
What group policies need to be set

What group policies do I definitely need to set other than passwords in a company environment?

Senior Solution Architect
Most Valuable Expert 2015
Top Expert 2015
Commented:
Typically what you are going to want to enable on the default domain policy is the following...
Enforce Password History
Max Password Age
Min Password Age
Password Complexity Requirements
Store password using reversible encryption (Disabled)

Will.

Commented:
What is your goal overall? There are 1000s of them. Maybe you want to force computers to autolock after X amount of time so users can't disable it. Maybe you want to force password requirements (like the guy above posted). Windows updates on computer OUs but different ones on servers and download only on DCs (all my recommendations). Etc., etc.
Commented:
Here is a snippet of some of what I would do

TAKEN FROM ABOVE ^^^
Enforce Password History
Max Password Age
Min Password Age
Password Complexity Requirements
Store password using reversible encryption (Disable)

WSUS (or windows updates if you don't use them)
Autolock computer after x inactivity
Logon message
disable USB (unless needed, but disable as many as you can)
No auto run
Use to pass out packages for software installs / updates

There are many, many more...
tigermatt
Site Reliability Engineer
Most Valuable Expert 2011

Commented:
What group policies do I definitely need to set other than passwords in a company environment?
This is an impossible question to answer.

The requirements will be dictated first by organizational policy which dictates functionality you must enable/disable (e.g. should desktops lock automatically after 10 minutes?), what your patch management cycle is, what security policy you must enforce, etc.
Secondary to that is enforcement of "user preferences", which you may elect to undertake if you wish to disable aspects of the user interface for all or a subset of your users to simplify the interface, remove confusing features, disable undesirable aspects which could be a data protection risk, etc. Again, policy should ultimately determine what is done here to enhance the user experience, and remember you can only have limited control if a user is granted local administrator rights on their workstation.

The IT department should not operate in a silo but under the full guise of management / the board; operating otherwise typically will not deliver the optimal service to support the goals and needs of the company (and hence users will find their own workarounds / won't understand why IT does what it does). This is harder in small organisations where management have no idea, and the outside consultant is expected to both set and implement policy; in such circumstances, one should still have some idea in mind, even if not formally written up, as to what policy one seeks to enforce before heading into GPO and actually creating that policy.

Author

Commented:
May be a dumb question but when you disable usb does that affect keyboard/mouse or just jump drives?

Author

Commented:
Also, I am a one-man IT dept. so I don't really have anything to go off of, I am just looking to make the place a little more secure.
Will Szymkowski
Senior Solution Architect
Most Valuable Expert 2015
Top Expert 2015

Commented:
Typically when you are looking for tighter security you will want to enable the password settings I have outlined in my first post. These settings are configurable to your business needs but should definitely be enabled and enforced.

If you are using AD 2008 and above you can also use PSO (Fine Grain Password Policies) as well to have multiple password policies in a single domain. This way you can provide stronger password policies for something like Service Accounts or Executives or whatever the case may be.

You can reference the link below for more details.
https://technet.microsoft.com/en-ca/library/cc770842%28v=ws.10%29.aspx

Also, FGPP for 2008 is all done via PowerShell, and not done with the UI.

Will.
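
A fine-grained password policy for service accounts, created and verified from PowerShell, as an added example that is not part of the original thread. It assumes the ActiveDirectory module (RSAT) is available; the PSO name, the group name `SvcAccounts` and every numeric value are constructed placeholders to be replaced by your own policy.

```powershell
# Added example: names and values below are constructed, not taken from the thread.
Import-Module ActiveDirectory

$psoName   = 'PSO-ServiceAccounts'   # hypothetical PSO name
$groupName = 'SvcAccounts'           # hypothetical global security group

# Create the PSO only if it does not exist yet, so the script can be re-run safely.
$pso = Get-ADFineGrainedPasswordPolicy -Filter "Name -eq '$psoName'"
if (-not $pso) {
    $pso = New-ADFineGrainedPasswordPolicy -Name $psoName `
        -Precedence 10 `
        -MinPasswordLength 20 `
        -PasswordHistoryCount 24 `
        -MinPasswordAge (New-TimeSpan -Days 1) `
        -MaxPasswordAge (New-TimeSpan -Days 365) `
        -ComplexityEnabled $true `
        -ReversibleEncryptionEnabled $false `
        -LockoutThreshold 10 `
        -LockoutObservationWindow (New-TimeSpan -Minutes 15) `
        -LockoutDuration (New-TimeSpan -Minutes 15) `
        -PassThru
}

# PSOs apply to users and global security groups, not to OUs.
$subjects = Get-ADFineGrainedPasswordPolicySubject -Identity $psoName
if ($subjects.Name -notcontains $groupName) {
    Add-ADFineGrainedPasswordPolicySubject -Identity $psoName -Subjects $groupName
}

# Verify: show which policy each user in the group actually receives.
# No result from Get-ADUserResultantPasswordPolicy means the default domain policy applies.
Get-ADGroupMember -Identity $groupName -Recursive |
    Where-Object { $_.objectClass -eq 'user' } |
    ForEach-Object {
        $rp = Get-ADUserResultantPasswordPolicy -Identity $_.SamAccountName
        [pscustomobject]@{
            User      = $_.SamAccountName
            PSO       = if ($rp) { $rp.Name } else { '(default domain policy)' }
            MinLength = if ($rp) { $rp.MinPasswordLength } else { $null }
        }
    }
```

When several PSOs reach the same user, the one with the lowest `Precedence` value wins, which is why the verification step reads the resultant policy per user.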
tigermatt
Site Reliability Engineer
Most Valuable Expert 2011
Commented:
May be a dumb question but when you disable usb does that affect keyboard/mouse or just jump drives?
This typically refers to disabling USB mass storage devices to avoid a common vector for information loss via uncontrolled means. Disabling autoplay of such devices for a start is a good idea to avoid malware which likes to hide in autorun files.

Also, I am a one-man IT dept. so I don't really have anything to go off of, I am just looking to make the place a little more secure.
Apologies if my comment above sounded a little flippant in that respect, but regardless of size, jumping straight into GPO without at least having a vague idea of what you are trying "to secure" is problematic because there are an impossible number of combinations of policies which all interact in complex ways with each other. I've been in your position where I have had no guidance in what policies to configure and users who know next to nothing, so I appreciate how bamboozling the GPO interface is when there's no document to indicate what policies are to be configured and there's no end goal in mind.

Remember: security is a continual process. Identify flaws, configure GPOs, iterate. This typically has a trade-off with user requirements, since users typically don't understand why the restrictions are applied. An account lockout policy is a very good place to start to avoid brute force dictionary attacks on passwords. (There's also strong evidence that, contrary to popular belief, configuring password policies which force passwords to be changed every X days leads to LESS SECURE passwords overall, so think carefully in that regard. I can point you to relevant literature if interested.)
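
A quick audit of the default domain policy against the settings named in this thread (password history, minimum and maximum age, complexity, reversible encryption, account lockout), as an added example that is not part of the original thread. The function name `Test-DomainPasswordPolicy` is hypothetical and the sample policy object is constructed so the check can be tried offline; it only reports whether each setting is configured and does not judge the values.

```powershell
# Added example: reports which of the thread's settings are configured at all.
function Test-DomainPasswordPolicy {
    param([Parameter(Mandatory = $true)] $Policy)

    $checks = @(
        @{ Setting = 'Enforce password history';     Value = $Policy.PasswordHistoryCount
           Set = ($Policy.PasswordHistoryCount -gt 0) }
        @{ Setting = 'Maximum password age';         Value = $Policy.MaxPasswordAge
           Set = ($Policy.MaxPasswordAge -gt [TimeSpan]::Zero) }
        @{ Setting = 'Minimum password age';         Value = $Policy.MinPasswordAge
           Set = ($Policy.MinPasswordAge -gt [TimeSpan]::Zero) }
        @{ Setting = 'Password complexity';          Value = $Policy.ComplexityEnabled
           Set = [bool]$Policy.ComplexityEnabled }
        @{ Setting = 'Reversible encryption is off'; Value = $Policy.ReversibleEncryptionEnabled
           Set = (-not $Policy.ReversibleEncryptionEnabled) }
        @{ Setting = 'Account lockout threshold';    Value = $Policy.LockoutThreshold
           Set = ($Policy.LockoutThreshold -gt 0) }
    )

    foreach ($c in $checks) {
        [pscustomobject]@{
            Setting = $c.Setting
            Value   = $c.Value
            Status  = if ($c.Set) { 'Configured' } else { 'NOT CONFIGURED' }
        }
    }
}

# Constructed sample with the same property names that
# Get-ADDefaultDomainPasswordPolicy returns; not data from a real domain.
$sample = [pscustomobject]@{
    PasswordHistoryCount        = 0
    MaxPasswordAge              = [TimeSpan]::FromDays(42)
    MinPasswordAge              = [TimeSpan]::Zero
    ComplexityEnabled           = $true
    ReversibleEncryptionEnabled = $false
    LockoutThreshold            = 0
}
Test-DomainPasswordPolicy -Policy $sample | Format-Table -AutoSize

# Against a live domain (requires the ActiveDirectory module):
# Test-DomainPasswordPolicy -Policy (Get-ADDefaultDomainPasswordPolicy)
```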