Updated: 10/8/15

I find that I tend to live inside Group Policy Management these days: instead of resolving issues one machine at a time, I look at the top and work my way down. Your typical Windows domain is not optimized for performance and security as much as it should be. But as many of you know, a Windows domain is organic and always changing as the demands of the network change and grow. I feel the same mentality should apply to tweaking Group Policy settings for security and performance.

I’ve decided to compile the settings I tweak to get the most security and performance out of a Windows Server/desktop environment. The following items are what I do, and I find they do the best at what I look for in my environment: security and performance.

Note: GPOs don’t always apply immediately. To force them, run ‘gpupdate /force’ from an elevated command prompt. The GPOs then apply to the computer you executed the command from.

NOTE: the dam content won’t indent correctly with the bullets below. 😛

=========================================================================================

Security:

The following settings can be found in this location: Computer Configuration > Windows Settings > Security Settings

  • 1. Rename the local administrator account.
  • 2. Disable the guest user account.
  • 3. Disable NT LAN Manager v1.
  • 4. Disable LAN Manager.
  • 5. Disable LAN Manager hash storage.
  • 6. Force prompt of UAC with administrative privileges for all modifications to the system.
  • 7. Minimum password length. (10 characters plus special characters)
  • 8. Maximum Password Age. (60 days)
  • 9. Audit policy event logging. (Success and Failure)

The following setting resides in this location: Computer Configuration > Administrative Templates > Windows Components > Windows Installer

  • 1. Disable Windows Installer. (option: Always)

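Once the GPO has had time to apply, it is worth confirming on a host that the settings above actually landed. The following read-only audit script is an added example, not part of the original post; it assumes the "always prompt" UAC setting means EnableLUA 1 with ConsentPromptBehaviorAdmin 1 or 2, "disable NTLMv1 and LM" means LmCompatibilityLevel 5, and Installer "Always" means DisableMSI 2. Item 9 (audit policy) is left to ‘auditpol /get /category:*’ because its output is locale-dependent.

```powershell
# Added example, not from the original post: read-only audit of the Security settings
# above, to confirm the GPO actually applied on a host. Run in an elevated PowerShell
# (works on PowerShell 2.0, i.e. Windows 7 / Server 2008 R2). Assumptions: "always
# prompt" UAC = EnableLUA 1 with ConsentPromptBehaviorAdmin 1 or 2; "disable NTLMv1
# and LM" = LmCompatibilityLevel 5; Installer "Always" = DisableMSI 2.
function Get-RegValue($Path, $Name) {
    $item = Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue
    if ($item) { return $item.$Name } else { return $null }
}
$results = @()
function Add-Check($Setting, $Actual, $Ok) {
    $script:results += New-Object PSObject -Property @{
        Setting = $Setting; Actual = $Actual; Status = $(if ($Ok) { 'OK' } else { 'REVIEW' }) }
}
# 1-2. Find the built-in accounts by RID (500 = Administrator, 501 = Guest) so the
# check still works after the Administrator account has been renamed.
$local = Get-WmiObject Win32_UserAccount -Filter "LocalAccount=True"
$admin = $local | Where-Object { $_.SID -like '*-500' }
$guest = $local | Where-Object { $_.SID -like '*-501' }
Add-Check 'Administrator renamed' $admin.Name ($admin.Name -ne 'Administrator')
Add-Check 'Guest disabled' $guest.Disabled ($guest.Disabled -eq $true)
# 3-5. LM / NTLMv1 and LM hash storage (Lsa values written by Security Options).
$lsa = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
$lm = Get-RegValue $lsa 'LmCompatibilityLevel'
Add-Check 'LmCompatibilityLevel (5 = NTLMv2 only, refuse LM and NTLM)' $lm ($lm -eq 5)
$noLm = Get-RegValue $lsa 'NoLMHash'
Add-Check 'NoLMHash' $noLm ($noLm -eq 1)
# 6. UAC elevation prompt for administrators.
$pol = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
$lua = Get-RegValue $pol 'EnableLUA'
$cpba = Get-RegValue $pol 'ConsentPromptBehaviorAdmin'
Add-Check 'UAC prompt (EnableLUA=1, ConsentPromptBehaviorAdmin 1 or 2)' "$lua / $cpba" ($lua -eq 1 -and ((1, 2) -contains $cpba))
# 7-8. Password policy, read from the effective local security database via secedit.
$cfg = Join-Path $env:TEMP 'secpol-audit.inf'
secedit /export /cfg $cfg /areas SECURITYPOLICY | Out-Null
$sec = Get-Content $cfg; Remove-Item $cfg
$minLen = [int](($sec | Select-String '^MinimumPasswordLength\s*=\s*(\d+)').Matches[0].Groups[1].Value)
$maxAge = [int](($sec | Select-String '^MaximumPasswordAge\s*=\s*(-?\d+)').Matches[0].Groups[1].Value)
Add-Check 'Minimum password length (>= 10)' $minLen ($minLen -ge 10)
Add-Check 'Maximum password age (1-60 days; -1 = never expires)' $maxAge ($maxAge -ge 1 -and $maxAge -le 60)
# Windows Installer turned off (policy option "Always").
$msi = Get-RegValue 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\Installer' 'DisableMSI'
Add-Check 'Windows Installer disabled (DisableMSI=2)' $msi ($msi -eq 2)
$results | Format-Table Setting, Actual, Status -AutoSize
```

Any row marked REVIEW means the host's effective setting differs from the list above, which usually points at GPO precedence or a client that has not refreshed yet.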
=========================================================================================

Performance:

1. Disable unneeded Windows services. The following services can be disabled safely and will not materially affect the operational status of Windows. This applies to Windows 7, 8, and Windows Server 2008, 2008 R2, 2012, and 2012 R2.

  • 1. Diagnostic Policy and Diagnostic System Host Services – Detect problems, troubleshoot, and present known resolutions for Windows components. If no further problems are expected, it is safe to disable these services.
  • 2. Tablet PC Input Service – Enables Tablet PC and ink functionality. If the computer is not a Tablet PC, it is safe to disable the service.
  • 3. Windows Defender – Additional scanning software for unwanted and malicious software. When Windows Defender is turned off (Control Panel > Windows Defender > Tools > Options > Administrator), the startup type is set to Manual automatically. If this service is disabled, Windows Defender can no longer be opened from the Control Panel!
  • 4. Windows Media Player Network Sharing Service – If sharing Windows Media Player libraries is not desired, it is safe to disable this service.
  • 5. Adobe Acrobat Update Service – Updates Adobe Acrobat on a weekly basis. This can seem fine, but if you run into software compatibility issues you’ll wish you had disabled this service. This can be disabled on a case-by-case basis.
  • 6. IP Helper – Support for IPv6 connectivity over an IPv4 network. IPv6 makes it possible to give every computer connected to the internet a unique IP address instead of sharing one single IP address for the internet connection (where the router uses private addresses for home use). IPv6 has advantages (and disadvantages), but at the moment not many providers support it. If IPv6 is not supported or used, disable the service for security reasons.
  • 7. Windows Biometric Service – Used for capturing, comparing, manipulating, and storing biometric data (such as fingerprints or iris scans).
  • 8. Offline Files – Makes network shares available even when the share is offline. Edited files are synchronized automatically the next time the network share becomes available. If this option is not desired, it is better to disable this service.
  • 9. Remote Registry – Allows remote users to change registry keys over the network connection. This option is not safe, so it is better to disable it.
  • 10. Network Access Protection Agent – The Network Access Protection (NAP) agent service collects and manages health information for client computers on a network. Information collected by the NAP agent is used to make sure the client computer has the required software and settings. If a client computer is not compliant with health policy, it can be given restricted network access until its configuration is updated. Depending on the health policy configuration, client computers might be updated automatically so that users quickly regain full network access without having to update their computer manually. If this option is not desired, it is better to disable this service.
  • 11. Parental Controls – This service is a stub for the Windows Parental Controls functionality that existed in Vista and is provided for backward compatibility only. If this option is not desired, it is better to disable this service.
  • 12. Smart Card Removal Policy – Allows the system to be configured to lock the user desktop upon smart card removal. If this option is not desired, it is better to disable this service.
  • 13. Windows Media Center Receiver Service – Windows Media Center service for TV and FM broadcast reception. If this option is not desired, it is better to disable this service.
  • 14. Windows Media Center Scheduler Service – Starts and stops recording of TV programs within Windows Media Center. If this option is not desired, it is better to disable this service.
  • 15. Fax – Enables you to send and receive faxes using fax resources available on this computer or on the network. If this option is not desired, it is better to disable this service.
  • 16. Encrypting File System (EFS) – Provides encryption of files on NTFS partitions. It is safe to disable this service when encryption is not used.
  • 17. Internet Connection Sharing (ICS) – For sharing the internet connection with other computers in the network (this computer operates as a router). If a router is used to connect all the computers to the internet, this service is not needed.
  • 18. Bluetooth Support Service – This service is only useful when devices are connected by Bluetooth. If this option is not desired, it is better to disable this service.
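For applying the list above to a host (or checking what a GPO-managed host ended up with), the script below is an added example and not part of the original post. It assumes the short service names in the comments match the display names in the list, skips any service that does not exist on the running edition, and saves the previous start modes so the change can be rolled back. Windows Defender (item 3) is deliberately left out because, as noted above, disabling its service breaks the Control Panel item.

```powershell
# Added example, not from the original post: disable the services listed above on the
# local host, first saving each service's current start mode to a CSV for rollback.
# Service names are assumed from the display names in the list (labelled below);
# a name that does not exist on this Windows edition is reported and skipped.
# Windows Defender (item 3) is deliberately left out, since the post notes that
# disabling its service breaks the Control Panel item. Run elevated.
$services = @(
    'DPS',                # Diagnostic Policy Service
    'WdiSystemHost',      # Diagnostic System Host
    'TabletInputService', # Tablet PC Input Service
    'WMPNetworkSvc',      # Windows Media Player Network Sharing Service
    'AdobeARMservice',    # Adobe Acrobat Update Service
    'iphlpsvc',           # IP Helper
    'WbioSrvc',           # Windows Biometric Service
    'CscService',         # Offline Files
    'RemoteRegistry',     # Remote Registry
    'napagent',           # Network Access Protection Agent
    'WPCSvc',             # Parental Controls
    'SCPolicySvc',        # Smart Card Removal Policy
    'ehRecvr',            # Windows Media Center Receiver Service
    'ehSched',            # Windows Media Center Scheduler Service
    'Fax',                # Fax
    'EFS',                # Encrypting File System
    'SharedAccess',       # Internet Connection Sharing
    'bthserv'             # Bluetooth Support Service
)
$log = Join-Path $env:TEMP 'service-startmode-before.csv'
$before = @()
foreach ($name in $services) {
    # Win32_Service exposes StartMode (Auto/Manual/Disabled), which Get-Service on
    # PowerShell 2.0 does not; the WMI query also works on Windows 7 / 2008 R2.
    $svc = Get-WmiObject Win32_Service -Filter "Name='$name'"
    if (-not $svc) { Write-Host "skip  $name (not present on this system)"; continue }
    $before += New-Object PSObject -Property @{ Name = $name; StartMode = $svc.StartMode }
    if ($svc.StartMode -eq 'Disabled') { Write-Host "ok    $name already disabled"; continue }
    if ($svc.State -eq 'Running') { Stop-Service -Name $name -Force -ErrorAction SilentlyContinue }
    Set-Service -Name $name -StartupType Disabled
    Write-Host "done  $name ($($svc.StartMode) -> Disabled)"
}
$before | Export-Csv -Path $log -NoTypeInformation
Write-Host "Previous start modes saved to $log"
# Rollback: map WMI StartMode names back to Set-Service -StartupType values.
function Restore-StartModes($Csv) {
    $map = @{ Auto = 'Automatic'; Manual = 'Manual'; Disabled = 'Disabled' }
    Import-Csv $Csv | ForEach-Object { Set-Service -Name $_.Name -StartupType $map[$_.StartMode] }
}
```

To undo the change, run Restore-StartModes with the path printed at the end.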

=========================================================================================

The following setting resides in this location: User Configuration > Policies > Administrative Templates > Control Panel > Personalization

2. Setting a Windows 7 client’s desktop to ‘Best Performance’. By default it’s set to ‘Best Appearance’, but this eats unnecessary system resources.

  • 1. At right pane, double-click “Load a specific theme”.
  • 2. Select “Enabled”.
  • 3. Under “Path to theme file”, type “%Systemroot%\Resources\Ease of Access Themes\basic.theme”.
  • 4. Click “OK”.

The following setting resides in this location: User Configuration > Preferences > Windows Settings > Registry

  • 1. Right-click “Registry”, select “New > Registry Item”.
  • 2. Next to “Action”, select “Update”.
  • 3. Next to “Hive”, select “HKEY_CURRENT_USER”.
  • 4. Next to “Key Path”, type “SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\VisualEffects”.
  • 5. Under “Value name”, type “VisualFXSetting”.
  • 6. Next to “Value type”, select “REG_DWORD”.
  • 7. Next to “Value data”, type “2”.
  • 8. Close the Group Policy Management window for the GPO you added this to, or keep it open for the next tweak, Power Management.

=========================================================================================

The following setting resides in this location: Computer Configuration > Administrative Templates > System > Power Management

3. Setting a Windows 7 client to ‘High Performance’ to get the most out of a desktop’s CPU. A little back-story: by default, Windows Server 2008 R2/2012 R2/Windows Vista/Windows 7 ship with the power plan set to ‘Balanced’. This is fine, but it never utilizes the full power of the CPU. This setting seems like a no-brainer; if left unchecked, your servers and/or desktops could be running at reduced performance.

  • 1. Select the setting “Select an Active Power Plan”.
  • 2. Select the setting ‘High performance’.

=========================================================================================

The following setting resides in this location: User Configuration > Preferences > Windows Settings > Registry

4. Speeding up the shutdown time of Windows. By default, the wait-to-kill-service timeout is set to 20000 (20 seconds); changing it to 2000 (2 seconds) speeds up the shutdown time significantly.

  • 1. Right-click “Registry”, select “New > Registry Item”.
  • 2. Next to “Action”, select “Update”.
  • 3. Next to “Hive”, select “HKEY_LOCAL_MACHINE”.
  • 4. Next to “Key Path”, type “SYSTEM\CurrentControlSet\Control”.
  • 5. Under “Value name”, type “WaitToKillServiceTimeout”.
  • 6. Next to “Value type”, select “REG_SZ”.
  • 7. Next to “Value data”, type “2000”.

=========================================================================================

The following setting resides in this location: User Configuration > Preferences > Windows Settings > Registry

5. Changing the mouse hover time. By default it’s set to 400 milliseconds; I like to use 30, so it’s damn near instant.

  • 1. Right-click “Registry”, select “New > Registry Item”.
  • 2. Next to “Action”, select “Update”.
  • 3. Next to “Hive”, select “HKEY_CURRENT_USER”.
  • 4. Next to “Key Path”, type “Control Panel\Mouse”.
  • 5. Under “Value name”, type “MouseHoverTime”.
  • 6. Next to “Value type”, select “REG_SZ”.
  • 7. Next to “Value data”, type “30”.

=========================================================================================

The following setting resides in this location: User Configuration > Preferences > Windows Settings > Registry

6. Altering Desktop settings to improve ‘snappy’ performance ‘feeling’.

  • 1. Right-click “Registry”, select “New > Registry Item”.
  • 2. Next to “Action”, select “Update”.
  • 3. Next to “Hive”, select “HKEY_CURRENT_USER“.
  • 4. Next to “Key Path”, type “Control Panel\Desktop”.
  • 5. Add the following values, or modify them if they already exist (these are all ‘REG_SZ’; don’t use ‘REG_DWORD’). Create a separate registry item for each value.
    • “AutoEndTasks”=”1”
    • “HungAppTimeout”=”1000”
    • “MenuShowDelay”=”8”
    • “WaitToKillAppTimeout”=”2000”
    • “LowLevelHooksTimeout”=”1000”

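Because tweaks 2, 4, 5 and 6 all depend on the registry item being created with the right value type (the post stresses REG_SZ for the desktop values), the check below reads each value back on a logged-on client and reports a mismatch in key, name, type or data. It is an added example, not part of the original post, and writes nothing; the expected values are the ones given above, and the final powercfg line is the quickest way to confirm the power plan from tweak 3.

```powershell
# Added example, not from the original post: verify on a logged-on client that the
# registry values from tweaks 2, 4, 5 and 6 above landed with the expected data AND
# the expected value type (REG_SZ vs REG_DWORD). Expected values are the ones the post
# gives; this script only reads the registry.
$expected = @(
    @{ Path = 'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\VisualEffects'; Name = 'VisualFXSetting'; Kind = 'DWord'; Data = 2 },
    @{ Path = 'HKLM:\SYSTEM\CurrentControlSet\Control'; Name = 'WaitToKillServiceTimeout'; Kind = 'String'; Data = '2000' },
    @{ Path = 'HKCU:\Control Panel\Mouse';   Name = 'MouseHoverTime';       Kind = 'String'; Data = '30' },
    @{ Path = 'HKCU:\Control Panel\Desktop'; Name = 'AutoEndTasks';         Kind = 'String'; Data = '1' },
    @{ Path = 'HKCU:\Control Panel\Desktop'; Name = 'HungAppTimeout';       Kind = 'String'; Data = '1000' },
    @{ Path = 'HKCU:\Control Panel\Desktop'; Name = 'MenuShowDelay';        Kind = 'String'; Data = '8' },
    @{ Path = 'HKCU:\Control Panel\Desktop'; Name = 'WaitToKillAppTimeout'; Kind = 'String'; Data = '2000' },
    @{ Path = 'HKCU:\Control Panel\Desktop'; Name = 'LowLevelHooksTimeout'; Kind = 'String'; Data = '1000' }
)
function Test-RegistryExpectation($Entry) {
    # Get-Item returns a RegistryKey, which exposes the value kind (REG_SZ = String,
    # REG_DWORD = DWord) that Get-ItemProperty alone would hide.
    $key = Get-Item -Path $Entry.Path -ErrorAction SilentlyContinue
    if (-not $key) { return 'MISSING KEY' }
    if ($key.GetValueNames() -notcontains $Entry.Name) { return 'MISSING VALUE' }
    $kind = $key.GetValueKind($Entry.Name).ToString()
    $data = $key.GetValue($Entry.Name)
    if ($kind -ne $Entry.Kind) { return "WRONG TYPE ($kind, expected $($Entry.Kind))" }
    if ("$data" -ne "$($Entry.Data)") { return "DIFFERENT DATA ($data)" }
    return 'OK'
}
foreach ($e in $expected) {
    $status = Test-RegistryExpectation $e
    Write-Host ("{0,-40} {1,-24} {2}" -f $status, $e.Name, $e.Path)
}
# Tweak 3: the asterisk in this output marks the active power plan.
powercfg /list
```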
=========================================================================================

7. Disable ‘GUI Boot’ during the boot into Windows and disable startup programs. The GUI boot screen is the screen with the loading bar or the spinning circle.

  • 1. Go to Search or Run and type ‘msconfig’.
  • 2. Click the ‘Boot’ tab and check the ‘No GUI boot’ box. Make sure to tick the box on the right labeled ‘Make all boot settings permanent’, then press Apply.
  • 3. Go to the ‘Startup’ tab and uncheck all of the programs that aren’t necessary; the list should be pretty obvious. Basically, entries from Microsoft and Intel are the only ones you should leave checked.
  • 4. Everything else can pretty much be disabled. Press ‘Apply’ once you’re finished making changes, click ‘Don’t show this message again’ on the next screen, and press ‘Restart’.

=========================================================================================

This concludes the list for the time being. I’m always looking to perfect Group Policy, and as I vet the organic changes I’ll update this list. Hopefully these settings will be of benefit to whoever finds this page. 🙂