Published on Windows DevCenter (http://www.windowsdevcenter.com/)


Understanding Local Group Policy

by Mitch Tulloch, author of Windows Server Hacks
03/29/2005

Group Policy is a powerful tool for controlling the configuration of desktops and servers on an Active Directory network, but Group Policy's lesser cousin, Local Group Policy, is also worth knowing about. In a domain environment, Group Policy objects (GPOs) can be linked to site, domain, and organizational unit (OU) containers to control hundreds of settings for the users and computers in those containers. GPOs are processed according to a simple inheritance rule: site GPOs first, then domain GPOs, then OU GPOs from the top-level OU on down, with later GPOs overriding earlier ones where settings conflict. This rule can be modified in complex ways using features like No Override (called Enforced in Windows Server 2003), Block Inheritance, Loopback processing, security filtering, and WMI filters. The result can be so complex that Microsoft created an additional tool, Resultant Set of Policy (RSoP), to help you work out how dozens of GPOs will be processed in a given situation.

Local Group Policy Objects (LGPOs), on the other hand, are much simpler, because there is exactly one LGPO on each Windows 2000, XP, or Server 2003 computer on your network. In an Active Directory environment the LGPO has the lowest precedence: if it has been configured it is always processed first, so any setting it defines is overridden by a conflicting setting in a GPO linked to a site, domain, or OU. As a result, you usually won't need to configure LGPOs unless you have stand-alone computers that belong to a workgroup. Another scenario in which LGPOs might need to be configured is kiosk machines set up in a stand-alone environment for public users.

While neither of those two scenarios is common in enterprise environments, one place where LGPOs can be important in the enterprise is for bastion hosts residing on a perimeter network (demilitarized zone or DMZ) where your firewall protects your internal private network from the external public internet. In such a case, you can lock down your public web server, for example, by importing a security template into the LGPO on your web server and configuring other LGPO settings to harden your web server as necessary.

Configuring an LGPO

The simplest way to configure the LGPO on a Windows 2000 or later computer is by choosing Start -> Run -> gpedit.msc -> OK. As shown in Figure 1 below, this opens the Local Computer Policy in the Group Policy Object Editor.

Figure 1. Opening an LGPO in the Group Policy Object Editor

Note that the gpedit.msc shortcut opens only the LGPO of the computer on which it is run; you can't use it to open the LGPO of a remote machine. (The Group Policy Object Editor snap-in, added to a custom MMC console, can be focused on another computer, but that depends on the remote administration protocols, RPC and SMB, being reachable from your workstation, which is exactly what a bastion host should not expose.) One workaround is to enable Remote Desktop on your bastion host so that you can run the GPOE over a Terminal Services session. This has the drawback of widening the attack surface of the machine, since RDP requires an additional port (TCP 3389) to be opened, so you may instead want to run the GPOE directly at the console of the machine when you perform your initial hardening, and, if you do enable RDP afterwards, restrict that port at the firewall to your management addresses.


Once the LGPO has been opened on the computer, you can either configure its settings manually or import a security template to do the hardening for you. (You can also add administrative templates, .adm files, to the LGPO to expose more registry-based settings for configuring the machine.) For example, to import the hisecws.inf security template into your LGPO, you would do the following:

If your bastion host is running Windows Server 2003, then instead of using the default security templates found in %windir%\security\templates, you can harden your machine more effectively by using the custom security templates provided with the Windows Server 2003 Security Guide. These templates are designed to harden servers by role (web server, file/print server, and so on), and a separate set is provided for each of three environments: Legacy Client, where Windows 9x/NT machines are still present; Enterprise Client, where all machines run Windows 2000 or later; and High Security, for environments with stricter requirements, at the cost of some compatibility.
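The same template import can be scripted from a console session on the bastion host with secedit.exe, which is useful when you want a repeatable hardening step with a rollback point and a verification pass. The script below is an added example, not code from the article; it is written in PowerShell, which is assumed to be installed on the host, and the template path and working directory are assumptions you should adjust. Note the caveat in the comments: secedit /configure applies the template directly to the machine's security database, whereas the GPOE's Import Policy action writes it into the LGPO so that it is re-applied at every policy refresh.

```powershell
# Added example (not from the article): apply a security template to a
# stand-alone or bastion host with secedit.exe, keeping a rollback point
# and verifying the result. Run from an administrative console on the
# target machine itself (see the note on remote editing above).
#
# Assumptions: $Template is the .inf you chose (hisecws.inf from the
# default template folder here; a role template from the Windows Server
# 2003 Security Guide is substituted the same way) and $WorkDir is an
# assumed location for backups and logs.
param(
    [string]$Template = "$env:windir\security\templates\hisecws.inf",
    [string]$WorkDir  = "$env:windir\security\LgpoHardening"
)

$ErrorActionPreference = 'Stop'
if (-not (Test-Path -LiteralPath $Template)) { throw "Template not found: $Template" }
New-Item -ItemType Directory -Path $WorkDir -Force | Out-Null

$stamp  = Get-Date -Format 'yyyyMMdd-HHmmss'
$backup = Join-Path $WorkDir "before-$stamp.inf"
$db     = Join-Path $WorkDir "hardening-$stamp.sdb"
$log    = Join-Path $WorkDir "hardening-$stamp.log"

# 1. Export the current local security policy first. hisecws.inf tightens
#    LAN Manager authentication and SMB signing requirements, so keep a
#    way back:  secedit /configure /db rollback.sdb /cfg <backup> /overwrite
& secedit.exe /export /cfg $backup /quiet
if ($LASTEXITCODE -ne 0) { throw "secedit /export failed with exit code $LASTEXITCODE" }

# 2. Apply the template. /overwrite empties the analysis database before
#    importing, so settings left 'Not Defined' in the template do not
#    inherit stale values from an earlier run. This writes straight to the
#    machine's security database; it does NOT populate the LGPO. For the
#    settings to be re-enforced at each refresh, import the template
#    through the GPOE instead (Security Settings -> Import Policy), which
#    stores it under the hidden %windir%\System32\GroupPolicy folder.
& secedit.exe /configure /db $db /cfg $Template /overwrite /log $log /quiet
if ($LASTEXITCODE -ne 0) { throw "secedit /configure failed with exit code $LASTEXITCODE; see $log" }

# 3. Refresh computer policy so any policy-driven settings are reapplied.
#    (Windows 2000 has no gpupdate; use: secedit /refreshpolicy machine_policy /enforce)
& gpupdate.exe /target:computer /force | Out-Null

# 4. Verify: compare the live configuration with the template now stored
#    in the database. Differences appear in the log as 'Mismatch' lines.
& secedit.exe /analyze /db $db /log $log /quiet
$mismatches = @(Select-String -Path $log -Pattern 'Mismatch' -SimpleMatch)

if ($mismatches.Count -eq 0) {
    "Template $Template applied; no mismatches reported. Rollback copy: $backup"
} else {
    "WARNING: $($mismatches.Count) setting(s) still differ from the template; see $log"
    $mismatches | ForEach-Object { $_.Line }
}
```

Keep the exported backup off the host as well as on it; if the template locks out the account you are using for management, the backup and the log are the first things you will want.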

Final Observation

As a final observation, note that Microsoft says in its documentation that every Windows 2000 or later computer has exactly one LGPO and that this LGPO is stored in a hidden folder named %windir%\System32\GroupPolicy. This is not quite true, however, as I discovered recently when I worked as tech reviewer for Microsoft Press on the upcoming Microsoft Windows Group Policy Guide. It turns out that this %windir%\System32\GroupPolicy folder doesn't actually exist on a computer until you first open the GPOE to edit Local Group Policy on that machine. Thus initially there is no LGPO at all on a Windows machine until you decide to configure local policy on the machine using the GPOE.
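That makes the presence of the folder a quick check of whether anyone has ever configured local policy on a box, which is handy both when auditing a bastion host and when confirming that your own hardening actually landed in the LGPO rather than only in the live security database. The script below is an added example, not from the article; it assumes PowerShell is available on the machine and relies on the folder being hidden (hence -Force) and on gpt.ini carrying a Version counter that the editor increments on each save.

```powershell
# Added example (not from the article): report whether this machine has an
# LGPO at all, and if so what it contains. Run locally; the folder is hidden,
# so -Force is required when listing it.
function Get-LocalGpoState {
    $lgpo = Join-Path $env:windir 'System32\GroupPolicy'

    if (-not (Test-Path -LiteralPath $lgpo)) {
        return [pscustomobject]@{
            LgpoFolder = $lgpo
            Exists     = $false
            Note       = 'Local Group Policy has never been edited on this machine'
        }
    }

    # gpt.ini holds a single Version number; the low 16 bits count computer
    # (Machine) edits and the high 16 bits count user edits.
    $gptIni = Join-Path $lgpo 'gpt.ini'
    $machineVer = $userVer = 'n/a'
    if (Test-Path -LiteralPath $gptIni) {
        $m = Select-String -Path $gptIni -Pattern '^Version=(\d+)' | Select-Object -First 1
        if ($m) {
            $v = [int]$m.Matches[0].Groups[1].Value
            $machineVer = $v -band 0xFFFF
            $userVer    = $v -shr 16
        }
    }

    # Artifacts each kind of setting leaves behind:
    #   GptTmpl.inf  - a security template imported under Security Settings
    #   Registry.pol - Administrative Template settings (per Machine / User)
    $secTemplate = Join-Path $lgpo 'Machine\Microsoft\Windows NT\SecEdit\GptTmpl.inf'
    $regMachine  = Join-Path $lgpo 'Machine\Registry.pol'
    $regUser     = Join-Path $lgpo 'User\Registry.pol'

    [pscustomobject]@{
        LgpoFolder        = $lgpo
        Exists            = $true
        MachineVersion    = $machineVer
        UserVersion       = $userVer
        HasSecurityPolicy = Test-Path -LiteralPath $secTemplate
        HasMachineRegPol  = Test-Path -LiteralPath $regMachine
        HasUserRegPol     = Test-Path -LiteralPath $regUser
        LastWrite         = (Get-Item -LiteralPath $lgpo -Force).LastWriteTime
    }
}

Get-LocalGpoState | Format-List
```

A folder that exists with both version counters at zero and no GptTmpl.inf means someone opened the editor but saved nothing; a security template applied only with secedit /configure shows up as HasSecurityPolicy = False, which is the tell that the hardening is not being re-enforced by policy.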

Mitch Tulloch is the author of Windows 2000 Administration in a Nutshell, Windows Server 2003 in a Nutshell, and Windows Server Hacks.



Copyright © 2009 O'Reilly Media, Inc.