Windows GPO Reference
A complete reference for Microsoft Windows Group Policy: a searchable database of GPO settings with registry paths, supported Windows versions, configuration steps, security implications and concrete use cases. Written for administrators managing Active Directory, Intune and standalone Windows.
What is a Group Policy?
A Group Policy Object (GPO) is a container of configuration settings that define how computers and user accounts behave. Each policy setting maps to one or more registry values, applies to a specific scope (Computer or User) and, for Administrative Template settings, is defined by an ADMX file. The Security Options and audit policies listed below are security settings applied by the security settings client-side extension (secedit and auditpol) rather than by an ADMX template, although most of them still end up as registry values. This reference indexes Microsoft's ADMX catalog with detailed explanations, registry mappings and operational guidance that the official Microsoft Learn pages do not provide.

Network security: NTLM SSP Security: Minimum session security
Requires 128-bit encryption and NTLMv2 session security for NTLM SSP based (including secure RPC) clients. The registry value NTLMMinClientSec under HKLM\SYSTEM\CurrentControlSet\Control\Lsa\MSV1_0 set to 537133056 (0x20080000) enables both requirements: 0x80000 for NTLMv2 session security and 0x20000000 for 128-bit encryption. MSPs use this to prevent downgrade attacks on client authentication. Check the Security log before enforcing: event 4624 records the NTLM package name (NTLM V1 or V2) and the key length of each logon, so clients that would break can be found first.
Computer Configuration > Windows Settings > Security Settings > Local Policies > Security Options
Supported on Windows 10, Windows 11, Windows Server 2016 and later

Network security: NTLM SSP Security: Require NTLMv2 session security
Server-side counterpart of the setting above (Minimum session security for NTLM SSP based (including secure RPC) servers): this computer rejects NTLM SSP connections that do not negotiate the required protections. NTLMMinServerSec = 537133056 under HKLM\SYSTEM\CurrentControlSet\Control\Lsa\MSV1_0 requires both NTLMv2 session security and 128-bit encryption. Critical for MSPs enforcing an authentication baseline across client networks; roll out the client setting first so that unmanaged clients surface as failures instead of silently downgrading.
Computer Configuration > Windows Settings > Security Settings > Local Policies > Security Options
Supported on Windows 10, Windows 11, Windows Server 2016 and later

RPC: Restrict Unauthenticated RPC clients
Controls whether the RPC runtime accepts unauthenticated clients over TCP/IP (RestrictRemoteClients under HKLM\SOFTWARE\Policies\Microsoft\Windows NT\Rpc). 0 (None) accepts anonymous clients; 1 (Authenticated) rejects them except for interfaces that explicitly allow anonymous callers; 2 (Authenticated without exceptions) rejects all of them and should be tested first, since some components rely on the exceptions. Essential for MSPs blocking anonymous RPC enumeration and exploitation. Note that RPC over named pipes is carried inside an SMB session, so NULL-session access on that transport is governed by the Network access settings, not by this value.
Computer Configuration > Administrative Templates > System > Remote Procedure Call
Supported on Windows 10, Windows 11, Windows Server 2016 and later

DCOM: Authentication Level
Sets the default DCOM authentication level. Packet Privacy (RPC_C_AUTHN_LEVEL_PKT_PRIVACY = 6) signs and encrypts every packet; lower levels only authenticate at connect time (2, Connect) or per call (3, Call), or sign without encrypting (5, Packet Integrity). The machine default is LegacyAuthenticationLevel under HKLM\SOFTWARE\Microsoft\Ole, also set from the Default Properties tab in Component Services; the DCOM hardening shipped in 2021 (KB5004442) already raises the minimum for activation requests to Packet Integrity on updated systems. Critical for MSPs protecting sensitive RPC/DCOM communications; a server that sets its own level in CoInitializeSecurity ignores the machine default.
Set through Component Services (dcomcnfg) default properties or the registry value above; there is no built-in Security Options entry for this value
Supported on Windows 10, Windows 11, Windows Server 2016 and later

Network security: Allow LocalSystem NULL session fallback
Controls whether services running as LocalSystem that authenticate with NTLM may fall back to a NULL (anonymous) session when the computer identity cannot be used. AllowNullSessionFallback under HKLM\SYSTEM\CurrentControlSet\Control\Lsa\MSV1_0 set to 0 disables the fallback, so such sessions fail instead of obtaining anonymous access. MSPs use this to force authenticated sessions throughout the infrastructure.
Computer Configuration > Windows Settings > Security Settings > Local Policies > Security Options
Supported on Windows 10, Windows 11, Windows Server 2016 and later

DCOM: Machine Launch Restrictions (Security Descriptor)
Controls who can launch and activate DCOM server applications on the computer, locally and remotely, as a security descriptor (SDDL) stored in MachineLaunchRestriction under HKLM\SOFTWARE\Policies\Microsoft\Windows NT\DCOM. Restricting remote activation to administrators prevents an attacker holding ordinary user credentials from launching DCOM objects on the machine for lateral movement, privilege escalation or persistence. The machine-wide descriptor is a ceiling: per-application launch permissions are evaluated in addition to it and cannot exceed it.
Computer Configuration > Windows Settings > Security Settings > Local Policies > Security Options
Supported on Windows 10, Windows 11, Windows Server 2016 and later

RPC: Enable RPC over named pipes
Controls whether RPC over the named-pipe transport (ncacn_np) is available. Keep it enabled for compatibility, since core Windows services (SAM, LSA, the service control manager) are reached over named pipes, but combine it with the authentication settings above: named-pipe RPC rides inside an SMB session, so SMB signing and the NULL-session restrictions are what actually protect it. MSPs monitor this as part of security posture.
Computer Configuration > Windows Settings > Security Settings > Local Policies > Security Options
Supported on Windows 10, Windows 11, Windows Server 2016 and later

Audit: Audit Other Account Logon Events
Subcategory of the Account Logon category; setting value 3 logs both success and failure. This subcategory currently generates no events of its own: NTLM pass-through validation is recorded by Audit Credential Validation (Event ID 4776) and Kerberos by the two Kerberos subcategories, so enable those alongside it. Essential for MSPs detecting compromised credentials in client environments, because for domain accounts these Account Logon events are generated on the domain controller that validated the credentials, not on the machine being logged on to.
Computer Configuration > Windows Settings > Security Settings > Advanced Audit Policy Configuration > System Audit Policies > Account Logon
Supported on Windows 10, Windows 11, Windows Server 2016 and later

RPC Endpoint Mapper: Authentication level for unauthenticated connections
Corresponds to Enable RPC Endpoint Mapper Client Authentication (EnableAuthEpResolution under HKLM\SOFTWARE\Policies\Microsoft\Windows NT\Rpc). Setting it to 1 makes RPC clients on this computer authenticate to the endpoint mapper when the call they are resolving carries authentication information. It is a client-side behaviour and does not by itself stop remote anonymous endpoint-mapper queries against this computer; that is what Restrict Unauthenticated RPC clients (above) controls. MSPs enable both on client systems to limit RPC enumeration.
Computer Configuration > Administrative Templates > System > Remote Procedure Call
Supported on Windows 10, Windows 11, Windows Server 2016 and later

Domain Controller: Restrict NTLM: NTLM authentication in this domain
Restricts NTLM pass-through authentication at the domain controller (Network security: Restrict NTLM: NTLM authentication in this domain; RestrictNTLMInDomain under HKLM\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters). The options are Disable, Deny for domain accounts to domain servers, Deny for domain accounts, Deny for domain servers and Deny all. There is no deny-and-log mode: logging comes from the companion Restrict NTLM: Audit NTLM authentication in this domain setting, which writes event 8004 to the Microsoft-Windows-NTLM/Operational log on the DC, and exemptions are listed in Restrict NTLM: Add server exceptions in this domain. Critical for MSPs enforcing a domain-wide Kerberos migration; run in audit mode first and review the 8004 events before denying.
Computer Configuration > Windows Settings > Security Settings > Local Policies > Security Options
Supported on Windows 10, Windows 11, Windows Server 2016 and later

DCOM: Machine Access Restrictions (Security Descriptor)
Controls who may call DCOM servers on the computer once they are running, as a security descriptor stored in MachineAccessRestriction under HKLM\SOFTWARE\Policies\Microsoft\Windows NT\DCOM (the Launch Restrictions above govern starting and activating them). MSPs remove remote access for broad groups such as Everyone and Anonymous Logon to prevent lateral movement through DCOM on client workstations; keep local access for Everyone, which many local COM scenarios depend on, and restrict the remote bits.
Computer Configuration > Windows Settings > Security Settings > Local Policies > Security Options
Supported on Windows 10, Windows 11, Windows Server 2016 and later

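The two DCOM descriptors above (Machine Launch Restrictions and Machine Access Restrictions) are stored as SDDL, which is hard to review by eye. The following PowerShell is an added example, not code from the original page: it reads the policy value (or, when no policy applies, the local default under the Ole key) and lists every trustee that is granted remote launch, activation or access. The registry locations are the documented ones; the right labels and the "GrantsRemote" flag are this example's own naming.

```powershell
# Added example: decode the machine-wide DCOM launch/activation and access restrictions
# into a per-trustee table that flags remote rights. Run in an elevated prompt.

$PolicyKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\DCOM'  # REG_SZ SDDL written by the GPO
$OleKey    = 'HKLM:\SOFTWARE\Microsoft\Ole'                        # REG_BINARY descriptors set via dcomcnfg

# COM access-right bits (COM_RIGHTS_* from the COM SDK); the labels are ours.
$ComRights = @(
  @{ Bit = 0x01; Label = 'Execute' }
  @{ Bit = 0x02; Label = 'LocalAccess' }
  @{ Bit = 0x04; Label = 'RemoteAccess' }
  @{ Bit = 0x08; Label = 'LocalActivation' }
  @{ Bit = 0x10; Label = 'RemoteActivation' }
)
$RemoteMask = 0x04 -bor 0x10

function Get-DcomRestrictionSddl {
  param([ValidateSet('MachineAccessRestriction','MachineLaunchRestriction')][string]$Name)
  # A policy value overrides the local default, so look there first.
  $pol = Get-ItemProperty -Path $PolicyKey -Name $Name -ErrorAction SilentlyContinue
  if ($pol) { return [pscustomobject]@{ Source = 'GroupPolicy'; Sddl = [string]$pol.$Name } }
  $loc = Get-ItemProperty -Path $OleKey -Name $Name -ErrorAction SilentlyContinue
  if ($loc) {
    # The Ole key stores a self-relative binary security descriptor; convert it to SDDL.
    $sd = [System.Security.AccessControl.RawSecurityDescriptor]::new([byte[]]$loc.$Name, 0)
    return [pscustomobject]@{ Source = 'LocalDefault'; Sddl = $sd.GetSddlForm('All') }
  }
  return [pscustomobject]@{ Source = 'BuiltInDefault'; Sddl = $null }
}

function ConvertFrom-DcomSddl {
  param([string]$Sddl, [string]$Restriction)
  if (-not $Sddl) { return }
  $sd = [System.Security.AccessControl.RawSecurityDescriptor]::new($Sddl)
  foreach ($ace in $sd.DiscretionaryAcl) {
    if ($ace -isnot [System.Security.AccessControl.CommonAce]) { continue }
    $sid = $ace.SecurityIdentifier
    try   { $who = $sid.Translate([System.Security.Principal.NTAccount]).Value }
    catch { $who = $sid.Value }   # unresolvable SID (deleted account, foreign domain)
    $rights = ($ComRights | Where-Object { ($ace.AccessMask -band $_.Bit) -ne 0 } |
               ForEach-Object { $_.Label }) -join ','
    [pscustomobject]@{
      Restriction  = $Restriction
      Trustee      = $who
      Type         = $ace.AceType   # AccessAllowed or AccessDenied
      Rights       = $rights
      GrantsRemote = ($ace.AceType -eq 'AccessAllowed') -and (($ace.AccessMask -band $RemoteMask) -ne 0)
    }
  }
}

function Get-DcomMachineRestrictions {
  foreach ($name in 'MachineLaunchRestriction','MachineAccessRestriction') {
    $entry = Get-DcomRestrictionSddl -Name $name
    ConvertFrom-DcomSddl -Sddl $entry.Sddl -Restriction "$name ($($entry.Source))"
  }
}

# On a hardened workstation the remote grants should be limited to Administrators
# (plus Distributed COM Users or Performance Log Users where those are actually needed).
Get-DcomMachineRestrictions | Where-Object GrantsRemote | Format-Table -AutoSize
```

When no value exists in either key the function reports BuiltInDefault with an empty SDDL; in that case the effective descriptor is the operating system's built-in default, which Component Services shows under COM Security.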
Disable RPC Connection Pooling
Disables RPC connection pooling. Setting 1 makes each request open a new connection instead of reusing an idle, already-authenticated one, which limits how long an established connection can be reused at the cost of extra connection setup. MSPs use this as a hardening measure on sensitive hosts; measure the performance impact on RPC-heavy workloads before deploying it broadly.
Computer Configuration > Windows Settings > Security Settings > Local Policies > Security Options
Supported on Windows 10, Windows 11, Windows Server 2016 and later

Network access: Shares that can be accessed anonymously
Lists the shares that can be reached over a NULL session (NullSessionShares, a REG_MULTI_SZ under HKLM\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters). MSPs keep this list empty to prevent anonymous share enumeration and data exposure, and pair it with Network access: Restrict anonymous access to Named Pipes and Shares, which makes this list the only exception to the anonymous restriction.
Computer Configuration > Windows Settings > Security Settings > Local Policies > Security Options
Supported on Windows 10, Windows 11, Windows Server 2016 and later

Audit: Audit Kerberos Authentication Service
Tracks Kerberos ticket-granting ticket requests: 4768 (TGT requested), 4771 (pre-authentication failed) and 4772 (TGT request failed). Setting value 3 logs successes and failures. Only domain controllers generate these events, so the subcategory belongs in the DC audit policy. Compared with the 4776 NTLM events from Audit Credential Validation, it lets MSPs measure NTLM deprecation progress, and bursts of 4771 for one source are the usual sign of a pre-authentication brute-force attempt.
Computer Configuration > Windows Settings > Security Settings > Advanced Audit Policy Configuration > System Audit Policies > Account Logon
Supported on Windows 10, Windows 11, Windows Server 2016 and later

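The three entries above that concern NTLM versus Kerberos telemetry (Audit Other Account Logon Events, Restrict NTLM: NTLM authentication in this domain, and Audit Kerberos Authentication Service) are only useful if someone reads the events before the deny switch is flipped. The following PowerShell is an added example, not code from the original page: run on a domain controller, it enables the Account Logon subcategories with auditpol, counts NTLM (4776) against Kerberos (4768/4771) events in the Security log, and lists the workstation/account pairs reported by the 8004 NTLM audit events. Event IDs and the 4776/4768/4771 field names are the documented ones; the 8004 field names (WorkstationName, UserName) are an assumption, so the parser keeps every field and only groups on those two when present. The 24-hour window is an arbitrary choice.

```powershell
# Added example: measure remaining NTLM use on a domain controller before restricting it.
# Requires an elevated prompt on a DC with the Account Logon subcategories enabled.

function Enable-AccountLogonAuditing {
  # auditpol writes the same "success and failure" setting (value 3) the GPO would.
  foreach ($sub in 'Credential Validation', 'Kerberos Authentication Service', 'Other Account Logon Events') {
    & auditpol.exe /set /subcategory:"$sub" /success:enable /failure:enable | Out-Null
  }
}

function ConvertFrom-EventData {
  # Flatten the <EventData><Data Name="..."> block of an event into a hashtable,
  # independent of the positional order of the properties.
  param([System.Diagnostics.Eventing.Reader.EventRecord]$Event)
  $xml = [xml]$Event.ToXml()
  $h = @{}
  foreach ($d in $xml.Event.EventData.Data) { $h[$d.Name] = $d.'#text' }
  return $h
}

function Get-AuthProtocolSummary {
  param([int]$Hours = 24)
  $since = (Get-Date).AddHours(-$Hours)
  # 4776 = NTLM credential validation (Audit Credential Validation)
  # 4768 = Kerberos TGT requested, 4771 = Kerberos pre-authentication failed
  $events = Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4776, 4768, 4771; StartTime = $since } `
                         -ErrorAction SilentlyContinue
  $rows = foreach ($e in $events) {
    $d = ConvertFrom-EventData -Event $e
    switch ($e.Id) {
      4776 { [pscustomobject]@{ Protocol = 'NTLM';     User = $d.TargetUserName; Source = $d.Workstation; Status = $d.Status } }
      4768 { [pscustomobject]@{ Protocol = 'Kerberos'; User = $d.TargetUserName; Source = $d.IpAddress;   Status = $d.Status } }
      4771 { [pscustomobject]@{ Protocol = 'Kerberos'; User = $d.TargetUserName; Source = $d.IpAddress;   Status = $d.Status } }
    }
  }
  $rows | Group-Object Protocol | ForEach-Object {
    [pscustomobject]@{
      Protocol        = $_.Name
      Events          = $_.Count
      Failures        = @($_.Group | Where-Object { $_.Status -ne '0x0' }).Count
      DistinctSources = @($_.Group.Source | Sort-Object -Unique).Count
    }
  }
}

function Get-NtlmSources {
  # "Restrict NTLM: Audit NTLM authentication in this domain" writes 8004 to the NTLM
  # operational log on the DC, one event per NTLM pass-through authentication.
  param([int]$Hours = 24)
  $since = (Get-Date).AddHours(-$Hours)
  Get-WinEvent -FilterHashtable @{ LogName = 'Microsoft-Windows-NTLM/Operational'; Id = 8004; StartTime = $since } `
               -ErrorAction SilentlyContinue |
    ForEach-Object { ConvertFrom-EventData -Event $_ } |
    Group-Object { "$($_.WorkstationName) | $($_.UserName)" } |   # assumed field names, see lead-in
    Sort-Object Count -Descending |
    Select-Object Count, @{ Name = 'Workstation | User'; Expression = { $_.Name } }
}

Enable-AccountLogonAuditing
Get-AuthProtocolSummary -Hours 24 | Format-Table -AutoSize
Get-NtlmSources -Hours 24 | Format-Table -AutoSize
```

Each workstation/account pair that shows up in the 8004 list is something that will break under Deny all; the usual findings are service accounts addressing servers by IP address (which forces NTLM) and appliances that do not speak Kerberos.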
Network security: Do not store LAN Manager hash on next password change
Prevents the LM hash from being stored at the next password change (NoLMHash = 1 under HKLM\SYSTEM\CurrentControlSet\Control\Lsa). The LM hash is trivially crackable, so this eliminates weak authentication material; existing LM hashes remain until each account changes its password, so force a change after enabling it. Enabled by default since Windows Vista and Windows Server 2008, but still worth asserting through policy on upgraded domains.
Computer Configuration > Windows Settings > Security Settings > Local Policies > Security Options
Supported on Windows 10, Windows 11, Windows Server 2016 and later

DCOM: Default Impersonation Level
Sets the default impersonation level that DCOM clients on this computer grant to the servers they call (LegacyImpersonationLevel under HKLM\SOFTWARE\Microsoft\Ole): Anonymous (1), Identify (2), Impersonate (3) or Delegate (4). Identify lets the server learn the caller's identity for access checks but not act under it; Impersonate, the usual default, lets the server use the caller's token on the local machine; Delegate lets it forward the identity to further hops. MSPs lower the default to Identify to limit privilege escalation through DCOM servers that impersonate their callers; a client that sets its own level in CoInitializeSecurity is not affected by the machine default.
Set through Component Services (dcomcnfg) default properties or the registry value above; there is no built-in Security Options entry for this value
Supported on Windows 10, Windows 11, Windows Server 2016 and later

Network security: Disable SMBv1
Disables the legacy SMBv1 protocol. SMB1 = 0 under HKLM\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters turns off the server side only; the client side is the mrxsmb10 driver, removed with the SMB1Protocol Windows feature (FS-SMB1 on Windows Server). There is no built-in Security Options entry for this: use the Configure SMB v1 server and Configure SMB v1 client driver settings from the MS Security Guide template (SecGuide.admx, Security Compliance Toolkit), or Set-SmbServerConfiguration -EnableSMB1Protocol $false. Critical for MSPs eliminating the EternalBlue attack surface used by WannaCry and NotPetya; turn on SMB1 access auditing (Set-SmbServerConfiguration -AuditSmb1Access $true, event 3000 in the Microsoft-Windows-SMBServer/Audit log) before disabling, since old printers and NAS devices may still depend on it.
Computer Configuration > Administrative Templates > MS Security Guide (SecGuide.admx), or Windows Features
Supported on Windows 10, Windows 11, Windows Server 2016 and later

Microsoft network server: Digitally sign communications (always)
Requires SMB signing on every inbound SMB connection to this computer (RequireSecuritySignature = 1 under HKLM\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters). Essential for MSPs preventing man-in-the-middle and NTLM relay attacks against SMB shares. Set the client-side counterpart as well (Microsoft network client: Digitally sign communications (always)); otherwise connections from this machine to unsigned servers remain exposed. Windows 11 24H2 and Windows Server 2025 require signing by default for all connections.
Computer Configuration > Windows Settings > Security Settings > Local Policies > Security Options
Supported on Windows 10, Windows 11, Windows Server 2016 and later

Network access: Let Everyone permissions apply to anonymous users
Controls whether the Anonymous Logon identity is treated as a member of Everyone (EveryoneIncludesAnonymous under HKLM\SYSTEM\CurrentControlSet\Control\Lsa). Keep it at 0, the default since Windows XP and Windows Server 2003, so that ACLs granting Everyone do not also grant anonymous access. Critical for MSPs preventing unauthenticated enumeration of users and shares.
Computer Configuration > Windows Settings > Security Settings > Local Policies > Security Options
Supported on Windows 10, Windows 11, Windows Server 2016 and later

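Several of the Security Options on this page are plain registry values, so a baseline check is a table of paths, names and expected values. The following PowerShell is an added example, not code from the original page: it covers the two NTLM SSP session-security entries, Allow LocalSystem NULL session fallback, Shares that can be accessed anonymously, Do not store LAN Manager hash and Let Everyone permissions apply to anonymous users, reports compliance per setting and can write the expected values. The registry paths and value names are the documented backing for each policy; the expected values are the hardened choices recommended above and are this example's assumption of a baseline. The NTLM entries are compared bit-wise, because 537133056 is a flag mask and a value with extra bits set still satisfies both requirements.

```powershell
# Added example: compare the registry values behind six Security Options against a
# hardened baseline, and optionally apply them. Run in an elevated prompt.

$NtlmV2SessionSecurity = 0x00080000   # "Require NTLMv2 session security"
$Ntlm128BitEncryption  = 0x20000000   # "Require 128-bit encryption"
$NtlmMinSec = $NtlmV2SessionSecurity -bor $Ntlm128BitEncryption   # 0x20080000 = 537133056

$Lsa    = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
$Msv1   = "$Lsa\MSV1_0"
$Server = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters'

# One row per setting: where it lives, what we expect and how to compare (assumed baseline).
$Baseline = @(
  @{ Policy = 'NTLM SSP minimum session security (clients)'; Path = $Msv1;   Name = 'NTLMMinClientSec';          Expected = $NtlmMinSec; Kind = 'Flags' }
  @{ Policy = 'NTLM SSP minimum session security (servers)'; Path = $Msv1;   Name = 'NTLMMinServerSec';          Expected = $NtlmMinSec; Kind = 'Flags' }
  @{ Policy = 'Allow LocalSystem NULL session fallback';     Path = $Msv1;   Name = 'AllowNullSessionFallback';  Expected = 0;           Kind = 'Exact' }
  @{ Policy = 'Do not store LAN Manager hash';               Path = $Lsa;    Name = 'NoLMHash';                  Expected = 1;           Kind = 'Exact' }
  @{ Policy = 'Let Everyone permissions apply to anonymous'; Path = $Lsa;    Name = 'EveryoneIncludesAnonymous'; Expected = 0;           Kind = 'Exact' }
  @{ Policy = 'Shares that can be accessed anonymously';     Path = $Server; Name = 'NullSessionShares';         Expected = @();         Kind = 'EmptyList' }
)

function Get-RegValueOrNull {
  param([string]$Path, [string]$Name)
  $item = Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue
  if ($null -eq $item) { return $null }   # key or value absent: the OS default applies
  return $item.$Name
}

function Test-SecurityBaseline {
  foreach ($row in $Baseline) {
    $actual = Get-RegValueOrNull -Path $row.Path -Name $row.Name
    $ok = switch ($row.Kind) {
      'Exact'     { $actual -eq $row.Expected }
      # Flags: compliant when every required bit is set, even if other bits are too.
      'Flags'     { ($null -ne $actual) -and (($actual -band $row.Expected) -eq $row.Expected) }
      # An absent or empty REG_MULTI_SZ means no share is reachable anonymously.
      'EmptyList' { ($null -eq $actual) -or (@($actual | Where-Object { $_ -ne '' }).Count -eq 0) }
    }
    $shown = if ($null -eq $actual) { '<absent>' }
             elseif ($row.Kind -eq 'Flags') { '0x{0:X8}' -f [int64]$actual }
             else { "$actual" }
    [pscustomobject]@{ Policy = $row.Policy; Value = $row.Name; Actual = $shown; Compliant = [bool]$ok }
  }
}

function Set-SecurityBaseline {
  # Writes the expected values locally. On domain-joined machines prefer the GPO:
  # Group Policy rewrites these values at refresh, so a local edit is only a stopgap.
  foreach ($row in $Baseline) {
    if (-not (Test-Path $row.Path)) { New-Item -Path $row.Path -Force | Out-Null }
    if ($row.Kind -eq 'EmptyList') {
      Set-ItemProperty -Path $row.Path -Name $row.Name -Value ([string[]]@()) -Type MultiString
    } else {
      Set-ItemProperty -Path $row.Path -Name $row.Name -Value ([int]$row.Expected) -Type DWord
    }
  }
}

Test-SecurityBaseline | Format-Table -AutoSize
```

Values that read as absent are not necessarily non-compliant: NoLMHash and EveryoneIncludesAnonymous have safe OS defaults when the value is missing, which is why the report shows the raw state and leaves the decision to the reviewer rather than silently treating absence as a pass.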
Network Access: UNC Hardened Access (domain systems)
Hardened UNC Paths (HardenedPaths under HKLM\SOFTWARE\Policies\Microsoft\Windows\NetworkProvider) requires mutual authentication (Kerberos) and integrity (SMB signing), optionally privacy (SMB encryption), for access to the listed UNC paths, typically \\*\SYSVOL and \\*\NETLOGON. Each entry maps a path to a string such as RequireMutualAuthentication=1, RequireIntegrity=1. It was introduced with MS15-011 to stop an attacker on the network path from substituting Group Policy files; it does not restrict NULL sessions and has no bearing on tools such as wmiexec. Essential for MSPs protecting domain-joined machines from Group Policy tampering on hostile networks.
Computer Configuration > Administrative Templates > Network > Network Provider
Supported on Windows 10, Windows 11, Windows Server 2016 and later

RPC: Enable RPC over TCP/IP
Controls the RPC over TCP/IP transport (ncacn_ip_tcp). MSPs may restrict it on highly secured networks, but most modern systems require it for services like WMI (which runs over DCOM) and remote management tools; firewall rules limiting who can reach TCP 135 and the dynamic RPC port range are usually the more practical control. WinRM does not depend on it: it uses HTTP(S) on TCP 5985/5986.
Computer Configuration > Windows Settings > Security Settings > Local Policies > Security Options
Supported on Windows 10, Windows 11, Windows Server 2016 and later

Configure RPC connection timeout
Sets the RPC connection timeout in milliseconds; a value of 30000 closes the connection after 30 seconds. MSPs use this to limit resource exhaustion from half-open or abandoned RPC connections; lower it only after checking that long-running remote calls (large WMI queries, backup agents) still complete within the limit.
Computer Configuration > Windows Settings > Security Settings > Local Policies > Security Options
Supported on Windows 10, Windows 11, Windows Server 2016 and later

WMI: Restrict WMI Remote Access
Controls WMI access-control behaviour. The default (0) leaves access to the per-namespace WMI security (the Remote Enable permission on the namespace) combined with the DCOM launch and access permissions. MSPs audit this to ensure WMI is properly restricted on client systems, since remote WMI is a standard lateral-movement and remote-execution channel.
Computer Configuration > Windows Settings > Security Settings > Local Policies > Security Options
Supported on Windows 10, Windows 11, Windows Server 2016 and later

Network access: Insecure guest logons
Controls whether the SMB client on this computer accepts a guest logon offered by a server (Enable insecure guest logons; AllowInsecureGuestAuth under HKLM\SOFTWARE\Policies\Microsoft\Windows\LanmanWorkstation). Set it to 0 (disabled) so the client refuses the guest fallback: guest sessions carry no signing or encryption, so a spoofed or compromised server can tamper with the data, and a silent fallback to guest hides authentication failures from the user. Critical for MSPs on legacy networks with consumer NAS devices that only offer guest access. Disabled by default on Enterprise and Education editions since Windows 10 1709 and Windows Server 2019.
Computer Configuration > Administrative Templates > Network > Lanman Workstation
Supported on Windows 10, Windows 11, Windows Server 2016 and later

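The three SMB entries on this page (Disable SMBv1, Digitally sign communications (always) and Insecure guest logons) are easiest to verify and roll out with the built-in SmbShare cmdlets rather than by editing the registry. The following PowerShell is an added example, not code from the original page: it reports the current SMB posture, finds clients still negotiating SMB1 (live sessions plus the audit log), and applies the hardening in two stages, audit first, then enforce. The cmdlets and property names are the real SmbShare module ones; the "audit first" workflow and the dialect comparison are this example's design.

```powershell
# Added example: inventory and harden SMB1, signing and guest-logon state.
# Run in an elevated prompt; server-side cmdlets need the SmbShare module (Windows 8 / 2012+).

function Get-SmbPosture {
  $srv = Get-SmbServerConfiguration
  $cli = Get-SmbClientConfiguration
  [pscustomobject]@{
    Smb1ServerEnabled       = $srv.EnableSMB1Protocol
    Smb1ClientDriverPresent = ($null -ne (Get-Service -Name mrxsmb10 -ErrorAction SilentlyContinue))
    ServerRequiresSigning   = $srv.RequireSecuritySignature
    ClientRequiresSigning   = $cli.RequireSecuritySignature
    InsecureGuestLogons     = $cli.EnableInsecureGuestLogons
    Smb1AuditingEnabled     = $srv.AuditSmb1Access
  }
}

function Get-Smb1Clients {
  # Who still talks SMB1 to this server: sessions with a dialect below 2.0, plus the
  # 3000 audit events written to the SMB server audit log once AuditSmb1Access is on.
  $live = Get-SmbSession -ErrorAction SilentlyContinue |
    Where-Object { $_.Dialect -and ([version]$_.Dialect -lt [version]'2.0') } |
    Select-Object ClientComputerName, ClientUserName, Dialect
  $audited = Get-WinEvent -FilterHashtable @{ LogName = 'Microsoft-Windows-SMBServer/Audit'; Id = 3000 } `
                          -ErrorAction SilentlyContinue |
    ForEach-Object { $_.Message } | Sort-Object -Unique
  [pscustomobject]@{ LiveSmb1Sessions = @($live); AuditedSmb1Access = @($audited) }
}

function Set-SmbHardening {
  param([switch]$AuditOnly)
  if ($AuditOnly) {
    # Stage 1: log SMB1 access for a week or two without blocking anything.
    Set-SmbServerConfiguration -AuditSmb1Access $true -Force
    return
  }
  # Stage 2: enforce. Signing on both sides, no guest fallback, SMB1 off.
  Set-SmbServerConfiguration -EnableSMB1Protocol $false -RequireSecuritySignature $true -Force
  Set-SmbClientConfiguration -RequireSecuritySignature $true -EnableInsecureGuestLogons $false -Force
  # The SMB1 client driver is a separate feature; removing it requires a reboot.
  if (Get-Command Remove-WindowsFeature -ErrorAction SilentlyContinue) {
    Remove-WindowsFeature -Name FS-SMB1 | Out-Null                                   # Windows Server
  } else {
    Disable-WindowsOptionalFeature -Online -FeatureName SMB1Protocol -NoRestart | Out-Null   # Windows client
  }
}

Get-SmbPosture
Get-Smb1Clients
# Set-SmbHardening -AuditOnly   # first pass
# Set-SmbHardening              # after reviewing Get-Smb1Clients output
```

On a domain-joined machine the GPO remains the source of truth: the cmdlets above change the same registry values the policy writes, so use them to verify and to stage the change on pilot hosts, then ship the setting through the GPO so that Group Policy refresh does not revert it.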
