Securing Computers On Your Domain

Why Harden Windows Security On Your Network

Having a secure environment can significantly reduce the amount of break/fix work that you need to do. Securing your computers helps with:

  • Preventing viruses
  • Preventing bloatware
  • Securing files and company data
  • Protecting against accidental data loss

This article discusses how to secure Windows computers that are members of Active Directory, mainly by locking these workstations down with group policy settings. We will also discuss ideas on educating users so they have some awareness of computer security concepts.

I am not saying that you need to do every single item on this list; pick what is right for your domain and what your users will accept. I am also not saying that doing these things will protect you 100% from security breaches, but doing them will keep your network more secure than it is without any of these domain security tips.

How To Secure Windows On Your Domain

Not Allowing Local Administrator Rights

Denying users local administrator rights not only stops them from installing unwanted software on their computers, it also stops a compromised website from using the local user account to install malware or viruses.

Remove The Control Panel

You can remove users’ access to the control panel. This stops users from trying to customise their workstations or changing settings that they just shouldn’t be messing with.

You can remove users’ access to the control panel entirely, or allow them access to only specific parts, using group policy. To change these settings, open the group policy editor and edit the policy that applies to the users you want to restrict (or create a new group policy object and link it to those users).

Under the policy node:

User Configuration\Administrative Templates\Control Panel

There are four options:

  • Always open All Control Panel items: This setting allows users full access to the control panel
  • Hide specified Control Panel items: This setting will hide control panel items that you specify in this setting.
  • Show only specified Control Panel items: This will hide all control panel items except the ones that you specify.
  • Prohibit access to the Control Panel: This removes users’ access to the control panel completely. They will not even see the option to open the control panel in the start menu.
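The third option ("Show only specified Control Panel items") built with the GroupPolicy RSAT module instead of the GUI, as an added example that is not part of the original article. The GPO name, OU path and list of allowed Control Panel canonical names are placeholders for your own domain.

```powershell
# Added example (not from the original article): build the "Show only specified
# Control Panel items" policy with the GroupPolicy RSAT module.
# Assumptions: RSAT GroupPolicy module installed, rights to create/link GPOs, and the
# GPO name, OU and allowed-item list below are placeholders for your domain.
Import-Module GroupPolicy

$GpoName  = 'Restrict Control Panel - Standard Users'      # placeholder
$TargetOu = 'OU=Workstation Users,DC=example,DC=com'        # placeholder

# Control Panel canonical names users are still allowed to open.
$AllowedItems = @('Microsoft.Mouse', 'Microsoft.Keyboard', 'Microsoft.DevicesAndPrinters')

$gpo = Get-GPO -Name $GpoName -ErrorAction SilentlyContinue
if (-not $gpo) { $gpo = New-GPO -Name $GpoName }

# The four Control Panel settings are User Configuration policies and are stored under
# HKCU\...\Policies\Explorer: NoControlPanel=1 is "Prohibit access", DisallowCpl=1 is
# "Hide specified items" and RestrictCpl=1 is "Show only specified items".
$ExplorerKey = 'HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer'
Set-GPRegistryValue -Name $GpoName -Key $ExplorerKey -ValueName 'RestrictCpl' `
    -Type DWord -Value 1 | Out-Null

# The allowed list is a subkey of the same name whose values are numbered 1..n,
# each holding one canonical name.
$i = 1
foreach ($item in $AllowedItems) {
    Set-GPRegistryValue -Name $GpoName -Key "$ExplorerKey\RestrictCpl" `
        -ValueName "$i" -Type String -Value $item | Out-Null
    $i++
}

# Link the GPO to the OU containing the users to restrict (the policy applies per user).
$linked = (Get-GPInheritance -Target $TargetOu).GpoLinks | Where-Object DisplayName -eq $GpoName
if (-not $linked) {
    New-GPLink -Name $GpoName -Target $TargetOu -LinkEnabled Yes | Out-Null
}

# Show what was written so the result can be reviewed before users receive it.
Get-GPRegistryValue -Name $GpoName -Key "$ExplorerKey\RestrictCpl" |
    Select-Object ValueName, Value
```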

Anti-Virus

Use good Anti-Virus software. Make sure the software is kept up to date and that users cannot disable or edit any of its settings.

Spam Filter

Using a good spam filter is very important. Lots of malicious attacks are done using email; some are phishing scams and some are links to viruses or malware. If you have Exchange there are many different spam filters available that link directly into your Exchange server; if you are using a hosted email solution, then most email hosts will have a spam filtering service.

Firewall

Make sure the standard Windows Firewall is enabled and that users do not have permission to edit the firewall settings. This stops users from making their own firewall rules to allow programs through. You can remove users’ access to the firewall and specify domain-wide firewall rules in group policy.

I also recommend using a hardware firewall on the edge of your network to protect the whole network from outside attack sources.

UAC – User Account Control

Make sure users have UAC enabled. In a domain environment you can enable UAC through group policy. The settings to do this are under “Computer Configuration\Policies\Windows Settings\Security Settings\Local Policies\Security Options”.
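A read-only audit, added here and not part of the original article, that checks on a domain workstation whether the firewall and UAC settings from the two sections above actually took effect. It assumes Windows 8 / Server 2012 or later (for the NetSecurity cmdlets) and that the expected values match your own policy; adjust them if your policy differs.

```powershell
# Added example (not from the original article): audit the firewall and UAC state on a
# domain workstation to confirm the group policy settings described above took effect.
# Read-only. Assumes Windows 8/Server 2012 or later and that the expected values below
# match your own policy; adjust them if your policy differs.
$Findings = New-Object System.Collections.Generic.List[object]
function Add-Finding($Area, $Setting, $Actual, $Expected) {
    $Findings.Add([pscustomobject]@{
        Area = $Area; Setting = $Setting; Actual = $Actual; Expected = $Expected
        Status = $(if ("$Actual" -eq "$Expected") { 'OK' } else { 'CHECK' })
    })
}

# Firewall: every profile enabled and inbound traffic blocked by default.
foreach ($prof in Get-NetFirewallProfile) {
    Add-Finding 'Firewall' "$($prof.Name) Enabled"              $prof.Enabled              'True'
    Add-Finding 'Firewall' "$($prof.Name) DefaultInboundAction" $prof.DefaultInboundAction 'Block'
}

# UAC: the Security Options policies map to these values under Policies\System.
$uacKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
$uac = Get-ItemProperty $uacKey
# EnableLUA=1: UAC is on. PromptOnSecureDesktop=1: prompts use the secure desktop.
# ConsentPromptBehaviorUser=1: standard users are asked for admin credentials on the
# secure desktop (0 denies elevation silently, 3 prompts without the secure desktop).
Add-Finding 'UAC' 'EnableLUA'                 $uac.EnableLUA                 1
Add-Finding 'UAC' 'PromptOnSecureDesktop'     $uac.PromptOnSecureDesktop     1
Add-Finding 'UAC' 'ConsentPromptBehaviorUser' $uac.ConsentPromptBehaviorUser 1

$Findings | Format-Table -AutoSize
if (($Findings | Where-Object Status -ne 'OK').Count -eq 0) { 'All checks passed.' }
```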

Internet Explorer Security Zones

Internet Explorer is often used as an attack vector. You can set up domain-wide Internet Explorer security zones under “User Configuration\Policies\Windows Settings\Internet Explorer Maintenance\Security”. Be sure to add any sites that you want to trust.

You can specify the home page under “User Configuration\Policies\Windows Settings\Internet Explorer Maintenance\URLs”; this stops users from using different sites for their home page. It also stops other software hijacking your users’ home page and setting it to a fake search engine.

Set Up Software Restriction Policies

A software restriction policy allows users on your domain to run only software that is approved, or it can be used to stop software running from a specific folder. This can help to:

  • Fight viruses
  • Regulate which ActiveX controls can be downloaded
  • Run only digitally signed scripts
  • Enforce that only approved software is installed on system computers
  • Lock down a machine

Read here for an in-depth description of software restriction policies.

Preventing users from running programs from the %appdata% folder in the user profile is a good step and can help prevent viruses like CryptoLocker (see here for how to defend against CryptoLocker) and malicious software run from emails. You can find the settings for software restriction policies in group policy under “Computer Configuration\Windows Settings\Security Settings\Software Restriction Policies”.
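To confirm on a workstation that the %appdata% rule (and any other software restriction policy rules) actually arrived via group policy, here is a read-only audit script added as an example; it is not from the original article. It reads the computer-side policy under the Safer\CodeIdentifiers key; user-side rules under HKCU are not covered.

```powershell
# Added example (not from the original article): list the software restriction policy
# (SRP) path rules that group policy delivered to this computer and flag whether a rule
# blocking the user's %AppData% folder, as recommended above, is present. Read-only.
$Base = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers'

# Each rule is stored under a subkey named for its security level.
$Levels = @{ '0' = 'Disallowed'; '131072' = 'Basic User'; '262144' = 'Unrestricted' }

function Get-SrpPathRules {
    if (-not (Test-Path $Base)) { return }          # no SRP policy applied at all
    foreach ($lvl in $Levels.Keys) {
        $pathsKey = Join-Path $Base "$lvl\Paths"
        if (-not (Test-Path $pathsKey)) { continue }
        foreach ($rule in Get-ChildItem $pathsKey) {
            # Read ItemData unexpanded so %AppData% stays visible instead of C:\Users\...
            $raw = $rule.GetValue('ItemData', $null, 'DoNotExpandEnvironmentNames')
            [pscustomobject]@{
                Level       = $Levels[$lvl]
                Path        = $raw
                Description = $rule.GetValue('Description')
            }
        }
    }
}

$default = (Get-ItemProperty $Base -ErrorAction SilentlyContinue).DefaultLevel
if ($null -eq $default) { 'No SRP policy is applied to this computer.' }
else { $name = $Levels["$default"]; "Default security level: $name" }

$rules = @(Get-SrpPathRules)
$rules | Format-Table -AutoSize

# The rule the article recommends: a Disallowed path rule covering %AppData%.
$appDataBlocked = $rules | Where-Object {
    $_.Level -eq 'Disallowed' -and $_.Path -match '(?i)%appdata%|\\AppData\\'
}
if ($appDataBlocked) { 'OK: a Disallowed rule for %AppData% is in effect.' }
else { 'WARNING: no Disallowed rule covering %AppData% was found.' }
```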

Only Allow Users To Log Onto Specific Computers

In Active Directory you can specify that users are only allowed to log on to certain computers. You can lock this down to specific users on specific computers, or you can allow only certain groups to log on to the computers.
Example: You only allow Accountants to log onto computers in the finance department.
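The Accountants example implemented with the ActiveDirectory module, as an added example that is not part of the original article. The group name and the finance OU path are placeholders for your own domain; run it with an account allowed to modify the affected users.

```powershell
# Added example (not from the original article): restrict members of 'Accountants' to
# logging on only at the computers in the finance OU, using the ActiveDirectory module.
# Assumptions (placeholders): group 'Accountants'; finance workstations live in
# OU=Finance,OU=Workstations,DC=example,DC=com; the caller may edit these users.
Import-Module ActiveDirectory

$Group     = 'Accountants'
$FinanceOu = 'OU=Finance,OU=Workstations,DC=example,DC=com'

# The attribute behind "Log On To..." is userWorkstations: a comma-separated list of
# NetBIOS computer names. An empty list means the user may log on anywhere.
$computers = Get-ADComputer -SearchBase $FinanceOu -Filter * |
    Select-Object -ExpandProperty Name | Sort-Object
if (-not $computers) { throw "No computers found under $FinanceOu" }
$workstationList = $computers -join ','

# The attribute has a fixed length limit (1024 characters); longer lists must be
# split by group or OU, or enforced with the "Allow log on locally" user right instead.
if ($workstationList.Length -gt 1024) {
    throw "Workstation list is $($workstationList.Length) chars; too long for userWorkstations."
}

$members = Get-ADGroupMember -Identity $Group -Recursive | Where-Object objectClass -eq 'user'
foreach ($m in $members) {
    Set-ADUser -Identity $m.DistinguishedName -LogonWorkstations $workstationList
}

# Verify: show the resulting restriction for each member.
Get-ADGroupMember -Identity $Group -Recursive | Where-Object objectClass -eq 'user' |
    Get-ADUser -Properties LogonWorkstations |
    Select-Object SamAccountName, LogonWorkstations
```

Note that this limits where the accountants may log on; it does not stop other users from logging on to the finance computers, which is what the "Allow log on locally" user right in a computer policy controls.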

Keeping Third Party Software Up To Date

A lot of commonly used software has security holes. Software like Java, Acrobat Reader and Adobe Flash should all be kept up to date. This can be done through group policy. However, you cannot install EXE files through group policy; luckily most commonly used software is available as an MSI package, which can be installed via group policy.

To do this:

  • Put the MSI package in a shared folder.
  • Create a GPO that is linked to the computers that you want the package deployed to.
  • Then edit the GPO and navigate to “Computer Configuration\Policies\Software Setting\Software installations”.
  • Right click inside the empty space and select “New > Software Package”.
  • Select your MSI package and check Assigned.
  • Close the group policy editor.