Windows 2003 - Group Policy -> System
'System' is another Group Policy section where every administrator will benefit from restricting the users, if only by stopping them hacking the registry.
Before you start, compare and contrast the settings here with those in the Computer Configuration \ Administrative Templates \ Windows Components \ System folder.
Troubleshooting Group Policies is tricky. As an MCT trainer, I can thoroughly recommend TrainSignal because they provide practical hands-on training. In particular, I like the way TrainSignal covers all learning methods: instructor-led, video and of course text material. You can either take one module, for example Group Policy, or go for a combination of modules.
These are settings that 'Mr Nasty' will love, starting with 'Prevent Access to the Command Prompt'. Perhaps you have already removed the Run command; now you want to bolt the back door to the 'DOS box'.
I cannot think of a good reason why ordinary users need Regedit, so I would enable
* 'Prevent Access to Registry editing tools'. Be careful with your logic here: the risk is that you end up with a double negative. For instance, setting 'Prevent access to Registry editing tools' to 'Disabled' would allow Regedit to run, which may be the reverse of what you intended.
'Don't run specified Windows applications' is another setting where you should double-check your logic. Here you are making a list of the bad guys: programs that ordinary users have no business running.
'Run only allowed Windows programs' takes locking down the desktop one stage further: in this case you specify only the programs that your people really need, for example Excel and Winword. Remember that this is a list of a few essential programs, and anything not on it will not run.
* 'Restrict these Programs from being run from Help'. This policy neatly closes a back door which savvy users exploit to sneakily run programs that they should not be using. Be on your guard, and choose the executables wisely.
Take a view on what should be done about 'Windows Automatic Updates'. Again, here is a policy to fit into your broader corporate network strategy.
Two settings which could slightly improve the users' experience are 'Configure Driver search locations' and 'Century Interpretation for year 2000'. The latter may become more relevant as we approach 2029!
* 'Code signing for drivers'. This is not a setting that you should leave to chance: I would Enable it, then choose 'Block' for drivers without digital signatures. Ask yourself, 'What are users doing installing device drivers anyway?'
I am a great fan of roaming profiles, especially for us administrators. With these settings you can alleviate worries that roaming profiles generate too much network traffic, by imposing limits on the size of the profiles and on the directories to include in the roaming profile.
Nothing much here. Perhaps you would want to run scripts visibly if you are testing, or if they display information for the users, but otherwise this is a section to ignore. By all means run legacy scripts hidden, but why not upgrade those batch files to VBScript?
The most controversial decision here is the Task Manager (not the Taskbar). My view is to leave it enabled. Would it not save work all round if users could zap their own programs which are not responding?
I can think of only a few specialist situations where you would want to deny users the Change Password and Lock Workstation tabs. Kiosk computers or communal internet machines would benefit from this policy. However, for the rest, leave the Ctrl+Alt+Del settings at the default: not configured.
There are two ideas here that are worth a look. Firstly, are there any programs that clients always need? If so, then configure the 'Run Programs at Logon' setting. Secondly, have you been caught by viruses exploiting the 'Run Once' registry setting? If so, then you can block the registry RunOnce key with this policy.
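Several of the sections above (registry editing tools, the command prompt, the DisallowRun and RestrictRun lists, Task Manager and the Ctrl+Alt+Del options, the RunOnce key and driver signing) come down to a handful of values under the user's Policies keys, and the double-negative trap is that a value of 0 (the policy explicitly Disabled) lifts the restriction just as surely as leaving it unconfigured. The script below is an added example, not code from the original article: it parses a `.reg` export of those keys and reports each setting in the three states the GPO editor shows. The registry paths and value names are my assumptions about what the User Configuration policies write on Windows XP / Server 2003 (verify them against your own Group Policy reference), and the sample export is constructed for the demonstration.

```python
import re

# Registry locations the User Configuration policies write to, as I know them
# (HKCU hive, XP / Server 2003 era). Assumptions; check your own GPO reference.
POL_SYSTEM = r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System"
POL_EXPLORER = r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer"
POL_WIN_SYSTEM = r"HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\System"
POL_DRIVER_SIGNING = r"HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows NT\Driver Signing"

# Constructed sample export (not from a real machine): Regedit and Task Manager
# blocked, command prompt policy explicitly Disabled (0), a DisallowRun list,
# and nothing configured for RunOnce or driver signing.
SAMPLE_REG = r"""Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System]
"DisableRegistryTools"=dword:00000001
"DisableTaskMgr"=dword:00000001
"DisableChangePassword"=dword:00000000

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer]
"DisallowRun"=dword:00000001

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun]
"1"="cmd.exe"
"2"="regedit.exe"

[HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\System]
"DisableCMD"=dword:00000000
"""

_SECTION = re.compile(r"^\[(.+)\]$")
_VALUE = re.compile(r'^"(.+?)"=(?:dword:([0-9a-fA-F]{8})|"(.*)")$')


def parse_reg(text):
    """Parse .reg export text into {key_path: {value_name: int | str}}."""
    keys, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        section = _SECTION.match(line)
        if section:
            current = section.group(1)
            keys.setdefault(current, {})
            continue
        value = _VALUE.match(line)
        if value and current is not None:
            name, dword, string = value.groups()
            keys[current][name] = int(dword, 16) if dword is not None else string
    return keys


def policy_state(keys, path, name):
    """Missing value -> 'not configured'; 0 -> 'disabled' (restriction lifted,
    the double negative); non-zero -> 'enabled' (restriction in force)."""
    value = keys.get(path, {}).get(name)
    if value is None:
        return "not configured"
    return "enabled" if value != 0 else "disabled"


def program_list(keys, flag):
    """Executables listed under DisallowRun / RestrictRun, or [] unless the
    matching flag in the Explorer policy key is enabled."""
    if policy_state(keys, POL_EXPLORER, flag) != "enabled":
        return []
    entries = keys.get(POL_EXPLORER + "\\" + flag, {})
    return sorted(str(v).lower() for v in entries.values())


def audit(keys):
    """Summarise the lockdown settings discussed in the article."""
    signing = keys.get(POL_DRIVER_SIGNING, {}).get("BehaviorOnFailedVerify")
    return {
        "registry_tools_blocked": policy_state(keys, POL_SYSTEM, "DisableRegistryTools") == "enabled",
        "task_manager_blocked": policy_state(keys, POL_SYSTEM, "DisableTaskMgr") == "enabled",
        "change_password_blocked": policy_state(keys, POL_SYSTEM, "DisableChangePassword") == "enabled",
        "lock_workstation_blocked": policy_state(keys, POL_SYSTEM, "DisableLockWorkstation") == "enabled",
        "command_prompt_blocked": policy_state(keys, POL_WIN_SYSTEM, "DisableCMD") == "enabled",
        "runonce_blocked": policy_state(keys, POL_EXPLORER, "DisableLocalUserRunOnce") == "enabled",
        "disallowed_programs": program_list(keys, "DisallowRun"),
        "allowed_programs": program_list(keys, "RestrictRun"),
        "unsigned_driver_behaviour": {0: "ignore", 1: "warn", 2: "block"}.get(signing, "not configured"),
    }


def findings(keys):
    """Flag the logic traps the article warns about."""
    out = []
    for path, name, label in (
        (POL_SYSTEM, "DisableRegistryTools", "Prevent access to registry editing tools"),
        (POL_WIN_SYSTEM, "DisableCMD", "Prevent access to the command prompt"),
    ):
        if policy_state(keys, path, name) == "disabled":
            out.append(f"'{label}' is explicitly Disabled: the tool WILL run (double negative?)")
    if policy_state(keys, POL_EXPLORER, "RestrictRun") == "enabled" and not program_list(keys, "RestrictRun"):
        out.append("'Run only allowed Windows programs' is Enabled with an empty list: users can run nothing")
    if audit(keys)["unsigned_driver_behaviour"] != "block":
        out.append("unsigned device drivers are not blocked")
    return out


if __name__ == "__main__":
    parsed = parse_reg(SAMPLE_REG)
    for item, state in audit(parsed).items():
        print(f"{item:28} {state}")
    for warning in findings(parsed):
        print("WARNING:", warning)
```

On a real machine you would feed it the output of `reg export` for the two Policies keys rather than the embedded sample; the point of `policy_state` is that 'disabled' and 'not configured' both leave the tool usable, so a lockdown audit has to check for 'enabled', not merely for the presence of the value.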
* 'Group Policy Slow Link Detection'. People often ask me, what is a slow link: 56K? 256K? Well, here you can decide, based on your experience of how long Group Policy settings take to apply when a client logs on remotely. The other settings here are to assist administrators who are configuring Group Policies.
Just one policy here: Prompt for Password on Resume from Hibernate. This is the classic trade-off, security versus convenience. I do believe that hibernating rather than turning machines off will be the way of the future. However, at present few people trust 'Hibernate', so this setting is not needed - yet!
If you are fed up with those Win32 Time errors in the Event Log, then why not use a Group Policy to configure the Time Servers? In Windows Server 2003 domains Kerberos relies on time synchronization between servers; otherwise it thinks that a hacker has intercepted a packet and then put it back on the network 10 minutes later.
Summary of System Group Policies
Start with the 'Root' section of Administrative Templates, Windows Components, System. Then follow through and investigate the sub-folders, for example Logon, where you can block the RunOnce command.