Creating a Server Management Group Policy on Windows Server 2003

Creating a server management group policy is a critical task that needs to be completed before allowing users access to any Terminal Server or XenApp Server.  By default, any user who can log on to the server can do many dangerous things.  For example, the user can:

  • Shut down the server
  • Reboot the server
  • Use Internet Explorer to install Windows Updates
  • Access the server’s hard drives

Note:  Instead of saying Terminal Server and/or XenApp Server throughout this article, I will use the term Server or Servers.

Many administrators refer to this as “locking down the Server”.  I prefer to use “managing the Server”.  Many administrators add other group policy items that do not add to “locking down” a Server but add to the management of a Server.

Just like there is no one way to design Active Directory (AD), there is no one way to design a Server management group policy.  What works for high security environments would probably be overkill for a small business.  If you were to gather ten network administrators in a room there will probably be ten different viewpoints on the “proper and secure” way to manage a Server.

From this article you will learn the basics of creating a group policy for managing your Server.  This article will be using Windows Server 2003 R2 with SP2 with all Windows Critical, or High Priority, Updates, except Internet Explorer 8, as of May 2009.  The following assumptions are made:

  • The Group Policy Management Console is installed.  If not, please see this Microsoft site.
  • Your Servers are in their own Organizational Unit (OU)
  • You are familiar with the concept of Loopback Processing Mode
  • You know how to create a Group Policy Object (GPO) and link it
  • Internet Explorer 7 is installed on the Server

Note:  This article uses the terms “expand” and “collapse”.  Expand means to click the “+” sign next to a node in the GPO (Figure 1).  Collapse means to click the “-” sign next to a node in the GPO (Figure 2).

Figure 1 (Expand a GPO node)

Figure 2 (Collapse a GPO node)

Start the Group Policy Management tool, navigate to the Group Policy Objects node and create a GPO (Figure 3).

Figure 3

The first setting that needs to be configured is to set the loopback processing mode.

In Computer Configuration, expand Administrative Templates, expand System, click on Group Policy, double-click User Group Policy loopback processing mode, select Enabled, change Mode to Replace and then click OK (Figure 4).

Figure 4

Collapse System, expand Windows Settings, expand Security Settings, expand Local Policies, click Security Options and Enable the following Settings (Figure 5):

  • Devices: Restrict CD-ROM access to locally logged-on user only
  • Devices: Restrict floppy access to locally logged-on user only
  • Interactive logon: Do not display last user name

Figure 5

Collapse Local Policies, click System Services and Disable the following service (Figure 6):

  • Help and Support

Figure 6

Collapse Windows Settings, expand Administrative Templates, expand Windows Components, click Windows Installer and Enable the following setting (Figure 7):

  • Allow admin to install from Terminal Services session

Figure 7

Collapse Computer Configuration.

In the User Configuration section, expand Administrative Templates, expand Windows Components, click on Internet Explorer and Enable the following settings (Figure 8):

  • Disable “Configuring History”
    • Days to keep pages in History: 20 (Default number)
  • Disable changing Advanced page settings
  • Disable changing Automatic Configuration settings
  • Disable changing Calendar and Contact settings
  • Disable changing certificate settings
  • Disable changing connection settings
  • Disable changing default browser check
  • Disable changing home page settings
    • Home Page: http://www.dabcc.com/Webster (set to your company standard)
  • Disable changing Messaging settings
  • Disable changing Profile Assistant settings
  • Disable changing proxy settings
  • Disable changing ratings settings
  • Disable changing Temporary Internet files settings
  • Disable Internet Connection wizard
  • Disable the Reset Web Settings feature
  • Do not allow users to enable or disable add-ons
  • Prevent participation in the Customer Experience Improvement Program
  • Prevent performance of First Run Customize settings
    • Select your choice: Go directly to home page
  • Search: Disable Find Files via F3 within the browser
  • Turn off Managing Phishing filter
    • Select phishing filter mode: Off
  • Use Automatic Detection for dial-up connections

Figure 8

Under Internet Explorer, double-click Internet Control Panel and Enable the following settings (Figure 9):

  • Disable the Advanced page
  • Disable the Connections page
  • Disable the Content page
  • Disable the Privacy page
  • Disable the Programs page
  • Disable the Security page

Figure 9

In the Settings column, double-click Advanced Page and Enable the following setting (Figure 10):

  • Empty Temporary Internet Files folder when browser is closed

Figure 10

Under Internet Explorer, expand Security Features, click on Restrict ActiveX Install and Enable the following setting (Figure 11):

  • Internet Explorer Processes

Figure 11

Under Internet Explorer, click Toolbars and Enable the following settings (Figure 12):

  • Configure Toolbar Buttons
    • Enable (Check) the following buttons (Figure 13)
      • Show Back button
      • Show Forward button
      • Show Stop button
      • Show Refresh button
      • Show Home button
      • Show Favorites button
      • Show History button
  • Disable customizing browser toolbar buttons

Figure 12

Figure 13

Under Internet Explorer, click Browser menus and Enable the following settings (Figure 14).

  • Disable Context menu
  • Disable Save this program to disk option

Figure 14

Collapse Internet Explorer, click on Windows Explorer and Enable the following settings (Figure 15):

  • Do not request alternate credentials
  • Hide these specified drives in My Computer (Select one of the following)
    • Restrict A and B drives only
    • Restrict C drive only
    • Restrict D drive only
    • Restrict A, B and C drives only
    • Restrict A, B, C and D drives only
    • Restrict all drives
    • Do not restrict drives
  • Hides the Manage item on the Windows Explorer context menu
  • Prevent access to drives from My Computer (Select one of the following)
    • Restrict A and B drives only
    • Restrict C drive only
    • Restrict D drive only
    • Restrict A, B and C drives only
    • Restrict A, B, C and D drives only
    • Restrict all drives
    • Do not restrict drives
  • Remove CD Burning features
  • Remove Hardware tab
  • Remove Search button from Windows Explorer
  • Remove Security tab
  • Remove Windows Explorer’s default context menu
  • Turn off Windows+X hotkeys

NOTE:  When the Hide these specified drives in My Computer and Prevent access to drives from My Computer settings are enabled, there is a drop down box that allows the selection of various drive combinations.  What if the drives you need hidden are not on the list?  See the companion article How To Hide Additional Drive Letters On A Server.  Keep in mind that both settings are Explorer shell restrictions, not permissions: a user who gets to a command prompt, a script, or an application that opens files by path can still reach the drive.  Anything that must actually be protected still needs NTFS permissions.

Figure 15

Click Microsoft Management Console and Enable these settings (Figure 16):

  • Restrict the user from entering author mode
  • Restrict users to the explicitly permitted list of snap-ins

Figure 16

Click Task Scheduler and Enable the following settings (Figure 17):

  • Prevent Task Run or End
  • Prohibit New Task Creation

Figure 17

Click Windows Messenger and Enable the following settings (Figure 18):

  • Do not allow Windows Messenger to be run
  • Do not automatically start Windows Messenger initially

Figure 18

Click Windows Update and Enable the following settings (Figure 19):

  • Do not adjust default option to ‘Install Updates and Shut Down’ in Shut Down Windows dialog box
  • Do not display ‘Install Updates and Shut Down’ option in Shut Down Windows dialog box
  • Remove access to use all Windows Update features

Figure 19

Click Windows Movie Maker and Enable the following setting (Figure 20):

  • Do not allow Windows Movie Maker to run

Figure 20

Collapse Windows Components, click Start Menu and Taskbar and Enable the following settings (Figure 21):

  • Add Logoff to the Start Menu
  • Force classic Start Menu
  • Lock the Taskbar
  • Prevent changes to Taskbar and Start Menu Settings
  • Remove and prevent access to the Shutdown command
  • Remove Balloon Tips on Start Menu items
  • Remove Drag-and-drop context menus on the Start Menu
  • Remove Help menu from Start Menu
  • Remove links and access to Windows Update
  • Remove My Music icon from Start Menu
  • Remove Run menu from Start Menu
  • Remove Set Program Access and Defaults from Start menu
  • Remove the “Undock PC” button from the Start Menu
  • Turn off notification area cleanup
  • Turn off personalized menus
  • Turn off user tracking

Figure 21

Click Desktop and Enable the following settings (Figure 22):

  • Do not add shares of recently opened documents to My Network Places
  • Prevent adding, dragging, dropping and closing the Taskbar’s toolbars
  • Prohibit adjusting desktop toolbars
  • Prohibit user from changing My Documents path
  • Remove Properties from the My Computer context menu
  • Remove Properties from the Recycle Bin context menu
  • Remove the Desktop Cleanup Wizard

Figure 22

Double-click Active Desktop and Enable the following setting (Figure 23):

  • Disable Active Desktop

Figure 23

Collapse Desktop, click Control Panel and Enable the following settings (Figure 24):

  • Prohibit access to the Control Panel
  • Show only specified Control Panel applets

Figure 24

Note: To specify Control Panel applets, click the Show button after Enabling the setting (Figure 25):

Figure 25

Click the Add button and enter Printers (Figure 26):

Figure 26

Double-click Add or Remove Programs and Enable the following setting (Figure 27):

  • Remove Add or Remove Programs

Figure 27

Expand Display, click Desktop Themes and Enable the following settings (Figure 28):

  • Load a specific visual style file or force Windows Classic
    • Note: leave the style box blank to force Windows Classic
  • Prohibit Theme color selection
  • Remove Theme option

Figure 28

Collapse Control Panel, expand Network, click Offline Files and Enable the following settings (Figure 29):

  • Prevent use of Offline Files folder
  • Prohibit user configuration of Offline Files
  • Remove ‘Make Available Offline’

Figure 29

Click Network Connections and Disable the following settings (Figure 30):

  • Ability to change properties of an all user remote access connection
  • Ability to delete all user remote access connections
  • Ability to Enable/Disable a LAN connection
  • Ability to rename all user remote access connections
  • Ability to rename LAN connections
  • Ability to rename LAN connections or remote access connections available to all users

Enable the following settings (Figure 30):

  • Prohibit access to properties of a LAN connection
  • Prohibit access to properties of components of a LAN connection
  • Prohibit access to properties of components of a remote access connection
  • Prohibit access to the Advanced Settings item on the Advanced menu
  • Prohibit access to the New Connection Wizard
  • Prohibit access to the Remote Access Preferences item on the Advanced menu
  • Prohibit adding and removing components for a LAN or remote access connection
  • Prohibit changing properties of a private remote access connection
  • Prohibit connecting and disconnecting a remote access connection
  • Prohibit deletion of remote access connections
  • Prohibit Enabling/Disabling components of a LAN connection
  • Prohibit TCP/IP advanced configuration
  • Prohibit viewing of status for an active connection
  • Turn off notifications when a connection has only limited or no connectivity

Figure 30

Collapse Network, click System and Enable the following settings (Figure 31):

  • Don’t display the Getting Started welcome screen at logon
  • Prevent access to the command prompt
    • Disable the command prompt script processing also: No (leave this at No so logon scripts and other batch files still run; only the interactive command prompt is blocked)
  • Prevent access to registry editing tools
    • Disable regedit from running silently: No (leave this at No so regedit /s in scripts still works; only interactive Registry Editor is blocked)

Figure 31

Double-click Ctrl+Alt+Del Options and Enable the following settings (Figure 32):

  • Remove Lock Computer
  • Remove Task Manager

Figure 32

You have now learned to create a basic Group Policy to manage your Servers.  Use this Group Policy as a starting point for your environment.  Only through thorough testing will you learn what is necessary to properly and securely manage your Servers.
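Everything above, from the loopback setting through the Ctrl+Alt+Del options, can also be built with a script, which makes the GPO repeatable and easy to diff between environments.  The following PowerShell script is an added example for this article, not Webster’s own code and not anything shipped with GPMC.  It assumes you run it as a domain administrator on a Windows 7 or Windows Server 2008 R2 management computer with the RSAT Group Policy Management feature installed (the GroupPolicy module does not exist on Windows Server 2003 itself, but it can manage GPOs in a Windows Server 2003 domain); the GPO name, the OU distinguished name, the home page URL and the drive letters are placeholders to change.  It writes the Administrative Template settings through their underlying registry values, which is exactly what the GPO editor stores in registry.pol.  The Security Options and System Services entries from Figures 5 and 6 live in the security template (GptTmpl.inf) instead and are left to the GUI here.  The Get-DriveMask helper also answers the drive letter question from the Windows Explorer note: the drop-down just writes a bitmask, bit 0 for A: through bit 25 for Z:, to the NoDrives and NoViewOnDrive values.

```powershell
# Added example, not from the original article. Builds the Server management
# GPO with the GroupPolicy module. Assumptions: domain admin on a Win7 /
# 2008 R2 management box with RSAT GPMC; GPO name, OU and URL are placeholders.
Import-Module GroupPolicy

$GpoName  = 'Server Management'                        # assumed name
$ServerOU = 'OU=XenApp Servers,DC=example,DC=com'      # assumed OU path
$HomePage = 'http://intranet.example.com/'             # assumed company standard

# Bitmask used by "Hide these specified drives" (NoDrives) and
# "Prevent access to drives" (NoViewOnDrive): bit 0 = A:, bit 1 = B:, ... bit 25 = Z:
function Get-DriveMask {
    param([string[]]$Drives)
    $mask = 0
    foreach ($d in $Drives) {
        $bit   = [int][char]$d.ToUpper() - [int][char]'A'
        $mask  = $mask -bor [int]([math]::Pow(2, $bit))
    }
    return $mask            # 'A','B','C','D' -> 15; all 26 drives -> 67108863 (0x03FFFFFF)
}

$gpo = Get-GPO -Name $GpoName -ErrorAction SilentlyContinue
if (-not $gpo) { $gpo = New-GPO -Name $GpoName -Comment 'Terminal Server / XenApp user management policy' }

# --- Computer Configuration ---
# User Group Policy loopback processing mode: Enabled, Mode = Replace (1 = Merge, 2 = Replace)
Set-GPRegistryValue -Name $GpoName -Key 'HKLM\Software\Policies\Microsoft\Windows\System' `
    -ValueName 'UserPolicyMode' -Type DWord -Value 2 | Out-Null
# Windows Installer: Allow admin to install from Terminal Services session
Set-GPRegistryValue -Name $GpoName -Key 'HKLM\Software\Policies\Microsoft\Windows\Installer' `
    -ValueName 'EnableAdminTSRemote' -Type DWord -Value 1 | Out-Null

# --- User Configuration (hits everyone who logs on to the Servers, because of loopback Replace) ---
$explorer = 'HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer'
$system   = 'HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System'
$sched    = 'HKCU\Software\Policies\Microsoft\Windows\Task Scheduler5.0'
$mmc      = 'HKCU\Software\Policies\Microsoft\MMC'
$drives   = Get-DriveMask 'A','B','C','D'              # the "A, B, C and D" drop-down choice

$userPol = @(
    @{ Key=$explorer; Name='NoClose';         Value=1 },       # Remove and prevent access to the Shut Down command
    @{ Key=$explorer; Name='NoRun';           Value=1 },       # Remove Run menu from Start Menu
    @{ Key=$explorer; Name='NoSMHelp';        Value=1 },       # Remove Help menu from Start Menu
    @{ Key=$explorer; Name='NoControlPanel';  Value=1 },       # Prohibit access to the Control Panel
    @{ Key=$explorer; Name='NoDrives';        Value=$drives }, # Hide these specified drives in My Computer
    @{ Key=$explorer; Name='NoViewOnDrive';   Value=$drives }, # Prevent access to drives from My Computer
    # Prevent access to the command prompt: 1 = block cmd.exe but keep script processing
    @{ Key='HKCU\Software\Policies\Microsoft\Windows\System'; Name='DisableCMD'; Value=1 },
    # Prevent access to registry editing tools: 1 = block the Regedit UI but keep regedit /s
    @{ Key=$system;   Name='DisableRegistryTools';   Value=1 },
    @{ Key=$system;   Name='DisableTaskMgr';         Value=1 }, # Ctrl+Alt+Del: Remove Task Manager
    @{ Key=$system;   Name='DisableLockWorkstation'; Value=1 }, # Ctrl+Alt+Del: Remove Lock Computer
    @{ Key='HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\WindowsUpdate';
       Name='DisableWindowsUpdateAccess'; Value=1 },            # Remove access to use all Windows Update features
    @{ Key=$mmc;      Name='RestrictAuthorMode';         Value=1 },
    @{ Key=$mmc;      Name='RestrictToPermittedSnapins'; Value=1 },
    @{ Key=$sched;    Name='Execution';     Value=1 },          # Prevent Task Run or End
    @{ Key=$sched;    Name='Task Creation'; Value=1 },          # Prohibit New Task Creation
    @{ Key='HKCU\Software\Policies\Microsoft\Messenger\Client'; Name='PreventRun';     Value=1 },
    @{ Key='HKCU\Software\Policies\Microsoft\Messenger\Client'; Name='PreventAutoRun'; Value=1 }
)
foreach ($p in $userPol) {
    Set-GPRegistryValue -Name $GpoName -Key $p.Key -ValueName $p.Name -Type DWord -Value $p.Value | Out-Null
}

# Internet Explorer: set the home page (string value) and forbid changing it
Set-GPRegistryValue -Name $GpoName -Key 'HKCU\Software\Policies\Microsoft\Internet Explorer\Main' `
    -ValueName 'Start Page' -Type String -Value $HomePage | Out-Null
Set-GPRegistryValue -Name $GpoName -Key 'HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel' `
    -ValueName 'HomePage' -Type DWord -Value 1 | Out-Null

# Link to the Servers' OU; loopback only does anything when the GPO applies to the computers
$linked = (Get-GPInheritance -Target $ServerOU).GpoLinks | Where-Object { $_.DisplayName -eq $GpoName }
if (-not $linked) { New-GPLink -Name $GpoName -Target $ServerOU -LinkEnabled Yes | Out-Null }

# Check: read back what was written to registry.pol for the Explorer key
Get-GPRegistryValue -Name $GpoName -Key $explorer | Format-Table ValueName, Type, Value -AutoSize
```

Verify the result the same way you would for the GUI-built GPO: log on to one of the Servers as a test user, run gpupdate /force and then gpresult /scope user /v, and confirm that only the user settings from GPOs linked to the Servers’ OU are listed as applied (that is what loopback Replace is supposed to produce).  Get-GPOReport -Name 'Server Management' -ReportType Html -Path .\ServerMgmt.html gives a readable record of everything the GPO contains, which is handy for the review and backup topics mentioned below.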

In future articles you will learn:

  • How to hide additional drive letters from users
  • How to keep this GPO from applying to the administrators in charge of the Servers
  • How to backup and document this management GPO
  • How to test the effect of this GPO on administrative and non-administrative users

About Carl Webster

Webster is a Sr. Solutions Architect for Choice Solutions, LLC and specializes in Citrix, Active Directory and Technical Documentation. Webster has been working with Citrix products for many years starting with Multi-User OS/2 in 1990.


2 Responses to “Creating a Server Management Group Policy on Windows Server 2003”

  1. Alicia Hurtado Says:

    Thanks for your information. Is it possible to create a directive to run Scheduled Tasks in GPO for Windows Server 2003 R2 SP2? Help me please!
