GPO's for System Hardening
-
Some of the basics
Password complexity
Password history
Idle time lock out (generally 10-15 minutes)Use security groups for access control
-
You may want to consider controlling the membership of the local administrators group through GPO.
-
@eddiejennings said in GPO's for System Hardening:
You may want to consider controlling the membership of the local administrator group through GPO.
Yes,.
Disable/Remove theAdministrator
account on the PC and domain. Use a different naming schema for Admins. -
@gjacobse Which is best disable or remove?
What's a good example naming scheme for admins?
-
@gjacobse Use security groups for access control?
-
@eleceng said in GPO's for System Hardening:
@gjacobse Which is best disable or remove?
IMHO - Remove.
What's a good example naming scheme for admins?
That is a personal / business preference. It could be a 'User Name': Derek Watterman (Dwatterman); an abbreviation: DAU-username (DAU = Domain Admin User) or anything of the like.
-
@eleceng said in GPO's for System Hardening:
What are some standard GPO's to put in place for god management and system hardening?
Don't have any printers on this network BTW
First place to start is with a Privileged Access Workstation structure as far as management.
Use a PAW whether server or desktop.
Hammer Windows Firewall down on server operating systems for services being served making sure that RDP and any other management protocols are allowed between servers and the PAW/Jump Server.
Use an OU and disposable VMs for testing. I highly suggest not mucking about with GPOs that apply to production OUs that have AD User and Computer Objects.
-
A hardened system doesn't use ADDS and Windows.
-
@obsolesce said in GPO's for System Hardening:
A hardened system doesn't use ADDS and Windows.
The subject says "GPO's ... "?
GPO = Group Policy Object
GPOs are linked to OUs.
OU = Organization Unit
Jeremy Moskowitz is one of the preeminent Group Policy folks in the world. One of the best to learn from. His books a really, really good.
ADDS and Group Policy are still very much relevant today.
EDIT: PAW is not a part of the production domain. It's either workgroup or in a separate AD Forest (Host/Tenant type of AD structure).
-
Don't have any printers on this network BTW
What weird place do you work? I want to work there!
-
@dashrender said in GPO's for System Hardening:
Don't have any printers on this network BTW
What weird place do you work? I want to work there!
This. 100% this :P.
-
@phlipelder said in GPO's for System Hardening:
EDIT: PAW is not a part of the production domain. It's either workgroup or in a separate AD Forest (Host/Tenant type of AD structure).
What do you mean?
-
@dashrender said in GPO's for System Hardening:
@phlipelder said in GPO's for System Hardening:
EDIT: PAW is not a part of the production domain. It's either workgroup or in a separate AD Forest (Host/Tenant type of AD structure).
What do you mean?
We treat all production environments as hostile now.
So, when we deploy a new cluster it goes into its own AD Forest with its own DCs running at the local level on a couple of cluster nodes (Hyper-V).
A dedicated PAW or Jump Server could be set up in that AD Forest.
Otherwise, it should be in a workgroup and have 2FA/MFA set up.
-
@dashrender It is a manufacturing network for equipment comms, etc. Printers are on the corporate network but both networks are isolated from each other. Very common.
-
-
@jaredbusch That is the correct way and the way it's done in most manufacturing plants in the U.S. and International. That has been best practice for the last 25-30 years. I am in 8-10 different manufacturing plants [per week as a consultant and that's how it done.
-
@eleceng said in GPO's for System Hardening:
@jaredbusch That is the correct way and the way it's done in most manufacturing plants in the U.S. and International. That has been best practice for the last 25-30 years. I am in 8-10 different manufacturing plants [per week as a consultant and that's how it done.
That's awesome that the plants you work for do it that way - but I agree with JB - it's likely not that common in reality.
Hell - the sure number of SCADA systems on the internet in mind boggling.