When Microsoft’s group policy isn’t enough

Windows customers use Microsoft’s Group Policy Object technology to help automate and ease administration of end user rights and access to all network computers. With Group Policy, tasks such as deploying software, implementing security settings and enforcing policy can be configured and distributed across organizational units, domains or sites.

GPO administration should be a critical security concern, as it is the means by which Microsoft administrators set up parameters for things such as password policies and patching rules if they are using Windows Server Update Services.

Our testing has shown that Microsoft’s central administration tool, Group Policy Management Console (GPMC), comes up short in several areas that are vital in today’s corporate environment. To fill in the gaps, however, there are third-party tools such as those we’ve tested from Desktop Standard, NetIQ, Quest Software and ScriptLogic.

1. Change management.

Compliance officers, regulators and auditors are all looking for documented evidence of changes to key areas within the security infrastructure. With GPMC, multiple administrators could be logged on to the domain and making changes to the same policy.

If changes are made at the same time without coordination or review, the results could be disastrous, corrupting the GPO and requiring a complete restore from backup. Depending on the changes, a number of servers and end users’ systems also may be affected.

Several of the third-party tools provide change-management functionality. With most of these products, when a policy was being edited by an administrator, the policy was “checked out” – locked from being used by any other administrator. The tools also implemented some type of workflow to enable segregation of duties. The implementation differed between products, but the goal was the same: enable a process where changes must be reviewed and approved before going live.

2. Version control.

Within the scope of GPMC, previous versions of a company’s policies are not automatically maintained for review or easy restore in the event of a problem.

The third-party tools have simple restore options that put any previous version of a policy back into the production environment. If a policy placed into production has bad effects, current Windows tools require an administrator to remember to make a manual backup of the GPO before making any changes. Although you can implement processes and checklists that require this step, it may still be missed. The third-party tools make an administrator’s job easier by not requiring that they remember to perform this step manually.

The third-party products also add version control, providing quick and easy methods to review all previous versions of any policy. With version control, these products are able to create differential analyses between policies. What changed in the current policy from the policy in effect two months ago? With current GPMC administration tools, this would be a manual process. The third-party tools make it as simple as a few clicks of the mouse and creating reports that easily identify changes.

3. Offline testing.

In the default Active Directory administration environment, all changes are put immediately into production. Testing is not an easy option. You can get around this by building completely separate testing domains and networks, but that is not always feasible. The third-party tools make changes to offline copies of policies, only pushing them to production once they’re approved.

4. Access control.

Using only GPMC to control who has access to modify policies is also problematic. To make these changes, users require high-level permissions, which should not be provided to most users. Companies are frequently asked to lock down and decrease the number of users with powerful administrative rights, but this is difficult if users need those rights to perform day-to-day operations.

Some of the third-party products enable detailed administrative access to group policies and do not require that users have full control of the production environment. With these access-control models, a single account acts as a proxy and makes changes to the production environment. The product’s access control system enables administrators to limit users’ access to individual policies.

5. Audit trail.

Corporations deal with tremendous audit and compliance requirements in today’s regulatory environment, and therefore, their ability to provide a complete audit trail of changes is paramount. Windows offers some assistance in its Security Event Log, if auditing is enabled, but the log messages for the most part are cryptic.

Also, no reporting functionality is included that would help an administrator quickly query and identify the exact user who made a specific change at a given point in time. Again, third-party products add this functionality, often creating databases of change events. Administrators can then create reports showing very specific change-event information.

Microsoft offers Resultant Set of Policy functionality, analysis information showing the full implementation of a policy, as a separate Microsoft Management Console snap-in from GPMC. You can run in logging mode or planning mode. Logging mode looks at the current production environment, and planning mode provides the ability to perform some what-if analysis.

The third-party products, however, pull this functionality into their own management consoles, making it easier to access. They also improve the reports from the default console, making them easier to read and understand.

The trade-offs with third-party tools

Third-party tools add a lot of features, but at a price.

First, they are separate products that need to be purchased and maintained. Second, with their detailed access-control functions, you need to take the time to plan and design segregation of duties. Otherwise, most users end up with all rights because the proper model has not been implemented to take advantage of the tools. Third, a new product has a learning curve, and some users may be frustrated at the beginning.

The area that could have the biggest effect on your environment, though, is additional entries in the Security Event Log. The performance impact depends a lot on the specific log items you enable and how frequently you make changes, but this needs to be tested thoroughly before going to production.

You can develop your own, similar tools using the APIs and hooks into GPO management that Microsoft provides.

This is challenging, though, as administrators and developers are already scarce in most organizations. You also need to consider that developing Windows management tools may not be a core competency.

Andress is president of ArcSec Technologies, a security company focusing on product reviews and analysis. She can be reached at mandy@arcsec.com.