Group Policy Best Practice

Group Policy Basics

In part one of our discussion on Group Policy we covered some of the theory behind Group Policy and how it works. This article covers the practical implementation of Group Policy best practice.
Group Policy makes dealing with your operating system easier and more effective. In addition, it gives you further control over network accounts, which makes your network safer from outsiders and reduces the trusted insider threat.
So, what’s the best practice for Group Policy?

Group Policy Best Practice:

Below are the most common group policy best practice steps you can take:

Moderate access to the control panel: 

Limiting what users can see and access creates a safety net. For instance, you can block access to files and folders: if users can’t see something, they can’t delete it. You can control who has access to the Control Panel by using the following steps:
  • Open the Group Policy Management Editor. Select “User Configuration” > “Administrative Templates” > “Control Panel”.
  • Next, select “Prohibit access to Control Panel and PC settings” and open its properties.
  • From the three options, select “Enabled”.
  • Click “Apply” followed by “OK”.

Disable the command prompt:

The command prompt gives users a higher level of control. Disable access for those who don’t need it.

Remove access to removable hard drives, thumb drives, etc:

Thumb drives and hard drives transfer data. Often, this means viruses. While handy, these tools are prone to infections that can put your entire network at risk. Better to be safe than sorry. Best practice is to disable these drives via the user configuration tab.

Restrict Software Installation:

You don’t need your employees downloading apps that could compromise your system. Restrict downloads and ensure every app or extension goes through an approval process.

Rid Yourself of Unwanted Guests:

The guest account is a security nightmare. Often this account allows access to your computer with no password required. Windows should disable guest accounts by default, but double-check that your system mirrors this.
Head to: Computer Configuration > Security Settings > Local Policies > Security Options > Accounts: Guest account status.
Next, click on “Define this policy setting” and check “Disabled” > “Apply” > “OK”.

Create Harder Passwords:

Passwords around ten characters in length are the most secure. These passwords should include numbers and special characters. Within Group Policy you can create a standard value for acceptable passwords, for instance a minimum character limit. To do this, head to “Computer Configuration” > “Windows Settings” > “Account Policies” > “Password Policy”.

Reduce Password Age:

Older passwords on shared applications are one of the biggest security threats. Consider your staff turnover: when staff leave and head out into the world, you run the risk of compromise. You can set a maximum password age via computer configuration.

Disable Anonymous SID Enumeration:

SIDs are Security Identifiers. These are numbers used to identify users and groups. However, SIDs are unsafe, as hackers can exploit them. Windows has again disabled this setting by default.
To ensure your environment mirrors this, do the following: go to Computer Configuration > Policies > Windows Settings > Security Settings > Local Policies > Security Options. Double-click “Network access: Do not allow anonymous enumeration of SAM accounts and shares”. Select Enabled > Apply > OK.
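
To check that a machine actually carries the guest account, password and anonymous enumeration settings described above, the following PowerShell parses a "secedit /export" file and compares it with a baseline. It is an added example, not code from Cogito or Microsoft; the function name Test-SecurityBaseline, the 90-day maximum age and the sample export are assumptions made for illustration.

```powershell
# Added example: audit a secedit export against the settings discussed above.
# Real export (elevated prompt):
#   secedit /export /cfg C:\Temp\secpol.inf /areas SECURITYPOLICY
#   Test-SecurityBaseline -InfText (Get-Content C:\Temp\secpol.inf -Raw)

# Constructed sample export, trimmed to the relevant keys (not real host data).
$SampleInf = @'
[System Access]
MinimumPasswordLength = 7
MaximumPasswordAge = -1
EnableGuestAccount = 0
[Registry Values]
MACHINE\System\CurrentControlSet\Control\Lsa\RestrictAnonymousSAM=4,1
MACHINE\System\CurrentControlSet\Control\Lsa\RestrictAnonymous=4,0
'@

function Test-SecurityBaseline {   # hypothetical helper name
    param(
        [Parameter(Mandatory)][string]$InfText,
        [int]$MinLength  = 10,   # "around ten characters", per the article
        [int]$MaxAgeDays = 90    # assumption: the article gives no number
    )
    # Parse "key = value" lines; registry values have the form "path=type,data".
    $cfg = @{}
    foreach ($line in $InfText -split "`r?`n") {
        if ($line -match '^\s*([^=\[;]+?)\s*=\s*(.+?)\s*$') {
            $cfg[$Matches[1]] = ($Matches[2] -split ',')[-1].Trim('"')
        }
    }
    $lsa = 'MACHINE\System\CurrentControlSet\Control\Lsa'
    $age = [int]$cfg['MaximumPasswordAge']   # -1 means passwords never expire
    $checks = [ordered]@{
        'Guest account disabled'                   = $cfg['EnableGuestAccount'] -eq '0'
        "Minimum password length >= $MinLength"    = [int]$cfg['MinimumPasswordLength'] -ge $MinLength
        "Maximum password age 1..$MaxAgeDays days" = $age -ge 1 -and $age -le $MaxAgeDays
        'No anonymous enumeration of SAM accounts and shares' = $cfg["$lsa\RestrictAnonymous"] -eq '1'
    }
    foreach ($name in $checks.Keys) {
        [pscustomobject]@{ Check = $name; Pass = [bool]$checks[$name] }
    }
}

Test-SecurityBaseline -InfText $SampleInf | Format-Table -AutoSize
```

On the constructed sample only the guest account check passes; a missing key is treated as a failure because it parses as 0 or null.
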
Using Group Policy best practice allows you to shore up your network security. However, even the right settings can still leave gaps in your security system.
To close the gaps, find a security solution designed exactly for doing that. Cogito’s Jellyfish product can compare your GP settings to best practice. Putting the C into Governance, Risk and Compliance.


Cogito Group is an award-winning cybersecurity company specialising in authentication, cloud security, identity management and data protection. Cogito Group protect the authentication methods used to access information through the use of Identity and other security technologies.