
Group Policy: Microsoft Network Server Security Options

Much like client communications, server communications should also be considered when implementing group policy configurations. These configurations will mitigate certain attack vectors that face unsecured communications.

Notice: Before you begin, ensure that this article is relevant to your organization and to the Windows version you're managing. This article is applicable up to Windows 20.04 and is meant to remain in line with how the Group Policy editor is laid out.

The following group policy options are located in the following area: Computer Configuration > Policies > Windows Settings > Security Settings > Local Policies > Security Options

Amount of idle time required before suspending session

Windows Description: This security setting determines the amount of continuous idle time that must pass in a Server Message Block (SMB) session before the session is suspended due to inactivity.

Recommended Configuration: 15 Seconds or Fewer.

Rationale: There are two reasons this configuration is good. First, these connections consume computing power and shouldn't be left running for a long time if no one is using them. Second, an attacker could establish numerous sessions to cause a slowdown or even a Denial of Service (DoS).

Digitally sign communications (always)

Windows Description: This security setting determines whether packet signing is required by the SMB server component.

Recommended Configuration: Enabled.

Rationale: This configuration protects against session hijacking attempts that steal, interrupt, or even end a connection session, by always signing communications.


Digitally sign communications (if client agrees)

Windows Description: This security setting determines whether the SMB server will negotiate SMB packet signing with clients that request it.

Recommended Configuration: Enabled.

Rationale: This configuration protects against session hijacking attempts that steal, interrupt, or even end a connection session, by digitally signing communications whenever the client supports it.

Disconnect clients when logon hours expire

Windows Description: This security setting determines whether to disconnect users who are connected to the local computer outside their user account’s valid logon hours. This setting affects the Server Message Block (SMB) component.

Recommended Configuration: Enabled.

Rationale: If logon hours are configured, users do not need access outside those hours; therefore, their sessions should be disconnected once the logon window closes.


Server SPN target name validation level

Windows Description: This policy setting controls the level of validation a computer with shared folders or printers (the server) performs on the service principal name (SPN) that is provided by the client computer when it establishes a session using the server message block (SMB) protocol.

Recommended Configuration: Accept if provided by client, or a more restrictive option.

Rationale: This configuration protects against computer identity spoofing by ensuring that a given computer is actually that computer.

Note: It is crucial to test this configuration in your environment and confirm that it works before implementing it in production.
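The five settings above are all written by Group Policy into the LanmanServer service parameters in the registry, so a server's effective state can be audited without opening the policy editor. The script below is an added example for this article, not code from the original post or from Microsoft; it assumes it is run in an elevated PowerShell session on the server being checked, and that the value names under HKLM\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters are the ones Group Policy populates for these options (AutoDisconnect is stored in minutes). The expected values mirror the recommendations in this article.

```powershell
# Added example (not from the original article): audit the "Microsoft network server"
# security options on the local machine by reading the LanmanServer registry values
# that Group Policy populates. Run in an elevated PowerShell session on the server.
# Assumption: the key path and value names below are the LanmanServer parameters
# these policies write; an absent value means the policy has never been applied
# and the operating-system default is in effect.

$key = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters'

# Each check pairs a registry value with its policy name, the expected setting,
# and a scriptblock that returns $true when the value is compliant.
$checks = @(
    @{ Name   = 'AutoDisconnect'
       Policy = 'Amount of idle time required before suspending session'
       Expect = '15 or fewer (stored in minutes)'
       Test   = { param($v) ($null -ne $v) -and ($v -le 15) } },
    @{ Name   = 'RequireSecuritySignature'
       Policy = 'Digitally sign communications (always)'
       Expect = '1 (Enabled)'
       Test   = { param($v) $v -eq 1 } },
    @{ Name   = 'EnableSecuritySignature'
       Policy = 'Digitally sign communications (if client agrees)'
       Expect = '1 (Enabled)'
       Test   = { param($v) $v -eq 1 } },
    @{ Name   = 'EnableForcedLogoff'
       Policy = 'Disconnect clients when logon hours expire'
       Expect = '1 (Enabled)'
       Test   = { param($v) $v -eq 1 } },
    @{ Name   = 'SmbServerNameHardeningLevel'
       Policy = 'Server SPN target name validation level'
       Expect = '1 (Accept if provided by client) or 2 (Required from client)'
       Test   = { param($v) ($null -ne $v) -and ($v -ge 1) } }
)

# Read every value under the key once; missing values come back as $null.
$props = Get-ItemProperty -Path $key -ErrorAction Stop

foreach ($c in $checks) {
    $value = $props.($c.Name)
    $ok    = & $c.Test $value
    [pscustomobject]@{
        Policy   = $c.Policy
        Value    = if ($null -eq $value) { '<not set>' } else { $value }
        Expected = $c.Expect
        Status   = if ($ok) { 'COMPLIANT' } else { 'REVIEW' }
    }
}
```

Pipe the output to Format-Table for a quick report, or to Export-Csv when auditing many servers through Invoke-Command. On Windows Server 2012 and later, Get-SmbServerConfiguration exposes the same state (RequireSecuritySignature, EnableSecuritySignature, EnableForcedLogoff, AutoDisconnectTimeout and SmbServerNameHardeningLevel) and is a useful cross-check that the registry values have actually been picked up by the SMB server. Remediate through the Group Policy object rather than by editing the registry directly, since the next policy refresh will overwrite local changes.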



Sources:

These configurations were established with the help of the following sources:

SANS Sample Policies

CIS Controls

Tech Republic Sample Policies
