Besides controlling where files and folders are stored, group policy can also be used to control access to workstations and other network resources.
Group policy can be used to enforce the logon time restrictions that you apply to a user or a group of them using Active Directory.
This can not only help you prevent unauthorized access after-hours from employees, but it also protects your network from being vulnerable through an user's account by creating a specific time window where logons can occur.
Alternatively, you could add this item to an existing policy instead of creating a new one (this reduces network overhead by not having to process many separate group policies).
With thousands of group policy settings and numerous administrative templates, sometimes it's difficult to find the specific settings that will enhance the security of your network.
Fortunately, several guidelines are available to help administrators use group policy to lock down users depending on how much control you need or want to give to the user. This section highlights some of policies that you should consider configuring if you want to greatly reduce the ability of your users to modify the settings in Windows.
Tables 21.2 and 21.3 show some of the most common user configuration and computer configuration group policies used to manage workstations. All the values provided are suggestions, and some of these policies might not even apply in your case. Consider which policies are really required and modify them.
Table 21.2. User Configuration Group Policy Settings for Managed Workstations
Policy | Setting |
|---|
User Configuration, Administrative Templates, Control Panel | |
Prohibit access to the Control Panel | Enabled |
Control Panel, Add or Remove Programs | |
Remove Add or Remove Programs | Enabled |
Control Panel, Display | |
Remove Display in Control Panel | Enabled |
Control Panel, Printers | |
Prevent addition of printers | Enabled |
Prevent deletion of printers | Enabled |
Desktop | |
Don't save settings at exit | Enabled |
Prevent adding, dragging, dropping, and closing the Taskbar's toolbars | Enabled |
Prohibit user from changing My Documents path | Enabled |
Desktop, Active Desktop | |
Disable Active Desktop | Enabled |
Network, Network Connections | |
Ability to Enable/Disable a LAN connection | Disabled |
Prohibit access to properties of a LAN connection | Enabled |
Prohibit access to the New Connection Wizard | Enabled |
Prohibit TCP/IP advanced configuration | Enabled |
Start Menu and Taskbar | |
Gray unavailable Windows Installer programs Start Menu shortcuts | Enabled |
Prevent changes to Taskbar and Start Menu Settings | Enabled |
Remove access to the context menus for the taskbar | Enabled |
Remove Drag-and-drop context menus on the Start Menu | Enabled |
Remove links and access to Windows Update | Enabled |
Remove Network Connections from Start Menu | Enabled |
Remove programs on Settings menu | Enabled |
Remove Run menu from Start Menu | Enabled |
System | |
Prevent access to Registry editing tools | Enabled |
Prevent access to the command prompt | Enabled |
Disable the command prompt script processing also? | No |
Turn off Autoplay | Enabled |
Turn off Autoplay on: | CD-ROM drives |
System, Ctrl+Alt+Del Options | |
Remove Task Manager | Enabled |
Windows Components, Internet Explorer | |
Disable changing Advanced page settings | Enabled |
Disable changing Automatic Configuration settings | Enabled |
Disable changing certificate settings | Enabled |
Disable changing connection settings | Enabled |
Disable changing proxy settings | Enabled |
Disable changing ratings settings | Enabled |
Windows Components, Internet Explorer | |
Disable external branding of Internet Explorer | Enabled |
Disable Internet Connection Wizard | Enabled |
Windows Components, Internet Explorer, Browser Menus | |
Disable Save this program to disk option | Enabled |
Windows Components, Internet Explorer, Internet Control Panel | |
Disable the Advanced page | Enabled |
Disable the Connections page | Enabled |
Disable the Programs page | Enabled |
Disable the Security page | Enabled |
Windows Components, Microsoft Management Console | |
Restrict the user from entering author mode | Enabled |
Restrict users to the explicitly permitted list of snap-ins | Enabled |
Windows Components, Task Scheduler | |
Hide Advanced Properties Checkbox in Add Scheduled Task Wizard | Enabled |
Hide Property Pages | Enabled |
Prevent Task Run or End | Enabled |
Prohibit Browse | Enabled |
Prohibit Drag-and-Drop | Enabled |
Prohibit New Task Creation | Enabled |
Prohibit Task Deletion | Enabled |
Windows Components, Windows Explorer | |
Allow only per user or approved shell extensions | Enabled |
Do not request alternate credentials | Enabled |
Hide these specified drives in My Computer | Enabled |
