Maximizing Security with Group Policy

Group Policy is an excellent way to raise the security of an organization. It can be used for everything from domain-level security policies that apply to every user and computer (such as password length, complexity, and lockout values) to security measures aimed at specific groups of specialized users with specific needs. For example, you might manage a group of users who need to be tightly controlled: a locked-down environment on their workstations and logons that they cannot work around, where they cannot edit the Registry, add software, change permissions, stop or start services, or view the event logs. Applying a specific, highly restrictive Group Policy object to that group accomplishes this, and the same policy can be reused as a template across other OUs and groups of users. Conversely, if you manage a group whose members need many rights and the ability to manipulate their workstations, such as installing software, changing settings, editing the Registry, and changing drivers, applying more permissive Group Policies to that group accomplishes that as well.

Predefined Security Templates

Microsoft provides predefined security templates for Group Policy, based on the type of users and environment needed (secure workstations and servers, or highly secure workstations and servers). These templates can be imported into Group Policy objects, where they can be implemented as-is or modified as the environment requires. However they are used, they are a good starting point from which to establish a base level of security. The templates configure settings such as account policies, event log settings, local policies, system service settings, Registry permissions, and file and folder permissions. The following list describes the security templates that can be added after installation:
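Security templates are plain INF files, and the account policy values the text mentions live in their [System Access] section. The following PowerShell is an added example, not part of the original text or of any Microsoft template: it parses that section and reports settings weaker than a baseline. The template text and the baseline values are constructed for the example; the function names are this example's own. A real template can be taken from %SystemRoot%\security\templates or exported from a machine with secedit /export /cfg.

```powershell
# Added example (not from the original text): parse the [System Access] section of a
# security template (.inf) and flag values weaker than an assumed baseline.
# The template below is constructed for the example. A real one can be exported with:
#   secedit /export /cfg C:\temp\current.inf
$SampleTemplate = @'
[Unicode]
Unicode=yes
[System Access]
MinimumPasswordAge = 1
MaximumPasswordAge = 42
MinimumPasswordLength = 7
PasswordComplexity = 1
PasswordHistorySize = 24
LockoutBadCount = 0
LockoutDuration = 30
ResetLockoutCount = 30
ClearTextPassword = 0
[Version]
signature="$CHICAGO$"
Revision=1
'@

function ConvertFrom-SecurityTemplate {
    # Returns a hashtable: section name -> ordered dictionary of Key = Value pairs.
    param([Parameter(Mandatory)][string]$Text)
    $sections = @{}
    $current  = $null
    foreach ($raw in ($Text -split "`r?`n")) {
        $line = $raw.Trim()
        if ($line -eq '' -or $line.StartsWith(';')) { continue }   # blank line or comment
        if ($line -match '^\[(.+)\]$') {                            # [Section]
            $current = $Matches[1]
            $sections[$current] = [ordered]@{}
            continue
        }
        if ($current -and $line -match '^([^=]+?)\s*=\s*(.*)$') {   # Key = Value
            $sections[$current][$Matches[1]] = $Matches[2]
        }
    }
    return $sections
}

# Assumed baseline for this example; substitute your own standard.
# MinimumPasswordLength in characters, PasswordHistorySize in passwords remembered,
# MaximumPasswordAge in days (-1 = never expires), LockoutBadCount attempts (0 = never lock out).
$Baseline = [ordered]@{
    MinimumPasswordLength = 14
    PasswordComplexity    = 1
    PasswordHistorySize   = 24
    MaximumPasswordAge    = 60
    LockoutBadCount       = 10
    ClearTextPassword     = 0
}

function Test-AccountPolicy {
    # Compares one parsed [System Access] section against the baseline and returns findings.
    param(
        [Parameter(Mandatory)][System.Collections.IDictionary]$Policy,
        [Parameter(Mandatory)][System.Collections.IDictionary]$Baseline
    )
    $findings = @()
    foreach ($name in $Baseline.Keys) {
        if (-not $Policy.Contains($name)) {
            # A template that omits a setting leaves whatever value the machine already has.
            $findings += "$name is not set by the template"
            continue
        }
        $actual = [int]$Policy[$name]
        $want   = [int]$Baseline[$name]
        $weak = switch ($name) {
            'MinimumPasswordLength' { $actual -lt $want }
            'PasswordHistorySize'   { $actual -lt $want }
            'LockoutBadCount'       { $actual -eq 0 -or $actual -gt $want }   # 0 disables lockout
            'MaximumPasswordAge'    { $actual -eq -1 -or $actual -gt $want }  # -1 never expires
            default                 { $actual -ne $want }                     # boolean-style flags
        }
        if ($weak) { $findings += "$name = $actual (baseline: $want)" }
    }
    return $findings
}

$parsed = ConvertFrom-SecurityTemplate -Text $SampleTemplate
Test-AccountPolicy -Policy $parsed['System Access'] -Baseline $Baseline
```

For the constructed template this flags the seven-character minimum length and the disabled lockout; the other values meet the assumed baseline. Running the same check over a secedit export of a live machine shows how far that machine already is from the template you intend to import.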
Required Default Domain Group Policy Settings

As stated earlier, Account Policy settings applied at the OU level affect only the local SAM database of the computers in that OU, not Active Directory accounts. To affect Active Directory accounts, the Account Policy settings must be configured in a GPO linked at the domain root, normally the Default Domain Policy. The Account Policy settings that must be configured in the Default Domain Policy to affect the accounts in AD are located in the following areas of the Group Policy:
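A common mistake is to set password or lockout values in a GPO linked to an OU and assume they apply to domain accounts. The following PowerShell is an added example, not part of the original text: it reads the policy the domain actually enforces, then lists every GPO that carries Account Policy settings together with where it is linked, so misplaced ones stand out. It assumes a domain-joined machine with the ActiveDirectory and GroupPolicy RSAT modules and a user allowed to read GPOs; the function name and the XML element names it searches for (Account, Name, SettingNumber, LinksTo, SOMPath, as produced by Get-GPOReport) are this example's assumptions about the report format.

```powershell
# Added example, not from the original text. Assumes the ActiveDirectory and GroupPolicy
# RSAT modules on a domain-joined machine, run as a user who can read all GPOs.
Import-Module ActiveDirectory
Import-Module GroupPolicy

# 1. The policy the domain actually enforces for AD accounts.
Get-ADDefaultDomainPasswordPolicy |
    Select-Object MinPasswordLength, ComplexityEnabled, PasswordHistoryCount,
                  MaxPasswordAge, LockoutThreshold, LockoutDuration, LockoutObservationWindow

# 2. Every GPO that defines Account Policy settings, and whether it is linked where
#    those settings reach AD accounts (the domain root) or only an OU (local SAM only).
function Get-AccountPolicyGpo {
    $domainDns = (Get-ADDomain).DNSRoot
    foreach ($gpo in Get-GPO -All) {
        [xml]$report = Get-GPOReport -Guid $gpo.Id -ReportType Xml
        # Assumption about the report layout: Account Policy entries are <Account> elements
        # with <Name>, <SettingNumber> (or <SettingBoolean>) and <Type> under the Security
        # Settings extension. local-name() avoids the report's namespace prefixes.
        $accounts = $report.SelectNodes("//*[local-name()='Account']")
        if (-not $accounts -or $accounts.Count -eq 0) { continue }

        $links = @($report.SelectNodes("//*[local-name()='LinksTo']/*[local-name()='SOMPath']") |
                   ForEach-Object { $_.InnerText })
        # SOMPath is the bare DNS name for a domain-root link and "domain/OU/..." for an OU link.
        $atDomainRoot = $links -contains $domainDns

        $settings = $accounts | ForEach-Object {
            $n = $_.SelectSingleNode("*[local-name()='Name']").InnerText
            $v = $_.SelectSingleNode("*[local-name()='SettingNumber' or local-name()='SettingBoolean']").InnerText
            "$n=$v"
        }
        $linkedTo = if ($links.Count -gt 0) { $links -join '; ' } else { '(unlinked)' }

        [pscustomobject]@{
            GPO               = $gpo.DisplayName
            Settings          = $settings -join '; '
            LinkedTo          = $linkedTo
            AffectsADAccounts = $atDomainRoot
        }
    }
}

Get-AccountPolicyGpo | Format-Table -AutoSize
```

A GPO that shows up with AffectsADAccounts set to False but contains lockout or password settings is changing the local SAM of the computers in that OU and nothing else; if the intent was to govern domain accounts, the settings belong in a GPO linked at the domain root. Where several GPOs are linked at the root, the one with the highest link order wins for account policy.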
Restricted Groups: Assigning Local Groups Through GP

Restricted Groups can be used to enforce the membership of local groups such as Administrators and Power Users on member servers and workstations. It is not meant for domain controllers: they have no local SAM groups, so the same setting applied to the Domain Controllers OU would act on the domain's built-in groups instead. Restricted Groups is useful in highly secure environments where adding users to local groups on workstations or servers would be a problem, or where group membership might be changed accidentally. When a group is defined with a Members list, every policy refresh removes any member not on the list and adds any listed member that is missing, so an unauthorized change does not persist. For example, you can create an OU whose only purpose is to repair workstations whose local Administrators membership has been altered: link a GPO to it that defines a Restricted Groups entry for Administrators naming the correct members. When a workstation is found with incorrect membership, move the computer object into that OU. At the next computer policy refresh (a reboot or gpupdate /force triggers one), the incorrect members are removed and the proper ones added, after which the computer can be moved back to its normal location. To create a Restricted Group:
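The following PowerShell is an added example, not part of the original text: it reads a Restricted Groups entry in the form the GPO stores it (the [Group Membership] section of the GPO's GptTmpl.inf in SYSVOL) and shows what the next policy refresh would add to and remove from a workstation's local Administrators group. The template fragment, the domain group CONTOSO\Workstation Admins, the drifted membership list and the function names are constructed for the example; Get-LocalGroupMember, used for the live case, exists on Windows 10 / Server 2016 and later.

```powershell
# Added example, not from the original text. A Restricted Groups entry as stored in
# MACHINE\Microsoft\Windows NT\SecEdit\GptTmpl.inf under [Group Membership]:
# "<SID>__Members" replaces the whole membership, "<SID>__Memberof" only adds the group
# to others. S-1-5-32-544 is the well-known SID of the local Administrators group.
# The fragment and the domain group CONTOSO\Workstation Admins are constructed.
$GptTmplFragment = @'
[Group Membership]
*S-1-5-32-544__Memberof =
*S-1-5-32-544__Members = Administrator,CONTOSO\Workstation Admins
'@

function Get-RestrictedGroupMembers {
    # Returns the member list that the Members setting will enforce for one group SID.
    param([Parameter(Mandatory)][string]$Template,
          [string]$GroupSid = 'S-1-5-32-544')
    $pattern = '^\*' + [regex]::Escape($GroupSid) + '__Members\s*=\s*(.*)$'
    foreach ($line in ($Template -split "`r?`n")) {
        if ($line.Trim() -match $pattern) {
            # Members are comma separated; SIDs carry a leading '*' in the template.
            return @($Matches[1] -split ',' |
                     ForEach-Object { $_.Trim().TrimStart('*') } |
                     Where-Object { $_ })
        }
    }
    return @()
}

function Compare-LocalGroupMembership {
    # Reports what a Members-style Restricted Groups entry will remove and add.
    # $Current defaults to the live local Administrators group; pass a list to run offline.
    param([Parameter(Mandatory)][string[]]$Desired,
          [string[]]$Current = (Get-LocalGroupMember -Group 'Administrators' | ForEach-Object { $_.Name }))
    # Get-LocalGroupMember names local accounts as COMPUTER\Name; strip that prefix so they
    # compare with the bare names used in the template. Domain accounts keep DOMAIN\Name.
    $cur = $Current | ForEach-Object {
        if ($env:COMPUTERNAME -and $_ -like "$env:COMPUTERNAME\*") { $_.Split('\')[1] } else { $_ }
    }
    [pscustomobject]@{
        WillRemove = @($cur     | Where-Object { $Desired -notcontains $_ })
        WillAdd    = @($Desired | Where-Object { $cur     -notcontains $_ })
    }
}

$desired = Get-RestrictedGroupMembers -Template $GptTmplFragment

# Constructed drift scenario: a helpdesk group and an individual were added by hand.
Compare-LocalGroupMembership -Desired $desired -Current @(
    'Administrator', 'CONTOSO\Workstation Admins', 'CONTOSO\jsmith', 'CONTOSO\Helpdesk'
)
```

For the constructed scenario the refresh would remove CONTOSO\jsmith and CONTOSO\Helpdesk and add nothing. Because the Members form removes everything it does not list, check the list against every machine the GPO will reach before linking it: a Members entry that omits Domain Admins, or an account that a management agent depends on, locks those principals out at the next refresh. When you only need to guarantee that a group is present, use the Member Of form instead, which adds without removing.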