Security settings you need to change right away for 2022

Often times we think of security solutions as just an antivirus and you are done. At least that’s what most business owners assume it takes to secure their systems.

But outside of only installing and running an antivirus solution there are policy that windows by default allows.

Depending on the environment, I like to make sure that our client’s systems are as secure as they can be without breaking their software and work flow.

Sometimes locking down certain aspects does in fact break other things, but this is part of setting up a secure environment. There’s a learning and testing phase, during which policies are applied to the greatest possible level. Then certain things are permitted and prohibited in order to balance functionality with security.

What security settings should I look for to secure my systems? This is a question that I am often asked and one of the first things that comes to mind when discussing security.

I think many people would have different answers because it really depends on what you consider security settings and your actual goals.

Of course you can enable everything imaginable where using a computer would become a chore, but let’s face it, that’s not practical in real world. What we want is a balance between proper functionality, which allows only what a user needs to perform their job and makes sure that when they do access what they need, its done in the most secure way possible.

Although there are hundreds of policies to consider when it comes to locking down permissions, let’s start with some basic end user ones that everyone can setup for their computers in order to greatly limit their exposure.

The policies below are some of the security settings you can enable on your machine in order to greatly improve security for you and your staff.

 

Store Domain Credentials

Checks if the passwords and credentials used for network authentication are stored on the local computer. Do not allow the storage of passwords and credentials as this allows an attacker that gains access to one user account be able to roam the rest of the network.

Server & Client Digitally Sign Communications

Verifies that the Microsoft network client option is enabled: Digitally sign communications (always). This security setting determines whether packet signing is necessary for the Server Message Block (SMB) client component. The SMB protocol, which underpins Microsoft file and print sharing as well as many other network operations such as remote Windows administration, uses digital signatures to secure SMB packets in transit. Its recommended to enable this policy.

Turn off Autoplay feature

Verifies the local group policy Turn off Autoplay, located in Computer Configuration\Administrative Templates\Windows Components\Autoplay Policies.

This policy setting lets you disable Autoplay (reading from a drive as soon as media is inserted in the drive). The setup file of applications and music on audio media starts immediately after they are inserted into the device. Enable this policy for all Drives to prevent a malware infected USB drive from auto executing in your machine upon plugin it in.

Enable Non Domain Network Connections

Verifies the local group policy Prohibit connection to non-domain networks when connected to domain authenticated network, located in Computer Configuration\Administrative Templates\Network\Windows Connection Manager.

This prevents the computer from connecting to both domain and non domain based networks. Only allowing one ensures that another connection is not created to an external source without breaking the current domain connection effectively disconnecting the machine from the current domain network.

Minimum Startup Pin

By default the pin in 4 digits long. You can have a maximum of 20, but thats probably impossible for anyone to memorize. We recommend setting this to 7 digits (but be smart and don’t use your phone number…)

You can check on this policy here:

Configure minimum PIN length for startup, located in Computer Configuration\Administrative Templates\Windows Components\BitLocker Drive Encryption\Operating System Drives.

Drive Redirection

This policy setting specifies whether to prevent the mapping of client drives in a Remote Desktop Services session (drive redirection). This means that if you connect via Remote Desktop to the machine, you won’t be able to map the drives and effectively prevents file transfers between computers. Its important to enable this policy to prevent the drive redirection.

Verifies the local group policy Do not allow drive redirection, located in Computer Configuration\Administrative Templates\Windows Components\Remote Desktop Services\Remote Desktop Session Host\Device and Resource Redirection.

Secure RPC communication

Defines whether a Remote Desktop Session Host server accepts unsecured or secure RPC connections from all users. You may use this option to improve the security of RPC connection with clients by allowing only authenticated and encrypted requests. Enabling this policy ensures secure requests only and does not allow untrusted clients from obtaining unsecured communication.

Verifies the local group policy Require secure RPC communication, located in Computer Configuration\Administrative Templates\Windows Components\Remote Desktop Services\Remote Desktop Session Host\Security.

Automatic sign in after Windows Update/ Restart

This policy setting determines whether a device will automatically sign-in the previous interactive user after a system restart via Windows Update. If you Disable this the user will be brought to a screen where they will need to input their username and password.

