Group Policies are one of the most useful, complex and overlooked tools available in Windows XP Pro. Group Policies are rules that can be applied to a machine every time the operating system starts up. These rules can be used to significantly improve the baseline security of the operating system, on the global or local level. Although primarily intended for use in a corporate environment, there is no reason why a home user should not benefit from them. Group Policies allow you to control the registry, security options, scripts, folders, and software installation and maintenance. The last set of rules is called the Software Restriction Policies. In fact, Software Restriction Policies are a subset of the Group Policies. Group Policies can be enforced per computer or per user. This means that you will be able to use certain accounts with full privileges while others will have limited options and usability. Software Restriction Policies can only be set globally. Do note that Group Policies cannot be set or edited when running under a limited user account.
http://www.dedoimedo.com/computers/policies.html
27/12/2011
might feel slightly overwhelmed or even discouraged from exploring it. Luckily, things are not as frightening as they seem. Besides, hopefully, this article will be able to help you take the first few steps. That said, I wish to emphasize that this article is by no means a full, comprehensive formula for making it right. There are virtually limitless possibilities when it comes to configuring the Group Policies, especially bearing in mind that they should be set to suit YOUR needs. My surfing habits are most likely different from yours (unless you are my brother), which means that you should not blindly take my examples as the holy grail of security. Instead, you should use this guide to familiarize yourself with Group Policies, learn how to use them and from there, develop your own strategies.
Before we start, a few useful tips:
- Do not apply more than a few settings at once! If something goes wrong, you might not be able to easily isolate the source of the problem.
- You should back up your data before trying for the first time.
- You should probably set a System Restore point.
- You need lots of patience.
Optional but warmly recommended: If you can, install VMware Player or Server. Learning about Group Policies and Software Restriction Policies can be rather harmless if you do it in a virtual machine running a guest Windows XP Pro operating system. Of course, I leave the matter of legalities to you. If you are interested in learning more about virtualization, you might want to read my VMware Player - A great friend article.
This command will open the Group Policy Object Editor. You can identify the running process as mmc.exe in the Task Manager. This process belongs to the Microsoft Management Console; the Group Policy Object Editor is a part of the MMC.
For the time being, nothing special is happening. On the left side, you have the tree of available settings, in a hierarchical (pyramidal) structure. This is the Console Tree. If you select an option on the left, it will be presented in detail in the right pane, including a brief if very useful description of its basic parameters. The right pane is called the Details Pane. The Group Policies can be applied on the global level (Computer Configuration) or the user level (User Configuration). Most options are identical for the two. Certain options will be available only globally or locally.
What now?
It is very easy to get lost even before you start. You need to have a CLEAR idea of what you wish to do. If you are just starting and wish to experiment, then go ahead. However, if you are setting up your machine for a working environment, I suggest you carefully plan your goals. You might even consider using pen and paper to organize your setup.
If you're only starting, I suggest you try the default Unrestricted security level and build specific rules for the undesired applications. Once you master the use of Policies, you might
want to try the Disallowed level. Additional rules allow you to specify executables that you wish to exclude from the default level. In other words, specify the whitelist or the blacklist, depending on your choice. To keep you from locking yourself out of the system, the core Windows processes are listed as Unrestricted. Nevertheless, you should be careful, because there might be additional programs, like your firewall or anti-virus, that are most likely located elsewhere and will require their own rules, should you opt for Disallowed level. Another very important process that you would want to keep unrestricted is the Microsoft Management Console (mmc.exe), without which you will not be able to edit the Group Policies!
Adding a rule
There are several ways to create new rules:
1. Highlight Additional Rules > right-click > choose a rule
2. Highlight Additional Rules > right-click in the Details Pane > choose a rule
3. Highlight Additional Rules > Menu > Action > choose a rule
There are four types of rules - Hash, Certificate, Path, and Zone. These rules determine what files may or may not be run. For example, you can disallow a certain executable in one folder but allow it in another or block it completely using its hash value.
Example
I have created a file called virus.bat. It's on the desktop. For all practical purposes, this file could be malicious. I will define a rule that will prevent it from running.
Technically, your imagination is the limit. You can read about Software Restriction Policies in full detail in Microsoft's very nice how-to, Using Software Restriction Policies to Protect Against Unauthorized Software.
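An added example, not part of the original article: a small Python model of how the default security level combines with hash and path rules, using the virus.bat case above. The paths, the file content, the C:\Windows\Temp rule and the use of SHA-256 as the digest are assumptions made for illustration; certificate and zone rules are left out.

```python
import hashlib
from dataclasses import dataclass, field

UNRESTRICTED, DISALLOWED = "Unrestricted", "Disallowed"

@dataclass
class Policy:
    default_level: str
    hash_rules: dict = field(default_factory=dict)  # hex digest -> level
    path_rules: dict = field(default_factory=dict)  # file or folder path -> level

def digest(content: bytes) -> str:
    # SHA-256 is a stand-in here for the digest Windows stores in a hash rule.
    return hashlib.sha256(content).hexdigest()

def norm(path: str) -> str:
    return path.rstrip("\\").lower()  # Windows paths are case-insensitive

def evaluate(policy: Policy, path: str, content: bytes):
    """Return (level, reason) for one launch attempt."""
    level = policy.hash_rules.get(digest(content))
    if level:  # a hash rule follows the file content, wherever the file sits
        return level, "hash rule"
    target, best = norm(path), None
    for rule_path, rule_level in policy.path_rules.items():
        rp = norm(rule_path)
        if target == rp or target.startswith(rp + "\\"):
            if best is None or len(rp) > len(norm(best[0])):
                best = (rule_path, rule_level)  # most specific path wins
    if best:
        return best[1], "path rule"
    return policy.default_level, "default level"

# Constructed sample data (hypothetical paths and file content).
DESKTOP = r"C:\Documents and Settings\user\Desktop"
BAT = b"@echo off\r\necho constructed sample\r\n"

blacklist = Policy(UNRESTRICTED, path_rules={DESKTOP + r"\virus.bat": DISALLOWED})
by_hash = Policy(UNRESTRICTED, hash_rules={digest(BAT): DISALLOWED})
whitelist = Policy(DISALLOWED, path_rules={r"C:\Windows": UNRESTRICTED,
                                           r"C:\Windows\Temp": DISALLOWED})

if __name__ == "__main__":
    cases = [(DESKTOP + r"\virus.bat", BAT), (r"C:\Temp\virus.bat", BAT),
             (r"C:\Windows\System32\mmc.exe", b"constructed mmc bytes"),
             (r"C:\Windows\Temp\virus.bat", BAT)]
    for name, pol in (("path", blacklist), ("hash", by_hash), ("whitelist", whitelist)):
        for p, data in cases:
            print(name, p, evaluate(pol, p, data))
```

The path rule only covers the file where it currently sits, the hash rule covers the same content in any folder, and under the Disallowed level anything outside an Unrestricted path is blocked by default.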
Other policies
Apart from software restrictions, you can also set up the working environment without explicitly relying on specific executables. A careless user can cause lots of damage even without running certain programs. Below is a very short and by no means exhaustive overview of some of the options that you can set up to control your machine and its human operators.
Internet Explorer
Setup Zones
You can use this option to configure each of the Zones in detail. For example, you can ban a user from downloading files in the Internet Zone, but allow it for sites listed in the Trusted Zone.
Disable active content on CDs
Remember the story of the Sony DRM rootkit? Many people running Windows machines were infected with a rootkit simply by placing the music disc in the CD-ROM tray. What happened is that active content on the CD ran without user permission. Using this option would have been a good way of preventing it.
Restrict ActiveX control install
ActiveX controls are one of the nemeses of a typical Internet Explorer user. You can keep them away completely.
Windows Installer
Prevent removable media source install
One of the greatest dangers for any computer network is the presence of an insider, also known as Troy The Horse and Judah Iscariot. Many a wonderfully set-up network has been brought down by a careless user plugging in his USB flash disk and installing a program that he was otherwise unable to obtain from within the network.
Control Panel
If you know that a certain user is going to be sorely tempted to tweak just about anything that he may find, you might want to restrict his access to the Control Panel or certain functions thereof.
System
System-wise, you can prevent the user from accessing the registry, prevent access to the command prompt, run only some applications or bar him from running some others, disable autoplay of CDs, or configure Windows updates.
Some other, more useful policies that I can think of at the moment:
Computer Configuration > Windows Settings > Security Settings > Account Policies
- Password Policy > Minimum password length
- Password Policy > Password must meet complexity requirements
- Account Lockout Policy > Account lockout threshold
User Configuration > Administrative Templates > Windows Components
- Internet Explorer > Disable external branding of Internet Explorer
- Internet Explorer > Pop-up allow list
- Internet Explorer > Do not allow users to enable or disable add-ons
- Internet Explorer > Internet Control Panel > Disable the ... page (any or all)
- Internet Explorer > Administrator Approved Controls > Configure to your liking
- Windows Explorer > Hide these specific drives in My Computer
- Windows Messenger > Do not allow Windows Messenger to be run
- Windows Media Player > Playback > Prevent Codec Download
- Start Menu and Taskbar > Do not keep history of recently opened documents
- Start Menu and Taskbar > Turn off user tracking
- Control Panel > Add or Remove Programs > Remove Add or Remove Programs
- Control Panel > Display > Prevent changing wallpaper
- Shared Folders > Allow DFS roots to be published (set to Disabled)
- Network > Network Connections > Prohibit TCP/IP advanced configuration
- Network > Network Connections > Prohibit access to properties of a LAN connection
- Network > Network Connections > Prohibit access to the New Connection Wizard
The above sampling is just the tip of the iceberg. Going through all of them is impossible, because it
basically means configuring the entire Windows operating system, which is something that requires lots of time, careful planning and a personal touch. You should carefully browse through the available settings and decide what is the best choice for you. For more information about Group Policies, you may want to try the following link: How To Use the Group Policy Editor to Manage Local Computer Policy in Windows XP
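An added example, not part of the original article: a Python check of the three Account Policies listed above, run against the text of a `secedit /export /cfg` file. The sample export and the baseline values are assumptions made for illustration; adjust the baseline to your own needs.

```python
import configparser

# Constructed sample of a `secedit /export /cfg` file (values are made up).
SAMPLE_INF = """\
[Unicode]
Unicode=yes
[System Access]
MinimumPasswordLength = 0
PasswordComplexity = 0
LockoutBadCount = 0
[Version]
signature="$CHICAGO$"
Revision=1
"""

# Assumed baseline, not taken from the article:
# export key -> (policy name in the editor, check, expectation shown to the user)
BASELINE = {
    "MinimumPasswordLength": ("Minimum password length",
                              lambda v: v >= 8, ">= 8"),
    "PasswordComplexity": ("Password must meet complexity requirements",
                           lambda v: v == 1, "enabled (1)"),
    "LockoutBadCount": ("Account lockout threshold",
                        lambda v: 1 <= v <= 10, "1 to 10 attempts"),
}

def audit(inf_text: str):
    """Return (policy name, current value, expectation) for each failing setting."""
    parser = configparser.ConfigParser(interpolation=None)
    parser.optionxform = str  # keep the key case used in the export
    parser.read_string(inf_text)
    section = parser["System Access"] if parser.has_section("System Access") else {}
    findings = []
    for key, (name, ok, expected) in BASELINE.items():
        raw = section.get(key)
        value = int(raw) if raw is not None and raw.strip().isdigit() else None
        if value is None or not ok(value):  # a missing key is reported too
            findings.append((name, value, expected))
    return findings

if __name__ == "__main__":
    for name, value, expected in audit(SAMPLE_INF):
        print(f"{name}: current={value}, expected {expected}")
```

A real export is typically saved as UTF-16, so open it with `encoding="utf-16"` before passing its text to `audit`.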
Remember: Once you disable access to the Group Policy Editor, you will not be able to access it anymore except in the Safe Mode using the original Administrator account. This means that if you password-protect your Administrator account, you will be able to prevent other users from changing your settings. And that's it! You're set. Your computer is now protected. Your policies are protected. Lean back and enjoy the silence.
Conclusion
Group Policies are a very powerful weapon in the hands of a patient Windows user. With care, they can be set up to provide excellent, fire-and-forget security. They are freely available, use no resources whatsoever and will not clash with any program. Most importantly, by mastering their use, you will gain invaluable knowledge of the Windows operating system. It's definitely worth a try. Have fun! Cheers.