S 2.231 Planning of group policy under Windows
Initiation responsibility: IT Security Officer, Head of IT
Implementation responsibility: Head of IT, Administrator
The group policies available in Windows 2000 are a powerful mechanism for configuring Windows computers. Windows NT also had a mechanism similar to group policies, but it was much less powerful. Group policies are used in the Active Directory to apply a set of configuration settings, and especially security settings, to a group of objects. A Group Policy Object (GPO) is a collection of predefined configuration parameters (over 700 parameters by default). Each parameter can be set to a specific value; in some cases the value can only be selected from a limited range of permitted values. In general, it is also possible to set a parameter to the value Not defined, in which case the Windows default setting automatically applies to this parameter. The default settings are documented in the group policy help file, which is available in the Windows 2000 Server Resource Kit, among other places.
The parameters in a group policy object are organised by subject in a tree structure similar to a file system. At the top level, the parameters are divided between settings for computers and settings for users. The following settings are of particular interest from a security perspective; they can be found under the following "paths":
- Computer Settings\Windows Settings\Security Settings
- Computer Settings\Administrative Templates\Windows Components\Windows Installer
- Computer Settings\Administrative Templates\System\Group Policy
- User Settings\Administrative Templates\Windows Components\Microsoft Management Console
- User Settings\Administrative Templates\Windows Components\Windows Installer
The Windows 2000 Server and Windows Server 2003 operating systems (these two server operating systems are collectively referred to as Windows Server in the following) calculate the currently valid setting of each group policy parameter for every computer that is a member of a domain and for every user who logs on. This calculation is necessary because the parameter settings can be specified by different group policy objects, and these specifications can overlap. The following group policy objects can be defined:
- Every computer has a locally defined group policy object. It allows parameter settings to be defined locally on the computer, for example when there is no connection to a network.
- Group policy objects can be defined using Windows Server sites. This option allows settings to be adapted to a specific site.
- Group policy objects can be defined within the Active Directory structure for the domain objects so that it is possible to control the parameter settings for computers and users throughout the entire domain.
- Group policies can be defined for every OU object. These settings then take effect on all computers and for all users below this OU object in the tree.
The following calculation or superposition schema (Local <- Site <- Domain <- Organisational Unit, LSDO) is used to calculate the parameter settings currently valid for a specific computer or user: the local settings are taken into account first (L = local). These settings are then superimposed with the settings of the group policy object defined for the corresponding site (S = site). After that, the group policy objects defined in the relevant domain object are superimposed over these settings (D = domain). Finally, the group policy objects of the OU objects are applied in the order in which they occur in the path from the domain object to the OU object containing the corresponding computer or user (O = organisational unit). A setting applied later in this sequence overrides a conflicting setting applied earlier.
The superposition can be influenced using the Block and Enforce options. If the Block and Enforce settings conflict with each other, Enforce takes precedence. In addition, several group policy objects can be defined for one OU object at the OU level. In this case, the settings are superimposed according to the order specified for that OU object. Each group policy object can also be enabled or disabled individually for a given OU object.
Group policy objects can only be defined in the Active Directory for OU objects and not for individual computer or user objects. The locally defined group policy object is not stored in the Active Directory. If a group policy object defined for an OU object that groups computer objects together is not intended to take effect on all of these computer objects, the authorisation to apply the group policy object can be withheld from a specific computer object. To do this, the apply access right (Apply Group Policy) on the group policy object is removed for this computer object.
The description above of how group policy objects are defined for OU objects is a simplification, however: group policy objects are stored separately in the Active Directory and form a pool of objects. Every group policy object defined can be associated with one or more OU objects; such an association is referred to as a link. Marking a link as enabled or disabled means that the corresponding group policy object will or will not be taken into account, respectively, when the effective settings for the OU object are calculated (see above). The Properties dialogue of a group policy object shows the OU objects to which it is linked, i.e. which objects it could potentially affect.
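The LSDO superposition, the Block and Enforce options, disabled links and the removed apply access right described above can be modelled in a few lines. The following Python script is an added example written for this page; it is not part of the original safeguard and not a Windows tool. All GPO, container and parameter names and the default values are constructed for the example. Two details go beyond what the text states and reflect Windows behaviour: an enforced group policy object is applied after all non-enforced ones (so it also wins against conflicting settings from lower-level OU objects, the highest-level enforced object winning last), and the local group policy object is always processed, since Block only affects objects linked in the Active Directory.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

# A value of None stands for "Not defined": the GPO leaves the parameter alone,
# so a higher-level GPO or the Windows default applies.
Settings = Dict[str, Optional[object]]


@dataclass
class GPO:
    name: str
    settings: Settings
    enforced: bool = False                  # the Enforce (No Override) option
    apply_denied: frozenset = frozenset()   # objects whose apply right was removed


@dataclass
class Link:
    gpo: GPO
    enabled: bool = True                    # a disabled link is ignored entirely


@dataclass
class Container:
    name: str
    level: str                              # "local", "site", "domain" or "ou"
    links: List[Link] = field(default_factory=list)  # highest precedence first
    block_inheritance: bool = False         # the Block option


def effective_settings(path: List[Container], principal: str,
                       defaults: Optional[Settings] = None) -> Tuple[Settings, List[str]]:
    """Superimpose the GPOs along Local <- Site <- Domain <- OU ... for one object.

    Returns the effective settings and the names of the GPOs applied, in the
    order they were applied (useful for documenting the concept)."""
    # Block: everything linked above the deepest blocking container is dropped
    # unless it is enforced. The local GPO is modelled as always processed.
    cut = 0
    for i, c in enumerate(path):
        if c.block_inheritance:
            cut = i
    normal: List[GPO] = []
    enforced_by_level: List[List[GPO]] = []
    for i, c in enumerate(path):
        enforced_here: List[GPO] = []
        for link in reversed(c.links):      # lowest-precedence link applied first
            g = link.gpo
            if not link.enabled or principal in g.apply_denied:
                continue
            if g.enforced:
                enforced_here.append(g)
            elif i >= cut or c.level == "local":
                normal.append(g)
        enforced_by_level.append(enforced_here)
    # Enforced GPOs come after all others; the higher the container, the later
    # it is applied, so the highest-level enforced GPO wins any conflict.
    order = normal + [g for lvl in reversed(enforced_by_level) for g in lvl]
    result: Settings = dict(defaults or {})
    for g in order:
        for key, value in g.settings.items():
            if value is not None:           # "Not defined" never overrides
                result[key] = value
    return result, [g.name for g in order]


DEFAULTS: Settings = {                      # constructed stand-ins for Windows defaults
    "MinimumPasswordLength": 0,
    "AuditLogon": "No auditing",
    "DisableRegistryTools": False,
}


def build_example_path(block_workstations: bool = True) -> List[Container]:
    """Constructed sample: Local <- Site Berlin <- Domain <- OU Workstations <- OU Lab."""
    local = GPO("LocalGPO", {"AuditLogon": "Failure"})
    site = GPO("SiteGPO", {"ScreenSaverTimeout": 600})
    default_domain = GPO("DefaultDomain", {"MinimumPasswordLength": 8,
                                           "AuditLogon": "Success, Failure"})
    lockdown = GPO("DomainLockdown", {"DisableRegistryTools": True}, enforced=True)
    ws = GPO("WS", {"AuditLogon": "Failure"})
    legacy = GPO("Legacy", {"ScreenSaverTimeout": 60})
    lab = GPO("Lab", {"ScreenSaverTimeout": 900, "DisableRegistryTools": False},
              apply_denied=frozenset({"LAB-ADMIN-PC"}))  # a documented exception
    return [
        Container("local computer", "local", [Link(local)]),
        Container("Berlin", "site", [Link(site)]),
        Container("example.local", "domain", [Link(default_domain), Link(lockdown)]),
        Container("Workstations", "ou", [Link(ws), Link(legacy, enabled=False)],
                  block_inheritance=block_workstations),
        Container("Lab", "ou", [Link(lab)]),
    ]


if __name__ == "__main__":
    for pc in ("LAB-PC-01", "LAB-ADMIN-PC"):
        settings, applied = effective_settings(build_example_path(), pc, DEFAULTS)
        print(pc, applied, settings)
```

Running it shows the effect of Block without Enforce: the domain's password length and audit settings are dropped for the Workstations subtree, only the enforced DomainLockdown object survives, and LAB-ADMIN-PC, whose apply right on the Lab object was removed, keeps the default screen saver setting. Calling `build_example_path(block_workstations=False)` shows the same path with the domain settings inherited.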
The following aspects must be taken into account from a security perspective when planning and handling group policy objects:
- The group policy concept must be kept as simple as possible. Complex structures consisting of multiple overlaps are to be avoided. In particular, the ability to restrict the application of a group policy object by means of access rights (see above) should only be used in exceptional cases. In general, the group policy concept must be documented so that the exceptions are easy to recognise.
- The group policy concept and the OU object structure mutually influence each other, because group policy objects can only be applied to OU objects in the Active Directory and not to computer or user objects. When designing the OU groups, it is therefore necessary to ensure that only objects which will be assigned the same GPO settings are placed in an OU object or lower-level OU objects.
- Because the applicable settings are calculated from several levels, the administration of the parameter settings can be distributed between different "locations" (local, site, domain object, OU objects). For this reason, it must be decided where each parameter will be defined. When defining the parameters, it must be taken into account that some parameters only take effect when they are defined at certain levels. Password settings, for example, can only be defined in domain objects.
- Group policy objects must be protected against unauthorised changes. To do this, it is necessary on the one hand to assign the corresponding authorisations in the Active Directory (see also S 2.230 Planning of Active Directory administration and S 3.27 Training to Active Directory administration), and on the other hand it is possible to prohibit users from using the corresponding administrative tools, such as the MMC Group Policy snap-ins or registry editors.
- It is especially important to specify values for the security-related parameters in a group policy object. In addition to the settings listed above, there may also be other security-related parameters, depending on the application scenario. Such parameters include the Internet Explorer settings, for example.
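The planning rules in the list above, and the review questions at the end of this safeguard, can be checked mechanically against a documented group policy concept. The following Python script is an added example written for this page (not BSI's own tooling and not a Windows tool). It takes a constructed plan of GPOs, each with the level at which it is linked, and reports parameters defined by more than one GPO on the same path (overlaps), parameters defined at a level where they take no effect (the table of such parameters contains only the password settings named in the text and is otherwise a placeholder), and security-related parameters that no GPO defines at all, so that the Windows default would apply silently. Parameter and GPO names and the list of required security parameters are constructed for the example.

```python
from collections import defaultdict
from typing import Dict, List, Optional, Tuple

# One planned GPO: the level it is linked at ("local", "site", "domain", "ou"),
# its name and its parameter values. None stands for "Not defined".
PlannedGPO = Tuple[str, str, Dict[str, Optional[object]]]

# Assumed scope rules: the text states that password settings only take effect
# in domain objects; any further entries would be added by the planner.
ONLY_AT_LEVEL: Dict[str, set] = {
    "MinimumPasswordLength": {"domain"},
    "PasswordHistorySize": {"domain"},
    "MaximumPasswordAge": {"domain"},
}

# Constructed list of security-related parameters that the concept must set
# explicitly rather than leaving them at the Windows default.
REQUIRED_SECURITY_PARAMS = [
    "MinimumPasswordLength", "AuditLogon", "DisableRegistryTools", "RestrictMMCSnapins",
]


def find_overlaps(plan: List[PlannedGPO]) -> Dict[str, List[str]]:
    """Parameters defined (not None) by more than one GPO on the path."""
    definers: Dict[str, List[str]] = defaultdict(list)
    for _level, name, settings in plan:
        for key, value in settings.items():
            if value is not None:
                definers[key].append(name)
    return {k: names for k, names in definers.items() if len(names) > 1}


def find_misplaced(plan: List[PlannedGPO]) -> List[Tuple[str, str, str]]:
    """(gpo, parameter, level) triples where the parameter has no effect at that level."""
    out = []
    for level, name, settings in plan:
        for key, value in settings.items():
            if value is not None and key in ONLY_AT_LEVEL and level not in ONLY_AT_LEVEL[key]:
                out.append((name, key, level))
    return out


def find_undefined(plan: List[PlannedGPO],
                   required: List[str] = REQUIRED_SECURITY_PARAMS) -> List[str]:
    """Required security parameters that no GPO in the plan sets explicitly."""
    defined = {k for _, _, s in plan for k, v in s.items() if v is not None}
    return [p for p in required if p not in defined]


def audit(plan: List[PlannedGPO]) -> Dict[str, object]:
    """Run all three checks; an empty result for each means the rule is satisfied."""
    return {
        "overlaps": find_overlaps(plan),
        "misplaced": find_misplaced(plan),
        "undefined": find_undefined(plan),
    }


# Constructed plan for one path: domain object -> OU Workstations -> OU Lab.
EXAMPLE_PLAN: List[PlannedGPO] = [
    ("domain", "DefaultDomain", {"MinimumPasswordLength": 8,
                                 "AuditLogon": "Success, Failure"}),
    ("ou", "Workstations", {"AuditLogon": "Failure", "DisableRegistryTools": True,
                            "MaximumPasswordAge": 30}),     # misplaced: OU level
    ("ou", "Lab", {"DisableRegistryTools": False, "ScreenSaverTimeout": None}),
]


if __name__ == "__main__":
    for check, findings in audit(EXAMPLE_PLAN).items():
        print(f"{check}: {findings}")
```

In the constructed plan the audit flags AuditLogon and DisableRegistryTools as defined twice (an overlap the concept should either remove or document), MaximumPasswordAge as defined in an OU object where it takes no effect, and RestrictMMCSnapins as a security-related parameter for which no value has been specified.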
In general, the settings of the various group policy objects must be specified based on the security policies of the company or government agency and must enforce these policies. Corresponding specifications for security settings that could serve as a starting point in a group policy can be found in the Resources for the Active Directory module document in the Security settings for group policies section.
Review questions:
- Is there a concept specifying how group policies need to be set up in Windows?
- Were multiple overlaps avoided in the group policy concept?
- Is it possible to recognise the exceptions to the group policy concept in the documentation?
- Are all group policy objects protected using restrictive access rights?
- Have values been specified for the parameters in each single group policy object?