# Servers-01 GPO

Server hardening policy for domain-joined servers in the ExampleServers OU.

## Linked To

`OU=ExampleServers,DC=example,DC=internal`

## Design

Full audit, logging, and hardening baseline for servers. Compared to Workstations-01:

- **Full audit coverage** -- every category audits both success and failure, including process tracking and DS access
- **PowerShell transcription** -- complete session recording to `C:\PSlogs\Transcripts`
- **Module logging** -- all PowerShell modules logged
- **Command line in process creation** -- Event ID 4688 includes the full command line
- **Larger event logs** -- 64/256 MB (matches AdminWorkstations-01)
- **Weekly updates** -- Sunday 3 AM instead of daily (minimizes reboot disruption for services)

Compared to AdminWorkstations-01, this GPO does **not** include:

- `LocalAccountTokenFilterPolicy` (servers are not admin workstations)
- Defender exclusions for JetBrains (servers are not dev machines)

## WMI Filter

| Property | Value |
|---|---|
| Name | Member Servers Only |
| Query | `SELECT * FROM Win32_OperatingSystem WHERE ProductType = 3` |

Defense-in-depth: ensures this GPO only applies to member servers (ProductType 3), not domain controllers (ProductType 2) or workstations (ProductType 1).

## Restricted Groups

| Local Group | Enforced Members |
|---|---|
| BUILTIN\Administrators | Domain Admins, MasterAdmins |

Any locally-added administrator accounts are removed on the next GPO refresh.

## Security Policy Settings (GptTmpl.inf)

### System Access

| Setting | Value | Effect |
|---|---|---|
| EnableGuestAccount | 0 | Local guest account disabled |

### Event Audit

| Setting | Value | Effect |
|---|---|---|
| AuditSystemEvents | 3 | Success + Failure |
| AuditLogonEvents | 3 | Success + Failure |
| AuditObjectAccess | 3 | Success + Failure |
| AuditPrivilegeUse | 3 | Success + Failure |
| AuditPolicyChange | 3 | Success + Failure |
| AuditAccountManage | 3 | Success + Failure |
| AuditProcessTracking | 3 | Success + Failure |
| AuditDSAccess | 3 | Success + Failure |
| AuditAccountLogon | 3 | Success + Failure |

### Registry Values (Security Options)

| Setting | Value | Effect |
|---|---|---|
| InactivityTimeoutSecs | 900 | Auto-lock after 15 minutes |
| DontDisplayLastUserName | 1 | Don't show last user at login screen |
| DisableCAD | 0 | Require Ctrl+Alt+Del |

## Registry Settings (Administrative Templates)

### Autorun / Autoplay

| Key | ValueName | Value | Effect |
|---|---|---|---|
| Policies\Explorer | NoDriveTypeAutoRun | 255 | Disable autorun on all drives |
| Policies\Explorer | NoAutorun | 1 | Disable autoplay |

### Windows Update

| Key | ValueName | Value | Effect |
|---|---|---|---|
| WindowsUpdate\AU | NoAutoUpdate | 0 | Enable automatic updates |
| WindowsUpdate\AU | AUOptions | 4 | Auto download + schedule install |
| WindowsUpdate\AU | ScheduledInstallDay | 1 | Sunday |
| WindowsUpdate\AU | ScheduledInstallTime | 3 | 3:00 AM |

### Logging & Auditing

| Key | ValueName | Value | Effect |
|---|---|---|---|
| PowerShell\ScriptBlockLogging | EnableScriptBlockLogging | 1 | Log all script blocks |
| PowerShell\Transcription | EnableTranscripting | 1 | Record full PS sessions |
| PowerShell\Transcription | OutputDirectory | C:\PSlogs\Transcripts | Transcript save location |
| PowerShell\Transcription | EnableInvocationHeader | 1 | Timestamp per command |
| PowerShell\ModuleLogging | EnableModuleLogging | 1 | Log all module activity |
| PowerShell\ModuleLogging\ModuleNames | * | * | All modules |
| System\Audit | ProcessCreationIncludeCmdLine_Enabled | 1 | Command line in Event 4688 |

### Event Log Sizes

| Log | Size | vs. Workstations-01 |
|---|---|---|
| Application | 64 MB | 2x |
| Security | 256 MB | ~1.3x |
| System | 64 MB | 2x |
| PowerShell | 64 MB | new |

### Remote Desktop

| Key | ValueName | Value | Effect |
|---|---|---|---|
| Terminal Services | UserAuthentication | 1 | Require NLA |
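A post-deployment drift check for the Administrative Template settings above, written here as an added example rather than code shipped with this GPO. It assumes the abbreviated keys in the tables expand to the standard `HKLM:\SOFTWARE\Policies\Microsoft\Windows\...` and `HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\...` paths, and is meant to run elevated on a member server after `gpupdate /force`.

```powershell
# Drift check for Servers-01 registry settings (added example, not part of the GPO).
# The table keys are expanded to full HKLM paths here; that expansion is an assumption
# based on the standard policy locations, so adjust if your registry.pol differs.
$Policies = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows'
$Classic  = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies'

$Expected = @(
    @{ Key = "$Classic\Explorer";                              Name = 'NoDriveTypeAutoRun';                    Value = 255 }
    @{ Key = "$Classic\Explorer";                              Name = 'NoAutorun';                             Value = 1 }
    @{ Key = "$Policies\WindowsUpdate\AU";                     Name = 'NoAutoUpdate';                          Value = 0 }
    @{ Key = "$Policies\WindowsUpdate\AU";                     Name = 'AUOptions';                             Value = 4 }
    @{ Key = "$Policies\WindowsUpdate\AU";                     Name = 'ScheduledInstallDay';                   Value = 1 }
    @{ Key = "$Policies\WindowsUpdate\AU";                     Name = 'ScheduledInstallTime';                  Value = 3 }
    @{ Key = "$Policies\PowerShell\ScriptBlockLogging";        Name = 'EnableScriptBlockLogging';              Value = 1 }
    @{ Key = "$Policies\PowerShell\Transcription";             Name = 'EnableTranscripting';                   Value = 1 }
    @{ Key = "$Policies\PowerShell\Transcription";             Name = 'OutputDirectory';                       Value = 'C:\PSlogs\Transcripts' }
    @{ Key = "$Policies\PowerShell\Transcription";             Name = 'EnableInvocationHeader';                Value = 1 }
    @{ Key = "$Policies\PowerShell\ModuleLogging";             Name = 'EnableModuleLogging';                   Value = 1 }
    @{ Key = "$Policies\PowerShell\ModuleLogging\ModuleNames"; Name = '*';                                     Value = '*' }
    @{ Key = "$Classic\System\Audit";                          Name = 'ProcessCreationIncludeCmdLine_Enabled'; Value = 1 }
    @{ Key = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services'; Name = 'UserAuthentication'; Value = 1 }
)

function Test-Servers01Baseline {
    # RegistryKey.GetValue avoids Get-ItemProperty's wildcard handling of the '*' value name
    $drift = @(foreach ($e in $Expected) {
        $key    = Get-Item -Path $e.Key -ErrorAction SilentlyContinue
        $actual = if ($key) { $key.GetValue($e.Name) } else { $null }
        if ($null -eq $actual) {
            [pscustomobject]@{ Setting = "$($e.Key)\$($e.Name)"; Expected = $e.Value; Actual = '<missing>' }
        } elseif ("$actual" -ne "$($e.Value)") {
            [pscustomobject]@{ Setting = "$($e.Key)\$($e.Name)"; Expected = $e.Value; Actual = $actual }
        }
    })
    # The WMI filter only links this GPO to member servers; flag hosts it would never reach
    $productType = (Get-CimInstance Win32_OperatingSystem).ProductType
    if ($productType -ne 3) {
        $drift += [pscustomobject]@{ Setting = 'Win32_OperatingSystem.ProductType'; Expected = 3; Actual = $productType }
    }
    return $drift
}

$result = Test-Servers01Baseline
if ($result) { $result | Format-Table -AutoSize; exit 1 } else { 'Servers-01 baseline: no drift detected' }
```

A non-zero exit with a populated table means either the GPO has not applied (check `gpresult /r` and the WMI filter) or a local change overrode a policy value; the GptTmpl.inf audit and security options are not covered here and are best verified with `auditpol /get /category:*`.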