Photo by Jack Carter on Unsplash
Group policies on Windows Server 2022
Simple and Effective
Every admin knows group policies inside out. Group policy objects (GPOs) are still the most effective means of centrally managing and, above all, protecting clients. They play a crucial role, especially when it comes to protection against ransomware.
Generally speaking, Windows Server 2022 reveals no technical innovations in the area of group policies for local installations. The GPO infrastructure and the available feature set are static, with no more development in this area. However, some innovation and change is emerging in the cloud, but only if you sign up for the right plan. Still, there's nothing out of the box in a plain vanilla Azure Active Directory (AD) that controls the client as extensively as group policies can locally. With this in mind, I look at new or changed approaches that have emerged over 20 years of group policy design and structure, with an emphasis on rules that should always be implemented, even if nothing has changed technically and the best practices have been valid for years.
GPOs in the Light of Ransomware
Where admins struggled with desktop configurations in the early days of AD, today the greatest effort is put into defending the environment against ransomware and the sword of Damocles called the General Data Protection Regulation (GDPR) in the event of a possible data loss. Surprisingly, very few ADs are up to these requirements in terms of delegation and group policies.
The companies affected by ransomware attacks often have many things in common, but the main similarity is an IT structure built 20 years ago. Admins have neglected to change fundamentals and keep structures current, instead focusing on issues other than AD as a core login resource. User login works fine, why should there be a problem? This way of thinking is now getting in the way. After ransomware has made it into an organization, it spreads with PsExec and a batch file
...
Buy this article as PDF
(incl. VAT)
Buy ADMIN Magazine
US / Canada
UK / Australia
Related content
-
Optimizing domain controller security
Configure your domain controller security settings correctly with Policy Analyzer and current Microsoft baselines for a leak-tight Active Directory. -
Lithnet Password Protection for Active Directory
Lithnet Password Protection for Active Directory provides flexible rules beyond that possible with group policies alone and prevents the use of previously compromised passwords. -
Monitoring changes in Active Directory with built-in tools
Monitoring with built-in Windows tools can prevent the worst from happening after an attempted attack. -
Advanced Windows security using EMET
Although attacks on computers are numerous and varied, they are predominantly based on the same techniques. Microsoft closes these vulnerabilities on Windows computers using the Enhanced Mitigation Experience Toolkit (EMET). -
Integrating scripts into Group Policy
Incorporating scripts into Group Policy can make a sys admin's job much easier.