will.brien + grouppolicy   2

Securing Windows Workstations: Developing a Secure Baseline – Active Directory Security
Securing Windows Workstation:

Deploying Free/Near-Free Microsoft Tools to Improve Windows Security
Deploy Microsoft AppLocker to lock down what can run on the system.

Deploy current version of EMET with recommended software settings.

Deploy LAPS to manage the local Administrator (RID 500) password.
Force Group Policy to reapply settings during “refresh”
Disable Windows Legacy & Typically Unused Features

Disable Net Session Enumeration (NetCease)

Disable WPAD
Disable LLMNR

Disable Windows Browser Protocol

Disable NetBIOS

Disable Windows Scripting Host (WSH) & Control Scripting File Extensions

Deploy security back-port patch (KB2871997).

Prevent local Administrator (RID 500) accounts from authenticating over the network

Ensure WDigest is disabled
Remove SMB v1 support

Windows 10 & Windows 2016

Windows 10 & 2016 System Image Configuration
Block Untrusted Fonts
Enable Credential Guard
Configure Device Guard
Application Security Settings

Disable Microsoft Office Macros

Disable Microsoft Office OLE
Additional Group Policy Security Settings
Configure Lanman Authentication to a secure setting
Configure restrictions for unauthenticated RPC clients
Configure NTLM session security
security  windows  sysadmin  work  grouppolicy  @read 
september 2017 by will.brien
Ransomware Prevention Kit
In 2013 we created the first set of Group Policies to combat Cryptolocker. Since then we’ve continued to expand and improve our IT Best Practices approach to Ransomware Prevention. It now includes documents, policies, recovery keys, and instruction sets for other tools native to Windows Server and Desktop OS’s. We also include suggestions of how you can modernize your network configuration best practices a build a great solution for your clients.
sysadmin  windows  grouppolicy  reference  software  <todo> 
july 2016 by will.brien

Copy this bookmark: