AD Group Policy settings for Microsoft Teams Room on Windows Part 3/3

10/4/2021

Microsoft Teams Rooms (MTR) on Windows solutions are by far the most widely deployed Microsoft meeting room solutions today, and there are many vendors to choose from, such as the Poly MTR on Windows kits. The solution comprises key components such as a Windows PC running Windows 10 with the Teams Room application, a touchscreen control panel, and a number of peripheral devices (camera, microphone, speaker). Many organizations have policies that require Windows PCs to join the AD domain and have Group Policy Objects (GPOs) assigned to improve the security of the device. This blog post aims to assist administrators with which GPOs may safely be applied to an MTRoW device without losing any functionality and which GPOs will render the device unusable. It is a continuation of the previous blog post.
In addition to the Teams Room security features already included by default, as described by Microsoft in this document: Microsoft Teams Rooms Security - Microsoft Teams | Microsoft Docs, joining the MTRoW device to the AD domain allows AD Group Policy Objects (GPOs) to provide additional security hardening for the Windows 10 OS, categorized into 3 areas:
  1. Windows 10 Security Requirements
  2. Strong User Rights
  3. Security Options
Note that this blog post is based on Teams Room version 4.9.12 on Windows 10 20H2. Let's look at each of these areas in more detail.

3. Security Options
| Policy | Parameter | MTR Default | Possible Changes |
|---|---|---|---|
| Account: Administrator account status | Disabled | Disabled | Not necessary |
| Accounts: Guest account status | Disabled | Disabled | Not necessary |
| Accounts: Limit local account use of blank passwords to console logon only | Enabled | Enabled | Not necessary |
| Audit: Force audit policy subcategory settings (Windows Vista or later) to override audit policy category settings | Enabled | Not Defined | Enabled |
| Audit: Shut down system immediately if unable to log security audits | Disabled | Disabled | Not necessary |
| Domain member: Digitally encrypt secure channel data (when possible) | Enabled | Enabled | Not necessary |
| Domain member: Digitally sign secure channel data (when possible) | Enabled | Enabled | Not necessary |
| Domain member: Disable machine account password changes | Disabled | Disabled | Not necessary |
| Domain member: Maximum machine account password age | 90 days | 30 days | No impact |
| Domain member: Require strong (Windows 2000 or later) session key | Enabled | Enabled | Not necessary |
| Interactive logon: Do not require CTRL+ALT+DEL | Disabled | Not Defined | Must be enabled, as the Skype account needs to sign the device back in seamlessly, without user interaction, after the nightly maintenance reboot or a device restart |
| Interactive logon: Machine account lockout threshold | 5 invalid logon attempts | Not Defined | No impact |
| Interactive logon: Machine inactivity limit | 600 seconds | Not Defined | Must not be changed, as the device needs to be ready at all times |
| Interactive logon: Number of previous logons to cache (in case domain controller is not available) | 5 logons | 10 logons | No impact |
| Interactive logon: Prompt user to change password before expiration | 14 days | 5 days | No impact |
| Interactive logon: Smart card removal behavior | No action | No action | Not necessary |
| Microsoft network client: Digitally sign communications (always) | Enabled | Disabled | No impact |
| Microsoft network client: Send unencrypted password to third-party SMB servers | Disabled | Disabled | Not necessary |
| Microsoft network server: Amount of idle time required before suspending session | 30 minutes | Not Defined | No impact |
| Microsoft network server: Digitally sign communications (always) | Enabled | Disabled | No impact |
| Microsoft network server: Disconnect clients when logon hours expire | Enabled | Enabled | Not necessary |
| Network access: Allow anonymous SID/Name translation | Disabled | Disabled | Not necessary |
| Network access: Do not allow anonymous enumeration of SAM accounts | Enabled | Enabled | Not necessary |
| Network access: Do not allow anonymous enumeration of SAM accounts and shares | Enabled | Disabled | No impact |
| Network access: Let Everyone permissions apply to anonymous users | Disabled | Disabled | Not necessary |
| Network access: Remotely accessible registry paths | System\CurrentControlSet\Control\ProductOptions; System\CurrentControlSet\Control\Server Applications; Software\Microsoft\Windows NT\CurrentVersion | System\CurrentControlSet\Control\ProductOptions; System\CurrentControlSet\Control\Server Applications; Software\Microsoft\Windows NT\CurrentVersion | Not necessary |
| Network access: Remotely accessible registry paths and sub-paths | System\CurrentControlSet\Control\Print\Printers; System\CurrentControlSet\Services\Eventlog; Software\Microsoft\OLAP Server; Software\Microsoft\Windows NT\CurrentVersion\Print; Software\Microsoft\Windows NT\CurrentVersion\Windows; System\CurrentControlSet\Control\ContentIndex; System\CurrentControlSet\Control\Terminal Server; System\CurrentControlSet\Control\Terminal Server\UserConfig; System\CurrentControlSet\Control\Terminal Server\DefaultUserConfiguration; Software\Microsoft\Windows NT\CurrentVersion\Perflib; System\CurrentControlSet\Services\SysmonLog | System\CurrentControlSet\Control\Print\Printers; System\CurrentControlSet\Services\Eventlog; Software\Microsoft\OLAP Server; Software\Microsoft\Windows NT\CurrentVersion\Print; Software\Microsoft\Windows NT\CurrentVersion\Windows; System\CurrentControlSet\Control\ContentIndex; System\CurrentControlSet\Control\Terminal Server; System\CurrentControlSet\Control\Terminal Server\UserConfig; System\CurrentControlSet\Control\Terminal Server\DefaultUserConfiguration; Software\Microsoft\Windows NT\CurrentVersion\Perflib; System\CurrentControlSet\Services\SysmonLog | Not necessary |
| Network access: Restrict anonymous access to Named Pipes and Shares | Enabled | Enabled | Not necessary |
| Network access: Sharing and security model for local accounts | Classic - local users authenticate as themselves | Classic - local users authenticate as themselves | Not necessary |
| Network security: Allow Local System to use computer identity for NTLM | Enabled | Not Defined | No impact |
| Network security: Allow Local System NULL session fallback | Disabled | Not Defined | No impact |
| Network security: Do not store LAN Manager hash value on next password change | Enabled | Enabled | Not necessary |
| Network security: Force logoff when logon hours expire (to be set at Domain Controller) | Disabled | Disabled | Not necessary |
| Network security: LAN Manager authentication level | Send NTLMv2 response only. Refuse LM & NTLM | Not Defined | No impact |
| Network security: LDAP client signing requirements | Negotiate signing | Negotiate signing | Not necessary |
| Network security: Minimum session security for NTLM SSP based (including secure RPC) clients | Require NTLMv2 session security, Require 128-bit encryption | Require 128-bit encryption | No impact |
| Network security: Minimum session security for NTLM SSP based (including secure RPC) servers | Require NTLMv2 session security, Require 128-bit encryption | Require 128-bit encryption | No impact |
| System objects: Require case insensitivity for non-Windows subsystems | Enabled | Enabled | Not necessary |
| System objects: Strengthen default permissions of internal system objects (e.g. Symbolic Links) | Enabled | Enabled | Not necessary |
| System settings: Use Certificate Rules on Windows Executables for Software Restriction Policies | Disabled | Disabled | Not necessary |
| User Account Control: Admin Approval Mode for the Built-in Administrator account | Enabled | Not Defined | No impact |
| User Account Control: Behavior of the elevation prompt for administrators in Admin Approval Mode | Prompt for consent for non-Windows binaries | Prompt for consent for non-Windows binaries | Not necessary |
| User Account Control: Behavior of the elevation prompt for standard users | Prompt for credentials | Prompt for credentials | Not necessary |
| User Account Control: Detect application installations and prompt for elevation | Enabled | Enabled | Not necessary |
| User Account Control: Only elevate UIAccess applications that are installed in secure locations | Enabled | Enabled | Not necessary |
| User Account Control: Run all administrators in Admin Approval Mode | Enabled | Enabled | Not necessary |
| User Account Control: Switch to the secure desktop when prompting for elevation | Enabled | Enabled | Not necessary |
| User Account Control: Virtualize file and registry write failures to per-user locations | Enabled | Enabled | Not necessary |
This finally concludes a long 3-part blog series that covers many of the common Windows 10 security policy parameters that may or may not be applied to Teams Room on Windows devices. It did not cover 100% of the parameters available, but hopefully it is sufficient for most organizations' requirements. Should there be any other parameters that should be covered, kindly leave them in the comments section below.
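As an added example to go with the Security Options table above (this script is not from the UCPrimer post and is not Microsoft's or any vendor's code), the following PowerShell reads the registry values that back a subset of those policies on an MTR on Windows device and reports whether the device is in the state the table requires. The two rows the table marks as "Must be enabled" and "Must not be changed" are reported as breaking the room system when the hardening value has been applied; the "No impact" rows are reported as hardening gaps when the Parameter value is not yet in place. The registry paths and value names are the standard backing values for these policies; the expected values come from the table's Parameter column, and the function name `Test-MtrSecurityOption` is my own. Run it from an elevated PowerShell on the MTR PC, or wrap it in `Invoke-Command` for a fleet of rooms.

```powershell
# Added example, not code from the UCPrimer post. Checks a subset of the
# Security Options table against the live registry on an MTR on Windows PC.
# Each check carries a Pass scriptblock that receives the current value
# ($null when the policy is Not Defined) and returns $true when the device
# is in the state the table asks for.

$checks = @(
    @{
        Policy = 'Interactive logon: Do not require CTRL+ALT+DEL'
        Path   = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
        Name   = 'DisableCAD'
        Impact = 'Breaks MTR'
        Rule   = 'Must not be Disabled (0); the Skype account has to sign in without user interaction'
        Pass   = { param($v) $v -ne 0 }                       # Not Defined or Enabled (1) are both fine
    },
    @{
        Policy = 'Interactive logon: Machine inactivity limit'
        Path   = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
        Name   = 'InactivityTimeoutSecs'
        Impact = 'Breaks MTR'
        Rule   = 'Must stay Not Defined; the room PC must be ready at all times'
        Pass   = { param($v) ($null -eq $v) -or ($v -eq 0) }  # any positive timeout locks the console
    },
    @{
        Policy = 'Audit: Force audit policy subcategory settings to override category settings'
        Path   = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
        Name   = 'SCENoApplyLegacyAuditPolicy'
        Impact = 'Hardening gap'
        Rule   = 'Enabled (1) can be applied'
        Pass   = { param($v) $v -eq 1 }
    },
    @{
        Policy = 'Network security: LAN Manager authentication level'
        Path   = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
        Name   = 'LmCompatibilityLevel'
        Impact = 'Hardening gap'
        Rule   = 'Send NTLMv2 response only, refuse LM & NTLM (5); no impact'
        Pass   = { param($v) $v -eq 5 }
    },
    @{
        Policy = 'Network security: Minimum session security for NTLM SSP based clients'
        Path   = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa\MSV1_0'
        Name   = 'NTLMMinClientSec'
        Impact = 'Hardening gap'
        Rule   = 'Require NTLMv2 session security + 128-bit encryption (0x20080000); no impact'
        Pass   = { param($v) $v -eq 0x20080000 }
    },
    @{
        Policy = 'Network security: Minimum session security for NTLM SSP based servers'
        Path   = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa\MSV1_0'
        Name   = 'NTLMMinServerSec'
        Impact = 'Hardening gap'
        Rule   = 'Require NTLMv2 session security + 128-bit encryption (0x20080000); no impact'
        Pass   = { param($v) $v -eq 0x20080000 }
    },
    @{
        Policy = 'Microsoft network client: Digitally sign communications (always)'
        Path   = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanWorkstation\Parameters'
        Name   = 'RequireSecuritySignature'
        Impact = 'Hardening gap'
        Rule   = 'Enabled (1); no impact'
        Pass   = { param($v) $v -eq 1 }
    },
    @{
        Policy = 'Microsoft network server: Digitally sign communications (always)'
        Path   = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters'
        Name   = 'RequireSecuritySignature'
        Impact = 'Hardening gap'
        Rule   = 'Enabled (1); no impact'
        Pass   = { param($v) $v -eq 1 }
    },
    @{
        Policy = 'Network access: Do not allow anonymous enumeration of SAM accounts and shares'
        Path   = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
        Name   = 'RestrictAnonymous'
        Impact = 'Hardening gap'
        Rule   = 'Enabled (1); no impact'
        Pass   = { param($v) $v -eq 1 }
    }
)

function Test-MtrSecurityOption {
    param([hashtable[]]$Checks = $checks)
    foreach ($c in $Checks) {
        # A missing key or value name means the policy is Not Defined on this device.
        $item   = Get-ItemProperty -Path $c.Path -Name $c.Name -ErrorAction SilentlyContinue
        $actual = if ($null -ne $item) { $item.($c.Name) } else { $null }
        [pscustomobject]@{
            Policy = $c.Policy
            Actual = if ($null -eq $actual) { 'Not Defined' } else { $actual }
            Status = if (& $c.Pass $actual) { 'OK' } else { $c.Impact }
            Rule   = $c.Rule
        }
    }
}

# Print the full report, then fail the run if any setting would break the room system.
$results = Test-MtrSecurityOption
$results | Format-Table -AutoSize
if ($results.Status -contains 'Breaks MTR') { exit 1 }
```

The non-zero exit code makes the script usable as a post-GPO-change gate: run it after a policy refresh (`gpupdate /force`) on a pilot room before the GPO is linked to the OU that holds every MTR device. Because the check reads the effective registry state rather than the GPO itself, it also catches values set by a local security policy or an imaging baseline that no domain GPO ever touched.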