Verifies the local group policy Sign-in last interactive user automatically after a system-initiated restart, located in Computer Configuration\Administrative Templates\Windows Components\Windows Logon Options.

Security Zones add/delete/modify sites

-This policy prevents users from adding or removing websites from security zones. A security zone is a collection of webpages with the same level of security. – The site management settings for security zones are disabled if you enable this policy. (To access the site management settings for security zones, go to the Internet Options dialog box and select the Security tab and then click the Sites button.

Enable this policy to prevent users/threat actors and scripts from modifying this.

Verifies the local group policy Security Zones: Do not allow users to add/delete sites, located in Computer Configuration\Administrative Templates\Windows Components\Internet Explorer

Enable Do not allow users to change policies policy.

Enable Security zones: Use only machine settings policy.

Certificate Errors

This Registry item disables the user from ignoring SSL/TLS certificate errors that stop surfing in Internet Explorer. Enable this policy to prevent browsing to unsecure websites.

Verifies the local group policy Prevent ignoring certificate errors, located in Computer Configuration\Administrative Templates\Windows Components\Internet Explorer\Internet Control Panel.

Enable this policy.

Server Certificate Revocation

This policy setting allows you to control whether Internet Explorer checks the revocation status of servers’ certificates. When a certificate is revoked or becomes invalid, it is replaced with a new one that has not yet been used. This option helps customers avoid revealing confidential data to a website that may be fraudulent or insecure.

Verifies the local group policy Check for server certificate revocation, located in Computer Configuration\Administrative Templates\Windows Components\Internet Explorer\Internet Control Panel\Advanced Page.

Enable this policy.

Browser Encryption Support.

You may disable support for Transport Layer Security (TLS) 1.0, TLS 1.1, TLS 1.2, Secure Sockets Layer (SSL) 2.0, or SSL 3.0 in the browser by enabling this policy setting. TLS and SSL are encryption technologies that protect communication between the browser and the target server.

Verifies the local group policy Turn off encryption support, located in Computer Configuration\Administrative Templates\Windows Components\Internet Explorer\Internet Control Panel\Advanced Page.

It is recommended to Enable Use 1.1 and TLS 1.2

Certificate Address Mismatch Warning

The certificate address mismatch security warning is turned on by enabling this policy setting. When you use Secure HTTP (HTTPS) to access a website, the user is alerted if the certificate was issued for a different website address and requests that he or she confirm the site’s identity. This warning aids in preventing phishing attempts.

Verifies the local group policy Turn on certificate address mismatch warning, located in Computer Configuration\Administrative Templates\Windows Components\Internet Explorer\Internet Control Panel\Security Page.

Set this policy to Enabled.

Remove Run this time button for outdated ActiveX Controls in Internet Explorer

This policy setting allows preventing users from seeing the Run this time button and from running specific outdated ActiveX controls in Internet Explorer. ActiveX has been known to be one of the easiest ways that hackers can execute malicious code on your machine.

Verifies the local group policy Remove Run this time button for outdated ActiveX controls in Internet Explorer, located in Computer Configuration\Administrative Templates\Windows Components\Internet Explorer\Security Features\Add-on Management.

Set this policy to Enabled.

Enable Structured Exception Handling Overwrite Protection (SEHOP)

Microsoft recommends enabling Structured Exception Handling Overwrite Protection (SEHOP) to help mitigate the effects of memory corruption vulnerabilities. If you enable this policy setting, structured exception handling overwrite protection is turned on.

Verifies the local group policy Enable Structured Exception Handling Overwrite Protection (SEHOP), located in Computer Configuration\Administrative Templates

WinRM Service

WinRM (Windows Remote Management) allows a user to interact with a remote system, execute an application, change the registry, or modify services. It may be triggered by various programs, such as PowerShell, using the winrm command.

Its recommended to disable this unless its needed.

 

If all of this seems overwhelming to do for every computer on the network reach out a Managed Cyber Security Company or a Managed Services Provider in Metro Atlanta area that specializes in Security such as AlphaCIS. They can fix all the misconfiguration on your systems and provide you with a health report where you can see the status of all of your systems.