Most important security GPOs
Priority 1 (immediately):
✅ LAPS (Local Administrator Password Solution)
✅ Configure Microsoft Defender Antivirus
✅ Enforce BitLocker
✅ Enable audit policies
Priority 2 (soon):
✅ AppLocker / WDAC
✅ Restrict USB devices
✅ PowerShell logging
✅ Disable SMBv1
Priority 3 (extended protection):
✅ Credential Guard
✅ Windows Firewall with advanced rules
✅ Attack Surface Reduction rules
LAPS (Windows LAPS)
# Windows LAPS - rotate local administrator passwords automatically
# Extend the AD schema (once per forest, as a member of Schema Admins)
Update-LapsADSchema
# Configure via GPO:
# Computer Configuration → Administrative Templates →
# System → LAPS:
# Configure password backup directory: Active Directory
# (this is the setting that turns Windows LAPS on; the old "Enable local admin
# password management" switch belongs to the legacy LAPS client)
# Enable password encryption: Enabled (requires domain functional level 2016 or higher)
# Password Settings:
# Complexity: 4 (upper case + lower case + digits + special characters)
# Length: 16
# Age: 30 days
# Allow the computers in the OU to write their own password into AD.
# This is the computer's self permission only; who may READ the passwords is a
# separate ACL on the OU (Set-LapsADReadPasswordPermission), so do not rely on
# this line to restrict readers to IT admins.
Set-LapsADComputerSelfPermission -Identity "OU=Workstations,DC=firma,DC=local"
# Read a password (use -AsPlainText interactively only; without it the password stays a SecureString)
Get-LapsADPassword -Identity "PC-MUSTERMANN" -AsPlainText
# Force a rotation, e.g. after an admin has used the password:
# from the admin workstation, expire the password in AD - the device rotates it
# at its next LAPS processing cycle (Reset-LapsPassword has no -Identity parameter)
Set-LapsADPasswordExpirationTime -Identity "PC-MUSTERMANN"
# ... or immediately, run locally on the managed device itself
Reset-LapsPassword
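The following script is an added example and not part of the original page: it locks password reads down to one admin group and audits the LAPS state of the whole OU (computers that never backed up a password, stale passwords, forced rotation). It assumes the Windows LAPS and ActiveDirectory modules on the admin workstation, the OU from the page, and a group "FIRMA\LAPS-Admins" (assumed name) as the only authorized reader; $MaxPasswordAge must match the "Age" value in the GPO.

```powershell
#Requires -Modules LAPS, ActiveDirectory
# Added example (not from the original page): restrict LAPS readers and audit an OU.
param(
    [string]$OU             = 'OU=Workstations,DC=firma,DC=local',
    [string]$ReaderGroup    = 'FIRMA\LAPS-Admins',   # assumed group name
    [int]   $MaxPasswordAge = 30                     # must match the GPO "Age" setting
)

# 1. Only the dedicated admin group may read (and decrypt) the passwords.
Set-LapsADReadPasswordPermission -Identity $OU -AllowedPrincipals $ReaderGroup
# Show every principal that currently holds LAPS extended rights on the OU, so
# over-broad grants (e.g. a helpdesk group added by hand) are visible and can be removed.
Find-LapsADExtendedRights -Identity $OU | Format-Table -AutoSize

# 2. Inventory: which computers never backed up a password, and whose password is
#    older than the policy allows. Without -AsPlainText only metadata is needed.
$report = foreach ($c in Get-ADComputer -SearchBase $OU -Filter *) {
    $p = Get-LapsADPassword -Identity $c.Name -ErrorAction SilentlyContinue
    if (-not $p) {
        # No LAPS attributes at all: the GPO never applied or the client is not LAPS-capable
        [pscustomobject]@{ Computer = $c.Name; Status = 'NO_LAPS_PASSWORD'; AgeDays = $null; Expires = $null }
        continue
    }
    $age    = [int]((Get-Date) - $p.PasswordUpdateTime).TotalDays
    $status = if ($age -gt $MaxPasswordAge) { 'STALE' } else { 'OK' }
    [pscustomobject]@{ Computer = $c.Name; Status = $status; AgeDays = $age; Expires = $p.ExpirationTimestamp }
}
$report | Sort-Object Status, AgeDays -Descending | Format-Table -AutoSize

# 3. Stale machines: expire the AD timestamp so the device rotates at its next
#    LAPS processing cycle (for an immediate rotation run Reset-LapsPassword locally).
$report | Where-Object Status -eq 'STALE' | ForEach-Object {
    Set-LapsADPasswordExpirationTime -Identity $_.Computer
}
```

A machine reported as NO_LAPS_PASSWORD is the case worth chasing first: it is still running whatever local admin password it was imaged with, which is exactly the shared credential LAPS exists to eliminate.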
Microsoft Defender Antivirus via GPO
Computer Configuration → Administrative Templates →
Windows Components → Microsoft Defender Antivirus:
Real-time Protection:
- Turn off real-time protection: Disabled (never switch it off!)
- Monitor file and program activity on your computer: Enabled
Network Inspection System:
- Turn on protocol recognition: Enabled
Exclusions (use sparingly!):
- Process Exclusions: backup agent (backup.exe). Specify the full path, not just the file name: a name-only exclusion is inherited by any binary renamed to backup.exe. Note also that a process exclusion stops scanning of every file the listed process opens, not of the executable itself, and that every exclusion is a blind spot an attacker will look for.
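As an added example (not from the original page), the check below verifies on a client that the settings above actually took effect and flags exclusions that are easy to abuse. It reads only properties exposed by Get-MpComputerStatus and Get-MpPreference; the function name and the list of "risky" extensions and paths are choices made here.

```powershell
# Added example (not from the original page): Defender posture and exclusion audit.
function Get-DefenderPostureFindings {
    $status   = Get-MpComputerStatus
    $pref     = Get-MpPreference
    $findings = [System.Collections.Generic.List[string]]::new()

    # Core protection switches the GPO is supposed to enforce
    if (-not $status.RealTimeProtectionEnabled) { $findings.Add('Real-time protection is OFF') }
    if (-not $status.BehaviorMonitorEnabled)    { $findings.Add('Behavior monitoring is OFF') }
    if ($pref.DisableRealtimeMonitoring)         { $findings.Add('Policy value DisableRealtimeMonitoring is set') }
    if ($status.AntivirusSignatureAge -gt 3)    { $findings.Add("Signatures are $($status.AntivirusSignatureAge) days old") }

    # Exclusions: each one is a blind spot, so flag the patterns attackers abuse.
    foreach ($p in $pref.ExclusionProcess) {
        # Name-only exclusion: any binary renamed to this name inherits it
        if ($p -notmatch '^[A-Za-z]:\\') { $findings.Add("Process exclusion by name only: $p") }
    }
    foreach ($d in $pref.ExclusionPath) {
        # Whole user-writable trees excluded: malware dropped there is never scanned
        if ($d -match '^(?i)[a-z]:\\(users|temp|windows\\temp|programdata)(\\|$)') {
            $findings.Add("Path exclusion covers a user-writable tree: $d")
        }
    }
    $execTypes = 'exe','dll','ps1','js','vbs','bat','cmd','scr','hta'
    foreach ($e in $pref.ExclusionExtension) {
        if ($e.TrimStart('.') -in $execTypes) { $findings.Add("Extension exclusion for executable type: $e") }
    }
    return $findings
}

$f = Get-DefenderPostureFindings
if ($f.Count -eq 0) { 'Defender posture: OK' } else { $f | ForEach-Object { "FINDING: $_" } }
```

Run it after a gpupdate on a pilot machine and again periodically from a management host: a finding such as "Real-time protection is OFF" on a GPO-managed client means the policy did not apply (filtering, replication, or a local override), which is itself worth an incident ticket.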
Attack Surface Reduction rules
# ASR rules via GPO or directly with PowerShell:
# GPO: Computer Configuration → Administrative Templates → Windows Components →
# Microsoft Defender Antivirus → Microsoft Defender Exploit Guard →
# Attack Surface Reduction → Configure Attack Surface Reduction rules
# Block Win32 API calls from Office macros
# GUID: 92E97FA1-2EDF-4476-BDD6-9DD0B4DDDC7B
# Block execution of potentially obfuscated scripts (JS, VBS, PowerShell)
# GUID: 5BEB7EFE-FD9A-4556-801D-275E5FFC04CC
# Block credential stealing from the Windows local security authority subsystem (lsass.exe)
# GUID: 9E6C4E1F-7D60-472F-BA1A-A39EF669E4B0
# PowerShell setup:
$asrRules = @(
    '92E97FA1-2EDF-4476-BDD6-9DD0B4DDDC7B',
    '5BEB7EFE-FD9A-4556-801D-275E5FFC04CC',
    '9E6C4E1F-7D60-472F-BA1A-A39EF669E4B0'
)
# Add-MpPreference appends to the rules already configured on the device;
# Set-MpPreference would replace the whole list.
Add-MpPreference -AttackSurfaceReductionRules_Ids $asrRules `
                 -AttackSurfaceReductionRules_Actions AuditMode, AuditMode, AuditMode
# Audit mode first! Switch to Enabled (block) only after the audit events
# (Event ID 1122 in Microsoft-Windows-Windows Defender/Operational) show no false positives.
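The audit-then-block step above is where most ASR rollouts stall, so here is an added example (not code from the original page) of the review itself: it collects the ASR events of the last 14 days, shows per rule how often it would have fired and on which paths, and promotes only rules with a clean audit window to Block. It uses the three rule GUIDs from the page; the 14-day window, the helper name and the event field names read from the Defender event XML (ID, Path, Process Name, User) are the assumptions made here.

```powershell
# Added example (not from the original page): ASR audit review and promotion to Block.
$AsrRuleNames = @{
    '92E97FA1-2EDF-4476-BDD6-9DD0B4DDDC7B' = 'Block Win32 API calls from Office macros'
    '5BEB7EFE-FD9A-4556-801D-275E5FFC04CC' = 'Block execution of potentially obfuscated scripts'
    '9E6C4E1F-7D60-472F-BA1A-A39EF669E4B0' = 'Block credential stealing from lsass.exe'
}

function Get-AsrEvents {
    # 1122 = rule fired in audit mode (would have blocked), 1121 = rule actually blocked
    param([int]$Days = 14)
    $filter = @{ LogName = 'Microsoft-Windows-Windows Defender/Operational'
                 Id = 1121, 1122; StartTime = (Get-Date).AddDays(-$Days) }
    Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue | ForEach-Object {
        # Read fields by name from the event XML; positional indices differ between builds
        $x = [xml]$_.ToXml(); $d = @{}
        foreach ($n in $x.Event.EventData.Data) { $d[$n.Name] = $n.'#text' }
        $ruleId = ($d['ID'] -replace '[{}]', '').ToUpper()
        [pscustomobject]@{
            Time    = $_.TimeCreated
            Mode    = if ($_.Id -eq 1122) { 'Audit' } else { 'Block' }
            RuleId  = $ruleId
            Rule    = $AsrRuleNames[$ruleId]
            Path    = $d['Path']
            Process = $d['Process Name']
            User    = $d['User']
        }
    }
}

# Current local mode per rule (0 Off, 1 Block, 2 Audit, 6 Warn). In a GPO-managed
# fleet the policy value wins and local Add-/Set-MpPreference changes are overwritten;
# the promotion below then has to be made in the GPO instead.
$pref = Get-MpPreference
$ids  = @($pref.AttackSurfaceReductionRules_Ids)
$acts = @($pref.AttackSurfaceReductionRules_Actions)
$mode = @{}
for ($i = 0; $i -lt $ids.Count; $i++) { if ($ids[$i]) { $mode[$ids[$i]] = $acts[$i] } }

$events = @(Get-AsrEvents -Days 14)
$review = foreach ($ruleId in $AsrRuleNames.Keys) {
    $hits = @($events | Where-Object RuleId -eq $ruleId)
    [pscustomobject]@{
        RuleId   = $ruleId
        Rule     = $AsrRuleNames[$ruleId]
        Mode     = if ($mode.ContainsKey($ruleId)) { $mode[$ruleId] } else { 'not set' }
        Hits     = $hits.Count
        Examples = ($hits.Path | Sort-Object -Unique | Select-Object -First 3) -join '; '
    }
}
$review | Format-Table Rule, Mode, Hits, Examples -Wrap

# Promote rules that are in Audit and produced no hits in the window to Block.
# Rules with hits stay in Audit until each hit is either confirmed malicious or
# covered by a narrow ASR exclusion (AttackSurfaceReductionOnlyExclusions).
$clean = @($review | Where-Object { $_.Hits -eq 0 -and $_.Mode -eq 2 } | Select-Object -ExpandProperty RuleId)
if ($clean.Count -gt 0) {
    Add-MpPreference -AttackSurfaceReductionRules_Ids $clean `
                     -AttackSurfaceReductionRules_Actions (@('Enabled') * $clean.Count)
}
```

Run the review on a representative pilot group, not a single machine: the obfuscated-script rule in particular tends to hit legitimate installers and monitoring agents that only exist on some endpoints.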
Enable audit policies
# Granular audit policies (Advanced Audit Policy Configuration)
# GPO: Computer Configuration → Windows Settings → Security Settings →
# Advanced Audit Policy Configuration → Audit Policies:
# Logon/Logoff:
# Audit Logon: Success, Failure
# Audit Logoff: Success
# Account Logon:
# Audit Credential Validation: Success, Failure
# Audit Kerberos Authentication Service: Failure (on domain controllers also Success, if the SIEM can take the volume)
# Account Management:
# Audit User Account Management: Success, Failure
# Audit Computer Account Management: Success
# Object Access:
# Audit File System: Success, Failure (only for sensitive folders and shares: events are
# generated only for objects that carry a SACL, so the policy alone logs nothing)
# Privilege Use:
# Audit Sensitive Privilege Use: Success, Failure
# Also set under Security Options: "Audit: Force audit policy subcategory settings
# (Windows Vista or later) to override audit policy category settings": Enabled,
# otherwise legacy category settings can override these subcategories.
# Apply and verify locally (a GPO overwrites local auditpol settings at the next refresh)
auditpol /set /category:"Logon/Logoff" /success:enable /failure:enable
auditpol /get /category:*
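Audit policies only pay off if someone reads the events, so as an added example (not from the original page) the script below consumes the output of "Audit Logon: Failure", Security event 4625, and flags password spraying: one source address trying many different accounts in a short window. The event field names (TargetUserName, IpAddress, LogonType, SubStatus) are those of the 4625 event XML; the thresholds and the constructed sample records at the end are assumptions made here so the detection can be run offline.

```powershell
# Added example (not from the original page): password-spray detection over 4625 events.
function ConvertFrom-LogonFailureEvent {
    # Flatten 4625 events from Get-WinEvent; fields are read by name from the event XML
    param([Parameter(ValueFromPipeline)] $Event)
    process {
        $x = [xml]$Event.ToXml(); $d = @{}
        foreach ($n in $x.Event.EventData.Data) { $d[$n.Name] = $n.'#text' }
        [pscustomobject]@{
            Time      = $Event.TimeCreated
            User      = $d['TargetUserName']
            Source    = $d['IpAddress']
            LogonType = $d['LogonType']
            SubStatus = $d['SubStatus']   # 0xC000006A wrong password, 0xC0000064 no such user
        }
    }
}

function Find-PasswordSpray {
    param(
        [Parameter(Mandatory)] [object[]]$Records,
        [int]$WindowMinutes    = 30,
        [int]$MinDistinctUsers = 10
    )
    # Per source, slide a window over the failures and count distinct target accounts.
    # A single user mistyping their password hits one account many times and never alerts.
    foreach ($grp in ($Records | Where-Object Source | Group-Object Source)) {
        $sorted = @($grp.Group | Sort-Object Time)
        for ($i = 0; $i -lt $sorted.Count; $i++) {
            $end   = $sorted[$i].Time.AddMinutes($WindowMinutes)
            $win   = @($sorted[$i..($sorted.Count - 1)] | Where-Object { $_.Time -le $end })
            $users = @($win.User | Sort-Object -Unique)
            if ($users.Count -ge $MinDistinctUsers) {
                [pscustomobject]@{
                    Source = $grp.Name; From = $sorted[$i].Time; To = $end
                    Users = $users.Count; Attempts = $win.Count
                    Sample = ($users | Select-Object -First 5) -join ','
                }
                break   # one alert per source
            }
        }
    }
}

# Live use (needs "Audit Logon: Failure" from the GPO above, run elevated):
# $live = Get-WinEvent -FilterHashtable @{LogName='Security'; Id=4625; StartTime=(Get-Date).AddHours(-24)} |
#         ConvertFrom-LogonFailureEvent
# Find-PasswordSpray -Records $live

# Constructed sample data: 12 accounts, one attempt each, from one host within 4 minutes ...
$t0 = Get-Date '2024-03-01 08:00:00'
$sample = @(1..12 | ForEach-Object {
    [pscustomobject]@{ Time = $t0.AddSeconds(20 * $_); User = "user$_"; Source = '10.0.0.23'; LogonType = '3'; SubStatus = '0xC000006A' }
})
# ... plus one user mistyping their own password from another host (must not alert)
$sample += @(1..4 | ForEach-Object {
    [pscustomobject]@{ Time = $t0.AddMinutes($_); User = 'mustermann'; Source = '10.0.0.50'; LogonType = '2'; SubStatus = '0xC000006A' }
})
Find-PasswordSpray -Records $sample | Format-Table -AutoSize
```

On the sample this reports exactly one alert, for 10.0.0.23 with 12 users and 12 attempts, and nothing for 10.0.0.50. Against live data, filter out SubStatus 0xC0000064 (unknown account) separately: a burst of non-existent usernames from one source is reconnaissance rather than spraying and deserves its own rule.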
FAQ
How often should GPOs be reviewed?
At least once a year. Additionally after: security incidents, Windows updates that require GPO changes, and new releases of the Microsoft Security Baselines (they accompany Windows feature updates).
Conclusion
GPO-based hardening with LAPS, ASR rules and audit policies gives Windows endpoints a strong baseline of protection without third-party software: LAPS removes the shared local administrator password, ASR rules block common initial-access and credential-theft techniques, and audit policies produce the events needed to detect what gets through.
GPO and Windows security for SMEs in Heidelberg, Mannheim and the Rhine-Neckar region. Request a consultation.