Using Microsoft Tools for Policy-driven Security
Here is how to use Microsoft tools, including Group Policy ADMX and Group Policy Preferences, to enforce policy-driven compliance and security.
By Jeremy Moskowitz, PolicyPak
The much-publicized ransomware attack on Hollywood Presbyterian Medical Center in February shows just how vulnerable an enterprise can be. Hospital services came to a virtual stop for several days: surgeries were cancelled and patients were diverted to other facilities. Operations did not return to normal until a $17,000 ransom was paid.
Security professionals have traditionally taken a feudal approach to protecting the network: like a medieval king defending his castle, they spend roughly 80 percent of IT security resources keeping intruders outside a walled perimeter. The problem is that many vulnerabilities originate inside the network, with your own users.
The key is to implement a policy-driven network which ensures that:
- User-created security gaps are closed through locked-down settings and automatic remediation
- Devices are kept in constant compliance with IT and corporate security settings and preferences
- Known weaknesses in off-the-shelf applications are mitigated by configuring those applications securely
Fortunately, three tools readily available from Microsoft help enforce policy-driven compliance and security:
- Group Policy ADMX
- Group Policy Preferences
- Group Policy Security Settings
Microsoft Group Policy ADMX
Group Policy is about desktop and settings management for users, computers or both. You create a Group Policy Object (GPO) containing the settings you want and link it to a site, domain or organizational unit; the settings are then applied to every user and computer in scope.
A large part of what Group Policy does centers on Administrative Templates, which let administrators deliver registry settings that control operating system and application behavior, including security settings for both the user and the system.
Group Policy Admin Templates can be seen in Figure 1.
The templates provide administrators the ability to secure the desktop and designated applications. Some of the common policy settings which are implemented are:
- Hide the "Run" command from the Start menu
- Prevent access to registry editing tools such as Regedit
- Hide specific Control Panel applets
- Configure the Trust Center settings within your Microsoft Office suite applications, such as disabling all macros or enforcing "Protected View" of Office files
The Administrative Templates are defined by ADMX files (and their language-specific ADML files). A set ships in the box with each Windows release, and updated sets can be downloaded from Microsoft. Every operating system and every Office suite release has settings unique to it, which is why each release has its own ADMX files; the Office templates in particular are not in the box and must be downloaded separately.
To fully manage the settings of each OS or Office release, you need its ADMX files. For instance, if you build your Group Policy Objects with only the out-of-the-box templates from Server 2012 R2, you cannot manage settings for Microsoft Edge, because you are missing MicrosoftEdge.admx, one of several ADMX files that apply only to Windows 10 machines.
To manage Windows 10 settings, download the Windows 10 ADMX files from Microsoft; they come as an MSI that extracts the templates into a folder on your machine. Copy the ADMX files, together with the ADML files in their language subfolder (for example en-US), into the central store: the PolicyDefinitions folder under SYSVOL (\\<domain>\SYSVOL\<domain>\Policies\PolicyDefinitions) where all of your other ADMX files live. The Group Policy editor reads templates from the central store whenever that folder exists, so a template missing from it is missing for every administrator. (Legacy ADM files are not part of the central store; they are stored inside each GPO.)
Even if you don’t have Windows 10 machines in your network, you should always download the most up-to-date ADMX files.
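The steps above, as an added PowerShell example (not code from the article or from PolicyPak): it stages a downloaded ADMX set into the central store, copies the matching ADML files, and then verifies that the templates you rely on are present. The extraction path, the domain name and the three template names checked at the end are assumptions; replace them with your own.

```powershell
# Added example (not from the article): stage a downloaded ADMX set into the
# Group Policy central store and confirm the templates you need are present.
# Assumptions: the MSI was already extracted to $Source, you run this with
# rights to write to SYSVOL, and the domain is contoso.com (placeholders).
param(
    [string]$Source   = 'C:\Program Files (x86)\Microsoft Group Policy\Windows 10\PolicyDefinitions',
    [string]$Domain   = 'contoso.com',
    [string]$Language = 'en-US'
)

$CentralStore = "\\$Domain\SYSVOL\$Domain\Policies\PolicyDefinitions"

# Create the store the first time; the Group Policy editor switches to it
# automatically once this folder exists.
if (-not (Test-Path $CentralStore)) {
    New-Item -ItemType Directory -Path $CentralStore | Out-Null
}

# Copy the ADMX files, overwriting older versions of the same template.
Copy-Item -Path (Join-Path $Source '*.admx') -Destination $CentralStore -Force

# ADML files carry the display strings. Without the matching language folder the
# editor cannot load the template and reports that its string resources are missing.
$langSrc = Join-Path $Source $Language
$langDst = Join-Path $CentralStore $Language
if (-not (Test-Path $langDst)) { New-Item -ItemType Directory -Path $langDst | Out-Null }
Copy-Item -Path (Join-Path $langSrc '*.adml') -Destination $langDst -Force

# Verify: every ADMX needs an ADML, and the templates we care about must exist.
$admx = Get-ChildItem $CentralStore -Filter *.admx | ForEach-Object { $_.BaseName }
$adml = Get-ChildItem $langDst     -Filter *.adml | ForEach-Object { $_.BaseName }
$missingAdml = $admx | Where-Object { $_ -notin $adml }
if ($missingAdml) {
    Write-Warning "ADMX files without a $Language ADML: $($missingAdml -join ', ')"
}

# Placeholder list of templates this environment depends on.
foreach ($required in 'MicrosoftEdge', 'WindowsDefender', 'inetres') {
    if ($required -in $admx) {
        Write-Host "OK      $required.admx"
    } else {
        Write-Warning "MISSING $required.admx (its settings will not appear in the editor)"
    }
}
```

Run it once per ADMX download, including when a new Windows or Office release ships; newer ADMX files supersede older ones of the same name, so copying with -Force is the intended behavior.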
Microsoft Group Policy Preferences
Group Policy isn't just about Administrative Templates. Group Policy Preferences (GPP) can deliver look-and-feel settings as well as power-management and security settings.
Some of the popular security related-policies that GPP can deliver are:
- Controlling membership of the local Administrators group on all of your client machines
- Reducing your attack surface by disabling unnecessary services
- Provisioning VPN connections for mobile or remote users
While not every setting you might want to configure is available using Group Policy Preferences, it does get you started down the road to better security.
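A preference item only helps if it actually lands on the client, so here is an added PowerShell example (not code from the article or from PolicyPak) that checks the first two items above on a set of machines: whether the local Administrators group contains exactly the approved principals, and whether the services you disabled through GPP are really disabled and stopped. The computer names, the approved-admin list and the service names are placeholders, and the script assumes PowerShell Remoting is enabled and that Get-LocalGroupMember is available on the clients (Windows 10 / Server 2016 or later).

```powershell
# Added example (not from the article): verify that GPP "Local Users and Groups"
# and "Services" items took effect on the clients. All names below are placeholders.
# "LOCAL\" in the approved list stands for the machine's own built-in account.
param(
    [string[]]$ComputerName      = @('WKS-001', 'WKS-002'),
    [string[]]$ApprovedAdmins    = @('CONTOSO\Domain Admins', 'CONTOSO\Workstation-Admins', 'LOCAL\Administrator'),
    [string[]]$ServicesToDisable = @('RemoteRegistry', 'SSDPSRV', 'TlntSvr')
)

$check = {
    param($ApprovedAdmins, $ServicesToDisable)
    $me = $env:COMPUTERNAME
    $results = @()

    # 1. Local Administrators membership: anything extra is an escalation path,
    #    anything missing means the GPP item did not apply.
    $approved = $ApprovedAdmins -replace '^LOCAL\\', "$me\"
    $members  = Get-LocalGroupMember -Group 'Administrators' | Select-Object -ExpandProperty Name
    foreach ($m in $members) {
        if ($m -notin $approved) {
            $results += [pscustomobject]@{ Computer = $me; Check = 'LocalAdmin'; Item = $m; Status = 'UNEXPECTED' }
        }
    }
    foreach ($a in $approved) {
        if ($a -notin $members) {
            $results += [pscustomobject]@{ Computer = $me; Check = 'LocalAdmin'; Item = $a; Status = 'MISSING' }
        }
    }

    # 2. Services the GPP Services item should have set to Disabled and stopped.
    foreach ($name in $ServicesToDisable) {
        $svc = Get-Service -Name $name -ErrorAction SilentlyContinue
        if (-not $svc) { continue }   # not installed on this edition; nothing to check
        if ($svc.StartType -ne 'Disabled' -or $svc.Status -ne 'Stopped') {
            $results += [pscustomobject]@{
                Computer = $me; Check = 'Service'; Item = $name
                Status   = "StartType=$($svc.StartType) Status=$($svc.Status)"
            }
        }
    }
    $results
}

$findings = Invoke-Command -ComputerName $ComputerName -ScriptBlock $check `
                           -ArgumentList $ApprovedAdmins, $ServicesToDisable -ErrorAction Continue

if ($findings) {
    $findings | Sort-Object Computer, Check | Format-Table Computer, Check, Item, Status -AutoSize
} else {
    'All machines match the GPP baseline.'
}
```

Machines that are unreachable produce an error rather than a finding, so treat a clean run as "every machine that answered is compliant" and reconcile the list of responders separately.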
Group Policy Security Settings
Group Policy has an entire section of security settings you can use to better secure your devices and network. For instance, you can configure password policies, account lockout thresholds and durations, and user rights assignments. You can also enable auditing for logon events, object access and privilege use.
An example of these and other options are seen in Figure 2.
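To see what a machine actually ended up with, here is an added PowerShell example (not code from the article or from PolicyPak) that exports the effective password and lockout policy with secedit, compares it to a baseline, and checks that the audit subcategories behind "logon events, object access and privilege use" are switched on. Run it elevated on the machine being checked. The baseline numbers and the three subcategory names are placeholders for your own policy, not values the article prescribes.

```powershell
# Added example (not from the article): compare the effective security policy
# on this machine with a baseline. Baseline values and subcategory names are placeholders.
$Baseline = @{
    MinimumPasswordLength = 14
    PasswordComplexity    = 1     # 1 = complexity requirements enabled
    PasswordHistorySize   = 24
    LockoutBadCount       = 10    # 0 would mean "no lockout"
    LockoutDuration       = 15    # minutes
    ResetLockoutCount     = 15    # minutes
}
$AuditSubcategories = 'Logon', 'File System', 'Sensitive Privilege Use'

# secedit writes an INI-style file; only the [System Access] section is needed here.
$inf = Join-Path $env:TEMP 'effective-secpol.inf'
secedit.exe /export /cfg $inf /quiet | Out-Null

$section = ''
$actual  = @{}
foreach ($line in Get-Content $inf) {
    if ($line -match '^\[(.+)\]$') { $section = $Matches[1]; continue }
    if ($section -ne 'System Access') { continue }
    if ($line -match '^(\w+)\s*=\s*(.+)$') {
        $value = $Matches[2].Trim()
        # Numeric settings become integers; names such as NewAdministratorName stay strings.
        $actual[$Matches[1]] = if ($value -match '^-?\d+$') { [int]$value } else { $value.Trim('"') }
    }
}
Remove-Item $inf -Force

$drift = @(foreach ($key in ($Baseline.Keys | Sort-Object)) {
    if (-not $actual.ContainsKey($key)) {
        [pscustomobject]@{ Setting = $key; Expected = $Baseline[$key]; Actual = '(not set)' }
    } elseif ($actual[$key] -ne $Baseline[$key]) {
        [pscustomobject]@{ Setting = $key; Expected = $Baseline[$key]; Actual = $actual[$key] }
    }
})

# auditpol /r emits CSV with an "Inclusion Setting" column such as
# "Success and Failure" or "No Auditing". Skip blank lines before parsing.
$subs  = $AuditSubcategories -join ','
$audit = auditpol.exe /get "/subcategory:$subs" /r | Where-Object { $_ -match '\S' } | ConvertFrom-Csv
foreach ($row in $audit) {
    if ($row.'Inclusion Setting' -notmatch 'Success') {
        $drift += [pscustomobject]@{
            Setting = "Audit: $($row.Subcategory)"; Expected = 'Success'; Actual = $row.'Inclusion Setting'
        }
    }
}

if ($drift.Count -gt 0) {
    $drift | Format-Table Setting, Expected, Actual -AutoSize
} else {
    'Effective policy matches the baseline.'
}
```

Because secedit reports the merged result of every GPO that applies, this is also the quickest way to notice when a lower-precedence GPO or a local setting is winning over the one you intended.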
AppLocker and Software Restriction Policies
Another example of enforcing security through Group Policy is either Software Restriction Policies or AppLocker.
Your organization may have a content filtering server that prevents users from accessing sites that go against your web security policy. A common way that users avoid content filtering is to download proxy clients in the form of an executable such as Psiphon or Ultrasurf. The user simply clicks on the file and a private browsing window is launched, which could sidestep your own proxy or security settings.
Software Restriction Policies or AppLocker can prevent users from launching these, or any other executable you have not approved.
AppLocker is the stronger of the two. Both can be configured as an allow list (a default-deny level plus rules for permitted software) rather than only as a block list, but AppLocker's rule model makes that practical: publisher rules keep allowing signed software across version updates, rules can be scoped to specific users or groups, separate collections cover executables, scripts, installers, DLLs and packaged apps, and an audit-only mode shows what would be blocked before you enforce. The trade-off is that AppLocker enforcement is only available on Enterprise (and Education) editions of the client operating system and on Windows Server, while Software Restriction Policies is available on all editions.
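Here is an added PowerShell example (not code from the article or from PolicyPak) of the allow-list approach: it inventories the executables on a clean reference machine, generates AppLocker allow rules from them, deploys the rule collection to a GPO in audit-only mode, and asks AppLocker how it would treat a proxy client sitting in a user's Downloads folder. It assumes an Enterprise edition with the AppLocker module; the GPO LDAP path, the user name and the two file paths are placeholders.

```powershell
# Added example (not from the article): build an AppLocker executable allow-list
# and deploy it in audit-only mode. LDAP path, user and file paths are placeholders.
Import-Module AppLocker

$GpoLdap   = 'LDAP://DC01.contoso.com/CN={GPO-GUID},CN=Policies,CN=System,DC=contoso,DC=com'
$PolicyXml = Join-Path $env:TEMP 'applocker-exe-audit.xml'

# 1. Inventory the executables on the reference install. Publisher rules survive
#    version updates of signed software; unsigned binaries fall back to hash rules.
$reference = Get-AppLockerFileInformation -Directory 'C:\Program Files', 'C:\Program Files (x86)', 'C:\Windows' `
                                          -Recurse -FileType Exe

# 2. Generate allow rules for Everyone. No explicit deny rule is needed for
#    Psiphon, Ultrasurf or any other download: a file matched by no allow rule is denied.
$xml = New-AppLockerPolicy -FileInformation $reference -RuleType Publisher, Hash `
                           -User Everyone -RuleNamePrefix 'Baseline' -Optimize -Xml

# 3. Start in audit-only mode so the first weeks only log what would have been blocked.
$xml = $xml -replace 'EnforcementMode="NotConfigured"', 'EnforcementMode="AuditOnly"'
Set-Content -Path $PolicyXml -Value $xml -Encoding UTF8

# 4. Dry-run the policy against real files before touching the GPO.
Test-AppLockerPolicy -XmlPolicy $PolicyXml -User 'CONTOSO\alice' -Path @(
    'C:\Windows\System32\notepad.exe',         # signed by Microsoft: matched by a publisher rule
    'C:\Users\alice\Downloads\psiphon3.exe'    # matched by nothing: denied by the default rule
) | Format-Table FilePath, PolicyDecision, MatchingRule -AutoSize

# 5. Publish to the GPO. -Merge keeps any rule collections already in that GPO.
Set-AppLockerPolicy -XmlPolicy $PolicyXml -Ldap $GpoLdap -Merge

# 6. On a client, audit mode records "would have been blocked" as event ID 8003.
Get-WinEvent -LogName 'Microsoft-Windows-AppLocker/EXE and DLL' -ErrorAction SilentlyContinue |
    Where-Object Id -eq 8003 |
    Select-Object TimeCreated, Message -First 10
```

Two caveats before switching the collection from AuditOnly to Enabled: AppLocker only enforces while the Application Identity service is running, so pin it to Automatic (a GPP Services item does this neatly), and review the 8003 events for line-of-business software that lives outside Program Files, or you will block your own users on day one.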
Final Thoughts on Policy Enforcement
Using Group Policy ADMX, Group Policy Preferences and Group Policy Security Settings (including Software Restriction Policies and AppLocker) puts you, rather than your users, in charge of the desktop.
It's up to you to:
- Limit users to applications that have been approved by the organization
- Block outdated software that is no longer patched and may be vulnerable
- Prevent the use of unlicensed software
- Blacklist or whitelist specific applications
Remember, out of the box Windows is a free range for applications and lets users run whatever they want. It's up to you to restrict it and turn it into a secure, managed desktop.
Jeremy Moskowitz founded PolicyPak Software after working with hundreds of customers with the same problem: they couldn't manage their applications using the technology they already had. His solution: PolicyPak Application Manager, the flagship product of PolicyPak Software. He's still busy providing ever-better and more tailored solutions to that basic problem through PolicyPak Software.
He also founded GPanswers.com, a community portal for all things Group Policy. Jeremy's best-selling Group Policy books are on the desks of happy administrators everywhere. Learn more at www.GPanswers.com/books.
Jeremy holds a Computer Science degree from the University of Delaware, was one of the first MCSEs in the world, and has been designated an MVP in Group Policy by Microsoft for the last several years running.