This presentation was presented at MORENet 2015 Annual Conference by Josh Rickard and focused on educating IT Professionals on using Microsoft Group Policy to secure their Windows environment. Visit http://msadministrator.com for more information.

1. Securing Windows With
Group Policy

2. Josh Rickard
• BS in Computer Information Systems
• Central Methodist University – 1 year
• University of Missouri – 4 years
• Currently a Security Analyst-Specialist
– QualysGuard, Kasperksy, incident response

3. Josh Rickard
• Microsoft Deployment Toolkit & SCCM
• Group Policy
• Digital forensics
• Incident response
• PowerShell tool making!

4. Josh Rickard
• GIAC Certified Windows Security Administrator - GCWN
• GIAC Certified Forensic Analyst – GCFA
• QualysGuard Certified Specialist – QGCS-VM
• Apple Certified Associate – Mac Integration

5. FIRST STEP TOWARDS
SECURING WINDOWS

6. START WITH MALWARE-
RESISTANT OPERATING
SYSTEMS AND SOFTWARE

7. NEXT STEPS

8. PATCH MANAGEMENT

9. Questions
• Who uses Active Directory in their environment?
• Who uses Group Policy in their environment?
– Daily?
– Weekly?
– Monthly?
– Year or more?

10. Questions
• Who has/uses two separate accounts?
– Mundane (email@emailaddress.com)
– Admin (unique account)

11. USE TWO SEPARATE ACCOUNTS

12. Two Group Policy Questions
• Where are you? (Domain, OU, Site)
• What are you? (User or Computer)

13. LSD OU!
Local • Local Group
Policy
Site
• Site or
Forest
Group
Policy
Domain
• Domain
Group
Policy
OU
• Organizational
Unit Group
Policy

14. Exceptions to the rule
• Account Policies
– Password Policy
– Enforce password history
– Maximum & Minimum password age
– Minimum password length
– Passwords must meet complexity requirements
– Store password using reversible encryption for all users in
the domain (NOOOOOOOOOO!!!!!!)
• Account Lockout Policy settings
– Account lockout duration
– Account lockout threshold
– Reset account lockout counter after
• Kerberos Policy settings
– Enforce user logon restrictions
– Maximum lifetime for service ticket
– Maximum lifetime for user ticket
– Maximum lifetime for user ticket renewal
– Maximum tolerance for computer clock synchronization
– Network Access: Allow anonymous SID/NAME translation
– Network Security: Force Logoff when Logon Hours expire
• Local Policies

15. Computer Configuration
• Computer configuration almost always wins
• Used to apply configuration changes specific to
machines
• Think, HKLM
• Exception: Loopback Processing Mode

16. User Configuration
• Really only useful if user & computer objects in same OU
• Used to apply configuration changes specific to users
• Think, HKCU or HKU

17. Policies
• No tattoo
– If GPO is out of scope, it will be removed
• Overwrite current application settings
• Policies are recognized by applications
– i.e. grayed out settings

18. Preferences
• Tattoo's
– If GPO goes out of scope, settings remain
• Item Level Targeting
– We will talk about this later

19. Block Inheritance
• Block GPOs higher in the LSD OU order
• Keep in mind that Kerberos, password, & lockout policies
will still be enforced for everyone in that domain.

20. Enforced (a.k.a., “No Override”)
• Enforce parent container GPO to all sub-containers
• This will “override” any “Block Inheritance” GPO settings
• Except: Loopback Mode GPOs

21. Loopback Processing Mode
• User configurations for computer objects
• Replace
– This will replace current user settings applied to that OU
• Merge
– This will merge both the user & computer GPO
• *NOTE: User GPO will win.

22. WMI Filtering
• Filter/configure GPO “scope”
• Filter based on specific users/computers/groups/etc.

23. Item Level Targeting
• GPO Preferences
• Target a specific machine attribute (other than WMI
Filtering)

24. Active Directory Permissions
• Enable “Advanced Features”
• Delegate control
– Always take a “least privilege” approach
• Delegate full control over an OU only

25. Morale of the Story
• We need to ask ourselves, where is the computer/user
account located in AD?

26. Now the fun stuff!
We need to ask ourselves, where is the
computer/user account located in AD?

27. Auto-Play & Auto-Run
• Disable the action taken when a thumb drive or portable
hard drive is plugged into a computer

28. Windows Firewall with Advanced Security
• Manage Network Profiles
– Domain
– Home
– Public
• Manage applications/services that should be
allowed/denied

29. Manage Group Memberships
• GPO Restricted Groups
– Manage global groups in AD
– Centrally manage all high-target groups
– “Rebuilds” the group completely every time GP is refreshed
• GPO Preferences
– Best for managing local groups on domain machines
– Create custom local groups
– Assign Customized rights and privileges
– Assign customized permission as well

