What important group-policy settings should I configure in Active Directory? [closed]

We have a number of important settings enabled (password changes, screen-locks etc), but I'm sure there's loads more really useful settings that we could enable.

Any suggestions would be gratefully appreciated... particularly in the security area.


The above are usually the starting point

Computer Policies:

  • Review Account Policies/Audit Policy
  • Review Local Policies/User Rights Assignment
  • Local Policies/Security Options/Shutdown/Shutdown: Clear virtual memory page file = Enabled
  • System Services\Messenger\Startup Mode = Disabled
  • Public Key Policies/Encrypting File System/Allow users to encrypt files using EFS = disabled (unless you have a PKI and accounts in place to allow decryption)

User Policies:

  • Review Administrative Templates\Control Panel
  • Administrative Templates\System\Prevent access to registry editing tools = enabled
  • Administrative Templates\System\Prevent access to the command prompt = enabled

There are many more useful and important ones, but those cover most of the XP/Vista/2003 gotchas. It sounds painful but the only thing you can do is make sure you have the latest .adm files loaded into group policy management console and go through each and every one making a decision based upon the business needs.
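An added audit script (not from the answer above or from any product): it reads the registry values that the listed Computer and User policies set, so you can confirm on a domain-joined host that the GPO actually applied. The registry paths are the standard policy locations for these settings; the Messenger service key only exists on XP/2003-era builds.

```powershell
# Added example: audit the settings the answer lists by reading the
# registry values the corresponding Group Policies write.
# Run in an elevated session after 'gpupdate /force'.
$checks = @(
    @{ Name = 'Shutdown: Clear virtual memory page file = Enabled'
       Path = 'HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management'
       Value = 'ClearPageFileAtShutdown'; Expected = @(1) },
    @{ Name = 'Messenger service Startup Mode = Disabled'
       Path = 'HKLM:\SYSTEM\CurrentControlSet\Services\Messenger'
       Value = 'Start'; Expected = @(4) },            # 4 = Disabled
    @{ Name = 'Allow users to encrypt files using EFS = Disabled'
       Path = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\EFS'
       Value = 'EfsConfiguration'; Expected = @(1) }, # 1 = EFS disabled
    @{ Name = 'Prevent access to registry editing tools = Enabled'
       Path = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\System'
       Value = 'DisableRegistryTools'; Expected = @(1, 2) },
    @{ Name = 'Prevent access to the command prompt = Enabled'
       Path = 'HKCU:\Software\Policies\Microsoft\Windows\System'
       Value = 'DisableCMD'; Expected = @(1, 2) }     # 2 = block cmd.exe, allow scripts
)

function Test-PolicySetting {
    param([hashtable]$Check)
    # A missing key or value means the policy never applied (or was set to Not Configured).
    $item   = Get-ItemProperty -Path $Check.Path -Name $Check.Value -ErrorAction SilentlyContinue
    $actual = if ($null -ne $item) { $item.($Check.Value) } else { $null }
    [pscustomobject]@{
        Setting  = $Check.Name
        Actual   = if ($null -eq $actual) { 'not set' } else { $actual }
        Expected = ($Check.Expected -join ' or ')
        Status   = if ($Check.Expected -contains $actual) { 'OK' } else { 'REVIEW' }
    }
}

$results = $checks | ForEach-Object { Test-PolicySetting -Check $_ }
$results | Format-Table -AutoSize

# Non-zero exit lets a scheduled task or monitoring agent flag policy drift.
if ($results.Status -contains 'REVIEW') { exit 1 }
```

Because the User Policies are read from HKCU, run the script as the user whose GPO result you want to verify, not only as the administrator.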


Oft-overlooked Windows Settings/Internet Explorer Maintenance/URLs/Favorites and Links/ - with all the corporate links (a 'Helpdesk Ticket' link that they cannot lose being crucial to my sanity).

Server OU - Most of my GPOs have to do with making my RDC sessions into servers more consistent, useful, and simple.

Administrative Templates/Windows Components/Terminal Services/Client/Server data redirection/Do not allow LPT port redirection ... keeps the driver install failure spam out of my event logs.

Force bginfo (from Sysinternals) upon login - to paint the server/ip/etc name on the desktop. Anything to help me out in not rebooting / changing settings on the wrong server (again).

Administrative Templates/Start Menu and Taskbar - remove balloon Tips, Remove... Shut Down (I'd prefer this is kept to commandline), Remove Search/Help.

Note: Not to insult anybody's intelligence, but make sure you're using the Group Policy Management Console (if 2003, SP specific) instead of the godawful built-in interface.

The Jeremy Moskowitz book has been a huge help to me.


Admin Templates/System/Internet Communication Management - there's a LOT of stuff in there you may want to disable.

Admin Templates/Desktop/Prohibit user from changing My Documents path - oh yes.

Otherwise, I've gone from keeping everything tight to leaving it fairly loose. Technology is supposed to empower people after all, and while you can disable stuff like Start Menu right-clicking, what are you really gaining from it?

Finally, never forget: policy is not the same as security.