Group Policy is a feature of Windows Active Directory that lets administrators apply configuration and security settings to user and computer accounts from one central place. Group Policy provides centralized management and operating-system configuration of users' computing environments, and it is one more layer of defense against infiltration and data breaches.
If you care about data security, you need to understand Group Policy. We will discuss what group policies and GPOs are and how system administrators use them to protect, secure, and lock down computers and user accounts. We will also discuss how attackers tamper with or disable group policies as part of an intrusion.
What is a Group Policy Object (GPO)?
A Group Policy Object is a collection of settings that system administrators create with the Group Policy Management Editor (a Microsoft Management Console snap-in). A GPO is linked to one or more Active Directory containers, such as sites, domains, or organizational units (OUs), and applies to the users and computers beneath the container it is linked to.
How Group Policy Objects Are Processed
Windows applies GPOs in the following predictable order (often remembered as LSDOU). When two GPOs set the same value, the one applied later wins.
- Local policies
- Site policies
- Domain policies
- OU policies
GPOs linked to nested OUs apply from the OU closest to the domain root down to the OU that contains the user or computer, so the most specific OU's settings win by default. Two switches change this: Block Inheritance on an OU stops non-enforced policies from parent containers, and Enforced on a link makes that GPO override both blocking and any later policy. Within one container, the link order decides which GPO wins.
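To see the order in practice, here is an added example (my code, not from the original article) that lists the policies an OU inherits in the order Windows resolves them and then pulls the Resultant Set of Policy from one client. It assumes the GroupPolicy RSAT module on a domain-joined admin host, a hypothetical OU `OU=Workstations,OU=Corp,DC=example,DC=com`, and a hypothetical workstation `WS01`.

```powershell
# Added example: show GPO precedence for an OU and the RSoP of one client.
# Assumptions: GroupPolicy module (RSAT) and the hypothetical names below.
Import-Module GroupPolicy

$ou       = 'OU=Workstations,OU=Corp,DC=example,DC=com'   # assumed OU
$computer = 'WS01'                                        # assumed client

$inheritance = Get-GPInheritance -Target $ou
"Container: $($inheritance.Path)"
"Block Inheritance set here: $($inheritance.GpoInheritanceBlocked)"

# InheritedGpoLinks is the effective list for this container, highest
# precedence first, i.e. the GPO that wins a conflicting setting is at the
# top. Enforced links from parent containers stay in the list even when the
# OU blocks inheritance, and they beat the OU's own GPOs.
$rank = 0
foreach ($link in $inheritance.InheritedGpoLinks) {
    $rank++
    '{0,2}. {1,-40} Enforced={2,-5} Enabled={3,-5} LinkedAt={4}' -f $rank, $link.DisplayName, $link.Enforced, $link.Enabled, $link.Target
}

# Links defined directly on this OU, in their link order (order 1 wins).
$inheritance.GpoLinks | Sort-Object Order | Select-Object Order, DisplayName, Enforced, Enabled

# What the client really applied: Resultant Set of Policy. Needs admin rights
# and WMI access on the target; 'gpresult /r' run on the box shows the same data.
$report = Join-Path $env:TEMP "rsop-$computer.html"
Get-GPResultantSetOfPolicy -Computer $computer -ReportType Html -Path $report
"RSoP report written to $report"
```

Compare the inherited list against the RSoP report: if a GPO you expect is missing from what the client applied, the usual causes are a security filter or WMI filter on the GPO, a disabled link, or Block Inheritance on an OU between the link and the computer.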
Do I Need a Group Policy?
Assuming the goal of your organization is to become more secure, then yes, you need to understand and implement group policies.
Out-of-the-box Windows isn’t secure. Shocking.
GPOs are how you close those gaps. Microsoft ships permissive defaults rather than guessing how you want your systems locked down, and GPOs let you apply your own baseline to every machine in the domain.
For example, with GPOs you can control who sits in every machine's local Administrators group (Restricted Groups or Group Policy Preferences), disable the built-in local Administrator account, and grant administrative rights only to the groups whose job requires them. Ideally, you are implementing a least-privilege model where even the system administrators are limited to administering only the servers they are assigned.
Group policies can also disable outdated protocols like SSLv2, prevent users from changing local policy, and much more.
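As an added example (not the article's own code), the following script builds a hardening GPO of the kind described above: it disables SSL 2.0 for both the server and client side of Schannel, forces NTLMv2-only authentication, links the GPO to an OU, and reads the settings back as a check. It uses only registry-backed settings, which `Set-GPRegistryValue` can write; the local Administrator account status and local group membership live under Security Settings in the editor and are not set this way. The GPO name `Harden-Protocols` and the OU path are assumptions.

```powershell
# Added example: create, populate, link and verify a protocol-hardening GPO.
# Assumptions: GroupPolicy module (RSAT); GPO name and OU below are hypothetical.
Import-Module GroupPolicy

$gpoName = 'Harden-Protocols'                           # assumed GPO name
$target  = 'OU=Workstations,OU=Corp,DC=example,DC=com'  # assumed OU

New-GPO -Name $gpoName -Comment 'Disable SSLv2 and LM/NTLMv1 (added example)' | Out-Null

# Schannel: turn SSL 2.0 off for both roles. Enabled=0 disables the protocol,
# DisabledByDefault=1 keeps it off even for callers that do not set a protocol.
$schannel = 'HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 2.0'
foreach ($side in 'Server', 'Client') {
    Set-GPRegistryValue -Name $gpoName -Key "$schannel\$side" -ValueName 'Enabled'           -Type DWord -Value 0 | Out-Null
    Set-GPRegistryValue -Name $gpoName -Key "$schannel\$side" -ValueName 'DisabledByDefault' -Type DWord -Value 1 | Out-Null
}

# "Network security: LAN Manager authentication level" = 5:
# send NTLMv2 only, refuse LM and NTLM.
$lsa = 'HKLM\SYSTEM\CurrentControlSet\Control\Lsa'
Set-GPRegistryValue -Name $gpoName -Key $lsa -ValueName 'LmCompatibilityLevel' -Type DWord -Value 5 | Out-Null

# Link the GPO to the OU with the link enabled. Add -Enforced to override
# Block Inheritance on child OUs.
New-GPLink -Name $gpoName -Target $target -LinkEnabled Yes | Out-Null

# Check: read the values back from the GPO itself before waiting on clients to refresh.
Get-GPRegistryValue -Name $gpoName -Key "$schannel\Server"
Get-GPRegistryValue -Name $gpoName -Key "$schannel\Client"
Get-GPRegistryValue -Name $gpoName -Key $lsa -ValueName 'LmCompatibilityLevel'
```

Test a change like this on a pilot OU first: raising LmCompatibilityLevel to 5 breaks any legacy device or application that can only speak LM or NTLMv1, and you want to find those before the policy reaches the whole domain.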
Benefits of Group Policy
There are several advantages to implementing GPOs outside of security.
- Ease of management: Setting up new users on the network used to be a long and tedious process. Pre-existing GPOs apply a standardized environment to each new user and computer that joins your domain, which saves many hours of configuration.
- One-stop administration: Sysadmins can deploy patches, software, and other updates via GPO.
- Password policy enforcement: Short or dictionary-based passwords are easily guessed or brute-forced. GPOs establish minimum length, complexity, password history (no reuse), maximum age, and account lockout thresholds to keep your network safe.
- Folder redirection: Do you want users to keep important company files on a centralized and monitored storage system? Use a folder redirection GPO to redirect their user folders to your NAS.
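The password policy item deserves a worked example, added here and not part of the original article. One caveat practitioners run into: the password and lockout settings in a GPO only govern domain accounts when the GPO is linked at the domain level (by default the Default Domain Policy); the same settings in an OU-linked GPO affect only the local accounts on those machines. The `ActiveDirectory` cmdlets below edit the domain-level policy directly and, going one step beyond the article, add a fine-grained password policy (PSO) so that privileged accounts get stricter rules than everyone else. The domain name `example.com`, the PSO name, the user `jdoe`, and all numeric values are assumptions.

```powershell
# Added example: inspect and tighten the domain password policy, then add a
# stricter fine-grained policy for admins. Assumptions: ActiveDirectory module,
# Domain Admin rights, and the hypothetical names and values below.
Import-Module ActiveDirectory

$domain = 'example.com'   # assumed domain

# Current domain-wide policy (stored in the Default Domain Policy GPO).
Get-ADDefaultDomainPasswordPolicy -Identity $domain |
    Format-List MinPasswordLength, ComplexityEnabled, PasswordHistoryCount,
                MaxPasswordAge, LockoutThreshold, LockoutDuration, ReversibleEncryptionEnabled

# Tighten it. Lockout thresholds stop online brute force; history stops reuse.
Set-ADDefaultDomainPasswordPolicy -Identity $domain `
    -MinPasswordLength 14 `
    -ComplexityEnabled $true `
    -PasswordHistoryCount 24 `
    -LockoutThreshold 10 `
    -LockoutDuration (New-TimeSpan -Minutes 15) `
    -LockoutObservationWindow (New-TimeSpan -Minutes 15) `
    -ReversibleEncryptionEnabled $false

# Privileged accounts: a PSO overrides the domain policy for its subjects.
# Lower Precedence wins if a user is covered by several PSOs.
New-ADFineGrainedPasswordPolicy -Name 'Admins-PSO' -Precedence 10 `
    -MinPasswordLength 20 `
    -ComplexityEnabled $true `
    -PasswordHistoryCount 24 `
    -LockoutThreshold 5 `
    -LockoutDuration (New-TimeSpan -Minutes 30) `
    -LockoutObservationWindow (New-TimeSpan -Minutes 30) `
    -ReversibleEncryptionEnabled $false
Add-ADFineGrainedPasswordPolicySubject -Identity 'Admins-PSO' -Subjects 'Domain Admins'

# Check which policy actually governs a given user (PSO if one applies, else domain policy).
Get-ADUserResultantPasswordPolicy -Identity 'jdoe'
```

Run the last line for a member of Domain Admins and for an ordinary user to confirm the PSO attached where you intended.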
Limitations of Group Policy
By now it sounds like GPOs are the bee’s knees. There are a few pitfalls to using GPOs you want to consider before you dive in headfirst.
Clients refresh computer and user policy in the background every 90 minutes plus a random offset of up to 30 minutes (domain controllers every 5 minutes), and again at startup and logon. You can set the interval anywhere from 0 to 64,800 minutes (45 days), but 0 makes the computer refresh every 7 seconds, which will flood your network and domain controllers. If you must push an emergency GPO change, trigger a refresh on the affected machines (gpupdate /force locally, or remotely from the management host) rather than waiting for the next cycle. A few settings, such as software installation and folder redirection, only apply at startup or logon, so for those you still need a reboot or re-logon.
Also, the GPO editor isn't the most intuitive tool in the world. The GroupPolicy PowerShell module (Get-GPO, Set-GPRegistryValue, New-GPLink and friends) covers most of the same ground and is easier to script, review, and version for a command-line person.
If you do implement GPOs, consider that an attacker who gets local administrator rights on a compromised machine can edit its local policy or directly flip the registry values your GPO set, re-enabling a disabled account or a weak protocol at least until the next refresh puts them back, and that an attacker who gains write access to a GPO itself (in Active Directory or in SYSVOL) can change the policy for every machine it is linked to. For example, if you locked down the Local Administrator account with a GPO, an attacker can try to reverse that setting and take over Local Admin, or re-enable a less secure network protocol. Varonis monitors for changes in GPOs and warns you of those changes, which can help you stop a data breach.
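As an added example (not from the original article), here is how the refresh interval is set from a GPO and how an emergency refresh is pushed to a whole OU without asking anyone to reboot. `Invoke-GPUpdate` schedules `gpupdate` as a remote task, so the targets need the Remote Scheduled Tasks Management firewall rules open, the same requirement as the "Group Policy Update" action in GPMC. The GPO name `Corp-Baseline` and the OU path are assumptions.

```powershell
# Added example: configure the refresh interval and force a refresh on an OU.
# Assumptions: GroupPolicy and ActiveDirectory modules; names below are hypothetical.
Import-Module GroupPolicy
Import-Module ActiveDirectory

$gpoName = 'Corp-Baseline'                               # assumed GPO holding the refresh settings
$ou      = 'OU=Workstations,OU=Corp,DC=example,DC=com'   # assumed OU

# Computer Configuration > Administrative Templates > System > Group Policy >
# "Set Group Policy refresh interval for computers" is backed by these two
# values (minutes): the base interval and the random offset added to it.
# 90 + up to 30 is the default; 0 would make clients refresh every 7 seconds.
$key = 'HKLM\SOFTWARE\Policies\Microsoft\Windows\System'
Set-GPRegistryValue -Name $gpoName -Key $key -ValueName 'GroupPolicyRefreshTime'       -Type DWord -Value 90 | Out-Null
Set-GPRegistryValue -Name $gpoName -Key $key -ValueName 'GroupPolicyRefreshTimeOffset' -Type DWord -Value 30 | Out-Null
Get-GPRegistryValue -Name $gpoName -Key $key

# Emergency push: schedule gpupdate on every computer in the OU right now.
$names = Get-ADComputer -Filter * -SearchBase $ou | Select-Object -ExpandProperty Name
foreach ($name in $names) {
    try {
        # -Force reapplies settings even if the GPO version has not changed.
        # Add -Boot or -LogOff for settings that only apply at startup or logon.
        Invoke-GPUpdate -Computer $name -Force -RandomDelayInMinutes 0 -ErrorAction Stop
        "Refresh scheduled on $name"
    }
    catch {
        Write-Warning "Could not reach $($name): $($_.Exception.Message)"
    }
}
```

Machines that are off or unreachable simply miss the push; they pick the change up at their next background refresh or at startup, so treat the warning list as the set of hosts to follow up on.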
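If you do not have a product watching GPOs for you, the following added example (my code, not Varonis's and not from the article) shows two do-it-yourself checks. The first snapshots every GPO's version counters and owner and reports differences on the next run; the version counters increase on each edit, so they are a cheap tamper detector. The second reads the domain controller's Security log for event 5136 (directory service object modified) and keeps only edits to `groupPolicyContainer` objects, which tells you who changed which attribute; this requires the "Audit Directory Service Changes" subcategory enabled and an auditing SACL on the Policies container. The baseline file path is an assumption.

```powershell
# Added example: detect GPO modifications by version diff and by audit events.
# Assumptions: GroupPolicy module; run on (or with log access to) a domain
# controller; baseline file location below is hypothetical.
Import-Module GroupPolicy

$baselinePath = Join-Path $env:ProgramData 'gpo-baseline.json'   # assumed location

function Get-GpoSnapshot {
    # Version counters (AD side) bump on every edit; owner changes are a red flag.
    Get-GPO -All | ForEach-Object {
        [pscustomobject]@{
            Id              = $_.Id.ToString()
            Name            = $_.DisplayName
            ComputerVersion = [string]$_.Computer.DSVersion
            UserVersion     = [string]$_.User.DSVersion
            Owner           = $_.Owner
            Modified        = $_.ModificationTime.ToString('s')
        }
    }
}

# 1. Snapshot diff. Objects only in the current set are new or changed GPOs;
#    objects only in the baseline are deleted GPOs or pre-change versions.
$current = @(Get-GpoSnapshot)
if (Test-Path $baselinePath) {
    $baseline = @(Get-Content $baselinePath -Raw | ConvertFrom-Json)
    Compare-Object $baseline $current -Property Id, ComputerVersion, UserVersion, Owner -PassThru |
        ForEach-Object {
            $state = if ($_.SideIndicator -eq '=>') { 'CHANGED/NEW' } else { 'PREVIOUS/DELETED' }
            Write-Warning ("{0} {1} (computer v{2}, user v{3}, owner {4}, modified {5})" -f $state, $_.Name, $_.ComputerVersion, $_.UserVersion, $_.Owner, $_.Modified)
        }
}
$current | ConvertTo-Json | Set-Content $baselinePath

# 2. Audit trail: who touched a GPO in the last 24 hours, attribute by attribute.
Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 5136; StartTime = (Get-Date).AddHours(-24) } -ErrorAction SilentlyContinue |
    ForEach-Object {
        $data = @{}
        ([xml]$_.ToXml()).Event.EventData.Data | ForEach-Object { $data[$_.Name] = $_.'#text' }
        if ($data.ObjectClass -eq 'groupPolicyContainer') {
            [pscustomobject]@{
                Time      = $_.TimeCreated
                Who       = "$($data.SubjectDomainName)\$($data.SubjectUserName)"
                GpoDN     = $data.ObjectDN
                Attribute = $data.AttributeLDAPDisplayName   # e.g. versionNumber, gPCMachineExtensionNames
                Value     = $data.AttributeValue
            }
        }
    } | Format-Table -AutoSize
```

Run the snapshot part on a schedule and alert on any warning; a version bump with no matching change ticket, or an owner that is no longer Domain Admins, is worth an immediate look. The 5136 query covers the AD side of a GPO; the settings files themselves live in SYSVOL, so pair this with file auditing or a checksum of the GPO folders there to catch edits made directly on disk.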