Companies discouraged from relying on group policy objects

News by SC Staff

Companies should not rely on group policy objects within their configuration management program.


Chris Schwartzbauer, vice president of Shavlik Technologies, claimed that group policy objects should be recognised as a tool for deploying configuration settings within a Microsoft Windows Active Directory environment, and not as a configuration management solution that can be relied upon to support security and compliance efforts.


Schwartzbauer said: “An over-reliance on group policy objects creates a false sense of security for managers, while desktop support and IT administrators struggle to understand why attacks continue to penetrate defences.


“Our customers tell us that auditors no longer accept screenshots of group policy objects as proof that the company is complying with security policy. Auditors expect you to prove rules are correctly applied, at a moment's notice. No small feat with group policy objects, which do not have a mechanism for reporting back the status of the deployment settings.


“It does not even report whether a policy has been properly applied. Individual queries can be generated for each machine and combined manually, but this would not provide a real-time view of your overall configuration status. Chances are several servers or desktops will have drifted away from the deployed setting by the time the report is prepared.”


He went on to claim that any number of issues can block proper application of group policy objects, ranging from inadvertent corruption of the local security policy files to intentional or accidental alteration by users who have permissions on the machine. The events that block proper application of group policy objects, meanwhile, are recorded locally on the desktop or server.


Schwartzbauer claimed that typically 10-15 per cent of companies' systems are not properly managed within the Active Directory footprint. Without another layer of control to quickly and comprehensively scan, verify and report on the status of every machine that is connecting to the network, they cannot have confidence that group policy object policies are in effect.


Schwartzbauer said: “Organisations have to get a grip over the entire flow of tasks that ensure security policies can be upheld. The link needs to be made between the patch policies and the configuration rules, with real-time visibility of the process for the administrators responsible for those machines.


“To claim compliance with any regulatory framework, administrators are under significant pressure to manage configurations so the reality on the network conforms to official corporate policies. This requires a level of visibility that cannot be achieved with group policy objects alone.


“Even when the effort to query and combine system status reports is made, the time involved allows the queried systems to drift out of compliance before any central report can be finalised - leaving plenty of opportunity for the auditors who are increasingly skilled at finding the weak spots that go undetected. But perhaps more disconcerting is the fact that the threats continue to be realised when the weak spots are detected.”

