book

Microsoft® Windows® Group Policy Guide

by The Microsoft Group Policy Team, Darren Mar-Elia, Derek Melber, William R. Stanek

June 2005

Intermediate to advanced

800 pages

24h 32m

English

Microsoft Press

Read now

Unlock full access

What It DoesHow It Works
Using Group Policy in Workgroups and DomainsWorking with Group Policy Objects
Understanding Group Policy Settings and OptionsUsing Group Policy for Administration
DNS and Active DirectoryApplying Active Directory Structure to Inheritance
Understanding GPO LinksWorking with Linked GPOs and Default PolicyWorking with the Default Domain Policy GPOWorking with the Default Domain Controllers Policy GPO
Connecting to and Working with GPOsApplying Group Policy and Using Resultant Set of PolicyRSoP Walkthrough
Managing Local Group PolicyAccessing Local Group Policy on the Local ComputerAccessing Local Group Policy on a Remote MachineManaging Active Directory–Based Group PolicyInstalling the GPMCUsing the GPMCConnecting to Additional ForestsShowing Sites in Connected ForestsAccessing Additional DomainsSetting Domain Controller Focus Options
Creating and Linking GPOs for SitesCreating and Linking GPOs for DomainsCreating and Then Linking a GPO for a DomainCreating and Linking a Domain GPO as a Single OperationCreating and Linking GPOs for OUsCreating OUs in the GPMCCreating and Then Linking a GPO for an OUCreating and Linking an OU GPO as a Single Operation
Determining and Assigning GPO Creation RightsDetermining Group Policy Management PrivilegesDelegating Control for Working with GPOsDelegating Authority for Managing Links and RSoP
Removing a Link to a GPODeleting a GPO Permanently
Filtering Policy SettingsFiltering Techniques for Policy SettingsFiltering Policy Settings by Operating System and Application ConfigurationSearching Policy Objects, Links, and SettingsSearch Techniques for Policy Objects, Links, and SettingsBeginning Your Policy Object, Link, or Setting SearchFiltering by Security Group, User, or Computer
Changing Link Order and PrecedenceOverriding InheritanceBlocking InheritanceEnforcing Inheritance
Changing the Refresh IntervalEnabling or Disabling GPO ProcessingChanging Policy Processing PreferencesConfiguring Slow Link DetectionSlow Link DetectionConfiguring Slow Link Detection and Slow Link Policy ProcessingConfiguring Slow Link and Background Policy ProcessingRefreshing Group Policy Manually
Modeling Group Policy for Planning PurposesCopying and Importing Policy ObjectsCopying Policy Objects and Their SettingsImporting Policy Objects and Their SettingsBacking Up GPOsRestoring Policy Objects
Active Directory Design ConsiderationsActive Directory Database Storage LocationActive Directory Operating System File Storage LocationReplicationOrganizational Unit DesignSite DesignPhysical Design ConsiderationsRemote Access Connection Design ConsiderationsGPO Application Design ConsiderationsSite, Domain, and OU LinkingGPOs Have Two Distinct SectionsInteraction of GPO Application When Linked to Sites, Domains, and OUsCross-Domain GPO LinkingSynchronous and Asynchronous ProcessingFast Logon OptimizationGPO Inheritance ModificationAdditional GPO Design ConsiderationsMonolithic vs. FunctionalAdditional GPO Settings
Common Performance IssuesPerformance TipsReduce the Number of Group Policy ObjectsLink GPOs to Organizational UnitsDisable Unused Sections of GPOsOptimize the Background Refresh IntervalConfigure a Reasonable Timeout for ScriptsConfigure Asynchronous ProcessingLimit Use of LoopbackFilter GPOs Based on Group Membership
Choosing the Best Level to Link GPOsGPOs Linked to SitesGPOs Linked to DomainsGPOs Linked to OUsResources Used by GPOsSoftware InstallationDesigning GPOs Based on GPO CategoriesLimit Enforced and Block Policy Inheritance OptionsWhen to Use Security FilteringWhen to Use WMI FiltersNetwork Topology ConsiderationsLimiting Administrative PrivilegesNaming GPOs
Migrating GPOs from Test to ProductionMigrating GPOs from Production to ProductionUsing Migration TablesDomain-Specific GPO SettingsMigration Table StructureSource TypeSource NameDestination Name
