Securing workstations

Status
Not open for further replies.

supportahm1980

Technical User
May 30, 2006
208
US
Hello all. Just wondering what steps you take to secure your workstations.

I am trying to come up with a GP to deploy.

I have listed the following:

rename local admin account
screen saver timeout
remove last user logged from user name field.
enable firewall when not logged on to the domain
Do not store passwords in IE




There are probably a ton. Thanks.


 
There are tons of guides and things from Microsoft available. I would also point out that in your security template mmc for XP, there are several templates in there with various levels of security. I would caution you heavily with doing this stuff if you do not have significant experience doing it. A minor change in GPO and you can lock yourself out of a great deal of resources.

The best advice is to do your research and roll out changes to a small group of computers at a time and do it slowly.

Here is a start:

 
You left out using complex passwords, setting password history etc. Note that the password policies can only be set in the default domain policy.

Beyond this your list is good. Consider also making your users just Users and not Power Users or Admins of their local machines.

Applications that require admin rights can be overcome by manually allowing rights to registry keys and NTFS permissions.

I hope you find this post helpful.

Regards,

Mark

Check out my scripting solutions at
 
Hey Mark, just a question, but didn't the password policy change in 2003? I say that because I am using a second GPO with a different password policy and applying that to my DCs. It works fine for me and it reflects the policy from my 2nd password policy rather than the first. I would add though that if you run multiple DCs, it will only show up in RSOP on one DC, and will show undefined on all the rest.
 
Nope, has not changed. It can only be set at the domain level and only in one policy. All other policies are ignored. You can override the Default Domain Policy and have another as you are doing at the domain level. But only the one takes effect.

This is changing in Longhorn where you will be able to set separate password policies on security groups. I was hoping for OU level support but the developers tell me that isn't planned at this time.

I hope you find this post helpful.

Regards,

Mark

Check out my scripting solutions at
 
I agree with what you are saying. I misunderstood what you were saying before. I thought you were saying that the default policy is the only policy that will work for setting the password policy.

I have also heard about this change in Longhorn. I have not yet installed it myself, but I am pleased with many overdue changes. There is an excellent conference at the end of this month in Las Vegas that will be geared on Longhorn. Microsoft has a strong presence there. I went last year. All the big server/AD guys from Microsoft and all the top tech guys from around the globe go. Last year I was able to meet and talk with people like Stuart Kwan and Wook Lee. Some of those speakers and attendees are outstanding.

In case you are interested, it is
It's one of the better conferences/training that I have ever attended.
 
As a side note, if you set an explicit deny on the gpt.ini file for a specific user, they will not be affected by GPO changes.
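The security templates mentioned earlier in the thread are plain INF files, so the template-backed items from the discussion (renamed local admin, hiding the last user name, password complexity and history) can be checked before a rollout. The following is an added example, not code from any poster: the sample template is constructed in the format `secedit /export` writes, and the history threshold of 24 is an assumed value, since the thread names no number.

```python
import configparser

# Constructed sample in the format written by `secedit /export` (not from the thread).
SAMPLE_INF = r"""
[System Access]
PasswordComplexity = 0
PasswordHistorySize = 5
NewAdministratorName = "Administrator"
[Registry Values]
MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System\DontDisplayLastUserName=4,0
[Version]
signature="$CHICAGO$"
"""

LAST_USER = r"MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System\DontDisplayLastUserName"
MIN_HISTORY = 24  # assumed threshold; the thread gives no number


def audit_template(inf_text, min_history=MIN_HISTORY):
    """Return {check: 'pass' | 'fail' | 'not defined'} for the thread's settings."""
    cp = configparser.ConfigParser(interpolation=None, strict=False, delimiters=("=",))
    cp.read_string(inf_text)

    def check(section, key, ok):
        # A key missing from the template is "Not Defined", reported separately from a failure.
        if not cp.has_option(section, key):  # option names match case-insensitively
            return "not defined"
        value = cp.get(section, key).strip().strip('"')
        return "pass" if ok(value) else "fail"

    def dword(value):
        # Registry values are stored as "<type>,<data>"; type 4 is REG_DWORD.
        kind, _, data = value.partition(",")
        return int(data) if kind == "4" and data.isdigit() else None

    return {
        "admin renamed": check("System Access", "NewAdministratorName",
                               lambda v: v.lower() != "administrator"),
        "password complexity": check("System Access", "PasswordComplexity",
                                     lambda v: v == "1"),
        "password history": check("System Access", "PasswordHistorySize",
                                  lambda v: int(v) >= min_history),
        "hide last user name": check("Registry Values", LAST_USER,
                                     lambda v: dword(v) == 1),
    }


if __name__ == "__main__":
    for name, result in audit_template(SAMPLE_INF).items():
        print(f"{name:22} {result}")
```

The screen saver, firewall and IE password items from the original list are Administrative Template settings rather than security template entries, so this check does not cover them.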
 