• Status: Solved

What all GPO can I apply to secure my Windows Server 2008 network?

Kindly advise what all Group Policies I can apply to my Windows Server 2008 network by which I can get the users a restricted network.
I want each user to do the essential work only; they cannot even do any other things which they should not do.
Kindly advise for the same.
1 Solution
GPO does not secure "networks".  It is not a networking tool.

GPO "forces" settings (mostly registry) on local individual machines from a single central location.  The settings may or may not even be "security" related.  GPO is also the fastest and easiest way to totally wreck both the Domain and individual machines if you go "GPO happy" and flip settings all over the place under the banner of "security".

Security is a whole system of various methods that run from the Physical Layer all the way up to the Application Layer.  You have to target specific threat types that actually exist in your environment (as opposed to imagined ones that don't really exist or have a very low likelihood) and use the correct method appropriate to deal with the threat (which often is not GPOs).   There is a huge amount of security measures taken in the IT industry that are based on superstition and Voodoo that leave systems in a wreck.  I've had to clean up those messes left behind by "consultants",...it ain't pretty.
Advice to your specific question:

1. Never ever ever ever ever ever ever touch the two Default Policies.  They are the Default Domain Policy and the Default Domain Controller Policy.  Always create new policies and put your changes in them.   Create separate Policies for different areas (example: one for Desktop settings,...one for Internet Explorer,....one for Windows Update,...one for Windows Firewall Settings).

2. Start out small and conservative.  Make small changes that have a tangible obvious reason to exist.  Don't make changes without knowing all the "side-effects" that the change will cause.  By creating separate policies for different areas and not touching the Default Policies,  you can "unlink" a particular policy if things go bad and the default settings will return for the most part, but beware there are some types of settings that will not automatically return to default.

3. Bottom line,..work within the realm of what you know what you are doing,...if you don't know what you are doing, then don't do it.   Read, learn,...come back to it when you understand it better.
dxbdxb2009 (Author) commented:
Thanks for your reply.
I understand your meaning....
Kindly send me a link where I can see some of the common most used GPOs applied to the network, like monitors should shut down if they are not used for 15 minutes.
Some good examples you remember or advise.....
Thanks once again for your support.
There is no "common most used" that I ever heard of.

Monitor shutoff timeout is not a security policy,... and you asked about security.

For me,

Browser GPO
I set the browser to not run the "first run". Pretty much nothing else touched.
This is not really a "security policy" either,...more of a management/maintenance policy.

Windows Firewall GPO
Desktops and Server have the Firewall turned off  
Laptops have the Firewall turned off when on the LAN,..turn on when off the LAN

Windows Update - WSUS GPO
Various GPOs that apply the WSUS behavior differently depending on the machine's role in the network.

Terminal Server GPO
Regular users do not have the "Shutdown" option on the Start Menu.  Administrators do have the option.

Power Saver GPO
Allow normal users to change the Power Saver Settings.  I think it is stupid that MS doesn't allow them to do this.  Power settings are unique to each user (not machine global) yet the user has to be a local Admin to change them, which I don't let them be admins,...which means the Power settings are stuck at whatever MS made the defaults to be.

That is about all I use as far as GPOs are concerned.  I don't believe,..and do not treat,... nor consider,... GPO to be my primary security tool.  My primary security tools for within the LAN are the NTFS permissions and proprietary permissions that are directly designed into the Applications that our business uses.  A huge amount of security rests on not allowing the users to be local Administrators on their workstation.

Security between the LAN and the Internet centers around a Firewall product that costs well over $6000.00

Email Security is handled by a SPAM filtering product appliance costing a few thousand dollars.

Anti Virus is handled separately from SPAM by an AV product costing a few thousand dollars.

So GPO,...has a very small role when viewed in the big picture.

This is one of those subjects that if you ask 3 different IT people the question you will get 5 different answers that all disagree with each other.
dxbdxb2009 (Author) commented:
pwindell: Thanks for your valuable suggestion.
Pls explain your words with a good example:
"My primary security tools for within the LAN are the NTFS permissions and proprietary permissions that are directly designed into the Applications that our business uses."
How and where do you implement NTFS permissions if you are given 50-75 users to do so?
Thanks once again,
NTFS permissions aren't associated with users,...they are associated with Files and Folders.  They can be associated with other things like Registry Keys and Active Directory OUs,..but I doubt you will go that far with that.   You grant permissions to Groups primarily,...granting to specific users is a very bad idea and gets unmanageable.  You add users to Groups,...then grant Groups permissions to the files or folders (usually folders) that you are supposed to have access to.

I cannot give you all the details here.  This is normal stuff that someone in your position is already supposed to know to be able to do their jobs.  Don't take that the wrong way,...I'm just trying to be honest and fair with you,...but it is fairly basic concepts and a job requirement.  You have very little chance of not making a mess with something as complex and dangerous as GPO's if you don't understand the simpler things like dealing with NTFS permissions.   If your knowledge is lacking in that area then do not go changing anything anywhere until you have studied the subject well enough to understand what you are doing and how bad the side effects can be if you do it wrong.

Concerning permissions in your main business Applications I cannot help with.  They are all different. It depends on how well the Application was developed and how securely it was designed.  The people that the Application came from are really the only ones that can help you with that.
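
The group-based NTFS model described in the answer above, as an added example that is not part of the original thread: users go into groups, groups get the folder permissions, and an audit flags any ACE granted directly to a user. The domain `CORP`, the `D:\Shares` folders, the `GG-*` group names and the account names are hypothetical, and the ActiveDirectory module (Windows Server 2008 R2 or later, or RSAT) is assumed.

```powershell
# Added example. CORP, D:\Shares\*, GG-* groups and account names are hypothetical.
# Assumes the ActiveDirectory module and that the folders already exist.
Import-Module ActiveDirectory

# One row per grant: which group gets which right on which folder.
$plan = @(
    @{ Path = 'D:\Shares\Accounting'; Group = 'GG-Accounting-Modify'; Rights = 'Modify' },
    @{ Path = 'D:\Shares\Accounting'; Group = 'GG-Accounting-Read';   Rights = 'ReadAndExecute' },
    @{ Path = 'D:\Shares\HR';         Group = 'GG-HR-Modify';         Rights = 'Modify' }
)

foreach ($row in $plan) {
    # Create the group once; the ACL only ever names groups.
    if (-not (Get-ADGroup -Filter "Name -eq '$($row.Group)'")) {
        New-ADGroup -Name $row.Group -GroupScope Global -GroupCategory Security
    }
    $acl  = Get-Acl -Path $row.Path
    $rule = New-Object System.Security.AccessControl.FileSystemAccessRule(
        "CORP\$($row.Group)", $row.Rights,
        'ContainerInherit, ObjectInherit', 'None', 'Allow')
    $acl.AddAccessRule($rule)          # applies to the folder, subfolders and files
    Set-Acl -Path $row.Path -AclObject $acl
}

# When staff join, move or leave, only group membership changes, not the ACLs.
Add-ADGroupMember -Identity 'GG-Accounting-Modify' -Members 'asmith', 'bjones'

# Audit: report explicit ACEs that name a user account instead of a group.
foreach ($path in ($plan | ForEach-Object { $_.Path } | Sort-Object -Unique)) {
    foreach ($ace in (Get-Acl -Path $path).Access) {
        if ($ace.IsInherited) { continue }
        try {
            $sid = $ace.IdentityReference.Translate(
                [System.Security.Principal.SecurityIdentifier])
        } catch { continue }           # identity no longer resolves; skip it
        $obj = Get-ADObject -Filter "objectSid -eq '$($sid.Value)'"
        if ($obj -and $obj.ObjectClass -eq 'user') {
            Write-Warning "$path : direct user ACE for $($ace.IdentityReference)"
        }
    }
}
```

With 50-75 users the plan table stays a handful of rows; the audit loop is what catches one-off user grants that creep in later.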
dxbdxb2009 (Author) commented:
pwindell: Thanks for the great suggestion.

I do agree with you regarding NTFS permissions.

Kindly advise some examples of mostly used GPOs used for users as well as computers.

An early reply will be highly appreciated.

Many thanks,

I already did.  I listed 5 examples above.

Just run the Group Policy Management Tool,...create a new Test Policy and look around in it.  All the settings have an "Explanation Tab" to describe what it does.  Just do not touch or edit the two Default Policies and don't link a Policy to anything until you are sure what it will do.
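
The workflow recommended in this thread (separate policies per area, nothing linked until reviewed, the two default policies left alone), as an added example that is not part of the original thread. It assumes the GroupPolicy PowerShell module that ships with GPMC on Windows Server 2008 R2 and later; the OU path, the folder paths and the `Test - ...` policy names are hypothetical.

```powershell
# Added example. The OU path, C:\GPO-* folders and "Test - ..." names are hypothetical.
# Assumes the GroupPolicy module and that both folders already exist.
Import-Module GroupPolicy

$testOu   = 'OU=GPO-Test,DC=corp,DC=example'
$defaults = 'Default Domain Policy', 'Default Domain Controllers Policy'

# Record and back up the two default policies so an accidental edit is detectable.
$baseline = foreach ($n in $defaults) {
    Get-GPO -Name $n | Select-Object DisplayName, ModificationTime
}
foreach ($n in $defaults) { Backup-GPO -Name $n -Path 'C:\GPO-Backup' | Out-Null }

# One new policy per area, created unlinked so it applies to nothing yet.
$areas = 'Test - Internet Explorer', 'Test - Windows Update', 'Test - Windows Firewall'
foreach ($name in $areas) {
    if (-not (Get-GPO -Name $name -ErrorAction SilentlyContinue)) {
        New-GPO -Name $name -Comment 'Test policy, not linked' | Out-Null
    }
    # After editing the policy in GPMC, export its settings for review.
    Get-GPOReport -Name $name -ReportType Html -Path "C:\GPO-Review\$name.html"
}

# Once reviewed, link one policy to a test OU only, with the link still disabled.
New-GPLink -Name 'Test - Windows Update' -Target $testOu -LinkEnabled No

# Later check: were the default policies modified since the baseline was taken?
foreach ($b in $baseline) {
    $now = (Get-GPO -Name $b.DisplayName).ModificationTime
    if ($now -ne $b.ModificationTime) {
        Write-Warning "$($b.DisplayName) was modified at $now"
    }
}
```

The link is enabled with `Set-GPLink -LinkEnabled Yes` after the report has been read, and setting it back to `No` is the "unlink" rollback mentioned earlier in the thread.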
