Rick Vanover shares a Group Policy tip on how to stop users on Windows Server 2008 machines from disabling network connections.
Every IT pro has right-clicked a network interface and disabled it by accident at some point in their career. This "wild mouse gesture" as I call it can kick servers and clients off the network. Windows Server 2008 makes this situation a little safer by not allowing the network interface on the system tray to be disabled by this type of action. The best way to protect against accidentally disabling network connections is to implement a Group Policy Object (GPO).The ability to disable a network connection is a user property that can be managed through Group Policy. If a GPO needs to be created, this is set in the User Configuration | Policies | Administrative Templates | Network | Network Connections section of Group Policy (Figure A). Figure A
Click the image to enlarge.
This setting applies to user accounts, so it will be implemented slightly differently than computer accounts. In most situations, the user account (especially an administrator on a server) will have the permissions to disable an interface. If the GPO is configured and applied to the user account, the GPO will supersede the user permissions.
This solution applies to client systems and the server system. Further, the permissions model for administrators on a Windows Server would usually allow a network interface to be disabled, even if it was unintentional.
In terms of the server administrator, there may be a situation where the network interfaces may need to intentionally be disabled. I prefer to have it disabled as a safeguard and then turn on the ability to disable interfaces on demand. This can be as simple as adding or removing user accounts to a security group that has this specific GPO configuration applied to it.
Do you feel this safeguard is necessary? Share your thoughts in the discussion.