How to create a group policy?
1. Go to "Server Manager" --> "Tools" --> "Group Policy Management".
2. Right-click on Group Policy Object (GPO) and create a new GPO.
3. Right-click on your newly created GPO and select Edit to set a group policy.
How to apply a group policy?
1. Right-click the location in the domain tree where you need to apply the policy and select "Link existing GPO" to choose the GPO.
01. Password Policy
Password Policy changes certain attributes of domain users' passwords so that users are forced to choose good, secure passwords, which raises the overall security level. Refer to the following image to find the policy location.
There are 5 attributes under the password policy.
Enforce password history – Determines the number of passwords a user account must use before it can reuse an old password.
Maximum password age – Validity period of the user's current password. The user needs to renew the password after this value is exceeded.
Minimum password age – Minimum number of days a password must be used after changing it before it can be changed again.
Password must meet complexity requirements – The password should meet the following requirements:
  Not contain the user's account name or parts of the user's full name that exceed two consecutive characters.
  Be at least six characters in length.
  Contain characters from three of the following four categories:
    English uppercase characters (A through Z)
    English lowercase characters (a through z)
    Base 10 digits (0 through 9)
    Non-alphabetic characters (for example, !, $, #, %)
Store passwords using reversible encryption – This security setting determines whether the operating system stores passwords using reversible encryption. This policy provides support for applications that use protocols that require knowledge of the user's password for authentication purposes. This is the same as keeping passwords in plain text.
02. Account Lockout Policy
This policy prevents malicious user access by locking the user account for a period of time after a particular number of unsuccessful password attempts. This will prevent brute force attacks.
Account lockout duration – Period of time the account stays locked after the unsuccessful attempts.
Account lockout threshold – Number of times a user can try a password before the account gets locked.
Reset account lockout counter after – Period of time that must pass before the lockout counter is reset to 0.
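To check what the password and lockout settings above actually resolve to in a domain, the following added example (not part of the original article) audits a policy object whose property names match the output of Get-ADDefaultDomainPasswordPolicy from the ActiveDirectory module. The function name Test-DomainAccountPolicy, the baseline numbers and the sample object are assumptions made for illustration.

```powershell
# Added example, not from the original article.
# Property names are those returned by Get-ADDefaultDomainPasswordPolicy.
# Baseline numbers are assumptions; set them to your own standard.
function Test-DomainAccountPolicy {
    param(
        [Parameter(Mandatory)] $Policy,
        [int] $MinHistory   = 24,   # assumed baseline
        [int] $MinLength    = 14,   # assumed baseline
        [int] $MaxThreshold = 10    # assumed baseline
    )
    if ($Policy.ReversibleEncryptionEnabled) {
        'FAIL  Reversible encryption is on: stored passwords are recoverable, effectively plain text'
    }
    if (-not $Policy.ComplexityEnabled) {
        'FAIL  Password complexity requirements are disabled'
    }
    if ($Policy.MinPasswordLength -lt $MinLength) {
        "WARN  Minimum length $($Policy.MinPasswordLength) is below baseline $MinLength"
    }
    if ($Policy.PasswordHistoryCount -lt $MinHistory) {
        "WARN  History remembers $($Policy.PasswordHistoryCount) passwords, baseline is $MinHistory"
    }
    # With a minimum age of 0 a user can change the password repeatedly,
    # flush the history and return to the old password straight away.
    if ($Policy.PasswordHistoryCount -gt 0 -and $Policy.MinPasswordAge -eq [TimeSpan]::Zero) {
        'WARN  Minimum password age is 0: password history can be cycled through immediately'
    }
    if ($Policy.LockoutThreshold -eq 0) {
        'FAIL  Lockout threshold is 0: accounts never lock, so password guessing is not slowed'
    }
    elseif ($Policy.LockoutThreshold -gt $MaxThreshold) {
        "WARN  Lockout threshold $($Policy.LockoutThreshold) exceeds baseline $MaxThreshold"
    }
}

# Constructed sample input so the check runs without a domain controller.
$sample = [pscustomobject]@{
    ComplexityEnabled           = $true
    ReversibleEncryptionEnabled = $true
    PasswordHistoryCount        = 3
    MinPasswordLength           = 6
    MinPasswordAge              = [TimeSpan]::Zero
    LockoutThreshold            = 0
    LockoutDuration             = [TimeSpan]::FromMinutes(30)
}
Test-DomainAccountPolicy -Policy $sample

# On a domain-joined host with the ActiveDirectory module installed:
# Test-DomainAccountPolicy -Policy (Get-ADDefaultDomainPasswordPolicy)
```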
03. Rename Administrator Account
This policy is used to rename the local administrator accounts on domain computers. Keeping the default local administrator account name may leave it vulnerable to attacks because everyone knows the username.
04. Guest account status
This policy is used to enable or disable the local guest account. Access through a guest account will also reveal a considerable amount of data about the domain computer, so disabling it will increase the security level.
05. All Removable Storage classes: Deny all access
This policy will disable mounting of all removable disks. This will prevent sensitive data from being stolen from the computer, as well as virus attacks that come through removable disks.