Manage User Rights with Group Policy

Group Policy is nothing but flexible and extremely powerful when it comes to both configuration management and installation of software.  In addition, Group Policy is one of your best tools for securing your endpoints.  You can manage anything and everything from Firewall rules, account privileges, application white-listing, etc.  You can also manage user rights as well.

Computers and Users in your environment have a lot of rights, by default, that they don’t need.  Using Group Policy, we can manage these privileges and start to lock-down our environments without making it burdensome for our end users.  One such privilege is the ability to Log on Locally.

Use Group Policy to define accounts or services that are allowed to log on locally
Use Group Policy to define accounts or services that are allowed to log on locally

By default, anyone that has the correct username and password can log on locally to a system, but do you really need to log on to a server in your datacenter using a local account?  Some of you might, in this case you should explicitly allow certain accounts to have this privilege.  Instead of using the default setting of “if you have a local account you can log in to this system”, but instead restrict this at a global level.  This ensures that your systems are properly managed and no one was being lazy or malicious by creating a one-time account they forgot about.

Use Group Policy to define accounts or services that are not allowed to log on locally
Use Group Policy to define accounts or services that are not allowed to log on locally

Let’s take the opposite approach.  Do you have systems on your network(s) that should only be logged on by specific individuals, accounts, services, etc?  Instead of relying on plainly on the security of your username and password, we should restrict this right to the specific accounts, computers, users, etc. that should have access. Only then, if they have the correct credentials are they allowed to login over the network.

Use Group Policy to allow access to computers from the network
Use Group Policy to allow access to computers from the network

By restricting this access to only the certain machines or users within a specific group, someone who has either found a set of credentials or has somehow infiltrated your network will only be able authorize a set of systems because others have been restricted.

Another example is to manage who has access to Log on Remote Desktop Services permissions.  Does everyone need to access a set of systems (this goes for both workstations and servers)?  I bet not, so why just enable RDP (Remote Desktop Protocol) for anyone who has valid credentials?  We should tightly restrict who has access to our systems, especially when using RDP.

Use Group Policy to allow or deny access to Remote Desktop Services
Use Group Policy to allow or deny access to Remote Desktop Services

For all situations regarding user rights and access to systems, we should always restrict access as much as possible.  The key is to create these restrictions without being burdensome for your end-users.  There is a fine line, but we should always attempt to be reasonable with this approach.  Some systems just shouldn’t be accessed over RDP or locally, this will be up to the discretion of your organizations risk.  Providing clear guidance and allowing your management to either enable these restrictions or to accept the risk is all that we as IT professionals can do.

 

Advertisements

Understanding Group Policy order

Group Policy order can be confusing. To understand how exactly Windows applies one GPO (Group Policy Object) versus another, you can use the “LSD OU” rule.

You should always ask yourself two questions when dealing with Group Policy:

  1. Where are you (local, site, domain, or organizational unit)?
  2. What are you (computer or user)?

Read More

Download files from Github without Git using PowerShell

Have you ever needed to download code or a repository from Github, but didn’t want to download and install Git on a machine, create an SSH key, etc. If so, I have something that you may like.

You can find the entire function here: https://github.com/MSAdministrator/GetGithubRepository

To use this function, you will need to know the path to the Github repository (of course) you want to download.  Once you have that URL, you will need to pass each piece of the URL into a parameter on the function.

For example, let’s take a URL like https://github.com/MSAdministrator/WriteLogEntry.  This URL can be broken down as follows

  • MSAdministrator = Owner
  • WriteLogEntry = Repository

We also know that we want to download the “master” branch of this repository.  The next part is that we need to gather a list of files/paths that we need to download as well.  These will be passed as an array of strings to the FilePath parameter.

  • Branch = Master (unless you want a different branch)
  • FilePath = (Files and paths you want to download)

By default this function will always get the master branch of the repository you are wanting to download, but you can specify a different branch if wanted.  Additionally, this function will download the specified files to your user profiles Module Path (C:\users\some_user\Documents\WindowsPowerShell\Modules)

To use this function, you will need to pass the following values as parameters to the function.  For example, to download my WriteLogEntry repository you will need to call the function like so:
Get-GithubRepository -Owner MSAdministrator -Repository WriteLogEntry -Verbose -FilePath `
'WriteLogEntry.psm1',
'WriteLogEntry.psd1',
'Public',
'en-US',
'en-US\about_WriteLogEntry.help.txt',
'Public\Write-LogEntry.ps1'

I hope that this function helps some of you who want to quickly download a Github repository without installing or using Git.  If you have issues or like this function, please submit issues or fork requests to my Github.

Enjoy!

Original Image here: