Managing Security Through Group Policy and Security Templates
Group Policy is a feature of Microsoft Windows XP Professional and Microsoft Windows 2000 that lets an administrator configure a computer and, optionally, prevent users from changing that configuration. Administrators can use Group Policy to set standard desktop configurations; restrict what settings users are allowed to change; specify scripts to run at startup, shutdown, logon, and logoff; redirect users' special folders (such as My Documents) to network drives; and more. In addition—and more pertinent to the topic of this book—administrators can use Group Policy to control a number of security settings.
NOTE
--------------------------------------------------------------------------------
To manage Group Policy in Windows XP Professional or Windows 2000, you must be logged on as a member of the Administrators group. Group Policy is not available in Windows XP Home Edition.
The ideal environment for using Group Policy is a Microsoft Windows .NET Server or Microsoft Windows 2000 Server domain, in which administrators can centrally configure computers throughout sites, domains, or organizational units. In a domain environment, administrators can specify unique policies for different computers, users, or security groups. Managing Group Policy in an Active Directory domain environment is well documented in a number of books about administering Windows servers; two good examples are Microsoft Windows 2000 Server Administrator's Companion by Charlie Russel and Sharon Crawford (Microsoft Press, 2000) and Microsoft Windows 2000 Server Resource Kit (Microsoft, 2000).
In this book, however, we focus on using Group Policy to make settings on a computer running Windows XP Professional or Windows 2000 in a workgroup environment. We further narrow our focus by concentrating on security-related policy settings. Our earlier book, Microsoft Windows XP Inside Out (Microsoft Press, 2001), provides more general information about using Group Policy in a workgroup environment.
In this chapter, we first examine the security settings you can make through Group Policy and explain how to apply these settings using Microsoft Management Console (MMC) snap-ins. In a workgroup, you must make Group Policy settings on each computer where you want such restrictions imposed; you can't apply Group Policy settings to all computers, users, or groups on the network in a single operation, as you can in a domain. However, by using security templates—another subject covered in this chapter—you can store all your security-related settings in a file that you can then use to apply the settings on each computer. The final topic of this chapter is Security Configuration And Analysis, an MMC snap-in that allows you to compare your current security settings with those of a security template and apply the template settings if you choose.
Security Checklist: Group Policy and Security Templates
--------------------------------------------------------------------------------
Although the default configuration for Windows is reasonably secure for most situations, you should consider taking the following steps to tighten your computer's security:
Learn about the available security-related policies.
Use Group Policy to apply settings in the Administrative Templates folders.
For a one-time configuration of a single computer, use Local Security Settings (or Group Policy) to apply security settings.
Consider making different security settings for different groups of users. (Using a workaround described in this chapter, you can do that even on computers that are not part of an Active Directory domain.)
Modify or create a security template to incorporate the security settings you want to apply to multiple computers (or multiple times to a single computer).
Perform a security analysis to see how your current security settings compare with those in your security template.
Apply the settings from your security template.
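To illustrate the analysis step in the checklist above, here is an added example (not from the book) that sketches the kind of comparison described: it reads a security template and a file holding the current settings, both in the .inf text format that security templates use, and reports each template setting as a match, a mismatch, or not defined. Both files are constructed samples, and the function names load_inf and analyze are hypothetical.

```python
import configparser

# Constructed sample: a security template with the settings you want.
TEMPLATE_INF = """\
[Version]
signature="$CHICAGO$"
Revision=1
[System Access]
MinimumPasswordLength = 8
PasswordComplexity = 1
LockoutBadCount = 5
[Event Audit]
AuditLogonEvents = 3
"""

# Constructed sample: the computer's current settings, same format.
CURRENT_INF = """\
[Version]
signature="$CHICAGO$"
Revision=1
[System Access]
MinimumPasswordLength = 0
PasswordComplexity = 1
[Event Audit]
AuditLogonEvents = 0
"""

def load_inf(text):
    """Parse template text into {section: {setting: value}}, skipping file metadata."""
    parser = configparser.ConfigParser(interpolation=None, delimiters=("=",),
                                       comment_prefixes=(";",), strict=False)
    parser.optionxform = str  # keep setting names exactly as written
    parser.read_string(text)
    return {s: dict(parser[s]) for s in parser.sections() if s not in ("Unicode", "Version")}

def analyze(template, current):
    """Return (section, setting, wanted, found, status) for every template setting."""
    results = []
    for section, settings in template.items():
        for name, wanted in settings.items():
            found = current.get(section, {}).get(name)
            status = "not defined" if found is None else ("match" if found == wanted else "mismatch")
            results.append((section, name, wanted, found, status))
    return results

if __name__ == "__main__":
    for row in analyze(load_inf(TEMPLATE_INF), load_inf(CURRENT_INF)):
        print("%-14s %-22s wanted=%-3s found=%-5s %s" % row)
```

Settings that appear only in the current-settings file are ignored, because the comparison is driven by what the template defines.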