
84-02-06 DATA SECURITY MANAGEMENT

PLANNING AND DESIGNING GROUP POLICY, PART 1

Melissa Yon

INSIDE
What Is Group Policy?; Software Settings; Windows Settings; Administrative Templates; Requirements for Group Policy; Group Policy Infrastructure; Accessing Group Policy; Group Policy Hierarchy; Delegating Group Policy; Group Policy Processing

INTRODUCTION

When Microsoft created Windows 2000, three of the goals were to:

1. lower the total cost of ownership
2. reduce the support administrators must provide
3. improve security features of the operating system

Windows 2000 meets all of these goals if Group Policy (GP) is designed and implemented correctly. This two-part series explains GP, how to implement it, and best practices. The present article explains:

• what GP is
• requirements of GP
• features of GP
• creating a GP
• applying a GP
• delegating control of a GP
• GP processing

The second article (84-02-07) discusses:

• migration of NT 4.0 System Policies to Group Policy
• using System Policies for down-level clients
• Group Policy best practices

PAYOFF IDEA

For years, administrators have wanted the ability to lock down users’ desktops and set account settings, such as password and account lockout policies. These are some of the many things that Group Policy can accomplish. Group Policy allows administrators to create a directory-based policy that can be applied to all, some, or none of the client machines, users, and domain controllers. This article explains Group Policy, its requirements and features, creating a Group Policy, applying a Group Policy, delegating control of a Group Policy, and Group Policy processing. Part II (84-02-06), in the next issue of Data Security Management, discusses migration of NT 4.0 System Policies to Group Policy, using System Policies for down-level clients, and Group Policy best practices.

06/01 Auerbach Publications © 2001 CRC Press LLC

WHAT IS GROUP POLICY?
For years, administrators have wanted the ability to lock down users’ desktops and set account settings, such as password and account lockout policies. These are some of the many things that Group Policy (GP) can accomplish. GP allows administrators to create a directory-based policy that can be applied to all, some, or none of the client machines, users, and domain controllers. In NT 4.0, system policies were used to implement some of these settings. System policies, however, were not directory based and did not have the granularity of Windows 2000 Group Policy.

Windows 2000 Group Policy configures computer and user settings to the administrator’s preference. Group Policy contains major categories, which are subdivided into additional categories. The following sections discuss some of these major categories.

SOFTWARE SETTINGS

This category allows the administrator to specify software for a user or computer. The software can be assigned or published. When applications are assigned, the shortcut of the application appears on the Start menu and registry entries are added to the registry. When assigned to the computer, the application is installed during machine start-up. When assigned to the user, the shortcut is displayed on the Start menu; once the user selects the application, it is installed. If the administrator chooses to publish the software, the application is not advertised or shown on the Start menu. The software is available to the user; however, the user will need to go to Add/Remove Programs in the Control Panel to install the application. The Software Settings category in Group Policy can also be used to upgrade existing applications and to remove outdated ones.

WINDOWS SETTINGS

The Windows Settings category contains several different sub-categories. The computer and the user categories differ slightly. The computer sub-categories are Scripts and Security. The user sub-categories are Internet Explorer Maintenance, Scripts, and Security.
Scripts

If configured under the computer settings, scripts automate certain tasks at start-up and shutdown. If configured under the user settings, scripts execute at logon and logoff. Scripts can be written in Perl, Visual Basic, VBScript, or as MS-DOS batch files.

Security Settings

Security Settings can be defined for the computer or the user. They configure settings such as:

• Account Policies:
  – Password and Account Lockout Policies
• Local Policies:
  – Configure Audit and User Rights Policies
  – Configure detailed Security Options
• PKI Policies:
  – Recovery Agents for certificates
  – Trusted Root Certificates
  – Certificate Requests
• IPSec Policies:
  – Event Log
  – Restricted Groups
  – System Services
  – Registry
  – File Systems

ADMINISTRATIVE TEMPLATES

The Administrative Templates category gives the administrator the means to lock down the user’s desktop.

Windows Components

Under Windows Components, the administrator can:

• disable NetMeeting
• set Internet Explorer options and preferences under Internet Explorer
• set Windows Explorer options, such as “Remove map network drive,” “No Computers Near Me in My Network Places,” “Hide Hardware Tab,” and others
• set the Microsoft Management Console (MMC) to prevent users from entering Author Mode
• with Task Scheduler:
  – hide the Task Scheduler Property Pages
  – disable New Task Creation
  – disable Task Deletion
• configure the Windows Installer settings under Windows Components

Network Options

Under the Network Options category, an administrator can:

• configure Offline Folders for the users, so they will have access to the files saved to their network share
• prevent the use of Offline Folders
• configure the Network and Dial-up options
• give/deny access to users

It is so granular that some options may be available to users while others are not.
The Network Options settings can be specified under the computer or user configuration.

System Settings

Administrative Templates also includes System Settings under both the computer and user configurations. Some of the configurable settings are found under Logon/Logoff. An administrator can:

• disable Lock Computer
• disable Change Password
• disable Logoff (along with several other settings)
• set Group Policy options such as:
  – Group Policy Refresh
  – Group Policy Slow Link
  – Group Policy Domain Controller Selection
• configure Logon settings, such as how the logon script will run
• enable Disk Quotas
• configure a DNS suffix for a client

User Configuration: Start Menu and Taskbar Options

Administrative Templates also includes a Start Menu and Taskbar Options section under the user configuration. Some of those options are:

• remove Common Groups from Start menu
• remove Search menu from Start menu
• remove Help from Start menu
• remove Run from Start menu
• add Logoff to Start menu
• disable Logoff on Start menu

User Configuration: Desktop

Another user configuration category is the Desktop category, which allows an administrator to hide all icons from the desktop. The administrator can also configure the Active Desktop and Active Directory (AD) settings.

User Configuration: Control Panel

The Control Panel category found under User Configuration allows an administrator to hide the Control Panel. Other useful options include limiting access to Add/Remove Programs, the Display icon, the Printers icon, and Regional Options.

This is a brief overview of some of the settings found in Group Policy. Each category has many configurable settings. As an administrator, it is important to be aware of the Group Policy features and how to implement them.
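The Account Policies listed under Security Settings above are what a GPO writes into its security template on the domain controllers' SYSVOL share (the GptTmpl.inf file of that GPO). The following script is an added illustration, not code from the article: it parses a constructed template and flags any Account Policy or audit value that falls below an assumed baseline, which is the kind of check an administrator would run to confirm a policy actually enforces what was intended. The template contents and the baseline thresholds are assumptions.

```python
"""Constructed example: audit the Account Policy values a Windows 2000 GPO
stores in its security template (GptTmpl.inf under SYSVOL). The template
text and the baseline thresholds below are assumptions for illustration."""
import configparser

# Constructed template text. On a domain controller the real file is UTF-16
# and lives under <GPO folder>\MACHINE\Microsoft\Windows NT\SecEdit\GptTmpl.inf.
SAMPLE_TEMPLATE = """\
[System Access]
MinimumPasswordLength = 6
PasswordComplexity = 0
PasswordHistorySize = 3
LockoutBadCount = 0
MaximumPasswordAge = 42
[Event Audit]
AuditLogonEvents = 1
"""

# Assumed baseline: (section, key, minimum acceptable value).
# Audit values: 0 = none, 1 = success, 2 = failure, 3 = success and failure.
BASELINE = [
    ("System Access", "MinimumPasswordLength", 8),
    ("System Access", "PasswordComplexity", 1),
    ("System Access", "PasswordHistorySize", 12),
    ("System Access", "LockoutBadCount", 1),  # 0 means lockout is disabled
    ("Event Audit", "AuditLogonEvents", 3),
    ("Event Audit", "AuditAccountManage", 3),  # not set in the sample at all
]


def parse_template(text):
    """Parse INF-style template text into {section: {key: value}}."""
    cp = configparser.ConfigParser(interpolation=None, delimiters=("=",))
    cp.optionxform = str  # keep the original key case
    cp.read_string(text)
    return {s: dict(cp.items(s)) for s in cp.sections()}


def check_account_policy(text, baseline=BASELINE):
    """Return (key, found, required) for every setting below the baseline.
    A key missing from the template is reported with found=None, since an
    unset value means this GPO does not enforce that setting at all."""
    tmpl = parse_template(text)
    findings = []
    for section, key, minimum in baseline:
        raw = tmpl.get(section, {}).get(key)
        found = int(raw) if raw is not None else None
        if found is None or found < minimum:
            findings.append((key, found, minimum))
    return findings
```

To run it against a real GPO, read the template file with `encoding="utf-16"` and pass its contents to `check_account_policy`; an empty result means every baseline setting is enforced at or above the threshold.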
REQUIREMENTS FOR GROUP POLICY

Group Policy is stored in Active Directory; therefore, certain requirements must be met before Group Policy can be implemented. Because it requires Active Directory, a Domain Controller must be installed. One must have read and access permissions to the system folder (the SYSVOL folder), and one must also have modify rights to the directory container where the Group Policy will be implemented.

If one does not have a Domain Controller installed, one can implement a Local Policy on a specific machine. However, this is not a good idea if one has many machines, because each machine will have to be configured separately and the settings one can configure are limited. Because the total cost of ownership of implementing Local Policy is much greater than that of implementing Group Policy, Local Policy is not recommended.

GROUP POLICY INFRASTRUCTURE

Group Policy is stored in Active Directory (AD) as a Group Policy Object (GPO). Because one Group Policy may not meet all of one’s needs, there might be multiple Group Policy Objects. The GPO is actually stored on the Domain Controllers in the domain in which the GPO was created. The GPO is then linked to a portion of the AD. Once it is linked to a portion of AD, the users or computers in that portion of AD will process that Group Policy.

It is not necessary to create multiple Group Policies for the same settings. The same Group Policy can be applied to different areas in AD. Also, the Group Policy will only be processed for the portion of AD to which it is linked.

ACCESSING GROUP POLICY

Exhibit 1 shows the actual MMC (Microsoft Management Console) screen where the Default Group Policy is loaded. One can access the MMC and the Default Group Policy snap-in by taking the following steps:

1. Click Start > Run.
2. Type mmc.
3. Press Enter.
4. Click Console > Add/Remove Snap-In.
5. Click Add.
6. Click Group Policy.
7. Click Browse.
8. Click Default Domain Policy.
9. Click OK.
10. Click Finish.
11. Click Close.
12. Expand Group Policy.

EXHIBIT 1 — Accessing the Default Group Policy

Linking Group Policy

Group Policy is different from NT 4.0 System Policies in that one does not link a Group Policy to a Security Group. Group Policies can only be linked to sites, domains, and organizational units (OUs). The Group Policy can be applied to many users and computers or to few users and computers.