Default Security TemplatesCompatws.infDC security.infIesacls.infSecuredc.infSecurews.infHisecdc.infHisecws.infNotssid.infRootsec.infSetup Security.infSections of the Security TemplateAccount PoliciesLocal PoliciesEvent LogRestricted GroupsSystem ServicesRegistryFile SystemTools for Accessing, Creating, and Modifying Security TemplatesSecurity Templates Snap-inSecurity Configuration and Analysis Snap-inSecurity Configuration WizardUsing the Security Configuration WizardAccessing the Security Configuration WizardSections of the Security Configuration WizardRole-Based Service ConfigurationNetwork SecurityRegistry SettingsAudit PolicyIncorporating Security Templates into Security PoliciesBest Practices for Using the Security Configuration Wizard
Importing Security Templates Into GPOsUsing the Security Configuration and Analysis ToolUsing the Secedit.exe Command-Line ToolUsing the Security Configuration Wizard and the scwcmd Command
Closing Unnecessary PortsDisabling Unnecessary ServicesTools Used in Hardening ComputersNetstatPortqry
Member ServersOU Design ConsiderationsMember Server Security Environment LevelsSecurity Settings for Member ServersPorts Required for Member ServersDomain ControllersDomain Controller Security Environment LevelsSecurity Settings for Domain ControllersPorts Required for Domain ControllersFile and Print ServersWeb ServersSecurity Settings for Web ServersPorts Required for Web Servers
Ports Required for ClientsRestricted Groups for ClientsClient Computers for IT Staff and AdministratorsSecurity Settings for IT Staff and AdministratorsLocal Services and SoftwareLocal Group ConfigurationClient Computers for Help Desk StaffSecurity Settings for Help Desk StaffLocal Group Configuration
Security Areas and Potential ProblemsToolsSeceditSecurity Configuration and AnalysisGpresultResultant Set of Policy
Optimizing Application Compatibility Through Group PolicyConfiguring Additional Application Compatibility Settings
Working with Attachment ManagerConfiguring Risk Levels and Trust Logic in Group Policy
Using Event Viewer Information RequestsCustomizing Event Details Through Group Policy
Blocking Author Mode for MMCDesignating Prohibited and Permitted Snap-insRequiring Explicit Permission for All Snap-Ins
Configuring NetMeeting Through Group Policy
Hiding Drives in Windows Explorer and Related ViewsPreventing Access to Drives in Windows Explorer and Related ViewsRemoving CD-Burning and DVD-Burning Features in Windows Explorer and Related ViewsRemoving the Security Tab in Windows Explorer and Related ViewsLimiting the Maximum Size of the Recycle Bin
Controlling System Restore Checkpoints for Program InstallationsConfiguring Baseline File Cache UsageControlling Rollback File CreationElevating User Privileges for InstallationControlling Per-User Installation and Program OperationPreventing Installation from Floppy Disk, CD, DVD, and Other Removable MediaConfiguring Windows Installer Logging
Enabling and Configuring Automatic UpdatesControlling Auto Download and Notify for InstallSetting the Automatic Updates Detection FrequencyOptimizing Notify User InstallsOptimizing Scheduled InstallsBlocking Access to Automatic UpdatesDesignating an Update Server
Configuring the Network Share for Roaming ProfilesConfiguring User Accounts to Use Roaming Profiles
Modifying the Way Local and Roaming Profiles Are UsedOnly Allow Local User ProfilesDelete Cached Copies of Roaming ProfilesDo Not Detect Slow Network ConnectionLog Users Off When Roaming Profile FailsPrompt User When Slow Link Is DetectedSlow Network Connection Timeout for User ProfilesTimeout for Dialog BoxesWait for Remote User ProfileModifying the Way Profile Data Is Updated and ChangedModifying the Way Profile Data Can Be AccessedLimiting Profile Size and Included FoldersLimiting Profile SizeLimiting Folders Included in Profiles
Understanding Folder RedirectionConfiguring Folder RedirectionUsing Basic Folder RedirectionUsing Advanced Folder RedirectionConfiguring Setup, Removal, and Preference Settings for Redirection
Working with Computer and User ScriptsConfiguring Computer Startup and Shutdown ScriptsConfiguring User Logon and Logoff ScriptsControlling Script VisibilityControlling Script TimeoutControlling Script Execution and Run Technique
Customizing the Title Bar TextCustomizing LogosCustomizing Buttons and Toolbars
Customizing Home, Search, and Support URLsCustomizing Favorites and LinksCreating Individual Favorites and LinksImporting Favorites and Links Lists
Deploying Connection Settings Through Group PolicyDeploying Proxy Settings Through Group Policy
