ZEDA.nl

Tips & Tweaks for Windows

Security Quick Wins

Today, I want to focus on some easy ways to increase the security of your Windows infrastructure. You might have set up advanced firewalls, a good patch management system, maybe even encrypted network traffic. Even so, did you remember the low-effort settings?

This article gives you a top 5 of quick wins to implement or at least think about.

1. Secure service accounts

Some applications will need a service account. To prevent misuse of these accounts remember the following:

  • Make sure service accounts only have the permissions they need. There is probably no need for any of them to be a member of the Administrators group at all.
  • Have groups available that deny user rights such as Log on locally, and groups that deny access to user data. Make the service accounts members of these deny groups.
  • Passwords of service accounts are probably never changed and only sporadically entered, so there is no reason not to choose a ridiculously strong password (and store it in a safe place).
  • Use Managed Service Accounts when possible.
  • Be aware that when a domain account is used as a service account, the service will fail to start when the computer is offline. Knowing this, you might want to avoid using a domain account for your laptop's anti-virus service.

2. Prevent Permissions to Domain Users or Everyone

Create dedicated groups for rights and permissions and avoid using the built-in groups Domain Users or Everyone. You might need a No Access Users group someday.

3. GPO: Firewall Settings

Make sure the Windows Firewall on all clients is enabled and that remote access to the computers is only available when it is connected to the domain network. Especially on laptops.

In group policy editor, go to:

Computer Configuration -> Policies -> Windows Settings -> Security Settings -> Windows Firewall with Advanced Security

Read detailed instructions on configuring firewall policies in the article Windows Firewall GPOs.

4. GPO: Replace the Local Administrator

The local Administrator account is the favourite target for attacks, because it is always there and always has the same well-known SID. Therefore I created a Group Policy that defines 3 settings:

Disable the Administrator Account

In group policy editor, go to:

Computer Configuration -> Policies -> Windows Settings -> Security Settings -> Local Policies -> Security Options -> Accounts: Administrator account status

Rename Administrator Account

In group policy editor, go to:

Computer Configuration -> Policies -> Windows Settings -> Security Settings -> Local Policies -> Security Options -> Accounts: Rename administrator account

Create emergency administrator account

As you will probably at some point regret not having a local administrator at all, I create an emergency administrator.

In group policy editor, go to:

Computer Configuration -> Preferences -> Control Panel Settings -> Local Users and Groups

The newly created EMAD user will be added to the local Administrators group using restricted groups as explained in the next Quick Win.

5. GPO: Restricted Groups

Even though every Windows host has its own local built-in groups, it's easy to control them all by using Restricted Groups in Group Policy.

You will find these settings in your Group Policy Editor in:

Computer Configuration -> Policies -> Windows Settings -> Security Settings -> Restricted Groups

This example shows the restricted groups GPO I assigned to all client workstations.

Note that I make sure that most groups are empty. The groups Administrators and Remote Desktop Users are restricted to Domain Admins and one dedicated Domain group. This way I can assign the rights on the domain level. I also add the local user EMAD to the local Administrators group.
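To verify that quick wins 3, 4 and 5 actually landed on a workstation, here is an added PowerShell audit script; it is my own example, not part of the original post. It assumes PowerShell 5.1 or later (for the LocalAccounts and NetSecurity modules) on an elevated prompt, the emergency account name EMAD from this post, and placeholder names for the dedicated domain groups your own GPO uses.

```powershell
# Added audit example (not from the original post). Assumes PowerShell 5.1+,
# an elevated prompt, and that it runs on the workstation being checked.
$Findings = New-Object System.Collections.Generic.List[string]

# Quick win 4: the built-in Administrator always has RID 500, whatever it was
# renamed to, so locate it by SID instead of by name.
$BuiltIn = Get-LocalUser | Where-Object { $_.SID.Value -like 'S-1-5-21-*-500' }
if ($null -eq $BuiltIn) {
    $Findings.Add('Could not find the built-in Administrator (RID 500)')
} else {
    if ($BuiltIn.Enabled) { $Findings.Add('Built-in Administrator is still enabled') }
    if ($BuiltIn.Name -eq 'Administrator') { $Findings.Add('Built-in Administrator still has its default name') }
}

# Quick win 4: the emergency admin (EMAD in the post) must exist and be enabled.
$Emad = Get-LocalUser -Name 'EMAD' -ErrorAction SilentlyContinue
if (-not $Emad -or -not $Emad.Enabled) { $Findings.Add('Emergency admin EMAD is missing or disabled') }

# Quick win 5: local group membership must match what Restricted Groups enforce.
# <DedicatedAdminGroup> and <DedicatedRdpGroup> are placeholders for the
# dedicated domain groups used in your GPO; most other groups stay empty.
$Domain   = $env:USERDOMAIN
$Computer = $env:COMPUTERNAME
$Expected = @{
    'Administrators'       = @("$Domain\Domain Admins", "$Domain\<DedicatedAdminGroup>", "$Computer\EMAD")
    'Remote Desktop Users' = @("$Domain\Domain Admins", "$Domain\<DedicatedRdpGroup>")
    'Power Users'          = @()
    'Backup Operators'     = @()
}
foreach ($Group in $Expected.Keys) {
    $Actual  = @(Get-LocalGroupMember -Group $Group -ErrorAction SilentlyContinue | ForEach-Object Name)
    $Extra   = $Actual | Where-Object { $_ -notin $Expected[$Group] }
    $Missing = $Expected[$Group] | Where-Object { $_ -notin $Actual }
    foreach ($m in $Extra)   { $Findings.Add("$Group has unexpected member $m") }
    foreach ($m in $Missing) { $Findings.Add("$Group is missing expected member $m") }
}

# Quick win 3: the Windows Firewall must be on for every profile.
Get-NetFirewallProfile | Where-Object { -not $_.Enabled } |
    ForEach-Object { $Findings.Add("Firewall profile $($_.Name) is disabled") }

if ($Findings.Count -gt 0) { $Findings | ForEach-Object { Write-Warning $_ } }
else { Write-Output 'All quick-win checks passed' }
```

Run it after a gpupdate /force on a test workstation; each warning points at a setting the GPO did not apply as intended.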

This post applies to: Windows 2008, Windows 2008 R2, Windows 7.
