Windows Group Policy settings can help with IT's two biggest enterprise desktop security tasks: protecting against
malware and preventing users from tampering with their desktops.
Windows Group Policy lets IT set folder options, scheduled tasks, security settings, software installations, drive mappings and other configurations for users or groups of users. For the purposes of this article, I'm talking about using Group Policy settings to improve security on desktops running Windows 7, Internet Explorer 9 and Office 2010. I am also assuming that domain controllers are running Windows Server 2008 R2. However, many of the Group Policy settings that I will discuss do exist in older operating systems.
Internet Explorer security zones
One of the first steps to securing desktops against malware is to harden Internet Explorer. Microsoft offers a number of Group Policy settings that can be used to force IE to behave according to corporate security and acceptable-use policies.
You'll need to address Internet Explorer security zones and content restrictions. To do so, install IE 9 onto the computer that you are using to edit the Group Policy settings. Next, configure the Internet security zone settings to meet your enterprise desktop security needs. Don't forget to make the Web browser aware of any trusted, restricted or local intranet sites. When you are done, go ahead and configure the browser's content restrictions to comply with your organization's acceptable-use policy.
Once the browser has been configured, open the Group Policy Editor and navigate to "User Configuration\Policies\Windows Settings\Internet Explorer Maintenance\Security." Double-click on the Security Zones and Content Ratings setting. When you do, Windows will display a dialog box that allows you to import the security and content settings that you have just configured.
While you are at it, I recommend going to "User Configuration\Policies\Windows Settings\Internet Explorer Maintenance\URLs" and double-clicking the "Important URLs" setting. You can then specify the browser's home page, search bar URL and online support page. Many forms of malware attempt to redirect these addresses to malicious sites, so centrally specifying the URLs through Group Policy settings can help to avoid browser hijacking.
Control Panel settings
One of the best things that you can do to prevent users from tampering with their desktops is to block their access to the Control Panel. A word of caution, though: Make sure that you do not apply this particular Group Policy setting to an organizational unit that includes administrative accounts or help desk accounts. Otherwise, you may lock yourself or the support staff out of the Control Panel.
With that said, you can access the Control Panel-related settings at "User Configuration\Administrative Templates\Control Panel." I recommend enabling the "Prohibit Access to the Control Panel" setting because it removes the Control Panel from the Start menu and from Windows Explorer. It also prevents users from running Control.exe, which is required for Control Panel applets.
Incidentally, if you have certain Control Panel settings that you want to be consistent across all of your desktops, you can implement those settings through the Group Policy Editor. The Control Panel settings are located at "Computer Configuration\Preferences\Control Panel Settings."
Securing Outlook with Group Policy settings
Malicious email messages are another source of malware. Although antispam software should catch most malicious messages, there is always the chance that an occasional message might make it into the user's inbox. Thus, it's a good idea to configure your Group Policy settings to secure Outlook.
More on Group Policy settings:
Group Policy tricks to secure network endpoints
Using Group Policy to lock down the Control Panel
Managing Terminal Services via Group Policy
The Group Policy Editor does not contain any Outlook-related security settings by default, but you can download a set of administrative templates for Microsoft Office.
There are way too many Outlook-related security settings to discuss them all, but be sure to take a look at the attachment-related security settings, which are located at "User Configuration\Administrative Templates\Microsoft Outlook 2010\Security\Security Form Settings\Attachment Security." You can use the attachment security settings to control what types of attachments users are allowed to open.
If you go to "User Configuration\Administrative Templates\Microsoft Outlook 2010\Security," you will find a setting that prevents users from customizing attachment security settings. I also recommend going to "User Configuration\Administrative Templates\Microsoft Outlook 2010\Security\Trust Center" and checking the security settings related to hyperlinks in suspected phishing messages and macro security.
Using Group Policy settings to configure User Account Control
Even though some administrators find User Account Control annoying, this feature can go a long way toward keeping your desktops secure. As with other enterprise desktop security settings, it's a good idea to centrally configure User Account Control through the use of Group Policy settings. You can find the User Account Control settings in the Group Policy Editor at "Computer Configuration\Policies\Windows Settings\Security Settings\Local Policies\Security Options."
Although it is impossible to discuss every vital enterprise desktop security setting, the ones presented here should give you a good start for securing your desktops. While you are at it, don't forget the importance of configuring the desktop's local security policies. Active Directory Group Policy objects only take effect once a user logs into the domain. Local security policies can help to safeguard desktops against pre-login exploits.
ABOUT THE AUTHOR:
Brien Posey, MCSE, is a Microsoft Most Valuable Professional for his work with Windows 2000 Server and IIS. He has served as CIO for a nationwide chain of hospitals and was once in charge of IT security for Fort Knox. As a freelance technical writer, he has written for Microsoft, TechTarget, CNET, ZDNet, MSD2D, Relevant Technologies and other technology companies. For more on Posey, visit his website at www.brienposey.com.