How to use Local Group Policy to secure Windows 10

February 8, 2021 by Nitesh Malviya

Group Policy is the most widely used and preferred way to change Windows OS settings and configuration, thanks to its ease of use, simplicity and raw power. The problem is that many think Group Policy is only for big organisations and corporates handling multiple or massive domains.

In simple words, Group Policy is a feature offered by Windows for managing and configuring:

  • the Windows operating system
  • user settings
  • programs

This is done centrally from a computer connected to the same domain. If you are a network administrator, or if you need to impose rules or settings on the systems or users connected to the same network, Group Policy should be the preferred option.

Local Group Policy is a variant of Group Policy for managing and controlling individual computers, which means it can be used by home users as well as network administrators.

Group Policy Editor

Group Policy Editor (gpedit.msc) is a tool provided by Microsoft to help manage and configure user and system configuration settings on the computer.

Because Local Group Policy Editor is an advanced tool, it is not available in the Home or Starter editions of Windows.

The following editions of Windows support this feature:

  1. Windows 10 Pro and Windows 10 Enterprise
  2. Windows 7 Professional, Windows 7 Ultimate and Windows 7 Enterprise
  3. Windows 8.1 Professional and Windows 8.1 Enterprise

Sample settings which can be implemented via Group Policy Editor:

  1. Allow selected applications on the computer.
  2. Disallow users from using USB Devices.
  3. Disallow access to the Control Panel/Settings app.
  4. Hide specific properties/elements from Control Panel.
  5. Disallow users from changing the wallpaper.
  6. Disallow users from enabling/disabling LAN connections.
  7. Deny reading and/or writing data on CD/DVD/USB etc.
  8. Disable all the keyboard shortcuts starting with the Windows key, for instance Windows + R and Windows + X.

Applying Group Policy settings to a particular user on Windows 10

Follow these steps to apply Group Policy settings to a particular user:

1. Open Start. Search for MMC and click on the top result.

2. Select the File menu and then the Add/Remove Snap-in option.

3. Under the "Available snap-ins" section, select the "Group Policy Object Editor" snap-in and click on the "Add" button.

4. Click the Browse button and select the Users tab.

5. Choose the user/group to which you want to apply a specific set of configurations.

6. Click the File menu, select the Save As option and enter a name.

7. Select a location and click Save.

Important Group Policy settings for avoiding security breaches

The following are the top policies that should be implemented to prevent security breaches:

  1. Access to Control Panel
  2. Not allowing Windows to store the LAN Manager hash
  3. Command Prompt Access
  4. Forced System Restart
  5. Deny reading and/or writing data on CD/DVD/USB etc.
  6. Software Installation
  7. Disable Guest Account
  8. Set password length to higher limits
  9. Set password age
  10.  Disable SID enumeration
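
A read-only audit of several settings from the list above, as an added example that is not part of the original article. The registry values, secedit keys and the two password thresholds are assumptions about how each list item maps to a concrete policy; adjust them to your own baseline.

```powershell
# Added example: read-only audit. Registry/secedit mappings and the two
# thresholds below are assumptions, not values given in the article.
# Run elevated: secedit /export requires administrator rights.
$MinLen = 14   # assumed baseline for minimum password length
$MaxAge = 60   # assumed baseline for maximum password age (days)

function Get-PolicyValue([string]$Path, [string]$Name) {
    # Returns $null when the key or value does not exist (policy not configured)
    (Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue).$Name
}

# Export the local security policy and parse its "Key = Value" lines
$cfg = Join-Path $env:TEMP 'secpol-audit.inf'
secedit /export /cfg $cfg /areas SECURITYPOLICY /quiet
$sec = @{}
if (Test-Path $cfg) {
    Get-Content $cfg | ForEach-Object {
        if ($_ -match '^\s*(\w+)\s*=\s*(.+?)\s*$') { $sec[$Matches[1]] = $Matches[2] }
    }
    Remove-Item $cfg
}

$explorer = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer'
$system   = 'HKCU:\Software\Policies\Microsoft\Windows\System'
$lsa      = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
$storage  = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\RemovableStorageDevices'
$msi      = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\Installer'
$age      = [int]$sec['MaximumPasswordAge']   # -1 means passwords never expire

# Each entry is $true only when the hardened value is actually configured
$checks = [ordered]@{
    'Control Panel blocked (current user)'  = ((Get-PolicyValue $explorer 'NoControlPanel') -eq 1)
    'LAN Manager hash not stored'           = ((Get-PolicyValue $lsa 'NoLMHash') -eq 1)
    'Command Prompt blocked (current user)' = ((Get-PolicyValue $system 'DisableCMD') -in 1, 2)
    'Removable storage access denied'       = ((Get-PolicyValue $storage 'Deny_All') -eq 1)
    'Windows Installer turned off'          = ((Get-PolicyValue $msi 'DisableMSI') -eq 2)
    'Guest account disabled'                = ($sec['EnableGuestAccount'] -eq '0')
    "Minimum password length >= $MinLen"    = ([int]$sec['MinimumPasswordLength'] -ge $MinLen)
    "Maximum password age 1..$MaxAge days"  = ($age -gt 0 -and $age -le $MaxAge)
    'Anonymous SID/name lookup disabled'    = ($sec['LSAAnonymousNameLookup'] -eq '0')
}

$checks.GetEnumerator() | ForEach-Object {
    [pscustomobject]@{ Setting = $_.Key; Hardened = [bool]$_.Value }
} | Format-Table -AutoSize
```

The HKCU checks reflect only the account running the script, so per-user policies applied to other accounts have to be checked from those accounts.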

Nitesh Malviya is a Security Consultant. He has prior experience in Web Appsec, Mobile Appsec and VAPT. At present he works on IoT, Radio and Cloud Security and is open to exploring various domains of cybersecurity. He can be reached on his personal blog - https://nitmalviya03.wordpress.com/ and LinkedIn - https://www.linkedin.com/in/nitmalviya03/.