Restricted Groups
Restricted Groups is a way to control group membership with Group Policy. Many administrators have tried to control groups by making wholesale ACL changes on the system. That typically leaves the system less secure than it was before, and they still have not achieved complete control of the group they wanted to restrict.
Restricted Groups provides a much better way to control certain groups, such as Power Users, Server Operators, and Backup Operators. For instance, if you do not want anyone to gain access to files simply by being a member of Server Operators, make Server Operators a restricted group and control who can be a member of it.
Restricted Groups also provides a very strong way to control who is an administrator. For instance, at one point we had an administrator who was running a lab for one of the authors. That must have been a terrible job because he was charged with keeping us out of his lab. We, on the other hand, kept trying to hack him. To prevent us from becoming administrators, he made that group a restricted group using domain policy, and we were not in it. Because the policy re-enforces the membership list at every Group Policy refresh, that meant we had only 15 minutes from the time we became administrators to turn off the policy before we were removed from the group again. Some of the time, that actually worked. To stop this, he then set the Group Policy refresh interval to one minute, which pretty much stopped us cold. Although we cannot recommend refreshing Group Policy every minute, we do recommend using restricted groups to manage group membership for certain sensitive groups.
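The lab story above works because a restricted group's "Members of this group" list is authoritative: at each Group Policy refresh, any account not on the list is removed. The policy's other setting, "This group is a member of", is additive and only ensures the group is present in the listed groups. The following Python model, an added example that is not code from the tutorial or from Windows itself, simulates both settings on a toy local-group database and adds an audit function that reports which members would be removed at the next refresh. All group and account names (`LAB\Domain Admins`, `student`, `LAB\Helpdesk`) are constructed sample data.

```python
"""Model of how a Restricted Groups policy reconciles group membership.

Added example, not code from the original tutorial. It simulates the two
settings the policy exposes: "Members of this group" (authoritative: anyone
not listed is removed at each Group Policy refresh) and "This group is a
member of" (additive: the group is added to the listed groups, nothing is
removed). Group and account names used below are constructed sample data.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set, Tuple


@dataclass
class RestrictedGroup:
    name: str
    # "Members of this group"; None means membership is not managed by policy
    members: Optional[frozenset] = None
    # "This group is a member of"; additive only
    member_of: frozenset = frozenset()


@dataclass
class Host:
    """Local group database of one machine: group name -> set of member names."""
    groups: Dict[str, Set[str]] = field(default_factory=dict)

    def apply_refresh(self, policies: List[RestrictedGroup]) -> List[Tuple[str, str, str]]:
        """Simulate one Group Policy refresh; return (action, account, group) changes."""
        changes = []
        for p in policies:
            if p.members is not None:
                current = self.groups.setdefault(p.name, set())
                # Authoritative list: strip anyone not on it, then add anyone missing.
                for extra in sorted(current - p.members):
                    current.discard(extra)
                    changes.append(("remove", extra, p.name))
                for missing in sorted(p.members - current):
                    current.add(missing)
                    changes.append(("add", missing, p.name))
            for target in sorted(p.member_of):
                # Additive setting: make sure the group is in each target group.
                target_members = self.groups.setdefault(target, set())
                if p.name not in target_members:
                    target_members.add(p.name)
                    changes.append(("add", p.name, target))
        return changes


def unauthorized_members(host: Host, policies: List[RestrictedGroup]) -> Dict[str, List[str]]:
    """Audit view: members present now that the policy would remove at the next refresh."""
    drift = {}
    for p in policies:
        if p.members is None:
            continue
        extra = host.groups.get(p.name, set()) - p.members
        if extra:
            drift[p.name] = sorted(extra)
    return drift


def lab_scenario():
    """Replay the lab story: an unauthorized account sits in Administrators between refreshes."""
    policy = [
        RestrictedGroup("Administrators",
                        members=frozenset({"Administrator", "LAB\\Domain Admins"})),
        RestrictedGroup("Server Operators", members=frozenset()),  # nobody allowed
        RestrictedGroup("LAB\\Helpdesk",
                        member_of=frozenset({"Remote Desktop Users"})),
    ]
    host = Host({
        "Administrators": {"Administrator", "LAB\\Domain Admins", "student"},
        "Server Operators": {"student"},
        "Remote Desktop Users": set(),
    })
    drift_before = unauthorized_members(host, policy)
    changes = host.apply_refresh(policy)
    drift_after = unauthorized_members(host, policy)
    return drift_before, changes, drift_after


if __name__ == "__main__":
    before, changes, after = lab_scenario()
    print("drift before refresh:", before)
    for action, who, group in changes:
        print(f"{action:6} {who} -> {group}")
    print("drift after refresh:", after)
```

The `unauthorized_members` view is the part worth reusing in monitoring: the same difference between "who is in the group now" and "who the policy says may be there" is what you would alert on between refreshes, since an account that appears in a restricted group and then vanishes at the next refresh is exactly the pattern the lab story describes.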
In this tutorial:
- Protecting Hosts
- Security Configuration Myths
- Myth 1: Security Guides Make Your System Secure
- Myth 2: If We Hide It, They Won't Find It
- Myth 3: The More Tweaks, the Better
- Myth 4: Tweaks Are Necessary
- Myth 5: All Environments Should At Least Use <Insert Favorite Guide Here>
- Myth 6: "High Security" Is an End Goal for All Environments
- Myth 7: Start Securing Your Environment by Applying a Security Guide
- Myth 8: Security Tweaks Can Fix Physical Security Problems
- Myth 9: Security Tweaks Will Stop Worms/Viruses
- Myth 10: An Expert Recommended This Tweak as Defense in Depth
- Server Security Tweaks
- Software Restriction Policies
- Do Not Store LAN Manager Hash Value
- Anonymous Restrictions
- Security Identifiers (SIDs)
- Password Policies
- SMB Message Signing
- Networking LAN Manager Authentication Level
- TCP Hardening
- Restricted Groups
- Audit Settings
- Client Security Tweaks
- Firewalls
- IPsec Filters
- SafeDllSearchMode
- Local Administrator Account Control
- Limit Local Account Use of Blank Passwords to Console Logon Only
- Logon Events
- Allowed to Format and Eject Removable Media
- The Caution List: Changes You Should Not Make
- Crash on Audit Failure
- Clear Virtual Memory Page File
- Security Configuration Tools