Working with Security Zones and SettingsRestricting Security Zone ConfigurationDeploying Security Zone ConfigurationsConfiguring the Internet Security ZoneConfiguring the Local Intranet ZoneConfiguring the Trusted Sites Security ZoneConfiguring the Restricted Sites Security ZoneImporting and Deploying the Security Zone Settings
How Software Installation WorksWhat You Need to Know to PrepareHow to Set Up the Installation LocationWhat Limitations Apply
Creating Software Deployment GPOsConfiguring the Software Deployment
Deploying Software with Windows Installer PackagesGetting the Necessary Windows Installer FileDeploying the Software Using a Windows Installer FileDeploying Software with Non–Windows Installer PackagesCreating the ZAP FileDeploying the Software Using a ZAP File
Viewing and Setting General Deployment PropertiesChanging the Deployment Type and Installation OptionsDefining Application CategoriesAdding, Modifying, and Removing Application CategoriesAdding an Application to a CategoryPerforming UpgradesPatching or Installing an Application Service PackDeploying a New Version of an ApplicationCustomizing the Installation Package with TransformsControlling Deployment by Security GroupSetting Global Deployment Defaults
Deploying Office Through PolicyChoosing a Package Distribution TechniqueUsing Transforms to Customize an Office DeploymentSelecting a Deployment ModeKeeping Office UpdatedDeploying Windows Service Packs Through Policy
Removing Deployed ApplicationsRedeploying ApplicationsConfiguring Software Restriction PoliciesGetting Started with Software Restriction PoliciesConfiguring Enforcement PolicyViewing and Configuring Designated File TypesConfiguring Trust Publishers PolicyConfiguring Disallowed and Unrestricted ApplicationsConfiguring Security RulesUsing Certificate RulesUsing Hash RulesUsing Internet Zone RulesUsing Path RulesTroubleshooting Software Installation PolicyTroubleshooting StepsCommon Software Installation Policy Problems
Downloading and Installing the ToolsWorking with the Custom Installation WizardStep 1: Create the Administrative Install of Office’s .msi FileStep 2: Use the Custom Installation Wizard for Office ConfigurationStep 3: Deploy the Transformed Office ConfigurationWorking with the Custom Maintenance WizardStep 1: Update the Microsoft Office ConfigurationStep 2: Deploy the New Configuration of OfficePreparing the Policy EnvironmentDeploying Office Administrative Template FilesDeploying Office Administrative Template Files for the First TimeUpdating Previously Deployed Office-Related Policy TemplatesCreating Office Configuration GPOsManaging Multiple Office Configuration Versions
Working with Office-Related PolicyExamining Global and Application-Specific SettingsConfiguring Office-Related Policy SettingsPreventing Users from Changing Office ConfigurationsUnderstanding How to Prevent Office Configuration ChangesDisabling Office Menu Items and Options Using Predefined OptionsDisabling Office Menu Items and Options Using Custom OptionsStep 1: Determining the Menu Item IDStep 2: Using a Custom Disable PolicyConfiguring Notification for Disabled Menu Items and OptionsControlling Default File and Folder LocationsSetting the Default Database Folder Location for Access 2003Setting the Default File Location for Excel 2003Setting Default Folder Locations for OneNote 2003Setting Default Folder Locations for Publisher 2003Setting Default Folder Locations for Word 2003Configuring Outlook Security OptionsControlling Office Language SettingsTroubleshooting Office Administrative Template Policy
How IPSec WorksHow IPSec Policy Is DeployedWhen to Use IPSec and IPSec Policy
Activating and Deactivating IPSec PoliciesCreate Additional IPSec PoliciesCreating and Assigning the IPSec PolicyDefining Security Rules and ActionsCreating and Managing IP Filter ListsCreating and Managing Filter ActionsMonitoring IPSec Policy
How Public Key Certificates WorkHow Public Key Policies Are UsedManaging Public Key Policy
How Windows Firewall WorksHow Windows Firewall Policy Is Used
Configuring IPSec BypassEnabling and Disabling Windows Firewall with Group PolicyManaging Firewall Exceptions with Group PolicyDisabling the Use of ExceptionsAllowing File and Printer Sharing ExceptionsAllowing Remote Administration ExceptionsAllowing Remote Desktop ExceptionsAllowing UPnP Framework ExceptionsDefining Program ExceptionsDefining ICMP ExceptionsDefining Port ExceptionsConfiguring Firewall Notification, Logging, and Response RequestsProhibiting NotificationsAllowing LoggingProhibiting Unicast Responses to Multicast or Broadcast Requests
