How to Harden Active Directory Group Policy: Security Configuration Guide

Retool's new app builder is where AI-generated code ships safely
Building apps with AI is easy. Getting them to production safely is another story.
Active Directory's default configuration prioritizes backward compatibility over security: a design philosophy from 2003 that did not anticipate modern credential theft attacks. The result: most enterprise AD environments still have WDigest credential caching enabled, NTLMv1 negotiation allowed, a single shared local administrator password across all workstations, and insufficient audit logging to detect credential attacks.
All of these can be fixed with Group Policy settings that apply immediately to all domain-joined machines. The CIS Benchmarks and Microsoft Security Baselines document the target state: this guide covers the highest-impact settings and the exact GPO paths.
Authentication Protocol Hardening
Disable LM hash storage:
LAN Manager hashes are extremely weak (split into two 7-character DES-encrypted halves) and can be cracked in seconds. They are stored by default when a password is set.
GPO path:
Computer Configuration > Windows Settings > Security Settings >
Local Policies > Security Options >
"Network security: Do not store LAN Manager hash value on next password change"
Setting: Enabled
Block NTLMv1 authentication:
NTLMv1 session keys are vulnerable to relay and downgrade attacks. Modern Windows supports NTLMv2; blocking v1 forces all NTLM authentication to use the stronger protocol.
GPO path:
Computer Configuration > Windows Settings > Security Settings >
Local Policies > Security Options >
"Network security: LAN Manager authentication level"
Setting: Send NTLMv2 response only. Refuse LM & NTLM
# This is the most aggressive setting (value 5)
# If you have legacy systems that cannot use NTLMv2:
# Start with "Send NTLMv2 response only, refuse LM" (value 4)
# Then investigate what fails and remediate before moving to value 5
Disable WDigest credential caching (prevent plaintext passwords in LSASS):
WDigest stores cleartext credentials in LSASS for HTTP Digest Authentication. Mimikatz's sekurlsa::wdigest recovers these plaintext passwords.
GPO path:
Computer Configuration > Administrative Templates > MS Security Guide >
"WDigest Authentication (disabling may require KB2871997)"
Setting: Disabled
# Or via registry (if the MS Security Guide ADMX is not installed):
# HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\WDigest
# UseLogonCredential: DWORD = 0
Set-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\WDigest" `
-Name "UseLogonCredential" -Value 0 -Type DWORD
# Takes effect on next logon (does not kick existing sessions)
Enable Credential Guard (requires UEFI + Virtualization-Based Security):
GPO path:
Computer Configuration > Administrative Templates >
System > Device Guard >
"Turn On Virtualization Based Security"
Setting: Enabled
Virtualization Based Protection of Code Integrity:
Enabled with UEFI lock (prevents disabling without clearing UEFI variables)
Credential Guard Configuration:
Enabled with UEFI lock
# Credential Guard moves NTLM hashes and Kerberos TGTs out of LSASS
# into a separate VSM (Virtual Secure Mode) process that malware cannot access
Local Administrator Password Solution (LAPS)
The most common lateral movement path in ransomware attacks: local administrator account with the same password on every workstation. Compromise one machine, use the local admin credential to authenticate to all others via PsExec or WMI. LAPS breaks this by randomizing each machine's local admin password.
Deploy Windows LAPS (built into Windows 11 22H2 and Server 2025):
# Step 1: Update AD schema (run on DC as Domain Admin)
Update-LapsADSchema
# Step 2: Configure LAPS via GPO
# Computer Configuration > Administrative Templates >
# System > Local Administrator Password Solution
# Enable LAPS: Enabled
# Password Settings: 14+ chars, complexity enabled, 30-day rotation
# Password Encryption: Enabled (encrypts stored password in AD attribute)
# Post-authentication actions: Reset password (after password retrieved)
# Step 3: Grant specific AD groups read access to LAPS passwords
# Only help desk accounts that legitimately need local admin access
Set-LapsADComputerSelfPermission -Identity "OU=Workstations,DC=corp,DC=local"
Set-LapsADReadPasswordPermission -Identity "OU=Workstations,DC=corp,DC=local" `
-AllowedPrincipals "CORP\Helpdesk-L2"
# Step 4: Verify LAPS is setting passwords
Get-LapsADPassword -Identity "WORKSTATION01" -AsPlainText
# Output shows: ComputerName, DistinguishedName, Account, Password, PasswordUpdateTime
Briefings like this, every morning before 9am.
Threat intel, active CVEs, and campaign alerts, distilled for practitioners. 50,000+ subscribers. No noise.
