June 28, 2007 12:00 AM

Safely Deploy Security Templates

The Windows Server 2003 Security Guide gives you some powerful tools—use them wisely
Windows IT Pro
InstantDoc ID #96177

Creating Override Policies
To resolve the problem with SMTP functionality that we looked at earlier, you can create a new GPO called an override policy that you apply only to the affected servers. The override policy contains just a few modifications to lower specific security requirements for the affected servers and leave the other configuration settings intact. The policy is then applied with a higher priority than the EC – Member Server policy to ensure that the modifications are implemented successfully. In the SMTP example, the override policy contains only the three settings that Table 2 shows.

Figure 2 shows how you can use the Group Policy Management screen's Group Policy Inheritance tab to link various GPOs in an order that ensures appropriate application of the settings. EC policies that you configure by using the Security Guide templates should have a higher precedence than Default policies, and override policies should have higher precedence than the EC policies.

Different policies apply depending on which organizational unit (OU) the server resides in. You can view all the GPOs that apply to an OU (either directly or by inheritance) by selecting the Group Policy Inheritance tab.
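
The link order described above can also be set and checked from PowerShell. This is an added example, not part of the original article or the Security Guide; it assumes the GroupPolicy module (Windows Server 2008 R2 or later, or RSAT), and the OU path, GPO names, and backup folder are hypothetical placeholders.

```powershell
# Added example. Every name below is an assumption, not a value from the article.
Import-Module GroupPolicy            # installed with GPMC/RSAT

$ou        = 'OU=SMTP Servers,OU=Member Servers,DC=example,DC=com'   # hypothetical OU
$override  = 'Override - SMTP Servers'                                # hypothetical GPO name
$ecPolicy  = 'EC - Member Server'                                     # name of your EC baseline GPO
$backupDir = 'C:\GPOBackup'                                           # hypothetical backup path

# 1. Roll-back point: back up every GPO in the domain before changing links.
New-Item -ItemType Directory -Path $backupDir -Force | Out-Null
Backup-GPO -All -Path $backupDir | Out-Null

# 2. Create the override GPO if it does not exist yet. It starts empty; add only
#    the few relaxed settings afterwards in the Group Policy editor.
if (-not (Get-GPO -Name $override -ErrorAction SilentlyContinue)) {
    New-GPO -Name $override -Comment 'Relaxes selected EC settings for SMTP servers' | Out-Null
}

# 3. Link it to the OU at link order 1 (highest precedence among direct links).
$direct = (Get-GPInheritance -Target $ou).GpoLinks
if ($direct.DisplayName -contains $override) {
    Set-GPLink -Name $override -Target $ou -Order 1 -LinkEnabled Yes | Out-Null
} else {
    New-GPLink -Name $override -Target $ou -Order 1 -LinkEnabled Yes | Out-Null
}

# 4. Verify the effective order, including GPOs inherited from parent containers.
#    InheritedGpoLinks is listed in precedence order (first entry wins).
$effective = @((Get-GPInheritance -Target $ou).InheritedGpoLinks | Where-Object Enabled)
$names     = @($effective.DisplayName)
$effective | Format-Table Order, DisplayName, Enforced, Target -AutoSize

$iOverride = [array]::IndexOf($names, $override)
$iEc       = [array]::IndexOf($names, $ecPolicy)
if ($iOverride -lt 0 -or $iEc -lt 0) {
    Write-Error "Expected both '$override' and '$ecPolicy' to apply to $ou."
} elseif ($iOverride -gt $iEc) {
    Write-Error "'$ecPolicy' outranks '$override'; the override settings will be overwritten."
} else {
    Write-Output "OK: '$override' has higher precedence than '$ecPolicy'."
}
```

Run it in the preproduction lab first. If the EC policy is linked as Enforced on a parent container, the check in step 4 reports that it outranks the override.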

A More Secure System
Deploying the Security Guide templates requires a lot of planning and a preproduction lab environment where you can test functionality. However, using the security templates in combination with the SCW to create policies for your Windows servers gives you control over your security environment. You'll be able to make changes across many servers, comply with Microsoft's security best practices, and add reliability and stability to your environment. See "Dos and Don'ts of Using Security Templates," below, for tips to successfully use the security templates.

If Microsoft wants organizations to take security seriously, Exchange (and other servers and applications) should work out of the box with the EC security templates. At the very least, Microsoft should document the problems that this article identifies. This article summarizes the benefits and problems involved in using the security templates and the SCW; however, it's not a replacement for reading the documentation that comes with the guide.

Dos and Don'ts of Using Security Templates

DO:

  • Incorporate security templates in your Group Policy design from the very beginning.
  • Test all policies in a preproduction lab environment.
  • Use the SCW to configure start-up settings for system services.
  • Create a backup (including a system state backup) before deploying GPOs created from the templates in a production environment.
  • Consider using the templates in conjunction with Group Policy to secure and manage your environment.
  • Read the documentation that comes with the Windows Server 2003 Security Guide.

DON'T:

  • Deploy a new GPO created from a security template and/or the SCW in your production environment without extensive testing and approval from system stakeholders.
  • Dismiss the risk to functionality of deploying security settings from a template en masse in a production environment.
  • Make changes to your production environment without a proven roll-back plan.

WINDOWS SERVER 2005 SECURITY CODE
Read the overview at http://technet.microsoft.com/en-us/library/cc163140.aspx

Download the Security Guide and its tools at http://www.microsoft.com/downloads/details.aspx?&FamilyID=8a2643c1-0685-4d89-b655-521ea6c7b4db

Comments
  • LAVON
    3 years ago
    Dec 10, 2009

    The link to download the Windows Server 2003 Security Guide is now fixed; thanks for the feedback!

  • Ed
    3 years ago
    Sep 16, 2009

    Link to download the Security Guide is dead.

Windows is a trademark of the Microsoft group of companies. Windows IT Pro is used by Penton Media Inc. under license from owner.