MCSA/MCSE Self-Paced Training Kit (Exam 70-214): Implementing and Administering Security in a Microsoft Windows 2000 Network (Pro-Certification)
Lesson 3: Configuring Client Computer Security Policy
Group Policy contains configuration and security settings that you can use to control the behavior, security, and appearance of Windows Explorer as well as a computer's network configuration. Using Group Policy, you can accomplish these tasks to standardize and restrict access to many of the features of Windows Explorer:
-
Restrict access to desktop icons.
-
Limit the programs that a user can run.
-
Hide drive icons in My Computer and in the Open and Save dialog boxes.
-
Restrict features of Active Desktop.
-
Remove features of Windows that are unnecessary for your organization.
-
Create startup/shutdown and logon/logoff scripts that create a standard network environment.
-
Manage offline documents and content.
After this lesson, you will be able to
-
Configure Group Policy to tailor the user experience for various classes of workers
-
Restrict access to management tools
-
Restrict access to Internet Explorer configuration
Estimated lesson time: 20 minutes
Using Client-Side Group Policy Configuration
Group Policy is most appropriately used to prevent users from accidentally reconfiguring and interfering with the operation of their computers. While avoiding user downtime is important in an environment where single-user computers are common, it is critical in an environment where multi-user servers such as Terminal Services servers are used. In these environments, desktop and application settings directly affect everyone who uses the terminal server.
You access most configuration tools in Windows through the Microsoft Management Console (MMC). Restricting access to the MMC is critical to preventing users from making administrative changes to their computers. Group Policy can also be used to control access to the MMC.
In most enterprises, workers typically use a relatively small set of programs, defined by the kind of work they perform. For example, an administrative assistant might use Microsoft Outlook and Microsoft Word extensively, but have no need for Microsoft Excel or other programs. An accountant might require access to the Great Plains Software database client, Excel, and Internet Explorer on a regular basis, use Outlook and Word infrequently, and not use any other programs. An assembly-line worker might need only a Microsoft Access client for a SQL Server data collection application.
By far the most important security feature of Group Policy is its ability to restrict the programs available to a group to the set its members need for their jobs. Group Policy implements this restriction by matching the file name of the application against an allowed list (the Run Only Allowed Windows Applications setting). This blocks a large share of the security breaches that a user might cause, either maliciously or accidentally, but it is a name check and nothing more: a user who downloads a similar program and gives it the name of an allowed application can run it to obtain the same functionality.
A clever attacker will simply rename an executable to match the name of a program that he knows is allowed, because the policy compares file names only, not the contents of the file. You must use NTFS file system permissions to prevent this workaround, for example by denying users write access to the directories that hold the allowed programs and denying the Execute File permission on the directories they can write to, such as their profile and temporary folders.
It is absolutely crucial that you test Group Policy application whenever you create or modify GPOs, or when you suspect that your GPO is not completely effective. The easiest way to test GPOs is to create a test user account within the OU in question, so that the test user is a peer to the types of user accounts that the Group Policy is intended to control. Once you've created this test user, you can log on to your computer using the test user account to test the GPO.
Configuring Group Policy by Type of Worker
Group Policy is frequently used to create separate desktop configurations for different types of workers. Consider the difference between the requirements of knowledge workers and task workers.
-
Knowledge workers require the ability to run multiple Office programs, create and manage documents of different types, and access various network shares. This configuration matches the way that most business computers are configured today. Beyond typical access to applications and shared information, knowledge workers need somewhere to store the documents that they create; documents are often stored on a share located on a network file server. However, knowledge workers do not need to be able to reconfigure their computers and benefit from a streamlined desktop without unnecessary distractions.
-
Task workers perform the same task routinely and need only a few programs. These workers find it most convenient if the programs they use are readily available without distraction. Security for these clients can be dramatically improved by restricting the programs they are allowed to run to the set of applications they are known to use. This type of restriction is the most important security feature available in Group Policy because it removes the user's ability to start programs that could provide unauthorized access, and it prevents most attacks that originate from clients. Keep in mind, though, that the check is by file name and must be backed by NTFS permissions, as described earlier.
Because task workers in many cases run database clients that do not require access to the local or remote file system, you can eliminate all drive mappings and allow only the database client required by the worker. This turns the client into a single-function kiosk, which is about as locked down as a Windows client can be made with Group Policy alone. You could even use a Group Policy setting to enable a custom user interface that offers only the one program required by the task worker. In such an environment, making Windows Explorer unavailable and disabling Task Manager would prevent the computer from being used to run any other program.
Configuring Internet Explorer Using Group Policy
Just as you can use Group Policy to control the behavior of most components of Windows, you can use it to control the behavior of Internet Explorer. Group Policy restrictions for Internet Explorer are contained in two places in the Group Policy namespace:
-
\User Configuration\Windows Settings\Internet Explorer Maintenance
-
\User Configuration\Administrative Templates\Windows Components\Internet Explorer
The Internet Explorer Maintenance settings control home page and other URLs, Security Zone settings, content rating settings, and other such "pre-deployment" settings, similar to those that can be configured with the Internet Explorer Administration Kit.
The Internet Explorer settings allow you to disable components of the Internet Explorer user interface, such as menu items, Properties dialog boxes, and options.
Controlling Internet Explorer Settings
To truly secure the Web browsing experience, you must use Group Policy to direct your internal users through a proxy server, such as Microsoft Internet Security and Acceleration (ISA) Server, that can inspect HTTP traffic for protocol errors and block access to sites that are known to be dangerous. The primary security purpose of controlling Internet Explorer settings is to prevent users from bypassing the proxy server to browse the Web directly.
For organizations whose security policy does not require a proxy server, you can control Internet Explorer security settings to prevent users from changing security zone restrictions that could enable dangerous content like ActiveX controls from Web sites that you don't trust.
Finally, controlling Internet Explorer settings is a convenient way to create a uniform browsing experience for users and maintain consistent home and support pages throughout an organization, facility, or department.
Limitations of Group Policy
When you configure Internet Explorer security using Group Policy, bear in mind that most of the settings are user interface restrictions that do not truly disable a particular type of functionality. If a user finds some other interface, or downloads a program, script, or registry file that can change Internet Explorer settings directly, those changes override what your Group Policy presents in the user interface. Scripts of this sort are traded openly on the Internet.
For example, in the Group Policy namespace \User Configuration\Administrative Templates\Windows Components\Internet Explorer, the \Browser menus\Tools menu option Disable Internet Options might seem like an easy way to block access to the Internet Explorer Internet Options dialog box. However, a knowledgeable user can reach the same settings through Control Panel even when the browser menu item is disabled. In this specific case, also enable the settings under Internet Explorer\Internet Control Panel to disable each tab of the Internet Options dialog box, so that the settings are unavailable whether the dialog box is opened from the browser or from Control Panel.
The Internet Options case is a classic example of why interface-based restrictions of the sort implemented by GPOs are "surface" security restrictions rather than the "deep" restrictions provided by ACLs on the file system and Active Directory. Surface restrictions do not remove a program's functionality; they only remove the user's ability to invoke it through the usual interface. If the user is clever enough to find another route, the code still exists and still runs, and your setting is defeated. A common route around a Group Policy restriction is a script that writes the program's configuration directly, through its configuration API or its registry keys.
For this reason, you must rigorously test both the correct application of Group Policy and all the methods you can think of to circumvent a specific policy setting to be certain that your policy settings are effective. When you test Group Policy settings, try different methods to accomplish the same configuration change to make sure that the Group Policy option covers all the possibilities.
Table 1.1 lists Internet Explorer settings that are especially important to security.

Table 1.1 Internet Explorer settings that are especially important to security

| Disable these features | Search Customization settings |
| | Internet Connection Wizard |
| | Reset Web Settings feature |
| | Importing and exporting of favorites |
| Disable these capabilities | Changing Advanced page settings |
| | Changing home page settings |
| | Changing proxy settings |
| | Changing ratings settings |
| | Changing certificate settings |
| | Saving passwords through AutoComplete |
| | Changing messaging settings |
| | Changing the default browser check |
| In the Internet Control Panel, disable these pages | General page |
| | Security page |
| | Content page |
| | Connections page |
| | Programs page |
| | Advanced page |
In this practice, you configure two different Group Policies for different types of workers. You also restrict access to the MMC and prevent users from reconfiguring Internet Explorer.
Exercise 1:Configuring a Computer for Knowledge Workers
To create a Group Policy that's appropriate for knowledge workers, you enable numerous configuration settings within the \User Configuration\Administrative Templates namespace.
Perform this exercise while logged on to the domain controller as Administrator.
To create a GPO for knowledge workers
-
Open Active Directory Users And Computers.
-
Expand the domain.fabrikam.com domain and the Departments OU.
-
Right-click the Engineering OU, and choose Properties.
-
In the Engineering Properties dialog box, select the Group Policy tab, and click New.
-
Type Engineering Desktop Settings as the name for the GPO.
To remove access to configuration icons
-
On the Group Policy tab, select Engineering Desktop Settings, and click Edit.
The Group Policy editor appears, as shown in Figure 1.11.
Figure 1-11. The Group Policy editor
-
Under User Configuration in the tree in the Group Policy window, expand Administrative Templates, and then expand Windows Components.
-
Click the Control Panel node, which is directly under Administrative Templates in the GPO namespace.
-
Double-click Disable Control Panel.
-
In the Disable Control Panel Properties dialog box, select Enabled, and click OK.
-
In the tree under Administrative Templates, select Desktop.
-
Double-click Hide My Network Places Icon On Desktop.
-
In the Hide My Network Places Icon On Desktop dialog box, select Enabled, and click OK.
To restrict access to dangerous executables
-
In the tree under Administrative Templates, select System.
-
Double-click Disable Registry Editing Tools.
-
In the Disable Registry Editing Tools dialog box, select Enabled, and click OK.
-
Double-click Disable The Command Prompt.
-
In the Disable The Command Prompt dialog box, select Enabled. In the Disable The Command Prompt Script Processing Also list, leave No selected so that the batch logon script you add in Exercise 2 can still run, and then click OK.
-
In the tree, expand System, and select Logon/Logoff.
-
Double-click Disable Task Manager.
-
In the Disable Task Manager dialog box, select Enabled, and click OK.
To modify the Start menu settings
-
In the tree, select Start Menu & Taskbar.
-
Double-click Disable Programs On Settings Menu.
-
In the Disable Programs On Settings Menu dialog box, select Enabled, and click OK.
-
Double-click Disable And Remove Links To Windows Update.
-
In the Disable And Remove Links To Windows Update dialog box, select Enabled, and click OK.
-
Double-click Add Logoff To The Start Menu.
-
In the Add Logoff To The Start Menu dialog box, select Enabled, and click OK.
To restrict access to local hard disk drives
-
In the tree under Windows Components, select Windows Explorer in the GPO namespace.
-
Double-click Hide These Specified Drives In My Computer.
-
In the Hide These Specified Drives In My Computer dialog box, select Enabled, select Restrict A, B, C, and D Drives Only from the list, and click OK.
-
Double-click Prevent Access To Drives From My Computer.
-
In the Prevent Access To Drives From My Computer dialog box, select Enabled, select Restrict A, B, C, and D Drives Only from the list, and click OK.
-
Close the GPO.
Exercise 2:Using Scripts to Create a Consistent Environment
The Group Policy created in the previous exercise is not yet complete. You have hidden the local drives and blocked access to them through My Computer and the common dialog boxes to prevent a worker from accidentally storing files locally rather than on a server, but you've provided no mechanism for users to create their own drive mappings to the server, nor have you created any mappings. To complete this Group Policy, you need to create a logon script that maps a network drive to a server so that the user has a place to store documents.
First, you need to create a shared folder on the server to provide a place for user documents to be stored. You then create a logon script associated with a GPO to map a network drive. You might find that the drive letter you want to use for a persistent drive mapping is already mapped in the user's profile or by a previously applied GPO. To ensure that your mapping takes precedence over any pre-existing mapping, first delete any mapping that uses the drive letter, and then create your own.
To create a shared folder on the server
-
On the desktop, double-click My Computer.
-
In My Computer, double-click the C drive.
-
On the File menu, point to New, and choose Folder. A new folder appears in the C drive window.
-
Name the folder Company.
-
Right-click the Company folder, and click Sharing.
The Company Properties dialog box appears with the Sharing tab visible, as shown in Figure 1.12. Sharing a folder makes its contents accessible over the network.
Figure 1-12. The Company Properties dialog box
-
In the Company Properties dialog box, select Share This Folder, and click OK. The default share permission grants Everyone Full Control; in a production environment, restrict the share and NTFS permissions on this folder to the users who need it.
-
Close all the windows on the desktop.
To create the logon script
-
Open Active Directory Users And Computers.
-
In Active Directory Users And Computers management console, expand domain.fabrikam.com and the Departments OU.
-
Right-click the Engineering OU, and choose Properties.
-
On the Group Policy tab of the Engineering Properties dialog box, select the Engineering Desktop Settings GPO.
-
Click Edit.
-
In the Group Policy editor, expand the User Configuration\Windows Settings node in the GPO namespace.
-
Click Scripts (Logon/Logoff).
-
Double-click Logon.
The Logon Properties dialog box appears, as shown in Figure 1.13, allowing you to link logon scripts to a GPO.
Figure 1-13. The Logon Properties dialog box
-
Click Add. The Add A Script dialog box asks for a Script Name and optional parameters.
-
Click Browse to open a file browser.
-
Right-click in the file list window, point to New, and click Text Document.
-
Type Logon.bat to rename the New Text Document.txt file.
A dialog box asks if you really want to change the file's extension.
-
Click Yes to change the type of the file.
To edit the logon script
-
Right-click Logon.bat, and click Edit.
Microsoft Notepad launches and Logon.bat is opened for editing. The file is empty.
-
Type net use z: /delete, and press Enter to start a new line. If no Z drive is mapped when the script runs, this command reports that the network connection could not be found; the error is harmless, and the script continues with the next line.
-
Type net use z: \\dc01\Company as the second line of the batch file. Ifyour server is not named dc01, replace dc01 with the name of your server.
-
Close Notepad.
-
Click Yes to save the changes.
-
In the Browse dialog box, click Open.
-
Click OK. The text file you've just created is now associated with the GPO as a logon script.
-
Click OK, and then close the GPO.
-
Click OK to close the Engineering Properties dialog box.
-
Close the Active Directory Users And Computers management console.
Exercise 3:Configuring a Computer for Task Workers
This policy builds on the knowledge worker policy: it is applied to the same users, either as a second GPO linked to the same OU (as in this exercise) or as a GPO linked to a subordinate OU, so both sets of settings take effect. It is important to remember that the task worker policy is not complete by itself. The Run Only Allowed Windows Applications setting is enforced by Windows Explorer, so it requires the restrictions provided in the knowledge worker Group Policy, such as disabling Task Manager and the command prompt, to remain secure.
In this exercise, the task worker requires access to Microsoft WordPad, a Windows accessory that creates and manages documents. You will enable the following Group Policy settings within the \User Configuration\Administrative Templates node:
-
\Desktop\Hide all icons
-
\Start Menu & Taskbar\Disable and remove shutdown
-
\Start Menu & Taskbar\Remove Search
-
\Start Menu & Taskbar\Remove Run
-
\Start Menu & Taskbar\Remove Help
-
\Start Menu & Taskbar\Remove Favorites
-
\Start Menu & Taskbar\Remove Documents
-
\Start Menu & Taskbar\Disable changes to Taskbar and Start Menu Settings
-
\System\Run only allows Windows applications: wordpad.exe
Perform this exercise while logged on to the domain controller as Administrator.
To create a GPO for a restricted desktop appropriate for a task worker
-
Open Active Directory Users And Computers.
-
In the tree in the Active Directory Users And Computers management console, expand Departments, and select the Engineering OU.
-
Right-click the OU, and click Properties.
-
In the Engineering Properties dialog box, click the Group Policy tab.
-
Click New. A new GPO object appears in the GPO list.
-
Type Intern Restrictions as the name for the GPO.
To configure the GPO settings
-
Click Edit to open the Group Policy editor.
-
In the tree, expand the GPO's User Configuration node, and then expand the Administrative Templates node.
-
Click Desktop, which is directly under Administrative Templates in the GPO namespace.
-
Double-click Hide All Icons On Desktop.
-
In the Hide All Icons On Desktop dialog box, select Enabled, and click OK.
-
Click Start Menu & Taskbar in the GPO namespace.
-
Double-click Disable And Remove The Shut Down Command.
-
In the dialog box, select Enabled, and click OK.
-
Double-click Remove Search Menu From Start Menu.
-
In the dialog box, select Enabled, and click OK.
-
Double-click Remove Run Menu From Start Menu.
-
In the dialog box, select Enabled, and click OK.
-
Double-click Remove Help Menu From Start Menu.
-
In the dialog box, select Enabled, and click OK.
-
Double-click Remove Favorites Menu From Start Menu.
-
In the dialog box, select Enabled, and click OK.
-
Double-click Remove Documents Menu From Start Menu.
-
In the dialog box, select Enabled, and click OK.
-
Double-click Disable Changes To Taskbar And Start Menu Settings.
-
In the dialog box, select Enabled, and click OK.
To allow only specific executables to be launched
-
Click System in the GPO namespace.
-
Double-click Run Only Allowed Windows Applications to open the Properties dialog box, as shown in Figure 1.14.
Figure 1-14. The Run Only Allowed Windows Applications policy setting is very important for security
-
Select Enabled, and click Show.
-
When the Allowed Applications dialog box appears, click Add.
-
Type wordpad.exe, click OK, and then click OK again.
-
Close the Group Policy editor.
-
Click Close, and then close the Active Directory Users And Computers management console.
Exercise 4:Configuring MMC Client Security
In this exercise, you create a domain-wide MMC restriction that applies to all users in the domain, and then you create a security filter to prevent the MMC restriction from affecting domain administrators.
To prevent users from using the MMC to configure their computers
-
Open the properties of the domain.fabrikam.com domain, and on the Group Policy tab create a new GPO named MMC Restrictions.
Use the previous exercise to refresh your memory about how to do this, if necessary.
-
Click Edit to open the Group Policy editor.
-
Expand User Configuration, Administrative Templates, and Windows Components, and select Microsoft Management Console.
-
Double-click Restrict The User From Entering Author Mode.
-
In the dialog box, select Enabled, and click OK.
-
Double-click Restrict Users To The Explicitly Permitted List Of Snap-ins.
-
In the dialog box, select Enabled, and click OK.
-
Close the GPO.
-
Click Properties to open the MMC Restrictions Properties dialog box.
-
On the Security tab of the dialog box, select Domain Admins.
-
Select the Apply Group Policy check box in the Deny column, and click OK.
A Security message box asks if you want to continue.
-
Click Yes and close the domain.fabrikam.com Properties window and the Active Directory Users And Computers management console.
Exercise 5:Configuring Internet Explorer Security
In this exercise, you configure Internet Explorer to eliminate the user's ability to make changes to its configuration.
Perform this exercise while logged on to the domain controller as an Administrator.
To configure Internet Explorer settings in a GPO
-
Open the Engineering Desktop Settings GPO.
-
Expand User Configuration, Windows Settings, and Internet Explorer Maintenance.
-
Click Browser User Interface, and then double-click Browser Title.
-
In the Browser Title dialog box, select the Customize Title Bars check box.
-
In the Title Bar Text box, type Fabrikam, and click OK.
-
In the GPO tree, click URLs.
-
Double-click Important URLs.
-
In the Important URLs dialog box, select the Customize Home Page URL check box, and in the Home Page URL box, type http://www.fabrikam.com.
-
Select the Customize Search Bar URL check box, and in the Search Bar URL box, type http://www.msn.com.
-
Select the Customize Online Support Page URL check box, and in the Online Support Page URL box, type http://support.microsoft.com.
-
Click OK.
To establish Internet Explorer Zone restrictions
-
In the GPO tree, click the Security node under Internet Explorer Maintenance.
-
Double-click Security Zones And Content Ratings.
-
In the Security Zones And Content Ratings dialog box, select Import The Current Security Zones Settings. The settings imported are those of the computer on which you are running the Group Policy editor, so make sure that computer's zone settings are what you intend to deploy.
-
Click Modify Settings. The Security dialog box appears, as shown in Figure 1.15.
Figure 1-15. The Security dialog box
-
Select Internet, and click Custom Level.
The Security Settings dialog box appears, as shown in Figure 1.16. Use this dialog box to customize the various security levels.
Figure 1-16. The Internet Explorer Security Settings dialog box
-
Select High in the Reset To list, click Reset, click Yes to confirm, and click OK.
-
Click OK to close the Security Settings dialog box.
-
Click OK to close the Security Zones And Content Ratings dialog box.
To prevent users from changing Internet Explorer settings
-
In the GPO tree, expand User Configuration, Administrative Templates, and Windows Components.
-
Click Internet Explorer.
-
Double-click Disable Changing Proxy Settings.
-
In the dialog box, select Enabled, and click OK.
-
Double-click Disable Internet Connection Wizard.
-
In the dialog box, select Enabled, and click OK.
-
In the GPO tree, expand Internet Explorer, and click Internet Control Panel.
-
Double-click Disable The General Page.
-
In the dialog box, select Enabled, and click OK.
-
Double-click Disable The Security Page.
-
In the dialog box, select Enabled, and click OK.
-
Double-click Disable The Content Page.
-
In the dialog box, select Enabled, and click OK.
-
Double-click Disable The Connections Page.
-
In the dialog box, select Enabled, and click OK.
-
Double-click Disable The Programs Page.
-
In the dialog box, select Enabled, and click OK.
-
Double-click Disable The Advanced Page.
-
In the dialog box, select Enabled, and click OK.
-
Close the Group Policy configuration editor.
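Once these GPOs are linked, log on as the test user account described earlier in the lesson and confirm that the settings actually reached the client. The following Python script is an added example, not part of this training kit, that reads the registry values behind the settings enabled in Exercises 1, 3, 4 and 5 and reports which are present, missing, or set to an unexpected value. The value names and locations are assumed to match what the Windows 2000 administrative templates (system.adm and inetres.adm) write; verify them against the templates on your own domain controller before relying on the report. SAMPLE_REGISTRY is a constructed stand-in that the script falls back to when it is run somewhere other than Windows.

```python
import sys

# Subkeys under HKEY_CURRENT_USER where the administrative templates store
# the user settings enabled in the exercises. ASSUMPTION: confirm these
# names against system.adm and inetres.adm on your own domain controller.
EXPLORER = r"Software\Microsoft\Windows\CurrentVersion\Policies\Explorer"
SYSTEM = r"Software\Microsoft\Windows\CurrentVersion\Policies\System"
CMD = r"Software\Policies\Microsoft\Windows\System"
MMC = r"Software\Policies\Microsoft\MMC"
IE_CP = r"Software\Policies\Microsoft\Internet Explorer\Control Panel"

# (subkey, value name, acceptable data, setting name as shown in the editor)
EXPECTED = [
    (EXPLORER, "NoControlPanel", (1,), "Disable Control Panel"),
    (EXPLORER, "NoNetHood", (1,), "Hide My Network Places icon on desktop"),
    (SYSTEM, "DisableRegistryTools", (1,), "Disable registry editing tools"),
    # 2 = command prompt disabled but batch files still run; 1 also blocks Logon.bat
    (CMD, "DisableCMD", (2,), "Disable the command prompt"),
    (SYSTEM, "DisableTaskMgr", (1,), "Disable Task Manager"),
    (EXPLORER, "NoSetFolders", (1,), "Disable programs on Settings menu"),
    (EXPLORER, "NoWindowsUpdate", (1,), "Disable and remove links to Windows Update"),
    (EXPLORER, "NoDrives", (0x0F,), "Hide these specified drives in My Computer (A-D)"),
    (EXPLORER, "NoViewOnDrive", (0x0F,), "Prevent access to drives from My Computer (A-D)"),
    (EXPLORER, "NoDesktop", (1,), "Hide all icons on desktop"),
    (EXPLORER, "NoClose", (1,), "Disable and remove the Shut Down command"),
    (EXPLORER, "NoRun", (1,), "Remove Run menu from Start menu"),
    (EXPLORER, "RestrictRun", (1,), "Run only allowed Windows applications"),
    (MMC, "RestrictAuthorMode", (1,), "Restrict the user from entering author mode"),
    (MMC, "RestrictToPermittedSnapins", (1,), "Restrict users to the explicitly permitted list of snap-ins"),
    (IE_CP, "Proxy", (1,), "Disable changing proxy settings"),
    (IE_CP, "SecurityTab", (1,), "Disable the Security page"),
]


def registry_reader(subkey, name):
    """Reads one value under HKCU on Windows; None if the key or value is absent."""
    import winreg  # only available on Windows
    try:
        with winreg.OpenKey(winreg.HKEY_CURRENT_USER, subkey) as key:
            data, _kind = winreg.QueryValueEx(key, name)
            return data
    except OSError:
        return None


# Constructed sample of what a partially applied GPO might leave on a client:
# everything present except NoRun, and DisableCMD set to 1 (scripts blocked).
SAMPLE_REGISTRY = {(k, n): acceptable[0] for k, n, acceptable, _ in EXPECTED}
del SAMPLE_REGISTRY[(EXPLORER, "NoRun")]
SAMPLE_REGISTRY[(CMD, "DisableCMD")] = 1
SAMPLE_REGISTRY[(EXPLORER + r"\RestrictRun", "1")] = "wordpad.exe"


def sample_reader(subkey, name):
    return SAMPLE_REGISTRY.get((subkey, name))


def evaluate(reader):
    """Compares each expected value with what the reader returns.
    Returns a list of (setting, status, actual); status is OK, MISSING or WRONG."""
    findings = []
    for subkey, name, acceptable, setting in EXPECTED:
        actual = reader(subkey, name)
        if actual is None:
            status = "MISSING"
        elif actual in acceptable:
            status = "OK"
        else:
            status = "WRONG"
        findings.append((setting, status, actual))
    return findings


def allowed_applications(reader, limit=256):
    """Lists the Run Only Allowed Windows Applications entries, stored as string
    values named 1, 2, 3, ... under the RestrictRun subkey."""
    names = []
    for index in range(1, limit + 1):
        value = reader(EXPLORER + r"\RestrictRun", str(index))
        if value is None:
            break
        names.append(value)
    return names


def summarize(findings):
    counts = {"OK": 0, "MISSING": 0, "WRONG": 0}
    for _, status, _ in findings:
        counts[status] += 1
    return counts


if __name__ == "__main__":
    reader = registry_reader if sys.platform == "win32" else sample_reader
    findings = evaluate(reader)
    for setting, status, actual in findings:
        print(f"{status:8} {setting} (actual={actual!r})")
    print("allowed applications:", allowed_applications(reader))
    print(summarize(findings))
```

Run it in the test user's session. A MISSING entry usually means the GPO is not linked to the OU that contains the account, is filtered out by its security settings, or has not refreshed yet; a WRONG entry for DisableCMD with data 1 means Disable The Command Prompt also disabled script processing, which stops Logon.bat from running. This check confirms only that the policy values are present, which is the first of the two tests the lesson calls for; the second is to try, as the user, every way you can think of to get around each setting.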
The following questions are intended to reinforce key information in this lesson. If you are unable to answer a question, review the lesson and try the question again. Answers to the questions can be found in the appendix.
-
What is the most important security feature of Group Policy?
-
What is the easiest way to test how Group Policy will affect a class of users?
-
What security component is required to truly secure users and computers from potentially harmful Internet content?
-
What should users be restricted from using to prevent them from mis-configuring their computers?
-
Why would you delete drive mappings prior to establishing them in a logon script?
Lesson Summary
-
The primary purpose of Group Policy is to secure, control, and standardize the configuration of a large group of client computers and user accounts.
-
Group Policy should be tailored to classes of workers so that applications can be restricted to the narrowest possible set for any individual worker.
-
Testing the application of Group Policy using a test account is critical to understanding the ultimate effects of Group Policy in any specific instance.
-
Group Policy restrictions disable access to User Interface features; they do not necessarily restrict access by third-party programs or scripts to the features that they control.