Audit Policy Configuration
Default Windows audit policy does not log enough detail to detect credential attacks. The recommended audit policy logs security events in seven key categories.
Configure Advanced Audit Policy via GPO:
GPO path:
Computer Configuration > Windows Settings > Security Settings >
Advanced Audit Policy Configuration > Audit Policies
Account Logon:
Audit Credential Validation: Success, Failure
(logs Event 4776: NTLM auth attempts; detect NTLMv1 usage)
Account Management:
Audit User Account Management: Success, Failure
Audit Security Group Management: Success
(logs user/group creation, modification, deletion)
Logon/Logoff:
Audit Logon: Success, Failure
(logs Event 4624/4625: all logon attempts)
Audit Special Logon: Success
(logs Event 4672: privilege assignments at logon)
Object Access:
Audit File System: Failure (too noisy for success)
Audit Registry: Failure
Policy Change:
Audit Audit Policy Change: Success, Failure
Audit Authentication Policy Change: Success
(detect GPO changes, policy modifications)
Privilege Use:
Audit Sensitive Privilege Use: Success, Failure
(logs Event 4673/4674: use of dangerous privileges like SeDebugPrivilege)
System:
Audit System Events: Success, Failure
(logs system startup/shutdown, audit log cleared)
Verify audit policy is applying:
# Run on any domain machine after GPO applies:
auditpol /get /category:*
# Check that each subcategory shows "Success" or "Failure" as configured
# Or from PowerShell:
Get-WinEvent -LogName Security -MaxEvents 100 | \
Where-Object { $_.Id -in (4625, 4672, 4776) } | \
Select-Object Id, TimeCreated, Message | Format-List
User Rights Assignment and Restricted Groups
User Rights Assignments control which accounts can perform sensitive operations: logon locally to DCs, load drivers, act as part of the OS. Default settings are often too permissive.
GPO path:
Computer Configuration > Windows Settings > Security Settings >
Local Policies > User Rights Assignment
High-priority restrictions:
"Access this computer from the network":
Remove: Everyone, Users
Keep: Administrators, Authenticated Users (for workstations)
On DCs: Administrators, Domain Controllers only
"Allow log on locally" (on Domain Controllers):
Restrict to: Domain Admins, Account Operators, Backup Operators
Remove: Everyone, Users, Guests
"Debug programs" (SeDebugPrivilege):
Remove from Administrators (or restrict to specific named accounts)
SeDebugPrivilege allows opening any process: used by Mimikatz
Risk: Removing from Administrators may break some software; test first
"Load and unload device drivers":
Restrict to: Administrators only
Prevent attackers from loading malicious drivers (BYOVD attacks)
"Deny log on through Remote Desktop Services" (on all non-bastion hosts):
Add: Guests, Local account (prevents local user RDP from spreading laterally)
Microsoft Security Baseline GPO: import and apply:
# Download Microsoft Security Compliance Toolkit from Microsoft.com
# Includes pre-built GPOs for Windows 11, Server 2022, etc.
# Import baseline GPO:
Import-GPO -BackupId "{GUID}" `
-Path "C:\SecurityBaselines\Windows11\GPOs" `
-TargetName "WIN11-Security-Baseline" `
-MigrationTable "migration.migtable"
# Link to appropriate OU:
New-GPLink -Name "WIN11-Security-Baseline" `
-Target "OU=Workstations,DC=corp,DC=local" `
-Enforced Yes
The bottom line
The highest-impact Active Directory GPO security changes: disable WDigest credential caching (prevents plaintext passwords in LSASS memory), block NTLMv1 authentication (use LAN Manager authentication level = 5), stop LM hash storage, deploy LAPS to randomize local administrator passwords per machine, enable Advanced Audit Policy with Credential Validation / Logon / Privilege Use categories, and restrict User Rights Assignment (SeDebugPrivilege from Administrators, local admin from non-DC RDP). Use Microsoft's Security Compliance Toolkit to import pre-built Windows 11 and Server 2022 baselines rather than building every setting manually.
Frequently asked questions
What are the most important Active Directory Group Policy security settings?
In priority order: (1) Disable WDigest credential caching: prevents Mimikatz from extracting plaintext passwords from LSASS; (2) Deploy LAPS: randomizes local admin passwords per machine to stop lateral movement via shared credentials; (3) Block NTLMv1: set LAN Manager authentication level to 5 (NTLMv2 only); (4) Enable Advanced Audit Policy (Credential Validation, Logon, Privilege Use); (5) Enable Credential Guard on systems with UEFI and VBS support.
