Windows Server 2003 Group Policy and Security – 70-291 (part 2)

Recommended Group Policy Settings

This is by no means a definitive list. We will make some recommendations to you for your Group Policy settings. This could be considered a starter list. You should review all of the Group Policy settings to see how they fit in your business requirements.

There are three categories of group policy settings underneath two broad groups: Computer Configuration and User Configuration. Inside those are Software Settings, Windows Settings, and Administrative Templates.


Policies you apply within Computer Configuration apply to the whole computer (and all of its users), while settings you apply within User Configuration apply to the specific user.

We are offering these as recommendations. You should review all group policy changes prior to implementation.

Computer Configuration: Windows Settings: Security Settings: Account Policies: Password Policy

Group Policy Objects to Set: Enforce password history; Maximum password age; Minimum password age; Minimum password length; Password must meet complexity requirements.

By default, these policy objects are set. In our environment, password history is set to ‘6 passwords remembered’; maximum password age is set at 45 days; and minimum password length is set to 7 characters.

There are frequent questions surrounding the minimum password age of ‘1 day’ and why it is important to have a minimum password age. If a user is forced to change their password every 42 days (as in the default policy), the user could simply change their password the required number of times in a row to get back to their original password, which defeats the password history. To prevent this security issue, a minimum password age is set so the user can only change their password once a day.

Computer Configuration: Windows Settings: Security Settings: Account Policies: Account Lockout Policy

There are three policy settings in this category: account lockout duration; account lockout threshold; reset account lockout counter after. We recommend setting the Account lockout threshold to ‘5 invalid login attempts.’ This will automatically set the other two settings to 30 minutes.

This setting will lock a user account for 30 minutes if there are five invalid login attempts. This helps stop hackers from using automated password guessing software on user accounts.

Computer Configuration: Windows Settings: Security Settings: Local Policies: Audit Policy

There are several security items you can audit under the audit policy. To audit in Windows means to record the actions in the local logs. We recommend you audit the successes and failures of: account logon events, account management, logon events, policy change, and privilege use. We recommend you audit the failures of the rest of the items.
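The password, lockout and audit recommendations above can be checked against what a machine actually has applied. The following is an added example, not part of the original article: it audits the text of a security template exported with secedit /export /cfg against the values stated in this article. The sample export is constructed, and accepting -1 as a lockout duration is this example's assumption.

```python
import re

# Added example: thresholds are the values stated in this article.
BOTH, FAIL = 3, 2  # [Event Audit] flags: 1 = success, 2 = failure, 3 = both
CHECKS = {
    "PasswordHistorySize":   (lambda v: v >= 6, "remember at least 6 passwords"),
    "MaximumPasswordAge":    (lambda v: 1 <= v <= 45, "expire within 45 days"),
    "MinimumPasswordAge":    (lambda v: v >= 1, "at least 1 day, or history can be cycled"),
    "MinimumPasswordLength": (lambda v: v >= 7, "at least 7 characters"),
    "PasswordComplexity":    (lambda v: v == 1, "complexity enabled"),
    "LockoutBadCount":       (lambda v: 1 <= v <= 5, "lock after at most 5 bad logons"),
    "LockoutDuration":       (lambda v: v >= 30 or v == -1, "30+ min (-1: admin unlock, assumed ok)"),
    "ResetLockoutCount":     (lambda v: v >= 30, "reset counter after 30+ minutes"),
}
for k in ("AuditAccountLogon", "AuditAccountManage", "AuditLogonEvents",
          "AuditPolicyChange", "AuditPrivilegeUse"):
    CHECKS[k] = (lambda v: (v & BOTH) == BOTH, "audit success and failure")
for k in ("AuditSystemEvents", "AuditObjectAccess", "AuditProcessTracking", "AuditDSAccess"):
    CHECKS[k] = (lambda v: (v & FAIL) == FAIL, "audit at least failure")

def parse_inf(text):
    """Return key -> value for the [System Access] and [Event Audit] sections only."""
    values, section = {}, None
    for line in map(str.strip, text.splitlines()):
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1]
        elif section in ("System Access", "Event Audit") and "=" in line:
            key, value = line.split("=", 1)
            values[key.strip()] = value.strip()
    return values

def audit(text):
    """Return (key, found, expected) for each setting missing or weaker than the baseline."""
    values, findings = parse_inf(text), []
    for key, (ok, want) in CHECKS.items():
        raw = values.get(key, "")
        if not re.fullmatch(r"-?\d+", raw):
            findings.append((key, raw or None, want))  # absent or non-numeric
        elif not ok(int(raw)):
            findings.append((key, int(raw), want))
    return findings

SAMPLE = "\n".join([  # constructed export, not taken from a real server
    "[System Access]", "MinimumPasswordAge = 0", "MaximumPasswordAge = 42",
    "MinimumPasswordLength = 7", "PasswordComplexity = 1", "PasswordHistorySize = 24",
    "LockoutBadCount = 10", "ResetLockoutCount = 30", "LockoutDuration = 30",
    "[Event Audit]", "AuditSystemEvents = 2", "AuditLogonEvents = 1", "AuditObjectAccess = 2",
    "AuditPrivilegeUse = 3", "AuditPolicyChange = 3", "AuditAccountManage = 3",
    "AuditProcessTracking = 0", "AuditDSAccess = 2", "AuditAccountLogon = 3",
])
```

Calling audit(SAMPLE) reports the zero-day minimum password age, the lockout threshold of 10, and the two audit categories that do not record failures. Exported templates are usually written as UTF-16, so read a real file with that encoding before passing its text in.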

Computer Configuration: Windows Settings: Security Settings: Local Policies: Security Options

We recommend you set Accounts: Rename administrator account to enabled and rename the administrator account to something else. This will help increase security by not giving a potential hacker the username at the start.

You should also consider setting Interactive logon: Do not display last user name to Enabled. This will display a blank username field at every boot – the user will be responsible for remembering their username. If someone gains physical access to the workstation, they would need to know a username to attempt to log in.

Computer Configuration: Administrative Templates: Windows Components

The Administrative Templates section of Group Policy allows you to set policies for the Windows operating system and its components.

Computer Configuration: Administrative Templates: Windows Components: Internet Explorer

If you have a proxy or ISA server, you may want to set Make proxy settings per-machine. This policy will allow you to set the policy settings for one account and then every account that logs in will receive the proxy settings.

Computer Configuration: Administrative Templates: Windows Components: Internet Information Services

If you set Prevent IIS installation, you can prevent rogue IIS servers from popping up on the network.

Computer Configuration: Administrative Templates: Windows Components: Windows Messenger

We do not like Windows Messenger (the MSN-like instant messenger application Microsoft installs by default). We enable Do not allow Windows Messenger to be run and Do not automatically start Windows Messenger initially.

Computer Configuration: Administrative Templates: Windows Components: Windows Update

If you are using SUS or want the machines to perform automatic updates, you can configure those options in this section.

User Configuration: Windows Settings: Internet Explorer Maintenance

There are several configuration options for Internet Explorer. If you want to force users to have the same homepage or options, you can configure these options.

There are hundreds of policy settings you could potentially apply. We recommend caution: apply only the policies that are absolutely necessary and leave the rest as “Not Configured.” This will make your user community much happier.

Author: admin