Group Policy is the primary mechanism within the Windows Operating System for managing security configuration. It generally does this in a scalable and reliable fashion.
It also provides an extensibility model such that third-party vendors can extend what security settings (or other settings) can be configured using Group Policy. In this whitepaper, we will cover the following areas related to Group Policy and security configuration management:
- How Group Policy works to enforce security configuration on Windows servers and desktops
- How you can configure security based on “best-practice” baselines
- The benefits and challenges of using Group Policy as your security configuration tool
- Learn how third-parties leverage and extend Group Policy to provide value-added security configuration features
Group Policy as a Security Configuration Tool
As you know, Group Policy, or related technologies, have been in Windows for a long time. The ability to push registry values that lockdown a user’s desktop (e.g. by hiding certain Explorer elements or configuring Internet Explorer restrictions) have been around since NT 4.
But the ability to manage Windows security configuration through Group Policy was first introduced in Windows 2000 when Group Policy itself became a reality.
Since then, the security configuration capabilities of Group Policy have grown with every new release of Windows. Most of the features related to security configuration in a Group Policy Object (GPO) are defined on a “per-computer” basis.
If you remember how Group Policy works, you can target GPOs at either computer objects or user objects in Active Directory. Thus most security policy is targeted at computer objects, and applies regardless of who is logged into a given computer. You’ll find most of the security-related policy settings within the Group Policy Editor namespace under Computer ConfigurationPoliciesWindows SettingsSecurity Settings, as shown in Figure 1.