The document outlines a series of steps to enforce security policies using Group Policy Management, including password policies, account lockout settings, and restrictions on user updates and remote access. It also details methods to secure USB device access, strengthen user authentication through two-factor authentication, and restrict application installations. Finally, it emphasizes the importance of applying and updating the Group Policy to ensure the settings take effect.

Uploaded by

Ansarkp01
Copyright: All Rights Reserved

1. Enforce Password Policies


Steps:
1. Open Group Policy Management.
2. Create a new GPO (Group Policy Object) or edit an existing one.
3. Navigate to Computer Configuration > Policies > Windows Settings > Security Settings > Account Policies > Password Policy.
4. Set the following:
o Minimum password length: Set to at least 8 characters.
o Password complexity requirements: Enable (Require characters such as uppercase, lowercase, numbers, and symbols).
o Maximum password age: Set to 30-60 days.
o Minimum password age: Set to 1-2 days.
5. Apply the policy to the necessary Organizational Unit (OU) or the whole domain.

2. Lock User Accounts After Failed Login Attempts


Steps:
1. In Group Policy Management, navigate to:
o Computer Configuration > Policies > Windows Settings > Security Settings > Account Policies > Account Lockout Policy.
2. Set the following:
o Account lockout threshold: Set to 3-5 invalid login attempts.
o Account lockout duration: Set to 15-30 minutes.
o Reset account lockout counter after: Set to 15 minutes.
3. Apply the policy to the necessary OU or domain.

3. Disable User Updates


Steps:
1. In Group Policy Management, navigate to:
o Computer Configuration > Administrative Templates > Windows Components > Windows Update.
2. Enable "No auto-restart with logged on users for scheduled automatic updates installations."
3. For Microsoft Store:
o Navigate to User Configuration > Administrative Templates > Windows Components > Store.
o Enable "Turn off the Store application".

4. Restrict Logins Based on Time/IP


Steps:
1. In Group Policy Management, navigate to:
o Computer Configuration > Policies > Windows Settings > Security Settings > Local Policies > User Rights Assignment.
2. Set up Log on locally or Log on through Remote Desktop Services with specific time restrictions.
3. Disable displaying the last logged-in user name:
o Navigate to Computer Configuration > Policies > Administrative Templates > System.
o Enable "Do not display last user name".

5. Enable User Account Control (UAC) for Security


Steps:
1. In Group Policy Management, navigate to:
o Computer Configuration > Policies > Windows Settings > Security Settings > Local Policies > Security Options.
2. Enable "Admin Approval Mode for the Built-in Administrator account".
3. Enable "User Account Control: Behavior of the elevation prompt for administrators" and set to "Prompt for consent".
4. Apply the policy.

6. Link Group Policy to Organizational Unit (OU)


Steps:
1. In Group Policy Management, right-click your domain and select Create a GPO in this domain, and Link it here.
2. Name the GPO (e.g., "Security Policies") and click OK.
3. Right-click the new GPO, select Edit, and configure the security settings as described above.
4. Link the GPO to the desired OU or domain.

7. Restricting Remote Access


Steps:
A. Disable Remote Desktop Access
1. In Group Policy Management, navigate to:
o Computer Configuration > Policies > Administrative Templates > Windows Components > Remote Desktop Services > Remote Desktop Session Host > Connections.
2. Set "Allow users to connect remotely using Remote Desktop Services" to Disabled.
B. Require User Authentication for Remote Access
1. Navigate to:
o Computer Configuration > Policies > Administrative Templates > Windows Components > Remote Desktop Services > Remote Desktop Session Host > Security.
2. Enable "Require user authentication for remote connections by using Network Level Authentication".
C. Restrict Remote Access via VPN
1. Navigate to:
o User Configuration > Administrative Templates > Network > Network Connections.
2. Enable "Prohibit installation of LAN adapters".

8. Secure USB Device Access


Steps:
A. Disable USB Ports
1. In Group Policy Management, navigate to:
o Computer Configuration > Policies > Administrative Templates > System > Removable Storage Access.
2. Enable "All Removable Storage classes: Deny all access".
B. Block USB Devices by Class
1. Enable "Deny write access to USB drives" under the same path.
C. Allow Access for Specific USB Devices
1. Navigate to:
o Computer Configuration > Policies > Administrative Templates > System > Device Installation > Device Installation Restrictions.
2. Enable "Prevent installation of devices that match any of these device IDs".
D. Audit USB Device Usage
1. Navigate to:
o Computer Configuration > Policies > Windows Settings > Security Settings > Advanced Audit Policy Configuration > Object Access > Removable Storage.
2. Enable "Audit Removable Storage".
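Once the GPO has been applied, the UAC, Remote Desktop and removable-storage settings from sections 5, 7 and 8 can be confirmed on a target computer by reading the registry values those policies write. This check is an added example, not part of the original document; the registry paths and value names are the standard Windows locations for these policies and do not appear in the document itself.

```powershell
# Added example: verify policy-backed registry values on a target computer.
# Registry paths and value names are standard Windows locations, not taken from the document.
$ts  = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services'
$uac = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
$usb = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\RemovableStorageDevices'

$checks = @(
    # Section 5: Admin Approval Mode for the built-in Administrator (1 = enabled)
    @{ Section = '5';  Path = $uac; Name = 'FilterAdministratorToken';   Expected = 1 }
    # Section 5: elevation prompt for administrators (4 = Prompt for consent)
    @{ Section = '5';  Path = $uac; Name = 'ConsentPromptBehaviorAdmin'; Expected = 4 }
    # Section 7A: remote connections denied (1 = Remote Desktop disabled)
    @{ Section = '7A'; Path = $ts;  Name = 'fDenyTSConnections';         Expected = 1 }
    # Section 7B: Network Level Authentication required (1 = required)
    @{ Section = '7B'; Path = $ts;  Name = 'UserAuthentication';         Expected = 1 }
    # Section 8A: All Removable Storage classes: Deny all access (1 = enabled)
    @{ Section = '8A'; Path = $usb; Name = 'Deny_All';                   Expected = 1 }
)

$results = foreach ($c in $checks) {
    # A missing key or value means the policy has not reached this computer.
    $item   = Get-ItemProperty -Path $c.Path -Name $c.Name -ErrorAction SilentlyContinue
    $actual = if ($item) { $item.($c.Name) } else { $null }
    [pscustomobject]@{
        Section   = $c.Section
        Value     = $c.Name
        Actual    = if ($null -eq $actual) { '(not set)' } else { $actual }
        Expected  = $c.Expected
        Compliant = ($null -ne $actual) -and ($actual -eq $c.Expected)
    }
}
$results | Format-Table -AutoSize
```

A row showing "(not set)" usually means the GPO is not linked to the OU that contains the computer, or the policy has not refreshed yet.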

9. Strengthen User Authentication


Steps:
A. Implement Two-Factor Authentication (2FA)
1. Use third-party solutions such as Microsoft Authenticator, Duo Security, or Okta.
2. Configure your system to require 2FA during login.
B. Set Account Lockout Policy
1. In Group Policy Management, navigate to:
o Computer Configuration > Policies > Windows Settings > Security Settings > Account Policies > Account Lockout Policy.
2. Set:
o Account lockout threshold: 3-5 failed attempts.
o Account lockout duration: 15-30 minutes.
o Reset account lockout counter after: 15 minutes.

10. Restrict Application and Software Installation


Steps:
A. Block Untrusted Applications
1. In Group Policy Management, navigate to:
o Computer Configuration > Policies > Administrative Templates > Windows Components > Windows Defender SmartScreen.
2. Enable "Configure Windows Defender SmartScreen" and set to "Warn or Block" untrusted applications.
B. Prevent Software Installation
1. Navigate to:
o User Configuration > Administrative Templates > Windows Components > Windows Installer.
2. Enable "Disable Windows Installer".

Final Step: Apply and Update Group Policy
1. Once you've configured the necessary settings, link the GPO to your domain or Organizational Unit (OU).
2. Force a Group Policy update by running gpupdate /force on target computers or wait for the next policy refresh cycle.
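After the refresh, the password and lockout values from sections 1, 2 and 9B can be audited on a target computer by exporting the effective security policy with secedit and comparing it to the ranges given above. This script is an added example, not part of the original document; the scratch file name is an assumption, and the key names are those secedit writes to the [System Access] section of its export.

```powershell
# Added example (not from the original document): audit the effective account policy.
# Run from an elevated PowerShell prompt on a target computer after gpupdate /force.
$cfg = Join-Path $env:TEMP 'secpol-audit.inf'    # scratch file name is an assumption
secedit /export /cfg $cfg /areas SECURITYPOLICY /quiet | Out-Null
if ($LASTEXITCODE -ne 0) { throw "secedit export failed (exit code $LASTEXITCODE); run elevated." }

# Collect numeric "Key = Value" pairs from the [System Access] section of the export.
$policy = @{}
$inSection = $false
foreach ($line in Get-Content -Path $cfg) {
    if ($line -match '^\[(.+)\]\s*$') { $inSection = ($Matches[1] -eq 'System Access'); continue }
    if ($inSection -and $line -match '^\s*(\w+)\s*=\s*(-?\d+)\s*$') { $policy[$Matches[1]] = [int]$Matches[2] }
}
Remove-Item -Path $cfg -Force

# Inclusive ranges taken from sections 1 and 2 of the document.
$baseline = @(
    @{ Key = 'MinimumPasswordLength'; Min = 8;  Max = [int]::MaxValue; Want = 'at least 8' }
    @{ Key = 'PasswordComplexity';    Min = 1;  Max = 1;  Want = '1 (enabled)' }
    @{ Key = 'MaximumPasswordAge';    Min = 30; Max = 60; Want = '30-60 days' }
    @{ Key = 'MinimumPasswordAge';    Min = 1;  Max = 2;  Want = '1-2 days' }
    @{ Key = 'LockoutBadCount';       Min = 3;  Max = 5;  Want = '3-5 attempts' }
    @{ Key = 'LockoutDuration';       Min = 15; Max = 30; Want = '15-30 minutes' }
    @{ Key = 'ResetLockoutCount';     Min = 15; Max = 15; Want = '15 minutes' }
)

$results = foreach ($rule in $baseline) {
    # A key missing from the export (for example lockout values when the
    # threshold is 0) is reported as not set and fails the check.
    $has   = $policy.ContainsKey($rule.Key)
    $value = if ($has) { $policy[$rule.Key] } else { $null }
    [pscustomobject]@{
        Setting   = $rule.Key
        Effective = if ($has) { $value } else { '(not set)' }
        Expected  = $rule.Want
        Compliant = $has -and $value -ge $rule.Min -and $value -le $rule.Max
    }
}
$results | Format-Table -AutoSize
```

The export shows the policy in effect on that computer. A MaximumPasswordAge of -1 (passwords never expire) falls outside the 30-60 day range and is reported as non-compliant.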
