Creating a Server Management Group Policy on Windows Server 2003

Edited June 19, 2009 to create the initial group policy in the Group Policy Objects node in the Group Policy Management Console.  Too many group policy novices were locking themselves out of their Servers before I could finish Part 3.

Creating a server management group policy is a critical task that needs to be completed before allowing users access to any Terminal Server or XenApp Server.  By default, any user who can log in to the server can do many dangerous things.  For example, the user can:

  • Shut down the server
  • Reboot the server
  • Use Internet Explorer to install Windows Updates
  • Access the server’s hard drives

Note:  Instead of saying Terminal Server and or XenApp Server throughout this article, I will use the term Server or Servers.

Many administrators refer to this as "locking down the Server".  I prefer to use "managing the Server".  Many administrators add other group policy items that do not add to "locking down" a Server but add to the management of a Server.

Just like there is no one way to design Active Directory (AD), there is no one way to design a Server management group policy.  What works for high security environments would probably be overkill for a small business.  If you were to gather ten network administrators in a room there will probably be ten different viewpoints on the "proper and secure" way to manage a Server.

From this article you will learn the basics of creating a group policy for managing your Server.  This article will be using Windows Server 2003 R2 with SP2 with all Windows Critical, or High Priority, Updates, except Internet Explorer 8, as of May 2009.  The following assumptions are made:

  • The Group Policy Management Console is installed.  If not, please see this Microsoft site.
  • Your Servers are in their own Organizational Unit (OU)
  • You are familiar with the concept of Loopback Processing Mode
  • You know how to create a Group Policy Object (GPO) and link it
  • Internet Explorer 7 is installed on the Server

Note:  This article uses the terms "expand" and "collapse".  Expand means to click the "+" sign next to a node in the GPO (Figure 1).  Collapse means to click the "-" sign next to a node in the GPO (Figure 2).

Figure 1 (Expand a GPO node)

Figure 2 (Collapse a GPO node)

Start the Group Policy Management tool, navigate to the Group Policy Objects node and create a GPO  (Figure 3).

Note: Do NOT create the GPO and link it to the OU containing your Servers unless you know how to Deny applying the GPO to your Server Administrators.  If you create the GPO, link it to your Server’s OU and you do not Deny the GPO to your Server Administrators, you could lock yourself out of making any changes to your Servers.

Figure 3

The first setting that needs to be configured is to set the loopback processing mode.

In Computer Configuration, expand Administrative Templates, expand System, click on Group Policy, double-click User Group Policy loopback processing mode, select Enabled, change Mode to Replace and then click OK (Figure 4).

Figure 4

Collapse System, expand Windows Settings, expand Security Settings, expand Local Policies, click Security Options and Enable the following Settings (Figure 5):

  • Devices: Restrict CD-ROM access to locally logged-on user only
  • Devices: Restrict floppy access to locally logged-on user only
  • Interactive logon: Do not display last user name

Figure 5

Collapse Local Policies, click System Services and Disable the following service (Figure 6):

  • Help and Support

Figure 6

Collapse Windows Settings, expand Administrative Templates, expand Windows Components, click Windows Installer and Enable the following setting (Figure 7):

  • Allow admin to install from Terminal Services session

Figure 7

Collapse Computer Configuration.

In the User Configuration section, expand Administrative Templates, expand Windows Components, click on Internet Explorer and Enable the following settings (Figure 8):

  • Disable "Configuring History"
    • Days to keep pages in History: 20 (Default number)
  • Disable changing Advanced page settings
  • Disable changing Automatic Configuration settings
  • Disable changing Calendar and Contact settings
  • Disable changing certificate settings
  • Disable changing connection settings
  • Disable changing default browse check
  • Disable changing home page settings
  • Disable changing Messaging settings
  • Disable changing Profile Assistant settings
  • Disable changing proxy settings
  • Disable changing ratings settings
  • Disable changing Temporary Internet files settings
  • Disable Internet Connection wizard
  • Disable the Reset Web Settings feature
  • Do not allow users to enable or disable add-ons
  • Prevent participation in the Customer Experience Improvement Program
  • Prevent performance of First Run Customize settings
    • Select your choice: Go directly to home page
  • Search: Disable Find Files via F3 within the browser
  • Turn off Managing Phishing filter
    • Select phishing filter mode: Off
  • Use Automatic Detection for dial-up connections

Figure 8

Under Internet Explorer, double-click Internet Control Panel and Enable the following settings (Figure 9):

  • Disable the Advanced page
  • Disable the Connections page
  • Disable the Content page
  • Disable the Privacy page
  • Disable the Programs page
  • Disable the Security page

Figure 9

In the Settings column, double-click Advanced Page and Enable the following setting (Figure 10):

  • Empty Temporary Internet Files folder when browser is closed

Figure 10

Under Internet Explorer, expand Security Features, click on Restrict ActiveX Install and Enable the following setting (Figure 11):

  • Internet Explorer Processes

Figure 11

Under Internet Explorer, click Toolbars and Enable the following settings (Figure 12):

  • Configure Toolbar Buttons
    • Enable (Check) the following buttons (Figure 13)
      • Show Back button
      • Show Forward button
      • Show Stop button
      • Show Refresh button
      • Show Home button
      • Show Favorites button
      • Show History button
  • Disable customizing browser toolbar buttons

Figure 12

Figure 13

Under Internet Explorer, click Browser menus and Enable the following settings (Figure 14):

  • Disable Context menu
  • Disable Save this program to disk option

Figure 14

Collapse Internet Explorer, click on Windows Explorer and Enable the following settings (Figure 15):

  • Do not request alternate credentials
  • Hide these specified drives in My Computer (Select one of the following)
    • Restrict A and B drives only
    • Restrict C drive only
    • Restrict D drive only
    • Restrict A, B and C drives only
    • Restrict A, B, C and D drives only
    • Restrict all drives
    • Do not restrict drives
  • Hides the Manage item on the Windows Explorer context menu
  • Prevent access to drives from My Computer (Select one of the following)
    • Restrict A and B drives only
    • Restrict C drive only
    • Restrict D drive only
    • Restrict A, B and C drives only
    • Restrict A, B, C and D drives only
    • Restrict all drives
    • Do not restrict drives
  • Remove CD Burning features
  • Remove Hardware tab
  • Remove Search button from Windows Explorer
  • Remove Security tab
  • Remove Windows Explorer’s default context menu
  • Turn off Windows+X hotkeys

NOTE:  When the Hide these specified drives in My Computer and Prevent access to drives from My Computer settings are enabled, there is a drop-down box that allows the selection of various drive combinations.  What if the drives you need hidden are not on the list?  See the companion article How To Hide Additional Drive Letters On A Server.

Figure 15
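
The drop-down offers only seven combinations because each of the two settings writes a single DWORD bitmask, NoDrives (hide) and NoViewOnDrive (prevent access), under HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer, with bit 0 = A:, bit 1 = B:, and so on up to bit 25 = Z:. The PowerShell below is an added example, not code from this article or its companion piece: it computes the mask for any set of drive letters and decodes the masks currently applied to the logged-on user; it assumes PowerShell is available on the Server.

```powershell
# Added example (not from the article): the "Hide these specified drives" and
# "Prevent access to drives" settings write one DWORD each, NoDrives and
# NoViewOnDrive, under HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer.
# Bit 0 is A:, bit 1 is B:, ... bit 25 is Z:, so the drop-down choices are just
# fixed masks: A,B = 3; C = 4; D = 8; A,B,C = 7; A,B,C,D = 15; all = 67108863; none = 0.
$Alphabet = 'ABCDEFGHIJKLMNOPQRSTUVWXYZ'

# Build the mask for any set of drive letters, e.g. Get-DriveMask E, F gives 48
function Get-DriveMask {
    param([string[]]$Letters)
    $mask = 0
    foreach ($l in $Letters) {
        $c = $l.Trim().TrimEnd(':').ToUpper()
        if ($c.Length -ne 1 -or $Alphabet.IndexOf($c) -lt 0) { throw "Invalid drive letter: '$l'" }
        # [math]::Pow instead of -shl so this also runs on PowerShell 1.0/2.0
        $mask = $mask -bor [int][math]::Pow(2, $Alphabet.IndexOf($c))
    }
    return $mask
}

# Decode a mask back to letters, e.g. Get-DriveLetters 15 gives A, B, C, D
function Get-DriveLetters {
    param([int]$Mask)
    $letters = @()
    for ($bit = 0; $bit -lt 26; $bit++) {
        if (($Mask -band [int][math]::Pow(2, $bit)) -ne 0) { $letters += $Alphabet[$bit] }
    }
    return $letters
}

# Report what is currently applied to the logged-on user (not set = setting not applied)
$explorer = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer'
foreach ($name in 'NoDrives', 'NoViewOnDrive') {
    $value = (Get-ItemProperty -Path $explorer -Name $name -ErrorAction SilentlyContinue).$name
    if ($value -eq $null) { "$name : not set" }
    else { "$name : $value (" + ((Get-DriveLetters $value) -join ', ') + ')' }
}
"Mask for hiding E: and F: -> " + (Get-DriveMask E, F)
```

A mask outside the seven drop-down choices has to be delivered by other means (a custom ADM template or a registry-based deployment, which is what the companion article is assumed to cover); the GPO editor itself only offers the fixed list.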

 

Click Microsoft Management Console and Enable these settings (Figure 16):

  • Restrict the user from entering author mode
  • Restrict users to the explicitly permitted list of snap-ins

Figure 16

Click Task Scheduler and Enable the following settings (Figure 17):

  • Prevent Task Run or End
  • Prohibit New Task Creation

Figure 17

Click Windows Messenger and Enable the following settings (Figure 18):

  • Do not allow Windows Messenger to be run
  • Do not automatically start Windows Messenger initially

Figure 18

Click Windows Update and Enable the following settings (Figure 19):

  • Do not adjust default option to ‘Install Updates and Shut Down’ in Shut Down Windows dialog box
  • Do not display ‘Install Updates and Shut Down’ option in Shut Down Windows dialog box
  • Remove access to use all Windows Update features

Figure 19

Click Windows Movie Maker and Enable the following setting (Figure 20):

  • Do not allow Windows Movie Maker to run

Figure 20

Collapse Windows Components, click Start Menu and Taskbar and Enable the following settings (Figure 21):

  • Add Logoff to the Start Menu
  • Force classic Start Menu
  • Lock the Taskbar
  • Prevent changes to Taskbar and Start Menu Settings
  • Remove and prevent access to the Shutdown command
  • Remove Balloon Tips on Start Menu items
  • Remove Drag-and-drop context menus on the Start Menu
  • Remove Help menu from Start Menu
  • Remove links and access to Windows Update
  • Remove My Music icon from Start Menu
  • Remove Run menu from Start Menu
  • Remove Set Program Access and Defaults from Start menu
  • Remove the "Undock PC" button from the Start Menu
  • Turn off notification area cleanup
  • Turn off personalized menus
  • Turn off user tracking

Figure 21

Click Desktop and Enable the following settings (Figure 22):

  • Do not add shares of recently opened documents to My Network Places
  • Prevent adding, dragging, dropping and closing the Taskbar’s toolbars
  • Prohibit adjusting desktop toolbars
  • Prohibit user from changing My Documents path
  • Remove Properties from the My Computer context menu
  • Remove Properties from the Recycle Bin context menu
  • Remove the Desktop Cleanup Wizard

Figure 22

Double-click Active Desktop and Enable the following setting (Figure 23):

  • Disable Active Desktop

Figure 23

Collapse Desktop, click Control Panel and Enable the following settings (Figure 24):

  • Prohibit access to the Control Panel
  • Show only specified Control Panel applets

Figure 24

Note: To specify Control Panel applets, click the Show button after Enabling the setting (Figure 25):

Figure 25

Click the Add button and enter Printers (Figure 26):

Figure 26

Double-click Add or Remove Programs and Enable the following setting (Figure 27):

  • Remove Add or Remove Programs

Figure 27

Expand Display, click Desktop Themes and Enable the following settings (Figure 28):

  • Load a specific visual style file or force Windows Classic
    • Note: leave style box blank to force Windows Classic
  • Prohibit Theme color selection
  • Remove Theme option

Figure 28

Collapse Control Panel, expand Network, click Offline Files and Enable the following settings (Figure 29):

  • Prevent use of Offline Files folder
  • Prohibit user configuration of Offline Files
  • Remove ‘Make Available Offline’

Figure 29

Click Network Connections and Disable the following settings (Figure 30):

  • Ability to change properties of an all user remote access connection
  • Ability to delete all user remote access connections
  • Ability to Enable/Disable a LAN connection
  • Ability to rename all user remote access connections
  • Ability to rename LAN connections
  • Ability to rename LAN connections or remote access connections available to all users

Enable the following settings (Figure 30):

  • Prohibit access to properties of a LAN connection
  • Prohibit access to properties of components of a LAN connection
  • Prohibit access to properties of components of a remote access connection
  • Prohibit access to the Advanced Settings item on the Advanced menu
  • Prohibit access to the New Connection Wizard
  • Prohibit access to the Remote Access Preferences item on the Advanced menu
  • Prohibit adding and removing components for a LAN or remote access connection
  • Prohibit changing properties of a private remote access connection
  • Prohibit connecting and disconnecting a remote access connection
  • Prohibit deletion of remote access connections
  • Prohibit Enabling/Disabling components of a LAN connection
  • Prohibit TCP/IP advanced configuration
  • Prohibit viewing of status for an active connection
  • Turn off notifications when a connection has only limited or no connectivity

Figure 30

Collapse Network, click System and Enable the following settings (Figure 31):

  • Don’t display the Getting Started welcome screen at logon
  • Prevent access to the command prompt
    • Disable the command prompt script processing also: No
  • Prevent access to registry editing tools
    • Disable regedit from running silently: No

Figure 31

Double-click Ctrl+Alt+Del Options and Enable the following settings (Figure 32):

  • Remove Lock Computer
  • Remove Task Manager

Figure 32
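
To confirm that the GPO actually reached a Server, the following PowerShell audit (an added example, not code from the article) reads the registry values that the settings above write and reports any that are missing or different. It assumes PowerShell is installed on the Server and that it is run in a session of a non-administrative user the GPO applies to, since the HKCU: values are per-user and, with loopback in Replace mode, come from this GPO; the registry locations are the standard ones for these policies, and the two "No" drop-down answers in the System node map to the value 2 in the policy template.

```powershell
# Added audit script (not from the original article): reads the registry values
# that the GPO settings above write, so you can confirm the policy reached the
# Server. Run it in a session of a non-administrative user the GPO applies to,
# because the HKCU: values are per-user (loopback Replace makes them come from
# this GPO). Paths and value names are the standard locations for these policies.
$checks = @(
    # GPO setting name, registry path, value name, expected value
    @('Loopback processing mode: Replace', 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\System', 'UserPolicyMode', 2),
    @('Interactive logon: Do not display last user name', 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System', 'DontDisplayLastUserName', 1),
    @('Devices: Restrict CD-ROM access to locally logged-on user', 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon', 'AllocateCDRoms', '1'),
    @('Devices: Restrict floppy access to locally logged-on user', 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon', 'AllocateFloppies', '1'),
    @('Help and Support service disabled (Start = 4)', 'HKLM:\SYSTEM\CurrentControlSet\Services\helpsvc', 'Start', 4),
    @('Allow admin to install from Terminal Services session', 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\Installer', 'EnableAdminTSRemote', 1),
    @('Remove and prevent access to the Shutdown command', 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer', 'NoClose', 1),
    @('Prohibit access to the Control Panel', 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer', 'NoControlPanel', 1),
    @('Remove Task Manager', 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\System', 'DisableTaskMgr', 1),
    @('Remove Lock Computer', 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\System', 'DisableLockWorkstation', 1),
    # 2 = regedit blocked but silent regedit (/s) still allowed ("No" above); 1 would block both
    @('Prevent access to registry editing tools', 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\System', 'DisableRegistryTools', 2),
    # 2 = cmd.exe blocked but batch scripts still run ("No" above); 1 would block both
    @('Prevent access to the command prompt', 'HKCU:\Software\Policies\Microsoft\Windows\System', 'DisableCMD', 2)
)

# Returns OK, MISSING (value or key absent, i.e. policy not applied) or MISMATCH
function Test-PolicyValue {
    param([string]$Path, [string]$Name, $Expected)
    $item = Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue
    if ($item -eq $null) { return 'MISSING' }
    $actual = $item.$Name
    if ("$actual" -eq "$Expected") { return 'OK' }
    return "MISMATCH (found $actual)"
}

$failures = 0
foreach ($c in $checks) {
    $result = Test-PolicyValue -Path $c[1] -Name $c[2] -Expected $c[3]
    if ($result -ne 'OK') { $failures++ }
    "{0,-20} {1}" -f $result, $c[0]
}
"$failures of $($checks.Count) checked settings are not applied"
```

A MISSING result for every HKCU: entry while the HKLM: entries pass usually means the script was run as a user the GPO does not apply to (for example a Server Administrator who has been denied the GPO), not that the policy failed.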

 

You have now learned to create a basic Group Policy to manage your Servers.  Use this Group Policy as a starting point for your environment.  Only through thorough testing will you learn what is necessary to properly and securely manage your Servers.

In future articles you will learn:

  • How to hide additional drive letters from users
  • How to keep this GPO from applying to the administrators in charge of the Servers
  • How to back up and document this management GPO
  • How to test the effect of this GPO on administrative and non-administrative users