What is LAPS and why does Active Directory need it?
LAPS (Local Administrator Password Solution) randomizes the password of the local Administrator account on each domain-joined machine and stores it in an encrypted AD attribute. Without LAPS, most organizations use a single local admin password across all workstations: attackers who compromise one machine use that credential via pass-the-hash or PsExec to authenticate to every other workstation in the domain. LAPS breaks lateral movement by making each machine's local admin password unique and automatically rotated.
What are the most important Group Policy security settings for Windows workstations?
High-priority Group Policy security settings: disable LLMNR (Link-Local Multicast Name Resolution) and NBT-NS to prevent Responder attacks (Computer Configuration > Admin Templates > Network > DNS Client: turn off multicast name resolution); enable Windows Firewall on all profiles with default-deny inbound; configure the Windows Defender Firewall to block inbound SMB from non-server sources (workstation-to-workstation SMB lateral movement); enable audit policy for process creation, logon events, and object access; set account lockout policy (5 failures, 30-minute lockout duration); and restrict credential caching (Interactive Logon: Number of previous logons to cache) to 1 or 0 on high-security systems.
How do I deploy Windows LAPS (the new version) vs legacy LAPS?
Windows LAPS (built into Windows 11 22H2 and Windows Server 2022 with April 2023 cumulative update) replaces the legacy LAPS MSI deployment. Windows LAPS stores passwords in Azure AD or on-premises AD with encrypted storage (legacy LAPS stored passwords in clear text in AD, visible to anyone with read access to the ms-Mcs-AdmPwd attribute). Enable Windows LAPS: in Active Directory, update the schema with Update-LapsADSchema; configure via Group Policy (Computer Configuration > Admin Templates > LAPS: Enable local admin password management); passwords are stored in the msLAPS-Password attribute and are encrypted. Windows LAPS also supports managing custom local admin accounts, not just the built-in Administrator account.
How do I harden Microsoft Office via Group Policy to reduce macro attack risk?
Office macro hardening via Group Policy requires the Office ADMX templates (downloadable from Microsoft). Key settings: disable macros for all Office applications except those running from trusted locations (User Configuration > Admin Templates > Microsoft Office > Security Settings > Trust Center); block macros from running in Office files from the internet (enforces Mark of the Web check — macros in downloaded files are blocked even if macros are enabled globally); enable the 'Block macros from running in Office files from the Internet' setting, which is separate from the general macro setting; and configure Trusted Locations to a small set of network shares for the few legitimate macro users. For highest security: enable 'VBA Macro Notification Settings: Disable all macros except digitally signed macros' and sign only approved macros with an internal code signing certificate.
How do you audit Active Directory GPO inheritance and detect GPO misconfigurations that weaken your security baseline?
Run 'Get-GPOReport -All -ReportType XML -Path C:\GPOReports\' from the Group Policy Management console to export every GPO's full settings as XML for offline review. Use the Group Policy Modeling wizard (GPMC > Group Policy Modeling) to simulate the resultant set of policies for a specific user-computer combination and verify that security settings are actually landing as intended after inheritance and WMI filter evaluation. Run 'gpresult /H C:\Temp\gpresult.html' on representative machines in each OU to identify GPOs that are applied, not applied, or blocked by inheritance. Alert on unauthorized GPO modifications via Event 5136 (directory service object modification) filtered for objects in the 'Group Policy Objects' container: any modification to a GPO that contains security settings should be reviewed immediately and compared against your change management records.
Sources & references
Free resources
Critical CVE Reference Card 2025–2026
25 actively exploited vulnerabilities with CVSS scores, exploit status, and patch availability. Print it, pin it, share it with your SOC team.
Ransomware Incident Response Playbook
Step-by-step 24-hour IR checklist covering detection, containment, eradication, and recovery. Built for SOC teams, IR leads, and CISOs.
Get threat intel before your inbox does.
50,000+ security professionals read Decryption Digest for early warnings on zero-days, ransomware, and nation-state campaigns. Free, daily, no spam.
Unsubscribe anytime. We never sell your data.

Founder & Cybersecurity Evangelist, Decryption Digest
Cybersecurity professional with expertise in threat intelligence, vulnerability research, and enterprise security. Covers zero-days, ransomware, and nation-state operations for 50,000+ security professionals every morning.
Win a $2,495 Black Hat pass.
Full-access to Black Hat USA 2026 in Las Vegas. Subscribe free to enter.
