Whether you are an IT administrator or a regular user looking to secure your Windows PC further, these Group Policy Editor tweaks will supercharge your PC’s security.
Note: Group Policy Editor isn’t available in the Windows Home version; you’ll need Windows Pro or Enterprise. You can search for “group policy” in Windows search and click on Edit group policy to open it. If it’s not present, you may have to enable Group Policy Editor.
Secure User Account Control (UAC)
UAC is a Windows security feature to prevent unauthorized changes to your PC. Group Policy Editor offers many tweaks that can control UAC behavior.
In Group Policy Editor, go to Computer Configuration -> Windows Settings -> Security Settings -> Local Policies -> Security Options.
Scroll down to the bottom and adjust the policy setting for each, as listed below, for greater security:
- User Account Control: Admin Approval Mode for the built-in Administrator account: Enabled
- User Account Control: Allow UIAccess applications to prompt for elevation without using the secure desktop: Disabled
- User Account Control: Behavior of the elevation prompt for administrators in Admin Approval Mode: Prompt for consent
- User Account Control: Behavior of the elevation prompt for standard users: Prompt for credentials
- User Account Control: Detect application installations and prompt for elevation: Enabled
- User Account Control: Only elevate executable files that are signed and validated: Enabled
- User Account Control: Only elevate UIAccess applications that are installed in secure locations: Enabled
- User Account Control: Run all administrators in Admin Approval Mode: Enabled
- User Account Control: Switch to the secure desktop when prompting for elevation: Enabled
- User Account Control: Virtualize file and registry write failures to per-user locations: Enabled
After applying the above tweaks, approve UAC prompts more often and possibly provide credentials as well, but it will improve overall security.
Secure Passwords
By default, Windows user account password requirements are quite lenient. Using Local Group Policy Editor, you can enforce rules that will ensure password security.
Go to Computer Configuration -> Windows Settings -> Security Settings -> Account Policies -> Password Policy in Group Policy Editor.
Adjust the following policies, as follows:
- Enforce password history: 8 or above
- Maximum password age: between 30-60 days
- Minimum password length: 12 or more
- Password must meet complexity requirements: Enabled
Disable Guest Account
Although the Windows guest account is disabled by default, someone can turn on the guest account using different methods and get access to your sensitive data. The guest account gives anyone free access to your PC. Even though it offers restricted access, it can still be exploited by malware, or you may accidentally share data with the Everyone group. It’s better to completely disable it in the Group Editor Policy.
Move to Computer Configuration -> Windows Settings -> Security Settings -> Local Policies -> Security Options, and disable Accounts: Guest account status policy.
Enable Account Audit Policies
Enable account audits in Group Policy Editor to record important security information, like file modification, changes to security settings, login attempts, etc. You can use this information to track changes to your PC to ensure there is no unauthorized access or non-user configuration.
In Group Policy Editor, go to Computer Configuration -> Windows Settings -> Security Settings -> Local Policies -> Audit Policy. For all these options here, enable Success and Failure audits.
You can view the generated logs in the Windows Event Viewer. Type “event viewer” in Windows search, and click Event Viewer. Go to Windows Logs -> Security to view the logs.
Clear Virtual Memory on Shutdown
Pagefile (virtual memory) is necessary for your PC to work smoothly. However, it keeps a fragmented record of your data that can be stolen by someone with the right access and tools. If you don’t want to take any risks, automatically delete it whenever you shut down the PC.
Go to Computer Configuration -> Windows Settings -> Security Settings -> Local Policies -> Security Options, and enable Shutdown: Clear virtual memory pagefile policy.
Keep in mind that enabling this policy will add a bit of delay to the shutdown process.
Manage Account Lockout Settings
To prevent unauthorized access attempts, Windows has an account lockout policy that locks your account after multiple incorrect login attempts. However, it’s a bit lenient, so you might want to adjust related Group Policy Editor policies according to your security needs.
To access the lockout policies, navigate to Computer Configuration -> Windows Settings -> Security Settings -> Account Policies -> Account Lockout Policy.
You’ll find four lockout policies to tweak. Tweak them according to your needs. The suggested values below try to strike a balance between strong protection and a smooth user experience:
- Account lockout duration: 30 minutes
- Account lockout threshold: 3 invalid logon attempts
- Allow Administrator account lockout: Enabled
- Reset account lockout counter after: 30 minutes
While all of these Group Policy settings may cause some extra confirmations (like the UAC prompt for opening Task Manager), the security boost outweighs the minor inconvenience. If you don’t like the changes, reset Group Policy Editor.
Image credit: DALL-E. All screenshots by Karrar Haider.
Our latest tutorials delivered straight to your inbox