Re: Group Policy????

From: Steven L Umbach (n9rou_at_nospam-comcast.net)
Date: 06/26/05



As Svyatoslav suggested, you are much better off using Domain or
Organizational Unit level Group Policy than local Group Policy for domain
computers, for ease of management and consistent application. Here are some
pointers to get you started.

Read the Windows 2003 Deployment Kit link below on Designing a Managed
Environment and the other general link to Group Policy. Download and use the
Group Policy Management Console to implement, troubleshoot, and manage Group
Policy.

http://www.microsoft.com/technet/prodtechnol/windowsserver2003/library/DepKit/3ddb5bec-a454-4e9b-a6e7-397ee7c4ea3a.mspx
http://www.microsoft.com/technet/prodtechnol/windowsserver2003/technologies/featured/gp/default.mspx

I will briefly suggest what to consider for each point.

1. Modify the user rights for logon locally and deny logon locally. Keep in
mind that deny overrides allow and that administrators are also members of
the Everyone and Users groups. This can be done via Group Policy - computer
configuration/Windows settings/local policies/user rights.

2. Not sure exactly what you want to do here, but it sounds like you
want to manage membership of the local administrators group, possibly to be
just the "owner" of the computer, though it is best not to make a regular
user a local administrator unless there is a compelling business reason to
do so. Group Policy Restricted Groups may help here.

3. Either disable the server service, though that will prevent you from
using Computer Management to remotely manage the computers, or modify the
user rights for "access this computer from the network" or "deny access this
computer from the network" to manage who can access the computer from the
network. Access to Remote Desktop can be managed by modifying membership of
the Remote Desktop Users group and/or the user right for allow/deny logon
through Terminal Services. IPsec can also be used to manage network access
at the computer level, though it is a fairly complex topic and IPsec policies
must be tested out before implementing in the domain. A strong domain
password policy is also a must to protect network resources, and high value
computers need to be physically secured. IPsec, services, user rights, and
Remote Desktop can all be managed via Group Policy.

4. You can manage NTFS permissions to restrict user access to
folders/files. By default users will have full control of their user profile
and write access to some parts of the All Users profile such as shared
folders. Be sure to test changes before implementing so that the user has a
functional computer and can log on. I don't recommend making changes to NTFS
permissions on the \windows folder and subfolders. NTFS permissions can be
applied via Group Policy/security policy - file system or via logon/startup
Group Policy scripts. I recommend using file system group policy ONLY at the
OU level and removing it when computer NTFS permissions have been updated.
This needs to be thoroughly tested on a test OU with test computers first.

1B. Use Software Restriction Policies to manage what applications a user
can install and run on their computer. You can use hash, certificate, and
path rules and a default unrestricted or disallowed security level. Keep in
mind that desktop shortcuts are considered an executable file. The link
below explains much more.

http://www.microsoft.com/technet/prodtechnol/winxppro/maintain/rstrplcy.mspx

2B. Network resources can be restricted by the use of the built-in Windows
Firewall, where you can configure the scope of an exception to allow only
desired traffic by IP address or subnet, or you can use IPsec policies to
manage network access. Keep in mind that anything that filters access by IP
address alone could be accessed if a user is able to configure their
computer with an IP address in the allowed range. The first link below is
about IPsec, and I also suggest you read the Windows 2003 and XP Pro security
guides, which have specific information on security policy, which is a subset
of Group Policy - computer configuration. --- Steve

http://www.microsoft.com/windowsserver2003/technologies/networking/ipsec/default.mspx
http://www.microsoft.com/technet/security/default.mspx -- TechNet Security
center. View the pertinent operating system for security guides, etc.

"udi via WinServerKB.com" <forum@WinServerKB.com> wrote in message
news:506BDE30F5A10@WinServerKB.com...
>I have 1 Windows 2003 Ent. Server (Domain) and 60 Windows XP Professional
> clients.
> I want to implement Group Policy in our Domain Environment.
> Also I want to implement Local Policy on every client machine.
>
> I want to apply the following restrictions in our Domain.
> 1) Nobody logs on to the local machine
> 2) Restrict all the local system resources except the owner of the machine.
> 3) Nobody accesses the local machine from the network
> 4) Restrict the operating system drive on every client machine.
>
> Group Policy Object.
> 1) Restrict software installation for users
> 2) Restrict some network sources.
>
> Can anybody help me on this, also suggest any other activities to restrict
> through Group Policy as well as Local Machine Group Policy.
>
> Please guide me step by step so I can easily implement it in our domain
> environment.
>
> Regards
> Udi
>
>
> --
> Message posted via WinServerKB.com
> http://www.winserverkb.com/Uwe/Forums.aspx/windows-server-security/200506/1
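A small Python model of the "deny overrides allow" rule from point 1 of Steve's reply, added here as an illustration (it is not from the thread or from any Microsoft tool): it parses a constructed GptTmpl.inf [Privilege Rights] fragment and shows that a deny placed on Everyone or Users also locks out administrators, since they are members of those groups too. The template contents, account names and memberships are constructed; only the well-known SIDs are real.

```python
# Constructed GptTmpl.inf fragment (the format GPMC writes for Computer
# Configuration/Windows Settings/Security Settings/Local Policies/User Rights).
# Well-known built-in SIDs; the assignments themselves are made up here.
TEMPLATE = """
[Privilege Rights]
SeInteractiveLogonRight = *S-1-5-32-544,*S-1-5-32-545
SeDenyInteractiveLogonRight = *S-1-1-0
SeNetworkLogonRight = *S-1-5-32-544
SeDenyNetworkLogonRight = *S-1-5-32-545
"""
# Every logged-on account is also in Everyone and Authenticated Users, so a
# deny placed on either of those hits administrators too.
IMPLICIT_SIDS = {"S-1-1-0", "S-1-5-11"}
# Constructed accounts: a domain admin is normally in Domain Users, which
# lands in the local Users group (S-1-5-32-545) on a domain member.
ACCOUNTS = {
    "domain-admin": {"S-1-5-32-544", "S-1-5-32-545"},
    "regular-user": {"S-1-5-32-545"},
}

def parse_privilege_rights(text):
    """Return {right name: set of SIDs} from the [Privilege Rights] section."""
    rights, in_section = {}, False
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("["):
            in_section = line.lower() == "[privilege rights]"
            continue
        if in_section and "=" in line:
            key, _, value = line.partition("=")
            rights[key.strip()] = {s.strip().lstrip("*")
                                   for s in value.split(",") if s.strip()}
    return rights

def resolve(rights, right, member_sids):
    """Apply one allow/deny pair the way LSA does: an explicit deny wins."""
    sids = set(member_sids) | IMPLICIT_SIDS
    if sids & rights.get("SeDeny" + right[2:], set()):
        return "denied"
    return "allowed" if sids & rights.get(right, set()) else "not granted"

def report(template=TEMPLATE, accounts=ACCOUNTS):
    """Effective interactive and network logon result per account."""
    rights = parse_privilege_rights(template)
    return {name: {r: resolve(rights, r, sids)
                   for r in ("SeInteractiveLogonRight", "SeNetworkLogonRight")}
            for name, sids in accounts.items()}
```

Running report() shows both accounts denied on both rights: the deny on Everyone blocks the admin's local logon and the deny on Users blocks the admin's network logon, which is why a deny right should name a specific group rather than Everyone or Users.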


