Maximizing Security with Group Policy


Group Policy is an excellent method to increase security in an organization. It can be used for everything from setting domain level security policies that apply to every user and computer (such as password length, complexity, and lock-out values) to applying security measures to specific groups of specialized users with specific needs.

For example, you might be managing a group of users who need to be highly managed. They need a very secure environment implemented on their workstations and logins, an environment that they cannot get around: one where they cannot edit the Registry, add software, change permissions, stop or start services, or view the event logs. Applying a specific, highly secure Group Policy object to that group would accomplish this.

Additionally, the same policy could be applied easily using a template across various OUs and groups of users. If you are managing a group whose members need a great many rights and the capability to manipulate their workstations (such as the ability to install software, change settings, edit the Registry, and change drivers), applying more permissive Group Policies to that group could accomplish that as well.

Predefined Security Templates

Microsoft provides predefined security templates for Group Policy, based on the type of users and environment needed (secure workstations and servers or highly secure workstations and servers). These templates can be imported into Group Policy objects where they can then either be implemented as-is, or changed, as the environment requires. However they are used, they are a great security starting point with which to obtain a base level of security. The templates can be used to configure settings such as account policies, event log settings, local policies, system service settings, Registry permissions, and file and folder permissions.

The following list describes the security templates that can be added after installation:

  • Secure. There are two secure templates, one for workstations and one for domain controllers. The workstation template is called Securews.inf and the domain controller template is called Securedc.inf.

  • Highly Secure. The highly secure template (hisecws.inf and hisecdc.inf) goes beyond the secure template and applies even more restrictive and secure policy configurations. It is also available for both domain controllers and workstations.

  • System Root Security. This template (Rootsec.inf) provides a default set of secure root permissions for a root C drive. It is useful if the permissions have been changed and need to be returned to a secure default setting. With regard to child objects, it only propagates the security changes to child objects that inherit permissions; it does not overwrite explicit permissions on child objects.

  • Compatible. This template (Compatws.inf) should only be applied to workstations. It changes the security settings for members of the users group by configuring a basic set of Registry and file permissions that allows most Microsoft software to function properly but securely. It also removes any members of the Power Users group.
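As an added illustration (not from the book), the following PowerShell script audits a computer against one of these predefined templates without changing anything, using secedit /analyze. It assumes the Windows Server 2003 template location under %windir%\security\templates, that secedit records differences in its log as "Mismatch - <SettingName>." lines, and an elevated prompt:

```powershell
# Added example, not from the book: compare the local machine's current security settings
# against one of the predefined templates without applying anything (secedit /analyze).
# Assumptions: the template lives under %windir%\security\templates (Server 2003 layout),
# and secedit writes differences to its log as "Mismatch - <SettingName>." lines.
param(
    [string]$Template = (Join-Path $env:windir 'security\templates\securews.inf')  # or hisecws.inf
)

if (-not (Test-Path $Template)) { throw "Template not found: $Template" }

$work = Join-Path $env:TEMP 'secedit-analyze'
New-Item -ItemType Directory -Path $work -Force | Out-Null
$db  = Join-Path $work 'analysis.sdb'
$log = Join-Path $work 'analysis.log'

# /analyze imports the template into a scratch database and compares it with the live
# configuration; /overwrite makes repeated runs reuse the same database file.
& secedit.exe /analyze /db $db /cfg $Template /overwrite /log $log | Out-Null
if ($LASTEXITCODE -ne 0) { throw "secedit /analyze returned exit code $LASTEXITCODE" }

# Collect the names of settings that differ from the template. The log is UTF-16 with a
# BOM, which Get-Content detects automatically.
$mismatches = @(Get-Content $log | ForEach-Object {
    if ($_ -match '^\s*Mismatch\s*-\s*(.+?)\.?\s*$') { $Matches[1] }
} | Sort-Object -Unique)

if ($mismatches.Count -eq 0) {
    Write-Output "All analyzed settings match $Template"
} else {
    Write-Output "$($mismatches.Count) setting(s) differ from $Template :"
    $mismatches | ForEach-Object { Write-Output "  $_" }
}
```

The resulting analysis.sdb can also be opened in the Security Configuration and Analysis snap-in to see each mismatched value side by side with the template.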

Required Default Domain Group Policy Settings

As stated earlier, Account Policy settings applied at the OU Level affect the local SAM database, not Active Directory accounts. The Account Policy settings must be applied on the Default Domain Policy to affect Active Directory accounts. The Account Policy settings that must be configured in the Default Domain Policy to affect the accounts in AD are located in the following areas in the Group Policy:

  • Password Policy

  • Account Lockout Policy

  • Kerberos Policy

Restricted Groups: Assigning Local Groups Through GP

Restricted Groups can be used to set the membership of local groups such as Administrators and Power Users on servers and workstations. However, this cannot be applied to domain controllers because they don't have local groups. Restricted Groups are useful in extremely secure environments where the addition of users to local groups on workstations or servers would be problematic, or where group membership might be accidentally changed. Assigning local groups through Group Policy automatically removes the incorrect group membership and replaces it with the membership specified in the policy.

For example, you can create an OU that is used only to repair local workstation administrative group membership that has been changed. You would define the correct local group membership in a policy linked to that OU, and if a workstation were discovered to have incorrect group membership, the workstation would be moved into the OU. The next time the workstation was rebooted, the incorrect group membership would be removed and the proper group added. The computer could then be moved back to its proper location.

To create a Restricted Group:

  1. Edit Group Policy.

  2. Choose Computer Configuration, Windows Settings, Security Settings, Restricted Groups.

  3. Right-click on Restricted Groups and select Add Group.

  4. Click Browse.

  5. Type the name of the group and click OK.

  6. Click OK again on the Add Group dialog box.

  7. On the top section labeled Members of This Group click the Add button.

  8. Click Browse.

  9. Type in or browse for the desired users or groups that should be members of the new local Restricted Group. After adding members to the group, the dialog box will look similar to Figure 6.7.

    Figure 6.7. Members added to a restricted group.


  10. Click OK to finish and close the dialog box.
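The Restricted Groups editor stores its result in the GPO's GptTmpl.inf (under Machine\Microsoft\Windows NT\SecEdit in SYSVOL) as a [Group Membership] section. As an added example, not from the book, this PowerShell script parses that section from a constructed sample and reports how the live local group differs from the intended membership, which is the drift the OU technique above is meant to correct. The domain SID in the sample is a placeholder, and the ADSI WinNT lookup and [pscustomobject] assume PowerShell 3 or later:

```powershell
# Added example, not from the book. Parses the [Group Membership] section that the
# Restricted Groups editor writes to a GPO's GptTmpl.inf and reports how the live local
# group differs from it. Nothing is changed; the INF text is constructed sample data and
# the S-1-5-21-... SID is a placeholder for a real domain group.
$SampleGptTmpl = @'
[Version]
signature="$CHICAGO$"
[Group Membership]
*S-1-5-32-544__Memberof =
*S-1-5-32-544__Members = *S-1-5-21-1111111111-2222222222-3333333333-512,CORP\Workstation Admins
'@
function Get-RestrictedGroupMembers {
    # Returns a hashtable: group SID or name -> array of intended members (SIDs or names).
    # "__Memberof" lines express the reverse relation and are ignored here.
    param([string]$InfText)
    $result = @{}; $inSection = $false
    foreach ($line in ($InfText -split "`r?`n")) {
        if ($line -match '^\s*\[(.+)\]\s*$') { $inSection = ($Matches[1] -eq 'Group Membership'); continue }
        if ($inSection -and $line -match '^\s*\*?(.+?)__Members\s*=\s*(.*)$') {
            $result[$Matches[1]] = @($Matches[2] -split ',' | ForEach-Object { $_.Trim() } | Where-Object { $_ })
        }
    }
    return $result
}
function Resolve-Principal {
    # "*S-1-5-32-544" -> "BUILTIN\Administrators"; names and unresolvable SIDs pass through.
    param([string]$Value)
    if ($Value -notmatch '^\*?(S-1-[\d-]+)$') { return $Value }
    $sid = $Matches[1]
    try { (New-Object System.Security.Principal.SecurityIdentifier $sid).Translate([System.Security.Principal.NTAccount]).Value }
    catch { $sid }
}
function Compare-LocalGroupMembership {
    # Compares intended members with the live local group via the ADSI WinNT provider.
    param([string]$GroupSid, [string[]]$Intended)
    $name  = (Resolve-Principal $GroupSid) -replace '^BUILTIN\\', ''
    $group = [ADSI]"WinNT://$env:COMPUTERNAME/$name,group"
    $actual = @(@($group.Invoke('Members')) | ForEach-Object {
        # ADsPath is WinNT://CORP/Workstation Admins; normalise to CORP\Workstation Admins
        $_.GetType().InvokeMember('AdsPath', 'GetProperty', $null, $_, $null) -replace '^WinNT://', '' -replace '/', '\'
    })
    $want = @($Intended | ForEach-Object { Resolve-Principal $_ })
    [pscustomobject]@{
        Group      = $name
        Unexpected = @($actual | Where-Object { $want -notcontains $_ })   # present but not in policy
        Missing    = @($want   | Where-Object { $actual -notcontains $_ }) # in policy but absent
    }
}
$policy = Get-RestrictedGroupMembers $SampleGptTmpl
foreach ($g in $policy.Keys) { Compare-LocalGroupMembership -GroupSid $g -Intended $policy[$g] }
```

To audit against a real policy, replace $SampleGptTmpl with Get-Content -Raw of the GPO's GptTmpl.inf from SYSVOL; any name listed under Unexpected is exactly what the next policy refresh would remove.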



Microsoft Windows Server 2003 Insider Solutions
ISBN: 0672326094
Year: 2003
Pages: 325