Secure and customize Local Windows account using GPO

zebanovich

Thread Starter
Joined
Mar 2, 2019
Messages
1,626
Many of the security settings are already set to default values, but those which are not are listed here.

Adjusting these additional settings will have the following privacy or security effects:
1. No user logon image when logging into the PC
2. Enforce a secure password to log into Windows
3. Harder for malware to fake the logon screen
4. Prevent running software that is not digitally signed
5. Requires you to explicitly type the username of any account

To adjust these settings you need a non-"Home" edition of Windows, and you must have administrative privileges on your system.

1. Click the Windows button
2. Type: gpedit.msc
3. Right-click on gpedit.msc and choose Run as Administrator
4. If prompted for a password, enter the administrator password and click "Yes" to continue

On the left side is the navigation tree; depending on which entry is clicked, the corresponding settings are shown and can be changed on the right side.

Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options
1. Interactive logon: Don't display username at sign-in (Enabled)
2. Interactive logon: Do not require CTRL+ALT+DEL (Disabled)
3. Interactive logon: Don't display last signed-in (Enabled)
4. Interactive logon: Display user information when the session is locked (Do not display user information)
5. User Account Control: Behavior of the elevation prompt for standard users (Prompt for credentials on the secure desktop)
6. User Account Control: Only elevate executable files that are signed and validated (Enabled)

Computer Configuration\Windows Settings\Security Settings\Account Policies\Password Policy
1. Password must meet complexity requirements (Enabled)
2. Maximum password age (42)
3. Minimum password length (10)

Computer Configuration\Administrative Templates\Windows Components\Credential User Interface
Enumerate administrator accounts on elevation (Disabled)

Computer Configuration\Administrative Templates\Control Panel\Personalization
Do not display the lock screen (Disabled)

NOTE:
1. If you find these settings too rigorous for normal use of the computer, feel free to revert all or specific adjustments to their default values.
You can find the default value by looking at the "Explain" tab or by setting the setting to "Not Configured" (depends on the setting).
2. To also remove the lock screen background image, Windows Server, Enterprise or Education is needed, so those settings are omitted here.
3. The minimum password length and complexity will take effect the next time you change your password; make sure you don't forget it.
4. If you attempt to run unsigned programs you'll get an error and the application won't run.
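As an added example (not part of zebanovich's post), the PowerShell script below audits a machine against the values listed above, so you can confirm the policy actually applied rather than trusting the editor view. It reads the registry values these policies write and parses a secedit export for the password policy; the output labels and the temporary file name are the script's own choices.

```powershell
# Added audit script (not from the original post). Run from an elevated PowerShell.
# Each registry value below is the one its Group Policy setting writes; a missing
# value means the policy is "Not Configured" and Windows is using its default.
$sys = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
$checks = @(
    @{ Name = "Interactive logon: don't display username at sign-in (Enabled)"; Path = $sys; Value = 'DontDisplayUserName'; Expected = 1 },
    @{ Name = 'Interactive logon: Do not require CTRL+ALT+DEL (Disabled)'; Path = $sys; Value = 'DisableCAD'; Expected = 0 },
    @{ Name = "Interactive logon: don't display last signed-in (Enabled)"; Path = $sys; Value = 'DontDisplayLastUserName'; Expected = 1 },
    @{ Name = 'Display user information when session is locked (Do not display)'; Path = $sys; Value = 'DontDisplayLockedUserId'; Expected = 3 },
    @{ Name = 'UAC: elevation prompt for standard users (credentials on secure desktop)'; Path = $sys; Value = 'ConsentPromptBehaviorUser'; Expected = 1 },
    @{ Name = 'UAC: only elevate signed and validated executables (Enabled)'; Path = $sys; Value = 'ValidateAdminCodeSignatures'; Expected = 1 },
    @{ Name = 'Enumerate administrator accounts on elevation (Disabled)'
       Path = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\CredUI'; Value = 'EnumerateAdministrators'; Expected = 0 },
    @{ Name = 'Do not display the lock screen (Disabled)'
       Path = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\Personalization'; Value = 'NoLockScreen'; Expected = 0 }
)

foreach ($c in $checks) {
    $actual = (Get-ItemProperty -Path $c.Path -Name $c.Value -ErrorAction SilentlyContinue).($c.Value)
    $status = if ($null -eq $actual) { 'NOT CONFIGURED' } elseif ($actual -eq $c.Expected) { 'OK' } else { 'MISMATCH' }
    '{0,-14} {1} [actual={2}, expected={3}]' -f $status, $c.Name, $actual, $c.Expected
}

# Password policy lives in the local security database, not the registry, so export it with secedit.
$inf = Join-Path $env:TEMP 'secpol-audit.inf'
secedit /export /cfg $inf /areas SECURITYPOLICY | Out-Null
$policy = @{}
foreach ($line in Get-Content $inf) {
    if ($line -match '^(MinimumPasswordLength|MaximumPasswordAge|PasswordComplexity)\s*=\s*(\d+)') {
        $policy[$Matches[1]] = [int]$Matches[2]
    }
}
Remove-Item $inf -ErrorAction SilentlyContinue

$pwChecks = @(
    @{ Name = 'Password must meet complexity requirements (Enabled)'; Key = 'PasswordComplexity'; Expected = 1 },
    @{ Name = 'Maximum password age (42 days)'; Key = 'MaximumPasswordAge'; Expected = 42 },
    @{ Name = 'Minimum password length (10)'; Key = 'MinimumPasswordLength'; Expected = 10 }
)
foreach ($p in $pwChecks) {
    $actual = $policy[$p.Key]
    $status = if ($actual -eq $p.Expected) { 'OK' } else { 'MISMATCH' }
    '{0,-14} {1} [actual={2}, expected={3}]' -f $status, $p.Name, $actual, $p.Expected
}
```

A "NOT CONFIGURED" line is worth a second look even when the built-in default happens to match, because a default can change with a feature update while an explicitly configured policy will not.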
 
Joined
Sep 21, 2007
Messages
13,230
Hi,

I use all the same settings except:
5. User Account Control: Behavior of the elevation prompt for standard users: Deny elevation. Just log on to the admin account to do admin stuff. A bit strict, I know. But I hope that makes malware attempts at persistence a little harder, although the attackers know more registry keys to do that than I do anyway.
 

zebanovich

Thread Starter
Joined
Mar 2, 2019
Messages
1,626
Not a bad idea at all, you actually made me think about it :)

I'm not sure whether I find this too strict for me or counterproductive, because I need elevation every now and then; sometimes this would result in using the admin account way too often.

On the other hand, if we do use the admin account a lot, then we also need to ensure that the admin is blocked from access to the internet, which I already have in place, but it's not really worth relying on this, since sooner or later you, logged in as administrator, will need the internet, e.g. to:
a) look for something on the web
b) let an unsigned executable access the net

The problem with a) is that it's easy to make a mistake, and the problem with b) is that the system can no longer be perfectly trusted (not an issue in a standard account).
And switching from one account to another every now and then is not productive.

It looks like this depends on how often we need to elevate things and for what purpose; if too often, then probably a better solution would be to create a completely new account with specialized privileges, e.g. backup admin or network admin, but I'm afraid of anything higher than standard user 😬