What group policies need to be set

What group policies do I definitely need to set other than passwords in a company environment?
TomBalla Asked:

Will Szymkowski, Senior Solution Architect, Commented:
Typically what you are going to want to enable on the default domain policy is the following...
Enforce Password History
Max Password Age
Min Password Age
Password Complexity Requirements
Store password using reversible encryption (Disabled)

Will.
0

Seth_zin Commented:
What is your goal overall? There are 1000s of them. Maybe you want to force computers to autolock after X amount of time so they can't disable it. Maybe you want to force password requirements (like the guy above posted). Windows updates on computer OUs but different ones on servers and download only on DC (all my recommendations). Etc. Etc.
0
Seth_zin Commented:
Here is a snippet of some of what I would do

TAKEN FROM ABOVE ^^^
Enforce Password History
 Max Password Age
 Min Password Age
 Password Complexity Requirements
 Store password using reversible encryption (Disable)

WSUS (or windows updates if you don't use them)
Autolock computer after x inactivity
Logon message
disable USB (unless needed, but disable as many as you can)
No auto run
Use to pass out packages for software installs / updates

There's many, many more...
0

tigermatt Commented:
"What group policies do I definitely need to set other than passwords in a company environment?"
This is an impossible question to answer.

The requirements will be dictated first by organizational policy which dictates functionality you must enable/disable (e.g. should desktops lock automatically after 10 minutes?), what your patch management cycle is, what security policy you must enforce, etc.
Secondary to that is enforcement of "user preferences", which you may elect to undertake if you wish to disable aspects of the user interface for all or a subset of your users to simplify the interface, remove confusing features, disable undesirable aspects which could be a data protection risk, etc. Again, policy should ultimately determine what is done here to enhance the user experience, and remember you can only have limited control if a user is granted local administrator rights on their workstation.

The IT department should not operate in a silo but under the full guise of management / the board; operating otherwise typically will not deliver the optimal service to support the goals and needs of the company (and hence users will find their own workarounds / won't understand why IT does what it does). This is harder in small organisations where management have no idea, and the outside consultant is expected to both set and implement policy; in such circumstances, one should still have some idea in mind, even if not formally written up, as to what policy one seeks to enforce before heading into GPO and actually creating that policy.
0
TomBalla (Author) Commented:
May be a dumb question but when you disable usb does that affect keyboard/mouse or just jump drives?
0
TomBalla (Author) Commented:
Also, I am a one man IT dept. so I don't really have anything to go off of, I am just looking to make the place a little more secure.
0
Will Szymkowski, Senior Solution Architect, Commented:
Typically when you are looking for tighter security you will want to enable the password settings I have outlined in my first post. These settings are configurable to your business needs but should definitely be enabled and enforced.

If you are using AD 2008 and above you can also use PSO (Fine Grain Password Policies) as well to have multiple password policies in a single domain. This way you can provide stronger password policies for something like Service Accounts or Executives or whatever the case may be.

You can reference the link below for more details.
https://technet.microsoft.com/en-ca/library/cc770842%28v=ws.10%29.aspx

Also FGPP for 2008 is all done via PowerShell, and not done with the UI.

Will.
0
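The password settings and fine-grained password policy described in the posts above, as an added example that is not part of the original thread: it audits the Default Domain Policy against the five listed settings, then creates a stricter PSO for one group. It assumes the ActiveDirectory PowerShell module and a domain functional level that supports PSOs; the thresholds, `PSO-ServiceAccounts`, `SG-ServiceAccounts` and `svc-backup` are hypothetical.

```powershell
# Added example; needs the ActiveDirectory module (RSAT, Windows Server 2008 R2 or later).
Import-Module ActiveDirectory

# Constructed sample thresholds, not values from the thread. Password expiry is
# debated later in the thread, so set $maxAgeDays to match your own policy.
$minHistory = 10
$maxAgeDays = 90

# 1. Read-only audit of the Default Domain Policy settings listed above.
$p = Get-ADDefaultDomainPasswordPolicy
$audit = [ordered]@{
    'Enforce password history'         = ($p.PasswordHistoryCount -ge $minHistory)
    'Max password age'                 = (($p.MaxPasswordAge.TotalDays -gt 0) -and
                                          ($p.MaxPasswordAge.TotalDays -le $maxAgeDays))
    'Min password age'                 = ($p.MinPasswordAge.TotalDays -ge 1)
    'Password complexity requirements' = [bool]$p.ComplexityEnabled
    'Reversible encryption disabled'   = (-not $p.ReversibleEncryptionEnabled)
}
foreach ($item in $audit.GetEnumerator()) {
    $state = if ($item.Value) { 'OK' } else { 'REVIEW' }
    '{0,-34} {1}' -f $item.Key, $state
}

# 2. Stricter fine-grained policy (PSO) for one group of accounts.
#    PSOs apply to users and global security groups, not to OUs.
$psoName = 'PSO-ServiceAccounts'   # hypothetical PSO name
$group   = 'SG-ServiceAccounts'    # hypothetical global security group
if (-not (Get-ADFineGrainedPasswordPolicy -Filter "Name -eq '$psoName'")) {
    New-ADFineGrainedPasswordPolicy -Name $psoName -Precedence 10 `
        -ComplexityEnabled $true -ReversibleEncryptionEnabled $false `
        -PasswordHistoryCount 24 -MinPasswordLength 20 `
        -MinPasswordAge '1.00:00:00' -MaxPasswordAge '60.00:00:00'
    Add-ADFineGrainedPasswordPolicySubject -Identity $psoName -Subjects $group
}

# 3. Confirm which policy actually applies to a member of that group.
#    Empty output means only the Default Domain Policy applies to the account.
Get-ADUserResultantPasswordPolicy -Identity 'svc-backup'   # hypothetical account
```

When several PSOs reach the same user, the one with the lowest `Precedence` value wins, which is why step 3 checks the resultant policy rather than the group membership.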
tigermatt Commented:
"May be a dumb question but when you disable usb does that affect keyboard/mouse or just jump drives?"
This typically refers to disabling USB mass storage devices to avoid a common vector for information loss via uncontrolled means. Disabling autoplay of such devices for a start is a good idea to avoid malware which likes to hide in autorun files.

"Also, I am a one man IT dept. so I don't really have anything to go off of, I am just looking to make the place a little more secure."
Apologies if my comment above sounded a little flippant in that respect, but regardless of size, jumping straight into GPO without at least having a vague idea of what you are trying "to secure" is problematic because there are an impossible number of combinations of policies which all interact in complex ways with each other. I've been in your position where I have had no guidance in what policies to configure and users who know next to nothing, so I appreciate how bamboozling the GPO interface is when there's no document to indicate what policies are to be configured and there's no end goal in mind.

Remember: security is a continual process. Identify flaws, configure GPOs, iterate. This typically has a trade-off with user requirements, since users typically don't understand why the restrictions are applied. An account lockout policy is a very good place to start to avoid brute force dictionary attacks on passwords. (There's also strong evidence that, contrary to popular belief, configuring password policies which force passwords to be changed every X days leads to LESS SECURE passwords overall, so think carefully in that regard. I can point you to relevant literature if interested.)
0
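A read-only check of the workstation settings discussed in this thread (auto-lock, autorun, logon message, USB mass storage), as an added example that is not part of the original posts. It reads the registry values these policies write on a Windows client; the 600-second limit is a constructed sample taken from the 10-minute example above, and the helper name `Get-PolicyValue` is hypothetical.

```powershell
# Added example: run locally on a domain-joined Windows client. Nothing is modified.
function Get-PolicyValue {
    param([string]$Path, [string]$Name)
    # Returns $null when the key or value is absent (policy not configured).
    (Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue).$Name
}

$sys  = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
$expl = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer'
$rsd  = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\RemovableStorageDevices'
$usb  = 'HKLM:\SYSTEM\CurrentControlSet\Services\USBSTOR'

$maxIdleSeconds = 600   # constructed sample threshold (10 minutes)

$idle     = Get-PolicyValue $sys  'InactivityTimeoutSecs'   # machine inactivity limit
$autorun  = Get-PolicyValue $expl 'NoDriveTypeAutoRun'      # 255 = off for all drive types
$banner   = Get-PolicyValue $sys  'legalnoticetext'         # logon message body
$denyAll  = Get-PolicyValue $rsd  'Deny_All'                # removable storage: deny all access
$usbStart = Get-PolicyValue $usb  'Start'                   # 4 = USB storage driver disabled

# USBSTOR is the mass-storage driver only; keyboards and mice load HID drivers,
# so blocking it does not affect input devices.
$checks = [ordered]@{
    'Auto-lock after inactivity'  = (($idle -gt 0) -and ($idle -le $maxIdleSeconds))
    'Autorun off for all drives'  = ($autorun -eq 255)
    'Logon message configured'    = (-not [string]::IsNullOrWhiteSpace("$banner"))
    'USB mass storage blocked'    = (($denyAll -eq 1) -or ($usbStart -eq 4))
}

foreach ($c in $checks.GetEnumerator()) {
    $state = if ($c.Value) { 'OK' } else { 'NOT SET' }
    '{0,-30} {1}' -f $c.Key, $state
}
```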
Windows Server 2008
