 |
Redspin SMA Sign Up!
|
|
Sign yourself or a colleague up for our free Redspin Security Management Advisory monthly newsletter. We will not share your email address.
|
|
* = Required Information
|
 |
|
|
Three Reasons Why You Should Care About Group Policy
|
|
Microsoft Group Policy Objects (GPOs) represent a great opportunity to centrally manage corporate-wide security policy and to fully take advantage of the many Microsoft security features. Full utilization and proper configuration of GPOs have three important benefits:
1. Risk Management:
Many risks observed in our day-to-day practice as well as security incidents making headline news could be mitigated with proper GPO configurations.
2. Cost Savings:
Numerous vendors sell security hardware and software to mitigate risk that can be addressed simply with correct GPO configuration.
3. Microsoft Security Features:
A review of GPO configuration options provides an excellent overview of the Microsoft built-in security features - see the WinCAT-AD security template provided with the download for some example configurations settings to benchmark your systems against.
|
|
|
|
 |
|
|
|
 Back To Redspin Security Management Advisory Headlines
|
 |
Volume 4 | July 1, 2008
|
 |
|
Executive Summary — How secure are the Group Policies that your organization has set?
Microsoft's Active Directory is a central component of most network environments, and it offers a rich array of security choices for protecting your network. Setting Group Policy is a key task for many Domain Administrators, and there are a huge number of configuration options available for them to do so. In fact, there may well be too many choices, which brings us to one of Redspin's favorite questions:
Are you doing what you think you're doing?
|
Redspin often sees multiple password policies applied to different groups; however, in reality only the password policy applied at the domain level is applied and will overrule every other policy.
In addition, many administrators aren't taking advantage of all the security options that Microsoft offers. For example, a current challenge for organizations is preventing sensitive data from being copied onto portable media, such as USB drives, and taken outside of the institution. The ability to write data to these drives can be disabled for specific people or groups using GPOs (Group Policy Objects). Many expensive software solutions are currently marketed to solve this problem, even though GPOs are free and can provide the same result.
"Do you remember that room in your house when you were growing up where there were two light switches that controlled the same light?" asks Redspin CEO John Abraham. "One of the switches was always down and the other one was up, and it always felt weird to push the one that was up back down to turn the light on, or maybe you even had a quick moment of panic that the light was burnt out. Group Policy settings in Active Directory are just like that, only there are hundreds, sometimes even thousands of possible switches. How do you know if the light is on?"
Because multiple Group Policies can be applied to the same person - at a bank, for instance, an employee in the teller group may have the default domain policy, a department policy, and a user policy all applied at the same time - there are a lot of opportunities for conflicting levels of access to be created. Do employees have the appropriate password rules? Have guest access restrictions been set correctly on all the networked machines? Are the different User Groups creating countermanding or incompatible rules?
Redspin, Inc. has developed an excellent new tool in order to answer these questions, and to let you know exactly if the rules you think you're setting are actually applied correctly on your network. WinCAT-AD (Windows Configuration Analysis Tools - Active Directory) will show you a list of all the Group Policy settings that have been configured on your network, after resolving any conflicts, and compare them to a user-supplied template.
This will help smaller organizations discover additional GPO settings that are not currently used, while a large institution will be able to discover conflicting GPO settings in their environment.
The Redspin Active Directory Group Policy security analysis tool takes a picture of all your settings as they currently are, and then outputs it into an easy-to-understand, browser-based report. This comprehensive review of Active Directory settings is an invaluable resource - and can be downloaded for free for a limited time only at www.redspin.com/tools.
"We're excited to be able to offer this tool to all of our customers, and for now, other security auditors," says Abraham. "It's one of the first things we use when we do a security audit. And to answer my own question - 'How do you know if the light is on?' - all you have to do is look. And WinCAT-AD is the only tool out there that let's you see the whole picture."
|
|
|
|
Speak with a Redspin Security Consultant Today!
|
* = Required Information
|
|
|
|
|
|
|
 |
