Welcome to MSFN

Register now to gain access to all of our features. Once registered and logged in, you will be able to contribute to this site by submitting your own content or replying to existing content. You'll be able to customize your profile, receive reputation points as a reward for submitting content, while also communicating with other members via your own private inbox, plus much more! This message will be removed once you have signed in.


Sign in to follow this  
Followers 0
David92595

Using Group Policies to Lock Down user PC's

3 posts in this topic

Basics:

Server Windows SBS 2008 R2

User Computers: Windows 7

One of our clients is now requiring us to harden (I think is the correct term) our network and user PC's. More specifically our client PC's, I need to find a guide to lock down everything from screen savers to access to the control panel and network tree.

Does anyone know of a reputable site that explains how to do this? Or even a good youtube video… Also, my supervisor is adamant that I make sure that any group policy put in place will not affect any unintended functions. Which is in itself quite hard, as I know very little about group policies, but i will once again ask for any information the tech community has on this subject.

As always any help is greatly appreciated,

David92595

0

Share this post


Link to post
Share on other sites

Microsoft has a utility called Security Compliance Manager (SCM), with baselines that you can download covering all sorts of secure scenarios across different products and operating system combinations. The policies are fully tested and supported by Microsoft, so you should be safe even if you're unsure how some of them work (and if you run into issues - they're supported by Microsoft, so you can always reach out to them without worry you've broken something in an unsupported way that's causing it). Be aware that security lock down can affect functionality, so knowing WHY you're locking things down beyond what is done out of the box is always the best place to start.

0

Share this post


Link to post
Share on other sites

Also if possible I would personally setup a virtual DC on your PC using NAT and a client ot test everything before pushing it out to the network. some of the GPOs can get unruly even with good test enviro.

It is always best to test them out and watch the rsop.msc / gpresult to see if anything is conflicting or just not working for whatever reason.

This is starting to sound like a diatribe but I want to make sure I steer you in the right direction and not to make some of the same mistakes a lot of us have with GPOs.

Get Group Policy Manager Console (GPMC) for your domain control if your on 2003 if your on 2008 I believe it already comes installed by default.

Also do not ever change the default domain GPO or the domain GPO. This is just a rule of thumb as they are basically templates for the DC. I personally make separate GPOs for different things such as servers, client PCs, Users, and other various things, keeping in mind that to many GPOs can clog up the users log on time. This is true for either large GPOs or to many while logging in. You can always alleviate this by writing scripts that run from a GPO after login, but all in all you don't want to affect the user experience to much or you will start getting calls like crazy.

Good luck with the GPO implementing.

0

Share this post


Link to post
Share on other sites

Create an account or sign in to comment

You need to be a member in order to leave a comment

Create an account

Sign up for a new account in our community. It's easy!


Register a new account

Sign in

Already have an account? Sign in here.


Sign In Now
Sign in to follow this  
Followers 0

  • Recently Browsing   0 members

    No registered users viewing this page.