Group Policy User Security

You can find the associated security policies in the Computer Configuration section | Policies | Windows Settings | Security Settings | Account Policies, which contains three main groups of settings: Password Policy, Account Lockout Policy, and Kerberos Policy. Let's reiterate once again that these settings cannot be modified on an organizational unit or site level; the settings defined in the domain policy are the ones that become effective. Password policy, account lockout policy, and Kerberos policy were reviewed in detail in previous chapters.

Software Restriction Policy

E-mail and the Internet have become the lifeblood in most companies. Unfortunately, attackers are aware of that, and successful attacks are often launched using harmful attachments in e-mail messages, or using executable components on malicious web sites. While some viruses may be nothing more than pranks, others may prove to be very disruptive. The average user, unfortunately, will have a difficult time distinguishing between harmful and legitimate attachments. For this reason, many companies employ various content filtering / spam / virus scanning gateways and software.

However, antivirus software also has its problems; some vendors are better at keeping up to date with the emerging threats, but overall it is next to impossible to protect from malicious code that may have originated within the company's network and is not known to antivirus companies. Administrators can take advantage of software restriction implemented via group policies to allow only certain types of applications, or specific applications, to be executed. Using software restriction policies, administrators define a common security level (either Disallowed or Unrestricted or Basic User) and then create rules to define exceptions from a given security level. These custom rules can be based on one of the following four categories:

■ Hash rule Administrators can set up rules that allow users to execute certain applications with a known hash. Hashes for each application are calculated when you create this rule, and for as long as executable files remain unchanged, users will be able to launch applications that have matching hashes in the policy.

■ Certificate rule Using certificate rules, administrators can identify code signing certificates, which are considered safe for the organization. Applications signed with this certificate will be allowed.

■ Path rule Path rules are used to define locations of applications deemed to be safe. As with certificate rules, applications installed in directories that match this setting will be allowed.

■ Internet zone rule These rules can be used to restrict software according to where it was downloaded from. Zones available for this rule are the same as those defined in the Internet Explorer settings: trusted sites, restricted sites, local intranet, local computer, and the Internet.

If you select the Disallowed security level for your software restriction policy, user applications will not be allowed unless they are specifically permitted by one of the rules. If you select Unrestricted, user applications will be allowed unless specifically prohibited by one of the rules.

By default, when you install Windows, software restriction policies are not created within group policy objects, and the Software Restriction Policies container is empty. Using the context menu of this container in either the User or Computer Configuration section, Policies, Windows Settings, Security Settings, you can create a new software restriction policy.

Each one of the rules administrators create also has its own security levels. Thus, if your default security level is Disallowed, you will need to create rules with the Unrestricted security level. The opposite is true—if your default security level is Unrestricted, you will need rules with the Disallowed security level. Each category of rules has its own priority, which is used in case there is a rule conflict. Hash rules have the highest priority, followed by certificate rules, then path rules, and finally, Internet zone rules. This means that if the same application falls under the scope of more than one rule, the higher-priority rules will become effective.
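The precedence logic just described, as an added Python model that is not from the book and is not the Windows implementation: a default security level, one rule per category, and the hash > certificate > path > Internet zone priority when several rules match one file. SHA-256, the environment-variable mapping, the sample rules and the file paths are constructed for illustration.

```python
"""Constructed model of SRP rule precedence (not Microsoft's implementation): hash >
certificate > path > Internet zone decides between matching rules, a file matching no
rule gets the default level, and SHA-256 stands in for the file hash."""
import hashlib
from collections import namedtuple

DISALLOWED, UNRESTRICTED = "Disallowed", "Unrestricted"
PRIORITY = {"hash": 0, "certificate": 1, "path": 2, "zone": 3}  # lower number wins
# kind: "hash" | "certificate" | "path" | "zone"; match: hex digest, signer name,
# directory (may end in \*) or zone name; level: the security level the rule assigns
Rule = namedtuple("Rule", "kind match level")
# signer: subject of the code-signing certificate; zone: IE zone the file came from
FileInfo = namedtuple("FileInfo", "path content signer zone", defaults=["", "Local computer"])

def matches(rule, f, env):
    if rule.kind == "hash":
        return hashlib.sha256(f.content).hexdigest() == rule.match.lower()
    if rule.kind == "certificate":
        return f.signer == rule.match
    if rule.kind == "path":  # expand %SystemRoot%-style variables, then prefix-match
        folder = rule.match
        for name, value in env.items():
            folder = folder.replace(f"%{name}%", value)
        folder = folder.lower().rstrip("*").rstrip("\\") + "\\"
        return f.path.lower().startswith(folder)
    return rule.kind == "zone" and f.zone == rule.match

def effective_level(f, rules, default_level, env):
    hits = [r for r in rules if matches(r, f, env)]
    if not hits:
        return default_level
    # Highest-priority category wins; ties go to the more restrictive level.
    return min(hits, key=lambda r: (PRIORITY[r.kind], r.level != DISALLOWED)).level

ENV = {"SystemRoot": "C:\\Windows", "ProgramFiles": "C:\\Program Files"}
BAD_TOOL = b"MZ constructed sample of a banned binary"
RULES = [Rule("path", "%SystemRoot%\\*", UNRESTRICTED),  # keeps OS files runnable
         Rule("path", "%ProgramFiles%", UNRESTRICTED),
         Rule("hash", hashlib.sha256(BAD_TOOL).hexdigest(), DISALLOWED),
         Rule("certificate", "Contoso Ltd", UNRESTRICTED),
         Rule("zone", "Internet", DISALLOWED)]

def evaluate_samples():  # default level Disallowed: only rule-permitted software runs
    samples = [FileInfo("C:\\Windows\\System32\\notepad.exe", b"MZ notepad"),
               FileInfo("C:\\Program Files\\Contoso\\tool.exe", BAD_TOOL),  # hash beats path
               FileInfo("C:\\Users\\alice\\Downloads\\setup.exe", b"MZ setup", "Contoso Ltd", "Internet"),
               FileInfo("D:\\tmp\\unknown.exe", b"MZ unknown")]  # no rule: default applies
    return {s.path: effective_level(s, RULES, DISALLOWED, ENV) for s in samples}
```

The second sample shows why hash rules sit at the top of the order: a banned binary stays blocked even when it is dropped into an Unrestricted directory, while the third sample shows a certificate rule overriding an Internet-zone rule.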

By default, the system creates additional rules, which allow running programs and system utilities that are part of the operating system. This prevents situations in which you accidentally set the security level to Disallowed and forget to define rules for the operating system files. (This would prevent your computers from booting properly.) Default rules use system variables and wildcards to ensure that they will work regardless of where the operating system is installed.

In addition to rules and default security levels, you can also configure three additional settings:

■ Enforcement This setting allows administrators to define the scope of the software restriction policy as it applies to restricted applications. Specifically, you can configure whether a software restriction should be applied to all files of the application in question, or if dynamic link libraries (DLLs) should be excluded from the scope. Controlling access to libraries may be important if you suspect that the system is infected with a virus that targets these files. The downside is that protecting DLLs will slow down application performance, because every time a function stored in a DLL is executed, this policy has to be verified. The Enforcement setting also allows you to exclude local administrators from the scope of this policy. It is not uncommon for companies to have a practice of adding domain user accounts to the local administrators group on workstations, as this may be necessary to support legacy applications.

■ Designated File Types Here, you can define which file types are considered to be executable. For example, files such as VBS, BAT, CMD, and EXE are known to be executable, but depending on how you configure restriction policies, you may need to add or remove file types from this list.

■ Trusted Publishers This setting should be configured if you are using certificate rules. You can specify which of the three categories of users (domain administrators, local administrators, and users) can add software publishers to the trusted publishers list. Software distributed by companies that were added to the trusted publishers list will not be considered harmful. This applies to Internet downloads as well as ActiveX components that were signed with digital certificates. Certificate authorities maintain Certificate Revocation Lists (CRLs). Using the Trusted Publishers setting, you can also specify whether this revocation list should be checked before a publisher's certificate is trusted; leaving the check disabled speeds up access to applications.
