Group Policy Windows Server

Group Policy: System Objects Security Options

System Objects are the backbone of domain administration and day-to-day end-user activities. It is crucial to secure these so that the domain users are not ticked, and that Discretionary Access Control Lists (DACL) are in a more secure state.

Notice: Before you begin, ensure that this article is relevant to your organization and the Windows version you’re managing. This article is applicable up to Windows 20.04 and meant to remain in-line with how the group policy editor is laid-out.

The following group policy options are located in the following area: Computer Configuration > Policies > Windows Settings > Security Settings > Local Policies > Security Options

Require case insensitivity for non-Windows subsystems

Windows Description: This security setting determines whether case insensitivity is enforced for all subsystems. The Win32 subsystem is case insensitive. However, the kernel supports case sensitivity for other subsystems, such as POSIX.

Recommended Configuration: Enabled.

Rationale: Malicious users can trick end-users into running a different program (Win32 Tools) by renaming a system process with different case sensitivity.

Strengthen default permissions of internal system objects (e.g. Symbolic Links)

Windows Description: Active Directory maintains a global list of shared system resources, such as DOS device names, mutexes, and semaphores. In this way, objects can be located and shared among processes. Each type of object is created with a default DACL that specifies who can access the objects and what permissions are granted.

Recommended Configuration: Enabled.

Rationale: This configuration is the default behavior but will ensure that DACL permissions are inherently more robust.

(adsbygoogle = window.adsbygoogle || []).push({});
Affiliate Links:

Looking to take your web browsing privacy more seriously? Use my referral link to download brave browser and start browsing without ads and trackers:

Other Articles:

Find other Windows Server Blogs here.


These configurations were established with the help from the following sources:

SANS Sample Policies: Click Here.

CIS Controls: Click Here.

Tech Republic Sample Policies: Click Here.

(adsbygoogle = window.adsbygoogle || []).push({});

Leave a Reply

Your email address will not be published. Required fields are marked *