Week 6 - Implement Group Policy
• Delegate the Support of Computers
• Manage Security Settings
• Manage Software with GPSI
• Auditing
• Troubleshooting
Delegation of Control
Delegation of administration means:
• Changing properties on a particular container
• Creating and deleting objects of a specific type under an organizational unit
• Updating specific properties on objects of a specific type under an organizational unit
[Figure: a domain containing OU1, OU2 and OU3, with administrators Admin1, Admin2 and Admin3]
Using the Delegation of Control Wizard
Tasks for delegating control to users or groups:
• Start the Delegation of Control Wizard
• Select the users or groups to which to delegate control
• Assign the tasks to delegate
• Select the Active Directory object type
• Assign permissions to the users or groups
Delegation of Control Wizard
[Figure: the Delegation of Control Wizard]
Guidelines for Delegating Administrative Control
• Track the delegation of permission assignments
• Use the Delegation of Control Wizard
• Assign control at the OU level
• Follow organizational guidelines for delegating control
View the ACL of an Active Directory Object
• Ensure Advanced Features are enabled in the View menu
• Properties > Security > Advanced > Edit
Demo
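The guideline above says to track delegated permission assignments; the ACL view in the Advanced Security dialog shows one object at a time. As an added example (not part of the slides), this PowerShell script reports every explicit, non-inherited ACE on every OU and saves a dated baseline so delegations can be diffed over time. It assumes the RSAT ActiveDirectory module; the search base, the list of default trustees to ignore and the output folder are placeholders.

```powershell
# Added example, not from the slides: list explicit (non-inherited) ACEs on every OU so that
# delegated permissions can be tracked and diffed over time. Requires the RSAT ActiveDirectory
# module. The search base and output folder are placeholders.
Import-Module ActiveDirectory

# Principals that hold explicit rights on OUs by default; anything else is treated as a delegation.
$defaultTrustees = @(
    'NT AUTHORITY\SYSTEM', 'NT AUTHORITY\SELF', 'NT AUTHORITY\Authenticated Users',
    'NT AUTHORITY\ENTERPRISE DOMAIN CONTROLLERS', 'BUILTIN\Administrators',
    'BUILTIN\Account Operators', 'BUILTIN\Print Operators',
    'BUILTIN\Pre-Windows 2000 Compatible Access', 'Everyone', 'CREATOR OWNER'
)

function Get-OUDelegation {
    param([string]$SearchBase)   # placeholder, e.g. 'DC=contoso,DC=com'
    Get-ADOrganizationalUnit -Filter * -SearchBase $SearchBase | ForEach-Object {
        $ou  = $_
        $acl = Get-Acl -Path ("AD:\" + $ou.DistinguishedName)
        foreach ($ace in $acl.Access) {
            $who = $ace.IdentityReference.Value
            if ($ace.IsInherited -or $defaultTrustees -contains $who) { continue }
            if ($who -like '*\Domain Admins' -or $who -like '*\Enterprise Admins') { continue }
            [pscustomobject]@{
                OU          = $ou.DistinguishedName
                Trustee     = $who
                Type        = $ace.AccessControlType      # Allow or Deny
                Rights      = $ace.ActiveDirectoryRights   # e.g. CreateChild, WriteProperty
                ObjectType  = $ace.ObjectType              # GUID of the class or attribute; all zeros = any
                Inheritance = $ace.InheritanceType
            }
        }
    }
}

$report = Get-OUDelegation -SearchBase 'DC=contoso,DC=com'
$report | Format-Table -AutoSize

# Keep a dated baseline; Compare-Object against the previous file shows new or removed delegations.
$out = "C:\Audit\ou-delegation-$(Get-Date -Format yyyyMMdd).csv"
$report | Export-Csv -Path $out -NoTypeInformation
```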
Understand Restricted Groups Policies
• Restricted Groups policies enable you to manage the membership of groups.
• Members
  • Policy is for a local group
  • Specify its members (groups and users)
  • Authoritative
• Member Of
  • Policy is for a domain group
  • Specify its membership in a local group
  • Cumulative
Demo
Define Group Membership with Group Policy Preferences
• Create, delete, or replace a local group
• Rename a local group
• Change the description
• Modify group membership
• Local Group preferences are available in both Computer Configuration and User Configuration
What Is Security Policy Management?
• Enterprise IT security policy: security configuration settings
• Manage security configuration
  • Create the security policy
  • Apply the security policy to one or more systems
  • Analyze security settings against the policy
  • Update the policy, or correct the discrepancies on the system
• Tools
  • Local Group Policy and Domain Group Policy
  • Security Templates snap-in
  • Security Configuration and Analysis snap-in
  • Security Configuration Wizard
Configure the Local Security Policy
[Figure: Local Security Policy compared with Domain Group Policy]
Manage Security Configuration with Security Templates
• Settings are a subset of domain GPO settings, but different from local GPO settings
• Security templates
  • Plain text files
  • Can be applied directly to a computer
    • Security Configuration & Analysis
    • Secedit.exe
  • Can be deployed with Group Policy
  • Can be used to analyze a computer's current security settings against the security template's
Demo
Use Security Configuration and Analysis
• Build-your-own MMC
• Create a database
  • Import template(s)
• Use the database
  • Analyze computer
  • Correct discrepancies
  • Configure computer
  • Export as template
• Secedit.exe
  • Import Template
  • Export Template
  • Import Policy
  • Configure
  • Analyze Computer
  • Group Policy
  • Modify Database
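The two slides above describe the same cycle (analyze a computer against a template, correct discrepancies, configure, export) through the snap-in and through Secedit.exe. As an added example that is not from the slides, this PowerShell script drives Secedit.exe through the "Analyze computer" step and extracts the mismatched settings from its log; the template path is a placeholder and the script must run from an elevated prompt.

```powershell
# Added example, not from the slides: analyze a computer against a security template with
# Secedit.exe and list the settings that differ. The template path is a placeholder
# (a template exported from the Security Templates snap-in); run from an elevated prompt.
$template = 'C:\Templates\Baseline.inf'
$db       = "$env:TEMP\baseline.sdb"
$log      = "$env:TEMP\baseline-analyze.log"

function Invoke-TemplateAnalysis {
    param([string]$Template, [string]$Db, [string]$Log)
    Remove-Item $Db, $Log -ErrorAction SilentlyContinue
    # /overwrite starts from an empty database instead of merging into an existing one.
    # Do not add /quiet here: it suppresses the log this function parses.
    secedit /analyze /db $Db /cfg $Template /overwrite /log $Log | Out-Null
    if ($LASTEXITCODE -ne 0) { throw "secedit /analyze failed with exit code $LASTEXITCODE; see $Log" }
    # The log records one line per setting; differences appear as "Mismatch - <setting>."
    Get-Content -Path $Log | ForEach-Object {
        if ($_ -match '^\s*Mismatch - (.+?)\.?\s*$') { $Matches[1] }
    }
}

$mismatches = @(Invoke-TemplateAnalysis -Template $template -Db $db -Log $log)
if ($mismatches.Count -gt 0) {
    Write-Host "Settings that differ from $template :"
    $mismatches | ForEach-Object { Write-Host "  $_" }
} else {
    Write-Host "Computer matches $template"
}

# After the differences have been reviewed, the same database and template can be applied
# ("Configure computer"), and the current settings captured as a new template ("Export as template"):
#   secedit /configure /db $db /cfg $template /overwrite /log "$env:TEMP\baseline-configure.log"
#   secedit /export /cfg "$env:TEMP\current.inf"
```

The detailed per-setting results also remain in the .sdb file and can be opened in the Security Configuration and Analysis snap-in.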
The Security Configuration Wizard
• Security policy: an .xml file that configures
  • Role-based service configuration
  • Network security, including firewall rules
  • Registry values
  • Audit policy
  • Can incorporate a security template (.inf)
• Create the policy
• Edit the policy
• Apply the policy
• Roll back the policy
• Transform the policy into a Group Policy object:
  scwcmd transform /p:"MySecurity.xml" /g:"My New GPO"
Demo
Understand Group Policy Software Installation (GPSI)
• Client-side extension (CSE)
• Installs supported packages
  • Windows Installer packages (.msi)
    • Optionally modified by a transform (.mst) or patches (.msp)
    • GPSI automatically installs with elevated privileges
  • Downlevel application package (.zap)
    • Supported by the "publish" option only
    • Requires that the user has admin privileges
  • SCCM and other deployment tools can support a wider variety of installation and configuration packages
• No "feedback"
  • No centralized indication of success or failure
  • No built-in metering, auditing, or license management
Assigning Software
• Assigning in User Configuration: the application is installed the next time the user activates the application
• Assigning in Computer Configuration: the application is installed the next time the computer starts up
[Figure: software distribution point serving the assigned package]
Publishing Software
??Document ActivationDocument ActivationDocument ActivationDocument Activation
The application is installed when the user double-clicks an unknown file typeThe application is installed when the user double-clicks an unknown file type
Add/Remove ProgramsAdd/Remove ProgramsAdd/Remove ProgramsAdd/Remove ProgramsThe application is installed when the user selects it from Add/Remove Programs in Control Panel
The application is installed when the user selects it from Add/Remove Programs in Control Panel
Software Distribution Point
Software Distribution Point
17
Software Deployment
Tasks:
• Create or modify a GPO
• Acquire a Windows Installer package (.msi) file
• Place the package on a software distribution point
• Configure the GPO
Create and Scope a Software Deployment GPO
• Computer [or User] Configuration \ Policies \ Software Settings \ Software Installation
  • Right-click > New > Package
  • Browse to the .msi file through a network path (\\server\share)
  • Choose the deployment option (recommended: Advanced)
• Managing the scope of a software deployment GPO
  • Typically easiest to manage with security group filtering
  • Create an app group, for example APP_XML Notepad
  • Put users into the group
  • Put computers into the group if assigning to computers
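The scoping steps above (app group, GPO, security group filtering) can be scripted. As an added example that is not from the slides, this PowerShell script creates the app group, creates and links the GPO, and restricts Apply to the group; it assumes the RSAT GroupPolicy and ActiveDirectory modules, and the OU, member accounts and GPO name are placeholders. The package itself is still added under Software Installation in the Group Policy editor.

```powershell
# Added example, not from the slides: create and link the software deployment GPO, then scope it
# with security group filtering. Requires the RSAT GroupPolicy and ActiveDirectory modules.
# The OU, the member accounts and the GPO name are placeholders.
Import-Module GroupPolicy
Import-Module ActiveDirectory

$gpoName  = 'GPSI - XML Notepad'                   # placeholder
$appGroup = 'APP_XML Notepad'                      # app group named after the package, as the slide suggests
$targetOU = 'OU=Workstations,DC=contoso,DC=com'    # placeholder

# 1. The app group: users go in; computers go in too when the package is assigned per computer.
if (-not (Get-ADGroup -Filter "Name -eq '$appGroup'")) {
    New-ADGroup -Name $appGroup -GroupScope Global -GroupCategory Security -Path $targetOU
}
Add-ADGroupMember -Identity $appGroup -Members 'alice', 'WS01$'   # placeholder user and computer

# 2. The GPO, linked to the OU that holds the users and computers. The package itself is still
#    added under Software Settings > Software Installation in the Group Policy editor.
if (-not (Get-GPO -Name $gpoName -ErrorAction SilentlyContinue)) {
    New-GPO -Name $gpoName -Comment 'Deploys XML Notepad (.msi) via GPSI' | Out-Null
}
New-GPLink -Name $gpoName -Target $targetOU -LinkEnabled Yes -ErrorAction SilentlyContinue | Out-Null

# 3. Security filtering: only the app group applies the GPO. Authenticated Users keep Read
#    (not Apply), because since the MS16-072 update Group Policy is read in the computer's context.
Set-GPPermission -Name $gpoName -TargetName 'Authenticated Users' -TargetType Group `
                 -PermissionLevel GpoRead -Replace | Out-Null
Set-GPPermission -Name $gpoName -TargetName $appGroup -TargetType Group `
                 -PermissionLevel GpoApply | Out-Null

# 4. Verify the resulting scope.
Get-GPPermission -Name $gpoName -All |
    Select-Object @{ n = 'Trustee'; e = { $_.Trustee.Name } }, Permission, Inherited
```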
Maintain Software Deployed with GPSI
• Redeploy application
  • After a successful install, the client will not attempt to reinstall the app
  • You might make a change to the package
  • Package > All Tasks > Redeploy Application
• Upgrade application
  • Create a new package in the same or a different GPO
  • Advanced > Upgrades > select the package to upgrade
  • Uninstall the old version first, or install over the old version
• Remove application
  • Package > All Tasks > Remove
  • Uninstall immediately (forced removal) or prevent new installations (optional removal)
  • Don't delete or unlink the GPO until all clients have applied the setting
An Overview of Audit Policies
• Audit events in a category of activities
  • Access to NTFS files/folders
  • Account or object changes in Active Directory
  • Logon
  • Assignment or use of user rights
• By default, DCs audit success events for most categories
• Goal: align audit policies with corporate security policies and reality
  • Over-auditing: logs are too big to find the events that matter
  • Under-auditing: important events are not logged
  • Tools that help you consolidate and crunch logs can be helpful
Account Logon and Logon Events
• Account logon events: registered by the system that authenticates the account
  • Domain controllers
  • Local computer
• Logon events: registered by the machine at which (or to which) a user logged on
  • Interactive logon: the user's system
  • Network logon: the server (for example, accessing a network share)
[Figure: where the account logon event and the logon events are recorded for one user logon]
Scoping Audit Policies
[Figure: Domain Controllers covered by the Default Domain Controllers Policy (account logon events); Remote Desktop Servers and HR Clients covered by a custom GPO (logon events)]
Recommended Audit Events
Setting Up Auditing -- Two Steps
• Step 1 - Set the audit policy: enables auditing of objects but does not activate auditing of specific types
• Step 2 - Enable auditing of specific resources: the specific events to track for files, folders, printers, and Active Directory objects must be identified
Step 1 - Setting Up an Audit Policy
• Categories of events
• Configuration settings: track successful or failed attempts
• Audit policies are set in the Group Policy snap-in.
50 New Sub-Categories in Windows Server 2008
• E.g. Object Access has 11 sub-categories:
  • File System
  • Registry
  • Kernel Object
  • SAM
  • Certification Services
  • Application Generated
  • Handle Manipulation
  • File Share
  • Filtering Platform Packet Drop
  • Filtering Platform Connection
  • Other Object Access Events
• Enabling auditing for a category with the Group Policy Management Console enables all of its sub-categories, which produces a lot of unwanted auditing
• Use AuditPol.exe to enable individual sub-categories manually
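Because a category-level setting switches on every sub-category, the slide recommends AuditPol.exe for sub-category control. As an added example that is not from the slides, this PowerShell script compares the effective sub-categories with a desired baseline, reports drift, and corrects it with AuditPol.exe; the baseline hashtable is a constructed sample, not a recommendation from the course.

```powershell
# Added example, not from the slides: compare the effective audit sub-categories with a desired
# baseline and correct drift with auditpol.exe. The baseline below is a constructed sample.
# Note: sub-category names are localized; on non-English systems match on the GUID column instead.
$desired = @{
    'File System'           = 'Success and Failure'
    'Registry'              = 'Failure'
    'File Share'            = 'Success and Failure'
    'Logon'                 = 'Success and Failure'
    'Credential Validation' = 'Success and Failure'
}

function Get-AuditSubcategory {
    # /r emits CSV: Machine Name,Policy Target,Subcategory,Subcategory GUID,Inclusion Setting,Exclusion Setting
    auditpol /get /category:* /r | Where-Object { $_ -match ',' } | ConvertFrom-Csv
}

function Test-AuditBaseline {
    $current = Get-AuditSubcategory
    foreach ($name in $desired.Keys) {
        $row    = $current | Where-Object { $_.Subcategory -eq $name }
        $actual = if ($row) { $row.'Inclusion Setting' } else { '(not found)' }
        [pscustomobject]@{
            Subcategory = $name
            Desired     = $desired[$name]
            Actual      = $actual
            Drift       = ($actual -ne $desired[$name])
        }
    }
}

$drift = @(Test-AuditBaseline | Where-Object Drift)
$drift | Format-Table -AutoSize

# Correct each drifted sub-category. If the same sub-categories are also configured by a GPO
# (Advanced Audit Policy Configuration), the GPO value wins again at the next policy refresh.
foreach ($d in $drift) {
    $s = if ($d.Desired -match 'Success') { 'enable' } else { 'disable' }
    $f = if ($d.Desired -match 'Failure') { 'enable' } else { 'disable' }
    auditpol /set /subcategory:"$($d.Subcategory)" /success:$s /failure:$f
}
```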
Step 2 - Enable Auditing of Specific Resources
• Files and folders to be audited must be on Microsoft Windows NTFS volumes
• Auditing for specific files and folders is enabled from the Advanced Properties sheet of the object to be audited
• Specify which types of access to audit, either by users or by groups
• The same method is used for auditing printers or other Active Directory objects
Demo
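The Advanced Properties sheet edits the object's SACL one object at a time. As an added example that is not from the slides, this PowerShell script adds the same kind of audit entry to a folder for the Everyone group (as the guidelines below recommend) and lists the resulting entries; the folder path is a placeholder, and the account running it needs the Manage Auditing And Security Log user right.

```powershell
# Added example, not from the slides: enable auditing on a folder (step 2) for Everyone and show
# the resulting SACL entries. The path is a placeholder and must be on an NTFS volume. Entries only
# produce events once the Object Access > File System sub-category is enabled (step 1).
$path = 'D:\Shares\HR'   # placeholder

function Add-FolderAudit {
    param([string]$Path, [string]$Identity = 'Everyone')
    $acl = Get-Acl -Path $Path -Audit   # -Audit reads the SACL as well as the DACL
    # Success entries record who changed or deleted data; Failure entries record denied attempts.
    $rule = New-Object System.Security.AccessControl.FileSystemAuditRule(
        $Identity,
        'WriteData, AppendData, Delete, DeleteSubdirectoriesAndFiles, ChangePermissions, TakeOwnership',
        'ContainerInherit, ObjectInherit',   # apply to subfolders and files
        'None',
        'Success, Failure')
    $acl.AddAuditRule($rule)
    Set-Acl -Path $Path -AclObject $acl
}

function Get-FolderAudit {
    param([string]$Path)
    (Get-Acl -Path $Path -Audit).Audit |
        Select-Object IdentityReference, FileSystemRights, AuditFlags, InheritanceFlags, IsInherited
}

Add-FolderAudit -Path $path
Get-FolderAudit -Path $path | Format-Table -AutoSize
```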
Audit Policy Guidelines
• Determine the computers on which to set up auditing.
• Plan the events to audit on each computer.
• Audit resource access by the Everyone group instead of the Users group.
• Determine whether to audit the success of events, failure of events, or both.
  • Tracking successful events identifies which users gained access to specific files, printers, or objects, information that can be used for resource planning.
  • Tracking failed events may alert the administrator to possible security breaches.
View Logon Events
• Security log of the system that generated the event
  • The DC that authenticated the user: account logon (note: not replicated to other DCs)
  • The system to which the user logged on or connected: logon
Evaluate Events in the Security Log
• Security log
  • The security log is limited in size.
  • The amount of disk space to devote to the security log must be considered.
  • Review the log frequently.
  • The Manage Auditing And Security Log user right for the computer is necessary to configure an audit policy or review an audit log.
Group Policy Tools
Diagnostic tool   Purpose
GPUpdate          Refresh / load Group Policy.
GPLogView         Free download from Microsoft. Exports GP-related events from the system and operational logs into text, HTML, or XML files.
DCGPOFix          Restore the default GPOs to their original state.
GPResult          Display information about the user, the computer, the GP affecting them, and the domain controller that supplied the GP.
Resultant Set of Policy
• Inheritance, filters, loopback, and other policy scope and precedence factors are complex!
• RSoP
  • The "end result" of policy application
  • Tools to help evaluate, model, and troubleshoot the application of Group Policy settings
• RSoP analysis
  • The Group Policy Results Wizard
  • The Group Policy Modeling Wizard
  • GPResult.exe
Generate RSoP Reports
• Group Policy Results Wizard
  • Queries WMI to report actual Group Policy application
• Requirements
  • Administrative credentials on the target computer
  • Access to WMI (firewall)
  • User must have logged on at least once
• RSoP report
  • Can be saved
  • View in Advanced mode
    • Shows some settings that do not show in the HTML report
    • View Group Policy processing events
• GPResult.exe /s ComputerName /h filename
Perform What-If Analyses with the Group Policy Modeling Wizard
• Group Policy Modeling Wizard: emulates Group Policy application to report the anticipated RSoP
Examine Policy Event Logs
• System log
  • High-level information about Group Policy
  • Errors elsewhere in the system that could impact Group Policy
• Application log
  • Events recorded by CSEs
• Group Policy Operational log
  • Detailed trace of Group Policy application
Demo