Pick one of the following combinations | Restrict all drives |
Hides the Manage item on the Windows Explorer context menu | Enabled |
No "Computers Near Me" in My Network Places | Enabled |
No "Entire Network" in My Network Places | Enabled |
Prevent access to drives from My Computer | Enabled |
Pick one of the following combinations | Restrict all drives |
Remove "Map Network Drive" and "Disconnect Network Drive" | Enabled |
Remove DFS tab | Enabled |
Remove File menu from Windows Explorer | Enabled |
Remove Hardware tab | Enabled |
Remove Search button from Windows Explorer | Enabled |
Remove UI to change menu animation setting | Enabled |
Remove Windows Explorer's default context menu | Enabled |
Removes the Folder Options menu item from the Tools menu | Enabled |
Windows Components, Windows Explorer, Common Open File Dialog | |
Hide the common dialog places bar | Enabled |
Windows Components, Windows Installer | |
Prevent removable media source for any install | Enabled |
Table 21.3. Computer Configuration Group Policy Settings for Managed Workstations
Policy | Setting |
|---|
Computer Configuration, Windows Settings, Security Settings, Local Policies, Security Options |
|---|
Accounts: Rename administrator account | "!%Admin%!" |
Accounts: Rename guest account | "!%Guest%!" |
Devices: Allowed to format and eject removable media | Administrators |
Devices: Prevent users from installing printer drivers | Enabled |
Devices: Restrict CD-ROM access to locally logged-on user only | Enabled |
Devices: Restrict floppy access to locally logged-on user only | Enabled |
Devices: Unsigned driver installation behavior | Do not allow installation |
Interactive logon: Do not display last username | Enabled |
Interactive logon: Do not require CTRL+ALT+DEL | Disabled |
Interactive logon: Number of previous logons to cache (in case domain controller is not available) | 10 logons |
Interactive logon: Prompt user to change password before expiration | 14 days |
Interactive logon: Smart card removal behavior | Lock Workstation |
Microsoft network server: Disconnect clients when logon hours expire | Enabled |
Network access: Do not allow anonymous enumeration of SAM accounts and shares | Enabled |
Recovery console: Allow automatic administrative logon | Disabled |
Recovery console: Allow floppy copy and access to all drives and all folders | Disabled |
Shutdown: Allow system to be shut down without having to log on | Disabled |
Shutdown: Clear virtual memory pagefile | Enabled |
Event Log | |
Maximum application log size | 10240 kilobytes |
Maximum security log size | 10240 kilobytes |
Maximum system log size | 10240 kilobytes |
Prevent local guests group from accessing application log | Enabled |
Prevent local guests group from accessing security log | Enabled |
Prevent local guests group from accessing system log | Enabled |
Administrative Templates, Network, Network Connections |
Prohibit use of Internet Connection Sharing on your DNS domain network System | Enabled |
Turn off Autoplay | Enabled |
Turn off Autoplay on: | CD-ROM drives |
System, Logon | |
Don't display the Getting Started welcome screen at logon | Enabled |
Run these programs at user logon | Disabled |
Windows Components, Internet Explorer | |
Disable Automatic Install of Internet Explorer components | Enabled |
Disable Periodic Check for Internet Explorer software updates | Enabled |
Disable showing the splash screen | Enabled |
Disable software update shell notifications on program launch | Enabled |
Security Zones: Do not allow users to add/delete sites | Enabled |
Security Zones: Do not allow users to change policies | Enabled |
Windows Components, NetMeeting | |
Disable remote Desktop Sharing | Enabled |
Windows Components, Task Scheduler | |
Hide Advanced Properties Checkbox in Add Scheduled Task Wizard | Enabled |
Hide Property Pages | Enabled |
Prevent Task Run or End | Enabled |
Prohibit Browse | Enabled |
Prohibit Drag-and-Drop | Enabled |
Prohibit New Task Creation | Enabled |
Prohibit Task Deletion | Enabled |
Windows Components, Windows Installer | |
Remove browse dialog box for new source | Enabled |
For more in-depth information about each policy setting and an extended list of templates for managing workstations using group policy download the following installation package: http://www.microsoft.com/downloads/details.aspx?familyid=354B9F45-8AA6-4775-9208-C681A7043292&displaylang=en
In most cases Terminal Servers (due to their nature) require extensive use of group policy to limit user activities. Although locking down Terminal Servers is outside the scope of this book, the principles are the essentially same as locking down a workstation, and there are several good resources on the Internet on how to accomplish this task. The following link provides a starting point:
