Internal Security 

PCQ Bureau

When talking about IT security to anyone, the most common picture that comes to mind is of a hacker sitting in some dark, leery room trying to steal your secrets from across the world, a la Neo from The Matrix. However, the real truth is that far more company secrets are revealed to the outside world by people within the organization. Internal security is probably the weakest link in the chain and the most ignored as well.

One can, of course, create a very strict Acceptable Use Policy (AUP; more about them in another article in this story) that all your users need to adhere to, failing which penalties can be imposed on them. However, it is also necessary to remove the temptation and the opportunity for any such behavior by enforcing technical rules in a managed network environment. In a Windows network, this is done using Group Policies.

Group Policies are a set of "rules" that are applied to different parts of a Windows-based network. These rules exist in what are called "Group Policy Objects" (GPOs), each of which can hold a large number of settings that affect Windows components such as security, interface, customization, deployment etc. 

GPOs can be attached to different parts of an Active Directory network - such as Sites, Domains, Organizational Units (OU), Users and Groups. As with most other cascade settings, GPOs also travel downwards in the network with the most local policy taking precedence over a more remote policy. For instance, if a Domain level policy for a particular setting is defined, it applies to everyone in that domain. However, setting the same policy setting with a different value at a group level will change the setting for all the users within that group. 

There are a large number of policies that you can control using GPOs. The following are the main ones.

Registry settings: You can control different registry settings that get deployed, such as turning off the Start>Run menu or the display properties window.

Security settings: You can set Internet Explorer restrictions (in terms of zones), URLs, etc.

Restrict software: The admin can restrict the software that is allowed to run on computers. For instance, you can prevent Kazaa from executing at all, effectively blocking usage of the application itself rather than blocking its use at the proxy/firewall/gateway level.

Deploy Software & Updates: You can create GPOs that distribute software (such as MS Office) and updates (such as Service Packs, etc.) to client computers. You can even set options such as whether the software installation is mandatory (the user cannot cancel installation), optional (the user can cancel installation), or available (the user can install this package manually). 

Scripts: You can deploy different login and logoff scripts to computers and users.

Roaming users & folders: With GPOs you can set information about users who do not sit on one computer and require their data and settings from any computer. Folders like My Documents can be redirected to a folder on the server so that their data is always available. Offline folders can be made available so that users can work on their documents even when disconnected from the network. 

Using group policies



Creating and deploying GPOs has become much easier with the advent of Windows Server 2003. Not only does it contain more than 200 new policies that you can control easily out of the box, but the new and free Group Policy Management Console (GPMC) lets you create, test and deploy these policies very quickly.

The GPMC is available at the Microsoft TechNet site. It installs on Windows 2003 or Windows XP (with SP1 and .NET framework) and can manage both Windows 2000 and Windows 2003 domains. Once installed, the GPMC allows you to easily manage the different GPOs in all the domains you have.

The first thing to do is to create a list of the different "units" of users or computers that you wish to manage with different settings. Go into GPM>Forest>Domains>Your Domain>Group Policy Objects and create the different GPOs here.

Once you create a GPO, create its scope by adding users or groups into the security filtering option. Once that is done, right-click the GPO and select Edit. This opens the Group Policy Editor within which you can set the different settings for that GPO. 

There are a large number of such settings that you can configure, too many to get into here. Suffice to say that you can control all the things mentioned above and more.

However, one of the problems that administrators face is that it sometimes becomes difficult to predict how the different GPOs would affect a particular user or group due to the cascading effect. To solve this the GPMC also contains a Group Policy Modeling wizard that lets you find the resultant policies effective on a particular unit. It also allows you to do what-if analysis on these - such as adding or changing the groups that a user belongs to and what the changes in that user's policies would be.
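
The cascade described earlier and the kind of what-if analysis the Modeling wizard performs can be sketched as a simplified model in Python. This is an added example, not code from PCQuest or Microsoft; it assumes site, then domain, then OU processing with group-based security filtering, and every GPO, group and setting name in it is hypothetical.

```python
# Simplified model, not Windows' own engine. Assumptions: GPOs are linked at
# site, domain or OU scope and processed in that order, so a more local link
# overwrites earlier values; security filtering limits a GPO to listed groups.
from dataclasses import dataclass, replace

ORDER = {"site": 0, "domain": 1, "ou": 2}  # least local to most local

@dataclass
class GPO:
    name: str
    scope: str       # "site", "domain" or "ou"
    target: str      # the site, domain or OU the GPO is linked to
    settings: dict   # setting name -> value
    apply_to: frozenset = frozenset({"Authenticated Users"})  # security filtering

@dataclass
class User:
    name: str
    site: str
    domain: str
    ou: str
    groups: frozenset

def resultant_policy(user, gpos):
    """Return {setting: (value, winning GPO name)} for one user."""
    location = {"site": user.site, "domain": user.domain, "ou": user.ou}
    members = user.groups | {"Authenticated Users"}
    result = {}
    for gpo in sorted(gpos, key=lambda g: ORDER[g.scope]):
        if location[gpo.scope] != gpo.target or not (gpo.apply_to & members):
            continue  # not linked to this user's container, or filtered out
        for key, value in gpo.settings.items():
            result[key] = (value, gpo.name)  # later, more local GPO wins
    return result

def what_if(user, gpos, add_groups=(), remove_groups=()):
    """Return {setting: (before, after)} for a proposed group-membership change."""
    groups = (user.groups | frozenset(add_groups)) - frozenset(remove_groups)
    before = resultant_policy(user, gpos)
    after = resultant_policy(replace(user, groups=groups), gpos)
    return {k: (before.get(k), after.get(k))
            for k in before.keys() | after.keys() if before.get(k) != after.get(k)}

# Constructed sample data; all names and setting keys are hypothetical.
GPOS = [
    GPO("Domain Baseline", "domain", "corp.example", {"HideRunMenu": True, "BlockKazaa": True}),
    GPO("Helpdesk Tools", "ou", "Staff", {"HideRunMenu": False}, frozenset({"Helpdesk"})),
]
ALICE = User("alice", "HQ", "corp.example", "Staff", frozenset({"Sales"}))
```

Calling `what_if(ALICE, GPOS, add_groups=["Helpdesk"])` reports that the group change would lift the Run-menu restriction for this user while the Kazaa block stays in force, which is the sort of side effect worth checking before changing group membership.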

Summary and detailed reports are available for all the different tasks that can be performed in the GPMC. This lets you have a quick overview or drill down to any level for any policy setting that you make and how it affects your network. 

Overall, Group Policy is an important and useful addition to your Active Directory deployment. Managing your internal network and ensuring compliance with your company policies can be made much easier with this free tool and technology.

Vinod Unny, Enterprise InfoTech
