The default installation of Windows 2000 is tuned for the first-time user.
This is most obvious the first time a user logs into the system. Features such
as the Welcome to Windows splash screen and the Network Connection Wizard become
very annoying to experienced users who log onto a different lab computer every
day. The most efficient way to remove most of these annoyances is through Active
Directory's Group Policy.
AD's Group Policy is also useful for lab operation. In the CPES computer
lab, there are 20 computer systems available for public use. Before Group Policy,
early-morning users would log into a machine and lock the computer whenever
they walked away for a few minutes. With AD's Group Policy, we have removed
the ability for users to lock the lab computers while retaining the ability
for Administrators to lock them.
There are two forms of group policy, both of which are distributed from the
AD servers within the domain. The computer policy is downloaded to a client
computer when the computer starts up, while the user policy is downloaded
when the user logs in. In CPES, we decided to use Group Policy's loopback
processing so that the policy linked to the computer can override the user's
own policy, depending on which area of the lab a user is visiting. For example,
users in the PC lab cannot lock their computers, because the computers must be
shared with other users. Users in their offices, on the other hand, are allowed
to lock their own personal computers.
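The following is an added example, not code from the original page: a small model of how loopback processing changes which "Disable Lock Computer" value the same user ends up with at an office PC versus a PC-lab PC. The GPO names and the office-side value are constructed, and the model assumes loopback merge mode is enabled on the PC-lab computers' policy as the text above describes; the PC-lab value itself is the one in the policy table on this page.

```python
# Added example, not code from the original page: a model of how Group Policy
# loopback processing decides which "Disable Lock Computer" value a user gets.
# GPO names and the office-side value are constructed; the PC-lab value is the
# one in the policy table on this page.

def resolve_user_settings(user_gpos, computer_gpos, loopback=None):
    """Return the effective user-side settings as {policy: value}.
    user_gpos / computer_gpos: lists of (gpo_name, {policy: value}) in
    application order (site, domain, OU); a later GPO overrides an earlier
    one on conflict. loopback is None, "merge" or "replace"."""
    effective = {}
    # Normal processing: only user settings from GPOs linked where the
    # *user* object lives are applied.
    if loopback != "replace":
        for _name, settings in user_gpos:
            effective.update(settings)
    # Loopback: user settings from GPOs linked where the *computer* lives
    # are applied too. In merge mode they come last, so they win conflicts;
    # in replace mode they are the only user settings applied.
    if loopback in ("merge", "replace"):
        for _name, settings in computer_gpos:
            effective.update(settings)
    return effective

def lock_allowed(settings):
    """True unless the table's 'Disable Lock Computer' policy is Enabled."""
    return settings.get("Disable Lock Computer") != "Enabled"

# Constructed GPO lists: the user's own OU leaves locking allowed (office
# use); the PC-lab computers carry the page's "Disable Lock Computer: Enabled".
OFFICE_USER_GPOS = [("Staff OU policy (assumed)",
                     {"Disable Lock Computer": "Disabled"})]
PC_LAB_COMPUTER_GPOS = [("PC Lab policy",
                         {"Disable Lock Computer": "Enabled",
                          "Disable Autoplay": "Enabled"})]

def effective_for(location):
    """Resolve settings for the same user at an office PC or a PC-lab PC."""
    if location == "office":
        # Office computers do not enable loopback, so only the user's own
        # GPOs contribute user settings.
        return resolve_user_settings(OFFICE_USER_GPOS, [], loopback=None)
    return resolve_user_settings(OFFICE_USER_GPOS, PC_LAB_COMPUTER_GPOS,
                                 loopback="merge")

if __name__ == "__main__":
    for where in ("office", "lab"):
        print(where, "can lock:", lock_allowed(effective_for(where)))
```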
There are many decisions to be made when designing a group policy. A good number
of the options available in group policy settings could anger your computer
users, so be sure to discuss these options with management before enabling them.
For example, Internet Explorer can be configured to show a company web site
as the home page, and it can prevent users from changing the home page. Some
users may complain, but management may decide it is important for the users
to see the company web site for important announcements.
The complete list of available Group Policy options can be viewed from any
machine by launching the MMC (mmc.exe). Choose File, Add/Remove Snap-in, Add,
Group Policy, Local Computer, Close, and OK.
In the tables below, a blank Tree Location continues the location of the row above.

| Tree Location | Policy | Setting | Applies To |
|---|---|---|---|
| Computer Configuration-> Admin Templates-> System-> Group Policy | User Group Policy loopback processing mode | Enabled: Merge | non-PC lab |
| Computer Configuration-> Windows Settings-> Security Settings-> Account Policies-> Password Policy | Enforce password history | 18 passwords | |
| | Maximum password age | 180 days | |
| | Minimum password length | 7 characters | |
| | Minimum password age | 3 days | |
| | Passwords must meet complexity requirements | Enabled | |
| Computer Configuration-> Windows Settings-> Security Settings-> Account Policies-> Account Lockout Policy | Account lockout duration | 15 minutes | |
| | Account lockout threshold | 5 invalid attempts | |
| | Reset counter after | 5 minutes | |
| Computer Configuration-> Windows Settings-> Security Settings-> Local Policies-> Audit Policy | Audit account logon events | success, failure | |
| | Audit account management | success, failure | |
| | Audit directory service access | success, failure | |
| | Audit privilege use | success | You probably want to enable more logging than this; when designing the new domain, I enabled all logging functionality. |
| Computer Configuration-> Windows Settings-> Security Settings-> Local Policies-> Security Options | Disable CTRL+ALT+DEL requirement for logon | Disabled | |
| | Do not display last user name in logon screen | Enabled | |
| | LAN Manager Authentication Level | Send NTLMv2 response only/refuse LM | |
| | Restrict CD-ROM access to locally logged-on user only | Enabled | |
| | Restrict floppy access to locally logged-on user only | Enabled | |
| | Prompt user to change password before expiration | 3 days | |
| | Secure channel: Require strong (Windows 2000 or later) session key | Enabled | |
| Computer Configuration-> Windows Settings-> Security Settings-> Event Log-> Settings for Event Logs | Retention method for application log | As needed | |
| | Retention method for security log | As needed | |
| | Retention method for system log | As needed | |
| Computer Configuration-> Administrative Templates-> Windows Components-> Task Scheduler | Disable new task creation | Enabled | PC Lab |
| Computer Configuration-> Administrative Templates-> System | Don't display welcome screen at logon | Enabled | |
| | Disable Autoplay | Enabled | PC Lab |
| Computer Configuration-> Administrative Templates-> Network-> Offline Files | Enabled | Disabled | PC Lab |
| | Disable user configuration of offline files | Enabled | PC Lab |
| | Synchronize all offline files before logging off | Disabled | PC Lab |
| | Disable "Make Available Offline" | Enabled | PC Lab |
| | Prevent use of offline files | Enabled | PC Lab |
| | At logoff, delete local copy of user's offline files | Enabled | PC Lab |

For the Internet Explorer Maintenance settings, locate User Configuration-> Windows Settings-> Internet Explorer Maintenance, right-click it, and select Preference Mode (note that mmc might crash if you forgot to replace your admparse.dll as described in the AD1 and AD2 setup).

| Tree Location | Policy | Setting | Applies To |
|---|---|---|---|
| User Configuration-> Windows Settings-> Internet Explorer Maintenance-> Advanced-> Internet Settings-> Autocomplete | Use AutoComplete for user names and passwords on forms | Disabled | |
| | Prompt to save passwords | Disabled | |
| User Configuration-> Windows Settings-> Internet Explorer Maintenance-> Advanced-> Internet Settings-> Advanced Settings | Enable Auto dialing | Disabled | Non-Laptop |
| | Disable Script Debugging | Enabled | |
| | Enable page transitions | Disabled | |
| | Enable page hit counting | Disabled | |
| | Automatically check for IE updates | Disabled | |
| | Show Go button in address bar | Disabled | |
| | Show friendly HTTP error messages | Disabled | |
| | When searching from the address bar | Do not search from the address bar | |
| User Configuration-> Windows Settings-> Internet Explorer Maintenance-> Advanced-> Corporate Settings-> Temporary Internet Files (User) | Set amount of disk space to use | 10240 | |
| User Configuration-> Windows Settings-> Internet Explorer Maintenance-> Advanced-> Corporate Settings-> Temporary Internet Files (Machine) | Set amount of disk space to use | 40960 | |
| | Disable Roaming Cache | Enabled | |
| User Configuration-> Windows Settings-> Internet Explorer Maintenance-> URLs-> Important URLs | Customize Home Page URL | http://www.support.cpes.vt.edu/ | |
| User Configuration-> Windows Settings-> Internet Explorer Maintenance-> Connection-> Automatic Browser Configuration | Automatically detect configuration settings | Disabled | Non-Laptop |
| User Configuration-> Windows Settings-> Internet Explorer Maintenance-> Connection-> Proxy Settings | Enable Proxy Settings | Enabled | |
| | Use the same proxy server for all addresses | Disabled | |
| | Proxy Servers | (all blank) | |
| User Configuration-> Administrative Templates-> System | Disable Autoplay | Enabled | PC Lab |
| | Disable Registry Editing Tools | Enabled | Non-Admins |
| | Don't display welcome screen at logon | Enabled | |
| User Configuration-> Administrative Templates-> System-> Logon/Logoff | Disable Lock Computer | Enabled | Users |
| | Disable Lock Computer | Disabled | Non PC Lab |
| User Configuration-> Administrative Templates-> Network-> Network and Dial-up Connections | Prohibit access to the Network Connection Wizard | Enabled | PC Lab |
| User Configuration-> Administrative Templates-> Control Panel-> Display | Disable Changing Wallpaper | Enabled | PC Lab |
| | Hide Appearance Tab | Enabled | PC Lab |
| | Activate Screen Saver | Enabled | |
| | Screen saver executable name | Enabled: ssbezier.scr | PC Lab |
| | Password protect the screen saver | Enabled | Admins |
| | Screen Saver Timeout | Enabled | PC Lab |
| User Configuration-> Administrative Templates-> Desktop-> Active Desktop | Disable Active Desktop | Enabled | PC Lab |
| User Configuration-> Administrative Templates-> Start Menu & Taskbar | Add Logoff to the Start Menu | Enabled | |
| | Disable and Remove the Shut Down command | Enabled | PC Lab |
| | | Disabled | Non PC Lab |
| User Configuration-> Administrative Templates-> Windows Components-> Internet Explorer | Disable the Reset Web Settings feature | Enabled | PC Lab |
| | Do not allow AutoComplete to save passwords | Enabled | |
| | Disable AutoComplete for Forms | Enabled | |
| | Disable Internet Connection Wizard | Enabled | PC Lab |
| | Disable changing home page settings | Enabled | Non PC Lab |
| | Disable changing Temporary Internet Files settings | Enabled | PC Lab |
| | Disable changing proxy settings | Enabled | PC Lab |
| | Disable Find Files via F3 within the browser | Enabled | |
| Computer Configuration-> Windows Settings-> Local Policies-> Security Options | | | |
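Once the policy is applied, it is worth confirming that a lab machine actually received the account, lockout and audit values listed above. The following is an added example, not code from the original page: it parses the INI-style template that `secedit /export /cfg <file>` writes (a UTF-16 file on Windows; decode it before parsing) and reports every key that differs from the table. `SAMPLE_EXPORT` is a constructed export with deliberate drift; the section and key names are those used in secedit templates, where audit values mean 0 = none, 1 = success, 2 = failure, 3 = success and failure.

```python
# Added example, not code from the original page: compare an exported security
# template with the password, lockout and audit values in the table above.
# SAMPLE_EXPORT is constructed so that the check has some drift to report.
import configparser

# secedit key names; audit values: 0 none, 1 success, 2 failure, 3 both
EXPECTED = {
    "System Access": {
        "PasswordHistorySize": "18", "MaximumPasswordAge": "180", "MinimumPasswordAge": "3",
        "MinimumPasswordLength": "7", "PasswordComplexity": "1", "LockoutBadCount": "5",
        "LockoutDuration": "15", "ResetLockoutCount": "5"},
    "Event Audit": {"AuditAccountLogon": "3", "AuditAccountManage": "3",
                    "AuditDSAccess": "3", "AuditPrivilegeUse": "1"},
}

SAMPLE_EXPORT = """\
[System Access]
PasswordHistorySize = 18
MaximumPasswordAge = 90
MinimumPasswordAge = 3
MinimumPasswordLength = 7
PasswordComplexity = 1
LockoutBadCount = 0
LockoutDuration = 15
ResetLockoutCount = 5
[Event Audit]
AuditAccountLogon = 3
AuditAccountManage = 3
AuditDSAccess = 3
AuditPrivilegeUse = 0
"""

def parse_template(text):
    """Parse secedit's INI layout into {section: {key: value}}."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.optionxform = str  # keep key case exactly as exported
    cp.read_string(text)
    return {s: dict(cp[s]) for s in cp.sections()}

def find_drift(actual, expected=EXPECTED):
    """Return {(section, key): (expected, actual)}; a missing key gives actual None."""
    drift = {}
    for section, keys in expected.items():
        present = actual.get(section, {})
        for key, want in keys.items():
            if present.get(key) != want:
                drift[(section, key)] = (want, present.get(key))
    return drift

if __name__ == "__main__":
    for (sec, key), (want, have) in sorted(find_drift(parse_template(SAMPLE_EXPORT)).items()):
        print(f"[{sec}] {key}: expected {want}, found {have}")
```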