Week 6 - Implement Group Policy: Delegate the Support of Computers; Manage Security Settings; Manage Software with GPSI; Auditing; Troubleshooting

Upload: marianna-knight

Post on 25-Dec-2015


Week 6 - Implement Group Policy

•Delegate the Support of Computers

•Manage Security Settings

•Manage Software with GPSI

•Auditing

•Troubleshooting

Delegation of Control

Delegation of administration means:

•Changing properties on a particular container

•Creating and deleting objects of a specific type under an organizational unit

•Updating specific properties on objects of a specific type under an organizational unit

[Diagram labels: Domain; OU1, OU2, OU3; Admin1, Admin2, Admin3]

Using the Delegation of Control Wizard

Tasks for Delegating Control to Users or Groups

•Start the Delegation of Control Wizard

•Select Users or Groups to Which to Delegate Control

•Assign Tasks to Delegate

•Select Active Directory Object Type

•Assign Permissions to Users or Groups

DELEGATION OF CONTROL WIZARD

Guidelines for Delegating Administrative Control

•Track the Delegation of Permission Assignments

•Use the Delegation of Control Wizard

•Assign Control at the OU Level

•Follow Organizational Guidelines for Delegating Control

View the ACL of an Active Directory Object

•Ensure Advanced Features are enabled in the View menu

•Properties → Security → Advanced → Edit

Demo
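
One way to track delegated permissions without opening the Security tab on each object, as an added example that is not part of the original slides. It assumes the RSAT ActiveDirectory module is installed; the pattern of ignored built-in principals and the output file name are assumptions to adjust for your domain.

```powershell
# Added example: report explicit (non-inherited) ACEs on every OU so that
# delegations made with the Delegation of Control Wizard can be tracked.
Import-Module ActiveDirectory   # provides the AD: drive and Get-ADOrganizationalUnit

# Principals that normally hold explicit ACEs on OUs. Assumption: tune this
# pattern for your own domain before relying on the report.
$ignore = '^(NT AUTHORITY|BUILTIN)\\|\\(Domain Admins|Enterprise Admins)$'

$report = foreach ($ou in Get-ADOrganizationalUnit -Filter *) {
    $acl = Get-Acl -Path ("AD:\" + $ou.DistinguishedName)
    foreach ($ace in $acl.Access) {
        if ($ace.IsInherited) { continue }                          # set higher up, not here
        if ($ace.IdentityReference.Value -match $ignore) { continue }
        [pscustomobject]@{
            OU          = $ou.DistinguishedName
            Trustee     = $ace.IdentityReference.Value
            Type        = $ace.AccessControlType        # Allow or Deny
            Rights      = $ace.ActiveDirectoryRights    # e.g. CreateChild, WriteProperty
            ObjectType  = $ace.ObjectType               # GUID of the property or class
            AppliesTo   = $ace.InheritedObjectType      # GUID of the child class
            Inheritance = $ace.InheritanceType
        }
    }
}

# Keep a dated record; comparing two exports shows delegations added or removed.
$report | Sort-Object OU, Trustee |
    Export-Csv -Path .\ou-delegations.csv -NoTypeInformation

# Quick summary: which trustees hold the most explicit permissions.
$report | Group-Object Trustee | Sort-Object Count -Descending |
    Select-Object Count, Name
```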

Understand Restricted Groups Policies

•Restricted Groups policies enable you to manage the membership of groups.

Members
  • Policy is for a local group
  • Specify its members (groups and users)
  • Authoritative

Member Of
  • Policy is for a domain group
  • Specify its membership in a local group
  • Cumulative

Demo

Define Group Membership with Group Policy Preferences

•Create, delete, or replace a local group

•Rename a local group

•Change the Description

•Modify group membership

•Local Group preferences are available in both Computer Configuration and User Configuration

What Is Security Policy Management?

•Enterprise IT security policy → security configuration settings

•Manage security configuration
  • Create the security policy
  • Apply the security policy to one or more systems
  • Analyze security settings against the policy
  • Update the policy, or correct the discrepancies on the system

•Tools
  • Local Group Policy and Domain Group Policy
  • Security Templates snap-in
  • Security Configuration and Analysis snap-in
  • Security Configuration Wizard

Configure the Local Security Policy

[Diagram labels: Local Security Policy; Domain Group Policy]

Manage Security Configuration with Security Templates

•Settings are a subset of domain GPO settings but different than local GPO

•Security Templates
  • Plain text files
  • Can be applied directly to a computer
    • Security Configuration & Analysis
    • Secedit.exe
  • Can be deployed with Group Policy
  • Can be used to analyze a computer's current security settings against the security template's

Demo

Use Security Configuration and Analysis

•Build-your-own MMC

•Create a database
  • Import template(s)

•Use the database
  • Analyze computer
  • Correct discrepancies
  • Configure computer
  • Export as template

•Secedit.exe

[Diagram labels: Import Template; Export Template; Import Policy; Configure; Analyze Computer; Group Policy; Modify Database]
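
The analyze, review, configure cycle above run with Secedit.exe instead of the snap-in, as an added example that is not part of the original slides. The working folder and template name are hypothetical, the prompt must be elevated, and the search for the word "Mismatch" assumes the wording secedit uses in its analysis log.

```powershell
# Added example: compare a computer against a security template, list the
# differences, and apply the template only when asked to.
param([switch]$Apply)

$work     = 'C:\SecAudit'                          # hypothetical working folder
$template = Join-Path $work 'baseline.inf'         # hypothetical security template
$db       = Join-Path $work 'baseline.sdb'
$log      = Join-Path $work 'analyze.log'
$backup   = Join-Path $work ('pre-change-{0:yyyyMMdd-HHmmss}.inf' -f (Get-Date))

if (-not (Test-Path $template)) { throw "Template not found: $template" }

# Create the database, import the template and analyze the computer.
secedit /analyze /db $db /cfg $template /overwrite /log $log /quiet
if ($LASTEXITCODE -ne 0) { Write-Warning "secedit /analyze exit code $LASTEXITCODE, see $log" }

# Review discrepancies: settings whose current value differs from the template.
$mismatches = @(Select-String -Path $log -Pattern 'Mismatch')
"{0} setting(s) differ from {1}" -f $mismatches.Count, $template
$mismatches | ForEach-Object { $_.Line.Trim() }

if ($Apply -and $mismatches.Count -gt 0) {
    # Export the current settings first so there is a template to go back to.
    secedit /export /cfg $backup /quiet
    # Configure the computer from the database built above.
    secedit /configure /db $db /cfg $template /overwrite /log (Join-Path $work 'configure.log') /quiet
    "Applied $template; previous settings exported to $backup"
}
```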

The Security Configuration Wizard

•Security policy: .xml file that configures
  • Role-based service configuration
  • Network security, including firewall rules
  • Registry values
  • Audit policy
  • Can incorporate a security template (.inf)

•Create the policy

•Edit the policy

•Apply the policy

•Roll back the policy

•Transform the policy into a Group Policy object
  scwcmd transform /p:"MySecurity.xml" /g:"My New GPO"

Demo

Understand Group Policy Software Installation (GPSI)

•Client-side extension (CSE)

•Installs supported packages
  • Windows Installer packages (.msi)
    • Optionally modified by Transform (.mst) or patches (.msp)
    • GPSI automatically installs with elevated privileges
  • Downlevel application package (.zap)
    • Supported by "publish" option only
    • Requires user has admin privileges
  • SCCM and other deployment tools can support a wider variety of installation and configuration packages

•No "feedback"
  • No centralized indication of success or failure
  • No built-in metering, auditing, license management

Assigning Software

•Assigning in User Configuration: The application is installed the next time the user activates the application

•Assigning in Computer Configuration: The application is installed the next time the computer starts up

[Diagram labels: Start; Software Distribution Point]

Publishing Software

•Document Activation: The application is installed when the user double-clicks an unknown file type

•Add/Remove Programs: The application is installed when the user selects it from Add/Remove Programs in Control Panel

[Diagram label: Software Distribution Point]

Software Deployment

Tasks

•Create or modify a GPO

•Acquire a Windows Installer package file (.msi file)

•Place the package on a software distribution point

•Configure the GPO

Create and Scope a Software Deployment GPO

•Computer [or User] Configuration \ Policies \ Software Settings \ Software Installation
  • Right-click → New → Package
  • Browse to .msi file through network path (\\server\share)
  • Choose deployment option (recommend: Advanced)

•Managing the scope of a software deployment GPO
  • Typically easiest to manage with security group filtering
  • Create an app group, for example APP_XML Notepad
  • Put users into the group
  • Put computers into the group if assigning to computers

Maintain Software Deployed with GPSI

•Redeploy application
  • After successful install, client will not attempt to reinstall app
  • You might make a change to the package
  • Package → All Tasks → Redeploy Application

•Upgrade application
  • Create new package in same or different GPO.
  • Advanced → Upgrades → Select package to upgrade
  • Uninstall old version first; or install over old version

•Remove application
  • Package → All Tasks → Remove
  • Uninstall immediately (forced removal) or prevent new installations (optional removal)
  • Don't delete or unlink GPO until all clients have applied setting

An Overview of Audit Policies

•Audit events in a category of activities
  • Access to NTFS files/folders
  • Account or object changes in Active Directory
  • Logon
  • Assignment or use of user rights

•By default, DCs audit success events for most categories

•Goal: Align audit policies with corporate security policies and reality
  • Over-auditing: logs are too big to find the events that matter
  • Under-auditing: important events are not logged
  • Tools that help you consolidate and crunch logs can be helpful

Account Logon and Logon Events

•Account logon events
  • Registered by the system that authenticates the account
    • domain controllers
    • local computer

•Logon events
  • Registered by the machine at which (or to which) a user logged on
  • Interactive logon: user's system
  • Network logon: server
    • Access a network share

[Diagram labels: Logon Event; Account Logon Event; Logon Event]

Scoping Audit Policies

[Diagram labels: Domain Controllers; Remote Desktop Servers; HR Clients; Custom GPO; Logon Events; Default Domain Controllers Policy; Account Logon Events]

Recommended Audit Events

Setting Up Auditing -- Two Steps

• Step 1 - Set the audit policy: Enables auditing of objects but does not activate auditing of specific types

• Step 2 - Enable auditing of specific resources: The specific events to track for files, folders, printers, and Active Directory objects must be identified

Step 1 - Setting Up an Audit Policy

• Categories of events

• Configuration settings: Track successful or failed attempts

• Audit policies are set in the Group Policy snap-in.

50 new Sub-Categories in 2008

• E.g. Object Access has 11 sub-categories:
  § File System
  § Registry
  § Kernel Object
  § SAM
  § Certification Services
  § Application Generated
  § Handle Manipulation
  § File Share
  § Filtering Platform Packet Drop
  § Filtering Platform Connection
  § Other Object Access Events

• Enabling auditing with the Group Policy Management Console enables all sub-categories, which produces a lot of unwanted auditing

• Use AuditPol.exe to manually enable a sub-category

Step 2 – Enable Auditing Specific Resources

• Files and folders to be audited must be on Microsoft Windows NTFS volumes.

• Auditing for specific files and folders is enabled from the Advanced Properties sheet of the object to be audited

• Specify which types of access to audit, either by users or by groups.

• Same method for auditing Printers or other Active Directory Objects

Demo

Audit Policy Guidelines

• Determine the computers on which to set up auditing.

• Plan the events to audit on each computer.

• Audit resource access by the Everyone group instead of the Users group.

• Determine whether to audit the success of events, failure of events, or both.

Tracking successful events identifies which users gained access to specific files, printers, or objects, information that can be used for resource planning.

Tracking failed events may alert the administrator of possible security breaches.
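
The two auditing steps carried out from an elevated PowerShell prompt, as an added example that is not part of the original slides. The folder path is hypothetical, and the event IDs 4663 and 4656 are the general Windows object-access events, not values taken from the slides.

```powershell
# Added example: enable one Object Access sub-category, then audit one folder.
$path = 'D:\Shares\HR'          # hypothetical folder on an NTFS volume

# Step 1 - set the audit policy, but only for the File System sub-category
# rather than the whole Object Access category.
auditpol /set /subcategory:"File System" /success:enable /failure:enable
auditpol /get /category:"Object Access"      # confirm the other sub-categories stay off

# Step 2 - enable auditing on the specific resource by adding a SACL entry.
# Audits the Everyone group, as the guidelines recommend, for changes only,
# so that ordinary reads do not flood the log.
$acl     = Get-Acl -Path $path -Audit
$rights  = [System.Security.AccessControl.FileSystemRights]'Write, Delete, ChangePermissions, TakeOwnership'
$inherit = [System.Security.AccessControl.InheritanceFlags]'ContainerInherit, ObjectInherit'
$rule    = New-Object System.Security.AccessControl.FileSystemAuditRule(
               'Everyone', $rights, $inherit,
               [System.Security.AccessControl.PropagationFlags]::None,
               [System.Security.AccessControl.AuditFlags]'Success, Failure')
$acl.AddAuditRule($rule)
Set-Acl -Path $path -AclObject $acl

# Verify the SACL now on the folder.
(Get-Acl -Path $path -Audit).Audit |
    Format-Table IdentityReference, FileSystemRights, AuditFlags, IsInherited -AutoSize

# Review what was logged in the last hour for this folder.
# 4663 = an attempt was made to access an object; 4656 = a handle was requested.
Get-WinEvent -FilterHashtable @{
        LogName   = 'Security'
        Id        = 4663, 4656
        StartTime = (Get-Date).AddHours(-1)
    } -ErrorAction SilentlyContinue |
    Where-Object { $_.Message -like "*$path*" } |
    Select-Object TimeCreated, Id, KeywordsDisplayNames |
    Format-Table -AutoSize
```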

View Logon Events

•Security log of the system that generated the event
  • The DC that authenticated the user: account logon
    • Note: Not replicated to other DCs
  • The system to which the user logged on or connected: logon

Evaluate Events in the Security Log

•Security Log
  • The security log is limited in size.
  • The amount of disk space to devote to the security log must be considered.
  • Review the log frequently
  • The Manage Auditing And Security Log user right for the computer is necessary to configure an audit policy or review an audit log.

Group Policy Tools

Diagnostic tool: Purpose

•GPUpdate: Refresh / load Group Policy.

•GPLogView (free download from Microsoft): Export GP-related events from the system and operational logs into text, HTML, or XML files.

•DCGPOFix: Restore the default GPOs to their original state.

•GPResult: Display information about the user, the computer, the GP affecting them, and the domain controller that supplied the GP.

Resultant Set of Policy

•Inheritance, filters, loopback, and other policy scope and precedence factors are complex!

•RSoP
  • The "end result" of policy application
  • Tools to help evaluate, model, and troubleshoot the application of Group Policy settings

•RSoP analysis
  • The Group Policy Results Wizard
  • The Group Policy Modeling Wizard
  • GPResult.exe

Generate RSoP Reports

•Group Policy Results Wizard
  • Queries WMI to report actual Group Policy application

•Requirements
  • Administrative credentials on the target computer
  • Access to WMI (firewall)
  • User must have logged on at least once

•RSoP report
  • Can be saved
  • View in Advanced mode
    • Shows some settings that do not show in the HTML report
    • View Group Policy processing events

•GPResult.exe /s ComputerName /h filename

Perform What-If Analyses with the Group Policy Modeling Wizard

•Group Policy Modeling Wizard
  • Emulates Group Policy application to report anticipated RSoP

Examine Policy Event Logs

•System log
  • High-level information about Group Policy
  • Errors elsewhere in the system that could impact Group Policy

•Application log
  • Events recorded by CSEs

•Group Policy Operational log
  • Detailed trace of Group Policy application

Demo