The following excerpt, courtesy of APress, is from Chapter 4 of the book "Active Directory Field Guide" written by Laura E. Hunter.
Using Advanced Techniques
We'll close out the chapter with a few other Group Policy tricks that should be in any administrator's arsenal. This includes the ability to centrally configure permissions for all of your client workstations, as well as how to control membership to sensitive local and domain groups.
Controlling the Registry and File System
One of the largest headaches for most network admins is the need to secure large numbers of client workstations in a quick and efficient manner. We've already seen how you can import security templates into Group Policy to deploy network-based security settings like minimum password lengths and account lockout policies, but you can also use a GPO to enforce security standards on your users' local hard drives. By browsing to Computer Configuration → Windows Settings → Security Settings within the GPMC, you can add entries to the following Group Policy nodes: System Services, Registry, and File System.
In the case of System Services, you can define how local services will behave on system startup, and which users and groups have permission to start, stop, or modify those services. If you remember the Code Red and Nimda worms, they attacked many workstations that had the IIS services installed. In many cases, the owners of these workstations didn't even know that their machines were running an instance of the IIS web server, and so were taken completely by surprise when these network attacks hit. You can use the System Services node to universally disable a service like World Wide Web Publishing, Telnet, or any other service that really shouldn't be running on a workstation. That way, even if a virus or spyware program attempts to start the service, the malicious software will be unable to do so.
The Registry and File System nodes allow you to set permissions on specific Registry keys or on NTFS file and folder paths. Simply add the full name of the Registry key or the folder path that you want to secure, and you'll see a familiar Properties sheet that will allow you to specify permissions just as though you were sitting at the console of the workstation itself. You'll also have the option to propagate the permissions to any subfolders or subkeys of the folder or key you specify.
CAUTION: Note that none of these settings will create a service, Registry key, or file system path. These GPO settings are simply used to configure security on existing workstation configurations.
Using Restricted Groups
When you're protecting your domain and local user accounts, restricting membership to sensitive groups like Domain Admins, Enterprise Admins, and the like is absolutely critical. If malicious users, either external or internal, can somehow create an account for themselves that is a member of one of these groups, then the security of your entire Active Directory infrastructure can become irrevocably compromised. The solution to this is the use of restricted groups within Group Policy. By right-clicking the Computer Configuration → Windows Settings → Security Settings → Restricted Groups node and selecting Add Group, you can specify the following information:
Which users or groups should belong to the restricted group, and
Which users or groups should not belong to the group
Let's say you've restricted the Domain Admins group so that it can only contain the user accounts for yourself and two of your staff members. If you accidentally add an account to (or delete one from) the Domain Admins membership, the Restricted Groups policy will re-create the membership list the next time that the policy is applied: every 90 minutes by default. You can also use this setting to restrict local group memberships on member servers and workstations.
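As an added example (not from the book), the PowerShell below compares live state with the baseline that the System Services and Restricted Groups settings described above are meant to enforce, which is useful for spotting changes in the window between policy refreshes. The account names are constructed placeholders, and the live query assumes the RSAT ActiveDirectory module; without it the script falls back to a constructed membership list.

```powershell
# Added example: compare live state with the baseline the GPO should enforce.
# All account names below are constructed placeholders.
$DomainAdminsBaseline = 'admin.one', 'admin.two', 'admin.three'
$ServicesToDisable    = 'W3SVC', 'TlntSvr'   # World Wide Web Publishing, Telnet

function Compare-GroupMembership {
    param(
        [string[]]$Expected,
        [string[]]$Actual
    )
    # -notin is case-insensitive, so 'Admin.One' and 'admin.one' match.
    [pscustomobject]@{
        Unexpected = @($Actual   | Where-Object { $_ -notin $Expected })
        Missing    = @($Expected | Where-Object { $_ -notin $Actual })
    }
}

function Get-ServiceDrift {
    param([string[]]$Name)
    foreach ($n in $Name) {
        # A service that is not installed returns nothing and is skipped.
        $svc = Get-CimInstance -ClassName Win32_Service -Filter "Name='$n'"
        if ($svc -and $svc.StartMode -ne 'Disabled') {
            [pscustomobject]@{ Service = $n; StartMode = $svc.StartMode; State = $svc.State }
        }
    }
}

if (Get-Command Get-ADGroupMember -ErrorAction SilentlyContinue) {
    # Live query of direct members; requires the RSAT ActiveDirectory module.
    $actual = @(Get-ADGroupMember -Identity 'Domain Admins' | ForEach-Object SamAccountName)
} else {
    # Constructed sample: one unexpected account, one baseline account missing.
    $actual = 'admin.one', 'admin.two', 'helpdesk.temp'
}

$drift = Compare-GroupMembership -Expected $DomainAdminsBaseline -Actual $actual
if ($drift.Unexpected -or $drift.Missing) {
    Write-Warning ("Domain Admins drift. Unexpected: {0}; Missing: {1}" -f
        ($drift.Unexpected -join ', '), ($drift.Missing -join ', '))
}

# Lists any service from the baseline that is installed but not disabled.
Get-ServiceDrift -Name $ServicesToDisable | Format-Table -AutoSize
```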
This was first published in October 2005