Importance Of Windows Server 2003 Group Policies Part III

In the previous installment of this article, I discussed how to classify the different types of users in an organization, as well as the systems they use. Why is an understanding of how each user works and the types of systems they use important to applying change control? Classifying users by their job area will help you begin to develop change policies based on job function, security levels, applications required, and so on, and translate job classifications into domain security groups. Getting a handle on the big picture will help you develop and implement policies that allow users enough latitude to do their jobs effectively and efficiently without exposing their systems and the network to compromise.

If you’re working strictly in a workgroup environment without domain security, you can still use this knowledge to plan local security policies for each computer. In addition, understanding the types of systems each user or group uses will help you identify potential security risks associated with specific types of systems.

For example, if most of your workstations are diskless Terminal Services clients without Internet connectivity, you don’t have to worry much about users introducing unauthorized applications through downloads. Systems with modems or direct Internet access, or remote systems over which you have little control, are a different story.

In addition to understanding users’ responsibilities and the systems they use, you also need to become familiar with the applications they use. This doesn’t mean you need to become an expert at using the application and become capable of answering any question about it (although your users no doubt expect that from you). Instead, you need to understand their applications in the context of how changes that the users are allowed to make can impact those applications, what changes they need to be able to make because of the applications, and how to recover their applications and data if they manage to drive through some loophole you’ve overlooked.

Finally, make sure you develop an adequate recovery strategy to accommodate problems when they do occur. Perhaps the best way to do this is to plan for the scenario in which group policies don’t exist, put in place recovery strategies to deal with the possibilities engendered by rampant changes, and then apply change restrictions to prevent all of those possibilities from occurring. In other words, plan for the worst and design for the best.

One Comment

Hi Diana
Your blog is a great resource on NT system techniques, practices and interpretations. The information you have shared is very valuable for the uninitiated.
We are in the process of a ‘real’ beta test to create a global online marketplace for buying, selling and sharing your expertise, experiences, opinions and knowledge with others.
We’re inviting a select group of people to experience Tivamo’s tool & interface which allows buyers and sellers to connect in a rich, interactive, one-to-one environment.
We invite you to be a part of the beta testing process to provide us with valuable feedback to improve our platform and product before we roll it out to the wider community.
Please visit http://www.tivamo.com/signup . Your invitation code is COMP208.
Thanks
Bradley Stringer
The Tivamo Team
