What GPOs can I apply to secure my Windows Server 2008 network?

Posted on 2010-01-12
Medium Priority
Last Modified: 2012-05-08
Kindly advise what Group Policies I can apply to my Windows Server 2008 network so that users get a restricted network.
I want each user to do only their essential work; they should not be able to do anything else that they should not do.
Kindly advise on the same.
Question by: dxbdxb2009
LVL 29

Expert Comment

ID: 26315301
GPO does not secure "networks".  It is not a networking tool.

GPO "forces" settings (mostly registry) on local individual machines from a single central location.  The settings may or may not even be "security" related.  GPO is also the fastest and easiest way to totally wreck both the Domain and individual machines if you go "GPO happy" and flip settings all over the place under the banner of "security".

Security is a whole system of various methods that run from the Physical Layer all the way up to the Application Layer.  You have to target specific threat types that actually exist in your environment (as opposed to imagined ones that don't really exist or have a very low likelihood) and use the correct method appropriate to deal with the threat (which often is not GPOs).   There is a huge amount of security measures taken in the IT industry that are based on superstition and Voodoo that leave systems in a wreck.  I've had to clean up those messes left behind by "consultants",...it ain't pretty.
LVL 29

Expert Comment

ID: 26315412
Advice to your specific question:

1. Never ever ever ever ever ever ever touch the two Default Policies.  They are the Default Domain Policy and the Default Domain Controller Policy.  Always create new policies and put your changes in them.   Create separate Policies for different areas (example: one for Desktop settings,...one for Internet Explorer,....one for Windows Update,...one for Windows Firewall Settings).

2. Start out small and conservative.  Make small changes that have a tangible, obvious reason to exist.  Don't make changes without knowing all the "side-effects" that the change will cause.  By creating separate policies for different areas and not touching the Default Policies,  you can "unlink" a particular policy if things go bad and the default settings will return for the most part, but beware there are some types of settings that will not automatically return to default.

3. Bottom line,..work within the realm of what you know what you are doing,...if you don't know what you are doing, then don't do it.   Read, learn,...come back to it when you understand it better.

Author Comment

ID: 26317160
Thanks for your reply.
I understand your meaning....
Kindly send me a link where I can see some of the most commonly used GPOs applied to the network, like monitors should shut down if they are not used for 15 minutes......
Some good examples you remember or advise.....
Thanks once again for your support.


LVL 29

Accepted Solution

pwindell earned 2000 total points
ID: 26319137
There is no "common most used" that I ever heard of.

Monitor shutoff timeout is not a security policy,... and you asked about security.

For me,

Browser GPO
I set the browser to not run the "first run". Pretty much nothing else touched.
This is not really a "security policy" either,...more of a management/maintenance policy.

Windows Firewall GPO
Desktops and Server have the Firewall turned off  
Laptops have the Firewall turned off when on the LAN,..turn on when off the LAN

Windows Update - WSUS GPO
Various GPOs that apply the WSUS behavior differently depending on the machine's role in the network.

Terminal Server GPO
Regular users do not have the "Shutdown" option on the Start Menu.  Administrators do have the option.

Power Saver GPO
Allow normal users to change the Power Saver Settings.  I think it is stupid that MS doesn't allow them to do this.  Power settings are unique to each user (not machine global) yet the user has to be a local Admin to change them, and I don't let them be admins,...which means the Power settings are stuck at whatever MS made the defaults to be.

That is about all I use as far as GPOs are concerned.  I don't believe,..and do not treat,... nor consider,... GPO to be my primary security tool.  My primary security tools for within the LAN are the NTFS permissions and proprietary permissions that are directly designed into the Applications that our business uses.  A huge amount of security rests on not allowing the users to be local Administrators on their workstation.

Security between the LAN and the Internet centers around a Firewall product that costs well over $6000.00

Email Security is handled by a SPAM filtering product appliance costing a few thousand dollars.

Anti Virus is handled separately from SPAM by an AV product costing a few thousand dollars.

So GPO,...has a very small role when viewed in the big picture.

This is one of those subjects that if you ask 3 different IT people the question you will get 5 different answers that all disagree with each other.
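
The accepted answer's approach (one new GPO per area, the two Default Policies left alone, nothing linked until it has been reviewed, and an "unlink" as the rollback) can be scripted. The following is an added example written for this page, not code from the answer's author; it assumes the GroupPolicy cmdlets (shipped with Windows Server 2008 R2 / RSAT, not with the original Server 2008), a constructed domain corp.example, a constructed test OU and a constructed group "TS Regular Users". The Terminal Server setting is the answer's own example (no "Shut Down" for regular users, Administrators keep it); the registry value shown is the one behind the User Configuration policy "Remove and prevent access to the Shut Down command".

```powershell
# Added example for this thread (not the answer's code). Requires the GroupPolicy module.
Import-Module GroupPolicy

# Well-known GUIDs of the two built-in policies the answer says never to edit.
$DefaultPolicyIds = @(
    '31B2F340-016D-11D2-945F-00C04FB984F9',   # Default Domain Policy
    '6AC1786C-016F-11D2-945F-00C04FB984F9'    # Default Domain Controllers Policy
)

function Assert-NotDefaultPolicy {
    # Returns the GPO object, or throws if the name resolves to a built-in Default Policy.
    param([Parameter(Mandatory)][string]$Name)
    $gpo = Get-GPO -Name $Name -ErrorAction Stop
    if ($DefaultPolicyIds -contains $gpo.Id.ToString().ToUpper()) {
        throw "Refusing to modify built-in policy '$Name' ($($gpo.Id)); create a new GPO instead."
    }
    return $gpo
}

# One policy per area (the five areas the answer lists), created UNLINKED so that
# nothing applies anywhere until each policy has been reviewed.
$Areas = 'Browser', 'Windows Firewall', 'Windows Update - WSUS', 'Terminal Server', 'Power Saver'
foreach ($area in $Areas) {
    $name = "TEST - $area"
    if (-not (Get-GPO -Name $name -ErrorAction SilentlyContinue)) {
        New-GPO -Name $name -Comment "Scope: $area settings only. Created $(Get-Date -Format s)" | Out-Null
    }
}

# Worked setting: remove "Shut Down" from the Start Menu for the users this GPO applies to.
$ts = Assert-NotDefaultPolicy -Name 'TEST - Terminal Server'
Set-GPRegistryValue -Name $ts.DisplayName `
    -Key 'HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer' `
    -ValueName 'NoClose' -Type DWord -Value 1 | Out-Null

# Security filtering so that only regular users receive it: Authenticated Users keeps
# Read (replacing its default Read+Apply), and a constructed group gets Apply.
# Administrators are not in that group, so they keep the Shut Down option.
Set-GPPermission -Name $ts.DisplayName -TargetName 'Authenticated Users' -TargetType Group `
    -PermissionLevel GpoRead -Replace | Out-Null
Set-GPPermission -Name $ts.DisplayName -TargetName 'TS Regular Users' -TargetType Group `
    -PermissionLevel GpoApply | Out-Null

# Review what the policy would do BEFORE linking it anywhere (the "Explanation" text for
# each setting is also in the report).
Get-GPOReport -Name $ts.DisplayName -ReportType Html -Path "$env:TEMP\TEST-TerminalServer.html"

# Link to a dedicated test OU (constructed DN), never to the domain root on a first pass.
$TestOu = 'OU=GPO-Test,DC=corp,DC=example'
New-GPLink -Name $ts.DisplayName -Target $TestOu -LinkEnabled Yes -ErrorAction Stop | Out-Null

# Rollback = the "unlink" the answer describes; the GPO and its settings stay intact
# for inspection while it stops applying:
#   Set-GPLink -Name $ts.DisplayName -Target $TestOu -LinkEnabled No
```

Running `Assert-NotDefaultPolicy -Name 'Default Domain Policy'` throws, which is the point of the guard: a script that is later reused by someone "GPO happy" cannot be pointed at the built-in policies by accident. As the answer warns, some settings (registry values written by policy that are not "true" policies) do not revert when the link is disabled; the HTML report is the record of what was changed.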

Author Comment

ID: 26329915
pwindell: Thanks for your valuable suggestion,
Please explain your words with a good example:-
"My primary security tools for within the LAN are the NTFS permissions and proprietary permissions that are directly designed into the Applications that our business uses."
How and where do you implement NTFS permissions if you are given 50-75 users to do so?
Thanks once again,
LVL 29

Expert Comment

ID: 26343194
NTFS permissions aren't associated with users,...they are associated with Files and Folders.  They can be associated with other things like Registry Keys and Active Directory OUs,..but I doubt you will go that far with that.   You grant permissions to Groups primarily,...granting to specific users is a very bad idea and gets unmanageable.  You add users to Groups,...then grant Groups permissions to the files or folders (usually folders) that they are supposed to have access to.

I cannot give you all the details here.  This is normal stuff that someone in your position is already supposed to know to be able to do their job.  Don't take that the wrong way,...I'm just trying to be honest and fair with you,...but it is fairly basic concepts and a job requirement.  You have very little chance of not making a mess with something as complex and dangerous as GPOs if you don't understand the simpler things like dealing with NTFS permissions.   If your knowledge is lacking in that area then do not go changing anything anywhere until you have studied the subject well enough to understand what you are doing and how bad the side effects can be if you do it wrong.

Concerning permissions in your main business Applications I cannot help with.  They are all different. It depends on how well the Application was developed and how securely it was designed.  The people that the Application came from are really the only ones that can help you with that.
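
The pattern in the expert's comment (users go into groups, groups get the folder permissions, never individual users) in script form, as an added example for this page rather than the commenter's own code. It assumes the ActiveDirectory module (RSAT) and constructed names: a folder D:\Shares\Finance, an OU "Groups" in corp.example, and two sample user accounts. The second function is the check a practitioner wants after the fact: it lists ACEs that were granted straight to user accounts, which is the "unmanageable" practice the comment warns against.

```powershell
# Added example for this thread (not the commenter's code). Requires the ActiveDirectory module.
Import-Module ActiveDirectory

function New-ResourceGroupAcl {
    # Create (if needed) a domain-local security group, add the users to it, and grant the
    # GROUP the rights on the folder. Administrators and SYSTEM keep Full Control so that
    # disabling inheritance cannot lock admins out.
    param(
        [Parameter(Mandatory)][string]$Folder,
        [Parameter(Mandatory)][string]$GroupName,
        [Parameter(Mandatory)][string[]]$Members,
        [ValidateSet('Modify', 'ReadAndExecute')][string]$Rights = 'Modify',
        [string]$GroupOu = 'OU=Groups,DC=corp,DC=example'        # constructed DN
    )
    if (-not (Get-ADGroup -Filter "Name -eq '$GroupName'")) {
        New-ADGroup -Name $GroupName -GroupScope DomainLocal -GroupCategory Security `
            -Path $GroupOu -Description "NTFS $Rights on $Folder"
    }
    Add-ADGroupMember -Identity $GroupName -Members $Members

    if (-not (Test-Path $Folder)) { New-Item -ItemType Directory -Path $Folder | Out-Null }
    $acl = Get-Acl -Path $Folder
    $acl.SetAccessRuleProtection($true, $false)     # stop inheriting; start from an explicit ACL

    $inherit   = [System.Security.AccessControl.InheritanceFlags]'ContainerInherit, ObjectInherit'
    $propagate = [System.Security.AccessControl.PropagationFlags]::None
    $allow     = [System.Security.AccessControl.AccessControlType]::Allow

    # Well-known SIDs: BUILTIN\Administrators (S-1-5-32-544) and SYSTEM (S-1-5-18).
    foreach ($sid in 'S-1-5-32-544', 'S-1-5-18') {
        $id = New-Object System.Security.Principal.SecurityIdentifier($sid)
        $acl.AddAccessRule((New-Object System.Security.AccessControl.FileSystemAccessRule(
            $id, 'FullControl', $inherit, $propagate, $allow)))
    }
    $groupId = New-Object System.Security.Principal.NTAccount("CORP\$GroupName")   # constructed NetBIOS name
    $acl.AddAccessRule((New-Object System.Security.AccessControl.FileSystemAccessRule(
        $groupId, $Rights, $inherit, $propagate, $allow)))
    Set-Acl -Path $Folder -AclObject $acl
}

function Find-DirectUserAces {
    # Report ACEs granted to individual user accounts instead of groups.
    param([Parameter(Mandatory)][string]$Folder)
    foreach ($ace in (Get-Acl -Path $Folder).Access) {
        $sam = ($ace.IdentityReference.Value -split '\\')[-1]
        $user = Get-ADUser -Filter "SamAccountName -eq '$sam'" -ErrorAction SilentlyContinue
        if ($user) {
            [pscustomobject]@{
                Folder   = $Folder
                Identity = $ace.IdentityReference.Value
                Rights   = $ace.FileSystemRights
                Type     = $ace.AccessControlType
            }
        }
    }
}

# Usage with constructed names: two sample accounts, one group, one share folder.
New-ResourceGroupAcl -Folder 'D:\Shares\Finance' -GroupName 'FS-Finance-Modify' `
    -Members 'jdoe', 'asmith' -Rights Modify
Find-DirectUserAces -Folder 'D:\Shares\Finance' | Format-Table -AutoSize
```

With 50-75 users the work is in the group memberships, not in the folders: each folder carries a handful of group entries, and giving a new employee access means `Add-ADGroupMember`, not touching an ACL. `Find-DirectUserAces` returning nothing for a folder is the state to aim for.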

Author Comment

ID: 26351561
pwindell: thanks for the great suggestion.

I do agree with you regarding NTFS permissions.

Kindly advise some examples of the most commonly used GPOs, for users as well as computers.

An early reply will be highly appreciated.

Many thanks,

LVL 29

Expert Comment

ID: 26352105
I already did.  I listed 5 examples above.

Just run the Group Policy Management Tool,...create a new Test Policy and look around in it.  All the settings have an "Explanation" tab to describe what it does.  Just do not touch or edit the two Default Policies and don't link a Policy to anything until you are sure what it will do.
