Some options to beef up security on your Windows computer aren’t available in the Settings app. You can find them in the Group Policy Editor, provided you’re using Windows Pro or Enterprise editions. Let’s look at several of them.
To access the Group Policy Editor, press Windows+R to open the Run dialog box. Enter gpedit.msc in the text box and click the “OK” button.

1. Screen Lockout Time
Enabling the screen lockout policy locks your computer after a specified period of inactivity. Using the computer after being locked out will require authentication, protecting your computer from unauthorized access.
Be sure to create a backup of your Group Policy Editor settings in case you make a mistake. This gives you a way to revert the settings to the state they were in before you changed them.

To find the screen lockout policy in the Group Policy Editor, go to Computer Configuration > Windows Settings > Security Settings > Local Policies > Security Options. Here, edit the “Interactive Logon: Machine Inactivity Limit” policy.
You will need to enter the number of seconds that should pass before your computer automatically locks. You may pick a number between 0 and 599,940.

2. Password Policies
The default password policies on Windows are not that strict. For instance, users can use the same password indefinitely and don’t need to create complex passwords. Luckily, you can make them stricter by editing the right security policies.
To find the password policies in the Group Policy Editor, go to Computer Configuration > Windows Settings > Security Settings > Account Policies > Password Policy.

There are several group policies to tweak here. Here are the ones I recommend changing:
Enforce password history
Recommended setting: 24 passwords remembered

Maximum password age
Forces users to change their password after a specified number of days.
Recommended setting: 60-90 days

Minimum password age
Sets the number of days a user must wait after changing their password before they can change it again.
Recommended setting: 1 day

Minimum password length
Sets the minimum number of characters a password must contain.
Recommended setting: 8-12 characters

Password must meet complexity requirements
Passwords must contain uppercase letters, lowercase letters, numbers, and special characters to be valid.
Recommended setting: Enabled
3. Account Lockout Threshold
If someone tries to hack into a user’s profile, they might attempt to guess the password. By setting the “Account Lockout Threshold” policy, you can ensure the account is locked after a set number of failed login attempts, either for several minutes or until an administrator unlocks it.
To find the “Account Lockout Threshold” policy in the Group Policy Editor, go to Computer Configuration > Windows Settings > Security Settings > Account Policies > Account Lockout Policy.
I’d recommend setting it to 3–5 login attempts before the account lockout period is triggered. Doing this will also enable the “Allow Administrator Lockout” policy and set the “Account Lockout Duration” and “Reset Account Lockout Counter After” policies to 10 minutes. You can tweak them individually if the default values don’t work for you.
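To confirm that the password, lockout, and inactivity settings above actually took effect, the following added example (not part of the original article) exports the local security policy with secedit and compares it with the recommended values. The temporary file name, the upper bound for password length, and the non-zero test for the inactivity limit are assumptions of this example.

```powershell
# Added example (not from the article). Run in an elevated PowerShell session.
# Export the effective local security policy to a temporary INF file.
$cfg = Join-Path $env:TEMP 'secpol-check.inf'
secedit.exe /export /cfg $cfg /areas SECURITYPOLICY | Out-Null

# Read every "Key = Value" line of the export into a lookup table.
$policy = @{}
foreach ($line in Get-Content -Path $cfg) {
    if ($line -match '^\s*([^=\[;]+?)\s*=\s*(.*)$') {
        $policy[$Matches[1]] = $Matches[2].Trim()
    }
}
Remove-Item -Path $cfg -Force

# Ranges follow the article's recommendations. The password-length upper bound
# and the "non-zero" inactivity test are assumptions of this example.
$inactivity = 'MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System\InactivityTimeoutSecs'
$checks = @(
    @{ Name = 'Enforce password history';       Key = 'PasswordHistorySize';   Min = 24; Max = 24 }
    @{ Name = 'Maximum password age (days)';    Key = 'MaximumPasswordAge';    Min = 60; Max = 90 }
    @{ Name = 'Minimum password age (days)';    Key = 'MinimumPasswordAge';    Min = 1;  Max = 1 }
    @{ Name = 'Minimum password length';        Key = 'MinimumPasswordLength'; Min = 8;  Max = 128 }
    @{ Name = 'Password complexity';            Key = 'PasswordComplexity';    Min = 1;  Max = 1 }
    @{ Name = 'Account lockout threshold';      Key = 'LockoutBadCount';       Min = 3;  Max = 5 }
    @{ Name = 'Account lockout duration (min)'; Key = 'LockoutDuration';       Min = 10; Max = 10 }
    @{ Name = 'Reset lockout counter (min)';    Key = 'ResetLockoutCount';     Min = 10; Max = 10 }
    @{ Name = 'Machine inactivity limit (sec)'; Key = $inactivity;             Min = 1;  Max = 599940 }
)

$report = foreach ($c in $checks) {
    $raw = $policy[$c.Key]
    # Registry-backed options export as "type,value" (for example "4,900").
    $value = if ($null -ne $raw) { [int](($raw -split ',')[-1]) } else { $null }
    [pscustomobject]@{
        Policy   = $c.Name
        Current  = if ($null -eq $value) { 'not defined' } else { $value }
        Expected = if ($c.Min -eq $c.Max) { "$($c.Min)" } else { "$($c.Min)-$($c.Max)" }
        Ok       = ($null -ne $value) -and ($value -ge $c.Min) -and ($value -le $c.Max)
    }
}
$report | Format-Table -AutoSize
```

A row marked "not defined" means the setting is absent from the export, which is the case for the inactivity limit until the policy has been configured.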
4. Disable Removable Media
Disabling removable media ensures flash drives, external drives, and other storage devices cannot be accessed on your Windows computer. That means no one can copy data from your computer or infect it with malicious software through these devices.
To disable removable media, navigate to Computer Configuration > Administrative Templates > System > Removable Storage Access. Find the “All Removable Storage classes: Deny All Access” policy and enable it.
If you want to set it for a specific profile instead of the whole computer, log into that profile, and enable the policy there. You will find it by going to User Configuration > Administrative Templates > System > Removable Storage Access.
5. User Account Control (UAC)
The UAC is a security feature that prevents users without administrative privileges from changing system settings. When a user wants to perform an action that requires administrator permission, they will receive a prompt asking them to obtain it before proceeding. This ensures that no one can make important changes without the consent of an administrator.
To access the UAC policies in the Group Policy Editor, go to Computer Configuration > Windows Settings > Security Settings > Local Policies > Security Options. Look for policies that start with “User Account Control.”
Here is how you should set it up to make your system more secure:
Behavior of the Elevation Prompt for Standard Users: Prompt for Credentials
Behavior of the Elevation Prompt for Administrators in Admin Approval Mode
Detect Application Installations and Prompt for Elevation
Only Elevate Executables that are Signed and Validated
6. Enable Account Audit Policies
Windows allows you to track certain actions regarding user accounts on your system. Reviewing the logs lets you look for suspicious activity, such as failed login attempts, unauthorized access, misuse of elevated privileges, or alterations to account settings.
To find these policies in the Group Policy Editor, go to Computer Configuration > Windows Settings > Security Settings > Local Policies > Audit Policy.
Here, edit the following policies by ticking the “Success” and “Failure” checkboxes:
You can find the audit trail of these policies in the Event Viewer. To open it, press Windows+R to bring up Windows Run. Enter eventvwr in the text box and click the “OK” button.
Then, select Event Viewer > Windows Logs > Security to find the logs created for the audit policies.
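Scrolling through the Security log by hand gets tedious, so here is an added example (not part of the original article) that pulls the last 24 hours of failed logons (event ID 4625) and account lockouts (event ID 4740) and summarizes them per account. It assumes logon and account management auditing are enabled; the 24-hour window and the threshold of 3 are choices made for this example.

```powershell
# Added example (not from the article). Run in an elevated PowerShell session.
# Event IDs: 4625 = failed logon, 4740 = user account locked out.
$since  = (Get-Date).AddHours(-24)
$filter = @{ LogName = 'Security'; Id = 4625, 4740; StartTime = $since }
$events = Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue

$rows = foreach ($e in $events) {
    # Named fields are stored in the event XML under EventData/Data.
    $data = @{}
    foreach ($d in ([xml]$e.ToXml()).Event.EventData.Data) {
        $data[$d.Name] = $d.'#text'
    }
    [pscustomobject]@{
        Time      = $e.TimeCreated
        EventId   = $e.Id
        Account   = $data['TargetUserName']
        IpAddress = $data['IpAddress']     # present on 4625, empty on 4740
    }
}

# Accounts with repeated failed logons, most-targeted first.
$threshold = 3   # lower end of the 3-5 attempts suggested for the lockout policy
$rows | Where-Object EventId -eq 4625 |
    Group-Object Account |
    Where-Object Count -ge $threshold |
    Sort-Object Count -Descending |
    Select-Object Name, Count,
        @{ n = 'Sources'; e = { ($_.Group.IpAddress | Sort-Object -Unique) -join ', ' } } |
    Format-Table -AutoSize

# Lockouts that actually fired in the same window.
$rows | Where-Object EventId -eq 4740 |
    Select-Object Time, Account |
    Format-Table -AutoSize
```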
Combine these group policy edits with other Windows Security settings to make your computer as safe as it can be. You can apply these tips whether you’re an IT administrator at a company or someone whose computer is used by others at home.
It’s best to do everything possible to protect your personal data. This includes disabling features like Command Prompt and clipboard history. The safety of your computer is in your hands.