?

The Policy Concept

Windows policy, better known as Group Policy, is a feature of all Microsoft Windows operating systems (…Windows 7, Windows 8.1, Windows 10…) that controls the working environment and behaviour of a system. For example, a policy setting that allows or disallows remote access to computers. Setting up policies, especially those related to security and privacy, is important to manage computers in a safe and secure environment, at both work and home.  

System security policies related to

×          Account, authentication & user right

×          Usage behaviour & personalisation

×          System & network configuration

Privacy policies related to

×          Personal data collecting and transmitting to Microsoft

×          Personal data accessing by apps and different account users

 

Behaving like social media services, Microsoft is controversially being criticised for disregarding users’ privacy rights. It is known that Windows systems collect users’ data with little or without their consents and this is even worse with the Windows 10 operating system. Apart from user privacy, some Group Policy default settings in Windows 10 also open up security weaknesses. These privacy and security defaults require us to carefully review and protect our campus Windows 10 environment by modifying them in the Windows 10 policy settings.

To make a change on a policy setting in Windows 10, we can employ either one of the following methods:

         i.            Configure and apply the Group Policy directly on each local computer

       ii.            Configure the Group Policy in the domain server and remotely apply the Group Policy on domain user computers

 

If a change on a policy setting is done locally, i.e. method i) mentioned above, the owner/administrator of the computer can use the local group policy editor. The diagram below shows a typical layout of the editor. However, it is advised that general users who are unfamiliar with the effect of the change should not modify the policy settings themselves since improper change of the settings may lead to chained and unpredictable effects.

 

For organisations like us, changing the policy settings is managed centrally through the domain controller (DC) that manages all LAN computers, i.e. method ii) mentioned above. The domain administrator will work out carefully the desired Windows policy settings which are best for the campus work environment, then apply them on the DC for deploying to all user computers by groups, i.e. by department.  Policies applied via the DC cannot be modified by users of the LAN computers, therefore, most organizations will only determine policies that affect critical security and user privacy via the DC, leaving users the flexibilities to turn on/off policies that are mostly personal preferences/habits by employing method i) as mentioned above.

 

How are Windows 10 policies managed on Staff LAN computers?

 

There are as many as 15,000 policies in Windows 10, and around 100 of them are tightened in the Staff LAN environment. When a department/user request for a Windows 10 installation, a “golden image” with the recommended policies (which the user can change) will be used to clone to a user computer, one by one. The computer will then join the CityU Domain and the DC will apply the security and privacy policies (which the user cannot change).

 

How to make changes to Windows policies?

 

In some cases, a tightened policy that attains a higher level of security protection may prevent users from performing certain tasks that are necessary for their works, for example “Turning off the Store application” policy will deny users from accessing the Store application which users may require. Therefore, modifying policies to fit users’ genuine needs maybe unavoidable.

 

To change policies that are controlled locally, users can use the local policy editor, i.e. method i) mentioned above; however, novice users may not have the necessary technical know-how and are advised to request support from the Computing Services Centre (CSC) by raising a CSC Work Request for on-site assistance.

 

Request to change security and privacy policies that are managed by the DC will not be entertained without strong justifications. In this regard, users are required to raise CSC Work Requests providing details of their justifications.  

 

Last but not least, users are reminded that relaxing the protection level of policies may put computers at higher risk of security breach and unauthorized access to personal data. Therefore, this should be avoided unless thorough consideration has been given and the situation permits, i.e. to only relax policy setting for a short period of time and that the concerned PC will be used/monitored by a technical personnel.