Educause Security Discussion mailing list archives
Re: Group Policy Object recommendations - newly migrating to AD
From: Aaron Wade <agw8 () CORNELL EDU>
Date: Fri, 9 Jul 2004 09:22:21 -0400
Hi Todd,

I administer the academic computing center in the college of engineering and we run a fairly restrictive group policy environment. To answer your questions:

1) Some good basic GPO's are the ones that fit best with your environment. (Not the answer you were looking for, but it's true.) Generic things to control are IE, registry editing tools, control panel applets; basically prevent your users from altering any configuration that you have set. We run a "student" mandatory profile and we also re-direct My Documents to the user's home directory. Depending on what your labs are used for, I'd suggest preventing access to .vbs extensions. We have also applied the securews.inf in the Security Configuration and Analysis utility. We only allow read/execute access to the system32 and program files directories. We apply an IPsec filter GPO to each desktop that blocks SMB/NetBIOS connections from outside of our subnet (in case our firewall happens to go down). We are currently working on getting SMB packet signing applied to our entire domain.

2) I don't maintain the work PC's but if I did, it would be in pretty much the same manner and have in the past.

3) Since this applies to #1 as well, it has worked rather well, except for applications that don't like to cooperate. When that happens, we have to find out what files/reg keys the app is trying to access/write and give the necessary permissions. (regmon and filemon)

4) We don't use GPO's for software, we tend to use ghost and ghost aibuilder.

5) We reserve Monday mornings until 12pm for maintenance time. During which time we install software and patches on our imaging machine, and reghost the lab.

HTH
-Aaron

--
Aaron Wade
Windows and Classroom Support Specialist
ACCEL/Engineering Library
Cornell University
MCSE,A+
mobile: 607.227.1067
office: 607.254.2721

On Thursday 08 July 2004 3:58 pm, you wrote:
We are currently in the process of migrating to Windows 2003 w/Active Directory and are looking for some basic guidance or suggestions for group policies. Our students' PCs in the residence halls are not part of the domain. We are only concentrating on faculty/employee work PCs as well as our lab PCs. Students, Faculty, and employees are members of the domain.

1. Any suggestions on some basic GPOs to use?
2. How restrictive/unrestrictive are you with the work PCs?
3. How has that worked or not worked for you (regarding question #2)?
4. Do you use GPO to deploy software, updates, patches?
5. What are your basic procedures for that? (Certain nights of the week (PCs left on), during logon, etc.)

In the higher ed environment things like this run hot and cold. Not much middle ground. We were just wondering how other institutions tackled these issues surrounding GPOs.

I thank you for your advice in advance,
Todd :)>

-----------------------------
Todd Gunter
Director, Management Information Systems
Information Technologies Project Manager
45 Ferry St
Troy, NY 12180
guntet () sage edu (work email)
518-857-6754 (cell)
518-244-2088 (office)
518-244-2460 (fax)

~~~ "If you focus on quality today, it will, in the long term, pay benefits" ~~~

********** Participation and subscription information for this EDUCAUSE Discussion Group discussion list can be found at http://www.educause.edu/cg/.
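The reply describes an IPsec filter that keeps SMB/NetBIOS traffic inside the lab subnet; one way to confirm such a filter is holding is to look for allowed inbound connections on those ports from outside addresses. The following is an added example, not part of either message: it assumes text logs in the Windows Firewall layout with a `#Fields:` header, uses constructed sample lines with 192.0.2.0/24 standing in for the lab subnet, and `find_policy_gaps` and the port set (the standard NetBIOS/SMB ports, which the thread does not list) are names chosen here.

```python
import ipaddress

# Standard NetBIOS name/datagram/session ports and SMB over TCP; the thread
# says "smb/netbios" without listing ports, so this set is an assumption.
SMB_NETBIOS_PORTS = {("UDP", 137), ("UDP", 138), ("TCP", 139), ("TCP", 445)}

# Constructed sample lines in the Windows Firewall text log layout.
# 192.0.2.0/24 stands in for the lab subnet (documentation address range).
SAMPLE_LOG = """\
#Fields: date time action protocol src-ip dst-ip src-port dst-port size tcpflags tcpsyn tcpack tcpwin icmptype icmpcode info path
2004-07-09 09:01:10 ALLOW TCP 192.0.2.40 192.0.2.15 1045 445 0 - 0 0 0 - - - RECEIVE
2004-07-09 09:01:12 DROP TCP 198.51.100.7 192.0.2.15 2201 445 48 S 123 0 64240 - - - RECEIVE
2004-07-09 09:02:30 ALLOW TCP 198.51.100.9 192.0.2.15 3310 139 0 - 0 0 0 - - - RECEIVE
2004-07-09 09:02:31 ALLOW UDP 203.0.113.5 192.0.2.15 137 137 0 - - - - - - - RECEIVE
2004-07-09 09:03:00 ALLOW TCP 192.0.2.15 198.51.100.9 1050 445 0 - 0 0 0 - - - SEND
2004-07-09 09:03:05 ALLOW TCP 198.51.100.9 192.0.2.15 3400 80 0 - 0 0 0 - - - RECEIVE
"""

def find_policy_gaps(log_text, subnet):
    """Return log records where SMB/NetBIOS traffic from outside `subnet`
    was ALLOWed inbound, i.e. where the subnet-only filter did not apply."""
    net = ipaddress.ip_network(subnet)
    fields, gaps = [], []
    for line in log_text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]          # column names follow the tag
            continue
        if not line.strip() or line.startswith("#") or not fields:
            continue                           # skip comments and headerless data
        rec = dict(zip(fields, line.split()))
        if rec.get("action") != "ALLOW":
            continue
        try:
            src = ipaddress.ip_address(rec["src-ip"])
            dst = ipaddress.ip_address(rec["dst-ip"])
            port = int(rec["dst-port"])
        except (KeyError, ValueError):
            continue                           # malformed or port-less (ICMP) record
        # Logs without a "path" column are judged by destination address alone.
        inbound = rec.get("path", "RECEIVE") == "RECEIVE" and dst in net
        if inbound and src not in net and (rec["protocol"], port) in SMB_NETBIOS_PORTS:
            gaps.append(rec)
    return gaps

if __name__ == "__main__":
    for r in find_policy_gaps(SAMPLE_LOG, "192.0.2.0/24"):
        print(r["date"], r["time"], r["src-ip"], "->", r["dst-ip"], r["protocol"], r["dst-port"])
```

Any record this returns on a production desktop means the filter GPO was not in effect for that connection and the machine was relying on the perimeter firewall alone.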