Windows GPO Reference
A complete reference for Microsoft Windows Group Policy: a searchable database of GPO settings with registry paths, supported Windows versions, configuration steps, security implications and concrete use cases. Designed for administrators managing Active Directory, Intune and standalone Windows.
What is a Group Policy?
A Group Policy Object (GPO) is a Windows configuration setting that defines the behaviour of computers and user accounts. Each policy maps to one or more registry values, applies to a specific scope (Computer or User) and is delivered in an ADMX (administrative template) file. This reference indexes Microsoft's ADMX catalogue with detailed explanations, registry mappings and operational guidance not found on the official Microsoft Learn pages.
Prevent Installation of Devices Using Drivers that Match These Device Setup Classes
Blocks device classes by GUID. Use the USB storage class GUID to block all USB storage while allowing HID devices.
Computer Configuration > Administrative Templates > System > Device Installation > Device Installation Restrictions
Supported on Windows 10, Windows 11, Windows Server 2016 and later
See the reference →
Allow Remote Server Management Through WinRM
Enables WinRM for remote management. Should be restricted to management subnets via IP filter.
Computer Configuration > Administrative Templates > Windows Components > Windows Remote Management > WinRM Service
Supported on Windows 10, Windows 11, Windows Server 2016 and later
See the reference →
Allow Print Spooler to Accept Client Connections
Disabling this mitigates PrintNightmare (CVE-2021-1675) by preventing remote access to the spooler.
Computer Configuration > Administrative Templates > Printers
Supported on Windows 10, Windows 11, Windows Server 2016 and later
See the reference →
Turn Off AutoPlay
Disables AutoPlay for all drives including USB. Prevents autorun-based malware.
Computer Configuration > Administrative Templates > Windows Components > AutoPlay Policies
Supported on Windows 10, Windows 11, Windows Server 2016 and later
See the reference →
Allow Users to Connect Remotely Using Remote Desktop Services
Master switch for allowing inbound RDP connections.
Computer Configuration > Administrative Templates > Windows Components > Remote Desktop Services > Remote Desktop Session Host > Connections
Supported on Windows 10, Windows 11, Windows Server 2016 and later
See the reference →
Set the Default Behavior for AutoRun
Prevents AutoRun commands from executing when media is inserted.
Computer Configuration > Administrative Templates > Windows Components > AutoPlay Policies
Supported on Windows 10, Windows 11, Windows Server 2016 and later
See the reference →
AppLocker - Executable Rules
Controls which .exe and .com files can run. Default rules allow standard program locations.
Computer Configuration > Windows Settings > Security Settings > Application Control Policies > AppLocker > Executable Rules
Supported on Windows 10, Windows 11, Windows Server 2016 and later
See the reference →
AppLocker - Script Rules
Controls which .ps1, .bat, .cmd, .vbs, .js files can run.
Computer Configuration > Windows Settings > Security Settings > Application Control Policies > AppLocker > Script Rules
Supported on Windows 10, Windows 11, Windows Server 2016 and later
See the reference →
Set Time Limit for Disconnected Sessions
Terminates disconnected RDP sessions after a set period.
Computer Configuration > Administrative Templates > Windows Components > Remote Desktop Services > Remote Desktop Session Host > Session Time Limits
Supported on Windows 10, Windows 11, Windows Server 2016 and later
See the reference →
Require Network Level Authentication for Remote Connections
Requires NLA before establishing a full RDP session. Reduces exposure of the login screen.
Computer Configuration > Administrative Templates > Windows Components > Remote Desktop Services > Remote Desktop Session Host > Security
Supported on Windows 10, Windows 11, Windows Server 2016 and later
See the reference →
Allow Unencrypted Traffic (WinRM Service)
Prevents WinRM from sending or receiving unencrypted traffic.
Computer Configuration > Administrative Templates > Windows Components > Windows Remote Management > WinRM Service
Supported on Windows 10, Windows 11, Windows Server 2016 and later
See the reference →
Point and Print Restrictions
Controls whether users get UAC prompts when installing drivers via Point and Print.
Computer Configuration > Administrative Templates > Printers
Supported on Windows 10, Windows 11, Windows Server 2016 and later
See the reference →
Set Time Limit for Active but Idle Sessions
Disconnects idle RDP sessions after the specified time.
Computer Configuration > Administrative Templates > Windows Components > Remote Desktop Services > Remote Desktop Session Host > Session Time Limits
Supported on Windows 10, Windows 11, Windows Server 2016 and later
See the reference →
Do Not Allow Drive Redirection
Prevents local drives from being mapped in RDP sessions. Reduces data exfiltration risk.
Computer Configuration > Administrative Templates > Windows Components > Remote Desktop Services > Remote Desktop Session Host > Device and Resource Redirection
Supported on Windows 10, Windows 11, Windows Server 2016 and later
See the reference →
Do Not Allow Clipboard Redirection
Disables clipboard sharing between RDP client and server.
Computer Configuration > Administrative Templates > Windows Components > Remote Desktop Services > Remote Desktop Session Host > Device and Resource Redirection
Supported on Windows 10, Windows 11, Windows Server 2016 and later
See the reference →
Limits Print Driver Installation to Administrators
Prevents non-admins from installing printer drivers. Mitigates PrintNightmare.
Computer Configuration > Administrative Templates > Printers
Supported on Windows 10, Windows 11, Windows Server 2016 and later
See the reference →
Turn on Script Execution
Controls the PowerShell execution policy. RemoteSigned requires remote scripts to be signed.
Computer Configuration > Administrative Templates > Windows Components > Windows PowerShell
Supported on Windows 10, Windows 11, Windows Server 2016 and later
See the reference →
Always Prompt for Password Upon Connection
Prevents saved credentials from being used to auto-connect via RDP.
Computer Configuration > Administrative Templates > Windows Components > Remote Desktop Services > Remote Desktop Session Host > Security
Supported on Windows 10, Windows 11, Windows Server 2016 and later
See the reference →
Allow Basic Authentication (WinRM Client)
Prevents the WinRM client from using Basic authentication.
Computer Configuration > Administrative Templates > Windows Components > Windows Remote Management > WinRM Client
Supported on Windows 10, Windows 11, Windows Server 2016 and later
See the reference →
Configure Redirection Guard
Protects against printer driver redirection attacks.
Computer Configuration > Administrative Templates > Printers
Supported on Windows 10, Windows 11, Windows Server 2016 and later
See the reference →
Remove Access to Use All Windows Update Features
Prevents users from accessing Windows Update directly. Forces use of WSUS.
Computer Configuration > Administrative Templates > Windows Components > Windows Update
Supported on Windows 10, Windows 11, Windows Server 2016 and later
See the reference →
Allow Basic Authentication (WinRM Service)
Basic auth sends credentials in base64 (essentially plaintext). Should be disabled.
Computer Configuration > Administrative Templates > Windows Components > Windows Remote Management > WinRM Service
Supported on Windows 10, Windows 11, Windows Server 2016 and later
See the reference →
Configure Automatic Updates
Controls how Windows Update downloads and installs updates. Value 4 is the standard managed setting.
Computer Configuration > Administrative Templates > Windows Components > Windows Update
Supported on Windows 10, Windows 11, Windows Server 2016 and later
See the reference →
Minimum Password Length
Minimum number of characters required in a password. NIST recommends 8+, CIS recommends 14+.
Computer Configuration > Windows Settings > Security Settings > Account Policies > Password Policy
Supported on Windows 10, Windows 11, Windows Server 2016 and later
See the reference →
