Top Five Security-Related Group Policy Settings

**Security Tip of the Month – November 2009**

By Jeremy Moskowitz, Microsoft MVP – Group Policy

-------------------------------------------------------------------------------------------------------------------------------------------

In the October edition of TechNet magazine, I answered the question, “What’s New in Group Policy for Windows 7 and Windows Server 2008 R2.” Besides “what’s new,” people oftentimes want to know how to get “more secure” using the Group Policy infrastructure that they already use. Let’s take a look at five policy setting areas and learn how they can deliver settings you might use to help make your world more secure.

 

#5: Control UAC with More Control

User Account Control (UAC) is a security mechanism that prompts users for credentials when they try to launch parts of the operating system that are restricted to administrators. The default behavior is to prompt users for administrator credentials. In practice, users typically aren’t given these administrator credentials, so why bother giving them the ability to enter credentials at all? My suggestion is to tweak the UAC setting located at Computer Configuration | Security Settings | Security Options | User Account Control: Behavior of the elevation prompt for standard users. Set it to “Automatically deny elevation requests.” Then, when users try to touch admin-only parts of the operating system, they get an immediate Access Denied instead of being prompted. That’s one less thing for users to see and get frustrated with (since they shouldn’t be there in the first place).

Figure 1. Group Policy Management Editor
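
To confirm that the setting actually landed on a target machine, you can read the registry value that backs it. The following is an added example, not code from the original article; the function name `Get-UacStandardUserPolicy` is hypothetical, and the script assumes it runs locally on the machine being checked.

```powershell
# Added example (not from the article): report how this machine answers
# elevation requests from standard users, and whether it matches tip #5.
$UacKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'

# Values of ConsentPromptBehaviorUser, the registry value behind
# "User Account Control: Behavior of the elevation prompt for standard users".
$PromptBehavior = @{
    0 = 'Automatically deny elevation requests'
    1 = 'Prompt for credentials on the secure desktop'
    3 = 'Prompt for credentials'
}

# Hypothetical helper name; returns one object describing the local machine.
function Get-UacStandardUserPolicy {
    param([string]$Path = $UacKey)

    $props = Get-ItemProperty -Path $Path -ErrorAction Stop
    $raw   = $props.ConsentPromptBehaviorUser   # $null when the value is absent
    $lua   = $props.EnableLUA                   # 0 means UAC itself is off

    if ($null -eq $raw) {
        $meaning = 'Not configured in the registry'
    } elseif ($PromptBehavior.ContainsKey([int]$raw)) {
        $meaning = $PromptBehavior[[int]$raw]
    } else {
        $meaning = "Unrecognized value $raw"
    }

    New-Object PSObject -Property @{
        Computer   = $env:COMPUTERNAME
        UacEnabled = ($lua -eq 1)
        RawValue   = $raw
        Behavior   = $meaning
        # Matches the article's suggestion only when UAC is on and the value is 0.
        AutoDeny   = (($lua -eq 1) -and ($null -ne $raw) -and ($raw -eq 0))
    }
}

Get-UacStandardUserPolicy |
    Select-Object Computer, UacEnabled, RawValue, Behavior, AutoDeny |
    Format-List
```

Run `gpupdate /force` first if the GPO was linked only moments ago, so the check reflects the new policy rather than the previous one.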

 

#4: Advanced Audit Policy Configuration

Windows Vista introduced some extra auditing capabilities. However, there was no “Group Policy way” to enable them; you used a command-line tool called Auditpol.exe. That tool, while still available in Windows 7, isn’t my preferred way to turn on these enhanced auditing features. Head down to Computer Configuration | Policies | Windows Settings | Security Settings | Advanced Audit Policy Configuration and see what’s new for auditing.

Figure 2. Advanced Audit Policy Configuration

With Windows 7 as target machines, you can now use Group Policy to set up precisely which machines get what advanced auditing.

Extra Tip: Click on the node named “Audit Policies” itself to get links to some “how-to” steps for this special section. Additionally, to see what can be audited and the results of auditing, check out this Microsoft article.
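
Auditpol.exe remains useful for verification: once the GPO has applied, its report output shows what a machine is really auditing. The following added example (not from the original article) compares that output with a baseline. The baseline, the sample CSV rows, and the function name `Compare-AuditPolicy` are constructed for illustration.

```powershell
# Added example (not from the article): detect drift between the effective
# advanced audit policy and a baseline you expect the GPO to deliver.

# Constructed baseline for illustration; substitute your own requirements.
$Baseline = @{
    'Logon'                     = 'Success and Failure'
    'Process Creation'          = 'Success'
    'Security Group Management' = 'Success'
}

# Constructed sample in the format of: auditpol.exe /get /category:* /r
# (machine name and GUIDs are placeholders, not real values).
$SampleCsv = @'
Machine Name,Policy Target,Subcategory,Subcategory GUID,Inclusion Setting,Exclusion Setting

WS01,System,Logon,{00000000-0000-0000-0000-000000000001},Success,
WS01,System,Process Creation,{00000000-0000-0000-0000-000000000002},No Auditing,
WS01,System,Security Group Management,{00000000-0000-0000-0000-000000000003},Success,
'@

# Hypothetical helper: one result object per baseline subcategory.
function Compare-AuditPolicy {
    param([string[]]$CsvLines, [hashtable]$Expected)

    # Drop blank lines before parsing the CSV report.
    $rows = $CsvLines | Where-Object { $_ -and $_.Trim() } | ConvertFrom-Csv

    foreach ($name in $Expected.Keys) {
        $row    = $rows | Where-Object { $_.Subcategory -eq $name } | Select-Object -First 1
        $actual = if ($row) { $row.'Inclusion Setting' } else { 'Missing' }
        New-Object PSObject -Property @{
            Subcategory = $name
            Expected    = $Expected[$name]
            Actual      = $actual
            # Exact match only, so over-auditing is reported as drift too.
            Compliant   = ($actual -eq $Expected[$name])
        }
    }
}

# On a live machine (elevated prompt): $lines = auditpol.exe /get /category:* /r
$lines = $SampleCsv -split "`r?`n"
Compare-AuditPolicy -CsvLines $lines -Expected $Baseline |
    Select-Object Subcategory, Expected, Actual, Compliant |
    Format-Table -AutoSize
```

Subcategory names and setting strings in auditpol output are localized, so the baseline keys must match the display language of the machine being checked.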

 

#3: AppLocker

AppLocker’s job is to ensure that you’re running only the software you do want to run, and not running software you don’t want to run. AppLocker is valid for Windows 7 and Windows Server 2008 R2 target systems. My buddy Greg Shields has a great article on AppLocker in the October 2009 TechNet magazine.

Then, start getting more secure. Find out if AppLocker is right for you. Check it out at Computer Configuration | Policies | Windows Settings | Security Settings | Application Control Policies | AppLocker.

Figure 3. AppLocker Policy Wizard

 

#2: Hardware Restriction

What’s that? You don’t yet know how to prevent USB memory devices from getting on your network? Start out your journey by watching this video from one of my training classes, then head down to Computer Configuration | Policies | Administrative Templates | System | Device Installation | Device Installation Restrictions and give it a shot yourself!

Figure 4. Device Installation Restrictions

 

#1: Windows Firewall with Advanced Security

Windows Server 2008 and Windows Server 2008 R2 ship with the firewall turned on. That’s a good idea, but sometimes it can be a bear to know which ports to open based on what the server is actually doing for you. With the Windows Firewall with Advanced Security section of the Group Policy editor, you’re in charge. It’s located at Computer Configuration | Policies | Windows Settings | Windows Firewall with Advanced Security.

Figure 5. New Inbound Rule Wizard

My favorite part is the “Predefined” rules. Just click a dropdown, select the job role the server is performing, and you remain secure, opening only the ports needed to perform the task you’ve chosen.

 

Conclusion

There’s so much to love with regard to Group Policy and security; it was tough to limit this article to just five things. Make contact with me on the community forums of GPanswers.com to let me know your favorite security-related Group Policy ideas!

-------------------------------------------------------------------------------------------------------------------------------------------

Jeremy Moskowitz runs GPanswers.com, a community forum for Group Policy enthusiasts. Jeremy is one of ten Group Policy MVPs and teaches hands-on training to administrators who want to make their world more secure using Group Policy. Learn more about GPanswers and getting training at www.GPanswers.com/training. He has also founded PolicyPak Software, an innovative add-on for Group Policy which increases the security of your applications. Learn more at www.PolicyPak.com and download the free Community Edition. Follow Jeremy on Twitter @jeremymoskowitz.