Community Pick: Many members of our community have endorsed this article.
Editor's Choice: This article has been selected by our editors as an exceptional contribution.

GPO and Windows Security

Justin OwensITIL Problem Manager
We don't support machines, but rather, the people who rely upon them...
At least once a month I see a Question in one of the Windows Server related Zones asking about Best Practices for GPO Security.  I have been in IT for 20 years, and a Sys Ad for over 15.  I know this will sound cliché, but this is mostly a preference question.  I mean, technically, if you want to be secure, you should lock the machine the point it would only be good for a boat anchor.  I am sure that some DoD security specialist would still think it needs to be coated in concrete after all the cables into it are severed.  

I currently work in a division of the DoD.  I will tell you that we are HIGHLY secure on our standards.  No users have administrative rights on their machines.  Technicians who need admin rights have separate accounts which are audited frequently.   In the past I have worked in the Health Care industry as well as the Financial industry.  Each has specific needs.  So, how do you come up with a Best Practice?

First, decide: What are your business' legal needs?

There are many industries that have specific laws applied to them.  The Healthcare industry has to deal with HIPAA.  Publicly traded companies have to deal with SOX.  Government entities have to deal with DISA.  If you do not work in a field with sensitive, regulated data (financial, health, government, etc), you have more leverage, but as a System Administrator you need to make it your business to know your business.  That means you need to know the applicable laws which regulate it.
Next, consider: What are your business' policy needs?
Some fields are highly competitive, and you may want to limit what data can and cannot be accessd to maintain a competitive lead of some sort or protect industry sensitive data.  You will have to mitigate how you protect that data without hampering usability too much.  The "Security Triangle" is not a new thought, nor is it my own creation, but it is very applicable here.  Think of security like an equilateral triangle.  Each of the three points represents Functionality (think "What it does" and "How it is managed"), Ease of Use, Security.  Image your policy as a dot inside that triangle.  The closer you get to one extreme, the further you get from the other two.  Sometimes this is justifiable, but more often than not, you will want to stay centered inside that triangle.

Security Triangle
Third, look up: What does your upper management expect?
Whether it is good or bad for you as a technician or IT department, your policy must have the buy off and support of upper management.  If you do not, you will find yourself making constant exceptions to the policies in place at best or having your policies revoked at worst.  In either case it causes you to have mud on your face, generates ill will, and causes unneeded extra work for you.

Fourth, analyze: What levels of resources do you have at your disposal?
Are you a stand alone IT shop, or do you have a staff of 1000?  You will need to find a balance that only you can determine.  That balance needs to be somewhere between "It's very easy for IT to manage and maintain" at the expense of usability and "It's very easy to use" at the expense of security and management.  Consider the Security Triangle when making those decisions.  Remember that every policy you put in place will have some level of initial administration and probably ongoing administration as well.  Even policies put in place to make the life of an Administrator simpler can have unexpected consequences.

Finally, evaluate: Do your policies meet the goals of the business and department?
Don't restrict things just because you can.  Remember that IT is generally a non-revenue generating department in a company, so it is important to generate good will when and where you can.  You are trying to "sell" yourselves as valuable and friendly.  Don't be Nick Burns.  If other department heads don't feel you care about and understand their needs, why would they want to care about and understand yours?  A general rule of thumb is this: if you cannot link a business need to a restriction, then don't restrict it.  Don't fight battles that are not significant.  The less you balk at complaints and try to accommodate your users, the more likely you are to have their support when you really need it.  Don't lose sight of the fact that you exist to serve others.  You would not have a department at all if your company didn't have some other product or service they are selling.  Make sure that you do what you can to help them meet those goals and objectives.

I have seen some very locked down environments.  In my opinion, if your users don't have administrative rights on the computer, why restrict the control panel or the command prompt through GPO?  Why on earth would you even care what their desktop background is regardless of administrative levels?  What does your department gain from restricting or enforcing it compared to the level of calls generated because it is enforced?  Will "deregulating" it generate more goodwill than it would cause extra work?  If so, then that would be a quick and easy way to garner support so that when you have to make tougher decisions, they know you are "on their team".

Final Thoughts....

Whatever you decide, be sure you have reason grounded in business need and not just whim.  If you are doing your best to know your business, to know your industry, and to know your user base, you will probably be making decisions which make sense to them most of the time.  On those occasions your policies are not understood for technical reasons, it is more likely to be supported when you are a part of their success.

Justin OwensITIL Problem Manager
We don't support machines, but rather, the people who rely upon them...

Comments (2)

AwinishSenior Solution Architect

Very good article..I like the way of explanation..coz there is no best practices for GPO, it depends how we use it for maximum effect with minimum GPO...Thumbs up for the article.
Justin OwensITIL Problem Manager


Thank you, Awinish.  Your kind words are appreciated.

Have a question about something in this article? You can receive help directly from the article author. Sign up for a free trial to get started.