30. Manage User Rights
• Allow/Deny Log On Locally
– Why does someone need to log on locally to a server/computer?
• Allow/Deny Access to Computer From the Network
– Limit this to either specific user or just admins/IT Pro’s
• Allow/Deny Log On Remote Desktop Services
– Normal users do not need RDP

31. Manage High Target Accounts
• Restrict Logon Hours and Workstations
– Enterprise, Schema, and Domain Admins should be restricted as
tightly as possible.
• Remote Desktop logon
• Remote Control logon
• Etc.
• Why would Domain/Enterprise/Schema Admins be RDPing?
– Answer: They wouldn’t!

32. AppLocker
• Requirements:
– Application Identity Service must be running (Automatic)
• Three different conditions can be use
– Hash Condition Rules
– Path Condition Rules
– Publisher Condition Rules

33. AppLocker – Hash Condition
• Every file has a unique hash value
• Positive
– Unique hash for every executable
– Secure!
• Negative
– Every update has a new hash

34. AppLocker – Path Condition
• Positive
– Select an entire suite of products
– You can use wildcards (*)
• Negative
– You must know all paths the application uses
• C:ProgramData
• C:UsersusernameAppDataLocal**.zip*

35. AppLocker – Publisher Condition
• Positive
– Select an entire path to allow a suite of applications
– You can use wildcards (*)
• Negative
– Only works for applications that are digitally signed

37. Additional Security Measures
• Require screensavers with passwords
• Use LAPS – do not keep the same local admin password
on all machines
– If possible, disable the ability to logon with a local account
– If you set passwords using GP, then they are stored unencrypted
in domain.comSYSVOL
• Hashed does not mean encrypted. 

38. Additional Security Measures
• Disable Guest Account
– Option: Network Access: Sharing and Security Model for Local
Accounts
• Automatically demotes any remote user who authenticates to guest
status
– If you disable the guest account and this setting is enabled, then no
one will be able to long using a local account (good thing!)

39. Additional Security Measures
• Display a Logon Banner with Legal Notice
This system is for use of authorized users only and is not public. Individuals
using this computer system without authority or in excess of their authority are
subject to having all of their activities on this system monitored and recorded,
including their keystrokes and mouseclicks. Anyone using this system
expressly consents to such monitoring and is advised that if this monitoring
reveals possible evidence of criminal activity, this evidence may be provided to
law enforcement officials with the intent to prosecute.

40. Block Unsigned Scripts
• PowerShell
• WSH
• VBScript
• Jscript
• Perl
• Python
• This does NOT protect you
from advanced users &
Malware
• PowerShell is not a
security mechanism

41. Advanced Protection
• DEP – Data Execution Prevention
– Prevents execution of code in memory that are not marked as
executable
• ASLR – Address Space Layout Randomization
– Random address spaces make exploits more difficult. No way to
hard code memory locations
• EMET – Enhanced Mitigation Experience Toolkit

42. Scheduled Tasks for GPO Scripts
• Schedule tasks to run under the identity with the least
privilege
– Local Services
– Network Services
– Local System (if needed)
• Do NOT use passwords in scripts

43. 7 Deadly Sins (for Malware)
• Act As Part of the Operating System
• Create a Token Object
• Debug Programs
• Load and Unload Device Drivers
• Restore Files and Directories
• Take Ownership
• Impersonate a Client After Authentication

44. Impersonate A Client Privilege
• Primary Security Access Token (SAT)
– Basically, impersonate a user’s SAT for other running processes
• Used by network services to impersonate clients
• Token stealing
– Steal SATs for network authentication

45. Debug Programs Privilege
• Grants read/write access to user & kernel-mode memory
• Malware uses it for:
– New thread injected into any process
– Passwords, hashes, encryption keys and other data can be read out of kernel space memory
without DLL injection.
• Pass-The-Hash Attacks
– Once malware has your password hash they can:
• Extract password hashes of local accounts
• Extract password hashes of interactive users with AD accounts
• Plus others

46. Disable IPv6 – Until You Need It
• Why Disable IPv6?
– We want to shrink our attack surface
• Why Not Disable IPv6?
– Microsoft DirectAccess requires it (kind of)
– Microsoft doesn’t test their patches on systems with IPv6
disabled

47. JUST REMEMBER
Group Policy is basically a large enterprise scale registry editor!

48. Contact Info
• Name: Josh Rickard
• E-Mail: rickardj@Missouri.edu
• Blog: http://MSAdministrator.com
• Twitter: @MS_dministrator