6 Group Policy Editor tweaks help improve security

Note : Group Policy Editor is not available in Windows Home edition; you will need Windows Pro or Enterprise. You can search 'group policy' in Windows search and click Edit group policy to open it. If it doesn't appear, you may have to enable Group Policy Editor.

User Account Control (UAC) security

UAC is a Windows security feature that prevents unauthorized changes to your PC. Group Policy Editor offers many tweaks that can control UAC behavior.

In Group Policy Editor, go to Computer Configuration -> Windows Settings -> Security Settings -> Local Policies -> Security Options .

Scroll down and adjust the policy settings for each item, as listed below, for better security:

1. User Account Control: Admin Approval Mode for the built-in Administrator account: Enabled
2. User Account Control: Allow UIAccess applications to prompt for elevation without using the secure desktop: Disabled
3. User Account Control: Behavior of the elevation prompt for administrators in Admin Approval Mode: Prompt for consent
4. User Account Control: Behavior of the elevation prompt for standard users: Prompt for credentials
5. User Account Control: Detect application installations and prompt for elevation: Enabled
6. User Account Control: Only elevate executable files that are signed and validated: Enabled
7. User Account Control: Only elevate UIAccess applications that are installed in secure locations: Enabled
8. User Account Control: Run all administrators in Admin Approval Mode: Enabled
9. User Account Control: Switch to the secure desktop when prompting for elevation: Enabled
10. User Account Control: Virtualize file and registry write failures to per-user locations: Enabled

6 Group Policy Editor tweaks help improve security Picture 1

After applying the above tweaks, approve UAC prompts more frequently and may provide authentication information but it will improve overall security.

Password security

By default, the Windows user account password request is quite lenient. Using Local Group Policy Editor, you can enforce rules to ensure password security.

Go to Computer Configuration -> Windows Settings -> Security Settings -> Account Policies -> Password Policy  in the Group Policy Editor.

Adjust the following policies:

1. Enforce password history: 8 or more
2. Maximum password age: About 30 - 60 days
3. Minimum password length: 12 or more
4. Password must meet complexity requirements: Enabled

6 Group Policy Editor tweaks help improve security Picture 2

Disable guest account

Although the Windows guest account is disabled by default, someone can enable the guest account using different methods and gain access to your sensitive data. Guest accounts give people free access to their PC. Although it provides limited access, it can still be exploited by malware, or you could accidentally share data with the Everyone group . It's better to completely disable it in Group Editor Policy.

Move to Computer Configuration -> Windows Settings -> Security Settings -> Local Policies -> Security Options and disable Accounts: Guest account status .

6 Group Policy Editor tweaks help improve security Picture 3

Activate account checking policy

Enable account auditing in the Group Policy Editor to record important security information, such as file modifications, security settings changes, login attempts, etc. You can use this information to monitor Monitor changes to your PC to ensure there are no unauthorized access or non-user configurations.

In Group Policy Editor, go to Computer Configuration -> Windows Settings -> Security Settings -> Local Policies -> Audit Policy . For all these options here, enable Success and Failure checks .

6 Group Policy Editor tweaks help improve security Picture 4

You can view the generated logs in Windows Event Viewer. Type 'event viewer' in Windows search and click Event Viewer . Go to Windows Logs -> Security  to view the logs.

Clear virtual memory when shutting down

Pagefile (virtual memory) is needed for the PC to operate smoothly. However, it keeps a fragmented record of data and can be stolen by someone with the right access and tools. If you don't want to take any risks, delete it automatically whenever you turn off your PC.

Go to Computer Configuration -> Windows Settings -> Security Settings -> Local Policies -> Security Options and enable policy Shutdown: Clear virtual memory pagefile .

6 Group Policy Editor tweaks help improve security Picture 5

Remember that activating this policy will slow down the shutdown process a bit.

Manage account lockout settings

To prevent unauthorized access attempts, Windows has an account lockout policy that locks the account after many incorrect login attempts. However, you may want to adjust the relevant Group Policy Editor policies according to your security needs.

To access lockout policies, navigate to Computer Configuration -> Windows Settings -> Security Settings -> Account Policies -> Account Lockout Policy .

You will find 4 policy keys to adjust. Fine-tune them as needed. The recommended values ​​below strive to strike a balance between strong protection and a smooth user experience:

1. Account lockout duration: 30 minutes
2. Account lockout threshold: 3 invalid logon attempts
3. Allow Administrator account lockout: Enabled
4. Reset account lockout counter after: 30 minutes

6 Group Policy Editor tweaks help improve security Picture 6

While all of these group policy settings may cause some additional confirmations (like the UAC prompt to open Task Manager), the increased security outweighs the minor inconvenience. If you don't like the changes, reset Group Policy Editor.

Kareem Winters

Update 28 May 2024