The 10 Windows group policy settings you need to get right

Configure these 10 group policy settings carefully, and enjoy better Windows security across the office


One of the most common methods to configure an office full of Microsoft Windows computers is with group policy. For the most part, group policies are settings pushed into a computer's registry to configure security settings and other operational behaviors. Group policies can be pushed down from Active Directory (actually, pulled down by the client) or configured locally.

I've been doing Windows computer security since 1990, so I've seen a lot of group policies. In my work with customers, I scrutinize each group policy setting within each group policy object. With Windows 8.1 and Windows Server 2012 R2, for example, there are more than 3,700 settings for the operating system alone.

I'll let you in on a little secret: I care about only 10 settings.

I'm not saying you should stop at these 10 since each properly configured group policy setting can reduce risk. I am saying that 10 settings determine most of your risk -- everything else is gravy. When I start looking at a new group policy, the first thing I do is scan these 10 settings. If they're set correctly, I know the customer is doing the right thing and my job will be easier.

Get these 10 settings right, and you'll go a long way toward making your Windows environment more secure. Each of these falls under the Computer Configuration\Windows Settings\Security Settings leaf.

1. Rename the Local Administrator Account

If the bad guys don't know the name of your Administrator account, they'll have a much harder time hacking it. Renaming the Administrator account is not automatic, so you’ll have to do it yourself.

2. Disable the Guest Account

One of the worst things you can do is to enable this account. It grants a fair amount of access on a Windows computer and has no password. Fortunately, it's disabled by default.
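A quick way to audit settings 1 and 2 on a machine after the policy has applied. This is an added example, not part of the original article; the function name `Test-BuiltinAccountPolicy` is hypothetical. It assumes Windows PowerShell 5.1 or later with the `Get-LocalUser` cmdlet, run on a workstation or member server.

```powershell
# Added example: checks the built-in Administrator and Guest accounts locally.
# Accounts are matched by their well-known RID (500 = Administrator, 501 = Guest),
# so the check still finds them after a rename.
function Test-BuiltinAccountPolicy {
    [CmdletBinding()]
    param()

    $accounts = Get-LocalUser
    $admin = $accounts | Where-Object { $_.SID.Value -match '^S-1-5-21-.+-500$' }
    $guest = $accounts | Where-Object { $_.SID.Value -match '^S-1-5-21-.+-501$' }

    if (-not $admin -or -not $guest) {
        throw 'Built-in accounts not found; run this on a machine with local accounts.'
    }

    # Setting 1: the built-in Administrator should no longer use its default name.
    [pscustomobject]@{
        Setting     = 'Rename the Local Administrator Account'
        AccountName = $admin.Name
        Enabled     = $admin.Enabled
        Compliant   = ($admin.Name -ne 'Administrator')
    }

    # Setting 2: the built-in Guest account should be disabled.
    [pscustomobject]@{
        Setting     = 'Disable the Guest Account'
        AccountName = $guest.Name
        Enabled     = $guest.Enabled
        Compliant   = (-not $guest.Enabled)
    }
}

Test-BuiltinAccountPolicy | Format-Table -AutoSize
```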
