Group Policy - 16 Mar 2000

I'm excited about all the new security features in Windows 2000 (Win2K) and the opportunity to analyze them. Starting with this column, I'll take an in-depth look at some part of Win2K security and how it helps keep your systems secure. I'll share how-to information and highlight plenty of caveats and vulnerabilities. Because most of you have a Windows NT background, I'll show you where Win2K's features match its predecessor's and where they differ.

Securing today's complicated environments can be tedious, laborious, and error-prone, so I'll also show you how to automate bothersome security tasks using Win2K tools. Finally, although Win2K has many possible techniques for every task, not every technique is secure. Thus, I'll try to illuminate what's possible, but I'll focus on best-practice. (If you are completely new to Win2K security, here are a few articles I'd recommend you read: Active Directory in Windows 2000 and Windows 2000 Security Gains. Let's start by looking at Win2K's Group Policy.

What Is Group Policy?
Group Policy makes Win2K's Active Directory (AD) useful, even if you don't need a corporate directory or public key infrastructure (PKI). NT isolated individual systems fairly well in terms of configuration. However, maintaining each system separately was laborious and error-prone, to say the least.

In Win2K newsgroups, I repeatedly see the same questions: Where do I configure a system's audit policy or assign user rights? Where did Microsoft put account policy? This confusion is understandable because NT's User Manager and Server Manager no longer exist in Win2K. But the difference isn't just interface changes; the way you configure Win2K is very different from how you configured NT.

Configuring Windows 2000
Group Policy lets you control all the security settings for each computer in your network from a central, but granular, database. This enhancement is important because administrators often leave many systems weakly configured for want of the thousands of tweaks involved in fully hardening a system. Win2K lets you collect all these scattered security tweaks together into Group Policy Objects (GPOs).

A GPO is an AD object that functions as a master recipe for configuring a system, including its security settings. GPOs link to AD container objects—organizational units (OUs), sites, and domains. Win2K applies a GPO's settings to each computer in the container. When the system boots, the OS first applies the system's local GPO, then any GPOs linked to that system's site, domain, and OUs, from highest to lowest.

The sequence is important because multiple GPOs might define different values for the same setting. The last GPO applied is the one that matters. Thus, you can specify general security settings higher in the OU hierarchy and exceptions lower. For a more extensive introduction to Group Policy, see "Introducing Group Policy."

The Hunt for Win2K Security Settings
Although Group Policy and AD are major advances for security and manageability, figuring out where Microsoft put some settings in Win2K can be a challenge. The primary tool for Win2K security administration is Active Directory Users and Computers, as Screen 1 shows. This tool is where you manage user accounts, groups, computer accounts, and GPOs within your OU hierarchy.

A Win2K domain has two pre-built GPOs: Default Domain Policy, linked to the domain and applied to all computers in the domain, and Default Domain Controller Policy, linked to the Domain Controllers folder. You can modify these GPOs or create new ones and link them to your OUs.

To manage the security configuration for all the computers in a given OU, go to the OU, open Properties, and click the Group Policy tab. Click New, and enter the name of the new GPO, as Screen 2 shows. Open the desired GPO, and go to Computer Configuration, Windows Settings, Security Settings. This section of the GPO, as Screen 3 shows, is where you configure computer security. Remember that changes made here apply to all computers in this OU and below.

The first subfolder under Security Settings is Account Policies, which covers the same password and account lockout policies that you find in NT's User Manager at Policy/Account Policy. The second subfolder, Local Policies, has three folders: Audit Policy, User Rights Assignments, and Security Options, as Screen 4 shows. Audit Policy covers the same audit category options that you find in User Manager under Policy/Audit Policy and some others (that I'll discuss in a future column). User Rights Assignments corresponds to User Manager under Policy/User Rights.

Security Options is a collection of security-related Registry values scattered throughout HKEY_LOCAL_MACHINE, most of which are also in NT. The brief description for each value might help you understand some of them, but unfortunately nothing explains exactly which Registry value corresponds to which option and what the effect is. You might look at %systemroot%\security\templates\basicsv.inf under the Registry Values heading. The Security Options displayed in Group Policy are based on template files such as basicsv.inf. These template files reveal the actual registry keys and values behind the Security Options folder in Group Policy.

The next subfolder under Security Settings is Event Log, where you can define maximum log size and retention settings for your event logs. These settings correspond to the same settings in NT's Event Viewer. The Restricted Groups subfolder controls the membership in each computer's local groups. The System Services subfolder controls each service's start-up mode; for example, all workstations in the R&D OU should have the Server service disabled. Unfortunately, you can't use Group Policy to control which user account the service runs under; instead, you must go to the MMC.

The Registry and File System subfolders under Security Settings control Registry, directory, and file permissions and audit settings. This functionality has all kinds of possibilities, including implementing standard permissions on the WINNT directory and vulnerable Registry keys for all computers in your domain. For further help in finding your way around Win2K, see "Windows 2000 Security Gains".

Central Control
As you can see, the way you configure security has changed from NT to Win2K. Instead of directly modifying a computer's settings in Win2K, you modify the appropriate GPO that links to that computer through its domain, site, or OU. Instead of managing each system individually with many scattered dialog boxes, in Win2K you define all settings from one MMC and apply those settings to many computers at once via your OU hierarchy.

Although Group Policy is a major improvement, its power can be a liability if you don't fully understand its intricacies. In my next column, I'll alert you to several important caveats in Group Policy that you need to understand to prevent some serious vulnerabilities.

Hide comments


  • Allowed HTML tags: <em> <strong> <blockquote> <br> <p>

Plain text

  • No HTML tags allowed.
  • Web page addresses and e-mail addresses turn into links automatically.
  • Lines and paragraphs break automatically.