Securing Windows with Group Policy

Securing Windows With
Group Policy
Josh Rickard
• BS in Computer Information Systems
• Central Methodist University – 1 year
• University of Missouri – 4 years
• Currently a Security Analyst-Specialist
– QualysGuard, Kasperksy, incident response
Josh Rickard
• Microsoft Deployment Toolkit & SCCM
• Group Policy
• Digital forensics
• Incident response
• PowerShell tool making!
Josh Rickard
• GIAC Certified Windows Security Administrator - GCWN
• GIAC Certified Forensic Analyst – GCFA
• QualysGuard Certified Specialist – QGCS-VM
• Apple Certified Associate – Mac Integration
• Who uses Active Directory in their environment?
• Who uses Group Policy in their environment?
– Daily?
– Weekly?
– Monthly?
– Year or more?
• Who has/uses two separate accounts?
– Mundane (
– Admin (unique account)
Two Group Policy Questions
• Where are you? (Domain, OU, Site)
• What are you? (User or Computer)
• Local Group
• Site or
• Domain
• Organizational
Unit Group
Exceptions to the rule
Account Policies
Kerberos Policy settings
Password Policy
Enforce user logon restrictions
Enforce password history
Maximum lifetime for service ticket
Maximum & Minimum password age
Maximum lifetime for user ticket
Minimum password length
Maximum lifetime for user ticket renewal
Passwords must meet complexity requirements
Maximum tolerance for computer clock synchronization
Store password using reversible encryption for all users in
the domain (NOOOOOOOOOO!!!!!!)
Network Access: Allow anonymous SID/NAME translation
Network Security: Force Logoff when Logon Hours expire
Account Lockout Policy settings
Account lockout duration
Account lockout threshold
Reset account lockout counter after
Local Policies
Computer Configuration
• Computer configuration almost always wins
• Used to apply configuration changes specific to
• Think, HKLM
• Exception: Loopback Processing Mode
User Configuration
• Really only useful if user & computer objects in same OU
• Used to apply configuration changes specific to users
• Think, HKCU or HKU
• No tattoo
– If GPO is out of scope, it will be removed
• Overwrite current application settings
• Policies are recognized by applications
– i.e. grayed out settings
• Tattoo's
– If GPO goes out of scope, settings remain
• Item Level Targeting
– We will talk about this later
Block Inheritance
• Block GPOs higher in the LSD OU order
• Keep in mind that Kerberos, password, & lockout policies
will still be enforced for everyone in that domain.
Enforced (a.k.a., “No Override”)
• Enforce parent container GPO to all sub-containers
• This will “override” any “Block Inheritance” GPO settings
• Except: Loopback Mode GPOs
Loopback Processing Mode
• User configurations for computer objects
• Replace
– This will replace current user settings applied to that OU
• Merge
– This will merge both the user & computer GPO
• *NOTE: User GPO will win.
WMI Filtering
• Filter/configure GPO “scope”
• Filter based on specific users/computers/groups/etc.
Item Level Targeting
• GPO Preferences
• Target a specific machine attribute (other than WMI
Active Directory Permissions
• Enable “Advanced Features”
• Delegate control
– Always take a “least privilege” approach
• Delegate full control over an OU only
Morale of the Story
• We need to ask ourselves, where is the computer/user
account located in AD?
Now the fun stuff!
We need to ask ourselves, where is the
computer/user account located in AD?
Auto-Play & Auto-Run
• Disable the action taken when a thumb drive or portable
hard drive is plugged into a computer
Windows Firewall with Advanced Security
• Manage Network Profiles
– Domain
– Home
– Public
• Manage applications/services that should be
Manage Group Memberships
GPO Restricted Groups
Manage global groups in AD
Centrally manage all high-target groups
“Rebuilds” the group completely every time GP is refreshed
GPO Preferences
Best for managing local groups on domain machines
Create custom local groups
Assign Customized rights and privileges
Assign customized permission as well
Manage User Rights
• Allow/Deny Log On Locally
– Why does someone need to log on locally to a server/computer?
