Best Practices for Microsoft Windows Group Policy and Processes
Group Policy is an important component of secure Windows environments. Many resources are available to help you follow established best practices for secure systems. You’ll learn about a few of the recommended guidelines and available resources in this section.
Group Policy Design Guidelines
While there are many ways to design Group Policy for your organization, a few guidelines can help focus your efforts. Follow these guidelines to design a Group Policy that will minimize administrative effort while satisfying your security policy. Most important, don’t make your Group Policy overly complex. Simplicity is always an asset in any policy. Keep your security policy and Group Policy as simple as possible while still fulfilling your goals. Here are a few additional guidelines that should result in simple and effective Group Policy:
Define OUs that reflect your organization’s functional structure.
Create OU GPOs for controls required in your security policy.
Use meaningful names for GPOs to make maintenance and administration easier.
Deploy GPOs in a test environment before deploying to your live environment.
Use security filtering and WMI filters to restrict settings when necessary.
Back up your GPOs regularly.
Do not modify the default policies—instead, create new GPOs.
Ensure your Group Policy is both effective and easily maintainable. Only define and deploy the GPOs you actually need to meet the goals of your security policy. Extra GPOs will only complicate administrative tasks and may get in the way of completing primary business functions. The process of migrating from an environment with few controls to a secure environment can be frustrating both for end users and administrators. Make sure you test all GPOs before deploying them to a live environment. Conduct tests that will allow you to evaluate how each GPO will affect your users’ abilities to do their jobs. New security settings that stop people from doing their jobs are harmful to your business. Be aware of any new policies that may result in a negative business impact. When security requirements conflict with business requirements, it is up to the organization’s management to resolve the conflict. The best security solutions always support both security and business concerns.
There are several other resources listed in TABLE 6-3 that make designing and implementing Group Policy across a domain easier. Use these resources as well as the tools and resources you have already seen. They keep you from reinventing the wheel. They also provide input on solving issues that you may not have encountered yet.
TABLE 6-3 Group Policy Best Practices Resources |
||
|---|---|---|
| RESOURCE | DESCRIPTION | WHERE TO FIND IT |
| Group Policy Best Practices Analyzer | Helps you identify Group Policy configuration errors or dependency issues that may prevent settings from functioning as you expected. | In Server Manager, select a server role group and select Start BPA Scan in the Best Practices Analyzer. |
| Group Policy Settings Reference | Spreadsheets that list the policy settings included in the Administrative template files that are delivered with the Windows operating systems. | http://www.microsoft.com/downloads (Search for Group Policy Settings Reference) |
| Windows 8.1 and Windows Server 2012 R2 Security Baseline | Resources for planning, deploying, and monitoring the security baselines of servers running Windows 8.1 and Windows Server 2012 R2. | https://blogs.technet.microsoft.com/secguide/2014/04/07/security-baselines-for-windows-8-1-windows-server-2012-r2-and-internet-explorer-11-beta/ |
| Windows 10 and Windows Server 2016 Security Baseline | Resources for planning, deploying, and monitoring the security baselines of servers running Windows 10 and Windows Server 2016. | https://docs.microsoft.com/en-us/windows/security/threat-protection/windows-security-baselines |
| Windows 10 v1809 and Windows Server 2019 Security Baseline | Resources for planning, deploying, and monitoring the security baselines of servers running Windows 10 v1809 and Windows Server 2019. | https://blogs.technet.microsoft.com/secguide/2018/11/20/security-baseline-final-for-windows-10-v1809-and-windows=-server-2019/ |
| Security Compliance Toolkit (SCT) | A set of tools used to acquire, test, and deploy configuration baselines recommended by Microsoft. The security guides in the toolkit recommend Group Policy configurations and Security Template configurations that are enforced via Active Directory Domain Services. | https://docs.microsoft.com/en-us/windows/security/threat-protection/security-compliance-toolkit-10 |
© Jones & Bartlett Learning. |
||