Making Group Policy Conform to Security Policy

Group Policy is a functional feature of Windows that has little meaning by itself. It is a mechanism used to apply controls enforcing your security policy. For example, should you set a maximum password age for all the computers in your environment? The answer is: “It depends.” Setting a maximum password age is generally a good idea, but not something you should arbitrarily enforce. Your security policy should direct any settings you add to GPOs. In fact, the GPOs you define and use should conform to your security policy. There are two main reasons for making Group Policy conform to your security policy: to allow management to meet its security responsibilities, and to ensure that your Group Policy neither leaves gaps in your security policy nor adds controls that the policy does not contain.

Security Responsibility

First, it is management’s responsibility to ensure the security of an organization’s assets, including information. All actions IT security personnel take to secure information occur within the authority granted by management to do the job. IT security controls that exceed management’s security goals also exceed granted authority. Technically, management authorizes IT security to do only what the security policy states. It is important that management include all necessary security goals in your organization’s security policy. The policy provides the direction for creating controls to secure information. A strict security policy interpretation means that any control that the security policy does not address is not important to the organization.

Security Policy and Group Policy

Second, your Group Policy definition should satisfy your security policy goals and not add any arbitrary controls. Your primary goal for designing Group Policy should be to ensure your Group Policy does not leave any gaps in your security policy. The GPOs you create and implement should meet all the goals in your security policy. They shouldn’t add any controls that are not covered in the policy. When your environment’s Group Policy conforms to your security policy, you create a validation method for your security policy. You can record the existence and performance of GPOs as evidence that you are complying with your security policy. You’ll learn how to audit how your Group Policy is functioning later in this chapter.

Making Group Policy conform to your security policy is a three-step process. First, examine a list of GPO settings that already exist in the default Windows templates. The Group Policy Settings Reference from Microsoft is an excellent resource for this task. Identify any GPO settings that satisfy parts of your security policy. Activate all settings that are appropriate for your policy.

The second step is to identify any elements in your security policy that do not already exist in default Windows templates. Then, list the elements that new GPO settings can address. For example, suppose you want to hide the Recycle Bin on every user’s desktop. You can easily create a new GPO with this setting.

The third step in making Group Policy conform to your security policy is to create new GPOs for each of the remaining goals in your security policy that you identified in the second step.

Group Policy Targets

Group Policy allows you to define the specific targets for each rule. Some rules in your security policy apply to all users on all machines while others do not. For example, the rule “All users must create passwords for user accounts that conform to the strong password policy” applies to all users. The rule “Members of the Database Administrator group must change passwords at least every 90 days” applies only to users who are members of the Database Administrator user group. Windows provides you with the ability to specify GPO scope, which defines where Windows enforces each security rule.

Active Directory provides the ability to define Group Policy at different levels. Windows looks up all applicable GPOs when a computer boots or a user logs on. Windows applies multiple GPOs in the following order, from lower to higher (FIGURE 6-2):

FIGURE 6-2
Group Policy Object order. The chart shows the order, from lower to higher: Local GPO, Site GPO, Domain GPO, and Organizational unit GPO.

© Jones & Bartlett Learning.

  • Local GPOs—GPOs defined and stored on the local computer

  • Site GPOs defined in Active Directory (AD)—GPOs defined in AD for a specific site

  • Domain GPOs—Domain-wide GPOs defined in AD

  • Organizational unit GPOs—OU GPOs defined in AD

Any setting in a higher-level GPO will override a lower-level GPO setting. For example, a setting in a domain GPO will override a conflicting setting in a local GPO. This behavior applies only if a GPO setting contains a specific value. If the higher-level GPO setting value is “Not Configured,” then Windows applies the value of the lower-level GPO setting.
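As an added example that is not part of the textbook, the following Python model works through both the three-step conformance check described above (gaps and extra controls) and the GPO precedence rules just listed, including the “Not Configured” pass-through. The layer names, setting names and values are constructed sample data; in a real domain these values come from the GPO tooling, not from this code.

```python
"""Model of GPO precedence (Local -> Site -> Domain -> OU) and a conformance
check of the resulting effective settings against a security policy.
Constructed example data only; not a real domain's GPOs."""
from typing import Any, Dict, Optional

NOT_CONFIGURED = None  # a setting the GPO leaves "Not Configured"
LAYER_ORDER = ("Local", "Site", "Domain", "OU")  # lowest to highest precedence


def resolve_effective(layers: Dict[str, Dict[str, Optional[Any]]]) -> Dict[str, Any]:
    """Apply layers in precedence order. A configured value at a higher level
    overrides a lower level; Not Configured leaves the lower value in place."""
    effective: Dict[str, Any] = {}
    for layer in LAYER_ORDER:
        for setting, value in layers.get(layer, {}).items():
            if value is not NOT_CONFIGURED:
                effective[setting] = value
    return effective


def check_conformance(effective: Dict[str, Any], policy: Dict[str, Any]):
    """Return (gaps, extras, mismatches): policy goals with no GPO setting,
    GPO controls the policy does not require, and settings whose effective
    value differs from the policy's required value."""
    gaps = sorted(s for s in policy if s not in effective)
    extras = sorted(s for s in effective if s not in policy)
    mismatches = {s: (effective[s], policy[s])
                  for s in policy if s in effective and effective[s] != policy[s]}
    return gaps, extras, mismatches


# Constructed sample layers: the local 180-day maximum password age survives
# because every higher layer leaves that setting Not Configured.
SAMPLE_LAYERS = {
    "Local": {"MaximumPasswordAge": 180, "HideRecycleBin": False},
    "Site": {"MaximumPasswordAge": NOT_CONFIGURED},
    "Domain": {"MaximumPasswordAge": NOT_CONFIGURED, "PasswordComplexity": True},
    "OU": {"HideRecycleBin": True, "ScreenSaverTimeout": 600},
}

# Constructed security policy requirements (the values the policy demands)
SAMPLE_POLICY = {"MaximumPasswordAge": 90, "PasswordComplexity": True,
                 "HideRecycleBin": True, "MinimumPasswordLength": 12}

if __name__ == "__main__":
    eff = resolve_effective(SAMPLE_LAYERS)
    gaps, extras, mismatches = check_conformance(eff, SAMPLE_POLICY)
    print("Effective settings:", eff)
    print("Gaps (policy goals with no GPO setting):", gaps)
    print("Extras (controls the policy does not require):", extras)
    print("Mismatches (effective value, required value):", mismatches)
```

The mismatch on MaximumPasswordAge shows why a conformance review must look at effective values rather than at the domain GPO alone: a higher-level “Not Configured” lets the local value through.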

Creating GPOs that conform to your security policy enables you to validate and evaluate each part of the policy. You’ll learn later in this chapter how to list and audit GPOs. Reporting on GPOs makes it easy to evaluate how well your organization is complying with your security policy.