• Allow/Deny Access to Computer From the Network
– Limit this to either specific user or just admins/IT Pro’s
• Allow/Deny Log On Remote Desktop Services
– Normal users do not need RDP
Manage High Target Accounts
• Restrict Logon Hours and Workstations
– Enterprise, Schema, and Domain Admins should be restricted as
tightly as possible.
• Remote Desktop logon
• Remote Control logon
• Etc.
• Why would Domain/Enterprise/Schema Admins be RDPing?
– Answer: They wouldn’t!
• Requirements:
– Application Identity Service must be running (Automatic)
• Three different conditions can be use
– Hash Condition Rules
– Path Condition Rules
– Publisher Condition Rules
AppLocker – Hash Condition
• Every file has a unique hash value
• Positive
– Unique hash for every executable
– Secure!
• Negative
– Every update has a new hash
AppLocker – Path Condition
• Positive
– Select an entire suite of products
– You can use wildcards (*)
• Negative
– You must know all paths the application uses
• C:\ProgramData
• C:\Users\username\AppData\Local\*\*.zip\*
AppLocker – Publisher Condition
• Positive
– Select an entire path to allow a suite of applications
– You can use wildcards (*)
• Negative
– Only works for applications that are digitally signed
Additional Security Measures
• Require screensavers with passwords
• Use LAPS – do not keep the same local admin password
on all machines
– If possible, disable the ability to logon with a local account
– If you set passwords using GP, then they are stored unencrypted
in \\\SYSVOL
• Hashed does not mean encrypted. 
Additional Security Measures
• Disable Guest Account
– Option: Network Access: Sharing and Security Model for Local
• Automatically demotes any remote user who authenticates to guest
– If you disable the guest account and this setting is enabled, then no
one will be able to long using a local account (good thing!)
Additional Security Measures
• Display a Logon Banner with Legal Notice
This system is for use of authorized users only and is not public. Individuals
using this computer system without authority or in excess of their authority are
subject to having all of their activities on this system monitored and recorded,
including their keystrokes and mouseclicks. Anyone using this system
expressly consents to such monitoring and is advised that if this monitoring
reveals possible evidence of criminal activity, this evidence may be provided to
law enforcement officials with the intent to prosecute.
Block Unsigned Scripts
• PowerShell
• VBScript
• Jscript
• Perl
• Python
• This does NOT protect you
from advanced users &
• PowerShell is not a
security mechanism
Advanced Protection
• DEP – Data Execution Prevention
– Prevents execution of code in memory that are not marked as
• ASLR – Address Space Layout Randomization
– Random address spaces make exploits more difficult. No way to
hard code memory locations
• EMET – Enhanced Mitigation Experience Toolkit
Scheduled Tasks for GPO Scripts
• Schedule tasks to run under the identity with the least
– Local Services
– Network Services
– Local System (if needed)
• Do NOT use passwords in scripts
7 Deadly Sins (for Malware)
• Act As Part of the Operating System
• Create a Token Object
• Debug Programs
• Load and Unload Device Drivers
• Restore Files and Directories
• Take Ownership
• Impersonate a Client After Authentication
Impersonate A Client Privilege
• Primary Security Access Token (SAT)
– Basically, impersonate a user’s SAT for other running processes
• Used by network services to impersonate clients
• Token stealing
– Steal SATs for network authentication
Debug Programs Privilege
Grants read/write access to user & kernel-mode memory
Malware uses it for:
New thread injected into any process
Passwords, hashes, encryption keys and other data can be read out of kernel space memory
without DLL injection.
Pass-The-Hash Attacks
Once malware has your password hash they can:
Extract password hashes of local accounts
Extract password hashes of interactive users with AD accounts
Plus others
Disable IPv6 – Until You Need It
• Why Disable IPv6?
– We want to shrink our attack surface
• Why Not Disable IPv6?
– Microsoft DirectAccess requires it (kind of)
– Microsoft doesn’t test their patches on systems with IPv6
Group Policy is basically a large enterprise scale registry editor!
Contact Info
• Name: Josh Rickard
• E-Mail:
• Blog:
• Twitter: @MS_dministrator