You should always run Group Policy on your Active Directory-based systems. If you don't, plenty of attacks are just waiting to happen inside your network, as you can see from the following column.
Let's play pretend.
Pretend you've got a malicious insider on your network with a bone to pick. We'll call him Eddie. Perhaps Eddie is a consultant or even a salesperson. He might even come in during off hours to work his "security" shift. Regardless of what he does, he knows it is pretty simple to connect to someone's network and do just about anything he wants. Why? Default Windows settings, that's why.
Eddie doesn't know about the wonders of Group Policy Objects (GPOs) in Windows 2000 and later. However, thanks to his malicious mindset and quest for information, he knows that most Windows systems aren't hardened against common threats and realizes there are plenty of goodies in the form of 1s and 0s on your network for the taking.
Now this Eddie doesn't need a wireless LAN connection to get into your network. He can plug right into one of the dozens of live network drops throughout the building -- in empty cubicles and meeting rooms. As a fallback plan, Eddie knows he will likely succeed in attaching to an unsecured Wi-Fi access point just as easily if he needs to. He also knows that having physical access to your systems is invaluable.
Based on my experience, Eddie will do several things on your Windows systems -- most likely on 2000,
How can you stop folks like Eddie? Group Policy is a good start. Policies are easy to implement at the local computer, domain and domain controller levels. They can help keep out attackers consistently across all your Windows 2000 and above systems -- and certainly make your job (and life) much easier.
Nearly every network I test has at least a few Windows systems that either do not have Group Policy running or do not have it running properly. Although managing Group Policy can be cumbersome at times, there's no good reason not to implement it on standalone and Active Directory-based systems. Get to know the Group Policy Editor (gpedit.msc) and associated tools such as the Group Policy Management Console (GPMC). You'll be amazed at what you can do to lock down your Windows systems.
Check out Roberta Bragg's checklists on hardening Windows systems for all the details you need. Just be careful when making changes -- especially at the domain or domain controller level. You can easily lock yourself out or otherwise break the systems if you don't fully understand what you're changing.
All pretending aside, the truth of the matter is, unless and until we take advantage of Windows Group Policy, Eddie and others like him will continue their dastardly ways against our Windows systems -- a war that's silly for us to lose.
Kevin Beaver is an information security consultant, keynote speaker and expert witness with Atlanta-based Principle Logic LLC. Kevin specializes in performing independent security assessments. Kevin has authored/co-authored seven books on information security, including Hacking For Dummies and Hacking Wireless Networks For Dummies (Wiley). He's also the creator of the Security on Wheels information security audio books and blog providing security learning for IT professionals on the go. He can be reached at firstname.lastname@example.org.
This was first published in May 2005