October 23, 2012

Group Policy Objects: The Secret Weapon for Controlling a Windows Environment

Hidden under the hood of Microsoft Windows is a remarkable tool for centrally controlling the settings used on the computers throughout your law office. From managing security to deploying applications, it’s worthwhile knowing what Group Policy Objects can do.

First off, you’re probably wondering what the heck a Group Policy Object is. Basically, in a Windows environment you can define user and computer configurations for an entire group using what’s called a group policy, and then those configurations are stored in a Group Policy Object, or GPO. GPOs can be configured at the site, domain or organizational unit level. They work by forcibly setting user and computer registry values—and because almost all of a Windows computer system is controlled through the registry, there are all kinds of ways to put GPOs to use.

If reading paragraph one has already caused your eyes to glaze over, be forewarned that GPOs are not a sexy topic. But they are doggone useful, so get yourself a double shot of espresso and read slowly to get information of real use in your law office. The following covers some common uses for GPOs and even some standard controls that should be implemented in law firms. The focus here is on using GPOs in a domain environment—which means you are running Windows Server software on your network. However, many of the things that will be mentioned are options for stand-alone computers running XP or Windows 7, too.

What to Do with GPOs: Types of Control
Obviously, if you have a server-based environment, the preference is to centrally manage users, computers and applications. And it’s much more time- and cost-effective to do that using Group Policies through Windows Active Directory rather than running around to set the local policy on every computer. These Active Directory-based GPOs are also known as nonlocal GPOs. They are created in Active Directory and stored on your domain controller, such as a Windows 2000, 2003 or 2008 server. GPOs can do a lot to automate activity and control configurations of your computers. These are some of the things that can be achieved:

  • Configuring users’ desktops. This could include all sorts of things like device installations (e.g., printers or scanners), setting display colors and the like.

  • Configuring local security on computers. For example, you can restrict access to specific folders on a computer or whether the last logon name appears on the machine.

  • Installing applications. This is a great option for deploying new applications or sending out updates to multiple computers simultaneously. GPOs can also be configured to remove the ability to run certain programs, like the built-in games that come with Windows.

  • Running startup/shutdown or logon/logoff scripts. You can have certain activities occur when the machine is started or shut down by configuring a corresponding GPO. As one example, each user’s temporary files can be cleared when the user logs off the computer.

  • Configuring Internet Explorer settings. A prime example is setting the default home page for each user’s browser.

  • Redirecting folders. By assigning drive letters to specific folders, the user’s files can be redirected to special areas on the network.

Administrative Tools: The GPO Editor
So how are these magic GPOs created and managed? To be clear, GPOs can get very complicated, so you may be best served by using your IT staff or IT consultant to define or troubleshoot configurations on your system. However, if you’re the tech-savvy kind, or you just appreciate knowing how things work, here are the access steps.

For Windows Server 2000 and 2003 domains, you use the Group Policy Object Editor from the Active Directory Users and Computers console following these steps:

  • Click Start, then Administrative Tools, and select Active Directory Users and Computers.

  • In the console tree, locate and right-click the domain to which you want to link a GPO, and click Properties on the shortcut menu.

  • When the Properties dialog box for the domain opens, click the Group Policy tab.

  • In the Group Policy Object Links list, click New and then click Edit to create a new GPO—or choose an existing GPO in the Group Policy Object Links list and then click Edit.

  • The Group Policy Object Editor opens for the domain GPO.

If you’re running a Windows 2008 domain, it’s a little different:

  • Click Start, All Programs, Administrative Tools, and then click the Group Policy Management icon.

  • Expand the domain name.

  • Expand Group Policy Objects.

Generally, you would edit the default domain policy. The default domain policy already has a lot of built-in objects that can be edited very easily to control the computing environment in your office. A wealth of technical details on what they are and how to edit, implement and troubleshoot them can be found on the Microsoft site at technet.microsoft.com/en-us/library. But again, especially in larger environments, it is not for the faint of heart. Be sure you’re very comfortable with the tools before tackling it yourself.

Common GPOs for Law Offices
Now let’s get to the more interesting items—some standard controls that we recommend for all law offices. Several of these are commonly implemented for security and confidentiality reasons. Others tend to be for application management or standardization within the firm.

  • Last logon ID. One highly recommended GPO involves removing the default display of the last ID that was used to log on to a computer. And here’s why: Typically, you need to log on to a computer using a user name and a password. But by default, Windows will leave the box for the user name populated with the last user’s ID. This means that only one more piece of information (the password) is needed to gain access to the computer and, therefore, the data on the network. Removing the display of the last logged on user means two pieces of information (user ID and password) are needed, which makes it harder for an unauthorized person to compromise your systems.

  • Password length. Another object you should define on your network is password length. At present, passwords that are at least 8 characters in length are typically required. However, recent research on password-cracking results finds that requiring passwords that are 12 characters in length should be the standard.

  • Password expiration. For proper security, you should have a GPO that ensures passwords expire after a certain period of time, thereby requiring that they be reset. You’re familiar with this concept if you do any online banking. Periodic password changes help maintain the security of the system. A good policy is to set the password expiration at 45 days.

  • Password history. This registry value defines how much time must pass before you can reuse a password. It prevents a user from changing the password (because it expired) back to a previous password value—which, of course, would defeat the purpose of the expiration period. A smart policy sets this value at 24 months, which means you’ll never see the same password being used again for at least two years. Some users will likely object to this and complain that they can’t remember their passwords, but resist the temptation to soften this policy. Teaching users to implement pass-phrases can help overcome resistance to mandatory password updating.

  • Account lockout threshold. This defines the number of times an incorrect user ID or password can be typed in before the account is locked out—which is important in stopping attempts by a computer program or person trying to gain access to your systems. Setting the threshold at a number between 3 and 5 should be sufficient to account for honest mistakes and typographical errors.

  • Account lockout duration. This defines the period of time that the account remains locked following the number of invalid logon attempts defined in the threshold value. If you use a value of 0, the account will remain locked until it is manually unlocked by the administrator. A lockout duration of 30 to 60 minutes, though, will be sufficient to stop hackers or botnet computers from guessing user ID and password combinations.

  • Folder redirection. Via this GPO, the system folder contents for individual users are redirected to a central storage area on the server. This allows them to use any computer and have their information stay consistent. For example, by redirecting a user’s Application Data folder, which contains the user configuration files, user-specific data that’s utilized by applications and PKI files, the user’s applications will work in exactly the same way on another computer on the system. Similarly, by redirecting the Desktop folder, which contains the files and shortcuts that appear on the user’s desktop, or the My Documents folder, which contains the user’s files and pictures, the user can access any of these items from any computer.

  • Browser settings. Many firms like consistency among workstation browsers. A GPO that sets the default home page in each user’s Internet Explorer can easily bring some uniformity by pointing it at the firm’s Web site. This GPO will override any subsequent user changes. So, if a couple of associates change their home page to CNN, too bad. The next time they log on and launch Internet Explorer, they’re right back to the firm’s home page.

  • Application deployment. This valuable feature can be used for things like rolling out new versions of MS Office to every computer, and distributing antivirus software and software patches within the firm. While it’s probably not worth the effort to implement a GPO to distribute QuickBooks to two computers, pushing out a Tabs3 update to 14 computers is worth it.
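The account-policy and last-logon-ID recommendations above can be checked and applied from a script rather than clicked through in the editor. The following is an added example, not code from the article or from Microsoft: it uses the ActiveDirectory and GroupPolicy PowerShell modules (available with the Remote Server Administration Tools on Windows Server 2008 R2 and later) to compare the domain’s current password and lockout settings with the article’s values, and to set the “do not display last user name” registry value in a firm GPO linked to the domain. The GPO name “Firm Security Baseline” and the `$Apply` flag are this example’s own choices; the article’s password-history figure is applied as a count of remembered passwords, because that is how the Windows setting is expressed, which is an assumption of this example rather than the article’s wording.

```powershell
# Added example (not from the article): audit and, optionally, enforce the
# account policy and last-logon-ID recommendations. Run on a domain-joined
# machine as a Domain Admin with RSAT installed.
#Requires -Modules ActiveDirectory, GroupPolicy

# The article's recommended values, collected in one place.
$Baseline = @{
    MinPasswordLength    = 12                        # characters
    MaxPasswordAge       = New-TimeSpan -Days 45     # password expiration
    PasswordHistoryCount = 24                        # remembered passwords (assumption: the article's 24 as a count)
    LockoutThreshold     = 5                         # bad attempts; 3 to 5 is acceptable
    LockoutDuration      = New-TimeSpan -Minutes 30  # 30 to 60 minutes is acceptable
}
$GpoName = 'Firm Security Baseline'                  # hypothetical GPO name

function Test-FirmAccountPolicy {
    # Compare the current domain password policy with the baseline. Emits one
    # object per setting so the output can be filtered, sorted or exported.
    $current = Get-ADDefaultDomainPasswordPolicy
    foreach ($name in $Baseline.Keys) {
        $actual = $current.$name
        $ok = switch ($name) {
            'MinPasswordLength'    { $actual -ge 12 }
            # A MaxPasswordAge of zero means passwords never expire.
            'MaxPasswordAge'       { ($actual -gt [TimeSpan]::Zero) -and ($actual -le $Baseline.MaxPasswordAge) }
            'PasswordHistoryCount' { $actual -ge 24 }
            'LockoutThreshold'     { ($actual -ge 3) -and ($actual -le 5) }
            # A LockoutDuration of zero means locked until an administrator unlocks it.
            'LockoutDuration'      { ($actual -ge (New-TimeSpan -Minutes 30)) -and ($actual -le (New-TimeSpan -Minutes 60)) }
        }
        [pscustomobject]@{
            Setting     = $name
            Current     = $actual
            Recommended = $Baseline[$name]
            Compliant   = [bool]$ok
        }
    }
}

function Set-FirmAccountPolicy {
    # Apply the baseline to the domain's default password policy (the values
    # the Default Domain Policy GPO normally carries).
    $domain = (Get-ADDomain).DNSRoot
    Set-ADDefaultDomainPasswordPolicy -Identity $domain `
        -MinPasswordLength $Baseline.MinPasswordLength `
        -MaxPasswordAge $Baseline.MaxPasswordAge `
        -PasswordHistoryCount $Baseline.PasswordHistoryCount `
        -LockoutThreshold $Baseline.LockoutThreshold `
        -LockoutDuration $Baseline.LockoutDuration `
        -LockoutObservationWindow $Baseline.LockoutDuration   # must not exceed the lockout duration
}

function Set-FirmLastLogonHiding {
    # Create the firm GPO if it does not exist, link it at the domain level,
    # and set DontDisplayLastUserName = 1 in it. This writes the registry
    # value that the "Do not display last user name" security option sets,
    # so the logon screen no longer pre-fills the previous user's ID.
    $domainDn = (Get-ADDomain).DistinguishedName
    $gpo = Get-GPO -Name $GpoName -ErrorAction SilentlyContinue
    if (-not $gpo) {
        $gpo = New-GPO -Name $GpoName
        New-GPLink -Name $GpoName -Target $domainDn | Out-Null
    }
    Set-GPRegistryValue -Name $GpoName `
        -Key 'HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System' `
        -ValueName 'DontDisplayLastUserName' -Type DWord -Value 1 | Out-Null
}

function Test-FirmLastLogonHiding {
    # Report whether the value is defined in the GPO and whether it has
    # actually been applied to this computer's registry.
    $inGpo = Get-GPRegistryValue -Name $GpoName `
        -Key 'HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System' `
        -ValueName 'DontDisplayLastUserName' -ErrorAction SilentlyContinue
    $local = Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System' `
        -Name DontDisplayLastUserName -ErrorAction SilentlyContinue
    [pscustomobject]@{
        DefinedInGpo     = ($inGpo -and $inGpo.Value -eq 1)
        AppliedLocally   = ($local -and $local.DontDisplayLastUserName -eq 1)
    }
}

# Audit by default; set $Apply = $true to remediate.
$Apply = $false
Test-FirmAccountPolicy | Format-Table -AutoSize
Test-FirmLastLogonHiding | Format-List
if ($Apply) {
    Set-FirmAccountPolicy
    Set-FirmLastLogonHiding
}
```

The audit functions return objects rather than printing text, so the results can be piped to `Export-Csv` and kept as evidence that the firm’s settings matched its policy on a given date. Remediation is kept behind the `$Apply` flag because changing the domain password policy takes effect for every user at their next password change, and lockout settings that are too tight can lock out legitimate staff.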

Now that you know some of their common uses, you can imagine how GPOs can benefit your firm. Clearly, while GPOs are not for the faint of heart, they offer great value in terms of consistency, in time and money savings and in many levels of security.