Emulating Group Policy

In this exercise, you will use the native Windows tool gpedit.msc to emulate the server's Group Policy tools.
The interface is exactly the same.

Prevent Installation of Removable Devices

Right-click the “Start” button, choose “Run”, and type in gpedit.msc as shown below:

The interface will be shown as below.
Group Policy allows you to configure settings and push them out to all of the computers in the domain.
For computer settings, use Computer Configuration.
For user settings, use User Configuration.

In this exercise, you are going to emulate an air-gapped computer where the only way to insert or remove data would be by using a removable device such as a USB drive or DVD.

Go to Computer Configuration and expand Administrative Templates.
Right-click Administrative Templates and then choose Filter Options.
Check the box next to Enable Keyword Filters, type in “removable”, and press OK at the foot of the wizard.
See below:

Expand System, expand Device Installation, and expand Device Installation Restrictions:

Double-click Prevent installation of removable devices, press the radio button Enabled, then Apply and OK at the bottom of the wizard.
In the image below, you will notice the Help section provides information on the impact of enabling this policy.

Note that the policy Prevent installation of removable devices has been enabled:

Disable the use of USB storage Devices in Windows 10

In this exercise, you will prevent read and write access to storage devices such as USB drives.
Go to Computer Configuration, expand Administrative Templates.
Expand System, and double-click Removable Storage Access.
On the right-side pane, locate the following:

  • Removable Disks: Deny execute access
  • Removable Disks: Deny read access
  • Removable Disks: Deny write access

Read the help file so that you know what each policy does.
Double-click on each of them, then enable them.
See below:

For these policies to take effect, reboot your machine.

Prevent Password Cycling

If you have a password history of 12, then you need 13 passwords before you can reuse the first password. People will cycle those passwords on the same day the password expires, so that they can keep using the same password. This is a security risk.

In this exercise, you will prevent someone from cycling through passwords until they arrive back at their original password.

Go to Computer Configuration, then expand Windows Settings.
Expand Security Settings, then expand Account Policies.
Expand Password Policy, and then set Minimum password age to 1 day.
This means that a password can only be changed once a day, which will prevent password cycling (see below).
If you really want to make sure, you could change this to 10 so that a password can only be changed once every 10 days.

Please remember to reverse these policies when finished.
In completing these practical exercises, you have prevented the installation of removable devices, prevented read and write access to USB devices, and prevented password cycling using the minimum password age.
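
To confirm that the three exercises took effect, the following added example (not part of the original exercise) audits each setting from an elevated PowerShell prompt. It assumes the policies are stored in the standard local-policy registry locations and that the password policy can be exported with secedit; neither detail appears on this page.

```powershell
# Added example: audit the settings configured in the exercises above.
# Run from an elevated PowerShell prompt after the reboot.
# Assumption: the registry paths below are where these templates store their values.

function Get-PolicyValue {
    param([string]$Path, [string]$Name)
    # Returns $null when the key or value is absent (policy left "Not Configured").
    $item = Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue
    if ($null -ne $item) { $item.$Name } else { $null }
}

$results = @()

# Exercise 1: Prevent installation of removable devices
$restrict = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\DeviceInstall\Restrictions'
$results += [pscustomobject]@{
    Setting = 'Prevent installation of removable devices'
    Actual  = Get-PolicyValue $restrict 'DenyRemovableDevices'
}

# Exercise 2: Removable Disks: Deny execute / read / write access
# The GUID is the removable-disk device class used by Removable Storage Access.
$disks = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\RemovableStorageDevices\' +
         '{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}'
foreach ($name in 'Deny_Execute', 'Deny_Read', 'Deny_Write') {
    $results += [pscustomobject]@{
        Setting = "Removable Disks: $name"
        Actual  = Get-PolicyValue $disks $name
    }
}

# Exercise 3: Minimum password age, read from an exported security policy
$cfg = Join-Path $env:TEMP 'secpol-audit.inf'
secedit /export /cfg $cfg /areas SECURITYPOLICY /quiet | Out-Null
$match = Select-String -Path $cfg -Pattern '^\s*MinimumPasswordAge\s*=\s*(\d+)' |
         Select-Object -First 1
$minAge = if ($match) { [int]$match.Matches[0].Groups[1].Value } else { $null }
Remove-Item $cfg -ErrorAction SilentlyContinue
$results += [pscustomobject]@{ Setting = 'Minimum password age (days)'; Actual = $minAge }

# A setting passes when it is present and at least 1
# (1 = Enabled for the device policies, 1 or more days for the password age).
$results | ForEach-Object {
    $pass = ($null -ne $_.Actual) -and ($_.Actual -ge 1)
    $_ | Add-Member -NotePropertyName Pass -NotePropertyValue $pass -PassThru
} | Format-Table -AutoSize
```

Once the policies have been reversed as instructed above, every row should report Pass as False.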

Check out the book CompTIA Security+: SY0-601 Certification Guide to help you pass on the first attempt.