2. Configuring security settings
As Figure 4 shows, Group Policy for Windows 8 and Windows Server 2012 includes numerous types of security settings. Most of these policies are per-machine settings found under Computer Configuration\Policies\Windows Settings\Security Settings in the Group Policy Management Editor, but there are also two types of policies found under User Configuration\Policies\Windows Settings\Security Settings, as the figure shows.
The following sections briefly discuss some of these categories of security settings, including
User Rights Assignment settings are found under Computer Configuration\Policies\Windows Settings\Security Settings\Local Policies\User Rights Assignment, and you can use them to control the user rights assigned to users or security groups on computers targeted by the GPO. You can use these policies to specify the users and security groups who should have rights to perform different kinds of tasks affecting the security of your Windows clients and servers.
For example, you can control who can
You can also specify who should have rights to perform critical administrative tasks, such as backing up and restoring files and directories, taking ownership of files and objects, and forcing a shutdown from a remote computer.
User Rights Assignment settings for Windows 8 and Windows Server 2012 are unchanged from those in Windows 7 and Windows Server 2008 R2.
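The rights the text calls critical administrative tasks can be audited on a target computer by exporting the effective local security policy and reading its User Rights Assignment section. The following PowerShell script is an added example, not code from the training guide; it assumes an elevated session on the computer being checked, and it uses the Windows privilege constant names (SeBackupPrivilege and so on) that correspond to the rights named above.

```powershell
# Added example (not from the training guide): list who holds the
# backup, restore, take-ownership and remote-shutdown user rights on
# this computer, using the effective policy exported by secedit.
# Assumption: run elevated; secedit writes a UTF-16 INF file.
$rightsOfInterest = [ordered]@{
    'SeBackupPrivilege'         = 'Back up files and directories'
    'SeRestorePrivilege'        = 'Restore files and directories'
    'SeTakeOwnershipPrivilege'  = 'Take ownership of files or other objects'
    'SeRemoteShutdownPrivilege' = 'Force shutdown from a remote system'
}

$inf = Join-Path $env:TEMP 'secpol-export.inf'
secedit /export /cfg $inf /areas USER_RIGHTS | Out-Null
if (-not (Test-Path $inf)) { throw "secedit export failed; run from an elevated prompt." }

# The [Privilege Rights] section contains lines such as
#   SeBackupPrivilege = *S-1-5-32-544,*S-1-5-32-551
# where each holder is a SID prefixed with '*'. Isolate that section.
$section = (Get-Content $inf -Raw) -split '\r?\n\[' |
    Where-Object { $_ -match '^Privilege Rights\]' } |
    Select-Object -First 1

function Resolve-SidString([string]$entry) {
    # Translate '*S-1-5-32-544' to 'BUILTIN\Administrators'; keep the
    # raw SID if it cannot be resolved (for example an orphaned account).
    if ($entry -notlike '*S-1-*') { return $entry }
    try {
        $sid = [System.Security.Principal.SecurityIdentifier]$entry.TrimStart('*')
        return $sid.Translate([System.Security.Principal.NTAccount]).Value
    } catch { return $entry }
}

foreach ($priv in $rightsOfInterest.Keys) {
    $line = ($section -split '\r?\n') | Where-Object { $_ -like "$priv*" } | Select-Object -First 1
    $holders = if ($line) {
        ($line -split '=', 2)[1].Trim() -split ',' | ForEach-Object { Resolve-SidString $_.Trim() }
    } else {
        @('(no one)')   # right missing from the export: no principal holds it
    }
    [pscustomobject]@{
        Right   = $rightsOfInterest[$priv]
        Holders = $holders -join '; '
    }
}
Remove-Item $inf -ErrorAction SilentlyContinue
```

Run the script on a computer in the GPO's scope after a policy refresh to confirm that only the intended groups appear as holders of each right.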
Security Options settings are found under Computer Configuration\Policies\Windows Settings\Security Settings\Local Policies\Security Options, and you can use them to control a wide variety of security options for computers targeted by the GPO. For example, you can
- Force users to log off when their logon hours expire
- Disable Ctrl+Alt+Del for logon to force smart card logon
- Force computers to halt when auditing cannot be performed on them
Windows 8 and Windows Server 2012 include four new policies in this category:
- Accounts: Block Microsoft accounts. This policy prevents users from adding new Microsoft accounts on this computer.
- Interactive logon: Machine account threshold. The computer lockout policy is enforced only on computers that have BitLocker enabled for protecting operating system volumes. You should ensure that appropriate recovery password backup policies are enabled.
- Interactive logon: Machine inactivity limit. Windows notices the inactivity of a logon session, and if the amount of inactive time exceeds the inactivity limit, the screen saver will run, locking the session.
- Microsoft network server: Attempt S4U2Self to obtain claim information. This security setting is used to support clients running a version of Windows prior to Windows 8 that are trying to access a file share that requires user claims. This setting determines whether the local file server will attempt to use Kerberos Service-For-User-To-Self (S4U2Self) functionality to obtain a network client principal’s claims from the client’s account domain.