A Group Policy To-Do List
Why aren't more Windows pros using GPOs to their full potential?
- By Paul Desmond
- September 01, 2004
At the end of May, I spent my first week as the new editor of MCP Magazine
at the Microsoft TechEd Conference in San Diego, California. What an outstanding way to start my new job. I had absolutely nothing of any consequence to do other than wander the show floor handing out invitations to the launch party for Redmond
magazine. (Coming next month!) It also gave me a chance to get a feel for some of the critical attributes of my new company, qualities that usually take weeks if not months to determine, like how many drinks I could get them to pay for on a single trip. (Answer: lots.)
But every once in a while a pang of guilt would hit me and I'd go sit in on a session while eating another free muffin, or meet with a vendor and see if I could get them to talk about something useful.
And so it was that I came to find out many of you aren't yet using
Group Policy as effectively as you could be—or, in some cases,
at all. So when my turn came around to write this new Marching Orders
column, it was clear that I had to finish my Snickers, put down
the Diet Coke, and get to the bottom of this. I decided to call
three experts to find out what you should, without question, be
using Group Policy for right now.
My victims were: Danny Kim, chief technology officer at Full Armor, a policy management tool vendor based in Boston, who first got me thinking about the topic at TechEd; Jeremy Moskowitz, an independent consultant, trainer and MCP Mag contributor who literally wrote a book on this topic; and Derek Melber, co-founder of technical education company Braincore.Net, and an MCP Mag Contributing Editor.
Because they all immediately brought up security, I decided to
focus this list on security-related issues. "If you don't know
Group Policy, you don't know security," as Moskowitz puts it.
The specific actions you can take using Group Policy are many, but
some of the basics include setting a password policy, Kim says—number
of characters required, how often it must be changed, that kind
Another is to use the restricted groups setting in Group Policy, which gives you the ability to control local users and groups so you can restrict who can do what. For example, you may want to make sure certain individuals will never be in the admin group. "So if a local admin decides to put Harry in the admin group, this Group Policy will take him off," Kim says.
To reduce your level of vulnerability to attack, Kim says you
should also lock down certain system services—FTP, IIS admin
service, messenger service and remote registry service, to name
a few. Many of these services run at a high level of privilege,
leaving your network particularly exposed if they're compromised.
Using Group Policy, you can deny access to all non-admin users and
set security permissions.
Another simple one is screen saver timeout, Melber says. This is a policy that will lock down a user's computer if it hasn't been touched for some number of minutes, usually five to 10. The idea is to keep someone who happens to walk by an empty cube with a live PC session from using it to do nefarious deeds.
Melber also cautions you to restrict user rights for member servers, such that all users aren't allowed to log on to the member machine. Domain controllers have their own security subsystem, but member (also known as stand-alone) servers are often no more secure than the average user desktop. That means disgruntled Joe could walk up to the keyboard and log on using his own account, thereby gaining access to all kinds of resources he probably can't access normally—files and folders not shared on the network, OS configurations, maybe HR material—not pretty.
This is literally just the tip of the iceberg when it comes to Group Policy. Windows XP SP2 is going to increase the number of Group Policy settings by 600, from about 700 to 1,300, Moskowitz says. "It's the biggest registry editor in the world. You make one change and it affects all clients," he says. "Without training from a reputable source (hint, hint), you could be setting yourself up for major difficulties."
Well, I've done my part. Now if you'll pardon me, I've worked up quite a thirst.
Paul Desmond, the founding editor in chief of Redmond Channel Partner magazine, is president of the IT publishing firm PDEdit in Southborough, Mass. Reach him at firstname.lastname@example.org.