Anyone a GPO wizard around here?

PsyWulf

Honorary Master
Joined
Nov 22, 2006
Messages
16,583
Based on the detailed request I'm pretty certain somebody somewhere might be able to give some kind of answer
 

scoobs

Well-Known Member
Joined
Sep 1, 2016
Messages
183
want to tighten up machine GPO policy, shared drive mapping etc
basically the network is a gaping hole and I want to start from the workstations up
 

Ryu007

New Member
Joined
Feb 21, 2017
Messages
6
want to tighten up machine GPO policy, shared drive mapping etc
basically the network is a gaping hole and I want to start from the workstations up

Then start with firewalls. Good firewall means no worries
 

Deadmanza

Honorary Master
Joined
Sep 13, 2013
Messages
12,762
want to tighten up machine GPO policy, shared drive mapping etc
basically the network is a gaping hole and I want to start from the workstations up

Honestly. It is painful trying to garner information from you.

Sit down and put a list of holes you want to plug and come back to us.
 

AstroTurf

Lucky Shot
Joined
May 13, 2010
Messages
30,534
What are you scared of specifically?

Or just general, I want to gpo my clients?
 

scoobs

Well-Known Member
Joined
Sep 1, 2016
Messages
183
@Deadmanza sorry dude, ok let me make a list and I'll report back
 
Joined
Sep 1, 2016
Messages
2,196
Dear OP,
I drafted the IT security policy of a JSE-listed company I am not permitted to mention here. It's pretty good, and the process was overseen by Wolfpack (Manny Corregedor).
 

DMNknight

Expert Member
Joined
Oct 17, 2003
Messages
3,385
want to tighten up machine GPO policy, shared drive mapping etc
basically the network is a gaping hole and I want to start from the workstations up

You don't need a wizard. You need standards. Against these standards, you can then have measurables, exceptions and lock downs.

Example:
Standard workstation (not a laptop) = XYZ OS
Office Installation
C: & D: drive
USB ports disallowed
Must be domain joined
Auto-renew certificate authentication based on domain membership
etc.

Standard Laptop
OS = XYZ Operating system
Office & Powerpoint std install
C: Drive only
C: Drive encryption
USB allowed for modem use only
Must be domain joined
Requires user based certificate for wifi auth
Auto-renew certificate authentication based on domain membership

That's just off the top of my head on some example items you want to look at.

Next, what's your OU structure like.
Which settings are you going to put into which policies?
How are you going to identify Laptops vs Workstations vs Servers? (the wrong answer is WMI Query)
Do you have a system software auditing tool in place?
Do you have a software deployment tool in place? (Say GPO and I will throttle you)
Which parts of the many identified items that you want to look at are you going to run in the logon script vs GPO?
What is your Password policy set at and why?
Have you got a plan on how your administration model is going to look like? (workstation admins, Super Users, etc)

Be prepared, what you have planned to lock down is multi-phased. It requires a lockdown from the firewall, to IDS/IPS, NAC and most importantly, complete process controlled object management in AD and requisite GPO's.
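
One way to turn the two example standards in the post above into measurables with tracked exceptions, as an added example that is not part of the thread. The function name Test-Baseline, the rule names, the fact keys and the sample values are hypothetical, and reading "USB allowed for modem use only" as "USB storage blocked" is an assumption.

```powershell
# Added example. Rule names, fact keys and sample values are hypothetical.
# The two standards from the post, expressed as data (one entry per measurable item).
$Standards = @{
    Workstation = @{ DomainJoined = $true; FixedDrives = 'C:', 'D:'; UsbStorageBlocked = $true }
    Laptop      = @{ DomainJoined = $true; FixedDrives = 'C:'; CDriveEncrypted = $true
                     UsbStorageBlocked = $true }  # assumption: "modem only" => storage blocked
}

function Test-Baseline {
    param(
        # Supplied by the caller (for example from the computer's OU), not detected locally.
        [Parameter(Mandatory)][ValidateSet('Workstation', 'Laptop')][string]$DeviceClass,
        [Parameter(Mandatory)][hashtable]$Facts,
        [string[]]$ApprovedExceptions = @()   # rule names signed off for this machine
    )
    foreach ($rule in $Standards[$DeviceClass].GetEnumerator() | Sort-Object Key) {
        # Normalise scalars and lists to a sorted, comma-joined string before comparing.
        # A fact that was never collected becomes '' and therefore fails the rule.
        $expected = (@($rule.Value)       | Sort-Object) -join ','
        $actual   = (@($Facts[$rule.Key]) | Sort-Object) -join ','

        $status = 'Fail'
        if ($expected -eq $actual) { $status = 'Pass' }
        elseif ($ApprovedExceptions -contains $rule.Key) { $status = 'Exception' }

        [pscustomobject]@{
            Rule = $rule.Key; Expected = $expected; Actual = $actual; Status = $status
        }
    }
}

# Constructed sample: a laptop with a second fixed drive and no encryption on C:.
# On a real machine these facts could come from Win32_ComputerSystem.PartOfDomain,
# Get-BitLockerVolume, and the USBSTOR service Start value (4 = disabled).
$facts = @{ DomainJoined = $true; FixedDrives = 'C:', 'D:'; CDriveEncrypted = $false
            UsbStorageBlocked = $true }

# The extra drive has been signed off; the missing encryption has not.
$report = Test-Baseline -DeviceClass Laptop -Facts $facts -ApprovedExceptions 'FixedDrives'
$report | Format-Table -AutoSize

# Anything still marked Fail is an unapproved deviation from the standard.
$report | Where-Object Status -eq 'Fail' | ForEach-Object { "Deviation: $($_.Rule)" }
```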
 

scoobs

Well-Known Member
Joined
Sep 1, 2016
Messages
183
You don't need a wizard. You need standards. Against these standards, you can then have measurables, exceptions and lock downs.

Example:
Standard workstation (not a laptop) = XYZ OS
Office Installation
C: & D: drive
USB ports disallowed
Must be domain joined
Auto-renew certificate authentication based on domain membership
etc.

Standard Laptop
OS = XYZ Operating system
Office & Powerpoint std install
C: Drive only
C: Drive encryption
USB allowed for modem use only
Must be domain joined
Requires user based certificate for wifi auth
Auto-renew certificate authentication based on domain membership

That's just off the top of my head on some example items you want to look at.

Next, what's your OU structure like.
Which settings are you going to put into which policies?
How are you going to identify Laptops vs Workstations vs Servers? (the wrong answer is WMI Query)
Do you have a system software auditing tool in place?
Do you have a software deployment tool in place? (Say GPO and I will throttle you)
Which parts of the many identified items that you want to look at are you going to run in the logon script vs GPO?
What is your Password policy set at and why?
Have you got a plan on how your administration model is going to look like? (workstation admins, Super Users, etc)

Be prepared, what you have planned to lock down is multi-phased. It requires a lockdown from the firewall, to IDS/IPS, NAC and most importantly, complete process controlled object management in AD and requisite GPO's.

Shiz ok, like I said I'm almost done with my list then I will pop in and you guys tell me if it's going to work, thanks for the information, it's really helpful
 