In Part 1 of this series, I discussed the basics involved in securing a few key Windows 2000 areas. In Part 2, I cover the fundamentals of using Active Directory's (AD's) Group Policy to implement basic security features. AD is a huge topic, and I can't cover it all in this article. If you haven't installed or even looked at AD, read Microsoft's online documentation, peruse the information in Win2K Server Help, or pick up a book about AD. AD is important for properly deploying such Win2K security features as Encrypting File System (EFS), public key infrastructure (PKI), and Group Policy. I'll cover EFS and PKI in an upcoming article.
AD provides a more convenient way to manage your domain than Windows NT's primary and secondary domain management, which in large organizations, can be troublesome and time consuming. To install AD on a Win2K Server machine, click Start, Programs, Administrative Tools, Configure Your Server. Then, select Active Directory from the choices on the left. Follow the wizard steps, and in about 30 minutes to 1 hour, you'll have AD installed and ready to use. Now, let's look at Group Policy and the considerations involved in implementing this important AD feature.
Group Policy—AD Cornerstone
Group Policy is an important part of AD and Win2K security. With Group Policy, you can implement many of the same security features that I covered in Part 1, including the options in Local Security Policy, but you can implement these features for users and systems across the entire domain from a single point. In NT, you must manage all these security options on each system separately. Quite often, the task becomes so time-consuming that many administrators give up or apply the security to only the most important systems or accounts.
To get started with Group Policy, on a domain controller (DC), open the Microsoft Management Console (MMC) Active Directory Users and Computers snap-in (click Start, Programs, Administrative Tools, then select Active Directory Users and Computers), which Figure 1, page 2, shows. In the window's left pane is a list of folders for built-in user accounts, computers that are members of the domain, DCs, foreign security principals, and users. Right-click the domain or the organizational unit (OU) that you want to manage, then select Properties. The Properties dialog box, which Figure 2, page 2, shows, has three tabs: General, Managed By (which lets you document a resource group's business owner), and Group Policy. Click the Group Policy tab to see a list of the policies that exist on the domain or OU you selected. The default policy that shows up the first time you click the Group Policy tab is Default Domain Policy. You can edit, add, delete, or view the policies' properties. You can click Options to see choices for disabling the policy in this domain or OU and for setting the policy so that another, higher policy can't override it. The windows that pop up when you go through these option menus can be daunting, and some windows look the same as those in other areas but don't have the same options. Look through the menus and get oriented before making any changes.
On the Group Policy tab, click Add, enter a new group policy called Test, then click Enter to return to the Group Policy tab. Click Edit, and you see the window that Figure 3 shows. Let's look in more detail at the Group Policy options in the Computer Configuration and User Configuration folders.
Computer Configuration options. The Computer Configuration folder contains options for software settings, Windows settings, and administrative templates. In Software Settings, you can implement domainwide software distribution for a group. (For more information about implementing domainwide software distribution, see Win2K Server Help.) Windows Settings contains options to implement startup and shutdown scripts that you can use for a variety of security-related tasks. Windows Settings also contains standard security options (i.e., options that you would find on a system that doesn't have AD installed), such as account lockouts, auditing, and event logging. To define a setting, double-click an option, select the Define this policy setting check box, then make the changes you want. Figure 4 shows the window you get when you double-click the Security Policy Setting option. Note that any options that you choose not to define won't override existing system policies that you or someone else might have defined elsewhere.
The Administrative Templates folder contains options to apply policies to Windows components, system settings, network settings, and printers. To set an option, double-click it, and choose one of the three radio buttons (i.e., not defined, enabled, or disabled). Click the Explain tab to see a short description of the policy. I recommend reading the description before you change an option so that you don't make a change that causes problems. An important folder to note is the Group Policy folder (i.e., \Computer Configuration\Administrative Templates\System\Group Policy), in which you can set how and when Win2K propagates group policies to the systems in the domain or OU.
User Configuration options. On the surface, the options in the User Configuration folder might appear to be the same as the options in the Computer Configuration folder, but if you look closer, you'll see that the folders' options are quite different. An obvious difference is that in the Computer Configuration folder, you can implement the policies to entire domains, whereas in the User Configuration folder, you implement policies only directly to users. The options available here that aren't in the Computer Configuration folder are the options for setting how users can view or control the system folders, Control Panel, Start menu, desktop, network, and many other items. The settings you choose depend on your needs and on how much time you want to spend implementing the multitude of features available. You can go as far as limiting a user's control to a narrow selection of options, which can be helpful because users can cause security concerns or technical-support problems by installing unsupported software or by changing important system settings. Before implementing a setting, make sure you understand its function.
With this introduction to Group Policy basics, you can now see Group Policy's benefits and how much easier it makes administering your company's systems. For a couple of other tips that make AD administration easier, see the sidebar "Two Handy Win2K Features."
I've introduced you to AD's cornerstone, Group Policy. Now let me share some tips to follow when implementing AD and group policies.
Remember RAS. Keep RAS in mind when you implement AD on a mixed network—especially if your users use RAS from NT systems. Not all Group Policy security options are compatible with RAS. When implementing group policies that might affect how users view files or access network components, watch how the policies affect RAS operation, perhaps by performing tests as you apply various settings. You can compromise backward compatibility if you're not careful.
Remember AD's hardware requirements. Be aware that AD puts an extra load on a server. The extra boot time and added processing requirements might interfere with other duties on the server, so dedicating a system to AD is wise.
Delete unnecessary AD icons. One tip that I've found useful comes from Randy Franklin Smith (Security Administrator's technical editor and a Windows 2000 Magazine contributing editor). Delete AD management icons and maintain policy from the Active Directory Users and Computers snap-in. In particular, Administrative Tools contains two icons, Domain Security Policy and Domain Controller Security Policy, that you should delete. Because they're shortcuts, someone could inadvertently redirect or rename them, causing you to think you're changing one area when you're actually changing another area.
Maintain your AD system's physical security. Physical security of Win2K AD systems is as important as it is for NT systems. With a reboot into Directory Service (DS) repair mode, a malicious user can access sensitive DS settings and user password hashes. L0phtCrack still works on Win2K password hashes, although you must have Pwdump2 and administrative access. (For information about Pwdump2 and about using L0phtCrack with Win2K, see Randy Franklin Smith, "Access Denied," March 2001.)
Understand how setting override works. Because you're applying domainwide security, remember that as you set up OUs with group policies, they might override lower OUs' settings. In Group Policy, the highest policy overrides all the policies below it. You must plan your OU security implementation because some policies might have different options set for the same item than a policy below and therefore might restrict access that would otherwise be granted, or vice versa. Remember that the final settings are the combination of all policies that you've set from the domain level down to the OU.
I've touched only briefly on AD and Group Policy tips here. For more information, see Randy Franklin Smith, "Reducing the Risks Associated with Windows 2000's Group Policy," http://www.WindowsITsecurity.com, InstantDoc ID 9193.
AD All the Way
An AD environment offers more settings and options than I can cover in this article, but I've shown you how useful AD can be for easing administrative burdens and for providing security to the domain, its users, and its systems. Group Policy lets you enforce strong security policies companywide without having to spend hours implementing them on each system individually. Remember that as with any other Windows subsystem, vulnerabilities exist, and more will continue to crop up over time. Keeping abreast of the latest information will help you maintain security. AD facilitates the use of other great Win2K security features; watch for the next article in this series, which will cover PKI—which you can now implement, thanks to AD.