Infrastructure-as-code framework for Active Directory objects and Group Policy. Sanitized from production deployment for public sharing.
# Workstations-01 GPO

**GUID:** Auto-created on first `Apply-GPOBaseline.ps1` run

**Linked to:** `OU=ExampleWorkstations,DC=example,DC=internal`

**Scope:** Computer Configuration (HKLM) -- Security Policy + Administrative Templates

This GPO applies to all computer objects in the ExampleWorkstations OU. It uses both SecurityPolicy (GptTmpl.inf) and RegistrySettings (Set-GPRegistryValue).

## Settings

### Security Policy (GptTmpl.inf)

#### System Access

| Setting | Value | Effect |
|---|---|---|
| EnableGuestAccount | 0 | Disables the local guest account |

#### Event Audit

| Setting | Value | Effect |
|---|---|---|
| AuditSystemEvents | 1 | Success |
| AuditLogonEvents | 3 | Success + Failure |
| AuditObjectAccess | 2 | Failure |
| AuditPrivilegeUse | 2 | Failure |
| AuditPolicyChange | 1 | Success |
| AuditAccountManage | 3 | Success + Failure |
| AuditProcessTracking | 0 | No auditing |
| AuditDSAccess | 0 | No auditing (irrelevant for workstations) |
| AuditAccountLogon | 3 | Success + Failure |

#### Security Options (Registry Values in GptTmpl.inf)

| Setting | Value | Effect |
|---|---|---|
| InactivityTimeoutSecs | 900 | Lock screen after 15 minutes idle |
| DontDisplayLastUserName | 1 | Logon screen does not display the last signed-in username |
| DisableCAD | 0 | Ctrl+Alt+Del required at logon |
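The Security Policy tables above describe what ends up in the GPO's `GptTmpl.inf`. The following is an added example, not code from this repo or from `Apply-GPOBaseline.ps1`, that renders exactly those values into the INF format from a declarative table so the document and the artifact cannot drift apart. The `[Registry Values]` paths and the `4,` (REG_DWORD) type prefix are the standard encoding secedit uses; the `Get-GPO`-based output path at the end is commented out and assumes RSAT and write access to SYSVOL.

```powershell
# Added example (not part of this repo): render the Security Policy portion of
# Workstations-01 as GptTmpl.inf text from a declarative table.

$SystemAccess = [ordered]@{ EnableGuestAccount = 0 }

# Legacy audit categories: 0 = none, 1 = success, 2 = failure, 3 = success + failure
$EventAudit = [ordered]@{
    AuditSystemEvents    = 1
    AuditLogonEvents     = 3
    AuditObjectAccess    = 2
    AuditPrivilegeUse    = 2
    AuditPolicyChange    = 1
    AuditAccountManage   = 3
    AuditProcessTracking = 0
    AuditDSAccess        = 0
    AuditAccountLogon    = 3
}

# Security Options are stored under [Registry Values] as MACHINE\<path>=<type>,<value>,
# where type 4 is REG_DWORD. All three documented settings live in Policies\System.
$PolicySystem = 'MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System'
$RegistryValues = [ordered]@{
    "$PolicySystem\InactivityTimeoutSecs"   = '4,900'
    "$PolicySystem\DontDisplayLastUserName" = '4,1'
    "$PolicySystem\DisableCAD"              = '4,0'
}

function ConvertTo-GptTmplInf {
    param(
        [System.Collections.IDictionary]$SystemAccess,
        [System.Collections.IDictionary]$EventAudit,
        [System.Collections.IDictionary]$RegistryValues
    )
    $lines = [System.Collections.Generic.List[string]]::new()
    $lines.Add('[Unicode]')
    $lines.Add('Unicode=yes')
    $lines.Add('[System Access]')
    foreach ($k in $SystemAccess.Keys)   { $lines.Add("$k = $($SystemAccess[$k])") }
    $lines.Add('[Event Audit]')
    foreach ($k in $EventAudit.Keys)     { $lines.Add("$k = $($EventAudit[$k])") }
    $lines.Add('[Registry Values]')
    foreach ($k in $RegistryValues.Keys) { $lines.Add("$k=$($RegistryValues[$k])") }
    $lines.Add('[Version]')
    $lines.Add('signature="$CHICAGO$"')   # single quotes keep the $CHICAGO$ literal
    $lines.Add('Revision=1')
    return ($lines -join "`r`n")
}

$inf = ConvertTo-GptTmplInf -SystemAccess $SystemAccess -EventAudit $EventAudit -RegistryValues $RegistryValues
$inf   # print the rendered INF for review

# To place it in the GPO (assumption: RSAT GroupPolicy installed, rights on SYSVOL).
# secedit expects UTF-16 LE, which -Encoding Unicode produces.
# $gpo     = Get-GPO -Name 'Workstations-01'
# $OutPath = Join-Path $gpo.Path 'Machine\Microsoft\Windows NT\SecEdit\GptTmpl.inf'
# $inf | Out-File -FilePath $OutPath -Encoding Unicode
```

Writing the file alone does not make clients pick it up: the GPO version in `gpt.ini` must be incremented and the Security client-side extension registered on the GPO, which is the job of whatever tooling applies the baseline, not of this snippet. To confirm what a workstation actually enforces, run `auditpol /get /category:*` on it; note that if any other GPO in scope configures Advanced Audit Policy subcategories, those take precedence over the legacy categories listed here.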
### Administrative Templates (Registry-based)

#### Autorun / Autoplay

| Setting | Value | Effect |
|---|---|---|
| NoDriveTypeAutoRun | 255 | Disable autorun on all drive types |
| NoAutorun | 1 | Disable autoplay entirely |

#### Windows Update

| Setting | Value | Effect |
|---|---|---|
| NoAutoUpdate | 0 | Automatic updates enabled |
| AUOptions | 4 | Auto download + scheduled install |
| ScheduledInstallDay | 0 | Every day |
| ScheduledInstallTime | 3 | 3:00 AM |

#### Logging & Auditing

| Setting | Value | Effect |
|---|---|---|
| EnableScriptBlockLogging | 1 | PowerShell script block logging enabled |
| Application MaxSize | 32768 KB | 32 MB application event log |
| Security MaxSize | 196608 KB | 192 MB security event log |
| System MaxSize | 32768 KB | 32 MB system event log |

#### Remote Desktop

| Setting | Value | Effect |
|---|---|---|
| UserAuthentication | 1 | Network Level Authentication required for RDP |
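The Administrative Templates tables list value names without the registry keys they are backed by. The block below is an added example, not the repo's `Apply-GPOBaseline.ps1`, that pairs each documented value with its well-known policy key, applies them with `Set-GPRegistryValue`, and then reads every value back with `Get-GPRegistryValue` to report drift between the GPO and this document. It assumes the RSAT GroupPolicy module and a GPO named `Workstations-01` already exist; event log sizes are in KB, as in the table.

```powershell
# Added example (not part of this repo): apply and verify the registry-based settings.
Import-Module GroupPolicy

$GpoName = 'Workstations-01'

$Explorer = 'HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer'
$WuAu     = 'HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU'
$EventLog = 'HKLM\SOFTWARE\Policies\Microsoft\Windows\EventLog'
$PsSbl    = 'HKLM\SOFTWARE\Policies\Microsoft\Windows\PowerShell\ScriptBlockLogging'
$Rdp      = 'HKLM\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services'

# One row per documented setting; all are REG_DWORD.
$Settings = @(
    @{ Key = $Explorer;              Name = 'NoDriveTypeAutoRun';       Value = 255 }
    @{ Key = $Explorer;              Name = 'NoAutorun';                Value = 1 }
    @{ Key = $WuAu;                  Name = 'NoAutoUpdate';             Value = 0 }
    @{ Key = $WuAu;                  Name = 'AUOptions';                Value = 4 }
    @{ Key = $WuAu;                  Name = 'ScheduledInstallDay';      Value = 0 }
    @{ Key = $WuAu;                  Name = 'ScheduledInstallTime';     Value = 3 }
    @{ Key = $PsSbl;                 Name = 'EnableScriptBlockLogging'; Value = 1 }
    @{ Key = "$EventLog\Application"; Name = 'MaxSize';                Value = 32768 }   # KB
    @{ Key = "$EventLog\Security";    Name = 'MaxSize';                Value = 196608 }  # KB
    @{ Key = "$EventLog\System";      Name = 'MaxSize';                Value = 32768 }   # KB
    @{ Key = $Rdp;                   Name = 'UserAuthentication';       Value = 1 }
)

function Set-WorkstationBaseline {
    foreach ($s in $Settings) {
        Set-GPRegistryValue -Name $GpoName -Key $s.Key -ValueName $s.Name `
            -Type DWord -Value $s.Value | Out-Null
    }
}

# Drift check: read each value back from the GPO; a missing value reads as $null.
function Test-WorkstationBaseline {
    $drift = foreach ($s in $Settings) {
        $actual = $null
        try {
            $actual = (Get-GPRegistryValue -Name $GpoName -Key $s.Key -ValueName $s.Name -ErrorAction Stop).Value
        } catch { }
        if ($actual -ne $s.Value) {
            [pscustomobject]@{ Key = $s.Key; Name = $s.Name; Expected = $s.Value; Actual = $actual }
        }
    }
    return $drift
}

Set-WorkstationBaseline
$drift = Test-WorkstationBaseline
if ($drift) { $drift | Format-Table -AutoSize } else { "$GpoName matches the documented baseline" }
```

Running `Test-WorkstationBaseline` on its own (without the apply step) is a cheap pre-commit or scheduled check that someone editing the GPO in GPMC has not silently diverged from the table above.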

## WMI Filter

| Property | Value |
|---|---|
| Name | Workstations Only |
| Query | `SELECT * FROM Win32_OperatingSystem WHERE ProductType = 1` |

Defense-in-depth: ensures this GPO only applies to workstation operating systems, even if a server object lands in the ExampleWorkstations OU by mistake.

## Restricted Groups

| Local Group | Enforced Members |
|---|---|
| BUILTIN\Administrators | Domain Admins, MasterAdmins |

Any locally-added administrator accounts are removed on next GPO refresh. This prevents local admin creep on workstations.
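Both the WMI filter and the Restricted Groups enforcement can be checked from the workstation itself, which is useful between refresh cycles or when a machine reports that the GPO was filtered out. The block below is an added example, not part of this repo, covering both sections: it evaluates the same `ProductType` test the WMI filter uses and lists any local Administrators member that is not in the documented set. The domain NetBIOS prefix `EXAMPLE` is an assumption; the built-in RID 500 Administrator is skipped because Windows does not allow it to be removed from the local Administrators group, so it is present regardless of the policy.

```powershell
# Added example (not part of this repo): local posture check for the WMI filter
# condition and the Restricted Groups membership documented above.

# ProductType on Win32_OperatingSystem: 1 = workstation, 2 = domain controller, 3 = server
function Test-WorkstationFilter {
    $os = Get-CimInstance -ClassName Win32_OperatingSystem
    [pscustomobject]@{
        ProductType     = $os.ProductType
        FilterMatches   = ($os.ProductType -eq 1)   # same condition as the WMI filter query
        Caption         = $os.Caption
    }
}

# Members the GPO enforces; the domain prefix is an assumption for this example.
$ExpectedAdmins = @('EXAMPLE\Domain Admins', 'EXAMPLE\MasterAdmins')

function Get-LocalAdminDrift {
    param([string[]]$Expected = $ExpectedAdmins)
    $members = Get-LocalGroupMember -Group 'Administrators'
    foreach ($m in $members) {
        # RID 500 is the built-in local Administrator; Restricted Groups cannot remove it.
        if ($m.SID.Value -match '-500$') { continue }
        if ($Expected -notcontains $m.Name) {
            [pscustomobject]@{ Member = $m.Name; Class = $m.ObjectClass; SID = $m.SID.Value }
        }
    }
}

Test-WorkstationFilter
$drift = Get-LocalAdminDrift
if ($drift) {
    "Local Administrators members not in the enforced set (will be removed on next refresh):"
    $drift | Format-Table -AutoSize
} else {
    "Local Administrators matches the Restricted Groups definition"
}
```

Because Restricted Groups only corrects membership at refresh time, anything found by `Get-LocalAdminDrift` existed for up to one refresh interval; on a workstation with the audit settings in this GPO (`AuditAccountManage = 3`), the addition itself is recorded in the Security log as event 4732 (member added to a security-enabled local group), which is the record to alert on rather than waiting for the refresh to clean it up.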

## Notes

- First GPO in this repo to use both SecurityPolicy and RegistrySettings together
- Audit policy uses legacy categories (not Advanced Audit Policy Configuration subcategories)
- Event log sizes are generous -- 192 MB security log supports forensic investigation
- Windows Update schedule assumes workstations are powered on overnight or use wake timers