Servers-01 GPO
Server hardening policy for domain-joined servers in the ExampleServers OU.
Linked To
OU=ExampleServers,DC=example,DC=internal
Design
Full audit, logging, and hardening baseline for servers. Compared to Workstations-01:
- Full audit coverage -- every category audits both success and failure, including process tracking and DS access
- PowerShell transcription -- complete session recording to C:\PSlogs\Transcripts
- Module logging -- all PowerShell modules logged
- Command line in process creation -- Event ID 4688 includes full command line
- Larger event logs -- 64/256 MB (matches AdminWorkstations-01)
- Weekly updates -- Sunday 3 AM instead of daily (minimize reboot disruption for services)
Compared to AdminWorkstations-01, this GPO does not include:
- LocalAccountTokenFilterPolicy (servers are not admin workstations)
- Defender exclusions for JetBrains (servers are not dev machines)
WMI Filter
| Property | Value |
| --- | --- |
| Name | Member Servers Only |
| Query | SELECT * FROM Win32_OperatingSystem WHERE ProductType = 3 |
Defense-in-depth: ensures this GPO only applies to member servers (ProductType 3), not domain controllers (ProductType 2) or workstations (ProductType 1).
Restricted Groups
| Local Group | Enforced Members |
| --- | --- |
| BUILTIN\Administrators | Domain Admins, MasterAdmins |
The member list is authoritative: any locally-added administrator accounts or groups are removed on the next GPO refresh. The only exception is the built-in local Administrator account (RID 500), which Windows never allows to leave the Administrators group, so Restricted Groups leaves it in place.
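The following PowerShell script is an added example, not part of the Servers-01 GPO or its documentation. Run on a candidate server, it evaluates the same WQL the WMI filter uses and then diffs the local Administrators group against the Restricted Groups list, reporting anything that will be removed on the next refresh and anything that is enforced but not yet present. It assumes the domain's NetBIOS name is EXAMPLE (hypothetical, pass `-DomainNetBios` to override) and that the enforced members resolve to EXAMPLE\Domain Admins and EXAMPLE\MasterAdmins.

```powershell
# Added example (not part of the Servers-01 GPO): confirm (1) the
# 'Member Servers Only' WMI filter would select this host and (2) the local
# Administrators group holds exactly what Restricted Groups enforces.
# Assumption: domain NetBIOS name EXAMPLE (hypothetical); adjust $DomainNetBios.
param([string]$DomainNetBios = 'EXAMPLE')

$Expected = @("$DomainNetBios\Domain Admins", "$DomainNetBios\MasterAdmins")

# 1. Same WQL the GPO's WMI filter evaluates. Win32_OperatingSystem.ProductType:
#    1 = workstation, 2 = domain controller, 3 = member server.
$os   = Get-CimInstance -ClassName Win32_OperatingSystem
$role = @{ 1 = 'Workstation'; 2 = 'Domain Controller'; 3 = 'Member Server' }[[int]$os.ProductType]
$filterHit = [bool](Get-CimInstance -Query 'SELECT * FROM Win32_OperatingSystem WHERE ProductType = 3')
'{0}: ProductType={1} ({2}); WMI filter matches: {3}' -f $env:COMPUTERNAME, $os.ProductType, $role, $filterHit

# 2. Diff Administrators against the enforced list. The built-in local
#    Administrator (RID 500 of the machine SID) is excluded from the diff because
#    Windows never lets it leave the group, so Restricted Groups keeps it too.
$localAdminSid = (Get-LocalUser | Where-Object { $_.SID.Value -like 'S-1-5-21-*-500' }).SID.Value
$members = Get-LocalGroupMember -Group 'Administrators'
$actual  = @($members | Where-Object { $_.SID.Value -ne $localAdminSid } | ForEach-Object { $_.Name })

$extra   = @($actual   | Where-Object { $_ -notin $Expected })   # will be removed on next refresh
$missing = @($Expected | Where-Object { $_ -notin $actual })     # policy not applied yet, or typo in GPO

if ($extra)   { "Not in the enforced list (removed on next GPO refresh):`n  " + ($extra -join "`n  ") }
if ($missing) { "Enforced but absent (policy not applied yet?):`n  " + ($missing -join "`n  ") }
if (-not $extra -and -not $missing) { 'Administrators membership matches the Restricted Groups policy.' }
exit ([int][bool]($extra -or $missing))
```

Names are compared case-insensitively in the DOMAIN\Name form that Get-LocalGroupMember returns. On hosts with orphaned SIDs in the group, Get-LocalGroupMember can fail before listing anything; `net localgroup Administrators` still lists the members in that case, and the orphaned entries are themselves something the GPO will clean up.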
Security Policy Settings (GptTmpl.inf)
System Access
| Setting | Value | Effect |
| --- | --- | --- |
| EnableGuestAccount | 0 | Local guest account disabled |
Event Audit
| Setting | Value | Effect |
| --- | --- | --- |
| AuditSystemEvents | 3 | Success + Failure |
| AuditLogonEvents | 3 | Success + Failure |
| AuditObjectAccess | 3 | Success + Failure |
| AuditPrivilegeUse | 3 | Success + Failure |
| AuditPolicyChange | 3 | Success + Failure |
| AuditAccountManage | 3 | Success + Failure |
| AuditProcessTracking | 3 | Success + Failure |
| AuditDSAccess | 3 | Success + Failure |
| AuditAccountLogon | 3 | Success + Failure |

These are the legacy nine-category settings from the [Event Audit] section of GptTmpl.inf. If any GPO in scope enables "Audit: Force audit policy subcategory settings (Windows Vista or later) to override audit policy category settings" (SCENoApplyLegacyAuditPolicy = 1), Windows ignores these category values and applies only Advanced Audit Policy subcategory settings, so verify the effective policy on the server with auditpol /get /category:* rather than trusting the GPO report.
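The script below is an added example, not part of the GPO or its documentation. It checks what the Security log will actually do on a server: it reads the effective per-subcategory audit policy with auditpol, flags any subcategory not set to Success and Failure (the expected state when all nine legacy categories are 3), and first warns if the subcategory-override setting is on, since in that case the table above is not what is in force. It assumes an elevated prompt, which auditpol requires, and English-locale setting names in the CSV output.

```powershell
# Added example (not part of the Servers-01 GPO): compare the effective audit
# policy on this server with the Event Audit table (3 = Success and Failure
# for every category, hence for every subcategory). Run elevated.

# With SCENoApplyLegacyAuditPolicy = 1 the legacy AuditXxx category values in
# GptTmpl.inf are ignored and only Advanced Audit Policy subcategory settings apply.
$lsa   = Get-ItemProperty -LiteralPath 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa' `
                          -Name 'SCENoApplyLegacyAuditPolicy' -ErrorAction SilentlyContinue
if ($lsa.SCENoApplyLegacyAuditPolicy -eq 1) {
    Write-Warning 'Subcategory override is enabled: the legacy [Event Audit] settings in this GPO are not applied.'
}

# /r emits CSV with the columns: Machine Name, Policy Target, Subcategory,
# Subcategory GUID, Inclusion Setting, Exclusion Setting. Inclusion Setting is
# one of "Success and Failure", "Success", "Failure", "No Auditing" (English locale).
$rows = auditpol /get /category:* /r | ConvertFrom-Csv
if (-not $rows) { throw 'auditpol returned nothing; it needs an elevated prompt.' }

$bad = @($rows | Where-Object { $_.'Inclusion Setting' -ne 'Success and Failure' })

if ($bad.Count -eq 0) {
    "All $($rows.Count) audit subcategories audit Success and Failure."
    exit 0
}
"$($bad.Count) of $($rows.Count) subcategories do not audit Success and Failure:"
$bad | Select-Object Subcategory, 'Inclusion Setting' | Format-Table -AutoSize
exit 1
```

auditpol reports the merged result of legacy category settings and Advanced Audit Policy, which is the only view that matters for detection coverage. Expect DS Access subcategories to appear as compliant yet silent on a member server: they only generate events on domain controllers.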
Registry Values (Security Options)
| Setting | Value | Effect |
| --- | --- | --- |
| InactivityTimeoutSecs | 900 | Auto-lock after 15 minutes |
| DontDisplayLastUserName | 1 | Don't show last user at login screen |
| DisableCAD | 0 | Require Ctrl+Alt+Del |
Registry Settings (Administrative Templates)
Autorun / Autoplay
| Key | ValueName | Value | Effect |
| --- | --- | --- | --- |
| Policies\Explorer | NoDriveTypeAutoRun | 255 | Turn off AutoPlay on all drive types (0xFF) |
| Policies\Explorer | NoAutorun | 1 | Do not execute autorun.inf commands |
Windows Update
| Key | ValueName | Value | Effect |
| --- | --- | --- | --- |
| WindowsUpdate\AU | NoAutoUpdate | 0 | Enable automatic updates |
| WindowsUpdate\AU | AUOptions | 4 | Auto download + schedule install |
| WindowsUpdate\AU | ScheduledInstallDay | 1 | Sunday |
| WindowsUpdate\AU | ScheduledInstallTime | 3 | 3:00 AM |
Logging & Auditing
| Key | ValueName | Value | Effect |
| --- | --- | --- | --- |
| PowerShell\ScriptBlockLogging | EnableScriptBlockLogging | 1 | Log all script blocks |
| PowerShell\Transcription | EnableTranscripting | 1 | Record full PS sessions |
| PowerShell\Transcription | OutputDirectory | C:\PSlogs\Transcripts | Transcript save location |
| PowerShell\Transcription | EnableInvocationHeader | 1 | Timestamp per command |
| PowerShell\ModuleLogging | EnableModuleLogging | 1 | Log all module activity |
| PowerShell\ModuleLogging\ModuleNames | * | * | All modules |
| System\Audit | ProcessCreationIncludeCmdLine_Enabled | 1 | Command line in Event 4688 |

Transcripts land on the server's local disk, so the ACL on C:\PSlogs\Transcripts must let interactive users create files but not read or delete them (or OutputDirectory should point at a write-only central share); otherwise a user can edit or remove the record of their own session. Command-line capture in 4688 only works because AuditProcessTracking above enables process creation auditing; the registry value alone produces nothing.
Event Log Sizes
| Log | Size | vs. Workstations-01 |
| --- | --- | --- |
| Application | 64 MB | 2x |
| Security | 256 MB | ~1.3x |
| System | 64 MB | 2x |
| PowerShell | 64 MB | new |
Remote Desktop
| Key | ValueName | Value | Effect |
| --- | --- | --- | --- |
| Terminal Services | UserAuthentication | 1 | Require NLA |
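The following script is an added example, not part of the Servers-01 GPO or its documentation. It turns the Administrative Template, Event Log Size and Remote Desktop tables into a drift check: each documented registry value is read from the server and compared with the baseline, event log maximum sizes are read from the event log service, and the newest 4688 event is inspected to confirm the command line is really being captured. It assumes the page's short key names expand to the standard policy paths shown in the code, and that the "PowerShell" log in the size table means Microsoft-Windows-PowerShell/Operational (the log that receives 4104 script block events); both are assumptions, not something the page states.

```powershell
# Added example (not part of the Servers-01 GPO): report drift between this
# server's effective registry policy values / event log sizes and the tables on
# this page. Assumptions: the short key names expand to the paths below, and
# "PowerShell" log = Microsoft-Windows-PowerShell/Operational.
$Pol   = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows'
$CVPol = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies'
$Baseline = @(
    # Autorun / Autoplay
    @{ Path = "$CVPol\Explorer";                   Name = 'NoDriveTypeAutoRun';      Value = 255 }
    @{ Path = "$CVPol\Explorer";                   Name = 'NoAutorun';               Value = 1 }
    # Windows Update: auto download, install Sunday 03:00
    @{ Path = "$Pol\WindowsUpdate\AU";             Name = 'NoAutoUpdate';            Value = 0 }
    @{ Path = "$Pol\WindowsUpdate\AU";             Name = 'AUOptions';               Value = 4 }
    @{ Path = "$Pol\WindowsUpdate\AU";             Name = 'ScheduledInstallDay';     Value = 1 }
    @{ Path = "$Pol\WindowsUpdate\AU";             Name = 'ScheduledInstallTime';    Value = 3 }
    # PowerShell logging
    @{ Path = "$Pol\PowerShell\ScriptBlockLogging"; Name = 'EnableScriptBlockLogging'; Value = 1 }
    @{ Path = "$Pol\PowerShell\Transcription";     Name = 'EnableTranscripting';     Value = 1 }
    @{ Path = "$Pol\PowerShell\Transcription";     Name = 'OutputDirectory';         Value = 'C:\PSlogs\Transcripts' }
    @{ Path = "$Pol\PowerShell\Transcription";     Name = 'EnableInvocationHeader';  Value = 1 }
    @{ Path = "$Pol\PowerShell\ModuleLogging";     Name = 'EnableModuleLogging';     Value = 1 }
    @{ Path = "$Pol\PowerShell\ModuleLogging\ModuleNames"; Name = '*';               Value = '*' }
    # Command line in 4688
    @{ Path = "$CVPol\System\Audit";               Name = 'ProcessCreationIncludeCmdLine_Enabled'; Value = 1 }
    # Remote Desktop: require NLA
    @{ Path = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services'; Name = 'UserAuthentication'; Value = 1 }
)
$LogSizes = @{
    'Application' = 64MB; 'Security' = 256MB; 'System' = 64MB
    'Microsoft-Windows-PowerShell/Operational' = 64MB   # assumption: the "PowerShell" log above
}

$drift = [System.Collections.Generic.List[object]]::new()

foreach ($b in $Baseline) {
    $item   = Get-ItemProperty -LiteralPath $b.Path -Name $b.Name -ErrorAction SilentlyContinue
    $actual = if ($null -ne $item) { $item.($b.Name) } else { '<missing>' }
    # String comparison so DWORD and REG_SZ baselines share one code path.
    if ("$actual" -ne "$($b.Value)") {
        $drift.Add([pscustomobject]@{ Setting = "$($b.Path)\$($b.Name)"; Expected = $b.Value; Actual = $actual })
    }
}

foreach ($name in $LogSizes.Keys) {
    $log    = Get-WinEvent -ListLog $name -ErrorAction SilentlyContinue
    $actual = if ($log) { $log.MaximumSizeInBytes } else { '<missing>' }
    if ("$actual" -ne "$($LogSizes[$name])") {
        $drift.Add([pscustomobject]@{ Setting = "EventLog $name MaximumSizeInBytes"; Expected = $LogSizes[$name]; Actual = $actual })
    }
}

# Spot check that 4688 really carries a command line: the registry value alone
# proves nothing if process creation auditing is off or policy has not refreshed.
$e = Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4688 } -MaxEvents 1 -ErrorAction SilentlyContinue
if ($e) {
    $cmd = (([xml]$e.ToXml()).Event.EventData.Data | Where-Object { $_.Name -eq 'CommandLine' }).'#text'
    if (-not $cmd) { $drift.Add([pscustomobject]@{ Setting = 'Security 4688 CommandLine field'; Expected = 'populated'; Actual = '<empty>' }) }
} else {
    $drift.Add([pscustomobject]@{ Setting = 'Security 4688 events'; Expected = 'present'; Actual = '<none found>' })
}

if ($drift.Count -eq 0) { "$env:COMPUTERNAME matches the Servers-01 registry and event log baseline."; exit 0 }
$drift | Format-Table -AutoSize
exit 1
```

The check reads the HKLM\SOFTWARE\Policies and CurrentVersion\Policies keys that Group Policy writes, so a clean result means the GPO has applied, not merely that it is linked; run `gpupdate /force` first if the server was just moved into the OU, and use `gpresult /h` when a value is wrong to find out which GPO won. A non-zero exit code makes it easy to run from a scheduled task or a monitoring agent.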