SEC 340 – Windows Server 2012 Group Policy Object and Organizational Unit Basic Practice

Design a Group Policy for a Small Business Network that needs to focus on strict network security. Be sure to include at least 10 GPOs and explain how and why you configured them.

References I used in addition to the book (William Panek: MCSA Windows Server 2012 R2 Complete Study Guide 70-410, 70-411, 70-412, 70-417):

Organizational Units – Sales, Billing, Technical Support, Design (linked to their respective group policy object, and the users added to the organizational object)

Organizational Units

  • Sales
  • Billing
  • Technical Support
  • Design

Group Policy Objects

  • Sales
    • Limit Task Manager/Installing Programs/Accessing Control Panel
    • Restrict Printer Access to Sales Area Printers
    • Remove Access to enable/disable antivirus
    • Access to Sales-specific Software
    • Remove Access to the C: drive and subfolders (prevent accidental deletion of necessary files)
    • Prevent Windows From Storing LAN Manager Hash (not a safe way to store passwords)
    • Restrict Command Prompt Access (causing unintended changes)
    • Disable Forced System Restarts (so it doesn’t reboot unintentionally)
    • Disallow Removable Media Drives, DVDs, CDs, and Floppy Drives (security reasons)
    • Disable Guest (restrict access to the computer further)
    • Set Minimum Password Length to a higher number (10 or higher)
  • Billing
    • Same as sales except only access to billing software
  • Technical Support
    • Limited access to billing/sales – can assist but can’t accidentally delete/add anything.
    • Disable Forced System Restarts
    • Disallow Removable Media Drives, DVDs, CDs, and Floppy Drives
    • Disable Guest
    • Set Minimum Password Length to a higher number (10 or higher)
  • Design Department
    • Same as sales except only access to design software

I restricted the various departments’ abilities to make unintended changes to their operating systems for security and reliability purposes. I restricted what software they have access to for the same reason. The users may intend well, but accidents can happen. That software that they think is harmless, when installed on their computer, may cause a lot of problems for themselves and other employees. Technical support in this scenario requests access to be able to do what they want with their computers as far as adding and removing software. They still have limited access to billing and sales servers in case they make mistakes during troubleshooting.
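As an added example (not part of the original assignment), the PowerShell below builds the four OUs, creates and links one GPO per department, and sets four of the listed restrictions as user-side registry policy. The domain `corp.example.com` and the `<Department> Policy` GPO names are assumptions; it needs the ActiveDirectory and GroupPolicy modules.

```powershell
# Added example. Assumptions: constructed domain corp.example.com, hypothetical
# "<Department> Policy" GPO names, run as a domain admin with RSAT modules.
Import-Module ActiveDirectory, GroupPolicy

$domainDns = 'corp.example.com'              # constructed placeholder
$domainDn  = 'DC=corp,DC=example,DC=com'     # constructed placeholder

# User Configuration settings (HKCU): they apply to the user accounts placed in each OU.
# Task Manager, Control Panel and Command Prompt restrictions for Sales, Billing, Design.
$lockdown = @(
    @{ Key = 'HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System';   Name = 'DisableTaskMgr'; Value = 1 }
    @{ Key = 'HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer'; Name = 'NoControlPanel'; Value = 1 }
    # 2 = block interactive cmd.exe but still allow batch files such as logon scripts
    @{ Key = 'HKCU\Software\Policies\Microsoft\Windows\System';                  Name = 'DisableCMD';     Value = 2 }
)
# "All Removable Storage classes: Deny all access", applied to every department.
$removable = @{ Key = 'HKCU\Software\Policies\Microsoft\Windows\RemovableStorageDevices'; Name = 'Deny_All'; Value = 1 }

foreach ($dept in 'Sales', 'Billing', 'Technical Support', 'Design') {
    $ouDn = "OU=$dept,$domainDn"
    if (-not (Get-ADOrganizationalUnit -Filter "Name -eq '$dept'" -SearchBase $domainDn -SearchScope OneLevel)) {
        New-ADOrganizationalUnit -Name $dept -Path $domainDn
    }

    $gpoName = "$dept Policy"
    if (-not (Get-GPO -Name $gpoName -ErrorAction SilentlyContinue)) {
        New-GPO -Name $gpoName -Comment "Restrictions for the $dept OU" | Out-Null
        New-GPLink -Name $gpoName -Target $ouDn | Out-Null
    }

    # Technical Support keeps Task Manager, Control Panel and cmd.exe, as in the list above.
    $settings = @($removable)
    if ($dept -ne 'Technical Support') { $settings += $lockdown }

    foreach ($s in $settings) {
        Set-GPRegistryValue -Name $gpoName -Key $s.Key -ValueName $s.Name `
            -Type DWord -Value $s.Value | Out-Null
    }
}

# Minimum password length for domain accounts is enforced by the domain-level
# password policy, not by a GPO linked to an OU, so it is set once here.
Set-ADDefaultDomainPasswordPolicy -Identity $domainDns -MinPasswordLength 10

# Check: Get-GPInheritance -Target "OU=Sales,$domainDn" lists the linked GPO.
```

Running `gpresult /r` as a user from one of the OUs after `gpupdate /force` shows whether the department GPO was applied.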