Windows 2003 – Group Policy -> System
‘System’ is another Group Policy section where every administrator will benefit from restricting the users, if only by stopping them hacking the registry. Before you start, compare and contrast the settings here with those in the Computer Configuration \ Administrative Templates \ Windows Components \ System folder.
Group Policy Topics for System Folder
* Guy’s Top Five System Group Policies
- Prevent Access to Registry editing tools
- Restrict these Programs from being run from help
- Code signing for drivers
- Group Policy Slow Link Detection
These are settings that ‘Mr Nasty’ will love. ‘Prevent Access to the Command Prompt’. Perhaps you have already removed the run command, now you want to bolt the back door to the ‘Dos Box’.
I cannot think of a good reason why ordinary users need Regedit, so I would enable * ‘Prevent Access to Registry editing tools‘. Be careful with your logic here, the risk is that you have a double negative. For instance, ‘Disable’ the Prevent access to Registry, would allow Regedit to run, which may be the reverse of what you intended.
‘Don’t run specified Windows application’, is another setting where you should double check your logic. Here you are making a list of the bad guys, programs that ordinary users have no business running.
‘Run only allowed Windows programs’, takes locking down the desktop one stage further, in this case you specify only programs that your people really need, for example, Excel and Winword. Remember that this is a list of a few essential programs.
* ‘Restrict these Programs from being run from help‘. This policy neatly closes a back door which savvy users exploit to sneakily run programs that they should not be using. Be on your guard, and choose the executables wisely.
Take a view on what should be done about ‘Windows Automatic Updates’. Again, here is a policy to fit into your broader corporate network strategy.
Two settings which could slightly improve users experience are ‘Configure Driver search locations’ and ‘Century Interpretation for year 2000’. The latter may be more relevant as we approach 2029!
* ‘Code signing for drivers‘, this is not a setting that you should leave to chance, I would Enable, then ‘Block’ drivers without digital signatures. Ask yourself, ‘What are users doing installing device drivers anyway?’.
I like thePermissions Monitor because it enables me to see quickly WHO has permissions to do WHAT. When you launch this tool it analyzes a users effective NTFS permissions for a specific file or folder, takes into account network share access, then displays the results in a nifty desktop dashboard!
Think of all the frustration that this free utility saves when you are troubleshooting authorization problems for users access to a resource. Give this permissions monitor a try – it’s free!
I am a great fan of roaming profiles, especially for we administrators. With these settings you can alleviate worries that roaming profiles generate too much network traffic by imposing limits on the size of the profiles and the directories to include in the roaming profile.
Nothing much here, perhaps you would want to run script visibly if you are testing, or if it had information for the users, but otherwise a section to ignore. By all means run legacy scripts hidden, but why not upgrade those Batch files to VBScript?
The most controversial decision here is the Task Manager (not Taskbar). My view is to leave it enabled. Would it not save work all round if users could zap their own programs which are not responding?
I can think of only a few specialist situations where you would want to deny users Change password, and Lock Workstations tabs. Kiosk computers or communal internet machines would benefit from this policy. However, for the rest, leave the Ctrl Alt Del GPO as the default – not configured.