You should always run Group Policy on your Active Directory-based systems. If you don't, plenty of attacks are just waiting to happen inside your network, as you can see from the following column, which first appeared on SearchWindowsSecurity.com.
Let's play pretend.
Pretend you've got a malicious insider on your network with a bone to pick. We'll call him Eddie. Perhaps Eddie is a consultant or even a salesperson. He might even come in during off hours to work his "security" shift. Regardless of what he does, he knows it is pretty simple to connect to someone's network and do just about anything he wants. Why? Default Windows settings, that's why.
Eddie doesn't know about the wonders of Group Policy Object (GPO) in Windows 2000 and later. However, thanks to his malicious mindset and quest for information, he knows that most Windows systems aren't hardened from common threats and realizes there are plenty of goodies in the form of 1s and 0s on your network for the taking.
Now this Eddie doesn't need a wireless LAN connection to get into your network. He can plug right into one of the dozens of live network drops throughout the building -- in empty cubicles and meeting rooms. As a fallback plan, Eddie knows he will likely succeed in attaching to an unsecured Wi-Fi access point just as easily if he needs to. He also knows that having physical access to your systems is invaluable.
Based on my experience, Eddie will do several things on your Windows systems -- most likely on 2000, probably even XP and quite possibly on Server 2003. (The sad thing is that all of these breaches could be prevented by simply tightening your Group Policy settings.)
How can you stop folks like Eddie? Group Policy is a good start. They are easy to implement at the local computer, domain and domain control levels. They can help keep out attackers consistently across all your Windows 2000 and above systems -- and certainly make your job (and life) much easier.
Nearly every network I test has at least a few Windows systems that either do not have Group Policy running or it's not running properly. Although managing Group Policy can be cumbersome at times, there's no good reason not to implement them on standalone and Active Directory-based systems. Get to know the Group Policy Editor (gpedit.msc) and associated tools such as the Group Policy Management Console (GPMC). You'll be amazed at what you can do to lock down your Windows systems.
Check out Roberta Bragg's checklists on hardening Windows systems for all the details you need. Just be careful when making changes -- especially at the domain or domain controller level. You can easily lock yourself out or otherwise break the systems if you don't fully understand what you're changing.
All pretending aside, the truth of the matter is, unless and until we take advantage of Windows Group Policy, Eddie and others like him will continue their dastardly ways against our Windows systems -- a war that's silly for us to lose.
About the author: Kevin Beaver is founder and principal consultant of Atlanta-based Principle Logic LLC, as well as a resident expert on SearchWindowsSecurity.com. He specializes in information security assessments and incident response and is the author of the new book Hacking for Dummies (John Wiley & Sons). Kevin can be reached at firstname.lastname@example.org or ask him a question on Windows security threats today.
Do you have comments on this tip? Let us know.