
Step by Step : Protecting Windows Server 2012 R2 using GPO

August 2, 2014

Protecting IT infrastructure, especially your valuable data and servers, has always been a priority for any organization.

Many security risks threaten companies and their critical data, whether the attack comes from inside or outside. When your company does not have adequate security policies, it can lose data, experience server unavailability, and lose credibility.

To help protect against security threats, companies must have well-designed security policies that include many organizational and IT-related components.

Organizations must evaluate security policies on a regular basis.

Before you begin designing security policies to help protect your organization’s data, services, and IT infrastructure, you must learn how to identify security threats, plan your strategy to mitigate security threats, and secure your Windows Server 2012 R2 infrastructure.

So, enough said. In this post, let's go through, step by step, how you as an administrator can secure and protect your Windows Server 2012 R2 infrastructure by using GPO.

It's actually a very straightforward process. Make sure you prepare your domain server and member server for this exercise…

1 – Let's create a new OU for our member servers…

On the OSI-ADDS01 domain server, in Active Directory Users and Computers, right-click osi.local, click New, and then click Organizational Unit. In the Name box, type OSI Member Server, and then click OK…

2 – In the Active Directory Users and Computers console, click the Computers container, highlight any member server that you want the GPO to apply to, right-click, and then click Move

3 – In the Move interface, click OSI Member Server, and then click OK


4 – Verify that the OSI Member Server OU contains all the servers that you just moved…

5 – Now let's create a Member Server Security Settings GPO

Right-click the OSI Member Server OU, then click Create a GPO in this domain, and link it here

6 – In the New GPO window, type OSI Member Server Security GPO, and then click OK


7 – Next, right-click OSI Member Servers GPO, and then click Edit

8 – In the Group Policy Management Editor interface, go to Computer Configuration\Policies\Windows Settings\Security Settings\Restricted Groups, then right-click Restricted Groups, and then click Add Group


9 – In the Add Group box, type OSI Admin, and then click OK.

10 – In the OSI Admin Properties interface, next to Members of this group, click Add, then add the OSI Server Admins and Domain Admins groups

11 – Verify that in the OSI Admin Properties interface, under Members of this group:, you have OSI\Domain Admins and OSI\OSI Server Admins

12 – Switch back to the OSI-SVR01 server, open cmd, and then type gpupdate /boot /force

13 – Next, open Computer Management console…


14 – Expand Local Users and Groups, click Groups, and then double-click Administrators. Confirm that the Administrators group contains both OSI\Domain Admins and OSI\OSI Server Admins as members (you may add the group manually if it is not showing in the Members list)…

15 – Now switch back to the OSI-ADDS01 domain server. In the Group Policy Management Editor interface, go to Computer Configuration\Policies\Windows Settings\Security Settings\Local Policies\User Rights Assignment, then double-click Allow log on locally

16 – In the Allow log on locally Properties dialog box, select the Define these policy settings check box, click Add User or Group, add OSI\Domain Admins, and then click OK…

17 – Repeat the previous step to add Administrators, then click OK…

18 – Next, still in the Group Policy Management Editor interface, go to Computer Configuration\Policies\Windows Settings\Security Settings\Local Policies\Security Options, then double-click User Account Control: Admin Approval Mode for the Built-in Administrator account

19 – In the User Account Control: Admin Approval Mode for the Built-in Administrator account Properties interface, select the Define this policy setting check box, ensure that Enabled is selected, and then click OK

20 – Now let's verify that a nonadministrative user cannot sign in to a member server

Switch back to the OSI-SVR01 server and log in as Kern (a domain user)

21 – Verify that Kern cannot sign in…

22 – Let's try to log in as Ed. You should successfully log in to the OSI-SVR01 server using Ed's profile…

23 – Why can we successfully log in as Ed? Because Ed is a member of the OSI Server Admins group
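Steps 1 to 6 can also be scripted. The following is an added example, not part of the original post: it assumes it runs on the domain controller with the ActiveDirectory and GroupPolicy modules installed, and it uses the OU, GPO and server names from the steps above.

```powershell
# Added example: scripted equivalent of steps 1-6 (OU, computer move, GPO, link).
# Assumes the RSAT ActiveDirectory and GroupPolicy modules on OSI-ADDS01.
Import-Module ActiveDirectory, GroupPolicy

$domainDn = (Get-ADDomain).DistinguishedName        # DC=osi,DC=local in the post
$ouName   = 'OSI Member Server'
$ouDn     = "OU=$ouName,$domainDn"
$gpoName  = 'OSI Member Server Security GPO'
$servers  = @('OSI-SVR01')                          # member servers to move

# Step 1: create the OU only if it does not exist yet.
$ou = Get-ADOrganizationalUnit -Filter "Name -eq '$ouName'" `
        -SearchBase $domainDn -SearchScope OneLevel
if (-not $ou) { New-ADOrganizationalUnit -Name $ouName -Path $domainDn }

# Steps 2-4: move each server into the OU, then list what the OU contains.
foreach ($name in $servers) {
    $computer = Get-ADComputer -Identity $name
    if ($computer.DistinguishedName -notlike "*,$ouDn") {
        Move-ADObject -Identity $computer.DistinguishedName -TargetPath $ouDn
    }
}
Get-ADComputer -Filter * -SearchBase $ouDn | Select-Object Name, DistinguishedName

# Steps 5-6: create the GPO if needed and link it to the OU once.
$gpo = Get-GPO -Name $gpoName -ErrorAction SilentlyContinue
if (-not $gpo) { $gpo = New-GPO -Name $gpoName }
$linked = (Get-GPInheritance -Target $ouDn).GpoLinks |
    Where-Object DisplayName -eq $gpoName
if (-not $linked) {
    New-GPLink -Guid $gpo.Id -Target $ouDn -LinkEnabled Yes | Out-Null
}

# Confirm which GPOs are now linked to the OU and in what order.
(Get-GPInheritance -Target $ouDn).GpoLinks |
    Select-Object DisplayName, Enabled, Order
```

The security settings from steps 8 to 19 are still configured in the Group Policy Management Editor as described.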

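The manual checks in steps 12 to 14 and 20 to 23 can be complemented by reading the applied settings directly on the member server. This is an added example, not from the original post; it assumes an elevated PowerShell session on OSI-SVR01 after gpupdate has run, and the expected group names are taken from the steps above.

```powershell
# Added example: verify on the member server what the GPO actually applied.
$expectedAdmins = 'OSI\Domain Admins', 'OSI\OSI Server Admins'
$expectedLogon  = 'OSI\Domain Admins', 'BUILTIN\Administrators'

# Steps 8-14: domain principals in the local Administrators group.
# Domain members are printed as DOMAIN\name, so keep only lines with a backslash.
$admins = net localgroup Administrators |
    Where-Object { $_ -match '\\' } | ForEach-Object { $_.Trim() }

# Steps 15-17: export the user rights and read "Allow log on locally".
$cfg = Join-Path $env:TEMP 'user-rights.inf'
secedit /export /cfg $cfg /areas USER_RIGHTS | Out-Null
$line = Get-Content $cfg | Where-Object { $_ -like 'SeInteractiveLogonRight*' }
Remove-Item $cfg
$logon = @()
if ($line) {
    $logon = ($line -split '=', 2)[1].Split(',') | ForEach-Object {
        $entry = $_.Trim()
        if (-not $entry.StartsWith('*')) { return $entry }   # already a name
        # secedit writes SIDs as *S-1-...; translate them to DOMAIN\name.
        $sid = New-Object System.Security.Principal.SecurityIdentifier(
                   $entry.TrimStart('*'))
        try   { $sid.Translate([System.Security.Principal.NTAccount]).Value }
        catch { $entry }                                      # unresolvable SID
    }
}

# Steps 18-19: this UAC policy is stored as FilterAdministratorToken = 1.
$uacKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
$filterToken = (Get-ItemProperty -Path $uacKey).FilterAdministratorToken

# Empty lists and True mean the server matches what the steps configured.
[pscustomobject]@{
    MissingFromAdministrators = @($expectedAdmins | Where-Object { $admins -notcontains $_ })
    MissingLogonRight         = @($expectedLogon  | Where-Object { $logon  -notcontains $_ })
    UnexpectedLogonRight      = @($logon | Where-Object { $expectedLogon -notcontains $_ })
    AdminApprovalModeEnabled  = ($filterToken -eq 1)
} | Format-List

# Shows which GPOs were applied to the computer and which were filtered out.
gpresult /r /scope computer
```

Any entry under UnexpectedLogonRight is an account or group that can still log on locally, which is worth checking against other GPOs linked above the OU.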
