declarative-ad-framework/gpo/servers-01/README.md

# Servers-01 GPO

Server hardening policy for domain-joined servers in the ExampleServers OU.

## Linked To

`OU=ExampleServers,DC=example,DC=internal`

## Design

Full audit, logging, and hardening baseline for servers. Compared to Workstations-01:

- **Full audit coverage** -- every category audits both success and failure, including process tracking and DS access
- **PowerShell transcription** -- complete session recording to `C:\PSlogs\Transcripts`
- **Module logging** -- all PowerShell modules logged
- **Command line in process creation** -- Event ID 4688 includes full command line
- **Larger event logs** -- 64/256 MB (matches AdminWorkstations-01)
- **Weekly updates** -- Sunday 3 AM instead of daily (minimize reboot disruption for services)

Compared to AdminWorkstations-01, this GPO does **not** include:

- `LocalAccountTokenFilterPolicy` (servers are not admin workstations)
- Defender exclusions for JetBrains (servers are not dev machines)

## WMI Filter

| Property | Value |
|---|---|
| Name | Member Servers Only |
| Query | `SELECT * FROM Win32_OperatingSystem WHERE ProductType = 3` |

Defense-in-depth: ensures this GPO only applies to member servers (ProductType 3), not domain controllers (ProductType 2) or workstations (ProductType 1).

## Restricted Groups

| Local Group | Enforced Members |
|---|---|
| BUILTIN\Administrators | Domain Admins, MasterAdmins |

Any locally-added administrator accounts are removed on next GPO refresh.

## Security Policy Settings (GptTmpl.inf)

### System Access

| Setting | Value | Effect |
|---|---|---|
| EnableGuestAccount | 0 | Local guest account disabled |

### Event Audit

| Setting | Value | Effect |
|---|---|---|
| AuditSystemEvents | 3 | Success + Failure |
| AuditLogonEvents | 3 | Success + Failure |
| AuditObjectAccess | 3 | Success + Failure |
| AuditPrivilegeUse | 3 | Success + Failure |
| AuditPolicyChange | 3 | Success + Failure |
| AuditAccountManage | 3 | Success + Failure |
| AuditProcessTracking | 3 | Success + Failure |
| AuditDSAccess | 3 | Success + Failure |
| AuditAccountLogon | 3 | Success + Failure |

### Registry Values (Security Options)

| Setting | Value | Effect |
|---|---|---|
| InactivityTimeoutSecs | 900 | Auto-lock after 15 minutes |
| DontDisplayLastUserName | 1 | Don't show last user at login screen |
| DisableCAD | 0 | Require Ctrl+Alt+Del |

## Registry Settings (Administrative Templates)

### Autorun / Autoplay

| Key | ValueName | Value | Effect |
|---|---|---|---|
| Policies\Explorer | NoDriveTypeAutoRun | 255 | Disable autorun on all drives |
| Policies\Explorer | NoAutorun | 1 | Disable autoplay |

### Windows Update

| Key | ValueName | Value | Effect |
|---|---|---|---|
| WindowsUpdate\AU | NoAutoUpdate | 0 | Enable automatic updates |
| WindowsUpdate\AU | AUOptions | 4 | Auto download + schedule install |
| WindowsUpdate\AU | ScheduledInstallDay | 1 | Sunday |
| WindowsUpdate\AU | ScheduledInstallTime | 3 | 3:00 AM |

### Logging & Auditing

| Key | ValueName | Value | Effect |
|---|---|---|---|
| PowerShell\ScriptBlockLogging | EnableScriptBlockLogging | 1 | Log all script blocks |
| PowerShell\Transcription | EnableTranscripting | 1 | Record full PS sessions |
| PowerShell\Transcription | OutputDirectory | C:\PSlogs\Transcripts | Transcript save location |
| PowerShell\Transcription | EnableInvocationHeader | 1 | Timestamp per command |
| PowerShell\ModuleLogging | EnableModuleLogging | 1 | Log all module activity |
| PowerShell\ModuleLogging\ModuleNames | * | * | All modules |
| System\Audit | ProcessCreationIncludeCmdLine_Enabled | 1 | Command line in Event 4688 |

### Event Log Sizes

| Log | Size | vs. Workstations-01 |
|---|---|---|
| Application | 64 MB | 2x |
| Security | 256 MB | ~1.3x |
| System | 64 MB | 2x |
| PowerShell | 64 MB | new |

### Remote Desktop

| Key | ValueName | Value | Effect |
|---|---|---|---|
| Terminal Services | UserAuthentication | 1 | Require NLA |