'System' is another Group Policy section where every administrator will benefit from restricting the users, if only by stopping them from hacking the registry. Before you start, compare and contrast the settings here with those in the Computer Configuration \ Administrative Templates \ Windows Components \ System folder.
These are settings that 'Mr Nasty' will love. 'Prevent Access to the Command Prompt'. Perhaps you have already removed the Run command; now you want to bolt the back door to the 'DOS Box'.
I cannot think of a good reason why ordinary users need Regedit, so I would enable 'Prevent Access to Registry editing tools'. Be careful with your logic here; the risk is that you end up with a double negative. For instance, setting 'Prevent access to Registry editing tools' to 'Disabled' would allow Regedit to run, which may be the reverse of what you intended.
'Don't run specified Windows applications' is another setting where you should double-check your logic. Here you are making a list of the bad guys: programs that ordinary users have no business running. 'Run only allowed Windows programs' takes locking down the desktop one stage further; in this case you specify only the programs that your people really need, for example Excel and Winword. Remember that this is a list of a few essential programs.
'Restrict these Programs from being run from Help'. This policy neatly closes a back door which savvy users exploit to sneakily run programs that they should not be using. Be on your guard, and choose the executables wisely.
Take a view on what should be done about 'Windows Automatic Updates'. Again, here is a policy to fit into your broader corporate network strategy. Two settings which could slightly improve users' experience are 'Configure Driver search locations' and 'Century Interpretation for year 2000'. The latter may become more relevant as we approach 2029!
'Code signing for drivers' is not a setting that you should leave to chance. I would Enable it, then choose 'Block' for drivers without digital signatures. Ask yourself, 'What are users doing installing device drivers anyway?'
I am a great fan of roaming profiles, especially for us administrators. With these settings you can alleviate worries that roaming profiles generate too much network traffic, by imposing limits on the size of the profiles and on the directories to include in the roaming profile.
Nothing much here. Perhaps you would want to run scripts visibly if you are testing, or if they had information for the users, but otherwise this is a section to ignore. By all means run legacy scripts hidden, but why not upgrade those batch files to VBScript?
The most controversial decision here is the Task Manager (not Taskbar). My view is to leave it enabled. Would it not save work all round if users could zap their own programs which are not responding? I can think of only a few specialist situations where you would want to deny users the Change Password and Lock Workstation tabs. Kiosk computers or communal internet machines would benefit from this policy. However, for the rest, leave the Ctrl+Alt+Del GPO at the default: Not Configured.
There are two ideas here that are worth a look. Firstly, are there any programs that clients always need? If so, then configure the 'Run Programs at Logon' setting. Secondly, have you been caught by viruses exploiting the 'Run Once' registry setting? If so, then you can block the registry RunOnce key with this policy.
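Because several of the settings discussed above (the registry-editing and command-prompt restrictions, the Don't run / Run only lists, the Ctrl+Alt+Del options and the RunOnce block) all come down to a single registry value under the user's Policies keys, the quickest way to catch a double negative is to read those values back after a `gpupdate`. The script below is an added example, not code from the original article; the registry paths and value names are the documented locations these policies write to, and the policy display names are the ones used in the Group Policy editor of that era. Run it as the restricted user to see what actually applied to them.

```powershell
# Added example: audit the user-policy registry values written by the System,
# Ctrl+Alt+Del Options and Logon settings discussed above, so that 'Enabled' really
# means Enabled and a mis-set 'Disabled' is spotted before users do.

$ExplorerPolicies  = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer'
$SystemPolicies    = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\System'
$WinSystemPolicies = 'HKCU:\Software\Policies\Microsoft\Windows\System'

# Policy display name, the key and value it writes, and the data 'Enabled' produces.
# DisableRegistryTools and DisableCMD use 2 for their stricter variants.
$Checks = @(
    @{ Policy = 'Prevent access to registry editing tools'; Key = $SystemPolicies;    Value = 'DisableRegistryTools';        EnabledIs = @(1, 2) },
    @{ Policy = 'Prevent access to the command prompt';     Key = $WinSystemPolicies; Value = 'DisableCMD';                  EnabledIs = @(1, 2) },
    @{ Policy = "Don't run specified Windows applications"; Key = $ExplorerPolicies;  Value = 'DisallowRun';                 EnabledIs = @(1) },
    @{ Policy = 'Run only allowed Windows programs';         Key = $ExplorerPolicies;  Value = 'RestrictRun';                 EnabledIs = @(1) },
    @{ Policy = 'Remove Task Manager';                       Key = $SystemPolicies;    Value = 'DisableTaskMgr';              EnabledIs = @(1) },
    @{ Policy = 'Remove Change Password';                    Key = $SystemPolicies;    Value = 'DisableChangePassword';       EnabledIs = @(1) },
    @{ Policy = 'Remove Lock Computer';                      Key = $SystemPolicies;    Value = 'DisableLockWorkstation';      EnabledIs = @(1) },
    @{ Policy = 'Do not process the run once list';          Key = $ExplorerPolicies;  Value = 'DisableLocalMachineRunOnce';  EnabledIs = @(1) },
    @{ Policy = 'Do not process the run once list (HKCU)';   Key = $ExplorerPolicies;  Value = 'DisableCurrentUserRunOnce';   EnabledIs = @(1) }
)

function Get-UserPolicyState {
    foreach ($c in $Checks) {
        # A missing key or value is not an error here: it simply means Not Configured.
        $item = Get-ItemProperty -Path $c.Key -Name $c.Value -ErrorAction SilentlyContinue
        $raw  = if ($null -ne $item) { $item.($c.Value) } else { $null }
        $state = if ($null -eq $raw)                  { 'Not Configured' }
                 elseif ($raw -eq 0)                  { 'Disabled (value 0)' }
                 elseif ($c.EnabledIs -contains $raw) { 'Enabled' }
                 else                                 { "Unexpected data: $raw" }
        [pscustomobject]@{ Policy = $c.Policy; Value = $c.Value; Data = $raw; State = $state }
    }
}

# For DisallowRun and RestrictRun the program list itself lives in a subkey of the
# same name, one REG_SZ value per executable ("1" = "regedit.exe", "2" = ...).
function Get-ProgramList([string]$Name) {
    $sub = Join-Path $ExplorerPolicies $Name
    if (Test-Path $sub) {
        (Get-Item $sub).Property | ForEach-Object { (Get-ItemProperty $sub -Name $_).$_ }
    }
}

Get-UserPolicyState | Format-Table -AutoSize
"Blocked programs (DisallowRun): $((Get-ProgramList 'DisallowRun') -join ', ')"
"Allowed programs (RestrictRun): $((Get-ProgramList 'RestrictRun') -join ', ')"
```

A 'Not Configured' line for a policy you believed you had enabled, or an 'Enabled' line next to Task Manager when you meant to leave it alone, is exactly the double negative the text warns about; run the audit again after correcting the GPO and refreshing policy.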
'Group Policy Slow Link Detection'. People often ask me: what is a slow link, 56K, 256K? Well, here you can decide, based on your experience of how long Group Policy settings take to apply when a client logs on remotely. The other settings here are to assist administrators who are configuring Group Policies.
Just one policy here: Prompt for Password on Resume from Hibernate. This is the classic trade-off, security versus convenience. I do believe that hibernating rather than turning machines off will be the way of the future. However, at present few people trust 'Hibernate', so this setting is not needed yet!
If you are fed up with those Win32 Time errors in the Event Log, then why not use a Group Policy to configure the Time Servers? In Windows Server 2003 domains Kerberos relies on time synchronization between servers; otherwise it thinks that a hacker has intercepted a packet and then put it back on the network 10 minutes later.
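Before blaming Kerberos for those Event Log errors it is worth measuring how far a client's clock actually drifts from a domain controller. The script below is an added example, not code from the original article, and uses only the built-in `w32tm.exe`. The DC name `DC01.example.com` is a placeholder; the 300-second threshold is the default for the Kerberos policy 'Maximum tolerance for computer clock synchronization' (5 minutes) and should be set to whatever your domain policy uses.

```powershell
# Added example: measure clock offset against a domain controller with w32tm.exe
# and warn when it exceeds the tolerance Kerberos will accept.
param(
    [string]$TimeSource     = 'DC01.example.com',  # placeholder DC name
    [int]   $MaxSkewSeconds = 300                  # default Kerberos tolerance; use your domain's value
)

# /stripchart /dataonly prints one sample per line in the form:  14:02:31, +00.0123456s
$lines = w32tm.exe /stripchart /computer:$TimeSource /samples:3 /dataonly

# Keep only lines that carry a signed offset; error lines ("..., error: 0x...") are skipped.
$offsets = foreach ($l in $lines) {
    if ($l -match ',\s*([+-]\d+\.\d+)s') { [double]$Matches[1] }
}
if (-not $offsets) {
    throw "No time samples returned from $TimeSource; check name resolution and UDP 123."
}

$avg = ($offsets | Measure-Object -Average).Average
"Average offset from {0}: {1:N3} s" -f $TimeSource, $avg

if ([math]::Abs($avg) -gt $MaxSkewSeconds) {
    Write-Warning "Clock skew exceeds $MaxSkewSeconds s; Kerberos will reject tickets. Fix the time source, then run: w32tm /resync"
}

# Show which source the local Windows Time service is actually using and its last sync result.
w32tm.exe /query /status
```

The `/query /status` output at the end is the one to compare with the Time Servers you set in Group Policy: if the Source line does not name your intended server, the policy has not applied or a local setting is overriding it.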
The Dsacls.exe Tool
Dsacls.exe is a command-line tool that you can use to query the security attributes and to change permissions and security attributes of Active Directory objects. It is the command-line equivalent of the Security tab in the Windows Active Directory snap-in tools such as Active Directory Users and Computers and Active Directory Sites and Services. You can use Dsacls.exe to lock out Terminal Services end-users from files and folders on a Windows Server 2003-based computer or a Microsoft Windows 2000-based computer.
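A typical use of Dsacls.exe is to record an object's ACL, delegate one narrow right, and verify the result. The snippet below is an added example, not code from the original article; the OU distinguished name and the `EXAMPLE\HelpDesk` group are placeholders, and the `/G` syntax (`trustee:permission;object-type-or-extended-right;inherited-object-type`) is the documented Dsacls form.

```powershell
# Added example: query, delegate and verify an OU's permissions with dsacls.exe.
$OU    = 'OU=Terminal Users,DC=example,DC=com'  # placeholder distinguished name
$Group = 'EXAMPLE\HelpDesk'                     # placeholder group to delegate to
$Before = Join-Path $env:TEMP 'ou-acl-before.txt'
$After  = Join-Path $env:TEMP 'ou-acl-after.txt'

# 1. Query: dump the current ACEs (what the Security tab would show) so you have a record first.
dsacls.exe $OU | Out-File $Before

# 2. Grant a narrow, delegated right rather than broad write access:
#    CA = control access (an extended right), here 'Reset Password' on user objects.
#    /I:S applies the ACE to sub-objects (the user accounts in the OU), not to the OU itself.
dsacls.exe $OU /I:S /G "${Group}:CA;Reset Password;user"

# 3. Verify, and keep the before/after difference with your change record.
dsacls.exe $OU | Out-File $After
Compare-Object (Get-Content $Before) (Get-Content $After)
```

Keeping the 'before' dump matters more than it looks: Dsacls has no undo, and the saved listing is what you will read when someone later asks why the help desk can reset passwords in that OU.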
Summary of System Group Policies
Start with the 'Root' section of Administrative Templates, Windows Components, System. Then follow through and investigate the folders, for example Logon, where you can block the RunOnce command.