
Group Policy: The final consideration in securing Active Directory

Derek Melber, Contributor

This is the final article in a four-part series on securing your Active Directory by expert Derek Melber

I can't leave this series of articles on Active Directory security without touching on the de facto method for managing security for all users and computers in an Active Directory domain: Group Policy. With almost 1,800 policy settings available in a single Group Policy Object (GPO), it is no wonder Group Policy provides so much power, control, security and management over an Active Directory enterprise. Every time I get in front of a group of people and talk about Group Policy, I say: "It is impossible to talk about Active Directory security without talking about Group Policy!"

Default Group Policy in Active Directory

I am often told by seasoned Active Directory administrators that they don't use Group Policy. That statement is sort of like saying you don't eat chicken while taking a bite out of a KFC extra-crispy drumstick. Every Active Directory domain is created with two default GPOs, so Group Policy is in use from the moment the first domain controller is promoted. These default GPOs are there for very distinct reasons and should be reviewed to ensure they are configured properly to provide the best security for your company network.

The first default GPO is the Default Domain Policy, linked at the domain root. This GPO is responsible for establishing and maintaining the account policies (password policy, account lockout policy and Kerberos policy) for the domain user accounts. Account policies for domain accounts take effect only from a GPO linked at the domain level, which is why the Default Domain Policy is where they belong. As we said in Part II of this article series, the account policies are essential for helping secure the domain user account passwords.

The second default GPO is the Default Domain Controllers Policy, linked to the Domain Controllers OU. This GPO is responsible for establishing the baseline security for all domain controllers in the domain. The primary security settings established in this GPO are the user rights assignments, which control who may do what on a domain controller. Common user rights include:

  • Allow log on locally (logging on at the keyboard attached to the computer)
  • Change the system time
  • Back up files and directories
  • Access this computer from the network
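Both default GPOs can be reviewed from any workstation that has the RSAT tools installed. The following PowerShell is an added example, not code from the article: it compares the domain's effective account policy (the result of the Default Domain Policy) against a baseline, then lists who holds the four user rights above in the Default Domain Controllers Policy. The baseline values and the broad-principal check are assumptions made for illustration; the cmdlets are from the ActiveDirectory and GroupPolicy modules.

```powershell
# Added example (not from the article). Requires the RSAT ActiveDirectory and
# GroupPolicy modules; read access to GPOs is enough for everything below.
Import-Module ActiveDirectory
Import-Module GroupPolicy

# ---- 1. Default Domain Policy: the effective account policy of the domain ----
# Account policy for domain accounts only takes effect from a GPO linked at the
# domain root, so the domain object reflects whatever the Default Domain Policy
# (or another domain-linked GPO) has set.
$policy = Get-ADDefaultDomainPasswordPolicy

# Baseline values are an assumption for this example; substitute your standard.
$checks = @(
    @{ Name = 'MinPasswordLength';           Test = { $_ -ge 12 };    Want = '>= 12' }
    @{ Name = 'PasswordHistoryCount';        Test = { $_ -ge 24 };    Want = '>= 24' }
    @{ Name = 'ComplexityEnabled';           Test = { $_ -eq $true };  Want = 'True' }
    @{ Name = 'ReversibleEncryptionEnabled'; Test = { $_ -eq $false }; Want = 'False' }
    # 0 means accounts never lock out, which is the failure case here
    @{ Name = 'LockoutThreshold';            Test = { $_ -ge 1 -and $_ -le 10 }; Want = '1..10' }
    # MaxPasswordAge is a TimeSpan; zero means passwords never expire
    @{ Name = 'MaxPasswordAge';              Test = { $_.TotalDays -gt 0 -and $_.TotalDays -le 365 }; Want = '1..365 days' }
)

"Account policy for $((Get-ADDomain).DNSRoot):"
foreach ($c in $checks) {
    $actual = $policy.($c.Name)
    $ok     = $actual | ForEach-Object $c.Test     # runs the test with $_ = $actual
    '  {0,-6} {1,-28} actual={2} want={3}' -f $(if ($ok) { 'OK' } else { 'FAIL' }), $c.Name, $actual, $c.Want
}

# ---- 2. Default Domain Controllers Policy: who holds sensitive user rights ----
# Get-GPOReport returns the GPO as XML; matching on local-name() sidesteps the
# report's namespace prefixes.
[xml]$report = Get-GPOReport -Name 'Default Domain Controllers Policy' -ReportType Xml

$rights = @{
    SeInteractiveLogonRight = 'Allow log on locally'
    SeSystemtimePrivilege   = 'Change the system time'
    SeBackupPrivilege       = 'Back up files and directories'
    SeNetworkLogonRight     = 'Access this computer from the network'
}
# Everyone / Authenticated Users are expected on SeNetworkLogonRight for a DC
# (clients must be able to reach it), but not on the rights listed here.
$noBroadPrincipals = 'SeInteractiveLogonRight', 'SeBackupPrivilege', 'SeSystemtimePrivilege'

"`nUser rights in 'Default Domain Controllers Policy':"
foreach ($ura in $report.SelectNodes("//*[local-name()='UserRightsAssignment']")) {
    $right = $ura.SelectSingleNode("*[local-name()='Name']").InnerText
    if (-not $rights.ContainsKey($right)) { continue }
    $members = @($ura.SelectNodes("*[local-name()='Member']/*[local-name()='Name']") |
                ForEach-Object { $_.InnerText })
    '  {0} ({1})' -f $rights[$right], $right
    $members | ForEach-Object { "      $_" }
    if ($right -in $noBroadPrincipals -and
        ($members -match '^(Everyone|.*\\(Domain |Authenticated )?Users)$')) {
        '      WARNING: broad principal holds this right on every domain controller'
    }
}
```

Run it as an ordinary domain user; nothing here changes the directory. A FAIL on LockoutThreshold or MaxPasswordAge usually means the value was never set rather than set badly, which is exactly the condition the review of the default GPOs is meant to catch.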

Leveraging Group Policy to Establish Security

There is no way to give all of the rich capabilities of Group Policy the respect they deserve within such a short article. However, I will stress that every network running Active Directory should have more than just the two default GPOs. The reason is that Group Policy provides an automated, centralized method for configuring and deploying security settings to all computers and users within the domain, and the security settings extension periodically reapplies them even when the GPO has not changed, so a local change by a user or attacker does not persist. Some common security-related settings and areas of configuration include:

  • Restricting which applications can be run on each computer (Software Restriction Policies)
  • Using IPsec policies to authenticate and encrypt traffic between computers
  • Restricting anonymous connections to computers
  • Configuring which authentication protocols (LM, NTLM, NTLMv2) will be accepted
  • User rights assignments per computer
  • Audit policy settings per computer
  • Controlling local group membership (Restricted Groups)
  • Configuring access control lists (ACLs) for files, folders and registry keys
  • Disabling or renaming the Guest and Administrator accounts
  • The full gamut of settings for Internet Explorer
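To make two of the items above concrete, here is an added PowerShell example (not from the article) that creates a hardening GPO controlling which authentication protocols are accepted and restricting anonymous connections, then links it to an OU. The GPO name, OU path and chosen values are assumptions for illustration. It delivers the settings as registry policy with Set-GPRegistryValue, so in GPMC they appear under Extra Registry Settings rather than under Security Options, although the values that land on the client are the same ones those Security Options set.

```powershell
# Added example (not from the article). Requires the GroupPolicy RSAT module and
# permission to create GPOs and link them to the target OU.
Import-Module GroupPolicy

# GPO name and target OU are assumptions for this example.
$gpoName  = 'Security - Member Server Baseline'
$targetOU = 'OU=Servers,DC=example,DC=com'
$lsa      = 'HKLM\SYSTEM\CurrentControlSet\Control\Lsa'

# Create the GPO once; re-running the script only updates its settings.
$gpo = Get-GPO -Name $gpoName -ErrorAction SilentlyContinue
if (-not $gpo) {
    $gpo = New-GPO -Name $gpoName -Comment 'Baseline hardening; managed by script'
}

# Each entry is one value the GPO will deliver. The comments give the Security
# Options setting that writes the same registry value.
$settings = @(
    # "Network security: LAN Manager authentication level" = 5:
    # send NTLMv2 only and refuse LM and NTLM from clients
    @{ Key = $lsa; ValueName = 'LmCompatibilityLevel'; Value = 5 }
    # "Network security: Do not store LAN Manager hash value on next password change"
    @{ Key = $lsa; ValueName = 'NoLMHash';             Value = 1 }
    # "Network access: Do not allow anonymous enumeration of SAM accounts"
    @{ Key = $lsa; ValueName = 'RestrictAnonymousSAM'; Value = 1 }
    # "Network access: Do not allow anonymous enumeration of SAM accounts and shares"
    @{ Key = $lsa; ValueName = 'RestrictAnonymous';    Value = 1 }
)

foreach ($s in $settings) {
    Set-GPRegistryValue -Name $gpoName -Key $s.Key -ValueName $s.ValueName `
                        -Type DWord -Value $s.Value | Out-Null
}

# Link the GPO to the OU, enforced so a child OU cannot block inheritance.
$linked = (Get-GPInheritance -Target $targetOU).GpoLinks |
          Where-Object { $_.DisplayName -eq $gpoName }
if ($linked) {
    Set-GPLink -Name $gpoName -Target $targetOU -LinkEnabled Yes -Enforced Yes | Out-Null
} else {
    New-GPLink -Name $gpoName -Target $targetOU -LinkEnabled Yes -Enforced Yes | Out-Null
}

# Read back what the GPO now carries so the change can be verified and logged.
Get-GPRegistryValue -Name $gpoName -Key $lsa |
    Select-Object ValueName, Type, Value |
    Format-Table -AutoSize
```

Two caveats a practitioner should keep in mind. Values written outside the Policies registry keys "tattoo" the client: they stay in place if the GPO is later unlinked, so removing the policy does not undo the setting. And LmCompatibilityLevel 5 refuses LM and NTLM from every client that reaches these servers, so inventory legacy devices before linking the GPO to a production OU; after a `gpupdate /force` on a member, `Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'` shows whether the values arrived.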

This partial list of possibilities is already impressive, and several companies have extended Group Policy further. Companies such as DesktopStandard, Quest and Full Armor provide additional policies, settings and control through their Group Policy extensions and solutions.

Summary

Every Active Directory enterprise uses Group Policy to secure user environments and computers, whether its administrators realize it or not. Companies need to leverage the power that Group Policy provides for standardizing desktops and securing the network. There is almost nothing in a Windows Active Directory network that Group Policy can't help secure.


Derek Melber, MCSE, MVP, and CISM, is the director of compliance solutions for DesktopStandard Corp. He has written the only books on auditing Windows security available at The Institute of Internal Auditors' bookstore and also wrote the Group Policy Guide for Microsoft Press -- the only book Microsoft has written on Group Policy. You can contact Melber at derekm@desktopstandard.com.
