5.1 What Is Group Policy?

Group Policy is a collection of configuration settings and instructions that can apply to user accounts or to computers. Group Policy allows you to manipulate an almost unlimited array of configuration settings and provides a flexible model for applying those settings to specific users or computers within your organization. Many of those settings are completely unrelated to security. For example, you can use Group Policy to deploy a single, corporate-approved desktop wallpaper bitmap to all client computers, or to force all users in your organization to use a particular screensaver. Group Policy does contain security-related settings and, as I mentioned previously, can be used to deploy security templates for comprehensive security control of an entire enterprise. Group Policy also contains instructions to computers that can perform tasks such as installing software or running a script. Although technically these are just one-time settings, they are a bit different in their functionality.

Every Windows 2000, Windows XP, and Windows Server 2003 computer has its own Group Policy, referred to as Local Group Policy, or just local policy. Active Directory domains allow policies to be stored on and applied by the domain. These policies are collectively called domain policy. Both local and domain policies allow you to configure many of the same settings as Group Policy. The difference is that local and domain policies are configured on individual computers and domain controllers. If you change your mind about a configuration setting, you have to modify it on every computer, which can be an administrative nightmare. Figure 5-1 shows the Local Security Policy console, which you can find in the Administrative Tools section of the Start menu. You use this tool to configure the local policy of a single computer.

Figure 5-1. The Local Security Policy console

Group Policy provides a solution to the nightmare of managing distributed computers by allowing you to centrally configure settings in Active Directory. When computers and users log on to an Active Directory domain, the computers download and apply the appropriate Group Policy. Group Policy settings always override any local policy settings, allowing you to centrally manage the policy settings that affect each computer and user in your domain. As a result, Group Policy provides a perfect way to centrally configure security settings for all the computers in your organization. Any administrator with a need to centrally configure security on an organization's computers should be using Group Policy to do so.
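As an added example (not code from the book), the following PowerShell script audits the account-policy settings that the Local Security Policy console displays on a single computer: it exports the computer's security policy with `secedit`, parses the `[System Access]` section, and compares a few values against a baseline. The `$Baseline` table and its values are constructed for illustration, not recommendations from this chapter; on a domain member, the values you see are the ones domain policy has applied, per the override described above.

```powershell
# Added example: export the computer's security policy and check a few
# account-policy values. Baseline values are constructed for illustration.
$Baseline = @{
    MinimumPasswordLength = 8      # at least this many characters
    PasswordComplexity    = 1      # 1 = complexity requirements enabled
    LockoutBadCount       = 10     # 0 means "no lockout"; want > 0 and <= 10
    MaximumPasswordAge    = 90     # days; -1 means "password never expires"
}

# secedit writes an INF-style file; [System Access] holds the account policy.
$Export = Join-Path $env:TEMP 'secpol-export.inf'
& secedit.exe /export /cfg $Export /areas SECURITYPOLICY /quiet | Out-Null
if (-not (Test-Path $Export)) { throw "secedit export failed (run elevated)" }

# Parse "Key = Value" lines from the [System Access] section only.
$Settings  = @{}
$InSection = $false
foreach ($line in Get-Content $Export) {
    if ($line -match '^\[(.+)\]$') {
        $InSection = ($Matches[1] -eq 'System Access')
        continue
    }
    if ($InSection -and $line -match '^\s*(\w+)\s*=\s*(-?\d+)') {
        $Settings[$Matches[1]] = [int]$Matches[2]
    }
}
Remove-Item $Export -ErrorAction SilentlyContinue

# Compare each baseline entry; missing keys are reported as findings too.
foreach ($name in $Baseline.Keys) {
    if (-not $Settings.ContainsKey($name)) {
        Write-Output ("FINDING  {0,-22} not present in export" -f $name)
        continue
    }
    $actual = $Settings[$name]
    $ok = switch ($name) {
        # "Never" (-1) and "no lockout" (0) both fail these upper-bound checks.
        'LockoutBadCount'    { ($actual -gt 0) -and ($actual -le $Baseline[$name]) }
        'MaximumPasswordAge' { ($actual -gt 0) -and ($actual -le $Baseline[$name]) }
        default              { $actual -ge $Baseline[$name] }
    }
    $status = if ($ok) { 'OK      ' } else { 'FINDING ' }
    Write-Output ("{0} {1,-22} actual={2,-4} baseline={3}" -f $status, $name, $actual, $Baseline[$name])
}
```

Run this from an elevated PowerShell prompt, since `secedit /export` requires administrative rights.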