Using Group Policies to Lock Down User PCs


David92595

Basics:

Server: Windows SBS 2008 R2

User Computers: Windows 7

One of our clients is now requiring us to harden (I think that is the correct term) our network and user PCs. More specifically, for our client PCs, I need to find a guide to lock down everything from screen savers to access to the control panel and network tree.

Does anyone know of a reputable site that explains how to do this? Or even a good YouTube video… Also, my supervisor is adamant that I make sure that any group policy put in place will not affect any unintended functions. Which is in itself quite hard, as I know very little about group policies, but I will once again ask for any information the tech community has on this subject.

As always any help is greatly appreciated,

David92595

Microsoft has a utility called Security Compliance Manager (SCM), with baselines that you can download covering all sorts of secure scenarios across different products and operating system combinations. The policies are fully tested and supported by Microsoft, so you should be safe even if you're unsure how some of them work (and if you run into issues - they're supported by Microsoft, so you can always reach out to them without worrying that you've broken something in an unsupported way that's causing it). Be aware that security lockdown can affect functionality, so knowing WHY you're locking things down beyond what is done out of the box is always the best place to start.

Also, if possible, I would personally set up a virtual DC on your PC using NAT, and a client, to test everything before pushing it out to the network. Some of the GPOs can get unruly even with a good test environment.

It is always best to test them out and watch the rsop.msc / gpresult to see if anything is conflicting or just not working for whatever reason.

This is starting to sound like a diatribe but I want to make sure I steer you in the right direction and not to make some of the same mistakes a lot of us have with GPOs.

Get the Group Policy Management Console (GPMC) for your domain controller if you're on 2003; if you're on 2008 I believe it already comes installed by default.

Also, do not ever change the default domain GPO or the domain GPO. This is just a rule of thumb, as they are basically templates for the DC. I personally make separate GPOs for different things such as servers, client PCs, users, and other various things, keeping in mind that too many GPOs can clog up the users' logon time. This is true for either large GPOs or too many while logging in. You can always alleviate this by writing scripts that run from a GPO after login, but all in all you don't want to affect the user experience too much or you will start getting calls like crazy.

Good luck with the GPO implementing.

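The lab workflow suggested in the replies above (a separate GPO, linked only to a test OU, then checked with an RSoP report) can be scripted with the GroupPolicy PowerShell module that ships with GPMC. This is an added example, not part of any post in the thread; the GPO name, OU, machine, user and folder are hypothetical lab values, and the registry values are the standard policy locations for the screen saver and Control Panel settings the question mentions.

```powershell
# Added example: run on the LAB domain controller, not in production.
# Every name in this first block is a hypothetical lab value.
Import-Module GroupPolicy

$GpoName  = 'Client-PC-Lockdown-TEST'          # separate GPO; default domain GPOs stay untouched
$TestOU   = 'OU=GPO-Test,DC=lab,DC=example'    # OU holding only the test user
$TestPC   = 'WIN7-TEST01'                      # Windows 7 test client
$TestUser = 'LAB\gpotest'                      # test account that has logged on to $TestPC
$OutDir   = 'C:\GPO-Test'
New-Item -ItemType Directory -Path $OutDir -Force | Out-Null

# 1. Create the GPO and link it to the test OU only (skipped if it already exists).
if (-not (Get-GPO -Name $GpoName -ErrorAction SilentlyContinue)) {
    New-GPO -Name $GpoName -Comment 'Lab test of client lockdown settings' | Out-Null
    New-GPLink -Name $GpoName -Target $TestOU -LinkEnabled Yes | Out-Null
}

# 2. User-side settings: password-protected screen saver after 15 minutes.
$desktop = 'HKCU\Software\Policies\Microsoft\Windows\Control Panel\Desktop'
$screenSaver = @{ ScreenSaveActive = '1'; ScreenSaverIsSecure = '1'; ScreenSaveTimeOut = '900' }
foreach ($name in $screenSaver.Keys) {
    Set-GPRegistryValue -Name $GpoName -Key $desktop -ValueName $name `
        -Type String -Value $screenSaver[$name] | Out-Null
}

# 3. User-side setting: block access to Control Panel.
$explorer = 'HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer'
Set-GPRegistryValue -Name $GpoName -Key $explorer -ValueName NoControlPanel `
    -Type DWord -Value 1 | Out-Null

# 4. Document what the GPO contains, for review before it goes anywhere near real users.
Get-GPOReport -Name $GpoName -ReportType Html -Path (Join-Path $OutDir 'gpo-settings.html')

# 5. After the test user has run "gpupdate /force" and logged off and on at the client,
#    pull the resultant set of policy to see which GPO won each setting and what was denied.
#    (Locally on the client, "gpresult /h report.html" produces the same kind of report.)
Get-GPResultantSetOfPolicy -Computer $TestPC -User $TestUser -ReportType Html `
    -Path (Join-Path $OutDir 'rsop-test-user.html')
```

Settings written with `Set-GPRegistryValue` show up under "Extra Registry Settings" in the GPO report; the RSoP report is where a conflicting or filtered-out GPO becomes visible.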
