Using Group Policy to Comply with CSU’s IT Security Policy
There are several Group Policy Object settings that can be applied to domain-joined computers on your network which can assist you in complying with the University’s IT Security Policy. The following settings are ACNS recommendations for managing browser privacy using Group Policy.
Note: ACNS recommends creating a separate and distinct GPO for these settings.
Computer Configuration Settings
Empty Temporary Internet Files on Internet Explorer exit – Set to ENABLED
Computer Config\Admin Templates\Windows Components\Internet Explorer\Internet Control Panel\Advanced Page\Empty Temporary Internet Files folder when browser is closed
Minimize the length of time browser history is retained – Set to ENABLED
Computer Config\Admin Templates\Windows Components\Internet Explorer\Disable “Configuring History” – Set to 1 Day (Note that this setting is available in User Config as well)
User Configuration Settings
Disable caching of form field data (AutoComplete) – Set to ENABLED
User Config\Admin Templates\Windows Components\Internet Explorer\Disable AutoComplete for forms
Disable caching of passwords – Set to DISABLED
User Config\Admin Templates\Windows Components\Internet Explorer\Turn on the auto-complete feature for user names and passwords – DISABLED (prevents the user from changing the setting and stops caching of user names and passwords)
Minimize the amount of disk space available for Temporary Internet Files
Instructions to configure this are located here: http://www.chrisse.se/MAQB.asp?ID=18
Minimize the length of time browser history is retained – Set to ENABLED
User Config\Admin Templates\Windows Components\Internet Explorer\Disable “Configuring History” – Set to 1 Day (Note that this setting is available in Computer Config as well)
Delete Cookies at logon via User Configuration-based logon script
User Config\Windows Settings\Scripts (Logon/Logoff)\Logon
Windows XP script line:
del c:\Docume~1\%username%\Cookies\*.* /q
Windows Vista script line:
del C:\Users\%username%\AppData\Roaming\Microsoft\Windows\Cookies\Low /q
Questions
- What if the above GPO settings only apply to User objects and an IT Admin doesn't want to set GPOs on User objects?
Loopback Policy Processing will allow you to apply User Configuration-based settings to any user that logs onto a computer, eliminating the need to create two separate GPOs for Computer and User Configuration settings. However, note that Loopback Policy Processing will affect ALL GPOs linked to a specific OU, which can affect how cumulative Group Policy is processed and applied to individual workstations.
To enable Loopback Policy Processing, use the following setting:
Computer Config\Admin Templates\System\Group Policy\User Group Policy loopback processing mode – ENABLED, set to Replace
- What should I do if Loopback Policy Processing is not an option in my environment?
There may be situations in a complex Group Policy configuration where Loopback Policy Processing has an adverse effect on correct GPO application. In such cases, the best practice is to create one GPO containing all Computer Configuration settings for browser privacy/security, and link it directly to the OU containing the computer accounts of those users who should receive this policy. Then create a second GPO containing only User Configuration settings, and link it directly to each OU that contains users who log on to the computers in the first OU mentioned above.
More information about Loopback Policy Processing can be found here: http://support.microsoft.com/kb/231287
- How reliable are scripts that manually remove the contents of cache folders for Firefox/Safari?
Several IT departments on campus have successfully deployed startup and logon scripts that delete cookies and browser history files from both Firefox and Safari. These scripts work especially well in lab environments where computers can be rebooted once nightly to force the script to execute consistently. When GPO scripts are configured to run invisibly (Computer Config\Admin Templates\System\Scripts\Run startup scripts visible – DISABLED), users will likely never even know this maintenance is happening.
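As an added example (not part of the ACNS page or any campus deployment), the following PowerShell logon script does what the XP and Vista cookie-deletion script lines above do, but resolves the Internet Explorer cookie folder through the Windows shell-folder API instead of hard-coding a per-OS path, and also clears Firefox cookies as discussed in this answer. The log file location and the Firefox profile layout (cookies.sqlite under each profile directory) are assumptions.

```powershell
# Added example: clear browser cookies for the user who is logging on.
# Compatible with PowerShell 2.0 (no -File/-Directory switches on Get-ChildItem).

# Assumed location for a short audit trail of what the script removed.
$LogFile = Join-Path $env:TEMP 'cookie-cleanup.log'

function Write-Log([string]$Message) {
    "$(Get-Date -Format s) $Message" | Out-File -FilePath $LogFile -Append
}

# Ask Windows for the IE cookie store rather than guessing the path
# (C:\Docume~1\<user>\Cookies on XP, ...\Roaming\Microsoft\Windows\Cookies on Vista/7).
$ieCookies = [Environment]::GetFolderPath('Cookies')

# IE Protected Mode keeps low-integrity cookies in a 'Low' subfolder
# (the folder the Vista script line above targets); include it when present.
$targets = @($ieCookies, (Join-Path $ieCookies 'Low')) | Where-Object { Test-Path $_ }

# Firefox stores cookies in cookies.sqlite inside each profile directory (assumed layout).
$ffProfiles = Join-Path $env:APPDATA 'Mozilla\Firefox\Profiles'
if (Test-Path $ffProfiles) {
    $targets += Get-ChildItem $ffProfiles | Where-Object { $_.PSIsContainer } |
        ForEach-Object { Join-Path $_.FullName 'cookies.sqlite' } |
        Where-Object { Test-Path $_ }
}

$removed = 0
foreach ($target in $targets) {
    # index.dat on XP is held open by the shell; errors are suppressed so one
    # locked file does not abort the rest of the cleanup.
    Get-ChildItem -LiteralPath $target -Force -Recurse -ErrorAction SilentlyContinue |
        Where-Object { -not $_.PSIsContainer } |
        ForEach-Object {
            Remove-Item -LiteralPath $_.FullName -Force -ErrorAction SilentlyContinue
            if (-not (Test-Path -LiteralPath $_.FullName)) { $removed++ }
        }
}
Write-Log "Cleared $removed cookie file(s) from: $($targets -join '; ')"
```

Deploy it through the User Config\Windows Settings\Scripts (Logon/Logoff)\Logon entry listed above, launching it as powershell.exe -ExecutionPolicy Bypass -File <script path> so the domain execution policy does not block it; the log file lets you confirm the script actually ran on a given workstation.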