Every admin knows group policies inside out. Group policy objects (GPOs) are still the most effective means of centrally managing and, above all, protecting clients. They play a crucial role, especially when it comes to protection against ransomware.

Generally speaking, Windows Server 2022 reveals no technical innovations in the area of group policies for local installations. The GPO infrastructure and the available feature set are static, with no more development in this area. However, some innovation and change is emerging in the cloud, but only if you sign up for the right plan. Still, there's nothing out of the box in a plain vanilla Azure Active Directory (AD) that controls the client as extensively as group policies can locally. With this in mind, I look at new or changed approaches that have emerged over 20 years of group policy design and structure, with an emphasis on rules that should always be implemented, even if nothing has changed technically and the best practices have been valid for years.

GPOs in the Light of Ransomware

Where admins struggled with desktop configurations in the early days of AD, today the greatest effort is put into defending the environment against ransomware and the sword of Damocles called the General Data Protection Regulation (GDPR) in the event of a possible data loss. Surprisingly, very few ADs are up to these requirements in terms of delegation and group policies.

The companies affected by ransomware attacks often have many things in common, but the main similarity is an IT structure built 20 years ago. Admins have neglected to change fundamentals and keep structures current, instead focusing on issues other than AD as a core login resource. User login works fine, why should there be a problem? This way of thinking is now getting in the way. After ransomware has made it into an organization, it spreads with PsExec and a batch file distributed by the admin share.

This Windows NT4 technology is still commonplace today and many administrators use it in their daily work. The doors are open internally, there is no firewall strategy between the clients, no software allowlist, and no delimitation of the administrative accounts in terms of their spheres of action. The passwords in use may be "secret" literally but not by nature. Instead, you see password recycling, identical passwords for various accounts, and a domain administrator password that is often 15 years old. The last time I tried to change the password, so many services failed that it was easier to keep the old one than to find all the places it was stored. At any rate, this and similar excuses are often sought when things come to light during an audit or health check – or simply when talking to a service provider. In the worst case, ransomware will exploit these flaws.

One Setting Does Not a Policy Make

Admins have spent a long time and much brain power worrying about configuration and customizing group policies. Today, the focus is more on security requirements, as well as reducing telemetry data. However, you do not have to reinvent the wheel, because the technology is available and guidelines exist.

The challenge facing an administrator today when it comes to group policy is answering the question, "What do I need to configure?" The answer, as always, depends on your own capabilities: As a policy, some configurations are just a single switch and extremely trivial from a policy perspective. Not much more happens than toggling a registry value, but the function behind it often requires the right hardware, as in the case of virtualization-based code integrity protection; or the case of a certificate infrastructure and processes that are required to implement code signing; or whether you are confronted with organizational issues when you have to handle three, four, or even more accounts for administrative tasks (depending on the security group or level).

In the search for "what" predefined templates can help, vendors already offer ready-made policy sets and make them available for download. Others charge money, or they provide a fully documented PDF that you have to convert into a GPO yourself.

GPO Innovations in Windows Server 2022

Before I talk about the general methods and rules independent of Windows Server 2022, I'll offer some resources that look at what's new:

• The Windows Server 2022 ADMX and GPO settings in an Excel sheet [1]
• Administrative templates (ADMX) for Windows Server 2022 [2]
• Group policy settings for Windows Server 2022 [3]

Windows Server 2022 comes with 47 new policy settings, for a total of 4,442 policies. More key data include:

• 39 new policies for the computer object and eight for the user
• 13 policies in the privacy and telemetry section
• Six policies for Windows Defender
• Another six GPOs that control the Windows sandbox

Looking at the numbers and distribution alone, you can see that no major changes are required when it comes to controlling the operating system. Microsoft has added functionality to some components, but it's not as big a leap as going from Windows Server 2003 to 2008 R2 or 2008 R2 to 2016. Few companies used the intermediate versions (e.g., Server 2019). Most moved from Server 2003 to 2008 R2 to 2016, which means Server 2022 is now the next step in AD for many IT organizations.