This is the final article in a four-part series on securing your Active Directory by expert Derek Melber.
I can't leave this series of articles on Active Directory security without touching on the de facto method for managing security for all users and computers in the Active Directory domain: Group Policy. With almost 1,800 policy settings in a single Group Policy Object (GPO), it is no wonder that GPOs provide so much power, control, security, and management over an Active Directory enterprise. Every time I get in front of a group of people and talk about Group Policy, I say: "It is impossible to talk about Active Directory security without talking about Group Policy!"
Default Group Policy in Active Directory
I am often told by seasoned Active Directory administrators that they don't use Group Policy. That statement is sort of like saying you don't eat chicken as you take a bite out of that KFC extra-crispy drumstick. There are actually two default GPOs in every Active Directory domain. These default GPOs are there for very distinct reasons and should be investigated to ensure they are configured properly to provide the best security for your company network.
The first default GPO is the Default Domain Policy. This GPO is responsible for establishing and maintaining the account policies for the domain user accounts. As we said in Part II of this article series, the account policies are essential for helping secure the domain user account passwords.
The second default GPO is the Default Domain Controller Policy. This GPO is responsible for establishing the baseline security for all domain controllers in the domain. The primary security settings that are established in the GPO are the user rights. Common user rights include:
Allowing a user to log on using the keyboard attached to the computer (locally)
Changing the system time
Backing up files and folders
Accessing the computer and its resources over a network
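As an added example (not part of the original article), the following Python sketch shows one way to review those four user rights in the security template a GPO stores as GptTmpl.inf under SYSVOL (MACHINE\Microsoft\Windows NT\SecEdit in the GPO's folder; the real file is UTF-16 encoded). The sample template is constructed, and the rule for what counts as an overly broad holder is an assumption made for illustration.

```python
RIGHTS = {  # user-right constant -> right as named in the article
    "SeInteractiveLogonRight": "Log on locally",
    "SeSystemtimePrivilege": "Change the system time",
    "SeBackupPrivilege": "Back up files and folders",
    "SeNetworkLogonRight": "Access the computer over the network",
}
SIDS = {  # well-known SIDs -> names
    "S-1-1-0": "Everyone", "S-1-5-7": "Anonymous Logon",
    "S-1-5-11": "Authenticated Users", "S-1-5-32-544": "Administrators",
    "S-1-5-32-545": "Users", "S-1-5-32-546": "Guests",
    "S-1-5-32-549": "Server Operators", "S-1-5-32-551": "Backup Operators",
}
# Assumed review policy (illustrative): broad groups should not hold these rights,
# except that Everyone and Authenticated Users are expected on network logon.
BROAD = {"Everyone", "Anonymous Logon", "Authenticated Users", "Users", "Guests"}
NETWORK_OK = {"Everyone", "Authenticated Users"}

def parse_privilege_rights(inf_text):
    """Return {right: [holder, ...]} from the [Privilege Rights] section."""
    rights, section = {}, None
    for line in (raw.strip() for raw in inf_text.splitlines()):
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].lower()
        elif section == "privilege rights" and "=" in line and not line.startswith(";"):
            name, _, value = line.partition("=")
            holders = [h.strip().lstrip("*") for h in value.split(",") if h.strip()]
            rights[name.strip()] = [SIDS.get(h, h) for h in holders]
    return rights

def audit(inf_text):
    """Return sorted (right, holder) pairs where a broad group holds a listed right."""
    parsed, findings = parse_privilege_rights(inf_text), []
    for right in RIGHTS:
        allowed = NETWORK_OK if right == "SeNetworkLogonRight" else set()
        findings += [(right, h) for h in parsed.get(right, []) if h in BROAD - allowed]
    return sorted(findings)

# Constructed sample, not taken from a real domain.
SAMPLE = """[Unicode]
Unicode=yes
[Privilege Rights]
SeInteractiveLogonRight = *S-1-5-32-544,*S-1-5-32-551,*S-1-5-11
SeSystemtimePrivilege = *S-1-5-32-544,*S-1-5-32-549
SeBackupPrivilege = *S-1-5-32-544,*S-1-5-32-551,*S-1-5-32-545
SeNetworkLogonRight = *S-1-1-0,*S-1-5-32-544,*S-1-5-11,*S-1-5-32-546
"""
if __name__ == "__main__":
    for right, holder in audit(SAMPLE):
        print(f"{RIGHTS[right]}: held by {holder}")
```

Holders that are not in the small SID table are reported by their raw SID, so domain-specific groups still show up in the parsed output for manual review.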
Leveraging Group Policy to Establish Security
There is no way to give all of the rich capabilities of Group Policy the respect they deserve within such a short article. However, I will stress that every network running Active Directory should have more than just the two default GPOs. The reason is that Group Policy provides an automated, centralized method for configuring and deploying security settings to all computers and users within the domain. Some common security-related settings and areas of configuration include:
Restricting which applications can be run on each computer
Using IP Security to encrypt data between computers
Restricting anonymous connections to computers
Configuring which authentication protocols will be supported
User rights per computer
Audit policy settings per computer
Controlling group membership
Configuring access control lists (ACLs) for files, folders, and Registry keys
Disabling Guest and Administrator accounts
The full gamut of settings for Internet Explorer
This is only a partial list of the possibilities, and it is already quite impressive. Beyond that, many companies have extended Group Policy. Companies like DesktopStandard, Quest, and Full Armor provide additional policies, settings, and control through their Group Policy extensions and solutions.
Every Active Directory enterprise uses Group Policy to secure user environments and computers. Companies need to leverage the power that Group Policy provides with regard to standardizing desktops and securing the network. There is almost nothing that a Group Policy can't help secure with regard to your Windows Active Directory network.
Derek Melber, MCSE, MVP, and CISM, is the director of compliance solutions for DesktopStandard Corp. He has written the only books on auditing Windows security available at The Institute of Internal Auditors' bookstore and also wrote the Group Policy Guide for Microsoft Press -- the only book Microsoft has written on Group Policy. You can contact Melber at firstname.lastname@example.org.