<<

84-02-06

DATA SECURITY MANAGEMENT PLANNING AND DESIGNING GROUP POLICY, PART 1

Melissa Yon

INSIDE What Is Group Policy?; Software Settings; Windows Settings; Administrative Templates; Requirements for Group Policy; Group Policy Infrastructure; Accessing Group Policy; Group Policy Hierarchy; Delegating Group Policy; Group Policy Processing

INTRODUCTION When Windows 2000 was created, three of the goals were to:

1. lower the total cost of ownership
2. reduce the support administrators must provide
3. improve security features of the

Windows 2000 meets all of these goals if Group Policy (GP) is designed and implemented correctly. This two-part series explains GP, how to implement it, and best practices. The present article explains:

• what GP is
• requirements of GP
• features of GP
• creating a GP
• applying a GP
• delegating control of a GP
• GP processing

The second article (84-02-07) discusses:

• migration of NT 4.0 System Policies to Group Policy
• using System Policies for down-level clients
• Group Policy best practices

PAYOFF IDEA For years, administrators have wanted the ability to lock-down users’ desktops and set account settings, such as password and account lockout policies. These are some of the many things that Group Policy can accomplish. Group Policy allows administrators to create a directory-based policy that can be enforced to all, some, or none of the client machines, users, and domain controllers. This article explains Group Policy, its requirements and features, creating a Group Policy, applying a Group Policy, delegating control of a Group Policy, and Group Policy processing. Part II (84-02-06), in the next issue of Data Security Management, discusses migration of NT 4.0 System Policies to Group Policy, using System Policies for down-level clients, and Group Policy best practices.

06/01 Auerbach Publications © 2001 CRC Press LLC


WHAT IS GROUP POLICY? For years, administrators have wanted the ability to lock-down users’ desktops and set account settings, such as password and account lockout policies. These are some of the many things that Group Policy (GP) can accomplish. GP allows administrators to create a directory-based policy that can be enforced to all, some, or none of the client machines, users, and domain controllers. In NT 4.0, system policies were used to implement some of these settings. System policies, however, were not directory based and did not have the granularity of Windows 2000 Group Policy. Windows 2000 Group Policy configures computer and user settings to the administrator’s preference. Group Policy contains major categories, which are subdivided into additional categories. The following sections discuss some of these major categories.

SOFTWARE SETTINGS This category allows the administrator to specify software for a user or computer. The software can be assigned or published. When applications are assigned, the shortcut of the application appears on the Start menu and registry entries are added to the registry. When assigned to the computer, the application is installed during machine start-up. When assigned to the user, the shortcut is displayed on the Start menu. Once the user selects the application, it is installed. If the administrator chooses to publish the software, the application is not advertised or shown on the Start menu. The software is available to the user; however, the user will need to go to Add/Remove Programs to install the application. The Software Settings category in Group Policy can also be used to upgrade existing applications and to remove outdated ones.

WINDOWS SETTINGS The Windows Settings category contains several different sub-categories. The computer and the user categories differ slightly. The computer sub-categories are Scripts and Security. The user sub-categories are Maintenance, Scripts, and Security.

Scripts If configured under the computer settings, scripts automate certain tasks at start-up and shutdown. If configured under user settings, scripts will execute at logon and logoff. Scripts can be programmed using PERL, Visual Basic, VB Script, or MS-DOS batch files.

Security Settings The Security Settings can be defined for the computer or user. Security Settings configure different settings such as:


• Account Policies:
  – Password and Account Lockout Policies
• Local Policies:
  – Configure Audit and User Rights Policies
  – Configure detailed Security Options
• PKI Policies:
  – Recovery Agents for certificates
  – Trusted Root Certificates
  – Certificate Requests
• IPSec Policies
• Event Log
• Restricted Groups
• System Services
• Registry
• File Systems

ADMINISTRATIVE TEMPLATES The Administrative Templates category gives the administrator access to lock-down the user’s desktop.

Windows Components Under Windows Components, the administrator can:

• disable NetMeeting
• set Internet Explorer options and preferences under Internet Explorer
• set Windows Explorer options, such as “Remove map network drive,” “No Computers Near Me in My Network Places,” “Hide Hardware Tab,” and others
• set the Microsoft Management Console (MMC) to prevent users from entering Author Mode
• with Task Scheduler:
  – hide the Task Scheduler Property Pages
  – disable New Task Creation
  – disable Task Deletion
• configure the settings under Window Components

Network Options Under the Network Options category, an administrator can:

• configure Offline Folders for the users, so they will have access to the files saved to their network share
• prevent the use of Offline Folders
• configure the Network and Dial-up options
• give/deny access to users


It is so granular that some options may be available to users while others are not. The Network Options settings can be specified under the computer or user configuration.

System Settings The Administrative Templates includes System Settings under the computer and user configurations. Some of the configurable settings are found under Logon/Logoff. An Administrator can:

• disable Lock Computer
• disable Change Password
• disable Logoff (along with several other settings)
• set Group Policy options such as:
  – Group Policy Refresh
  – Group Policy Slow Link
  – Group Policy Domain Controller Selection
• configure Logon settings, such as how the logon script will run
• enable Disk Quotas
• configure a DNS suffix for a client

User Configuration: Start Menu and Options The Administrative Template also includes a Start menu and Taskbar Options section under the user configuration. Some of those options are:

• remove Common Groups from Start menu
• remove Search menu from Start menu
• remove from Start menu
• remove Run from Start menu
• add Logoff to Start menu
• disable Logoff on Start menu

User Configuration: Desktop Another user configuration category is the Desktop category, which allows an administrator to hide all icons from the desktop. Also, the administrator can configure the Active Desktop and Active Directory (AD) settings.

User Configuration: Control Panel The Control Panel category found under User Configuration allows an administrator to Hide Control Panel. Other options that are useful include limiting the access to the Add/Remove Programs, Display Icon, Printers Icon, and Regional Options.


This is a brief overview of some of the settings found in Group Policy. Each category has many configurable settings. As an administrator, it is important to be aware of the Group Policy features and how to implement them.

REQUIREMENTS FOR GROUP POLICY Group Policy is stored in Active Directory; therefore, there are certain requirements that must be met before Group Policy can be implemented. Because it requires Active Directory, a Domain Controller must be installed. One must have read and write access permissions to the system folder (which is the SYSVOL folder), and one must also have modify rights to the directory container where the Group Policy will be implemented. If one does not have a Domain Controller installed, one can implement a Local Policy on a specific machine. However, this is not a good idea if one has many machines because each machine will have to be configured separately, and one is limited in the settings one can configure. Because the total cost of ownership to implement Local Policy is much greater than implementing Group Policy, Local Policy is not recommended.

GROUP POLICY INFRASTRUCTURE Group Policy is stored in Active Directory (AD) as a Group Policy Object (GPO). Because one Group Policy may not meet all of one’s needs, there might be multiple Group Policy Objects. The GPO is actually stored on the Domain Controllers in the domain in which the GPO was created. The GPO is then linked to a portion of the AD. Once it is linked to a portion of AD, the users or computers in AD will process that Group Policy. It is not necessary to create multiple Group Policies for the same settings. The same Group Policy can be applied to different areas in AD. Also, the Group Policy will only be processed for the portion of AD to which it is linked.

ACCESSING GROUP POLICY Exhibit 1 shows the actual MMC (Microsoft Management Console) screen where the Default Group Policy is loaded. One can access the MMC and the Default Group Policy snap-in by taking the following steps:

1. Click Start>Run.
2. Type mmc.
3. Press Enter.
4. Click Console>Add/Remove Snap-In.
5. Click Add.
6. Click Group Policy.
7. Click Browse.
8. Click Default Domain Policy.
9. Click OK.
10. Click Finish.
11. Click Close.
12. Expand Group Policy.

EXHIBIT 1 — Accessing the Default Group Policy

Linking Group Policy Group Policy is different from NT 4.0 System Policies in that one does not link a Group Policy to a Security Group. Group Policies can only be linked to sites, domains, and organizational units (OUs). The Group Policy can be applied to many users and computers or to few users and computers. A GPO linked to a site will apply to all users and computers in that site. A GPO linked to a domain will apply to all users and computers in a domain. Likewise, a GPO linked to an OU will apply to all users and computers in the OU. To link a GPO to a site, one must start the MMC and open the AD Sites and Services Snap-In. The steps are as follows:

1. Click Start>Run.
2. Type mmc.
3. Press Enter.
4. Click Console>Add/Remove Snap-In.
5. Click Add.
6. Click AD Sites and Services.
7. Click OK.
8. Click Finish.
9. Click Close.
10. Expand the AD Sites and Services Snap-In.
11. Right-click the site to which the GPO is being linked.
12. Click Properties.
13. Click the Group Policy tab.
14. Click Add.
15. Click the GPO.
16. Click OK.

Exhibit 2 displays the Group Policy Properties screen. Notice that one can also select New to create a new GPO, select Add to link a GPO, select Edit to edit the selected GPO, or select Delete to break the link of the GPO to the site, domain, or OU. If it is necessary to link a GPO to the domain or OU, one must add another snap-in. The steps are as follows:

1. Click Start>Run.
2. Type mmc.
3. Press Enter.
4. Click Console>Add/Remove Snap-In.
5. Click Add.
6. Click AD Users and Computers.
7. Click OK.
8. Click Finish.
9. Click Close.
10. Expand the AD Users and Computers Snap-In.
11. Right-click the domain or OU to which the GPO is being linked.
12. Click Properties.
13. Click the Group Policy tab.
14. Click Add.
15. Click the GPO.
16. Click OK.

EXHIBIT 2 — Group Policy Properties Screen

One notices that the Group Policy Properties screen is exactly the same as the Site Group Policy Properties screen.

GROUP POLICY HIERARCHY Group Policy is inherited and cumulative. This means that if User Group Policies are implemented and there are Policies linked to the site, domain, and OUs, all Group Policies apply. If two Group Policies have the same setting configured, then the setting in the last Group Policy that is processed will overwrite the setting in the previous Group Policy. Group Policy hierarchy is processed in the following order:


1. The Local Policy is applied.
2. The GPOs linked to the site are applied.
3. The GPOs linked to the domain (of which the user or computer is a member) are applied.
4. The GPOs linked to the OU are applied.
5. Finally, the GPOs linked to the Child OUs are applied.

Finally, if there is more than one GPO linked at the site, domain, or OU level, the GPO at the top of the list has the highest priority. To look at it another way, the linked GPOs are processed from the bottom up in the Group Policy Properties screen.

No Override and Block Inheritance Microsoft has provided a way for the administrator to override the way Group Policy is enforced. An administrator can use the “No Override” or the “Block Inheritance” features.

When the “No Override” option is enabled on a particular GPO, the settings for that GPO cannot be overwritten by a Group Policy setting processed later. For example, if the GPO linked to the domain is set to “No Override,” then the GPO linked to the OU cannot overwrite any settings set at the domain level.

The “Block Inheritance” feature allows the administrator to block settings applied at higher levels. If “Block Inheritance” is checked at the OU level, no GPO settings that are linked at the site or domain level will apply, provided the “No Override” has not been selected at the site or domain level. One cannot use “Block Inheritance” to block a “No Override” GPO.

The “No Override” is selected by clicking Options in the Group Policy Properties screen and selecting “No Override.” The “Block Inheritance” is selected by clicking the “Block Inheritance” checkbox on the Group Policy Properties screen. Exhibits 3 and 4 show how Group Policy is applied.

EXHIBIT 3 — Cumulative Group Policy with No Overrides at the Domain Level

NA Domain Policy (na.train.com Domain GP):
1. No Run on Start Menu
2. Add Logoff to the Start Menu

Southeast OU Policy (Southeast OU GP):
1. Hide all icons on the Desktop
2. Disable Control Panel

Sales OU Group Policy (Sales OU GP):
1. Disable Command Prompt
2. Enable Run on Start Menu

Cumulative Group Policy:
1. Enable Run on the Start Menu
2. Add Logoff to the Start Menu
3. Hide all icons on the Desktop
4. Disable Control Panel
5. Disable Command Prompt

Filtering the Group Policy Object GPOs linked to sites, domains, and OUs are applied to all users and computers in the site, domain, or OU. This is a cause for concern because one might want to exclude some users and computers from the GPO. This can be done using Security Groups to filter the GPO.

In the GPO Properties screen, click Properties and click on the Security tab. (To get to the GPO Properties screen, right-click the site, domain, or OU. Click Properties, then click on the Group Policy tab [see Exhibit 5].) Notice that the “Authenticated Users” have “Read and Apply Group Policy” control. In other words, all authenticated users in the domain or OU will process and apply this Group Policy — even administrators. To filter who or what receives this GPO, one must remove the Authenticated Users “Allow” on “Apply Group Policy.” It is also a good idea to remove the “Read” access. If the “Apply Group Policy” is removed but the “Read” access is still there, then all authenticated users will still process the Group Policy. However, they will not apply the Group Policy. To increase performance, uncheck the “Allow” box for “Read” and “Apply Group Policy” for “Authenticated Users.”

Once access from authenticated users has been removed, one can then add Security Groups, Users, or Computers and specify “Read” and “Apply Group Policy” access. One must give “Read” access if one wants it to apply the Group Policy. If one does not give the “Read” and “Apply Group Policy” access to anyone, then the GPO will not be processed and applied. The following steps will add a user, computer, or security group.

1. Click Add from the Security screen.
2. Click the user, computer, or security group.
3. Click OK.
4. Select the user, computer, or security group.
5. Click to check the Allow box for Read.
6. Click to check the Allow box for Apply Group Policy.
7. Click Apply.
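The two filtering mistakes described above (leaving Authenticated Users with Apply Group Policy, or removing Apply from everyone so the GPO is linked but never applied) are easy to audit across a domain. The following script is an added example, not code from the article; it uses the GroupPolicy module cmdlets Get-GPO and Get-GPPermission, which exist in RSAT on Windows Server 2008 R2 and later rather than on Windows 2000, where the same information is read from the GPO's Security tab. The domain name comes from the current session and is an assumption.

```powershell
# Added example (not from the article): report on the security filtering of
# every GPO in a domain, i.e. the Read / Apply Group Policy ACEs discussed above.
Import-Module GroupPolicy

function Get-GpoFilteringReport {
    param(
        [string] $Domain = $env:USERDNSDOMAIN   # assumption: audit the current domain
    )
    foreach ($gpo in Get-GPO -All -Domain $Domain) {
        # -All lists every trustee on the GPO with its effective permission level.
        $perms = Get-GPPermission -Guid $gpo.Id -Domain $Domain -All |
            Where-Object { -not $_.Denied }

        # Trustees holding "Apply Group Policy" (GpoApply implies Read).
        $apply = @($perms | Where-Object { $_.Permission -eq 'GpoApply' })
        # Trustees with Read (or edit rights) but no Apply: they still process
        # the GPO at logon, paying the cost without receiving the settings.
        $readOnly = @($perms | Where-Object { $_.Permission -ne 'GpoApply' })

        [pscustomobject]@{
            Gpo               = $gpo.DisplayName
            AppliesTo         = ($apply | ForEach-Object { $_.Trustee.Name }) -join ', '
            # Authenticated Users still holding Apply means everyone, administrators included.
            AppliesToEveryone = [bool]($apply | Where-Object { $_.Trustee.Name -like '*Authenticated Users' })
            # No Apply trustee at all: the GPO is linked but will never be applied.
            NeverApplied      = ($apply.Count -eq 0)
            ReadWithoutApply  = ($readOnly | ForEach-Object { $_.Trustee.Name }) -join ', '
        }
    }
}

# Usage: show only the GPOs that exhibit one of the two problems.
Get-GpoFilteringReport |
    Where-Object { $_.AppliesToEveryone -or $_.NeverApplied } |
    Format-Table Gpo, AppliesToEveryone, NeverApplied, AppliesTo -AutoSize
```

Get-GPPermission reports one line per trustee at the highest permission level that trustee holds, so a group with Read only shows as GpoRead, a group with Read and Apply shows as GpoApply, and Domain Admins typically show as GpoEditDeleteModifySecurity; the ReadWithoutApply column therefore lists everyone who processes the GPO without applying it, which is the performance point made above.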

EXHIBIT 4 — Cumulative Group Policy with Block Inheritance at the OU Level

Americas Site Policy (Americas Site, Site GPO):
1. Remove Search from the Start Menu
2. Remove "Map Network Drive" and "Disconnect Network Drive"

SA Domain Policy (sa.train.com Domain GP):
1. Enable Control Panel and set No Override
2. Disable Logoff to Start Menu and set to No Override

NA Domain Policy (na.train.com Domain GP):
1. No Run on Start Menu
2. Add Logoff to the Start Menu

Southeast OU Policy (Southeast OU GP):
1. Hide all icons on the Desktop
2. Disable Control Panel
3. Enable "Map Network Drive" and "Disconnect Network Drive" and set Block Inheritance

Sales OU Group Policy (Sales OU GP):
1. Disable Command Prompt
2. Enable Run on Start Menu

Cumulative Group Policy:
1. Remove Search from the Start Menu
2. Add "Map Network Drive" and "Disconnect Network Drive"
3. Enable Run on the Start Menu
4. Add Logoff to the Start Menu
5. Hide all icons on the Desktop
6. Disable Control Panel
7. Disable Command Prompt

The SA Domain Policy does not apply here since the user is in the NA domain.
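The precedence rules illustrated in Exhibits 3 and 4 (Local, then site, domain, OU and child OU; top of the link list wins; "No Override" survives everything below it; "Block Inheritance" discards non-enforced settings from above) can be modelled in a few lines. The following is an added example, not code from the article, and it does not touch Active Directory: the scope, GPO and setting names are constructed test data loosely based on the exhibits, and the domain and OU names are taken from them only for readability.

```powershell
# Added example (not from the article): a model of Group Policy precedence.
# Scopes are given in processing order; each scope lists its GPOs top-to-bottom
# exactly as they appear on the Group Policy tab.

function Resolve-GpoPrecedence {
    param(
        [Parameter(Mandatory = $true)] [object[]] $Scopes
    )
    $result = @{}   # setting name -> @{ Value; Gpo; Enforced }

    foreach ($scope in $Scopes) {
        # "Block Inheritance" drops everything inherited from higher levels,
        # except settings that came from a "No Override" GPO.
        if ($scope.BlockInheritance) {
            foreach ($name in @($result.Keys)) {
                if (-not $result[$name].Enforced) { $result.Remove($name) }
            }
        }
        # GPOs on one container are processed bottom-up, so the GPO at the
        # top of the list is applied last and wins any conflict.
        $gpos = @($scope.Gpos)
        for ($i = $gpos.Count - 1; $i -ge 0; $i--) {
            $gpo = $gpos[$i]
            foreach ($setting in $gpo.Settings.Keys) {
                $current = $result[$setting]
                # A setting fixed by an earlier "No Override" GPO is never
                # overwritten, so the higher-level enforced GPO wins.
                if ($current -and $current.Enforced) { continue }
                $result[$setting] = @{
                    Value    = $gpo.Settings[$setting]
                    Gpo      = $gpo.Name
                    Enforced = [bool]$gpo.NoOverride
                }
            }
        }
    }
    return $result
}

# Constructed scenario: an enforced domain GPO, a blocking OU, two GPOs on one OU.
$scopes = @(
    @{ Name = 'Local';         BlockInheritance = $false; Gpos = @() },
    @{ Name = 'Americas site'; BlockInheritance = $false; Gpos = @(
        @{ Name = 'Americas Site GPO'; NoOverride = $false
           Settings = @{ 'Search on Start Menu' = 'Removed' } } ) },
    @{ Name = 'na.train.com';  BlockInheritance = $false; Gpos = @(
        @{ Name = 'NA Domain GPO'; NoOverride = $true
           Settings = @{ 'Logoff on Start Menu' = 'Added' } },
        @{ Name = 'NA Desktop GPO'; NoOverride = $false
           Settings = @{ 'Run on Start Menu' = 'Removed' } } ) },
    @{ Name = 'Southeast OU';  BlockInheritance = $true;  Gpos = @(
        @{ Name = 'Southeast GPO'; NoOverride = $false
           Settings = @{ 'Desktop icons' = 'Hidden'; 'Control Panel' = 'Disabled' } } ) },
    @{ Name = 'Sales OU';      BlockInheritance = $false; Gpos = @(
        @{ Name = 'Sales GPO 1 (top of list)'; NoOverride = $false
           Settings = @{ 'Command Prompt' = 'Disabled' } },
        @{ Name = 'Sales GPO 2'; NoOverride = $false
           Settings = @{ 'Run on Start Menu' = 'Enabled'; 'Command Prompt' = 'Enabled' } } ) }
)

$resolved = Resolve-GpoPrecedence -Scopes $scopes
foreach ($entry in ($resolved.GetEnumerator() | Sort-Object Key)) {
    '{0,-22} {1,-9} from {2}' -f $entry.Key, $entry.Value.Value, $entry.Value.Gpo
}
```

Walking the scenario through by hand gives the same answer the function prints: the site's "Search removed" and the domain's non-enforced "Run removed" are both dropped by Block Inheritance on Southeast OU, the enforced "Logoff added" from NA Domain GPO survives it, Sales GPO 2 then enables Run, and Command Prompt ends up Disabled because Sales GPO 1 sits at the top of the Sales OU list and is processed last.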

DELEGATING GROUP POLICY Many companies have an administration team that is dispersed. That is, they have one administrator for desktop security, one administrator for accounts, one administrator for network security, or the administration may be given to the respective departments for their OU. If this is the case, one can design AD so that an administrator can only link GPOs to certain sites, domains, or OUs, and only edit already-created GPOs or create GPOs, but not edit GPOs already created by other administrators. This is called “Delegating Group Policy.” One can delegate the following:

• manage group policies for site, domain, OU
• edit Group Policy objects
• create Group Policy objects
• Group Policy to control MMC consoles

EXHIBIT 5 — The GPO Properties Screen

Administrators, by default, have all of these rights.

Allowing a Non-Administrator to Manage an OU The following steps will allow a user or group of users to link existing GPOs to the OU. In the MMC, using AD Users and Computers:

1. Right-click the OU.
2. Click Delegate Control.
3. Click Next.
4. Click Add.
5. Select the user(s) or groups.
6. Click Add.
7. Click OK.
8. Click Next.
9. Click Manage Group Policy Links.
10. Click Next.
11. Click Finish.

Editing Group Policy Objects In the MMC using Group Policy Snap-In:

1. Choose the Group Policy allowed to be edited.
2. Right-click the root of the group policy.
3. Click Properties.
4. Click the Security tab.
5. Click Add.
6. Select the user or group of users.
7. Click Add.
8. Click OK.
9. If the users will not have the GPO applied to them, make sure that the Apply Group Policy is NOT allowed.
10. Check Read and Write.
11. Click OK.

Creating Group Policy Objects The following steps allow a user to create a new GPO. In the MMC using AD Users and Computers:

1. Double-click the user.
2. Click the Member Of tab.
3. Click Add.
4. Select Group Policy Creator Owners.
5. Click Add.
6. Click OK twice.
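The three delegation procedures above (manage links on an OU, edit a GPO, create GPOs) can also be scripted, which makes the resulting rights easier to review. The following is an added example, not code from the article; it uses the GroupPolicy and ActiveDirectory modules (RSAT, Windows Server 2008 R2 or later, not available on Windows 2000) plus the dsacls tool. The domain, OU, group and GPO names are constructed placeholders, and the dsacls argument form for property-level rights is assumed from the tool's own help rather than taken from the article.

```powershell
# Added example (not from the article): scripted equivalents of the three
# delegation procedures, followed by a check that the editors do not apply the GPO.
Import-Module GroupPolicy
Import-Module ActiveDirectory

$Domain    = 'na.train.com'                    # the article's example domain
$OuDn      = 'OU=Sales,DC=na,DC=train,DC=com'   # constructed OU
$EditGroup = 'Sales GPO Editors'                # constructed security group
$GpoName   = 'Sales Desktop Lockdown'           # constructed GPO

# Editing an existing GPO: GpoEdit grants Read and Write but NOT Apply Group
# Policy, which is exactly what step 9 of "Editing Group Policy Objects" requires
# so that the editors are not locked down by the GPO they maintain.
Set-GPPermission -Name $GpoName -Domain $Domain `
    -TargetName $EditGroup -TargetType Group -PermissionLevel GpoEdit

# Creating new GPOs: membership of the built-in Group Policy Creator Owners group.
Add-ADGroupMember -Identity 'Group Policy Creator Owners' -Members $EditGroup

# Managing links on the OU: the Delegate Control wizard grants read/write on the
# OU's gPLink and gPOptions attributes. dsacls does the same from the command line
# (RPWP = read property + write property; argument form assumed from dsacls help).
dsacls $OuDn /G "NA\${EditGroup}:RPWP;gPLink" /G "NA\${EditGroup}:RPWP;gPOptions"

# Check: the editors must not hold Apply Group Policy on the GPO.
function Test-NoApplyForEditors {
    param([string] $Name, [string] $Trustee, [string] $Dom)
    $applied = Get-GPPermission -Name $Name -Domain $Dom -All |
        Where-Object { $_.Permission -eq 'GpoApply' -and $_.Trustee.Name -eq $Trustee }
    return ($null -eq $applied)
}
Test-NoApplyForEditors -Name $GpoName -Trustee $EditGroup -Dom $Domain
```

The order matters in practice: grant GpoEdit and the link rights first, then confirm with the check that no GpoApply entry appeared for the editors, because an editor who can also apply the GPO to themselves is both locked down by it and able to quietly change what everyone else receives.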

Controlling MMC Consoles Controlling MMC consoles is implemented in several ways. The GPO is actually used to set and limit many of these rights. For example, many of these settings are found under User Configuration, Administrative Templates, Windows Components, and Microsoft Management Console.

GROUP POLICY PROCESSING As previously stated, the Group Policy objects are processed in a hierarchical manner. The Local Policy is processed first and the OU that the computer and user is a member of processes its Group Policy last. Therefore, the order is as follows:

• Local Policy
• Site Policy
• Domain Policy
• OU Policy

Of course, if there are nested OUs, each OU will apply its policy. If there are multiple Group Policies (see Exhibit 6) in any container, the Policies will be applied from bottom to top in the list. The only time this order will change is if filtering is applied so that the policy is not applied for that user, if “No Override” has been enabled, or if “Block Inheritance” has been marked.

The Computer Configuration Policies are processed at computer start-up. Once the computer starts up, the computer will apply all the Computer Configuration Group Policies. The User Configuration Policies are applied once the user presses CTRL+ALT+DEL. By default, the desktop will not load until all User Policies are processed. The more policies one processes, the longer it takes for the desktop to appear.

EXHIBIT 6 — Cumulative Group Policy with Multiple GPOs

NA Domain Policy, NA GPO (na.train.com Domain GP):
1. No Run on Start Menu
2. Add Logoff to the Start Menu

Southeast OU Policy, Southeast GPO1 (appears at top of GPO list; Southeast OU GP), Block Inheritance:
1. Hide all icons on the Desktop
2. Disable Control Panel

Sales OU Group Policy (Sales OU GP):
1. Disable Command Prompt
2. Enable Run on Start Menu

Cumulative Group Policy:
1. Enable Run on the Start Menu
2. Add Logoff to the Start Menu
3. Enable Control Panel
4. Remove Favorites from the Start Menu
5. Hide all Icons on the Desktop
6. Disable Command Prompt


Once the user is logged on, the Group Policy, by default, will refresh every 90 minutes on client machines and every five minutes on domain controllers. These settings can be configured in Group Policy. The Policy can also be forced from the command line on the client machine. One cannot, however, force a refresh on the client from the server. The command-line command for the client is:

secedit /refreshpolicy {machine_policy | user_policy}[/enforce]

Some of the Group Policy settings are not refreshed. These settings include Software settings and Folder Redirection settings.

Other considerations for Group Policy processing are slow links. Group Policy will detect and determine if there is a slow link by pinging the server and measuring the time. If Group Policy determines it is a slow link, then the configuration set in Group Policy will determine if the policy is loaded.

By now one should be more familiar with Group Policies and how to create a Group Policy. One should be able to create a Group Policy and link it to a site, domain, or OU. One should also be able to delegate control of the OU to a user(s). This is a very good starting point for implementing Group Policy. However, some issues still exist. For example, will one’s NT 4.0 System Policies migrate to Windows 2000? How can one create System Policies for down-level clients? Finally, one may know how to create Group Policy, but what are the best practices for creating Group Policy? All these issues are discussed in the next Group Policy article (84-02-07).

Melissa Yon, MCSE, MCT, MCP+I, CTT, is currently a technical trainer for Lucent Technologies Worldwide Services. She has nine years of experience in designing and implementing desktop, server, and enterprise solutions and conducting training. In the last two years, she has designed training materials and delivered training and solutions for Lucent Technologies.