Use a group policy to control group policies

Tags: Brien M. Posey MCSE, Group Policy Console, group policy

Takeaway: Group policies give you a lot of control over your users. But when you implement lots of group policies, what's the best way to control them? More group policies of course. Here's how.


Group policies are Windows 2000 Server and Windows Server 2003's primary security mechanisms. However, there are times when group policies just don't get the job done. It's too easy to manipulate the way that more complex group policies are applied, thus manipulating the overall security policy for a computer or for a user. Ironically, the solution for overcoming the inherent weaknesses associated with group policies is to create a group policy that regulates group policies.

Why create extra group policies?
If you've never had a group policy-related security breach within your organization, then you might be wondering why you should go through the trouble of creating a separate group policy to control group policies. The truth is, though, that group policy-related group policies aren't for everyone. They're only intended for organizations that are using the more complex group policy structures.

As you may know, group policies are hierarchical in nature. There may be separate group policies for a domain, an OU, a local computer, etc. When a user logs on, Windows collects all of these policies and then combines them together to form the resultant set of policies for that user and machine. The problem is that it is sometimes possible to manipulate the system in a way that causes Windows to ignore one or more of the policies that would normally go into the resultant set of policies for a specific user or computer.

That's where a group policy-related group policy comes into play. This type of group policy can more tightly regulate how the resultant set of policies is formed, and make sure that nothing falls through the cracks.

Take note
Before I begin showing you all of the elements that go into a group policy-related policy, there are a couple of things that need to be explained. First, as I discuss this special group policy, you should keep in mind that you probably won't be creating an entirely new special policy. Instead, it's usually more appropriate to blend the policy elements that I'm going to show you with your existing policy elements. It's up to you to figure out at what level to place these new elements within the group policy hierarchy. I'll try to suggest a level when I can, but ultimately it's up to you to figure out what will work best for your own individual network.

The other thing that I need to explain is that although I will be showing you a lot of different group policy elements, you probably won't use them all. Instead, I'm simply showing what is available to you. It's up to you to decide which combination of these policy elements will work best on your network.

For the purposes of this article, I'll focus on Windows 2000 Server, not Windows Server 2003, but the principles apply equally to both versions.


Computer configuration settings
The Group Policy Console is divided into two main sections: computer configuration and user configuration. I'll begin my discussion by examining settings found within the Computer Configuration section. All of the settings that I will talk about in this section may be found by navigating through the group policy console tree to Console Root\your policy\Computer Configuration\Administrative Templates\System\Group Policy. You can see these settings shown in Figure A.

Figure A
All of the settings within this section control how group policies are applied at the computer level.


As you look at Figure A, you will notice that none of the group policy elements that I'm about to discuss are configured by default. Windows does this for two reasons. First, the design philosophy behind Windows 2000 is to leave security wide open and to leave it to the administrator to lock down the network. The other reason that these elements are not configured by default is to reduce logon time.

When a user logs in, all of the group policy elements at the various levels must be read, applied, and processed. It takes time to process each group policy element. Therefore, if there is a setting that I show you that you don't plan on using, it's better to leave the setting as Not Configured rather than just assigning the setting a null value or setting a policy element to Disabled.

Disable Background Refresh Of Group Policy Properties
There may be times when you make a change to a group policy element in the middle of the day, when users are logged on and working. Depending on the nature of the change that you have made, you may want the new policy setting to go into effect immediately. Alternatively, you may not want the policy to take effect until each user logs off, because of adverse effects that the new policy may have on the user's current work. This is where the Disable Background Refresh Of Group Policy Properties setting comes into play.

Normally, during the course of a day, group policies are refreshed and reapplied to both users and computers. Any changes that have been made to the group policies since the last refresh are applied at this time. However, if you enable this group policy element, you can prevent any changes from being applied to users or computers until the current user logs off.

Apply Group Policy For Computers Asynchronously During Startup
The Apply Group Policy For Computers Asynchronously During Startup setting is a dangerous setting that I recommend staying away from. If you enable this particular policy setting, Windows won't wait for all of the group policy settings to be applied before allowing users to log in. Instead, the logon prompt is displayed and a user may log in even though the group policy is incomplete. I strongly recommend setting this policy to either Not Configured or Disabled.

Apply Group Policy For Users Asynchronously During Logon
Like the Apply Group Policy For Computers Asynchronously During Startup setting, the Apply Group Policy For Users Asynchronously During Logon group policy element is one that you should probably leave alone. This group policy element is actually an extension of the last group policy element that I talked about. If the last group policy element that I discussed were enabled, users would be allowed to log in before the computer group policy is applied.

This group policy element controls whether Windows will display the computer desktop before the user group policy is applied. If this group policy element and the group policy element above are both enabled, a user could theoretically log in and begin working before a group policy is even applied to the computer. This particular group policy element has no effect if the Apply Group Policy For Computers Asynchronously During Startup option is disabled because, obviously, the desktop can't be displayed if a user has not even logged in yet.

User Group Policy Loopback Processing Mode
The Group Policy Loopback Processing Mode policy element is a little tricky. As I explained earlier, policies are normally applied at the computer level and at the user level and are then combined to form the resultant set of policies. However, there may be times when you want the computer policy to override the user policy. This is especially true if a computer is publicly accessible.

For example, in my home I have a computer room with more machines than I care to count. While some of these machines are used for experimental purposes related to my writing, I do have a production network that contains data such as everything that I have ever written, bank records, etc. No one is ever allowed to touch these machines. However, I also have a computer downstairs that is also a part of my production network. This is the machine that my friends use for surfing the Internet or playing games when they come to visit.

Normally, if I wanted to keep my friends out of my more sensitive data, all I would have to do is create user accounts for them and deny access to the more sensitive parts of the network. However, because of the "public" nature of this machine, I also want to make sure that my wife doesn't open anything sensitive from it. Therefore, I have implemented Group Policy Loopback Processing Mode.

The idea is that when my wife or I log in upstairs, we have full administrative access to the network. However, when we log on to the system downstairs, we have basically the same restrictions as our friends. This prevents one of us from accidentally staying logged in on that machine and one of our guests exploiting the account.

Group Policy Slow Link Detection
Although I have not yet discussed any of them in this article, you have probably noticed that Windows has a lot of settings (group policy and otherwise) related to slow links. If you've ever wondered what Windows considers to be a slow link, then this setting is for you. If you enable this group policy element, then Windows will be able to differentiate between a slow and a fast link and apply policies and settings accordingly. By default, Windows considers any link with throughput below 500 Kbps to be slow. However, this group policy element actually allows you to define what link speed you consider to be slow.

Registry Policy Processing
One of the ways that a group policy might be compromised is by an application that makes changes to the group policy-related portion of the registry. This option controls whether you will allow the system to update group policy values that are stored within the registry while users affected by the update are logged in. If an update occurs while a user is working within an application that relies on such a policy, the results can be disastrous. The application may crash, resulting in data loss and/or corruption.

Group Policy Processing
Windows has a number of subpolicies contained within the computer policy. These subpolicies control things such as folder redirection and disk quotas. It is possible for an application to configure such policies on your behalf. However, there are specific group policy settings that you can implement that will override any settings made by applications in these areas. For example, you could simply disable the policy, which would prevent it from being processed at all. Other options include whether you want to process the policy over a slow network link and whether you want to process the policy if the policy has not changed. The subpolicies that such settings can be applied to include the following:
  • Folder Redirection Policy Processing
  • Disk Quota Policy Processing
  • Scripts Policy Processing
  • Security Policy Processing
  • EFS Recovery Policy Processing
  • Software Installation Policy Processing
  • IP Security Policy Processing

User configuration settings
Just as the computer policy settings apply to specific computers, the user configuration settings apply to users as they log in. The settings that I am going to explain in this section all pertain to individual users. You can access these settings by navigating through the Group Policy tree to Console Root\your group policy\User Configuration\Administrative Templates\System\Group Policy. You can see this section of the group policy console in Figure B.

Figure B
These are the settings that apply to individual users.


Group Policy Refresh Interval For Users
This group policy element controls how often user-related group policies are refreshed. You can set the policy to refresh the user policy at anywhere from 0 minutes to 64,800 minutes. If you set the refresh rate to 0 minutes, the refresh will occur every seven seconds and your network will likely become overburdened by the overhead caused by the constant refreshes. If you go the other extreme and set refreshes for 64,800 minutes, then the refreshes will occur once every 45 days.

Another useful setting within this group policy element is the random timer. The random timer can be set for anything from 0 minutes to 1440 minutes (24 hours). The random timer functions as an offset. The time from the random timer is added to the time specified in the update interval. This prevents the system from becoming overburdened as it would if updates were applied to every single user simultaneously.

Group Policy Slow Link Detection
The Group Policy Slow Link Detection group policy element is used to determine what link speed Windows considers to be slow. The only difference between this setting and the slow link detection setting that I showed you earlier is that this setting applies to the user while the other slow link detection mechanism applies to the computer.
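To see which of the settings discussed so far are actually in force on a given machine, here is an added audit script (my example, not from the article) that reads the registry values the Administrative Template settings write: loopback mode, background refresh, slow link detection at both levels, and the user refresh interval with its random offset. The value names and their meanings are assumed from the Group Policy settings reference rather than taken from the article, so confirm them against your own .ADM files; PowerShell itself postdates Windows 2000, so this targets a current Windows host.

```powershell
# Added example, not from the article: audit the Group Policy processing
# settings discussed above by reading the registry values that the
# Administrative Template settings write. Value names and meanings are
# assumed from the Group Policy settings reference; confirm them against
# the .ADM files in your own environment before relying on the output.
$MachineKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\System'   # Computer Configuration
$UserKey    = 'HKCU:\Software\Policies\Microsoft\Windows\System'   # User Configuration

function Get-PolicyValue($Path, $Name) {
    # $null means the setting is Not Configured (key or value absent),
    # which the article recommends for anything you do not plan to use.
    if (-not (Test-Path $Path)) { return $null }
    (Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue).$Name
}

function Test-GroupPolicyProcessing {
    $findings = @()

    # User Group Policy Loopback Processing Mode (computer side): 1 = Merge, 2 = Replace
    $loopback = Get-PolicyValue $MachineKey 'UserPolicyMode'
    if ($null -eq $loopback)  { $findings += 'Loopback processing: Not Configured' }
    elseif ($loopback -eq 1)  { $findings += 'Loopback processing: Merge (computer GPOs applied after user GPOs)' }
    elseif ($loopback -eq 2)  { $findings += 'Loopback processing: Replace (only the computer location GPOs apply)' }

    # Disable Background Refresh Of Group Policy Properties (computer side)
    if ((Get-PolicyValue $MachineKey 'DisableBkGndGroupPolicy') -eq 1) {
        $findings += 'Background refresh disabled: changes wait until the user logs off'
    }

    # Group Policy Slow Link Detection exists at both levels; a value of 0 turns detection off
    foreach ($scope in ([ordered]@{ Computer = $MachineKey; User = $UserKey }).GetEnumerator()) {
        $rate = Get-PolicyValue $scope.Value 'GroupPolicyMinTransferRate'
        if ($null -eq $rate) { continue }
        if ($rate -eq 0)     { $findings += "$($scope.Key) slow link detection: disabled (all links treated as fast)" }
        else                 { $findings += "$($scope.Key) slow link threshold: $rate Kbps (default 500)" }
    }

    # Group Policy Refresh Interval For Users: interval plus random offset, both in minutes
    $interval = Get-PolicyValue $UserKey 'GroupPolicyRefreshTime'
    $offset   = Get-PolicyValue $UserKey 'GroupPolicyRefreshTimeOffset'
    if ($null -ne $interval) {
        if ($interval -eq 0) { $findings += 'User refresh interval 0: policy refreshes every 7 seconds (heavy load)' }
        else                 { $findings += "User policy refreshes every $interval to $($interval + $offset) minutes" }
    }
    $findings
}

Test-GroupPolicyProcessing
```

Settings that print nothing are Not Configured, which is the state the article recommends for any element you are not deliberately using.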

Group Policy Domain Controller Selection
This group policy setting can be used to determine what domain controller group policies are read from and written to. You have several options with this setting. The safest option is to leave the policy as unconfigured, which is the equivalent of allowing reads and writes on any available domain controller. As an alternative, you may also specify that reads and writes occur only on the PDC emulator or on another domain controller of your choice.

Normally, you would only specify a domain controller if the policy applied to an OU and the OU corresponded to an individual site. The policy could then be configured to designate a domain controller within that site. As I said, though, you are usually best off leaving this option alone because if you were to designate a specific domain controller and that domain controller went offline, then group policy reads and writes may become impossible.

Create New Group Policy Object Links Disabled By Default
If you enable this option, then any new group policy links that you create are disabled by default. If you choose to disable this option or to leave it as unconfigured, then all group policy links are enabled (active) by default.

Enforce Show Policies Only
The Group Policy Editor can normally display both true group policies and preferences. If you enable the Enforce Show Policies Only option, then preferences are hidden and only actual policies are shown. Be extremely careful with this option because once it is enabled, administrators cannot disable it.

Disable Automatic Update of ADM Files
Normally, when you open a group policy, Windows updates the .ADM files on your system. Therefore, the ADM files are always current. If, however, you enable this policy, then the ADM files will always be the version that they were just before you enabled this group policy element. If you want to update the ADM files after enabling this group policy element, you must either disable the group policy element or update the ADM files manually.

Defense in depth
Although group policies are Windows' primary security mechanism, there are weaknesses associated with the manner in which group policies are applied. Appending various administrative template settings to your existing group policies can be a great way of controlling how group policies are applied. Doing so adds to the complexities of your network administration duties, but it will also increase overall control.