Microsoft’s official Group Policy blog
Lots of people ask the Group Policy Team: What are the best settings to configure? What is the most secure GPO we can deploy? I've been talking about this a lot with the Group Policy customer support folks, and the topic resulted in the following editorial. We try to provide guidance with this blog, the videos we post on our main page, and the Starter GPOs that have shipped in the box since Server 2008 R2 (available for download here). Unfortunately, there is no right answer that will work for everyone. I hope you appreciate this somewhat editorial-styled blog post. Back to regular programming after this.
- LiliaG, aka @superlilia
The real best practice is to “go do work.” The minute you make any recommendation, it is wrong… somewhere. I know this answer is not what people want to hear. Everyone wants a template that requires no thinking: plug and play.
GP is not a cookie cutter technology. It’s not “one size fits all.” Each setting must be properly evaluated for each environment. Each policy setting should have a business requirement that justifies its existence. The whole process takes time and planning and much of what I am saying has been incorporated into the 2008 Group Policy Planning and Deployment Guide.
Anyone who tries to suggest a canned group of default settings does not understand the power or depth of Group Policy. Yes, there might be settings common to “locking down a computer,” but what does “locking down” mean? Everyone is likely to have a different answer. Our best advice typically requires a core understanding of Group Policy, some critical thinking, and a spoonful of common sense. Nothing we can suggest is a substitute for planning and testing… lots of testing in your environment.
Most Group Policy documentation authored for Windows Vista and 2008 is relevant for Windows 7 and Server 2008 R2. The best thing to do is learn how it works, and then apply that knowledge to scenarios for your environment. Overall, GP fundamentally works the same as it always has, with some minor tweaks along the way.
The latest GP management tools have always supported managing policies for down-level operating systems. That story has not changed either. Mixing Group Policy settings works. This is a common question that is asked after each release, and the “song remains the same”; nothing new here. Older operating systems ignore policy settings introduced for newer operating systems.
How you choose to deploy policies for mixed operating systems should largely depend on the current Active Directory design, domain controller placement, sites, WAN link speeds, current policy settings, the new settings, and more. The number of successful permutations of “correct” is countless.
Good luck, check the forums, read this blog, and keep learning.
- Mike Stephens
Recently another starting point appeared for one's long journey of developing one's own set of Best Practices.
You already mentioned the default Starter GPOs that are actually borrowed from the Security Compliance Management Toolkit series (http://technet.microsoft.com/library/cc677002.aspx). The problem is that the Starter GPOs were not updated for Windows Server 2008 R2.
And now there's also Microsoft Security Compliance Manager (currently in beta). This tool contains “the complete database of Microsoft recommended security settings”. It could help those who just want to start playing with Group Policy right now with a “plug and play” option.