Solved

Group policy best practice.

Posted on 2007-07-26
Last Modified: 2011-07-11
Hello,

I was wondering if anyone could give me a "best practice" of what group policies should be implemented to lock down the end users as much as possible without affecting their ability to do work. I was also wondering if there was a way to see what group policies I have cumulatively already in place. I don't want to go too overboard but would like to know what should be implemented.

Thanks!!
Question by:zingab

Author Comment

by:zingab
ID: 19574497
I briefly looked through the articles. I am looking for more specifics, like which policies should be enabled so as to secure my network better, rather than just theory.

Thanks!!
 

Author Comment

by:zingab
ID: 19576361
Specifics on what group policies should be enabled or disabled would be great, thanks.
 

Author Comment

by:zingab
ID: 19576367
Also, what tool, if any, can I use to analyze what group policies are already enabled, or do I have to go through each?

Please answer above question also. Thanks
 

Expert Comment

by:TheMetrix
ID: 19576601
http://www.microsoft.com/windowsserver2003/techinfo/overview/lockdown.mspx

The link above talks about locking down a 2003 Terminal Server but you can take what you think you will need.

http://articles.techrepublic.com.com/5100-1009-6081763.html
http://www.edgeblog.net/2007/lockdown-windows-2003-xp-with-simple-scripts/


A lot of the policies that you will set are mainly personal preference. Do what most of us do: go through GP setting by setting and enable/disable what you will or will not need your users to do.
 

Author Comment

by:zingab
ID: 19577321
Specifics on what group policies should be enabled or disabled would be great, thanks.
Also, what tool, if any, can I use to analyze what group policies are already enabled, or do I have to go through each?

Please answer above question also. Thanks
 

Expert Comment

by:TheMetrix
ID: 19577576
The Group Policy Management Console is the tool to use. The download link is in my first post.

Follow the instructions for the Terminal Server settings. Most of them you won't use because they will lock your server down too far.
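The cumulative view the asker keeps returning to (which GPOs are linked, which actually apply, and what each one sets) is what GPMC's Group Policy Results wizard shows through the GUI. The script below is an added example, not part of this thread and not from Microsoft's lockdown guide, that produces the same view from the command line. It assumes a domain-joined Windows 7 / Server 2008 R2 or later host with the GroupPolicy PowerShell module from RSAT; the output directory name is an arbitrary choice. On the XP/2003 machines this thread is about, gpresult.exe exists but without /h, so use "gpresult /v" there for the per-machine view.

```powershell
# Added example (not from the original thread). Assumptions: domain-joined
# Windows 7 / Server 2008 R2 or later, GroupPolicy module installed (RSAT),
# run as a user allowed to read GPOs. $OutDir is an arbitrary choice.
param(
    [string]$OutDir = (Join-Path $env:TEMP 'gp-audit')
)

New-Item -ItemType Directory -Path $OutDir -Force | Out-Null

# 1. Resultant Set of Policy for this computer and the logged-on user: the
#    cumulative effect of every linked GPO after inheritance, enforcement,
#    security filtering and WMI filtering. This is "what is already in place"
#    for one endpoint.
$rsop = Join-Path $OutDir 'rsop.html'
gpresult.exe /h $rsop /f | Out-Null
Write-Host "Resultant Set of Policy written to $rsop"

Import-Module GroupPolicy

# 2. Inventory of every GPO in the domain, with which halves are enabled and
#    any WMI filter. 'AllSettingsDisabled', or a disabled half, means the GPO
#    can be linked and still do nothing.
$allGpos = Get-GPO -All | Sort-Object DisplayName
$allGpos |
    Select-Object DisplayName, GpoStatus, ModificationTime,
        @{ Name = 'WmiFilter'; Expression = { $_.WmiFilter.Name } } |
    Format-Table -AutoSize | Out-Host

# 3. Which of those GPOs are linked anywhere at all. The XML report carries
#    one <LinksTo> element per link; a GPO with none is orphaned and can be
#    set aside when reasoning about the effective lockdown.
$unlinked = foreach ($gpo in $allGpos) {
    [xml]$xml = Get-GPOReport -Guid $gpo.Id -ReportType Xml
    if (-not $xml.GPO.LinksTo) { $gpo.DisplayName }
}
Write-Host "GPOs with no links: $($unlinked -join ', ')"

# 4. One HTML report per GPO, in the same layout as the settings dump in the
#    accepted answer, so each can be reviewed setting by setting.
foreach ($gpo in $allGpos) {
    $safeName = $gpo.DisplayName -replace '[\\/:*?"<>|]', '_'
    Get-GPOReport -Guid $gpo.Id -ReportType Html -Path (Join-Path $OutDir "$safeName.html")
}
Write-Host "Per-GPO reports in $OutDir"
```

Step 1 is the one that answers "what do I have cumulatively": it is evaluated on the client, so it reflects the real processing order (local, site, domain, OU) and any Enforced, Block Inheritance or filtering that a list of GPOs alone will not show. Run it on a representative workstation as a representative user, not on the domain controller.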
 

Author Comment

by:zingab
ID: 19577818
Specifics on what group policies should be enabled or disabled would be great, thanks.
Also, what tool, if any, can I use to analyze what group policies are already enabled, or do I have to go through each?

Please answer above question also. Thanks
 

Expert Comment

by:TheMetrix
ID: 19577973
Let me clarify a little bit for you. My situation is most likely different than yours, so your settings and mine will be different.

You can follow the Lock Down Terminal Services Guide for setting your Group Policies.

I cannot tell you what you need to set because I do not know. I can only guide you in the direction you are looking for. You say you want to lock your users down; how far do you want to lock them down, so far they can't pass gas without the network admin's permission? See my point now?

I gave you what you asked for: "best practices". Now all you have to do is choose from the "Best Practices" what will work best for you.
 

Accepted Solution

by: TheMetrix (earned 2000 total points)
ID: 19578001
Below are the settings I use for our Manufacturing Production Floor. I have them locked down almost to the point that they have to ask permission to use the Rest Room.

Computer Configuration (Enabled)
No settings defined.

User Configuration (Enabled)

Windows Settings
Security Settings
Public Key Policies/Autoenrollment Settings
Enroll certificates automatically: Enabled
Renew expired certificates, update pending certificates, and remove revoked certificates: Enabled
Update certificates that use certificate templates: Disabled

Software Restriction Policies
Enforcement
Apply software restriction policies to: All software files except libraries (such as DLLs)
Apply software restriction policies to the following users: All users

Designated File Types (extension: file type)
ADE: Microsoft Office Access Project Extension
ADP: Microsoft Office Access Project
BAS: BAS File
BAT: MS-DOS Batch File
CHM: Compiled HTML Help file
CMD: Windows NT Command Script
COM: MS-DOS Application
CPL: Control Panel extension
CRT: Security Certificate
EXE: Application
HLP: Help File
HTA: HTML Application
INF: Setup Information
INS: Internet Communication Settings
ISP: Internet Communication Settings
LNK: Shortcut
MDB: Microsoft Office Access Application
MDE: Microsoft Office Access MDE Database
MSC: Microsoft Common Console Document
MSI: Windows Installer Package
MSP: Windows Installer Patch
MST: MST File
OCX: ActiveX Control
PCD: PCD File
PIF: Shortcut to MS-DOS Program
REG: Registration Entries
SCR: Screen Saver
SHS: Scrap object
URL: Internet Shortcut
VB: Visual Basic Source file
WSC: Windows Script Component

Trusted Publishers
Allow the following users to select trusted publishers: End users
Before trusting a publisher, check the following to determine if the certificate is revoked: None

Software Restriction Policies/Security Levels
Default Security Level: Unrestricted

Software Restriction Policies/Additional Rules
Path Rules (security level: path, date last modified; no rule has a description)
Unrestricted: %HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SystemRoot% (11/2/2006 4:08:55 PM)
Unrestricted: %HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SystemRoot%*.exe (11/2/2006 4:08:55 PM)
Unrestricted: %HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SystemRoot%System32\*.exe (11/2/2006 4:08:55 PM)
Unrestricted: %HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ProgramFilesDir% (11/2/2006 4:08:55 PM)
Disallowed: %SystemRoot%\System32\freecell.exe (11/2/2006 4:09:21 PM)
Disallowed: %SystemRoot%\System32\mshearts.exe (11/2/2006 4:09:32 PM)
Disallowed: %SystemRoot%\System32\sol.exe (11/2/2006 4:09:41 PM)
Disallowed: %SystemRoot%\System32\spider.exe (11/2/2006 4:09:51 PM)
Disallowed: %SystemRoot%\System32\winmine.exe (11/2/2006 4:11:34 PM)
Disallowed: C:\Program Files\MSN Gaming Zone\Windows\bckgzm.exe (11/2/2006 4:11:49 PM)
Disallowed: C:\Program Files\MSN Gaming Zone\Windows\chkrzm.exe (11/2/2006 4:11:58 PM)
Disallowed: C:\Program Files\MSN Gaming Zone\Windows\hrtzzm.exe (11/2/2006 4:12:08 PM)
Disallowed: C:\Program Files\MSN Gaming Zone\Windows\Rvsezm.exe (11/2/2006 4:12:18 PM)
Disallowed: C:\Program Files\MSN Gaming Zone\Windows\shvlzm.exe (11/2/2006 4:12:29 PM)
Disallowed: C:\Program Files\Windows NT\Pinball\PINBALL.EXE (11/2/2006 4:09:08 PM)
 

Administrative Templates

Control Panel
Force classic Control Panel Style: Enabled
Prohibit access to the Control Panel: Enabled

Control Panel/Display
Hide Appearance and Themes tab: Enabled
Hide Desktop tab: Enabled
Password protect the screen saver: Disabled
Prevent changing wallpaper: Enabled
Screen Saver: Disabled
Screen Saver timeout: Disabled

Control Panel/Display/Desktop Themes
Load a specific visual style file or force Windows Classic: Enabled
  Path to Visual Style:
  (To select Luna, type %windir%\resources\Themes\Luna\Luna.msstyles. To select a different visual style, type a path such as \\<server>\share\Corp.msstyles. To select Windows Classic, leave the box blank and enable this setting.)
Prohibit Theme color selection: Enabled
Remove Theme option: Enabled

Control Panel/Printers
Browse the network to find printers: Enabled

Desktop
Hide My Network Places icon on desktop: Enabled
Prohibit user from changing My Documents path: Enabled
Remove Properties from the My Documents context menu: Enabled
Remove Properties from the Recycle Bin context menu: Enabled
Remove the Desktop Cleanup Wizard: Enabled

Desktop/Active Desktop
Active Desktop Wallpaper: Enabled
  Wallpaper Name: \\cfi-fs\install\Group Policy\Wallpapers\CFI-BackGround.jpg
  (Example using a local path: C:\windows\web\wallpaper\home.jpg. Example using a UNC path: \\Server\Share\Corp.jpg.)
  Wallpaper Style: Center
Add/Delete items: Disabled
Disable Active Desktop: Disabled
Disable all items: Disabled
Enable Active Desktop: Enabled (allows HTML and JPEG wallpaper)
Prohibit adding items: Enabled
Prohibit editing items: Enabled

Network/Network Connections
Ability to Enable/Disable a LAN connection: Disabled
Ability to rename LAN connections: Disabled
Ability to rename LAN connections or remote access connections available to all users: Disabled
Prohibit access to properties of a LAN connection: Enabled
Prohibit access to properties of components of a LAN connection: Enabled
Prohibit access to the New Connection Wizard: Enabled
Prohibit Enabling/Disabling components of a LAN connection: Enabled
Prohibit TCP/IP advanced configuration: Enabled
Prohibit viewing of status for an active connection: Enabled

Network/Offline Files
Prohibit user configuration of Offline Files: Enabled (prevents users from changing any cache configuration settings)

Shared Folders
Allow shared folders to be published: Enabled

Start Menu and Taskbar
Add Logoff to the Start Menu: Enabled
Force classic Start Menu: Enabled
Prevent grouping of taskbar items: Enabled
Remove Balloon Tips on Start Menu items: Enabled
Remove My Music icon from Start Menu: Enabled
Remove My Network Places icon from Start Menu: Enabled
Remove My Pictures icon from Start Menu: Enabled
Remove Set Program Access and Defaults from Start menu: Enabled
Turn off notification area cleanup: Enabled
Turn off personalized menus: Enabled

System
Don't display the Getting Started welcome screen at logon: Enabled
Prevent access to registry editing tools: Enabled
  Disable regedit from running silently? Yes
Windows Automatic Updates: Enabled

System/Ctrl+Alt+Del Options
Remove Change Password: Enabled

System/Group Policy
Group Policy refresh interval for users: Enabled
  Minutes: 5 (how often Group Policy is applied to users; the range is 0 to 64800 minutes, 45 days)
  Random time added: 2 minutes (added to the refresh interval to prevent all clients from requesting Group Policy at the same time; the range is 0 to 1440 minutes, 24 hours)

Windows Components/Microsoft Management Console
Restrict the user from entering author mode: Enabled

Windows Components/Windows Explorer
Remove CD Burning features: Enabled
Removes the Folder Options menu item from the Tools menu: Enabled
Turn on Classic Shell: Enabled

Windows Components/Windows Update
Remove access to use all Windows Update features: Enabled
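The Software Restriction Policy in the accepted answer is worth reading closely before copying it, because its shape is the opposite of a lockdown: the Default Security Level is Unrestricted and the only Disallowed rules are per-executable path rules for the bundled games. That is a deny-list, so anything not named runs, and a path rule on %SystemRoot%\System32\sol.exe stops applying the moment the file is copied to the desktop. The script below is an added example, not part of the thread, that reads the SRP a GPO has written to the registry and reports whether it is an allow-list or a deny-list. It assumes the standard SRP registry layout under ...\Policies\Microsoft\Windows\Safer\CodeIdentifiers (DefaultLevel, TransparentEnabled, PolicyScope, ExecutableTypes, and one <level>\Paths\{guid} key per path rule); the SRP above sits in User Configuration, so it lands in HKCU, while a computer-side SRP lands in HKLM. The list of user-writable locations it flags is my own heuristic, not a Microsoft list.

```powershell
# Added example (not part of the original thread). Reads the Software
# Restriction Policy that Group Policy wrote to the registry and says whether
# it is an allow-list or, like the accepted answer's GPO, a deny-list.
# Assumption: standard SRP layout under ...\Safer\CodeIdentifiers. Only path
# rules are enumerated, because that is the only rule type the GPO above uses.

$LevelNames = @{
    0      = 'Disallowed'
    4096   = 'Untrusted'
    65536  = 'Constrained'
    131072 = 'Basic User'
    262144 = 'Unrestricted'
}

function Get-SrpPolicy {
    param([Parameter(Mandatory)][ValidateSet('HKLM', 'HKCU')][string]$Hive)

    $base = "${Hive}:\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers"
    if (-not (Test-Path $base)) { return $null }
    $root = Get-ItemProperty -Path $base

    # Each security level has its own subkey; path rules live under <level>\Paths\{guid}.
    $rules = foreach ($level in $LevelNames.Keys) {
        $pathKey = Join-Path $base "$level\Paths"
        if (Test-Path $pathKey) {
            foreach ($rule in Get-ChildItem -Path $pathKey) {
                $item = Get-ItemProperty -Path $rule.PSPath
                [pscustomobject]@{
                    Level = $LevelNames[$level]
                    Type  = 'Path'
                    Rule  = $item.ItemData
                }
            }
        }
    }

    $defaultLevel = if ($null -eq $root.DefaultLevel) { 'Unrestricted (not set)' }
                    else { $LevelNames[[int]$root.DefaultLevel] }

    [pscustomobject]@{
        Hive         = $Hive
        DefaultLevel = $defaultLevel
        # TransparentEnabled 2 = all software files, 1 = all except libraries (DLLs)
        Enforcement  = if ($root.TransparentEnabled -eq 2) { 'All software files' }
                       else { 'All software files except libraries (such as DLLs)' }
        # PolicyScope 1 = all users except local administrators, 0 = all users
        Scope        = if ($root.PolicyScope -eq 1) { 'All users except local administrators' }
                       else { 'All users' }
        FileTypes    = @($root.ExecutableTypes)
        Rules        = @($rules)
    }
}

function Test-SrpPolicy {
    param([Parameter(Mandatory)]$Policy)
    $findings = @()

    if ($Policy.DefaultLevel -notmatch '^Disallowed') {
        $findings += "Default level is '$($Policy.DefaultLevel)': this is a deny-list. Anything not matched by a Disallowed rule runs, and a Disallowed path rule is defeated by copying or renaming the binary."
    }
    if ($Policy.Enforcement -ne 'All software files') {
        $findings += 'Libraries are exempt from enforcement: any allowed process can load an arbitrary DLL.'
    }
    if ($Policy.Scope -ne 'All users') {
        $findings += 'Local administrators are exempt from the policy.'
    }
    # Heuristic (mine, not Microsoft's): Unrestricted rules on places a standard
    # user can write to let the user bring in whatever they like.
    $writable = '(?i)^(%USERPROFILE%|%TEMP%|%TMP%|%APPDATA%|%LOCALAPPDATA%|[A-Z]:\\Users\\|[A-Z]:\\Documents and Settings\\|%SystemRoot%\\Temp|%SystemRoot%\\Tasks)'
    foreach ($r in ($Policy.Rules | Where-Object { $_.Level -eq 'Unrestricted' -and $_.Type -eq 'Path' })) {
        if ($r.Rule -match $writable) {
            $findings += "Unrestricted path rule on a location standard users can write to: $($r.Rule)"
        }
    }
    return $findings
}

foreach ($hive in 'HKLM', 'HKCU') {
    $policy = Get-SrpPolicy -Hive $hive
    if ($null -eq $policy) { Write-Host "${hive}: no Software Restriction Policy present"; continue }
    Write-Host "`n== $hive =="
    Write-Host "Default level : $($policy.DefaultLevel)"
    Write-Host "Enforcement   : $($policy.Enforcement)"
    Write-Host "Scope         : $($policy.Scope)"
    $policy.Rules | Sort-Object Level, Rule | Format-Table Level, Type, Rule -AutoSize | Out-Host
    Test-SrpPolicy -Policy $policy | ForEach-Object { Write-Warning $_ }
}
```

Run against a machine that has received the accepted answer's GPO, the HKCU section reports Default level Unrestricted and enforcement "except libraries", and both produce a warning. Turning the same policy into an allow-list is a small change in GPMC: set the Default Security Level to Disallowed and keep the four Unrestricted rules for %SystemRoot% and %ProgramFilesDir%, which standard users cannot write to as a whole. The per-game Disallowed rules keep working under that default because, among SRP path rules, the more specific path wins. Two caveats: the registry-form rules (%HKEY_LOCAL_MACHINE\...\SystemRoot%) are expanded by SRP at evaluation time, so the writable-location regex above only inspects literal paths, and %SystemRoot% contains subfolders such as Temp and Tasks that users can write to, so an Unrestricted rule on the whole of it still needs matching Disallowed rules on those. On Windows 7 Enterprise / Server 2008 R2 and later the same job is done by AppLocker, whose rule model is allow-list by default.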
