Creating a Server Management Group Policy on Windows Server 2003

    Creating a server management group policy is a critical task that needs to be completed before allowing users access to any Terminal Server or XenApp Server.  By default, any user who can log on to the server can do many dangerous things.  For example, the user can:

    • Shut down the server
    • Reboot the server
    • Use Internet Explorer to install Windows Updates
    • Access the server’s hard drives

    Note:  Instead of saying Terminal Server or XenApp Server throughout this article, I will use the term Server or Servers.

    Many administrators refer to this as “locking down the Server”.  I prefer to use “managing the Server”.  Many administrators add other group policy items that do not add to “locking down” a Server but add to the management of a Server.

    Just like there is no one way to design Active Directory (AD), there is no one way to design a Server management group policy.  What works for high security environments would probably be overkill for a small business.  If you were to gather ten network administrators in a room there will probably be ten different viewpoints on the “proper and secure” way to manage a Server.

    From this article you will learn the basics of creating a group policy for managing your Servers.  This article uses Windows Server 2003 R2 with SP2 and all Critical (High Priority) Windows Updates available as of May 2009, except Internet Explorer 8.  The following assumptions are made:

    • The Group Policy Management Console is installed.  If not, please see this Microsoft site.
    • Your Servers are in their own Organizational Unit (OU)
    • You are familiar with the concept of Loopback Processing Mode
    • You know how to create a Group Policy Object (GPO) and link it
    • Internet Explorer 7 is installed on the Server

    Note:  This article uses the terms “expand” and “collapse”.  Expand means to click the “+” sign next to a node in the GPO (Figure 1).  Collapse means to click the “-” sign next to a node in the GPO (Figure 2).

    Figure 1 (Expand a GPO node)

    Figure 2 (Collapse a GPO node)

    Start the Group Policy Management tool, navigate to the Group Policy Objects node and create a GPO (Figure 3).

    Figure 3

    The first setting that needs to be configured is to set the loopback processing mode.

    In Computer Configuration, expand Administrative Templates, expand System, click Group Policy, double-click User Group Policy loopback processing mode, select Enabled, change Mode to Replace and then click OK (Figure 4).  With Replace, a user logging on to a Server receives only the User Configuration settings of the GPOs linked to the Servers’ OU; the user settings in GPOs linked to the user’s own OU are ignored for that session.  Merge would apply both, with the Server OU’s GPOs winning on conflicts.

    Figure 4

    Collapse System, expand Windows Settings, expand Security Settings, expand Local Policies, click Security Options and Enable the following Settings (Figure 5):

    • Devices: Restrict CD-ROM access to locally logged-on user only
    • Devices: Restrict floppy access to locally logged-on user only
    • Interactive logon: Do not display last user name

    Figure 5

    Collapse Local Policies, click System Services and Disable the following service (Figure 6):

    • Help and Support

    Figure 6

    Collapse Windows Settings, expand Administrative Templates, expand Windows Components, click Windows Installer and Enable the following setting (Figure 7):

    • Allow admin to install from Terminal Services session

    Figure 7

    Collapse Computer Configuration.
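    The Computer Configuration half of the GPO above, as an added PowerShell example that is not part of the original article.  It assumes the GroupPolicy module, which ships with the Group Policy Management Console on Windows Server 2008 R2 and with the Windows 7 RSAT; Windows Server 2003 itself has no such module, so the script is run from a newer, domain-joined management machine.  The GPO name “Server Management” and the OU “OU=Servers,DC=example,DC=com” are placeholders.  Only the Administrative Template settings are registry-backed and can be written with Set-GPRegistryValue; the three Security Options and the Help and Support service live in the GPO’s security template and still have to be set in the editor as shown above.

```powershell
# Added example (not from the original article): build the Computer Configuration
# half of the server management GPO with the GroupPolicy module.
# Assumptions: GroupPolicy module available (Server 2008 R2 / Windows 7 RSAT);
# $GpoName and $ServerOU are placeholders for your own GPO and Servers OU.
Import-Module GroupPolicy

$GpoName  = 'Server Management'                # placeholder
$ServerOU = 'OU=Servers,DC=example,DC=com'     # placeholder

# Create the GPO if it does not exist yet, then link it to the Servers OU once.
$gpo = Get-GPO -Name $GpoName -ErrorAction SilentlyContinue
if (-not $gpo) {
    $gpo = New-GPO -Name $GpoName -Comment 'Terminal Server / XenApp management policy'
}
$linked = (Get-GPInheritance -Target $ServerOU).GpoLinks |
          Where-Object { $_.DisplayName -eq $GpoName }
if (-not $linked) {
    New-GPLink -Name $GpoName -Target $ServerOU -LinkEnabled Yes | Out-Null
}

# User Group Policy loopback processing mode: Enabled, Mode = Replace.
# UserPolicyMode 1 = Merge, 2 = Replace.  Replace means a user logging on to a
# Server gets ONLY the user settings from GPOs linked to the Servers OU.
Set-GPRegistryValue -Name $GpoName `
    -Key 'HKLM\Software\Policies\Microsoft\Windows\System' `
    -ValueName 'UserPolicyMode' -Type DWord -Value 2 | Out-Null

# Windows Installer: Allow admin to install from Terminal Services session.
Set-GPRegistryValue -Name $GpoName `
    -Key 'HKLM\Software\Policies\Microsoft\Windows\Installer' `
    -ValueName 'EnableAdminTSRemote' -Type DWord -Value 1 | Out-Null

# The Security Options (CD-ROM/floppy allocation, Do not display last user name)
# and the Help and Support service are security-template settings, not
# Administrative Templates, so they are left to the editor.  For reference, the
# last one maps to
#   HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System\DontDisplayLastUserName = 1

# Read back what was written to registry.pol.
Get-GPRegistryValue -Name $GpoName -Key 'HKLM\Software\Policies\Microsoft\Windows\System'
Get-GPRegistryValue -Name $GpoName -Key 'HKLM\Software\Policies\Microsoft\Windows\Installer'
```

    Get-GPRegistryValue lists the values the editor will show as Enabled under Administrative Templates; run it after each batch of settings so a typo in a key path is caught before the policy is linked.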

    In the User Configuration section, expand Administrative Templates, expand Windows Components, click Internet Explorer and Enable the following settings (Figure 8):

    • Disable “Configuring History”
      • Days to keep pages in History: 20 (Default number)
    • Disable changing Advanced page settings
    • Disable changing Automatic Configuration settings
    • Disable changing Calendar and Contact settings
    • Disable changing certificate settings
    • Disable changing connection settings
    • Disable changing default browser check
    • Disable changing home page settings
      • Home Page: http://www.dabcc.com/Webster (set to your company standard)
    • Disable changing Messaging settings
    • Disable changing Profile Assistant settings
    • Disable changing proxy settings
    • Disable changing ratings settings
    • Disable changing Temporary Internet files settings
    • Disable Internet Connection wizard
    • Disable the Reset Web Settings feature
    • Do not allow users to enable or disable add-ons
    • Prevent participation in the Customer Experience Improvement Program
    • Prevent performance of First Run Customize settings
      • Select your choice: Go directly to home page
    • Search: Disable Find Files via F3 within the browser
    • Turn off Managing Phishing filter
      • Select phishing filter mode: Off
    • Use Automatic Detection for dial-up connections

    Figure 8

    Under Internet Explorer, double-click Internet Control Panel and Enable the following settings (Figure 9):

    • Disable the Advanced page
    • Disable the Connections page
    • Disable the Content page
    • Disable the Privacy page
    • Disable the Programs page
    • Disable the Security page

    Figure 9

    In the Settings column, double-click Advanced Page and Enable the following setting (Figure 10):

    • Empty Temporary Internet Files folder when browser is closed

    Figure 10

    Under Internet Explorer, expand Security Features, click on Restrict ActiveX Install and Enable the following setting (Figure 11):

    • Internet Explorer Processes

    Figure 11

    Under Internet Explorer, click Toolbars and Enable the following settings (Figure 12):

    • Configure Toolbar Buttons
      • Enable (Check) the following buttons (Figure 13):
        • Show Back button
        • Show Forward button
        • Show Stop button
        • Show Refresh button
        • Show Home button
        • Show Favorites button
        • Show History button
    • Disable customizing browser toolbar buttons

    Figure 12

    Figure 13

    Under Internet Explorer, click Browser menus and Enable the following settings (Figure 14).

    • Disable Context menu
    • Disable Save this program to disk option

    Figure 14

    Collapse Internet Explorer, click Windows Explorer and Enable the following settings (Figure 15):

    • Do not request alternate credentials
    • Hide these specified drives in My Computer (select one of the following)
      • Restrict A and B drives only
      • Restrict C drive only
      • Restrict D drive only
      • Restrict A, B and C drives only
      • Restrict A, B, C and D drives only
      • Restrict all drives
      • Do not restrict drives
    • Hides the Manage item on the Windows Explorer context menu
    • Prevent access to drives from My Computer (select one of the following)
      • Restrict A and B drives only
      • Restrict C drive only
      • Restrict D drive only
      • Restrict A, B and C drives only
      • Restrict A, B, C and D drives only
      • Restrict all drives
      • Do not restrict drives
    • Remove CD Burning features
    • Remove Hardware tab
    • Remove Search button from Windows Explorer
    • Remove Security tab
    • Remove Windows Explorer’s default context menu
    • Turn off Windows+X hotkeys

    NOTE:  When the Hide these specified drives in My Computer and Prevent access to drives from My Computer settings are enabled, a drop-down box allows the selection of various drive combinations.  What if the drives you need hidden are not on the list?  See the companion article How To Hide Additional Drive Letters On A Server.  Keep in mind that both settings only affect Windows Explorer and the common Open/Save dialogs; they do not stop a program or a script the user can run from reading the drive.  The only real control over what a user can read on a Server’s disks is NTFS permissions.
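    Behind both drive settings is a single DWORD bitmask (NoDrives for hiding, NoViewOnDrive for preventing access) in which bit 0 is A:, bit 1 is B: and so on up to bit 25 for Z:; the drop-down only offers seven of the 67 million possible values.  The following is an added PowerShell example, not code from the original article or its companion piece: it computes the mask for any set of drive letters and writes it straight into the GPO.  It assumes the GroupPolicy module (Windows Server 2008 R2 or Windows 7 RSAT) and uses the placeholder GPO name “Server Management”.

```powershell
# Added example (not from the original article): compute the drive bitmask used by
# "Hide these specified drives in My Computer" (NoDrives) and "Prevent access to
# drives from My Computer" (NoViewOnDrive) for any combination of drive letters.
# Bit 0 = A:, bit 1 = B:, ... bit 25 = Z:.  The editor's drop-down offers only:
#   Restrict A and B drives only        = 3
#   Restrict C drive only               = 4
#   Restrict D drive only               = 8
#   Restrict A, B and C drives only     = 7
#   Restrict A, B, C and D drives only  = 15
#   Restrict all drives                 = 67108863  (0x3FFFFFF)
#   Do not restrict drives              = 0
# Assumptions: GroupPolicy module available; $GpoName is a placeholder.

function Get-DriveMask {
    param([Parameter(Mandatory=$true)][string[]]$Drives)
    $mask = 0
    foreach ($d in $Drives) {
        $letter = $d.Trim().TrimEnd(':').ToUpper()
        if ($letter -notmatch '^[A-Z]$') { throw "Not a drive letter: '$d'" }
        $bit  = [int][char]$letter - [int][char]'A'     # A: = bit 0 ... Z: = bit 25
        $mask = $mask -bor [int][Math]::Pow(2, $bit)    # -shl needs PowerShell 3.0
    }
    return $mask
}

function ConvertFrom-DriveMask {
    # Reverse direction: turn a mask read from a GPO back into drive letters.
    param([Parameter(Mandatory=$true)][int]$Mask)
    $letters = @()
    for ($bit = 0; $bit -le 25; $bit++) {
        if ($Mask -band [int][Math]::Pow(2, $bit)) { $letters += [string][char](65 + $bit) }
    }
    return ($letters -join ',')
}

# Example: hide and block C:, D: and E: (OS and two data disks) but leave any
# mapped network drives, which usually start at F: or later, visible.
$mask = Get-DriveMask -Drives 'C', 'D', 'E'      # 4 + 8 + 16 = 28
"Mask $mask covers drives: $(ConvertFrom-DriveMask -Mask $mask)"

Import-Module GroupPolicy
$GpoName = 'Server Management'                  # placeholder
$key = 'HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer'
Set-GPRegistryValue -Name $GpoName -Key $key -ValueName 'NoDrives'      -Type DWord -Value $mask | Out-Null
Set-GPRegistryValue -Name $GpoName -Key $key -ValueName 'NoViewOnDrive' -Type DWord -Value $mask | Out-Null

# Read the values back and decode them, so a wrong mask is caught before it is
# applied to every user on the Server.
Get-GPRegistryValue -Name $GpoName -Key $key |
    Where-Object { $_.ValueName -in 'NoDrives', 'NoViewOnDrive' -or $_.ValueName -eq 'NoDrives' -or $_.ValueName -eq 'NoViewOnDrive' } |
    ForEach-Object { "$($_.ValueName) = $($_.Value) ($(ConvertFrom-DriveMask -Mask $_.Value))" }
```

    Hiding and blocking are deliberately written with the same mask: a drive that is blocked but still visible produces a confusing error for the user, and a drive that is hidden but not blocked is still one typed path away.  Set NoViewOnDrive without NoDrives only when a visible-but-blocked drive is the behaviour you want.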

    Figure 15

    Click Microsoft Management Console and Enable these settings (Figure 16):

    • Restrict the user from entering author mode
    • Restrict users to the explicitly permitted list of snap-ins

    Figure 16

    Click Task Scheduler and Enable the following settings (Figure 17):

    • Prevent Task Run or End
    • Prohibit New Task Creation

    Figure 17

    Click Windows Messenger and Enable the following settings (Figure 18):

    • Do not allow Windows Messenger to be run
    • Do not automatically start Windows Messenger initially

    Figure 18

    Click Windows Update and Enable the following settings (Figure 19):

    • Do not adjust default option to ‘Install Updates and Shut Down’ in Shut Down Windows dialog box
    • Do not display ‘Install Updates and Shut Down’ option in Shut Down Windows dialog box
    • Remove access to use all Windows Update features

    Figure 19

    Click Windows Movie Maker and Enable the following setting (Figure 20):

    • Do not allow Windows Movie Maker to run

    Figure 20

    Collapse Windows Components, click Start Menu and Taskbar and Enable the following settings (Figure 21):

    • Add Logoff to the Start Menu
    • Force classic Start Menu
    • Lock the Taskbar
    • Prevent changes to Taskbar and Start Menu Settings
    • Remove and prevent access to the Shutdown command
    • Remove Balloon Tips on Start Menu items
    • Remove Drag-and-drop context menus on the Start Menu
    • Remove Help menu from Start Menu
    • Remove links and access to Windows Update
    • Remove My Music icon from Start Menu
    • Remove Run menu from Start Menu
    • Remove Set Program Access and Defaults from Start menu
    • Remove the “Undock PC” button from the Start Menu
    • Turn off notification area cleanup
    • Turn off personalized menus
    • Turn off user tracking

    Figure 21

    Click Desktop and Enable the following settings (Figure 22):

    • Do not add shares of recently opened documents to My Network Places
    • Prevent adding, dragging, dropping and closing the Taskbar’s toolbars
    • Prohibit adjusting desktop toolbars
    • Prohibit user from changing My Documents path
    • Remove Properties from the My Computer context menu
    • Remove Properties from the Recycle Bin context menu
    • Remove the Desktop Cleanup Wizard

    Figure 22

    Double-click Active Desktop and Enable the following setting (Figure 23):

    • Disable Active Desktop

    Figure 23

    Collapse Desktop, click Control Panel and Enable the following settings (Figure 24):

    • Prohibit access to the Control Panel
    • Show only specified Control Panel applets

    Figure 24

    Note: To specify Control Panel applets, click the Show button after Enabling the setting (Figure 25):

    Figure 25

    Click the Add button and enter Printers (Figure 26):

    Figure 26

    Double-click Add or Remove Programs and Enable the following setting (Figure 27):

    • Remove Add or Remove Programs

    Figure 27

    Expand Display, click Desktop Themes and Enable the following settings (Figure 28):

    • Load a specific visual style file or force Windows Classic
      • Note: leave the style box blank to force Windows Classic
    • Prohibit Theme color selection
    • Remove Theme option

    Figure 28

    Collapse Control Panel, expand Network, click Offline Files and Enable the following settings (Figure 29):

    • Prevent use of Offline Files folder
    • Prohibit user configuration of Offline Files
    • Remove ‘Make Available Offline’

    Figure 29

    Click Network Connections and Disable the following settings (Figure 30):

    • Ability to change properties of an all user remote access connection
    • Ability to delete all user remote access connections
    • Ability to Enable/Disable a LAN connection
    • Ability to rename all user remote access connections
    • Ability to rename LAN connections
    • Ability to rename LAN connections or remote access connections available to all users

    Enable the following settings (Figure 30):

    • Prohibit access to properties of a LAN connection
    • Prohibit access to properties of components of a LAN connection
    • Prohibit access to properties of components of a remote access connection
    • Prohibit access to the Advanced Settings item on the Advanced menu
    • Prohibit access to the New Connection Wizard
    • Prohibit access to the Remote Access Preferences item on the Advanced menu
    • Prohibit adding and removing components for a LAN or remote access connection
    • Prohibit changing properties of a private remote access connection
    • Prohibit connecting and disconnecting a remote access connection
    • Prohibit deletion of remote access connections
    • Prohibit Enabling/Disabling components of a LAN connection
    • Prohibit TCP/IP advanced configuration
    • Prohibit viewing of status for an active connection
    • Turn off notifications when a connection has only limited or no connectivity

    Figure 30

    Collapse Network, click System and Enable the following settings (Figure 31):

    • Don’t display the Getting Started welcome screen at logon
    • Prevent access to the command prompt
      • Disable the command prompt script processing also: No
    • Prevent access to registry editing tools
      • Disable regedit from running silently: No

    Leave script processing at No if any of your users have batch logon scripts; answering Yes makes cmd.exe refuse to run .bat and .cmd files as well, and the logon scripts silently stop working.

    Figure 31

    Double-click Ctrl+Alt+Del Options and Enable the following settings (Figure 32):

    • Remove Lock Computer
    • Remove Task Manager

    Figure 32

    You have now learned to create a basic Group Policy to manage your Servers.  Use this Group Policy as a starting point for your environment.  Only through thorough testing, logging on to a Server with an ordinary, non-administrative test account and trying each of the things the policy is meant to prevent, will you learn what is necessary to properly and securely manage your Servers.
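    One way to do that testing without clicking through every menu, as an added PowerShell example that is not part of the original article: log on to a Server in a Terminal Services session as a non-administrative test account and read back the registry values that the user-side settings above are supposed to deliver.  The expected values are the ones this article sets (DisableCMD = 2 because script processing was left at No, DisableRegistryTools = 1 because silent regedit was left at No); the key paths are the ones the Administrative Templates write to.  It assumes PowerShell is installed on the Server, which on Windows Server 2003 is an optional download.

```powershell
# Added example (not from the original article): run in a Terminal Services session
# as a NON-administrative test user to confirm the user-side settings of the
# management GPO actually arrived.  With loopback = Replace, none of the test
# user's own OU policies should be present.  Expected values are the ones the
# article sets; key paths are where the corresponding Administrative Templates
# write.  Assumes PowerShell is installed on the Server.

$expected = @(
    # key, value name, expected value, setting as shown in the editor
    @('HKLM:\Software\Policies\Microsoft\Windows\System',                 'UserPolicyMode',             2, 'User Group Policy loopback processing mode = Replace'),
    @('HKCU:\Software\Policies\Microsoft\Windows\System',                 'DisableCMD',                 2, 'Prevent access to the command prompt (scripts still allowed)'),
    @('HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\System',  'DisableRegistryTools',       1, 'Prevent access to registry editing tools'),
    @('HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\System',  'DisableTaskMgr',             1, 'Remove Task Manager'),
    @('HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\System',  'DisableLockWorkstation',     1, 'Remove Lock Computer'),
    @('HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer','NoClose',                    1, 'Remove and prevent access to the Shutdown command'),
    @('HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer','NoRun',                      1, 'Remove Run menu from Start Menu'),
    @('HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer','NoWindowsUpdate',            1, 'Remove links and access to Windows Update'),
    @('HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer','NoControlPanel',             1, 'Prohibit access to the Control Panel'),
    @('HKCU:\Software\Policies\Microsoft\MMC',                            'RestrictAuthorMode',         1, 'Restrict the user from entering author mode'),
    @('HKCU:\Software\Policies\Microsoft\MMC',                            'RestrictToPermittedSnapins', 1, 'Restrict users to the explicitly permitted list of snap-ins')
)

function Test-ServerManagementPolicy {
    foreach ($row in $expected) {
        $key, $name, $want, $label = $row
        $actual = $null
        # A missing key or value simply means the setting did not apply.
        $item = Get-ItemProperty -Path $key -Name $name -ErrorAction SilentlyContinue
        if ($item) { $actual = $item.$name }
        New-Object PSObject -Property @{
            OK       = ($actual -eq $want)
            Setting  = $label
            Value    = $name
            Expected = $want
            Actual   = $actual
        }
    }
}

$results = Test-ServerManagementPolicy
$results | Format-Table OK, Setting, Expected, Actual -AutoSize

# Anything with OK = False did not apply.  Check that the GPO is linked to the
# Servers OU, that the test account is not excluded by the GPO's security
# filtering, and that loopback really is in Replace mode, then run
#   gpresult /scope user /v
# which lists the GPOs applied to the session and the loopback mode in effect.
```

    The fact that this script runs at all as the test user illustrates a limit of the policy: Prevent access to the command prompt blocks cmd.exe only, and powershell.exe, cscript.exe and any other interpreter on the Server remain available to the user.  If that matters in your environment, a Software Restriction Policy is the mechanism on Windows Server 2003 for deciding which executables a user may run.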

    In future articles you will learn:

    • How to hide additional drive letters from users
    • How to keep this GPO from applying to the administrators in charge of the Servers
    • How to backup and document this management GPO
    • How to test the effect of this GPO on administrative and non-administrative users

    About Carl Webster

    Webster is a Sr. Solutions Architect for Choice Solutions, LLC and specializes in Citrix, Active Directory and Technical Documentation. Webster has been working with Citrix products for many years starting with Multi-User OS/2 in 1990.


    1. Alicia Hurtado Says:

      Thanks for your information. Is it possible to create a directive to run Scheduled Tasks in GPO for Windows Server 2003 R2 SP2? Help me please!
