The following is one of three checklists to accompany Jonathan Hassell's Hardening Windows School, a series of six 10-minute webcasts designed to help you quickly and correctly lock down Windows systems. Lesson #4, Planning a Group Policy implementation with security in mind, premieres Thursday, June 9. Click for the course outline.
With power comes complexity and Group Policy is no exception. Many hours of Windows administrators' lives have been squandered away troubleshooting Group Policy. Answers to questions like, "Why isn't this policy in effect on this system?" or "I thought I turned off IPsec!" can be difficult to track down if your Active Directory is full of Group Policy Objects (GPOs) that are applied inconsistently, redundantly and inappropriately.
The most difficult aspects of configuring Group Policy correctly are planning and laying out the policy settings. Windows takes care of the actual deployment to client computers, which is one feature that makes Group Policy a compelling management tool. But this ease of deployment is a double-edged sword. It is just as easy to misconfigure an access control list or change a setting and wreak utter havoc on your domain. Anybody who has played with the "require signed communications" settings knows this all too well.
Even more difficult sometimes is getting the big picture: It is hard to see how your Active Directory layout and structure, which probably mimics your organization's hierarchical personnel structure, can co-exist with GPOs, which cross hierarchical boundaries and rely on other scopes of application. With careful planning, however, Group Policy can overlay your existing directory structure and complement it with its own management boundaries.
Try the following tips to keep your implementation in check. (Click here for the printable version.)
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
 |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
Hardening Windows School Checklist: Design Group Policy with security in mind |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|  |
|
|
|
|
|
Organize your policies logically and define boundaries to contain them |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
 |
|
|
|
|
|
Organizing Active Directory according to geographic location most likely will not match your system management needs. For instance, all company executives' laptops may require |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
IPsec but all of the executives may not be based in your New York office. Or, all middle managers may require a customized version of Internet Explorer that does not lock out their |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
Internet access, which could be the default configuration for all computers in the domain. You must map out the kinds of restrictions you need and then define boundaries to which |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
those policies apply. This will make it easier to apply them to target users and computers even if the geographical and managerial boundaries do not match. |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
|
|
|
|
|
Inside those boundaries, configure policies that represent common values in your organization |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
Do you normally configure workstations in your finance department to lock a computer after three unsuccessful logon attempts? Does a particular domain in your forest need |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
additional desktop restrictions: Should they not be allowed to run Control Panel? Change their wallpaper? Install software? These policy sets probably sound familiar. |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
Group these together and create GPOs for each like set of policy settings. |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
|
|
|
|
|
Configure organizational units that contain machines grouped according to like roles or functions within an organization |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
Windows comes by default with domain controllers residing in a separate organizational unit in Active Directory. You might consider putting desktops, laptops and servers into their |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
own organizational units, which makes it easier to apply policies to only laptops, like requiring the use of the encrypting file system (EFS). | |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
Windows Security Checklists offer you step-by-step advice for planning, setting up and hardening your Windows security infrastructure. E-mail
the editor to suggest additional checklist topics.
More from Hardening Windows School
Course outline: Pick and choose which courses you'd like to take
Lesson 3: Creating a custom security template
Beginner's checklist: How to enable automatic security updates
| ABOUT THE AUTHOR: Go back to Checklists |
|
 Jonathan Hassell is an author, consultant and speaker residing in Charlotte, North Carolina. Jonathan's books include RADIUS and Learning Windows Server 2003 for O'Reilly Media and Hardening Windows for Apress. His work is seen regularly in popular periodicals such as Windows IT Pro Magazine, SecurityFocus, PC Pro and Microsoft TechNet Magazine. He speaks around the world on topics including networking, security and Windows administration. Click to ask Jon a question or purchase his book here. Copyright 2005 |
|