Replace ModeMerge ModeTroubleshooting Loopback
Controlling Terminal Services Through Group Policy on an Individual ComputerControlling Terminal Services Through Group Policy in a DomainConfiguring Order of PrecedenceConfiguring Terminal Services User PropertiesBest PracticesConfiguring License Server Using Group Policy SettingsLicense Server Security GroupPrevent License UpgradeConfiguring Terminal Services ConnectionsLimit Number of ConnectionsSet Client Connection Encryption LevelSecure Server (Require Security)Start a Program on ConnectionSet Rules for Remote Control to Terminal Services User SessionsSet Time Limit for Disconnected SessionsSet Time Limit for Active Terminal Services SessionsTerminate Session When Time Limits Are ReachedAllow Reconnection From Original Client OnlyManaging Drive, Printer, and Device Mappings for ClientsAllow Audio RedirectionDo Not Allow COM Port RedirectionDo Not Allow Client Printer RedirectionDo Not Allow LPT Port RedirectionDo Not Allow Drive RedirectionDo Not Set Default Client Printer To Be Default Printer in a SessionControlling Terminal Services ProfilesSet Path for TS Roaming ProfilesTS User Home DirectoryRestrict Terminal Services Users To a Single Remove SessionOnly Allow Local User ProfilesDelete Cached Copies of Roaming Profiles
Default Policy Application over Slow LinksPolicies That Apply over Slow LinksSlow Link Behavior for RAS ConnectionsSlow Link Detection Group Policy SettingsGroup Policy Slow Link DetectionSlow Network Connection Timeout for User ProfilesDo Not Detect Slow Network ConnectionsPrompt User When Slow Link Is DetectedConfigure Slow Link SpeedAdditional Slow Link Detection Settings for Client-Side Extensions
Working with Group Policy ContainersExamining Attributes of groupPolicyContainer ObjectsExamining the Security of groupPolicyContainer ObjectsExamining GPO Creation PermissionsViewing and Setting Default Security for New GPOsViewing the defaultSecurityDescriptor AttributeModifying the defaultSecurityDescriptor Attribute
Working with Group Policy TemplatesUnderstanding Group Policy VersioningUnderstanding Group Policy Template Security
Examining Group Policy LinkingViewing the gPLink AttributeExamining Inheritance Blocking on LinksUnderstanding Group Policy Security and Links
Examining Client-Side Extension ProcessingExamining Server-Side Extension ProcessingSetting Storage for Wireless Network PolicySetting Storage for Folder Redirection PolicySetting Storage for Administrative Templates PolicySetting Storage for Disk Quota PolicySetting Storage for QoS Packet Scheduler PolicySetting Storage for ScriptsSetting Storage for Internet Explorer Maintenance PolicySetting Storage for Security PolicySetting Storage for Software Installation PolicySetting Storage for IP Security PolicyUnderstanding Policy Processing EventsAsynchronous vs. Synchronous Policy ProcessingTracking Policy ApplicationTracking Slow Link DetectionModifying Security Policy ProcessingGroup Policy History and State DataGroup Policy History DataGroup Policy State DataGroup Membership Data
Understanding LGPO Creation and ApplicationUnderstanding LGPO StructureManaging and Maintaining LGPOsControlling Access to the LGPO
Default .adm FilesWorking with .adm FilesDefault Installed .adm FilesTips for Importing .adm FilesAdding .adm FilesRemoving .adm FilesManaging .adm FilesControlling Updated Versions of .adm FilesTurn Off Automatic Updates of ADM FilesAlways Use Local ADM Files for Group Policy EditorTips for Working with .adm FilesOperating System and Service Pack Release IssuesPolicies vs. Preferences
Structure of an .adm File#if versionSyntax for Updating the RegistryClassKeynameValuenameValueoff/ValueonSyntax for Updating the Group Policy Object Editor InterfaceStringsCategoryPolicyPartCheckboxClienttextComboboxDropdownlistEdittextListboxNumericTextActionlistAdditional Statements in the .adm TemplateCommentsRequiredMaxlenExplainSupported.adm File String and Tab Limits
Account PoliciesLocal PoliciesEvent LogRestricted GroupsSystem ServicesRegistryFile System
Security Templates Snap-InRaw Security Template INF Files
Copying TemplatesCreating New Security Templates
