
CISA GPO Settings Checklist
The Cybersecurity and Infrastructure Security Agency (CISA) is a U.S. government agency tasked with enhancing the security, resilience, and reliability of the nation's infrastructure. This checklist serves as a comprehensive guide for ensuring that systems adhere to strict Group Policy Object (GPO) security configurations. While primarily designed for organizations and IT professionals managing enterprise environments, the checklist can also serve as a benchmark for individuals aiming to implement robust security measures at home. Independent IT professionals, such as those at My Tech Today, can provide expert assistance in customizing and applying these settings to lock down systems according to the highest security standards.
General System Settings
- Domain-joined systems must use Windows 10 Enterprise Edition 64-bit version.
- Windows 10 information systems must use BitLocker to encrypt all disks.
- Windows 10 systems must be maintained at a supported servicing level.
- Local volumes must be formatted using NTFS.
- Accounts must be configured to require password expiration.
- Internet Information System (IIS) or its subcomponents must not be installed on a workstation.
- Simple Network Management Protocol (SNMP) must not be installed on the system.
- Simple TCP/IP Services must not be installed on the system.
- The Telnet Client must not be installed on the system.
- The TFTP Client must not be installed on the system.
- The Windows PowerShell 2.0 feature must be disabled on the system.
- The Server Message Block (SMB) v1 protocol must be disabled on the system, server, and client.
- The Secondary Logon service must be disabled on Windows 10.
- Data Execution Prevention (DEP) must be configured to at least OptOut.
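One way to audit the items in this section on a running machine is the PowerShell script below. It is an added example, not part of the checklist and not a My Tech Today tool; the DISM feature names and the "nx" boot-entry parsing are assumptions for Windows 10 and may need adjusting on other builds.

```powershell
#Requires -RunAsAdministrator
# Added example, not part of the checklist: audits the General System Settings
# items readable from CIM, optional features, volumes, services and the boot
# configuration, reporting each as Pass/Fail. DISM feature names are assumed
# for Windows 10 (SNMP moved to Features on Demand in later builds).

function Test-GeneralSystemSettings {
    $results = [System.Collections.Generic.List[object]]::new()
    $add = { param($Item, $Expected, $Actual, $Pass)
        $results.Add([pscustomobject]@{ Item = $Item; Expected = $Expected
                                        Actual = $Actual; Pass = [bool]$Pass }) }

    # Edition and architecture must be Enterprise, 64-bit.
    $os = Get-CimInstance Win32_OperatingSystem
    & $add 'Windows edition' 'Enterprise' $os.Caption ($os.Caption -match 'Enterprise')
    & $add 'Architecture' '64-bit' $os.OSArchitecture ($os.OSArchitecture -match '64')

    # Components that must not be installed / must be disabled.
    $forbidden = [ordered]@{
        'IIS-WebServerRole'                = 'IIS'
        'SNMP'                             = 'SNMP'
        'SimpleTCP'                        = 'Simple TCP/IP Services'
        'TelnetClient'                     = 'Telnet Client'
        'TFTP'                             = 'TFTP Client'
        'MicrosoftWindowsPowerShellV2Root' = 'PowerShell 2.0'
        'SMB1Protocol'                     = 'SMB v1'
    }
    foreach ($name in $forbidden.Keys) {
        $f = Get-WindowsOptionalFeature -Online -FeatureName $name -ErrorAction SilentlyContinue
        $state = if ($f) { [string]$f.State } else { 'NotPresent' }
        & $add $forbidden[$name] 'Disabled or NotPresent' $state ($state -ne 'Enabled')
    }

    # Every fixed volume with a drive letter must be NTFS and BitLocker-protected.
    $fixed = Get-Volume | Where-Object { $_.DriveType -eq 'Fixed' -and $_.DriveLetter -match '[A-Z]' }
    foreach ($v in $fixed) {
        $id = "$($v.DriveLetter):"
        & $add "$id file system" 'NTFS' $v.FileSystem ($v.FileSystem -eq 'NTFS')
        $bl = Get-BitLockerVolume -MountPoint $id -ErrorAction SilentlyContinue
        $prot = if ($bl) { [string]$bl.ProtectionStatus } else { 'Unknown' }
        & $add "$id BitLocker" 'On' $prot ($prot -eq 'On')
    }

    # Secondary Logon service must be disabled (absent also satisfies the item).
    $svc = Get-Service -Name seclogon -ErrorAction SilentlyContinue
    $start = if ($svc) { [string]$svc.StartType } else { 'NotPresent' }
    & $add 'Secondary Logon (seclogon)' 'Disabled' $start ($start -in 'Disabled', 'NotPresent')

    # DEP policy from the boot entry; OptOut or the stricter AlwaysOn passes.
    $nxLine = bcdedit /enum '{current}' | Select-String -Pattern '^\s*nx\s+(\S+)'
    $nx = if ($nxLine) { $nxLine.Matches[0].Groups[1].Value } else { 'OptIn' }
    & $add 'DEP (nx)' 'OptOut or AlwaysOn' $nx ($nx -in 'OptOut', 'AlwaysOn')

    # Enabled local accounts must have password expiration set.
    $noExpiry = @(Get-LocalUser | Where-Object { $_.Enabled -and -not $_.PasswordExpires })
    & $add 'Local accounts without expiration' 'none' ($noExpiry.Name -join ', ') ($noExpiry.Count -eq 0)

    return $results
}

Test-GeneralSystemSettings | Format-Table Item, Expected, Actual, Pass -AutoSize
```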
Account Lockout and Password Policy
- Windows 10 account lockout duration must be configured to 15 minutes or greater.
- The number of allowed bad logon attempts must be configured to 3 or less.
- The period before the bad logon counter is reset must be configured to 15 minutes.
- Password history must retain 24 passwords remembered.
- The maximum password age must be 60 days or less.
- The minimum password age must be at least 1 day.
- Passwords must be at least 14 characters long.
- Microsoft's password complexity filter must be enabled.
- Reversible password encryption must be disabled.
User Rights Assignments
- The "Access Credential Manager as a trusted caller" user right must not be assigned to any groups or accounts.
- The "Access this computer from the network" user right must only be assigned to Administrators and Remote Desktop Users groups.
- The "Act as part of the operating system" user right must not be assigned to any groups or accounts.
- The "Allow log on locally" user right must only be assigned to Administrators and Users groups.
- The "Back up files and directories" user right must only be assigned to the Administrators group.
- The "Change the system time" user right must only be assigned to Administrators, Local Service, and NT SERVICE\autotimesvc.
- The "Create a pagefile" user right must only be assigned to the Administrators group.
- The "Create a token object" user right must not be assigned to any groups or accounts.
- The "Create global objects" user right must only be assigned to Administrators, Service, Local Service, and Network Service.
- The "Create permanent shared objects" user right must not be assigned to any groups or accounts.
- The "Create symbolic links" user right must only be assigned to the Administrators group.
- The "Debug programs" user right must only be assigned to the Administrators group.
- The "Deny access to this computer from the network" user right must prevent unauthenticated access and access from highly privileged accounts.
- The "Deny log on as a batch job" user right must prevent access from highly privileged accounts on domain systems.
- The "Deny log on as a service" user right must prevent access from highly privileged accounts on domain systems.
- The "Deny log on locally" user right must prevent access from highly privileged accounts and unauthenticated users.
- The "Deny log on through Remote Desktop Services" user right must prevent unauthenticated access and access from highly privileged accounts.
- The "Enable computer and user accounts to be trusted for delegation" user right must not be assigned to any groups or accounts.
- The "Force shutdown from a remote system" user right must only be assigned to the Administrators group.
- The "Impersonate a client after authentication" user right must only be assigned to Administrators, Service, Local Service, and Network Service.
- The "Load and unload device drivers" user right must only be assigned to the Administrators group.
- The "Lock pages in memory" user right must not be assigned to any groups or accounts.
- The "Manage auditing and security log" user right must only be assigned to the Administrators group.
- The "Modify firmware environment values" user right must only be assigned to the Administrators group.
- The "Perform volume maintenance tasks" user right must only be assigned to the Administrators group.
- The "Profile single process" user right must only be assigned to the Administrators group.
- The "Restore files and directories" user right must only be assigned to the Administrators group.
- The "Take ownership of files or other objects" user right must only be assigned to the Administrators group.
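The account policy items above and the user rights items in this section can both be read from a secedit export of the local security policy. The script below is an added example, not part of the checklist and not a My Tech Today tool; it assumes the well-known SIDs for Administrators, Users, Remote Desktop Users and the service accounts, and skips the Deny-* rights and "Change the system time" because their expected members are domain- or service-specific.

```powershell
#Requires -RunAsAdministrator
# Added example, not part of the checklist: exports the effective local security
# policy with secedit, then compares the [System Access] section with the Account
# Lockout and Password Policy items and the [Privilege Rights] section with the
# User Rights Assignments items. The Deny-* rights and "Change the system time"
# are left out because their expected members are domain- or service-specific.

function Get-SeceditPolicy {
    $cfg = Join-Path $env:TEMP 'secpol-audit.inf'
    secedit /export /cfg $cfg /quiet | Out-Null
    $ini = @{}; $section = ''
    foreach ($line in Get-Content $cfg) {
        if ($line -match '^\[(.+)\]$') { $section = $Matches[1]; $ini[$section] = @{}; continue }
        if ($line -match '^\s*([^=]+?)\s*=\s*(.*)$') { $ini[$section][$Matches[1]] = $Matches[2] }
    }
    Remove-Item $cfg -Force
    return $ini
}

function Test-AccountPolicy([hashtable]$Access) {
    # Only numeric entries are compared; -1 means "never" (max age) or "until an
    # administrator unlocks" (lockout duration), and 0 bad attempts disables lockout.
    $n = @{}
    foreach ($k in $Access.Keys) { if ($Access[$k] -match '^-?\d+$') { $n[$k] = [int]$Access[$k] } }
    @(
        @{ Item = 'Lockout duration >= 15 min';  Pass = ($n.LockoutDuration -eq -1 -or $n.LockoutDuration -ge 15) }
        @{ Item = 'Bad logon attempts 1..3';     Pass = ($n.LockoutBadCount -ge 1 -and $n.LockoutBadCount -le 3) }
        @{ Item = 'Reset counter >= 15 min';     Pass = ($n.ResetLockoutCount -ge 15) }
        @{ Item = 'Password history >= 24';      Pass = ($n.PasswordHistorySize -ge 24) }
        @{ Item = 'Max password age 1..60 days'; Pass = ($n.MaximumPasswordAge -ge 1 -and $n.MaximumPasswordAge -le 60) }
        @{ Item = 'Min password age >= 1 day';   Pass = ($n.MinimumPasswordAge -ge 1) }
        @{ Item = 'Min password length >= 14';   Pass = ($n.MinimumPasswordLength -ge 14) }
        @{ Item = 'Complexity enabled';          Pass = ($n.PasswordComplexity -eq 1) }
        @{ Item = 'Reversible encryption off';   Pass = ($n.ClearTextPassword -eq 0) }
    ) | ForEach-Object { [pscustomobject]$_ }
}

function Test-UserRights([hashtable]$Rights) {
    $Admins = 'S-1-5-32-544'; $Users = 'S-1-5-32-545'; $RDP = 'S-1-5-32-555'
    $Svc = 'S-1-5-6'; $LocalSvc = 'S-1-5-19'; $NetSvc = 'S-1-5-20'
    # Allowed members per right; an empty list means the right must not be assigned.
    $allowed = [ordered]@{
        SeTrustedCredManAccessPrivilege = @();   SeNetworkLogonRight = @($Admins, $RDP)
        SeTcbPrivilege = @();                    SeInteractiveLogonRight = @($Admins, $Users)
        SeBackupPrivilege = @($Admins);          SeCreatePagefilePrivilege = @($Admins)
        SeCreateTokenPrivilege = @();            SeCreateGlobalPrivilege = @($Admins, $Svc, $LocalSvc, $NetSvc)
        SeCreatePermanentPrivilege = @();        SeCreateSymbolicLinkPrivilege = @($Admins)
        SeDebugPrivilege = @($Admins);           SeEnableDelegationPrivilege = @()
        SeRemoteShutdownPrivilege = @($Admins);  SeImpersonatePrivilege = @($Admins, $Svc, $LocalSvc, $NetSvc)
        SeLoadDriverPrivilege = @($Admins);      SeLockMemoryPrivilege = @()
        SeSecurityPrivilege = @($Admins);        SeSystemEnvironmentPrivilege = @($Admins)
        SeManageVolumePrivilege = @($Admins);    SeProfileSingleProcessPrivilege = @($Admins)
        SeRestorePrivilege = @($Admins);         SeTakeOwnershipPrivilege = @($Admins)
    }
    foreach ($right in $allowed.Keys) {
        # A right with no members is simply absent from the export.
        $actual = @()
        if ($Rights.ContainsKey($right)) {
            $actual = @($Rights[$right].Split(',') | ForEach-Object { $_.Trim().TrimStart('*') })
        }
        $extra = @($actual | Where-Object { $_ -notin $allowed[$right] })
        [pscustomobject]@{ Right = $right; Members = ($actual -join ','); Unexpected = ($extra -join ','); Pass = ($extra.Count -eq 0) }
    }
}

$pol = Get-SeceditPolicy
Test-AccountPolicy $pol['System Access']   | Format-Table -AutoSize
Test-UserRights    $pol['Privilege Rights'] | Format-Table -AutoSize
```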
Security Options Settings
- The built-in administrator account must be disabled.
- The built-in guest account must be disabled.
- Local accounts with blank passwords must be restricted to prevent access from the network.
- The built-in administrator account must be renamed.
- The built-in guest account must be renamed.
- Audit policy using subcategories must be enabled.
- Outgoing secure channel traffic must be encrypted or signed.
- Outgoing secure channel traffic must be encrypted when possible.
- Outgoing secure channel traffic must be signed when possible.
- The computer account password must not be prevented from being reset.
- The maximum age for machine account passwords must be configured to 30 days or less.
- The system must be configured to require a strong session key.
- The machine inactivity limit must be set to 15 minutes, locking the system with the screensaver.
- Caching of logon credentials must be limited.
- The Smart Card removal option must be configured to Force Logoff or Lock Workstation.
- The Windows SMB client must be configured to always perform SMB packet signing.
- Unencrypted passwords must not be sent to third-party SMB Servers.
- The Windows SMB server must be configured to always perform SMB packet signing.
- Anonymous enumeration of SAM accounts must not be allowed.
- Anonymous enumeration of shares must be restricted.
- The system must be configured to prevent anonymous users from having the same rights as the Everyone group.
- Anonymous access to Named Pipes and Shares must be restricted.
- Remote calls to the Security Account Manager (SAM) must be restricted to Administrators.
- NTLM must be prevented from falling back to a Null session.
- PKU2U authentication using online identities must be prevented.
- Kerberos encryption types must be configured to prevent the use of DES and RC4 encryption suites.
- The system must be configured to prevent the storage of the LAN Manager hash of passwords.
- The LanMan authentication level must be set to send NTLMv2 response only and refuse LM and NTLM.
- The system must be configured to the required LDAP client signing level.
- The system must be configured to meet the minimum session security requirement for NTLM SSP based clients.
- The system must be configured to meet the minimum session security requirement for NTLM SSP based servers.
- The system must be configured to use FIPS-compliant algorithms for encryption, hashing, and signing.
- The default permissions of global system objects must be increased.
- User Account Control approval mode for the built-in Administrator must be enabled.
- User Account Control must, at minimum, prompt administrators for consent on the secure desktop.
- User Account Control must automatically deny elevation requests for standard users.
- User Account Control must be configured to detect application installations and prompt for elevation.
- User Account Control must only elevate UIAccess applications that are installed in secure locations.
- User Account Control must run all administrators in Admin Approval Mode, enabling UAC.
- User Account Control must virtualize file and registry write failures to per-user locations.
Audit Policy Settings
- The system must be configured to audit Account Logon - Credential Validation failures.
- The system must be configured to audit Account Logon - Credential Validation successes.
- The system must be configured to audit Account Management - Security Group Management successes.
- The system must be configured to audit Account Management - User Account Management failures.
- The system must be configured to audit Account Management - User Account Management successes.
- The system must be configured to audit Detailed Tracking - Process Creation successes.
- The system must be configured to audit Logon/Logoff - Account Lockout failures.
- The system must be configured to audit Logon/Logoff - Logoff successes.
- The system must be configured to audit Logon/Logoff - Logon failures.
- The system must be configured to audit Logon/Logoff - Logon successes.
- The system must be configured to audit Logon/Logoff - Special Logon successes.
- Windows 10 must be configured to audit Object Access - File Share failures.
- Windows 10 must be configured to audit Object Access - File Share successes.
- Windows 10 must be configured to audit Object Access - Other Object Access Events successes.
- Windows 10 must be configured to audit Object Access - Other Object Access Events failures.
- The system must be configured to audit Policy Change - Audit Policy Change successes.
- The system must be configured to audit Policy Change - Authentication Policy Change successes.
- The system must be configured to audit Policy Change - Authorization Policy Change successes.
- The system must be configured to audit Privilege Use - Sensitive Privilege Use failures.
- The system must be configured to audit Privilege Use - Sensitive Privilege Use successes.
- The system must be configured to audit System - IPSec Driver failures.
- The system must be configured to audit System - Other System Events successes.
- The system must be configured to audit System - Other System Events failures.
- The system must be configured to audit System - Security State Change successes.
- The system must be configured to audit System - Security System Extension successes.
- The system must be configured to audit System - System Integrity failures.
- The system must be configured to audit System - System Integrity successes.
- Windows 10 permissions for the Application event log must prevent access by non-privileged accounts.
- Windows 10 permissions for the Security event log must prevent access by non-privileged accounts.
- Windows 10 permissions for the System event log must prevent access by non-privileged accounts.
- Windows 10 must be configured to audit Other Policy Change Events Successes.
- Windows 10 must be configured to audit Other Policy Change Events Failures.
- Windows 10 must be configured to audit other Logon/Logoff Events Successes.
- Windows 10 must be configured to audit other Logon/Logoff Events Failures.
- Windows 10 must be configured to audit Detailed File Share Failures.
- Windows 10 must be configured to audit MPSSVC Rule-Level Policy Change Successes.
- Windows 10 must be configured to audit MPSSVC Rule-Level Policy Change Failures.
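The audit subcategories above can be checked against the effective policy with auditpol. The script below is an added example, not part of the checklist and not a My Tech Today tool; it assumes English subcategory names in the auditpol output and does not cover the three event log permission items.

```powershell
#Requires -RunAsAdministrator
# Added example, not part of the checklist: reads the effective advanced audit
# policy with "auditpol /get /category:* /r" (CSV output) and compares each
# subcategory named in the Audit Policy Settings list with the required setting.
# English subcategory names are assumed (auditpol output is localized); the
# event log permission items are not covered here.

function Test-AuditPolicy {
    # Required setting per subcategory, taken from the checklist.
    $required = [ordered]@{
        'Credential Validation'           = 'Success and Failure'
        'Security Group Management'       = 'Success'
        'User Account Management'         = 'Success and Failure'
        'Process Creation'                = 'Success'
        'Account Lockout'                 = 'Failure'
        'Logoff'                          = 'Success'
        'Logon'                           = 'Success and Failure'
        'Special Logon'                   = 'Success'
        'Other Logon/Logoff Events'       = 'Success and Failure'
        'File Share'                      = 'Success and Failure'
        'Detailed File Share'             = 'Failure'
        'Other Object Access Events'      = 'Success and Failure'
        'Audit Policy Change'             = 'Success'
        'Authentication Policy Change'    = 'Success'
        'Authorization Policy Change'     = 'Success'
        'MPSSVC Rule-Level Policy Change' = 'Success and Failure'
        'Other Policy Change Events'      = 'Success and Failure'
        'Sensitive Privilege Use'         = 'Success and Failure'
        'IPsec Driver'                    = 'Failure'
        'Other System Events'             = 'Success and Failure'
        'Security State Change'           = 'Success'
        'Security System Extension'       = 'Success'
        'System Integrity'                = 'Success and Failure'
    }
    # /r emits CSV with a "Subcategory" and an "Inclusion Setting" column.
    $rows = auditpol /get /category:* /r | Where-Object { $_ -match '\S' } | ConvertFrom-Csv
    foreach ($sub in $required.Keys) {
        $row = $rows | Where-Object { $_.Subcategory -eq $sub } | Select-Object -First 1
        $actual = if ($row) { $row.'Inclusion Setting' } else { 'Not found' }
        $need = $required[$sub]
        # "Success and Failure" also satisfies a requirement for just one of the two.
        $pass = switch ($need) {
            'Success' { $actual -in 'Success', 'Success and Failure' }
            'Failure' { $actual -in 'Failure', 'Success and Failure' }
            default   { $actual -eq 'Success and Failure' }
        }
        [pscustomobject]@{ Subcategory = $sub; Required = $need; Actual = $actual; Pass = [bool]$pass }
    }
}

Test-AuditPolicy | Format-Table -AutoSize
```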
Administrative Template Settings
- Command line data must be included in process creation events.
- Windows 10 must be configured to enable Remote host allows delegation of non-exportable credentials.
- Early Launch Antimalware, Boot-Start Driver Initialization Policy must prevent boot drivers identified as bad.
- Group Policy objects must be reprocessed even if they have not changed.
- Downloading print driver packages over HTTP must be prevented.
- Web publishing and online ordering wizards must be prevented from downloading a list of providers.
- Printing over HTTP must be prevented.
- Systems must at least attempt device authentication using certificates.
- The network selection user interface (UI) must not be displayed on the logon screen.
- Local users on domain-joined computers must not be enumerated.
- Users must be prompted for a password on resume from sleep (on battery).
- Solicited Remote Assistance must not be allowed.
- Windows 10 Kernel (Direct Memory Access) DMA Protection must be enabled.
- The convenience PIN for Windows 10 must be disabled.
- Internet connection sharing must be disabled.
- Hardened UNC Paths must be defined to require mutual authentication and integrity for SYSVOL and NETLOGON shares.
- Simultaneous connections to the Internet or a Windows domain must be limited.
- Connections to non-domain networks when connected to a domain authenticated network must be blocked.
- Wi-Fi Sense must be disabled.
- Insecure logons to an SMB server must be disabled.
- The Application Compatibility Program Inventory must be prevented from collecting data and sending the information to Microsoft.
- Autoplay must be turned off for non-volume devices.
- The default autorun behavior must be configured to prevent autorun commands.
- Autoplay must be disabled for all drives.
- Enhanced anti-spoofing for facial recognition must be enabled on Windows 10.
- Microsoft consumer experiences must be turned off.
- Administrator accounts must not be enumerated during elevation.
- If Enhanced diagnostic data is enabled, it must be limited to the minimum required to support Windows Analytics.
- Windows Telemetry must not be configured to Full.
- Windows Update must not obtain updates from other PCs on the Internet.
- The Windows Defender SmartScreen for Explorer must be enabled.
- Explorer Data Execution Prevention must be enabled.
- Turning off File Explorer heap termination on corruption must be disabled.
- File Explorer shell protocol must run in protected mode.
- Users must not be allowed to ignore Windows Defender SmartScreen filter warnings for malicious websites in Microsoft Edge.
- Users must not be allowed to ignore Windows Defender SmartScreen filter warnings for unverified files in Microsoft Edge.
- Windows 10 must be configured to prevent certificate error overrides in Microsoft Edge.
- The password manager function in the Edge browser must be disabled.
- The Windows Defender SmartScreen filter for Microsoft Edge must be enabled.
- Windows 10 must be configured to disable Windows Game Recording and Broadcasting.
- Windows 10 must be configured to require a minimum pin length of six characters or greater.
- Passwords must not be saved in the Remote Desktop Client.
- Local drives must be prevented from sharing with Remote Desktop Session Hosts.
- Remote Desktop Services must always prompt a client for passwords upon connection.
- The Remote Desktop Session Host must require secure RPC communications.
- Remote Desktop Services must be configured with the client connection encryption set to the required level.
- Attachments must be prevented from being downloaded from RSS feeds.
- Basic authentication for RSS feeds over HTTP must not be used.
- Indexing of encrypted files must be turned off.
- Users must be prevented from changing installation options.
- The Windows Installer Always install with elevated privileges must be disabled.
- Users must be notified if a web-based program attempts to install software.
- Automatically signing in the last interactive user after a system-initiated restart must be disabled.
- PowerShell script block logging must be enabled on Windows 10.
- PowerShell Transcription must be enabled on Windows 10.
- The Windows Remote Management (WinRM) client must not use Basic authentication.
- The Windows Remote Management (WinRM) client must not allow unencrypted traffic.
- The Windows Remote Management (WinRM) service must not use Basic authentication.
- The Windows Remote Management (WinRM) service must not allow unencrypted traffic.
- The Windows Remote Management (WinRM) service must not store RunAs credentials.
- The Windows Remote Management (WinRM) client must not use Digest authentication.
- Windows Ink Workspace must be configured to disallow access above the lock.
- The Application event log size must be configured to 32768 KB or greater.
- The Security event log size must be configured to 1024000 KB or greater.
- The System event log size must be configured to 32768 KB or greater.
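Most of the Security Options and Administrative Template items are Group Policy settings that write a registry value, so a subset of both sections can be verified by reading those values. The script below is an added example, not part of the checklist and not a My Tech Today tool; the registry paths and expected values are the policy-to-registry mapping as I know it for Windows 10 and should be verified against your own baseline.

```powershell
#Requires -RunAsAdministrator
# Added example, not part of the checklist: verifies a subset of the Security
# Options and Administrative Template items by reading the registry values the
# corresponding policies write. Paths and values are assumed from the Windows 10
# policy-to-registry mapping; a missing value counts as a failure, since an
# unset policy leaves the insecure default in force.

$Lsa = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
$Svc = 'HKLM:\SYSTEM\CurrentControlSet\Services'
$Uac = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
$Pol = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows'

# One check: registry path, value name, comparison (eq/ge/in/range), expected.
function Check($Path, $Name, $Op, $Expected) {
    [pscustomobject]@{ Path = $Path; Name = $Name; Op = $Op; Expected = $Expected }
}
$checks = @(
    # Security Options
    Check $Lsa 'LmCompatibilityLevel' 'eq' 5                    # NTLMv2 only, refuse LM and NTLM
    Check $Lsa 'NoLMHash' 'eq' 1
    Check $Lsa 'RestrictAnonymousSAM' 'eq' 1
    Check $Lsa 'RestrictAnonymous' 'eq' 1
    Check $Lsa 'RestrictRemoteSAM' 'eq' 'O:BAG:BAD:(A;;RC;;;BA)' # remote SAM calls: Administrators only
    Check "$Lsa\MSV1_0" 'NTLMMinClientSec' 'eq' 537395200       # 0x20080000: NTLMv2 session + 128-bit
    Check "$Lsa\pku2u" 'AllowOnlineID' 'eq' 0
    Check "$Svc\LanmanWorkstation\Parameters" 'RequireSecuritySignature' 'eq' 1
    Check "$Svc\LanmanServer\Parameters" 'RequireSecuritySignature' 'eq' 1
    Check "$Svc\Netlogon\Parameters" 'RequireSignOrSeal' 'eq' 1
    Check "$Svc\Netlogon\Parameters" 'MaximumPasswordAge' 'range' @(1, 30)
    Check "$Uac\Kerberos\Parameters" 'SupportedEncryptionTypes' 'eq' 2147483640  # AES only, no DES/RC4
    Check $Uac 'EnableLUA' 'eq' 1
    Check $Uac 'ConsentPromptBehaviorAdmin' 'in' @(1, 2)        # consent/credentials on secure desktop
    Check $Uac 'ConsentPromptBehaviorUser' 'eq' 0               # auto-deny standard users
    Check $Uac 'InactivityTimeoutSecs' 'range' @(1, 900)
    # Administrative Templates
    Check "$Uac\Audit" 'ProcessCreationIncludeCmdLine_Enabled' 'eq' 1
    Check "$Pol\CredentialsDelegation" 'AllowProtectedCreds' 'eq' 1
    Check "$Pol\LanmanWorkstation" 'AllowInsecureGuestAuth' 'eq' 0
    Check "$Pol\PowerShell\ScriptBlockLogging" 'EnableScriptBlockLogging' 'eq' 1
    Check "$Pol\PowerShell\Transcription" 'EnableTranscripting' 'eq' 1
    Check "$Pol\WinRM\Client" 'AllowBasic' 'eq' 0
    Check "$Pol\WinRM\Client" 'AllowUnencryptedTraffic' 'eq' 0
    Check "$Pol\WinRM\Service" 'AllowBasic' 'eq' 0
    Check "$Pol\WinRM\Service" 'DisableRunAs' 'eq' 1
    Check "$Pol\Installer" 'AlwaysInstallElevated' 'eq' 0
    Check "$Pol\DataCollection" 'AllowTelemetry' 'in' @(0, 1, 2) # anything but Full (3)
    Check "$Pol\EventLog\Security" 'MaxSize' 'ge' 1024000
)

function Test-RegistryChecks($Checks) {
    foreach ($c in $Checks) {
        $item = Get-ItemProperty -Path $c.Path -Name $c.Name -ErrorAction SilentlyContinue
        $actual = if ($null -ne $item) { $item.($c.Name) } else { $null }
        $pass = if ($null -eq $actual) { $false } else {
            switch ($c.Op) {
                'eq'    { "$actual" -eq "$($c.Expected)" }
                'ge'    { [int]$actual -ge $c.Expected }
                'in'    { [int]$actual -in $c.Expected }
                'range' { [int]$actual -ge $c.Expected[0] -and [int]$actual -le $c.Expected[1] }
            }
        }
        [pscustomobject]@{ Setting = "$(Split-Path $c.Path -Leaf)\$($c.Name)"; Expected = ($c.Expected -join ' '); Actual = $actual; Pass = [bool]$pass }
    }
}

Test-RegistryChecks $checks | Format-Table Setting, Expected, Actual, Pass -AutoSize
```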
Security Patches
- All security patches must be up-to-date.