Found Under: Computer Configuration -> Policies -> Administrative Templates -> System -> Display Shutdown Event Tracking