Structure of the Sceregvl.inf FileCustomizing the Sceregvl.inf FileGetting the Custom Entry to Show Up
Getting the Correct Service to Automatically DisplayAcquiring the Service Syntax for the Security Template FileManually Updating Services in the Security Template File
Verifying the Core ConfigurationVerifying the Network Connection and ConfigurationVerifying the Computer Account and TrustVerifying Time SynchronizationVerifying the Computer and User Account ConfigurationVerifying Key Infrastructure ComponentsVerifying the Scope of ManagementChecking the GPO Status and VersionChecking the GPO on the Logon Domain ControllerChecking the GPO Link Status and OrderChecking the GPO PermissionsChecking the Loopback Processing Status of the GPOChecking for Slow Links
Working with Resultant Set of PolicyNavigating the Summary TabNavigating the Settings TabNavigating the Policy Events TabNavigating the Advanced ViewViewing RSoP from the Command LineVerifying Server-Side GPO HealthChecking the GPC and GPT for ErrorsChecking the SYSVOL PermissionsVerifying Specific GPOsNavigating the GPO DetailsManaging RSoP Logs CentrallyGetting Started with Group Policy MonitorPreparing the Group Policy Monitor InstallationDeploying and Configuring Group Policy MonitorViewing Group Policy Monitor ReportsExamining Differences Between Refresh IntervalsManaging Report Log Deletion
Navigating the Application Event LogsConfiguring the Level of Application LoggingUnderstanding Group Policy EventsManaging Userenv LoggingConfiguring the Level of Userenv LoggingExamining the Userenv LogsManaging Logging for Specific CSEsEnabling Debug Logging for Windows Installer PolicyEnabling Debug Logging for Folder Redirection PolicyEnabling Debug Logging for Security Policy
Domain Controller Running the PDC Emulator Is Not AvailableNot All Settings Show Up in the Group Policy EditorCustom Administrative Template Settings Are Not VisibleAdministrative Templates and Settings Depend on the Operating System VersionSecurity Template Settings Are Not Taking EffectNew Custom Security Settings Are Not DisplayedDelegation Restrictions Within the GPMCCreating GPOsLinking GPOsManaging GPOsEditing GPOsViewing GPOs
Domain Controllers Are Not AvailableActive Directory Database Is CorruptLocal Logon vs. Active Directory LogonSYSVOL Files Are Causing GPO Application FailureGPO Files Manually Modified IncorrectlySYSVOL Share RemovedIncorrect Date and Time of GPO FilesProblems with Replication and Convergence of Active Directory and SYSVOLSyncing Group Policy GPC and GPTIntrasite ReplicationIntersite ReplicationDNS Problems Causing GPO Application ProblemsDHCP Servers Allocating Incorrect DNS InformationManual Client Configuration Is IncorrectSRV Records Have Been Deleted
Tracking Down Incorrect GPO SettingsGPO Settings That Can Be Set to Enabled or DisabledIncorrect Setting SelectedComputer Configuration vs. User Configuration SettingsGPO Links Causing GPO Application ProblemsLinking GPOs to Multiple ContainersAdministering GPOs that are Linked to Multiple ContainersAccounts Are Not Located in the Correct OUReasons That Accounts Are Placed in the Incorrect OUWrong Account in OUTrying to Apply Group Policy Settings to GroupsLinking GPOs to OUs That Contain Only GroupsSetting GPO Security Filtering to Apply GPO Settings to GroupsConflicting Settings in Two GPOsModifying Default GPO InheritanceEnforcing GPOsBlock Policy InheritanceSecurity Filtering
Managing Feature Control SettingsConfiguring Policies and PreferencesInternet Explorer Administration Kit/Internet Explorer Maintenance
Changes to Internet Explorer URL Action Security Settings
Changes to RSoP in SP1Administering Remote RSoP with GPMC SP1Delegating Access to Group Policy Results
Changes to Windows FirewallChanges for Audit LoggingChanges for Netsh HelperWindows Firewall New Group Policy Support
Understanding the GPMC Scripting Object ModelCreating the Initial GPM ObjectReferencing the Domain to ManageCreating and Linking GPOsAutomating Group Policy Security Management
Creating GPOsDeleting GPOsFinding Disabled GPOsFinding GPOs by Security GroupFinding GPOs Without Active LinksSetting GPO Creation PermissionsSetting Other GPO PermissionsBacking Up All GPOsBacking Up Individual GPOsCopying GPOsImporting GPOsGenerating RSoP ReportsMirroring Your Production EnvironmentGPMC Prebuilt Script Review

