AdminWorkstations-01 GPO
Privileged Access Workstation (PAW) policy for admin endpoints in the ExampleAdminWorkstations OU.
Linked To
OU=ExampleAdminWorkstations,DC=example,DC=internal
Design
Builds on the same foundation as Workstations-01 but with:
- Full audit coverage -- every category audits both success and failure (including process tracking)
- PowerShell transcription -- complete session recording to
C:\PSlogs\Transcripts for forensics
- Module logging -- all PowerShell modules logged
- Command line in process creation -- Event ID 4688 includes full command line
- Larger event logs -- 2x workstation sizes to accommodate heavier admin activity
- Tighter inactivity timeout -- 10 min vs 15 min for workstations
WMI Filter
| Property |
Value |
| Name |
Workstations Only |
| Query |
SELECT * FROM Win32_OperatingSystem WHERE ProductType = 1 |
Defense-in-depth: ensures this GPO only applies to workstation operating systems.
Restricted Groups
| Local Group |
Enforced Members |
| BUILTIN\Administrators |
Domain Admins, MasterAdmins |
Any locally-added administrator accounts are removed on next GPO refresh.
Security Policy Settings (GptTmpl.inf)
System Access
| Setting |
Value |
Effect |
| EnableGuestAccount |
0 |
Local guest account disabled |
Event Audit
| Setting |
Value |
Effect |
| AuditSystemEvents |
3 |
Success + Failure |
| AuditLogonEvents |
3 |
Success + Failure |
| AuditObjectAccess |
3 |
Success + Failure |
| AuditPrivilegeUse |
3 |
Success + Failure |
| AuditPolicyChange |
3 |
Success + Failure |
| AuditAccountManage |
3 |
Success + Failure |
| AuditProcessTracking |
1 |
Success |
| AuditDSAccess |
0 |
None (not a DC) |
| AuditAccountLogon |
3 |
Success + Failure |
Registry Values (Security Options)
| Setting |
Value |
Effect |
| InactivityTimeoutSecs |
600 |
Auto-lock after 10 minutes |
| DontDisplayLastUserName |
1 |
Don't show last user at login screen |
| DisableCAD |
0 |
Require Ctrl+Alt+Del |
| LocalAccountTokenFilterPolicy |
1 |
Allow unfiltered admin tokens over WinRM (enables remote GPO/AD management without RDP) |
Registry Settings (Administrative Templates)
Autorun / Autoplay
| Key |
ValueName |
Value |
Effect |
| Policies\Explorer |
NoDriveTypeAutoRun |
255 |
Disable autorun on all drives |
| Policies\Explorer |
NoAutorun |
1 |
Disable autoplay |
Windows Update
| Key |
ValueName |
Value |
Effect |
| WindowsUpdate\AU |
NoAutoUpdate |
0 |
Enable automatic updates |
| WindowsUpdate\AU |
AUOptions |
4 |
Auto download + schedule install |
| WindowsUpdate\AU |
ScheduledInstallDay |
0 |
Every day |
| WindowsUpdate\AU |
ScheduledInstallTime |
3 |
3:00 AM |
Logging & Auditing
| Key |
ValueName |
Value |
Effect |
| PowerShell\ScriptBlockLogging |
EnableScriptBlockLogging |
1 |
Log all script blocks |
| PowerShell\Transcription |
EnableTranscripting |
1 |
Record full PS sessions |
| PowerShell\Transcription |
OutputDirectory |
C:\PSlogs\Transcripts |
Transcript save location |
| PowerShell\Transcription |
EnableInvocationHeader |
1 |
Timestamp per command |
| PowerShell\ModuleLogging |
EnableModuleLogging |
1 |
Log all module activity |
| PowerShell\ModuleLogging\ModuleNames |
* |
* |
All modules |
| System\Audit |
ProcessCreationIncludeCmdLine_Enabled |
1 |
Command line in Event 4688 |
Event Log Sizes
| Log |
Size |
vs. Workstations-01 |
| Application |
64 MB |
2x |
| Security |
256 MB |
~1.3x |
| System |
64 MB |
2x |
| PowerShell |
64 MB |
new |
Remote Desktop
| Key |
ValueName |
Value |
Effect |
| Terminal Services |
UserAuthentication |
1 |
Require NLA |
Damien Coles
f172d00514