The Group Policy Editor is a Windows administration tool that allows users to configure many important settings on their computers or networks. Administrators can configure password requirements, startup programs, and define what applications or settings users can change.
These settings are called Group Policy Objects (GPOs). Attackers use GPO’s to turn off Windows Defender. System Administrators use GPOs to deal with locked out users.
This blog will deal with the Windows 10 version of Group Policy Editor (also known as gpedit), but you can find it in Windows 7, 8, and Windows Server 2003 and later.
This piece will cover how to open and use Group Policy Editor, some important security settings in GPOs, and some alternatives to gpedit.
There are several ways to open Group Policy Editor. Choose your favorite!
A better question would be, what can’t you do with Group Policy Editor! You can do anything from set a desktop wallpaper to disable services and remove Explorer from the default start menu. Group policies control what version of network protocols are available and enforce password rules. A corporate IT security team benefits significantly by setting up and maintaining a strict Group Policy. Here are a few examples of good IT security group policies:
Those are just a few examples of how an IT security team could use Group Policies. If the goal is a more secure and hardened environment for your organization, use group policies to enforce good security habits.
The Group Policy Editor window is a list view on the left and a contextual view on the right. When you click an item on the left side, it changes the focus of the right to show you details about that thing you clicked.
The top-level nodes on the left are “Computer Configuration” and “User Configuration.” If you open the tree for Computer Configuration, you can explore the options you have to manage different system behavior aspects.
For example, under Computer Configuration -> Administrative Templates -> Control Panel -> Personalization, you will see things like “Do not display the lock screen” on the right side.
You can edit the setting by double-clicking.
There are hundreds of different settings like this in Group Policy Editor. Click around or view the Microsoft documentation for a list of all of them.
Once you have an idea of what you GPOs you want to set, using Group Policy Editor to make the changes is pretty simple.
Let’s look at a quick password setting we can change:
Many sysadmins are moving to PowerShell instead of the UI to manage group policies. Here are a few of the PowerShell GroupPolicy cmdlets to get you started.
The gpedit application is very simplistic for a tool that is supposed to help secure your entire enterprise. GPO updates occur at some time interval on computers throughout the network differently or on a reboot. Therefore, the time between your changes and all computers on the network receiving this change is unknown.
Attackers can change local group policies using the same gpedit, or PowerShell, which can undo any protections you have enabled on that system.
Several companies provide alternative group policy editing tools, and you can learn how to make all the changes with PowerShell to make your job simpler. However, gpedit does not have any native auditing built-in, so you need to have a rock-solid change management plan and audit all GPO changes independently to ensure your enterprise remains secure.
It’s crucial to monitor Active Directory for any changes made to Group Policy – often, these changes are the first signals in APT attacks, where hackers intend to be in your network for a while, and they want to remain hidden. Varonis detects threats by monitoring and correlating current activity against normalized behavior and advanced data security threat models to detect APT attacks, malware infections, brute-force attacks, including attempts to change GPOs.
Check out this PowerShell course by Adam Bertram, where he teaches you how to use PowerShell to manage Active Directory. Once you learn the basics, you can start managing GPOs with PowerShell, and it’s worth 3 CPE credits!