Policy Expert

  • Deny Access to This Computer From the Network – Best Practices for DC and Member Server

    Setting which group of users will be denied from accessing the computer from the network is a fundamental step in a hardening project. Hardening can be a painful procedure when done
  • Access This Computer From the Network – Best Practices for DC and Member Servers

    Setting which group of users can access a computer from the network is a fundamental step in a hardening project. Hardening can be a painful procedure when done in complex environments.
  • Audit Kerberos Service Ticket Operations should be set to ‘Success and Failure’

    Kerberos is an authentication protocol designed for enhanced security. The Kerberos authentication protocol is designed around a ticket-granting mechanism. As part of the Kerberos authentication mechanism, an Authentication Server is granting a Ticket
  • Create Symbolic Link in Windows is set to ‘Administrators’ (DC only) – The Policy Expert

    This Policy Expert post will discuss the recommended setting for Symbolic Links in your servers, since as much as they are useful, Symbolic Links can also be used maliciously to gain
  • Ensure ‘Turn on PowerShell Script Block Logging’ is set to ‘Disabled’

    PowerShell is a built-in scripting language and a command-line executor developed by Microsoft to provide a better interface for system administrators to simplify and automate administrative tasks. PowerShell’s power makes it
  • IIS: Ensure ‘deployment method retail’ is set

    This configuration is important both for the performance and the security of the production environment. Performance-wise, you can set the <deployment retail> to true in order to ensure that no
  • IIS: Ensure TLS 1.0 is disabled – The Policy Expert

    Transport Layer Security (TLS) is a cryptographic protocol designed to provide secure communication between web browsers and servers. It is used in almost every app nowadays. Many IP-based protocols such as
  • Domain Controller: LDAP Server Signing Requirements

    LDAP signing increases security in communication between LDAP clients and Active Directory domain controllers. LDAP signing is a Simple Authentication and Security Layer (SASL) feature, as part of the LDAP protocol
  • RDS: Do Not Allow Drive Redirection

    Server hardening can be a painful procedure. If you’re reading this article, you probably already know it. Endless hours, labor, and money are invested in this process, which can often result
  • RDS: Do Not Allow LPT Port Redirection

    Short for line printer terminal, LPT is used by IBM-compatible computers as an identification for the parallel port, such as LPT1, LPT2, or LPT3. The LPT port is commonly required when installing a printer
  • RDS: Do Not Allow COM Port Redirection – The Policy Expert

    COM port is the name of the serial port interface on IBM PC-compatible computers. It can refer not only to physical ports but also to emulated ports, such as ports created by Bluetooth or USB-to-serial adapters. Server hardening can be
  • Restrict NTLM: Audit Incoming NTLM Traffic – The Policy Expert

    NTLM is Microsoft’s old mythological authentication protocol. Although a new and better authentication protocol has already been developed, NTLM is still very much in use. Basically, even the most recent Windows versions