Policies that have been
linked through Active Directory will, by default, take precedence over
any established local group policies. Local group policies are typically
applied to computers that are not part of a network or are in a network
that does not have a domain controller and thus does not use Active
Directory.
Previous versions of Windows
(before Vista) contained only one Local Group Policy Object that applied
to all of the computer's users unless NTFS permissions were applied to
the LGPO. However, Windows 7 and Windows Vista changed that with the
addition of Multiple Local Group Policy Objects (MLGPOs). Like Active
Directory GPOs, MLGPOs are applied in a certain hierarchical order:
Local Computer Policy
Administrators and Non-Administrators Local Group Policy
User-Specific Group Policy
The Local Computer Policy is the
only LGPO that includes computer and user settings; the other LGPOs
contain only user settings. Settings applied here will apply to all
users of the computer.
The Administrators and
Non-Administrators LGPOs were new to Windows Vista and are still
included with Windows 7. The Administrators LGPO is applied to users who
are members of the built-in local Administrators group. As you might
guess, the Non-Administrators LGPO is applied to users who are not
members of the local Administrators group. Because each user of a
computer can be classified as an administrator or a non-administrator,
either one policy or the other will apply.
User-Specific LGPOs are also
included with Windows 7. These LGPOs make it possible for specific
policy settings to apply to a single user.
As with Active
Directory GPOs, any GPO settings applied lower in the hierarchy will
override GPO settings applied higher in the hierarchy by default. For
example, any user-specific GPO settings will override any conflicting
administrator/non-administrator GPO settings or Local Computer Policy
settings. And, of course, any AD GPO settings will still override any
conflicting LGPO settings.
NOTE
Domain administrators
can disable LGPOs on Windows 7 computers by enabling the Turn Off Local
Group Policy Objects Processing domain GPO setting, which you can find
under Computer Configuration\Administrative Templates\System\Group
Policy.
You apply an LGPO to a Windows 7 computer through the Group Policy Object Editor snap-in within the MMC. Figure 1 shows the Local Computer Policy for a Windows 7 computer.
Complete the following exercise to add the Local Computer Policy snap-in to the MMC.
1. Open the Admin Console MMC shortcut by typing MMC in the Search programs and files box. A User Account Control dialog box appears. Click Yes.
2. Select File => Add/Remove Snap-In.
3. Highlight the Group Policy Object Editor snap-in and click the Add button.
4. The Group Policy Object specifies Local Computer by default. Click the Finish button.
5. In the Add or Remove Snap-Ins dialog box, click OK.
6. In the left pane, right-click the Local Computer Policy and choose New Window From Here.
7. Choose File => Save As and name the console LGPO. Make sure you save it to the Desktop. Click Save.
8. Close the MMC Admin console.
Now we will look at how to open an LGPO for a specific user account on a Windows 7 machine. Complete Exercise 1 to access the Administrators, Non-Administrators, and User-Specific LGPOs.
1. Open the Admin Console MMC shortcut by typing MMC in the Windows 7 Search box.
2. Select File => Add/Remove Snap-In.
3. Highlight the Group Policy Object Editor snap-in and click the Add button.
4. Click Browse so that you can browse for a different GPO.
5. Select the user you want to access and click OK.
6. In the Select Group Policy Object dialog box, click Finish.
7. In the Add or Remove Snap-Ins dialog box, click OK.
8. You may close the console when you are done looking at the LGPO settings for the user you chose.
NOTE
Notice that the
Administrators, Non-Administrators, and User-Specific LGPOs contain only
User Configuration settings, not Computer Configuration settings.
Now let's take a look at the different security settings that can be configured in the LGPO.
1. Configuring Local Security Policies
Through the use of the Local
Computer Policy, you can set a wide range of security options under
Computer Configuration\Windows Settings\Security Settings.
This portion of the Local
Computer Policy is also known as the Local Security Policy. The
following sections describe in detail how to apply security settings
through LGPOs (see Figure 2).
The main areas of security configuration of the LGPO are as follows:
Account Policies
Account policies are used to configure password and account lockout
features. Some of these settings include password history, maximum
password age, minimum password age, minimum password length, password
complexity, account lockout duration, account lockout threshold, and
whether to reset the account lockout counter afterwards.
Local Policies
Local policies are used to configure auditing, user rights, and security options.
Windows Firewall with Advanced Security
Windows Firewall with Advanced Security provides network security for
Windows computers. Through this LGPO you can set domain, private, and
public profiles. You can also set this LGPO to authenticate
communications between computers and inbound/outbound rules.
Network List Manager Policies
This section allows you to set the network name, icon, and location
group policies. Administrators can set Unidentified Networks,
Identifying Networks, and All Networks.
Public Key Policies
Use the Public Key Policies settings to specify how to manage certificates and certificate life cycles.
Software Restriction Policies
The settings under Software Restriction Policies allow you to identify
malicious software and control that software's ability to run on the
Windows 7 machine. These policies allow an administrator to protect the
Microsoft Windows 7 operating system against security threats such as
viruses and Trojan horse programs.
Application Control Policies
This section allows you to set up AppLocker. You can use AppLocker to
configure a Denied list and an Accepted list for applications.
Applications that are configured on the Denied list will not run on the
system and applications on the Accepted list will operate properly.
IP Security Policies on Local Computer
This section allows you to configure the IPsec policies. IPsec is a way to secure data packets at the IP level of the message.
Advanced Audit Policy Configuration
Advanced Audit Policy Configuration settings can be used to provide
detailed control over audit policies. This section also allows you to
configure auditing to help show administrators either successful or
unsuccessful attacks on their network.
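The Account Policies values described above can be audited without opening the MMC: the following PowerShell script is an added example (not from the book) that exports the Local Security Policy with secedit, parses its [System Access] section, and flags settings below a baseline. The threshold values are illustrative assumptions, not Microsoft guidance, and the script must run from an elevated prompt because secedit requires administrator rights.

```powershell
# Added example: audit Account Policies in the Local Security Policy via secedit.
# Baseline thresholds below are assumptions chosen for illustration.
$cfg = Join-Path $env:TEMP 'lsp-export.inf'
# /areas SECURITYPOLICY limits the export to account and local policy settings
secedit /export /cfg $cfg /areas SECURITYPOLICY | Out-Null

# Parse the [System Access] section of the exported .inf into name = value pairs
$policy = @{}
$inSection = $false
foreach ($line in Get-Content $cfg) {
    if ($line -match '^\[(.+)\]$') { $inSection = ($Matches[1] -eq 'System Access'); continue }
    if ($inSection -and $line -match '^\s*(\w+)\s*=\s*(.+?)\s*$') {
        $policy[$Matches[1]] = $Matches[2]
    }
}
Remove-Item $cfg -ErrorAction SilentlyContinue

# Baseline: setting name, comparison, expected value, human-readable label
$checks = @(
    @{ Name='MinimumPasswordLength'; Op='ge'; Want=8;  Text='minimum password length' },
    @{ Name='PasswordComplexity';    Op='eq'; Want=1;  Text='password complexity enabled' },
    @{ Name='PasswordHistorySize';   Op='ge'; Want=5;  Text='password history (passwords remembered)' },
    @{ Name='MaximumPasswordAge';    Op='le'; Want=90; Text='maximum password age (days)' },
    @{ Name='LockoutBadCount';       Op='ge'; Want=1;  Text='account lockout threshold' }
)
foreach ($c in $checks) {
    $raw = $policy[$c.Name]
    if ($null -eq $raw) { "{0,-24} MISSING" -f $c.Name; continue }
    $val = [int]$raw
    # MaximumPasswordAge = -1 means "password never expires", which also fails the 'le' check
    $ok = switch ($c.Op) {
        'ge' { $val -ge $c.Want }
        'le' { $val -ge 0 -and $val -le $c.Want }
        'eq' { $val -eq $c.Want }
    }
    "{0,-24} {1,4}  {2}  ({3})" -f $c.Name, $val, $(if ($ok) { 'OK  ' } else { 'WEAK' }), $c.Text
}

# Local settings only take effect if a domain GPO has not enabled
# "Turn Off Local Group Policy Objects Processing" (registry value DisableLGPOProcessing)
$sys = Get-ItemProperty 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\System' -ErrorAction SilentlyContinue
if ($sys.DisableLGPOProcessing -eq 1) { 'WARNING: LGPO processing is disabled by domain policy' }
```

On a domain member, compare the output with the domain's Account Policies, since the AD GPO values override whatever the LGPO reports.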
NOTE
You can also access the
Local Security Policy by running secpol.msc or by opening Control Panel
and selecting Administrative Tools => Local Security Policy.
Now that you have seen all the
options in the security section of the LGPO, let's take a look at
account policies and local policies in more detail.