Group Policies: Understanding the Tool
The world we live in today is all about security. As system admins we have to protect our users' information at all costs. Sometimes we have to protect the computer from the users. Security has to go both ways. If you've tried to lock down an image, you know that it's not a task for the weary. There are thousands (or it seems to be that way) of settings hidden throughout Windows.
During the image creation process, do you get tired of scouring through Windows settings to make your image more secure? Or, have you deployed an image that needs more security in it? The answers to these burning questions are below.
Group Policy Editor (GPE)
The answer to securing your Windows image is the use of the Group Policy Editor (GPE). The GPE is like a one-stop-shop for setting a myriad of settings.
Here are some useful links (to answer all of your GPE questions):
- How To Use the Group Policy Editor to Manage Local Computer Policy in Windows XP
- Group Policy Editor
- Group Policy Collection
- How to use the Group Policy Editor to change default systems settings
- GPEDIT - Group Policy Editor
To get access to the GPE, go to Start >> Run, and type in "GPEDIT.MSC" (without the quotes). The following screen will open:
When you open the GPE for the first time, the following folder will appear in C:\Windows\System32\:
As you can see, after running GPEDIT.MSC, a "Group Policy" folder is created. It is a hidden folder. The files in this folder are what set the Group Policy of the machine. If the Group Policy folder and the files inside it don't exist, you have no Group Policies.
If we double click on the Group Policy folder, the following will appear:
You can see that there are folders corresponding to the categories found in the GPE (with the exception of the "Adm" folder - this folder contains system settings).
Setting Group Policies
Most of the Group Policies that I set can be found in User Configuration >> Administrative Templates (see picture below):
There are loads of different settings found in the Administrative Templates. Here are a few examples of what types of settings are found in the GPE, how to enable the settings, and how to find out more information on them:
Internet Explorer
Why would you want to set Internet Explorer policies? There are some things that you don't want the user messing with. If the image is intended for a public computer, you don't want the user to change the bookmarks, change the default proxy settings, or bypass the security settings.
To edit Internet Explorer Group Policies, navigate to the following location:
GPE >> User Configuration >> Administrative Templates >> Windows Components >> Internet Explorer
Here is one example:
Turn off the auto-complete feature...
If you double click on "Turn off the auto-complete feature for web addresses" you will see the following window:
If you need to find out more information on the policy, click on the Explain tab. There is an example below:
The Explain tab is very important when it comes to trying to figure out what the policy will do. Some of the language found in the GPE is very confusing. If you run into something that you don't understand, it is a really good thing to look at the help.
So, according to the Explain tab:
If you enable this policy setting, user will not be suggested matches when entering Web addresses. The user cannot change the auto-complete for web-address setting.
If you disable this policy setting, user will be suggested matches when entering Web addresses. The user cannot change the auto-complete for web-address setting.
Windows Explorer
There are some surprising policies that you can set that deal with Windows Explorer. This is one of the most components of the computer. Windows Explorer gives us file access control, file organization, and much more.
To edit Windows Explorer Group Policies, navigate to the following location:
GPE >> User Configuration >> Administrative Templates >> Windows Components >> Windows Explorer
Here is one example:
Hide these specified drives in My Computer
According to the Explain tab, enabling this policy:
Removes the icons representing selected hard drives from My Computer and Windows Explorer. Also, the drive letters representing the selected drives do not appear in the standard Open dialog box.
This is a pretty handy policy. As you can see below, once you enable the policy, it gives you several drive restriction options:
Microsoft Management Console (MMC)
If you right click on My Computer and navigate down to Manage, you will open the Microsoft Management Console. You are able to do tons of things from within this menu. Locking down this tool is vital to securing your image.
To edit the Microsoft Management Console Group Policies, navigate to the following location:
GPE >> User Configuration >> Administrative Templates >> Windows Components >> Microsoft Management Console
Here is an example:
Restrict users to the explicitly permitted list of snap-ins
The first thing that we need to do is enable "Restrict users to the explicitly permitted list of snap-ins." To do that, double click on "Restrict users to the explicitly permitted list of snap-ins," and select the "Enabled" radio button.
Now we need to navigate to GPE >> User Configuration >> Administrative Templates >> Windows Components >> Microsoft Management Console >> Restricted/Permitted snap-ins
Now that we are here, you can disable over 30 different options that appear in the MMC. The following snippet from the "Explain" tab will help you understand what you are doing here.
If you enable this setting, the snap-in is permitted. If you disable the setting, the snap-in is prohibited.
If you want the item to show up in the MMC, enable the item. If you don't want it to show up, disable it. This is one of the more important areas when securing your system. If a malicious user realizes they have free rein inside the MMC, they will take advantage of your mistakes. Take some time in this area of the Group Policies, and make sure you set things up the way you want. It will save you some headaches in the future.
Start Menu
The Start Menu is the user's door to using Windows. Most of the Start Menu policies deal with what you want on the Start Menu and how the user interacts with it.
To edit Start Menu Group Policies, navigate to the following location:
GPE >> User Configuration >> Administrative Templates >> Start Menu
This section is pretty self-explanatory. Remember how I mentioned earlier that some of the language in the GPE is confusing? Here is a really good example.
One of the options is: "Remove My Documents from Start Menu." If you double click on this option, it gives you three options: Not Configured, Enabled, or Disabled. If you don't want My Documents shown on the Start Menu, you need to enable this option. What does Disabled do? Well, it leaves it alone, which is the same thing that Not Configured does. It is pretty confusing.
If you have several users that are built into your image, using the GPE can save you tons of time. If you want all of their settings to be the same, all you have to do is enable or disable the right settings. If you don't use the GPE, you have to log into each account and configure them separately. The GPE is a very good way to make everything in your image consistent (and it saves you some time).
Control Panel
The Control Panel is the hub to configuring the computer. Most users do not need access to the Control Panel.
To edit Control Panel Group Policies, navigate to the following location:
GPE >> User Configuration >> Administrative Templates >> Control Panel
Dig through these settings. The easy way to restrict access to the Control Panel would be to enable "Prohibit access to the Control Panel." One thing to keep in mind is that "Accessibility Options" are found there. If you remove access to the Control Panel, you will remove access to "Accessibility Options."
With every option, you need to take a step back and consider who will be using your computer.
One policy that I would enable is "Force classic Control Panel." If you are going to leave access to the Control Panel, I think that the "classic" view is much more useful.
There Are Many More
If you are interested in using Group Policies on your image, make sure you spend some time digging around in the GPE. There are tons of settings. Some of them will make sense for your environment, and some won't. It seems to me that every time I open the GPE, I find more settings that I could use to help secure and configure my image.
The great thing about these settings is that they greatly reduce the number of settings you have to go and configure for your computer. This makes things really easy. Your other options are not as easy as this one-stop-goodness. The only alternative that I found was to find registry keys on the internet. After I found the keys that I thought I needed, I would go and change/add the key. That was very confusing, cumbersome, and time consuming. This is a much cleaner solution.
I would suggest using a test computer. You know, just in case...
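The settings covered above end up as registry values under the current user's policy keys, so a deployed image can be checked from a script instead of by clicking through the GPE. The following PowerShell is an added example, not part of the original article; the registry value names are the ones written by the stock Administrative Templates, and it assumes PowerShell is installed on the machine being checked.

```powershell
# Added example: report the per-user policy values behind the settings
# discussed above. Run it as the account you want to check (values are in HKCU).
$explorer = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer'
$mmc      = 'HKCU:\Software\Policies\Microsoft\MMC'

# GPE display name -> registry value written when the policy is Enabled
$checks = @(
    @{ Name = 'Prohibit access to the Control Panel'; Path = $explorer; Value = 'NoControlPanel' },
    @{ Name = 'Force classic Control Panel';          Path = $explorer; Value = 'ForceClassicControlPanel' },
    @{ Name = 'Remove My Documents from Start Menu';  Path = $explorer; Value = 'NoSMMyDocs' },
    @{ Name = 'Restrict users to the explicitly permitted list of snap-ins'; Path = $mmc; Value = 'RestrictToPermittedSnapins' }
)

function Get-PolicyValue([string]$Path, [string]$Value) {
    # $null means the key or value is absent, so the policy is not in force.
    $item = Get-ItemProperty -Path $Path -Name $Value -ErrorAction SilentlyContinue
    if ($null -eq $item) { return $null }
    return $item.$Value
}

function ConvertFrom-NoDrives([long]$Mask) {
    # NoDrives is a bitmask: bit 0 = A:, bit 1 = B:, ... bit 25 = Z:
    $letters = @()
    for ($i = 0; $i -lt 26; $i++) {
        if ($Mask -band [long][math]::Pow(2, $i)) { $letters += "$([char](65 + $i)):" }
    }
    return $letters
}

foreach ($c in $checks) {
    $v = Get-PolicyValue $c.Path $c.Value
    if ($null -eq $v) {
        $state = 'not set (Not Configured or Disabled)'
    } elseif ($v -eq 1) {
        $state = 'Enabled'
    } else {
        $state = "set to $v"
    }
    '{0,-62} {1}' -f $c.Name, $state
}

# "Hide these specified drives in My Computer" stores its choice in NoDrives.
$noDrives = Get-PolicyValue $explorer 'NoDrives'
if ($null -eq $noDrives -or $noDrives -eq 0) {
    'Hide these specified drives in My Computer: no drives hidden'
} else {
    'Hide these specified drives in My Computer: hiding ' + ((ConvertFrom-NoDrives $noDrives) -join ' ')
}
```

Running it once per built-in account on the test computer gives a quick record of which restrictions actually landed in each profile before the image is captured.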
Conclusion
The Group Policy Editor is a great tool to help system admins customize and secure an image before deployment. Using the Group Policy Editor, you can secure your system. It also allows you to configure all of the accounts in the image. In short, the Group Policy Editor will give you the power to make a better image faster.
There is one very important thing to remember. Group Policies are applied to every account, including the Administrator account. In my next article: Group Policies: SVS, I will talk about how to have custom policies for each account.