Content preview from Microsoft® Windows® Group Policy Guide

Client Hardening

Not only should servers be hardened to protect against outside intruders, but clients need the same attention. Clients also need to have services, ports, applications, groups, and so on locked down to reduce security risks as much as possible. This reduction in security risk should not compromise functionality in most cases. If the security on a client is too tight, users might not be able to use applications and network communications as needed.

To show a wide range of client configuration best practices, we will look at four common environments. The best practices focus on creating and maintaining a secure environment for desktops and laptops running Windows XP Professional. We will break down clients into two more categories: ...

Become an O’Reilly member and get unlimited access to this title plus top books and audiobooks from O’Reilly and nearly 200 top publishers, thousands of courses curated by job role, 150+ live events each month,
and much more.

Start your free trial

Windows® Group Policy Administrators Pocket Consultant

Publisher Resources

ISBN: 0735622175Supplemental Content Errata

Microsoft® Windows® Group Policy Guide

by The Microsoft Group Policy Team, Darren Mar-Elia, Derek Melber, William R. Stanek

Client Hardening

Become an O’Reilly member and get unlimited access to this title plus top books and audiobooks from O’Reilly and nearly 200 top publishers, thousands of courses curated by job role, 150+ live events each month,
and much more.

You might also like

Windows® Group Policy Administrators Pocket Consultant

Active Directory® for Microsoft® Windows® Server 2003 Technical Reference

Microsoft® Windows® 2000 Security Handbook

Internet Information Services Administration

Publisher Resources