Final Thoughts

To know security, you need to know Group Policy. To that end, we've toured the major sights along the Group Policy security highway. From the "Default Domain Controllers Policy" and "Default Domain Policy" GPOs, to Windows XP and Windows 2003 Software Restriction Policies, to Security Templates, there is a lot that can be accomplished in there.

Walking up to a specific machine and applying local security sounds like a great, straightforward idea, until you have so many machines you couldn't possibly walk up to them all. This chapter covered some alternate methods for asserting your will across the network.

Use security templates for all types of machines. But if you're configuring Windows 2003/SP1 machines, the new SCW is your new best friend.

Remember that items in the security branch of a GPO will take effect, maximally, every 16 hours, even if the Group Policy doesn't change in Active Directory. This ensures that if a nefarious local administrator changed the policies on his workstation, they'll eventually be refreshed. However, recall that this "Security Background Refresh" will not affect other areas of Group Policy by default. If you want similar behavior, be sure to read Chapter 3, where we discuss the implications of the setting named "Process even if the Group Policy objects have not changed." You can enable different sections of Group Policy to do this by drilling down in the Group Policy Object Editor within Computer Configuration > Administrative Templates > System > Group Policy. Again, this was covered in Chapter 3. So, for fullest security and protection, re-read that chapter to understand why and how to enable those settings.
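To see which sections of Group Policy on a given machine are set to reprocess unchanged GPOs, the following PowerShell audit can be run locally. It is an added example, not from the book; the registry paths and the value names NoGPOListChanges and MaxNoGPOListChangesInterval are the standard Windows client-side extension registration locations and are not taken from this page.

```powershell
# Added example: for each Group Policy client-side extension (CSE), report
# whether it reprocesses policy when no GPO has changed, and any forced
# refresh interval. Read-only; run on the machine being audited.
$cseRoot    = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions'
$policyRoot = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\Group Policy'

$report = Get-ChildItem -LiteralPath $cseRoot | ForEach-Object {
    $guid = $_.PSChildName
    $name = $_.GetValue('')                       # default value holds the CSE name
    $reg  = $_.GetValue('NoGPOListChanges')       # set by the CSE at registration
    $max  = $_.GetValue('MaxNoGPOListChangesInterval')

    # A value written by the "Process even if the Group Policy objects have
    # not changed" policy setting lives under the Policies key and wins.
    $pol    = $null
    $polKey = Get-Item -LiteralPath (Join-Path $policyRoot $guid) -ErrorAction SilentlyContinue
    if ($polKey) { $pol = $polKey.GetValue('NoGPOListChanges') }

    if ($null -ne $pol)     { $value = $pol; $source = 'Policy' }
    elseif ($null -ne $reg) { $value = $reg; $source = 'Registration' }
    else                    { $value = $null; $source = 'Not set' }

    # NoGPOListChanges = 0 means "process even if unchanged"; 1 means skip.
    $reprocess = switch ($value) { 0 { 'Yes' } 1 { 'No' } default { 'Not set' } }

    New-Object PSObject -Property @{
        Extension           = $name
        Guid                = $guid
        ReprocessUnchanged  = $reprocess
        Source              = $source
        # Assumption: the interval is stored in minutes, so 960 corresponds
        # to the 16-hour security refresh described in the text.
        ForcedRefreshMinute = $max
    }
}

$report |
    Sort-Object Extension |
    Format-Table Extension, ReprocessUnchanged, Source, ForcedRefreshMinute, Guid -AutoSize
```

Extensions that show "No" or "Not set" with no forced interval are the ones where a locally changed setting can persist until the GPO itself changes.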

What I Didn't Cover

Unfortunately, space limitations restrict me from delving into all security functions of Group Policy. Of note, three categories are missing from this Group Policy security roundup:

  • IP Security

  • Certificate Services and Public Key Infrastructure (PKI)

  • EFS and the EFS Recovery Policy

For more on IP Security. For getting a grip on IP Security, check out "The Technical Overview of Network and Communications for Windows Server 2003" at www.microsoft.com/windowsserver2003/techinfo/overview/netcomm.mspx.

For more on Certificate Services and PKI. For getting a grip on Certificate Services and PKI, check out "Best Practices for Implementing a Microsoft Windows Server 2003 Public Key Infrastructure" at http://tinyurl.com/5vejh.

For more on EFS and the EFS Recovery Policy. You'll find information on the Encrypting File System in Windows XP and Windows Server 2003 at http://tinyurl.com/576kx.

Additionally, see the Knowledge Base articles "HOW TO: Configure a Domain EFS Recovery Policy in Windows 2000" (KB313376) and "Best Practices for the Encrypting File System" (KB 223316).

Even More Resources

If you get really gung-ho and want to hack the security templates yourself to add your own security settings, it's difficult and ornery, but possible. You'll find an excellent reference, "How to Customize Security Settings within Templates," at http://tinyurl.com/3n72j.

Designing versus Implementing

This chapter is titled "Implementing Security with Group Policy" because that's what we did. However, an equally challenging project is the design of your security policy battle plans before you march headlong into implementation. One excellent Microsoft resource, made specifically for the task of working through some examples to design security with GPOs, is the "Common Scenarios" white paper at http://tinyurl.com/4oaks. You can also just search for "Group Policy Common Scenarios Using GPMC" on Microsoft's website.

The "Common Scenarios" white paper includes several "canned" GPOs that help you learn how to design a security policy, and includes situations where computers should be Lightly Managed, Mobile, and Kiosk. Once you play with each scenario, you can decide which features you want to keep in your own environment. These GPOs aren't really meant to be deployed as-is (you should modify them to suit your own business), but you'll get a better handle on some security design options. A white paper is included to help you work through the scenarios. In all, I think it's an excellent follow-up once you've been through the exercises in this chapter.



Group Policy, Profiles, and IntelliMirror for Windows 2003, Windows XP, and Windows 2000 (Mark Minasi Windows Administrator Library)
ISBN: 0782144470
EAN: 2147483647
Year: 2005
Pages: 110
