Summary




In this chapter, you learned how to apply many of the same principles for securing clients that you used in Chapter 8 for securing servers. You saw that you will have to apply different policies based on how a client computer will be used. A properly designed Active Directory OU model is priceless when it comes to securing computers and accounts based on the roles that they play in the network.

As in Chapter 8, we revisited the concept of creating security templates and applying them in concert with Group Policy. You will want to design a different security template for each type of computer—for example, laptops and desktops. Additional templates can also be obtained from Microsoft as part of the Windows XP Security Guide.

We then explained the benefit of defining software restriction policies, which give you control over the software that runs on the computers in your charge. You saw the difference between configuring the default behavior to be Unrestricted, with rules denying specific applications or paths, and configuring the default behavior to be Disallowed, with rules explicitly allowing applications or executable paths. Setting the default to Disallowed is more secure, while the Unrestricted option interferes less with the user of the computer. There are pros and cons for each rule type—certificate, hash, path, and Internet zone—depending on the details of the situation and the level of administrative burden you are willing to endure.

Next, you learned how to prevent users from accessing certain sections of the Windows operating system itself. You can use built-in groups to assign specific rights to users when it is appropriate. You can also use administrative templates in a GPO to grant or deny access to a feature of the operating system.

Finally, you were introduced to security patch management, namely with Software Update Services (SUS) and Group Policy. You learned the basics of configuring a SUS server as well as SUS clients. We showed you the different implementations of SUS and some basic guidelines that you should try to follow. You learned that, with SUS, you can choose which updates to deploy to your client computers rather than configuring all of the computers to use the Microsoft Windows Update site as the authority on which patches and fixes to apply.

To verify your patch management and, for that matter, your secure configurations, you learned how to use the Microsoft Baseline Security Analyzer to audit one or more computers under your control. You saw that it can be invoked manually or automated in a script using its command-line version.






MCSE. Windows Server 2003 Network Security Design Study Guide Exam 70-298
MCSE: Windows(r) Server 2003 Network Security Design Study Guide (70-298)
ISBN: 0782143296
EAN: 2147483647
Year: 2004
Pages: 168
