Using Group Policy Object (GPO) To Restrict Access

  • Type: Article
  • Author: Laura Boniello Miller
  • Date: September 2016
Will Group Policy Object (GPO) lock down my system, restrict access, and provide sufficient security to my network, device, and user? The short and long answer: It depends on your user, your usage, and your security needs. Group Policy can provide users access to the desktop and allow them to work with Windows applications. GPO can also restrict access to external devices or allow for various configurations/allowances based on the user “group”. Still, there are many things that Group Policy does not protect against and/or restrict. If your device is to be used for public access or to access restricted information, kiosk software will provide a much stronger blanket of security.
 
GPOs and kiosks can both be used to manage data security. The difference is in setup and maintenance. Kiosk software allows for simple configuration setup, mitigating the unknowns and reducing vulnerability due to user error. GPOs work best on a closed network where no unknown devices connect to network resources and every potential user has an individual login.
 
Here are just a few things to consider when deciding if GPO provides the level of security you need.
 
1. GPO does not launch an attract screen. If a Windows Screen Saver is sufficient, GPO will suffice; otherwise, you’ll want to consider kiosk software like KioWare that utilizes an attract screen to provide users with a clear message and/or path.
 
2. GPO does not filter unwanted keyboard keys (Ctrl+Alt+Del in particular). If your device will be public facing and needs to be protected from malicious users and/or from users interested in impacting the intended usage of the device, you will want to restrict access – disallowing functions and keys that can disrupt device reliability & functionality.
 
3. Time-limited sessions can be a valuable asset in making sure that activity resets when a kiosk or device has been left mid-session. This feature is not available via GPO but can be configured with KioWare. Session resets need not only to reset the application for the next user, but also to clear all session data of the user who just left (cookies, cache, print queue).
 
4. Disabling left and/or right mouse clicks can be of use with regard to select applications (right clicks for Adobe Reader or Flash, for example). GPO does not easily allow this restriction, though KioWare does.
 
5. Mailto: links are another place where users can sometimes gain access to information or functions to which they should not have access. Group Policy is not able to accommodate this restriction.
 
6. Administrators may inadvertently alter the GPO settings, allowing users access to information or programs that they are not authorized to view. If you have multiple tech support or administrative users for Windows machines throughout the organization, this issue becomes more likely and this potential security gap more significant. 

7. Group Policy does not recognize the health or state of the kiosk application. If the kiosk application crashes, becomes unresponsive, or closes, GPOs do not automatically reset the application or bring the kiosk back to a usable state.

8. User session management, a critical feature of kiosk software, is not addressed at all using GPOs. Group Policy does not recognize that a user session has started or ended; it does not clear the cache or private data; and it does not reset to a preset start page once a particular (exit) page is reached. Kiosk system software does this, and more, to manage user sessions.

In addition to these basic self-service and/or lockdown requirements, GPO does not provide managers with remote monitoring or centrally controlled statistics like those presented by KioWare Server. KioWare’s remote monitoring solution provides managers, marketers, and tech teams with the information needed to improve the user experience, manage their devices, and deploy devices to the appropriate locations.
 
GPO relies heavily on both your level of knowledge and your ability to know exactly which areas to lock down to restrict users from inadvertent or deliberate unauthorized access. Kiosk software can eliminate the variables, taking away the chance that you will “miss” an important step to restrict access.
 
Additionally, kiosk software will lock down and restrict access to the OS, keyboard, external devices and/or unauthorized websites. The configuration file is also extremely easy to update and deploy across multiple devices. Unattended installation can assist with large-scale deployments, and XML file usage will allow configuration updates on all devices when the single XML file is updated.
 
All in all, GPO can be used to provide users across an organization with a level of restriction while still allowing wide access to the device applications. Kiosk software should be considered when lockdown is the paramount concern and browser-based applications are the primary function for the devices. Since both kiosk software and GPOs can be centrally managed, you'll want to consider cost, ease of use, and security needs in order to determine which option is better suited for your needs.
 
Some examples:
  • Single user access (GPO) vs. Multi user or Public Access (KioWare)
  • Public data (GPO) vs. Private Data, Healthcare Data, Financial Data (KioWare)
  • Limited Restrictions (GPO) vs. Secure Lockdown, Restricted Usage (KioWare)
 