Windows 7 Forums


Windows 7: Group Policy settings as an extra layer of security?

14 Mar 2017   #1
Win7fuser

The one I am using to register is my Windows 7 Professional x64 one.
 
 
Hi, I would like to *correctly* implement group policy on my computers as an added layer of hurdles that hackers/malware need to jump over.

Yes, I know the principle of least privileges so I run all my owned computers (or at least the computers I have access to) with limited accounts, rather than using admin as my daily beater. I used to run a limited account for Windows XP too, until some programs and games weren't happy about it....so had to revert to and I guess stick with admin account as a beater on that.....

My security programs are Kaspersky Internet Security 2016 (KIS 2016), Malwarebytes AntiMalware, SUPERAntiSpyware, Spybot and SpywareBlaster.

This is what I have so far for my group policy settings:


Anything else I need to add or is everything looking good? Any comments at all either?

Also, I would like it so that I can also apply these settings to all my other computers fine as well, e.g. my other Windows 7 PC, Windows XP box, future Windows 10 PC I guess, etc. Windows 98SE doesn't have group policies does it? :P

So I am looking for a universally fitted policy setting. ☺


14 Mar 2017   #2
akjudge

Windows 7 Professional
 
 

Since I am uneasy coming up with my own group policy rules, I use CryptoPrevent (Foolish IT – Computer Repair Software – PC Tech Utilities – Malware Prevention). It comes in both free and paid versions. Currently, it is running 3500+ group policies to prevent some of the issues you are concerned about.
15 Mar 2017   #3
Alejandro85

Windows 7 Ultimate x64
 
 

The settings you're looking at are called software restriction policies and are an excellent way of improving security, so it allows only specific programs to run. Somewhat painful to set up, but once done it does a great job.

There is no such thing as a "universal" set of rules with software restriction policies. Basically you must apply the same minimum privilege criteria, enable only those things you know you use and disable everything else. Problem with that is that each computer has a different set of software, so each one needs different rules to get optimum security.

As for other computers, XP has the very same option, as does Windows 10. Win98 has almost no security features at all (not even user accounts), much less software restriction policies.

You may also want to explore other options in the group policy, many are very useful, not just for security.

15 Mar 2017   #4
Win7fuser

The one I am using to register is my Windows 7 Professional x64 one.
 
 

Quote: Originally Posted by akjudge
Since I am uneasy coming up with my own group policy rules, I use CryptoPrevent (Foolish IT – Computer Repair Software – PC Tech Utilities – Malware Prevention). It comes in both free and paid versions. Currently, it is running 3500+ group policies to prevent some of the issues you are concerned about.

Ooooh... How restrictive is it? Does it still allow games and *normal* programs to run fine or do I need to configure a whitelist for that too and for each and every single one I want to run....? Because as you can see, as an example on my screen - KF2 doesn't run unless I allow *.TMP files in the temp directory....

Also, how does it compare to what I already have? What am I missing that it has that I don't have? Are they all necessary?

Is there a way for Group Policy (GP) settings to whitelist a specific program rather than me having a universal rule for it? For example, instead of a universal unblock rule for all .TMP files, I can just set it so that ONLY KF2 that uses .TMP files are allowed and the other programs/games (unless I find out), are not allowed? ...because malware *could* still slip through via the .TMP file.....since that's enabled by default......

Quote: Originally Posted by Alejandro85
The settings you're looking at are called software restriction policies and are an excellent way of improving security, so it allows only specific programs to run. Somewhat painful to set up, but once done it does a great job.

There is no such thing as a "universal" set of rules with software restriction policies. Basically you must apply the same minimum privilege criteria, enable only those things you know you use and disable everything else. Problem with that is that each computer has a different set of software, so each one needs different rules to get optimum security.

As for other computers, XP has the very same option, as does Windows 10. Win98 has almost no security features at all (not even user accounts), much less software restriction policies.

You may also want to explore other options in the group policy, many are very useful, not just for security.

Ahh I see....what are your minimum privilege criteria? Do you even use GP as an added layer? What do you think of my current setup? Any comments?

Ah, I can just copy what I have over to the other computers then! Because I basically do the same thing to them as I do to this one; play games, web browse, install stuff, watch stuff....move stuff around.....configure things....

Ok, so how would one keep a Windows 98 machine safe on the internet....? Not that I still have one connected, just curious, that's all.....

Well you know, seeing how it's old and doubtful that hackers would be targeting such an old operating system......so you would figure it would be safe right? Just like running Windows 3.1 or even DOS! Actually, did the internet exist when MS-DOS was around?

Ok so what are your suggestions then, as I've not used any of the other settings....?
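
An added example, not written by any poster in this thread: a read-only PowerShell check that reports whether the software restriction policy is default-deny ("enable only those things you know you use and disable everything else") and lists each path rule, flagging Unrestricted rules that point at user-writable locations or bare extensions such as `*.TMP`. The registry location and the `$UserWritable` pattern are assumptions about a standard Windows SRP setup, and `Get-SrpRule` and `Get-LevelName` are hypothetical helper names.

```powershell
# Added example: read-only audit of Software Restriction Policies (SRP) path rules.
# Assumption: policy is stored under the standard Safer\CodeIdentifiers keys below.
$SrpKeys = @(
    'HKLM:\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers',
    'HKCU:\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers'
)
$LevelName = @{ 0 = 'Disallowed'; 131072 = 'Basic User'; 262144 = 'Unrestricted' }
# Heuristic (assumption): places a limited account can usually write to,
# plus bare-extension rules such as *.tmp that match in every folder.
$UserWritable = '(?i)%(temp|tmp|appdata|localappdata|userprofile)%|\\Users\\|\\Temp\\|^\*\.'

function Get-LevelName([int]$Level) {
    if ($LevelName.ContainsKey($Level)) { $LevelName[$Level] } else { "Level $Level" }
}

function Get-SrpRule {
    foreach ($root in $SrpKeys) {
        if (-not (Test-Path $root)) { continue }
        foreach ($levelKey in Get-ChildItem $root) {
            $level = 0
            # Rule subkeys are named after the numeric security level (0, 262144, ...).
            if (-not [int]::TryParse($levelKey.PSChildName, [ref]$level)) { continue }
            $pathsKey = Join-Path $levelKey.PSPath 'Paths'
            if (-not (Test-Path $pathsKey)) { continue }
            foreach ($rule in Get-ChildItem $pathsKey) {
                $target = [string](Get-ItemProperty $rule.PSPath).ItemData
                New-Object PSObject -Property @{
                    Scope = $root.Substring(0, 4)
                    Level = (Get-LevelName $level)
                    Path  = $target
                    # An allow rule in a user-writable place lets anything dropped there run.
                    Risky = ($level -eq 262144 -and $target -match $UserWritable)
                }
            }
        }
    }
}

foreach ($root in $SrpKeys) {
    if (-not (Test-Path $root)) { "{0}: no SRP policy configured" -f $root; continue }
    $default = (Get-ItemProperty $root).DefaultLevel
    if ($null -eq $default) { "{0}: DefaultLevel not set" -f $root; continue }
    # Disallowed = allowlist (default deny); Unrestricted = blocklist only.
    "{0}: default level is {1}" -f $root, (Get-LevelName $default)
}
Get-SrpRule | Sort-Object Risky -Descending | Format-Table Scope, Level, Risky, Path -AutoSize
```

Hash and certificate rules are not listed by this script. A path rule flagged `Risky` is a candidate for narrowing to a full file path or replacing with a hash rule for the specific program.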