6 Group Policy Editor tweaks help improve security
Note : Group Policy Editor is not available in Windows Home edition; you will need Windows Pro or Enterprise. You can search 'group policy' in Windows search and click Edit group policy to open it. If it doesn't appear, you may have to enable Group Policy Editor.
User Account Control (UAC) security
UAC is a Windows security feature that prevents unauthorized changes to your PC. Group Policy Editor offers many tweaks that can control UAC behavior.
In Group Policy Editor, go to Computer Configuration -> Windows Settings -> Security Settings -> Local Policies -> Security Options .
Scroll down and adjust the policy settings for each item, as listed below, for better security:
- User Account Control: Admin Approval Mode for the built-in Administrator account: Enabled
- User Account Control: Allow UIAccess applications to prompt for elevation without using the secure desktop: Disabled
- User Account Control: Behavior of the elevation prompt for administrators in Admin Approval Mode: Prompt for consent
- User Account Control: Behavior of the elevation prompt for standard users: Prompt for credentials
- User Account Control: Detect application installations and prompt for elevation: Enabled
- User Account Control: Only elevate executable files that are signed and validated: Enabled
- User Account Control: Only elevate UIAccess applications that are installed in secure locations: Enabled
- User Account Control: Run all administrators in Admin Approval Mode: Enabled
- User Account Control: Switch to the secure desktop when prompting for elevation: Enabled
- User Account Control: Virtualize file and registry write failures to per-user locations: Enabled
After applying the above tweaks, approve UAC prompts more frequently and may provide authentication information but it will improve overall security.
Password security
By default, the Windows user account password request is quite lenient. Using Local Group Policy Editor, you can enforce rules to ensure password security.
Go to Computer Configuration -> Windows Settings -> Security Settings -> Account Policies -> Password Policy in the Group Policy Editor.
Adjust the following policies:
- Enforce password history: 8 or more
- Maximum password age: About 30 - 60 days
- Minimum password length: 12 or more
- Password must meet complexity requirements: Enabled
Disable guest account
Although the Windows guest account is disabled by default, someone can enable the guest account using different methods and gain access to your sensitive data. Guest accounts give people free access to their PC. Although it provides limited access, it can still be exploited by malware, or you could accidentally share data with the Everyone group . It's better to completely disable it in Group Editor Policy.
Move to Computer Configuration -> Windows Settings -> Security Settings -> Local Policies -> Security Options and disable Accounts: Guest account status .
Activate account checking policy
Enable account auditing in the Group Policy Editor to record important security information, such as file modifications, security settings changes, login attempts, etc. You can use this information to monitor Monitor changes to your PC to ensure there are no unauthorized access or non-user configurations.
In Group Policy Editor, go to Computer Configuration -> Windows Settings -> Security Settings -> Local Policies -> Audit Policy . For all these options here, enable Success and Failure checks .
You can view the generated logs in Windows Event Viewer. Type 'event viewer' in Windows search and click Event Viewer . Go to Windows Logs -> Security to view the logs.
Clear virtual memory when shutting down
Pagefile (virtual memory) is needed for the PC to operate smoothly. However, it keeps a fragmented record of data and can be stolen by someone with the right access and tools. If you don't want to take any risks, delete it automatically whenever you turn off your PC.
Go to Computer Configuration -> Windows Settings -> Security Settings -> Local Policies -> Security Options and enable policy Shutdown: Clear virtual memory pagefile .
Remember that activating this policy will slow down the shutdown process a bit.
Manage account lockout settings
To prevent unauthorized access attempts, Windows has an account lockout policy that locks the account after many incorrect login attempts. However, you may want to adjust the relevant Group Policy Editor policies according to your security needs.
To access lockout policies, navigate to Computer Configuration -> Windows Settings -> Security Settings -> Account Policies -> Account Lockout Policy .
You will find 4 policy keys to adjust. Fine-tune them as needed. The recommended values below strive to strike a balance between strong protection and a smooth user experience:
- Account lockout duration: 30 minutes
- Account lockout threshold: 3 invalid logon attempts
- Allow Administrator account lockout: Enabled
- Reset account lockout counter after: 30 minutes
While all of these group policy settings may cause some additional confirmations (like the UAC prompt to open Task Manager), the increased security outweighs the minor inconvenience. If you don't like the changes, reset Group Policy Editor.
You should read it
- 4 tips to open Local Group Policy Editor on Windows 8 / 8.1
- How to use Local Group Policy Editor to tweak your computer
- Cannot open Local Group Policy Editor, quick fix
- How to reset Local Group Policy settings on Windows 10
- What is GPEdit.Msc (Group Policy Editor)? How to use GPEdit to configure a computer
- Configure App-V with Group Policy Objects
- How to install the Microsoft Edge Group Policy template on Windows 10
- How to install Group Policy Editor (GPEdit.Msc) on Windows 10 Home Edition
- How to view all applied Group Policies in Group Policy Editor
- 8 'tweak' Windows Group Policy any Admin should know
- Fixed an issue that could not replace Windows 10 desktop wallpaper with Group Policy
- Use Group Policy Filtering to create a NAP DHCP enforcement policy - Part 1
Maybe you are interested
How to sign out of your Google account on another device
Instructions for verifying Facebook account identity
Stolen iPhone? Don't Delete It From Your Apple Account!
How to retrieve Facebook password, recover latest account
How to contact Facebook account support
390,000 WordPress Accounts Stolen in Large-Scale Attack