Different Group Policy Settings

Group Policy includes policy settings that affect both Users and Computers. The settings under Computer Configuration control how the computer is configured. The settings under User Configuration control the user's logon session. Settings configured for a computer are processed first when the computer starts, followed by the User Configuration settings when the user logs on.

Both Computer and User Configuration have the following settings:

Software Settings

Software installation and upgrades are configured here. Two options are available for installing software:

  • Assign – When a software package is assigned to a computer, it is automatically installed on that computer and is available for use to all the users who log on to that computer. When a software package is assigned to a user, it is automatically installed when the user logs on to a computer and is available only for that user. Software assigned to a user will be available on all the machines the user logs on to.
  • Publish – Software can be published only to users and not computers. Published software is made available to the users in the Add/Remove Programs of the Control Panel. Users can install the software whenever the need arises.

Windows Settings

The following are some of the important Windows Settings that can be configured using Group Policies:

Scripts – Scripts are program code that performs some action when executed. Startup/Shutdown scripts can be configured for the computer and Logon/Logoff scripts can be configured for the user.

Security Settings – Both Computer and User configuration sections have many important security settings that can be configured here. Some of the most important settings are mentioned below:

Account policies: Settings related to password complexity, password length, password age, account lockout, etc., can be configured here.

Local Policies: Local Policies include Audit Policy, User Rights Assignment and Security Options.

  • Audit policy: Audit policy can record any successful or failed events which can be later viewed through an event log.
  • User Rights Assignment: Settings such as log on locally, log on through remote desktop services, etc., can be configured here.
  • Security Options: It includes the settings for Interactive log on messages, user account control, etc.

Software Restriction Policies: Administrators can configure Software Restriction Policy to determine what software a user can install on a machine. By creating a Hash rule, Certificate rule, Path rule, etc., the administrator can restrict users from installing harmful software.

Internet Explorer Maintenance: This setting can be used to impose an organization-wide internet policy by configuring proxy servers, home page, etc. This setting is available only under User configuration.

Folder Redirection: This setting enables the administrator to store important user files such as the profile folder and home folder in a secure, centralized location such as a file server. It results in high availability of the user's files and folders and easier management of backup and restore. This setting is available only under User configuration.

In addition to the above settings, there are other settings such as IP Security Policy, Public key policy, Windows Firewall, Registry and much more that can be configured under this section.
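The Account policies, Audit policy and User Rights Assignment settings described above can be reviewed offline from a security template INF file, the layout that `secedit /export` writes. The following Python is an added example, not part of the original article; the sample template, the `review_template` function and the baseline values are assumptions made for illustration.

```python
import configparser

# Constructed sample in the security-template INF layout written by
# `secedit /export` (all values below are made up for this example).
SAMPLE_INF = """\
[Unicode]
Unicode=yes
[System Access]
MinimumPasswordLength = 7
PasswordComplexity = 0
LockoutBadCount = 0
[Event Audit]
AuditLogonEvents = 1
AuditAccountLogon = 3
AuditPolicyChange = 0
[Privilege Rights]
SeInteractiveLogonRight = *S-1-5-32-544,*S-1-5-32-545
SeRemoteInteractiveLogonRight = *S-1-5-32-544,*S-1-1-0
"""

# Assumed review baseline for this example, not values taken from the article.
MIN_LENGTH = 12
EVERYONE = "*S-1-1-0"  # well-known SID of the Everyone group
AUDIT = {0: "none", 1: "success", 2: "failure", 3: "success+failure"}

def review_template(text):
    """Return findings for account, audit and user-rights settings."""
    inf = configparser.ConfigParser(interpolation=None, strict=False, delimiters=("=",))
    inf.optionxform = str  # keep setting names exactly as written
    inf.read_string(text)
    findings = []
    acct = inf["System Access"] if inf.has_section("System Access") else {}
    if int(acct.get("MinimumPasswordLength", 0)) < MIN_LENGTH:
        findings.append("account: minimum password length below baseline")
    if int(acct.get("PasswordComplexity", 0)) == 0:
        findings.append("account: password complexity disabled")
    if int(acct.get("LockoutBadCount", 0)) == 0:  # 0 = never lock out
        findings.append("account: account lockout disabled")
    if inf.has_section("Event Audit"):
        for name, value in inf["Event Audit"].items():
            if int(value) & 2 == 0:  # bit value 2 = failure events
                findings.append(f"audit: {name} records {AUDIT[int(value)]}, no failures")
    if inf.has_section("Privilege Rights"):
        for right, sids in inf["Privilege Rights"].items():
            if EVERYONE in [s.strip() for s in sids.split(",")]:
                findings.append(f"rights: {right} granted to Everyone")
    return findings
```

Exported templates on disk are typically UTF-16 encoded, so decode the file before passing its text to `review_template`.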

Administrative Templates

It contains a number of settings which can be used to customize the user/computer environment. Some of the important settings available under computer configuration:

  • Windows Components: Contains settings related to NetMeeting, Task Scheduler, Windows Installer, etc.
  • System: Contains settings related to Disk Quotas, Group Policy, Logon, Shutdown Options and much more.
  • Network: Contains settings related to Network Connections, Offline Files, etc.

Some of the important settings available under user configuration:

  • Control Panel: Contains settings related to the management of Control Panel such as Remove Add/Remove Programs.
  • Desktop: Contains settings related to the management of User's Desktop such as Wallpaper settings, Show/Hide desktop icons, etc.
  • Start Menu and Taskbar: Contains settings related to the configuration of start menu and taskbar such as lock taskbar, classic start menu, etc.
