From c76835ff6aa62d71c43e5b6281d8dc245c11dddb Mon Sep 17 00:00:00 2001 From: Tommy Date: Thu, 25 Apr 2024 23:34:02 -0700 Subject: [PATCH] Add additional security options Signed-off-by: Tommy --- .../Default Domain Policy/Security Options.md | 5 +++++ 1 file changed, 5 insertions(+) diff --git a/Group Policies Objects/Default Domain Policy/Security Options.md b/Group Policies Objects/Default Domain Policy/Security Options.md index 2872852..358b02d 100644 --- a/Group Policies Objects/Default Domain Policy/Security Options.md +++ b/Group Policies Objects/Default Domain Policy/Security Options.md @@ -6,11 +6,16 @@ Documentation: https://learn.microsoft.com/en-us/windows/security/application-se (**Follow this guide to setup LDAPS if you do not have key server: https://www.dvolve.net/blog/2019/12/using-lets-encrypt-for-active-directory-domain-controller-certificates/**) +- Accounts: Block Microsoft accounts -> Users can't add or log on with Microsoft accounts +- Accounts: Guest account status -> Disabled +- Devices: Prevent users from installing printer drivers -> Enabled - Domain controller: LDAP server signing requirements: Require signing - Domain controller: LDAP server channel binding token requirements: Always - Domain member: Digitally encrypt or sign secure channel data (always) -> Enabled +- Domain member: Require strong (Windows 2000 or later) session key -> Enabled - Microsoft network client: Digitally sign communications (always) -> Enabled - Microsoft network server: Digitally sign communications (always) -> Enabled +- Network access: Allow anonymous SID/Name translation -> Disabled - Network security: LDAP client signing requirements: Require signing - Shutdown: Clear virtual memory pagefile -> Enabled - User Account Control: Allow UIAccess applications to prompt for elevation without using the secure desktop -> Disabled
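Review bot: The five added entries in the `@@ -6,11 +6,16 @@` hunk carry no note on scope or compatibility, and because this file documents the Default Domain Policy they reach every domain-joined machine, not only domain controllers. The one most likely to surprise users is `Accounts: Block Microsoft accounts -> Users can't add or log on with Microsoft accounts`, which, as its value text says, blocks logging on with a Microsoft account as well as adding one; a one-line caveat next to it, or a recommendation to pilot it on a test OU first, would help anyone applying this list. `Devices: Prevent users from installing printer drivers -> Enabled` deserves the same treatment, since it restricts driver installation for shared printers to administrators on workstations too. The commit subject "Add additional security options" also does not name the settings; listing them in the commit body would make the change easier to find later.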