Group Policies

There are several ways users in a network can be assigned access to network resources. Access can be granted on a case-by-case basis, but then every new hire, every promotion or demotion, and any other change in circumstances requires the network administrator to reassign that employee's access by hand. This quickly multiplies the time needed to change network privileges, and in such conditions the creation of vulnerabilities through administrative errors is almost guaranteed.

Another system is attribute-based access control. Here privileges are assigned to attributes, e.g. Human Resources or London Office, and the administrators then assign the relevant attribute to each user. Whilst better than individual assignment, assigning privileges still depends on the network administrators, and there is still a high risk of errors.

Active Directory uses a role-based access system. Users or computers within a network are grouped together in Organizational Units (OUs). OUs can be based on departments within an organization, e.g. Sales, Human Resources, Administration, etc., on locations, e.g. the New York, Paris, London and Munich offices, or on other subsets within the organization. Group Policy Objects (GPOs) are then applied to each OU.

Group Policy Objects are a set of permissions and restrictions that are applied to OUs. So rather than setting each individual employee's network privileges, the administrator can place an employee in the relevant OU and their privileges are applied automatically.

Why bother with OUs and GPOs?

In November and December of 2013, the Target Corporation's network was breached via a third-party vendor. Target's network had very limited network segmentation, which the attackers exploited, and they were able to upload credit card skimming malware onto Target's POS machines across the United States (Shu et al., 2017). Over 40 million credit and debit card numbers were stolen, and it cost over $200 million to replace the affected cards.

How can we prevent a similar situation occurring at Vanderlay Industries? The answer: we use OUs and GPOs.

This is Elaine Benes. She is Vanderlay's new head of Human Resources. As such, Elaine will need access to all of the employees' personal information, performance reviews and workplace health and safety records. We want to prevent a situation similar to the Target hack, where a successful phishing attack created a foothold into Target's entire network. So, we will also have to place restrictions and denials on the network resources that aren't necessary for Elaine to do her job.

We can ask the administrator to create an HR GPO. The HR GPO will allow her to access resources such as employee performance records, personal information, dispute resolutions, and workplace health and safety documents. It can also deny her access to other resources, such as information about sales and financial and banking records.

The advantage of using GPOs is that when Vanderlay Industries hires another HR employee, the network administrator doesn't have to assign all of the same permissions again. They can instead place the new hire under the HR GPO, and each new HR employee will have the same permissions and restrictions as Elaine.

Different programs can also be installed automatically on computers via the GPO. For instance, Elaine will need email access, Word and PowerPoint, but may not need Excel. The HR GPO could specify that these programs be installed automatically on each of the OU's hosts.

Creating an OU

  1. In the Start bar, type Active Directory Users and Computers.
  2. Right-click on the domain, go to New and select Organizational Unit. Type in the name of the Organizational Unit.

Adding users/computers to the OU

Right-click on the OU and click on New User, or drag and drop an existing user into the OU folder.

Creating a GPO

  1. First, log into the administrator account.
  2. Go to Tools and click on Group.
  3. In the next window, click on Forest >> Domains >> [Your AD directory].
  4. Click on GROUP POLICY OBJECTS.
  5. The next window should show the Default Domain Controllers Policy and the Default Domain Policy.
  6. Right-click on Group Policy Objects, select New, and name the new GPO.
  7. Right-click on your new GPO and select Edit.
  8. For the purposes of this webpage, the All Programs list will be removed from the Start menu.
  9. Click on the Windows settings under Computer Configuration and then Start Menu and Taskbar.
  10. Then click on Remove All Programs list from the Start Menu and Taskbar.
  11. Go back to the GPO management page and click on Settings for Sample GPO; it will generate a report. Click on Add and then Close.
  12. Go to the OU you want to apply your new policy to and right-click on it. Select Link an Existing GPO.
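As an added example (not code from this page or from Microsoft's documentation), the same workflow for Elaine's HR OU and GPO can be scripted with the ActiveDirectory and GroupPolicy PowerShell modules, which makes the change repeatable and leaves a settings report for review. The domain vanderlay.local, the account name ebenes and the OU and GPO names are assumptions; the script must run in a Domain Admin session on a host with RSAT installed.

```powershell
# Added example, not from the original page. Assumes RSAT (ActiveDirectory and
# GroupPolicy modules), a Domain Admin session, and the hypothetical domain
# vanderlay.local. Adjust the distinguished names to your own environment.
Import-Module ActiveDirectory
Import-Module GroupPolicy

$domainDn = 'DC=vanderlay,DC=local'      # assumed domain
$ouName   = 'Human Resources'
$ouDn     = "OU=$ouName,$domainDn"
$gpoName  = 'HR GPO'

# 1. Create the OU (the equivalent of New > Organizational Unit in ADUC).
if (-not (Get-ADOrganizationalUnit -Filter "Name -eq '$ouName'" -SearchBase $domainDn)) {
    New-ADOrganizationalUnit -Name $ouName -Path $domainDn -ProtectedFromAccidentalDeletion $true
}

# 2. Create the new HR employee inside the OU so the linked GPO applies to her.
if (-not (Get-ADUser -Filter "SamAccountName -eq 'ebenes'")) {
    New-ADUser -Name 'Elaine Benes' -SamAccountName 'ebenes' -Path $ouDn `
               -AccountPassword (Read-Host 'Initial password' -AsSecureString) `
               -ChangePasswordAtLogon $true -Enabled $true
}

# 3. Create the GPO only if it does not already exist (GUI steps 6 and 7).
$gpo = Get-GPO -Name $gpoName -ErrorAction SilentlyContinue
if (-not $gpo) {
    $gpo = New-GPO -Name $gpoName -Comment 'Baseline policy for the Human Resources OU'
}

# 4. Enable the Start-menu policy used in the walkthrough. "Remove All Programs
#    list from the Start menu" is backed by the user-side registry value
#    HKCU\...\Policies\Explorer\NoStartMenuMorePrograms = 1 (DWORD).
Set-GPRegistryValue -Name $gpoName `
    -Key 'HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer' `
    -ValueName 'NoStartMenuMorePrograms' -Type DWord -Value 1 | Out-Null

# 5. Link the GPO to the OU (GUI step 12) unless that link already exists.
$links = (Get-GPInheritance -Target $ouDn).GpoLinks
if (-not ($links | Where-Object { $_.DisplayName -eq $gpoName })) {
    New-GPLink -Name $gpoName -Target $ouDn -LinkEnabled Yes | Out-Null
}

# 6. Produce the same settings report the GUI shows (step 11) and list the
#    links on the OU, so the change can be reviewed before users log on.
Get-GPOReport -Name $gpoName -ReportType Html -Path "$env:TEMP\HR-GPO.html"
(Get-GPInheritance -Target $ouDn).GpoLinks | Select-Object DisplayName, Enabled, Enforced, Order
```

Because the policy is stored under HKCU, it takes effect for the user accounts in the OU at their next logon or after `gpupdate /force`; the HTML report is what a reviewer would attach to the change record.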