With over 5000 settings in the newly improved and enhanced Group Policy that comes with Windows Server 2008, it might be a bit overwhelming to think about which settings are most important to you and your network. Microsoft has really gone beyond the call of duty with some settings, as they fix issues and secure computers like we have always wanted to, but never had the tools before. Implementing these security settings for your desktops will increase the overall security, by reducing the attack surface that is available. Some settings only support Windows Vista, while others are backward compatible to Windows XP SP2.
Control Local Administrators Group Membership
One of the most insecure settings that can be granted to an end user is local administrative access. By adding the user account to the local Administrators group, the user is being granted nearly ultimate control over their desktop. The user can perform almost any action, even if the network is configured to deny this access. Actions that a user can perform, due to them having local administrative access, include, but are not limited to, the following:
- Remove their computer from the domain
- Modify any Registry setting
- Modify permissions on any folder or file
- Modify any system setting, including settings that are in files in the System folder
- Install any application
- Uninstall applications, security patches, or service packs
- Access any Website allowed by firewall
- Download and install ActiveX controls, Web applications, or other malicious applications downloaded from the Internet
Although there is a need to have users running as administrator to allow certain applications to function, this type of access is very dangerous and exposes the desktop and the entire network to potential security breaches and attacks.
With Windows server 2008 Group Policy, the current user can be removed from the local Administrators group with just one simple policy. This setting controls Windows XP SP2 and greater operating systems. This setting falls under the new Group Policy Preferences settings. To access this setting, open up a Group Policy Object and expand:
User Configuration\Preferences\Control Panel
Then, right-click on Local Users and Groups. From the menu, click on New – Local Group. The following dialog box will appear, as shown in Figure 1.
Figure 1: Group Policy Preference for Local Group
To configure the policy, type in Administrators into the Group text box, then click on the “Remove the current User” check box. Upon the next Group Policy background refresh all user accounts that are under the scope of management of the GPO where this setting is configured will have their user account removed from the local Administrators group on the computer where they are logged in.
Reset Local Administrator Password
In conjunction with the first Group Policy setting, it is essential that the local Administrator password is also reset. This is due to the fact that the user had administrative privileges before removing them from the local Administrators group, therefore they could have reset the Administrator account password to something they know.
Therefore, after the user account has been removed from the local Administrators group, the local Administrator account password must be reset. If this setting can be made simultaneously with the removal of the user account, the user will have no chance to know or alter the new local Administrator password.
This setting controls Windows XP SP2 and greater operating systems. This setting falls under the new Group Policy Preferences settings. To access this setting, open up a Group Policy Object and expand:
Computer Configuration\Preferences\Control Panel
Then, right-click on Local Users and Groups. From the menu, click on New – Local User. The following dialog box will appear, as shown in Figure 2.
Figure 2: Group Policy Preference for Local User
To configure the policy, type in Administrator into the User name text box, then type the new password into the Password text box, confirming the password in Confirm Password text box. Upon the next Group Policy background refresh all computer accounts that are under the scope of management of the GPO where this setting is configured will have the local Administrator password reset.
Windows Firewall with Advanced Security
In the past users and administrators alike have stayed away fro musing the Windows Firewall, due to limited capabilities compared to other products. Now, the Windows Firewall comes with advanced security settings, which are certain to raise some eyebrows.
The new advanced security features of Windows Firewall incorporate not only inbound and outbound filtering, but include IPSec.
These settings can only control Windows Vista, which is the only desktop operating system that includes these options. This setting falls under the security area within a Group Policy. To access this setting, open up a Group Policy Object and expand:
Computer Configuration\Policies\Windows Settings\Security Settings\Windows Firewall with Advanced Security\Windows Firewall with Advanced Security
When you expand the policy, you will see three nodes:
- Inbound rules
- Outbound rules
- Connection Security Rules
If you right-click on any of the options, you can select the New Rule option, which the inbound rule is shown in Figure 3.
Figure 3: One of the many screens in the inbound rule wizard
UAC
User Account Control (UAC) provides an opportunity to help secure the computer where a user and an administrator is logged in. In my research and testing, UAC is ideal for all administrators and can be a good solution for standard users. Since UAC forces all users to be a standard user for all tasks, it helps protect against any application or virus that attempts to write to protected areas of the computer. It does this by prompting the user with a dialog box each time a protected area of the computer is accessed. This might be accessing an application, installing an application, modifying the registry, writing to a system file, etc.
This is ideal for all administrators, as they can now use a single user account for their daily tasks, both for IT and for personal use. For standard users, the only way that UAC will function well is if all applications that run on the desktop can be run without requiring administrator credentials. In this situation, the user can perform all of the functions and run all applications as a standard user. Then, if a task needs to be performed that requires administrative access, they can get help from someone on the helpdesk or an administrator.
The settings that control UAC can be found at Computer Configuration\Policies\Windows Settings\Security Settings\Local Policies\Security Options, which can all be seen in Figure 4.
Figure 4: Group Policy options to control UAC
Password Policy
Even though passwords are not all that attractive as a security setting, the ability to control passwords using Group Policy can’t be left off of the top 5 list. Windows Server 2008 still uses Group Policy to determine the initial account policy settings, which have not changed since Windows 2000. The settings are initially configured in the Default Domain Policy, but they can be made in any GPO which is linked to the domain. The only thing to keep in mind is that the GPO that contains the account policy settings must have the highest priority of all GPOs linked to the domain.
The settings that you can configure include those shown in Figure 5 and the settings shown in Table 1.
Figure 5: Password Policy settings in the Default Domain Policy
Here are some guidelines to follow for setting these policies:
|
Policy Setting |
Minimum Value |
Secure value |
|
Min Password Age |
1 |
1 |
|
Max Password Age |
180 |
45 |
|
Min Password Length |
8 |
14+ |
|
Password Complexity |
Enabled |
Enabled |
Table 1
If you want to set the new granular password policy settings, refer to the following articles on www.windowsecurity.com.
- Configuring Granular Password Settings in Windows Server 2008, Part 1
- Configuring Granular Password Settings in Windows Server 2008, Part 2
Summary
The Windows Server 2008 Group Policy options are impressive. With over 5000 settings, you will not get bored with the potential you have in controlling the computers in your environment. Of these 5000+ settings, ensuring that security is set for all computers and users is essential. If you take advantage of the settings shown in this article, you will have a more secure desktop environment and overall network.
