Note: this set of GPOs accompanies a YouTube video all about building your own pentest lab.
Personally, when I set up an internal/test/pentest Active Directory environment, I like to leave some settings the way most client environments are set up, both for ease of management and easier attacks. That includes spinning up the following GPOs:
Enable RDP on desktops
Create a new GPO and link it to whatever OU your workstations are in. Under Computer Configuration > Administrative Templates > Windows Components > Remote Desktop Services > Remote Desktop Session Host > Connections, set Allow users to connect remotely using Remote Desktop Services to Enabled.
Then create a security group in AD, called RDP-Peeps for example, that you want to allow to RDP into all workstations.
Finally, navigate to Computer Configuration > Policies > Windows Settings > Security Settings > Restricted Groups. Right-click Restricted Groups and choose Add Group. In the Group box, type in the name of the group, Remote Desktop Users, and click OK. Once you do, the properties of this group open. Click the Add button under Members of this group and select the RDP-Peeps group from the domain. This is a little confusing, but essentially what we're saying is "Take RDP-Peeps and add it to all the local machines as a group that's authorized to RDP in."
A word of warning: this will remove any members that might already be in the Remote Desktop Users group (that is on every workstation and server), so if you just want to modify the members of the group, use the option called This group is a member of.
Disable power savings
To stop computers from snoozing on the job, head to Computer Configuration > Policies > Administrative Templates > System > Power Management > Sleep Settings and set Allow standby states (S1-S3) when sleeping (plugged in) to Disabled.
Disable client firewalls
Create a new GPO attached to whatever OU your workstations are in, and set Computer Configuration > Policies > Administrative Templates > Network > Network Connections > Windows Firewall > Domain Profile > Windows Firewall: Protect all network connections to Disabled.
Just to be safe, set Computer Configuration > Policies > Administrative Templates > Network > Network Connections > Windows Firewall > Standard Profile > Windows Firewall: Protect all network connections to Disabled as well.
Lower password complexity
Open up the Default Domain Policy and under Computer Configuration > Policies > Windows Settings > Security Settings > Account Policies > Password Policy set Password must meet complexity requirements to Disabled. Also lower the Minimum password length to 0 and Minimum password age to 0.
Disable SMB signing
Create a new GPO and link it to the root domain. Under Computer Configuration > Policies > Windows Settings > Security Settings > Local Policies > Security Options, disable these settings:
- Domain member: Digitally encrypt or sign secure channel data (always)
- Domain member: Digitally encrypt or sign secure channel data (when possible)
- Domain member: Digitally sign secure channel data (when possible)
- Microsoft network server: Digitally sign communications (always)
- Microsoft network server: Digitally sign communications (if client agrees)
- Microsoft network client: Digitally sign communications (always)
- Microsoft network client: Digitally sign communications (if client agrees)
Depending on your server OS version, you might need to disable SMB signing on your DCs as well. Open up the Default Domain Controller policy, and if any of the above settings are enabled, set them all to Not defined.
Enable WinRM
Rather than repost the settings here, I'll just point you towards this great article which spells out all the details. Then use Test-WsMan IP.OF.YOUR.WORKSTATION to validate WinRM is working as expected.
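To confirm on a lab workstation that the RDP, firewall and SMB signing GPOs above actually applied, the registry values those policies write can be read back after gpupdate /force; run on a host outside the lab, the same check flags these weakened settings. This is an added example, not part of the original post or video. It assumes an elevated PowerShell 5.1+ session, the standard registry locations for these policies, and the RDP-Peeps group name used above.

```powershell
# Added example (not from the original post). Run elevated on a workstation
# after `gpupdate /force` to see which of the GPO settings above are in effect.
$svc = 'HKLM:\SYSTEM\CurrentControlSet\Services'
$pol = 'HKLM:\SOFTWARE\Policies\Microsoft'

# Each entry: what it represents, where the policy lands in the registry,
# and the value expected once the lab GPO is in effect (0 = off/allowed).
$checks = @(
    @{ Setting = 'RDP allowed by policy';           Path = "$pol\Windows NT\Terminal Services";    Name = 'fDenyTSConnections' }
    @{ Setting = 'Firewall, domain profile';        Path = "$pol\WindowsFirewall\DomainProfile";   Name = 'EnableFirewall' }
    @{ Setting = 'Firewall, standard profile';      Path = "$pol\WindowsFirewall\StandardProfile"; Name = 'EnableFirewall' }
    @{ Setting = 'Secure channel: require';         Path = "$svc\Netlogon\Parameters";             Name = 'RequireSignOrSeal' }
    @{ Setting = 'Secure channel: encrypt';         Path = "$svc\Netlogon\Parameters";             Name = 'SealSecureChannel' }
    @{ Setting = 'Secure channel: sign';            Path = "$svc\Netlogon\Parameters";             Name = 'SignSecureChannel' }
    @{ Setting = 'SMB server: signing required';    Path = "$svc\LanmanServer\Parameters";         Name = 'RequireSecuritySignature' }
    @{ Setting = 'SMB server: signing enabled';     Path = "$svc\LanmanServer\Parameters";         Name = 'EnableSecuritySignature' }
    @{ Setting = 'SMB client: signing required';    Path = "$svc\LanmanWorkstation\Parameters";    Name = 'RequireSecuritySignature' }
    @{ Setting = 'SMB client: signing enabled';     Path = "$svc\LanmanWorkstation\Parameters";    Name = 'EnableSecuritySignature' }
)

$results = foreach ($c in $checks) {
    # A missing key or value means the policy is not defined on this machine.
    $actual = (Get-ItemProperty -Path $c.Path -Name $c.Name -ErrorAction SilentlyContinue).($c.Name)
    [pscustomobject]@{
        Setting  = $c.Setting
        Registry = $c.Name
        Value    = if ($null -eq $actual) { 'not set' } else { $actual }
        LabState = ($null -ne $actual -and $actual -eq 0)   # True = weakened as described above
    }
}
$results | Format-Table -AutoSize

# Restricted Groups check: the domain group should now be in the local group.
$group   = 'RDP-Peeps'   # group name from the post; change it if yours differs
$members = Get-LocalGroupMember -Group 'Remote Desktop Users' -ErrorAction SilentlyContinue
if ($members.Name -like "*\$group") {
    "OK: $group is a member of Remote Desktop Users"
} else {
    "MISSING: $group is not a member of Remote Desktop Users"
}
```

A row showing 'not set' usually means the GPO is not linked to the OU the machine sits in or has not refreshed yet; gpresult /r lists which GPOs were applied.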