GPO Hardening: Practical guide for SMEs and admins

Why is GPO hardening important for Swiss companies?

Cyberattacks are increasingly putting small and medium-sized enterprises (SMEs) at risk. System configuration errors - especially in Active Directory (AD) environments - are often the cause of incidents. As an IT service provider in Amriswil and beyond, we see that those who do not specifically harden their systems open the door to hackers. With Group Policy Objects (GPOs), Windows networks can be secured easily and effectively - provided that the most important settings are implemented and tested in advance.

The most important GPO settings for more security

Below we present tried-and-tested GPO measures that any IT department can test and roll out immediately.

1. User Account Control (UAC)

Why? UAC protects against accidental execution of programs with administrator rights - a common attack vector for ransomware infections.

Recommended settings:

  • Admin Approval Mode for the built-in Administrator account: Enabled
  • Only elevate UIAccess applications that are installed in secure locations: Enabled
  • Behavior of the elevation prompt for administrators: Prompt for consent on the secure desktop
  • Behavior of the elevation prompt for standard users: Automatically deny elevation requests

Practical tip: Introduce a pilot group to test the settings.

2. LDAP and SMB signing

Why? These functions prevent manipulation and interception of authentication data in the network.

LDAP signing:

  • Domain controller: Require signing
  • Clients: Require signing
  • Channel binding token: Always

SMB signing:

  • Server & clients: Digital signature always required

Note: Check compatibility with old systems.

3. Secure authentication protocols

NTLMv2 Only:

  • LAN Manager authentication level: Accept only NTLMv2; refuse the obsolete protocols (LM, NTLM)
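The settings in sections 1 to 3 all end up as registry values on the client or domain controller, so the pilot-group test can be automated. The following script is an added example and not part of the original article: it reads the effective values after a policy refresh and reports every deviation from the recommended value. The policy-to-registry mappings are the standard ones documented for these policies; the DomainRole check is used to skip the NTDS (server-side LDAP) values on machines that are not domain controllers.

```powershell
# Added example (not from the original article): audit a machine's effective registry
# values for the UAC, LDAP/SMB signing and NTLM settings of sections 1 to 3.
# Run in an elevated PowerShell after "gpupdate /force". Checks with Scope 'DC'
# only apply to domain controllers and are skipped elsewhere.

function New-Check([string]$Name, [string]$Scope, [string]$Path, [string]$Value, [int]$Expected) {
    [pscustomobject]@{ Name = $Name; Scope = $Scope; Path = $Path; Value = $Value; Expected = $Expected }
}

$uac = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
$checks = @(
    # 1. User Account Control
    New-Check 'UAC: Admin Approval Mode for the built-in Administrator account' 'All' $uac 'FilterAdministratorToken'  1
    New-Check 'UAC: Only elevate UIAccess applications from secure locations'   'All' $uac 'EnableSecureUIAPaths'       1
    New-Check 'UAC: Admin elevation prompt = consent on the secure desktop'     'All' $uac 'ConsentPromptBehaviorAdmin' 2
    New-Check 'UAC: Standard-user elevation prompt = automatically deny'        'All' $uac 'ConsentPromptBehaviorUser'  0
    # 2. LDAP signing (the server side exists only on DCs) and SMB signing
    New-Check 'LDAP server signing requirements = Require signing' 'DC'  'HKLM:\SYSTEM\CurrentControlSet\Services\NTDS\Parameters' 'LDAPServerIntegrity'       2
    New-Check 'LDAP channel binding token requirements = Always'   'DC'  'HKLM:\SYSTEM\CurrentControlSet\Services\NTDS\Parameters' 'LdapEnforceChannelBinding' 2
    New-Check 'LDAP client signing requirements = Require signing' 'All' 'HKLM:\SYSTEM\CurrentControlSet\Services\LDAP'            'LDAPClientIntegrity'       2
    New-Check 'SMB server: digitally sign communications (always)' 'All' 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters'      'RequireSecuritySignature' 1
    New-Check 'SMB client: digitally sign communications (always)' 'All' 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanWorkstation\Parameters' 'RequireSecuritySignature' 1
    # 3. NTLMv2 only; refuse LM and NTLM
    New-Check 'LAN Manager authentication level = NTLMv2 only, refuse LM & NTLM' 'All' 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa' 'LmCompatibilityLevel' 5
)

# DomainRole 4 = backup domain controller, 5 = primary domain controller
$isDc = (Get-CimInstance Win32_ComputerSystem).DomainRole -ge 4

$results = foreach ($c in $checks) {
    if ($c.Scope -eq 'DC' -and -not $isDc) { continue }
    $actual = (Get-ItemProperty -Path $c.Path -Name $c.Value -ErrorAction SilentlyContinue).($c.Value)
    [pscustomobject]@{
        Setting  = $c.Name
        Expected = $c.Expected
        # An absent value means the OS default applies; report it for review rather
        # than assuming the default equals the hardened value.
        Actual   = if ($null -eq $actual) { '<not set>' } else { $actual }
        Status   = if ($actual -eq $c.Expected) { 'OK' } else { 'REVIEW' }
    }
}

$results | Format-Table -AutoSize

# A non-zero exit code lets the script run as a scheduled compliance job
if ($results.Status -contains 'REVIEW') { exit 1 }
```

Run it on one pilot machine of each type (client, member server, domain controller) before and after linking the GPO; a row that stays at REVIEW after the refresh usually means the GPO is not linked to that OU or is being overridden by a higher-precedence policy.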

Consistently avoid cpassword!

  • Do not store any passwords in GPOs or Group Policy Preferences (GPP).
  • Use Microsoft LAPS instead to manage local administrator passwords.
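Passwords stored in Group Policy Preferences end up as a cpassword attribute in XML files under SYSVOL, readable by every domain user. The script below is an added example and not part of the original article: it walks the Policies share, reports every preference file that still carries such an attribute, and maps the GPO GUID in the path back to the GPO's display name. It needs read access to SYSVOL and the ActiveDirectory and GroupPolicy RSAT modules.

```powershell
# Added example (not from the original article): find Group Policy Preference XML
# files in SYSVOL that still contain a cpassword attribute.
Import-Module ActiveDirectory
Import-Module GroupPolicy

$domain = (Get-ADDomain).DNSRoot
$sysvol = "\\$domain\SYSVOL\$domain\Policies"

# Credentials can only appear in preference files below Machine\Preferences or User\Preferences
$hits = Get-ChildItem -Path $sysvol -Recurse -Filter *.xml -ErrorAction SilentlyContinue |
    Where-Object { $_.FullName -match '\\(Machine|User)\\Preferences\\' } |
    Select-String -Pattern 'cpassword="[^"]+"' -List |
    ForEach-Object {
        # The GPO's GUID is the folder name directly below Policies
        $gpoGuid = [regex]::Match($_.Path, '\{[0-9A-Fa-f-]{36}\}').Value
        $gpoName = '<unknown>'
        try { $gpoName = (Get-GPO -Guid $gpoGuid.Trim('{}') -ErrorAction Stop).DisplayName } catch { }
        [pscustomobject]@{
            GPO  = $gpoName
            Guid = $gpoGuid
            File = $_.Path.Substring($sysvol.Length)
            Line = $_.LineNumber
        }
    }

if ($hits) {
    Write-Warning "$(@($hits).Count) GPP file(s) with cpassword found. Remove the credential from the GPP, reset the affected account, and manage the password with LAPS."
    $hits | Format-Table -AutoSize
} else {
    'No cpassword entries found in SYSVOL.'
}
```

Deleting the XML entry alone is not enough: the password was exposed to every domain member while the file existed, so the account it belongs to must be reset as well.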

4. Strong password policies

Recommended:

  • Password length: At least 10 characters when 2FA is in use
  • Check complexity rules individually; alternatively, banned-password lists (blacklists) are only worthwhile with Azure AD

Resource: The CIS Password Policy Guide provides further details depending on the use case.
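Because fine-grained password policies (PSOs) override the default domain policy for the users they apply to, checking only the Default Domain Policy can miss a weaker setting. The following script is an added example and not from the original article: it lists the default policy and every PSO side by side and flags those that fall below the article's 10-character floor or have complexity turned off. It requires the ActiveDirectory RSAT module.

```powershell
# Added example (not from the original article): compare the domain's effective
# password policies with the recommendations of section 4.
Import-Module ActiveDirectory

$MinLength = 10   # the article's floor for environments with 2FA; adjust as needed

function Test-PasswordPolicy {
    param($Policy, [string]$Name)
    [pscustomobject]@{
        Policy        = $Name
        AppliesTo     = if ($Policy.AppliesTo) { $Policy.AppliesTo -join ', ' } else { 'whole domain' }
        MinLength     = $Policy.MinPasswordLength
        LengthOK      = $Policy.MinPasswordLength -ge $MinLength
        Complexity    = $Policy.ComplexityEnabled
        History       = $Policy.PasswordHistoryCount
        MaxAgeDays    = $Policy.MaxPasswordAge.Days
        # Reversible encryption stores passwords recoverably; it must stay disabled
        ReversibleEnc = $Policy.ReversibleEncryptionEnabled
    }
}

$rows = @()
$rows += Test-PasswordPolicy -Policy (Get-ADDefaultDomainPasswordPolicy) -Name 'Default Domain Policy'

# PSOs win over the default for their members; a lower Precedence value wins between PSOs
foreach ($pso in Get-ADFineGrainedPasswordPolicy -Filter *) {
    $rows += Test-PasswordPolicy -Policy $pso -Name "PSO: $($pso.Name) (precedence $($pso.Precedence))"
}

$rows | Format-Table -AutoSize

$rows | Where-Object { -not $_.LengthOK -or -not $_.Complexity -or $_.ReversibleEnc } |
    ForEach-Object { Write-Warning "Review policy '$($_.Policy)': length $($_.MinLength), complexity $($_.Complexity), reversible encryption $($_.ReversibleEnc)" }
```

The AppliesTo column shows which groups or users a PSO targets, which is where a long-forgotten exception for a service account usually turns up.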

5. Secure remote connections & RDP

  • Remote Credential Guard: Enable from Windows 10/Server 2016 onward; protects login credentials during RDP access
  • NLA (Network Level Authentication): Allow RDP access only after successful authentication
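The two RDP settings can be deployed as a small dedicated GPO that is first linked only to the pilot OU, as the practical tip in section 1 suggests. The script below is an added example and not part of the original article; the GPO name and the OU path are assumptions to be replaced with your own. It writes the NLA policy value and the host-side prerequisite for Remote Credential Guard (DisableRestrictedAdmin = 0) with Set-GPRegistryValue from the GroupPolicy RSAT module. The client-side setting "Restrict delegation of credentials to remote servers" is an Administrative Template (Credentials Delegation) and is configured in the same GPO through the Group Policy Management Editor.

```powershell
# Added example (not from the original article): create a GPO for the RDP settings of
# section 5 and link it to a pilot OU. Requires the GroupPolicy RSAT module.
Import-Module GroupPolicy

$GpoName = 'SEC - RDP Hardening'                            # assumed name
$PilotOU = 'OU=Pilot,OU=Workstations,DC=example,DC=ch'      # assumed OU; adjust to your domain

$gpo = Get-GPO -Name $GpoName -ErrorAction SilentlyContinue
if (-not $gpo) {
    $gpo = New-GPO -Name $GpoName -Comment 'RDP: NLA required; Remote Credential Guard host prerequisite'
}

# NLA: policy "Require user authentication for remote connections by using
# Network Level Authentication" = Enabled
Set-GPRegistryValue -Name $GpoName `
    -Key 'HKLM\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services' `
    -ValueName 'UserAuthentication' -Type DWord -Value 1 | Out-Null

# Remote Credential Guard: the RDP host must allow Restricted Admin / RCG connections.
# The client-side "Restrict delegation of credentials to remote servers" setting is
# configured in this GPO's Credentials Delegation template via the GPMC editor.
Set-GPRegistryValue -Name $GpoName `
    -Key 'HKLM\SYSTEM\CurrentControlSet\Control\Lsa' `
    -ValueName 'DisableRestrictedAdmin' -Type DWord -Value 0 | Out-Null

# Link to the pilot OU only; extend the link scope after the pilot phase
$linked = (Get-GPInheritance -Target $PilotOU).GpoLinks.DisplayName -contains $GpoName
if (-not $linked) {
    New-GPLink -Name $GpoName -Target $PilotOU -LinkEnabled Yes | Out-Null
}

# Verification on a pilot machine after "gpupdate /force" (expected value: 1):
# (Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp').UserAuthentication
```

Clients that cannot perform NLA (very old RDP clients) will be refused after this GPO applies, which is exactly the compatibility case the pilot phase is meant to surface.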

6. Logging and auditing

Security logs:

  • Size the log sufficiently (target: a 3-month log archive)
  • Define an audit policy: Which events (changes to AD, network access, PowerShell activity) must be documented?

PowerShell Script Block Logging:

  • Enable it via GPO so that the executed PowerShell commands are recorded in the event log
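Whether the Security log really holds three months depends on the daily event volume, which varies per machine. The script below is an added example and not from the original article: it estimates the daily volume from the current log, compares it with the configured maximum size, shows the audit subcategories that cover the three areas named above, and confirms that script block logging is both configured and actually producing events (event ID 4104 in the PowerShell operational log). The subcategory names are the English ones; on a German Windows installation the auditpol output is localized and the pattern must be adapted.

```powershell
# Added example (not from the original article): check the three points of section 6
# on a single machine. Run in an elevated PowerShell.

# (a) Security log sizing: estimate the daily volume from what the log currently holds.
#     The estimate is rough right after the log was cleared or on a freshly built machine.
$log     = Get-WinEvent -ListLog Security
$oldest  = (Get-WinEvent -LogName Security -Oldest -MaxEvents 1).TimeCreated
$days    = [math]::Max(1, ((Get-Date) - $oldest).TotalDays)
$dailyMB = [math]::Round(($log.FileSize / 1MB) / $days, 1)
$needMB  = [math]::Ceiling($dailyMB * 90)         # article's target: about 3 months
[pscustomobject]@{
    MaxSizeMB    = [math]::Round($log.MaximumSizeInBytes / 1MB)
    LogMode      = $log.LogMode                   # Circular = oldest events are overwritten
    ObservedDays = [math]::Round($days, 1)
    DailyMB      = $dailyMB
    NeededFor90d = $needMB
    Sufficient   = ($log.MaximumSizeInBytes / 1MB) -ge $needMB
} | Format-List

# (b) Audit policy: subcategories covering AD changes, network access and process/PowerShell activity
$wanted = 'Directory Service Changes', 'Logon', 'Process Creation', 'Audit Policy Change'
auditpol /get /category:* | Select-String -Pattern ($wanted -join '|')

# (c) Script block logging: policy value plus the most recent recorded script blocks
$sbl = Get-ItemProperty 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\PowerShell\ScriptBlockLogging' -ErrorAction SilentlyContinue
"ScriptBlockLogging policy: $(if ($sbl.EnableScriptBlockLogging -eq 1) { 'Enabled' } else { 'NOT enabled' })"
Get-WinEvent -FilterHashtable @{ LogName = 'Microsoft-Windows-PowerShell/Operational'; Id = 4104 } -MaxEvents 5 -ErrorAction SilentlyContinue |
    # Properties[2] of a 4104 event is the script block text; show its first line only
    Select-Object TimeCreated, @{ n = 'ScriptBlock'; e = { ($_.Properties[2].Value -split "`n")[0] } }
```

If Sufficient is False, raise the maximum size in the GPO (Computer Configuration, Administrative Templates, Windows Components, Event Log Service, Security) or forward the log to a central collector so that retention no longer depends on the local file size.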

7. Protect device access and AD objects

  • Add devices: Only administrators are allowed to add new devices to the domain.
  • LLMNR/NetBIOS & WPAD: Disable these unnecessary protocols to minimize attack surfaces such as relay/phishing.

Further resources

CIS Benchmarks
Microsoft Security Baselines
Microsoft LAPS
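For the two points of section 7, the following script is an added example and not part of the original article. It checks the domain-level attribute ms-DS-MachineAccountQuota (by default any authenticated user may join up to 10 computers; 0 leaves the "Add workstations to domain" user right, granted via GPO, as the only way in), the LLMNR policy value, the per-interface NetBIOS setting, and the state of the WinHTTP proxy auto-discovery service. Part (a) needs the ActiveDirectory RSAT module; the rest runs on any domain-joined machine.

```powershell
# Added example (not from the original article): verify the settings of section 7.
# Run in an elevated PowerShell after "gpupdate /force".
Import-Module ActiveDirectory

function New-Row([string]$Check, $Actual, $Expected) {
    [pscustomobject]@{
        Check = $Check; Actual = $Actual; Expected = $Expected
        Status = if ("$Actual" -eq "$Expected") { 'OK' } else { 'REVIEW' }
    }
}

$rows = @()

# (a) Adding devices: with the quota at 0, only accounts holding the
#     "Add workstations to domain" user right can join computers.
$domainDn = (Get-ADDomain).DistinguishedName
$quota = (Get-ADObject -Identity $domainDn -Properties 'ms-DS-MachineAccountQuota').'ms-DS-MachineAccountQuota'
$rows += New-Row 'ms-DS-MachineAccountQuota' $quota 0

# (b) LLMNR: policy "Turn off multicast name resolution" writes EnableMulticast = 0
$llmnr = (Get-ItemProperty 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\DNSClient' -ErrorAction SilentlyContinue).EnableMulticast
$rows += New-Row 'LLMNR disabled (EnableMulticast)' $llmnr 0

# (c) NetBIOS over TCP/IP is set per interface: NetbiosOptions 2 = disabled
#     (0 = use the DHCP-provided setting, 1 = enabled)
foreach ($nic in Get-ChildItem 'HKLM:\SYSTEM\CurrentControlSet\Services\NetBT\Parameters\Interfaces') {
    $opt = (Get-ItemProperty $nic.PSPath).NetbiosOptions
    $rows += New-Row "NetBIOS disabled on $($nic.PSChildName)" $opt 2
}

# (d) WPAD: with the WinHTTP Web Proxy Auto-Discovery service disabled, the machine
#     no longer searches the network for a proxy configuration
$wpad = Get-Service -Name WinHttpAutoProxySvc -ErrorAction SilentlyContinue
$rows += New-Row 'WPAD service (WinHttpAutoProxySvc) disabled' "$($wpad.StartType)" 'Disabled'

$rows | Format-Table -AutoSize
if ($rows.Status -contains 'REVIEW') { exit 1 }
```

Interfaces that were added after the GPO applied (a new VPN adapter, for example) show up as REVIEW rows in part (c) until the policy refreshes, which is a useful reminder that per-interface settings need a GPO rather than a one-off script.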

Conclusion

The hardening concept with GPOs should never be seen as a disruptive additional task, but as an essential part of any IT strategy - especially for growing Swiss SMEs. Step by step, with tests and tried-and-tested settings, security can be raised to a new level. Do you have questions about practical implementation? Get in touch with us - Your A BOT GmbH team from Amriswil will be happy to advise you!