Top/Must Have Group Policies in an environment
halaakajan
Member Posts: 167
Hello Guys,
We just recently discovered that our administrative shares were shared so anyone can practically go to \\computername\c$ and view the content of the partition.
What are the best group policies which are a must in an AD domain environment, for security and non-security purposes?
Your answers will be much appreciated.
Regards!
Comments
-
sh run
Member Posts: 10
This is a basic permissions thing, not a problem with insufficient group policy rules - you've got Domain Users in the Administrators group on your local machines. Anybody with local admin rights can \\ to c$. I wouldn't recommend trying to remove the $ shares with group policy; just fix your Admin groups if this is a problem.
-
crrussell3
Member Posts: 561
That is really an open-ended question that all depends on how your network is set up. What may be top/must haves in my network would be disastrous in your network.
Using group policy to secure and manage end points is a give and take sort of dance. You want to make sure you efficiently manage and secure them, but you don't want to go too overboard where you lock down your users so much that it hinders their day to day productivity.
As sh run said, the reason everyone can \\<hostname>\<admin$> is that your users are part of the local admin group. The first step should be determining why this is so and if you can change it. Do they need admin access to run a particular application? Can that application be made to run as a standard user (a lot of times this can be accomplished simply by giving users read/write access to the install directory for the application and perhaps a few reg keys)?
I would suggest you audit your current network, security and group policies, then sit down with your CIO and other managers to really determine what level of access people should have and why. Be prepared to tell them why you want to make these changes and have a valid reason for it. Then you can start developing policies that reflect the outcome of the meetings. Make sure you test, test, and test these newly created policies on a few test machines or lab before deploying them in the wild though!
I will give you one generic top/must have though: Group Policy Preferences. If you still use logon/startup scripts, you should really look into turning them into GPP.

MCTS: Windows Vista, Configuration
MCTS: Windows WS08 Active Directory, Configuration
-
halaakajan
Member Posts: 167
Thanks for the feedback, guys. You guys were right: only users from a security group which was a member of the local admin group had that functionality.
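
An added example, not part of any post in this thread: a PowerShell audit of the built-in Administrators group on each machine, which is the check the replies point to. It assumes PowerShell remoting (WinRM) is enabled on the targets; the function names and the SIDs in the sample at the end are constructed for illustration.

```powershell
# Added example (not from the thread). Function names are hypothetical.
# Classify a member SID as a broad principal that should not be a local admin.
function Test-BroadAdminMember {
    param([Parameter(Mandatory)][string]$Sid)
    $wellKnown = @{
        'S-1-1-0'      = 'Everyone'
        'S-1-5-11'     = 'Authenticated Users'
        'S-1-5-32-545' = 'BUILTIN\Users'
    }
    if ($wellKnown.ContainsKey($Sid)) { return $wellKnown[$Sid] }
    # Domain SIDs end in a RID: 513 = Domain Users, 515 = Domain Computers.
    if ($Sid -match '^S-1-5-21-\d+-\d+-\d+-(513|515)$') {
        if ($Matches[1] -eq '513') { return 'Domain Users' }
        return 'Domain Computers'
    }
    return $null
}

# List every member of BUILTIN\Administrators on each computer.
# Assumes WinRM remoting is enabled and the caller may query the targets.
function Get-LocalAdminAudit {
    param([Parameter(Mandatory)][string[]]$ComputerName)
    foreach ($computer in $ComputerName) {
        try {
            # S-1-5-32-544 names the group independent of OS language.
            $members = Invoke-Command -ComputerName $computer -ErrorAction Stop -ScriptBlock {
                Get-LocalGroupMember -SID 'S-1-5-32-544' -ErrorAction Stop |
                    Select-Object Name, ObjectClass, @{ n = 'Sid'; e = { $_.SID.Value } }
            }
        } catch {
            Write-Warning "${computer}: $($_.Exception.Message)"
            continue
        }
        foreach ($m in $members) {
            [pscustomobject]@{
                Computer    = $computer
                Member      = $m.Name
                ObjectClass = $m.ObjectClass   # 'Group' entries need their own membership review
                BroadGroup  = Test-BroadAdminMember -Sid $m.Sid
            }
        }
    }
}

# Classification check on constructed SIDs (not from a real domain).
'S-1-5-21-1111111111-2222222222-3333333333-513',
'S-1-5-21-1111111111-2222222222-3333333333-1104' |
    ForEach-Object { '{0} -> {1}' -f $_, (Test-BroadAdminMember -Sid $_) }
```

Rows where `BroadGroup` is set, or where `ObjectClass` is `Group` for a security group with wide membership, are the ones that let ordinary users reach `\\computername\c$`.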