exercise 7

Post on 19-Nov-2015


Description: MCP

Section A: Implementing Group Policy

1. Describe the components of Group Policy.

Group Policy settings are configuration settings that allow administrators to enforce settings by modifying the computer-specific and user-specific registry settings on domain-based computers. You can group together Group Policy settings to make GPOs, which you can then apply to security principals (users, groups or computers).

GPOs

A GPO is an object that contains one or more policy settings that apply configuration settings for users, computers, or both. GPOs are stored in SYSVOL, and can be managed by using the Group Policy Management Console (GPMC). Within the GPMC, you can open and edit a GPO by using the Group Policy Management Editor. GPOs are logically linked to Active Directory containers to apply settings to the objects in those containers.

Group Policy Settings

A Group Policy setting is the most granular component of Group Policy. It defines a specific configuration change to apply to an object (a computer or a user, or both) within Active Directory Domain Services (AD DS). Group Policy has thousands of configurable settings. These settings can affect nearly every area of the computing environment. Not all settings can be applied to all older versions of Windows Server and Windows operating systems. Each new version introduces new settings and capabilities that only apply to that specific version. If a computer has a Group Policy setting applied that it cannot process, it simply ignores it.

Most policy settings have three states:

Not Configured. The GPO will not modify the existing configuration of the particular setting for the user or computer.

Enabled. The policy setting will be applied.

Disabled. The policy setting is specifically reversed.

By default, most settings are set to Not Configured. The effect of the configuration change depends on the policy setting. For example, if you enable the Prohibit Access to Control Panel policy setting, users will be unable to open Control Panel. If you disable the policy setting, you ensure that users can open Control Panel. Notice the double negative in this policy setting: you disable a policy that prevents an action, thereby allowing the action.

Group Policy Settings Structure

There are two distinct areas of Group Policy settings:

User settings. These are settings that modify the HKEY_CURRENT_USER hive of the registry.

Computer settings. These are settings that modify the HKEY_LOCAL_MACHINE hive of the registry.

User and computer settings each have three areas of configuration, as described in the following table.

Group Policy Management Editor

The Group Policy Management Editor displays the individual Group Policy settings that are available in a GPO. These are displayed in an organized hierarchy that begins with the division between computer settings and user settings, and then expands to show the Computer Configuration node and the User Configuration node. The Group Policy Management Editor is where all Group Policy settings and preferences are configured.

2. Describe multiple local GPOs.

In Windows operating systems prior to Windows Vista, there was only one available user configuration in the local Group Policy. That configuration was applied to all users who logged on from that local computer. This is still true, but Windows Vista and newer Windows client operating systems, and Windows Server 2008 and newer Windows Server operating systems, have an added feature: multiple local GPOs.

In Windows 8 and Windows Server 2012, you can also now have different user settings for different local users, but this is only available for the user configurations that are in Group Policy. In fact, there is only one set of computer configurations available in Windows 8 and Windows Server 2012 that affects all users of the computer. Windows 8 and Windows Server 2012 provide this ability with the following three layers of local GPOs:

Local Group Policy (contains the computer configuration settings)

Administrator and Non-Administrator Group Policy

User-specific Local Group Policy

How the Layers Are Processed

The layers of local GPOs are processed in the following order:

1. Local Group Policy
2. Administrators and Non-Administrators Group Policy
3. User-specific Local Group Policy

With the exception of the categories of Administrator or Non-Administrator, it is not possible to apply local GPOs to groups, but only to individual local user accounts. Domain users are subject to the local Group Policy, or the Administrator or Non-Administrator settings, as appropriate.

3. Describe storage options for domain GPOs.

Group Policy settings are presented as GPOs in the GPMC, but a GPO is actually two components: a Group Policy template, and a Group Policy container.

Group Policy Template

Group Policy templates are the actual collection of settings that you can change. Group Policy templates are stored in the %SystemRoot%\PolicyDefinitions folder. Windows Server 2012 contains Group Policy templates with thousands of configurable settings. When you create a new Group Policy, the Group Policy Management Editor presents the templates in a new GPO. When you edit and save the GPO, a new Group Policy container is created.

Group Policy Container

The Group Policy container is an Active Directory object that is stored in the Active Directory database. Each Group Policy container includes a globally unique identifier (GUID) attribute that uniquely identifies the object within AD DS. The Group Policy container defines basic attributes of the GPO such as links and version numbers, but it does not contain any of the settings. Instead, the settings are contained in the Group Policy template, which is a collection of files stored in the SYSVOL of each domain controller.

SYSVOL is located in the %SystemRoot%\SYSVOL\Domain\Policies\GPOGUID path, where GPOGUID is the GUID of the Group Policy container. When you make changes to the settings of a GPO, the changes are saved to the Group Policy template of the server from which the GPO was opened. By default, when Group Policy refresh occurs, the Group Policy client-side extensions (CSEs) apply settings in a GPO only if the GPO has been updated.

The Group Policy Client can identify an updated GPO by its version number. Each GPO has a version number that is incremented each time a change is made. The version number is stored as an attribute of the Group Policy container, and in a text file, GPT.ini, in the Group Policy Template folder. The Group Policy Client knows the version number of each GPO that it has previously applied. If, during Group Policy refresh, the Group Policy Client discovers that the version number of the Group Policy container has been changed, the CSEs will be informed that the GPO is updated.

When editing a Group Policy, the version on the computer that has the primary domain controller (PDC) emulator Flexible Single Master Operations (FSMO) role is the version being edited. It does not matter what computer you are using to perform the editing; the GPMC is focused on the PDC emulator by default. It is possible to change the focus of the GPMC to edit a version on a different domain controller.
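The container/template split above means the version in AD DS and the version in GPT.ini can disagree (for example while SYSVOL replication lags). The following script, added here as an example and not part of the exercise text, reports that disagreement for every GPO in the domain; it assumes the GroupPolicy RSAT module, a domain-joined session, and read access to SYSVOL.

```powershell
# Added example: compare each GPO's version in the Group Policy container (AD DS)
# with the version recorded in GPT.ini (SYSVOL). Assumes the GroupPolicy module.
Import-Module GroupPolicy

# GPT.ini stores one packed 32-bit Version value:
# low 16 bits = computer version, high 16 bits = user version.
function Split-GptVersion {
    param([uint32]$Packed)
    [pscustomobject]@{
        Computer = [int]($Packed -band 0xFFFF)
        User     = [int](($Packed -shr 16) -band 0xFFFF)
    }
}

function Get-GptIniVersion {
    param([string]$GptIniPath)
    foreach ($line in Get-Content -Path $GptIniPath) {
        if ($line -match '^Version=(\d+)') { return Split-GptVersion ([uint32]$Matches[1]) }
    }
    return $null   # no Version line: treat as never written
}

function Test-GpoVersionConsistency {
    param([string]$Domain = $env:USERDNSDOMAIN)
    foreach ($gpo in Get-GPO -All -Domain $Domain) {
        # Get-GPO already exposes the AD (DS) and SYSVOL versions per side
        $adUser = $gpo.User.DSVersion;     $fsUser = $gpo.User.SysvolVersion
        $adComp = $gpo.Computer.DSVersion; $fsComp = $gpo.Computer.SysvolVersion
        # Cross-check against the raw GPT.ini in the Group Policy template folder
        $ini = "\\$Domain\SYSVOL\$Domain\Policies\{$($gpo.Id)}\GPT.ini"
        $iniVer = if (Test-Path $ini) { Get-GptIniVersion $ini } else { $null }
        [pscustomobject]@{
            Name           = $gpo.DisplayName
            Id             = $gpo.Id
            UserAD         = $adUser
            UserSysvol     = $fsUser
            ComputerAD     = $adComp
            ComputerSysvol = $fsComp
            GptIniUser     = $iniVer.User
            GptIniComputer = $iniVer.Computer
            # A mismatch means clients may apply stale template files, or none
            Consistent     = ($adUser -eq $fsUser) -and ($adComp -eq $fsComp)
        }
    }
}

Test-GpoVersionConsistency | Where-Object { -not $_.Consistent } |
    Format-Table Name, UserAD, UserSysvol, ComputerAD, ComputerSysvol -AutoSize
```

Because the GPMC edits on the PDC emulator by default, running this against a different domain controller right after an edit is the quickest way to see replication lag.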

4. Describe the Group Policy processing order.

GPOs are not applied simultaneously; rather, they are applied in a logical order. GPOs that are applied later in the process of applying GPOs overwrite any conflicting policy settings that were applied earlier. GPOs are applied in the following order:

1. Local GPOs. Each operating system that is running Windows 2000 or newer potentially already has a local Group Policy configured.

2. Site GPOs. Policies that are linked to sites are processed next.

3. Domain GPOs. Policies that are linked to the domain are processed next. There are often multiple policies at the domain level. These policies are processed in order of preference.

4. OU GPOs. Policies linked to OUs are processed next. These policies contain settings that are unique to the objects in that OU. For example, the Sales users might have special required settings. You can link a policy to the Sales OU to deliver those settings.

5. Child OU policies. Any policies that are linked to child OUs are processed last. Objects in the containers receive the cumulative effect of all policies in their processing order.

In the case of a conflict between settings, the last policy applied takes effect. For example, a domain-level policy might restrict access to registry editing tools, but you could configure an OU-level policy and link it to the IT OU to reverse that policy. Because the OU-level policy is applied later in the process, access to registry tools would be available.

5. Describe a GPO link.

Once you have created a GPO and defined all the settings that you want it to deliver, the next step is to link the policy to an Active Directory container. A GPO link is the logical connection of the policy to a container. You can link a single GPO to multiple containers by using the GPMC. You can link GPOs to the following types of containers:

Sites

Domains

OUs

Once a GPO is linked to a container, by default the policy is applied to all the objects in the container, and subsequently all the child containers under that parent object. This is because the default permissions of the GPO are such that Authenticated Users have Read and Apply Group Policy permission. You can modify this behavior by managing permissions on the GPO.

You can disable links to containers, which removes the configuration settings. You can also delete links. Deleting links does not delete the actual GPO, only the logical connection to the container. GPOs cannot be linked directly to users, groups, or computers. In addition, GPOs cannot be linked to the system containers in AD DS, including Builtin, Computers, Users, or Managed Service Accounts. The AD DS system containers receive Group Policy settings from GPOs that are linked to the domain level only.
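The processing order in question 4 and the links in question 5 can be read back for any OU with Get-GPInheritance. The script below is an added example, not part of the exercise text; it assumes the GroupPolicy RSAT module, and the OU distinguished name is a placeholder.

```powershell
# Added example: list the domain- and OU-linked GPOs that apply to an OU in
# the order the Group Policy client applies them (last one wins on conflict).
# Assumes the GroupPolicy module; 'OU=IT,DC=contoso,DC=com' is a placeholder.
Import-Module GroupPolicy

function Get-GpoApplyOrder {
    param([Parameter(Mandatory)][string]$TargetDN)
    $inh = Get-GPInheritance -Target $TargetDN

    # InheritedGpoLinks is returned in precedence order (first entry wins, so it
    # is applied last). Reverse it to show the order of application instead.
    $links = @($inh.InheritedGpoLinks)
    [array]::Reverse($links)

    $step = 0
    foreach ($l in $links) {
        $step++
        [pscustomobject]@{
            ApplyStep = $step
            Gpo       = $l.DisplayName
            LinkedAt  = $l.Target     # domain or OU DN that carries the link
            Enabled   = $l.Enabled    # a disabled link removes the settings
            Enforced  = $l.Enforced   # enforced links cannot be reversed lower down
        }
    }
    if ($inh.GpoInheritanceBlocked) {
        Write-Warning "$TargetDN blocks inheritance; only enforced links from above still apply."
    }
}

# Local GPOs and site-linked GPOs are processed before anything listed here;
# Get-GPInheritance reports domain and OU links only.
Get-GpoApplyOrder -TargetDN 'OU=IT,DC=contoso,DC=com' | Format-Table -AutoSize
```

In the question 4 example (domain policy restricts registry tools, IT OU policy reverses it), the IT OU link appears with the higher ApplyStep, which is why it takes effect.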

6. Describe the Central Store.

If your organization has multiple administration workstations, there could be potential issues when editing GPOs. If you do not have a Central Store in which to contain the template files, then the workstation you are editing from will use the .admx (ADMX) and .adml (ADML) files that are stored in the local PolicyDefinitions folder. If different administration workstations have different operating systems or are at different service pack levels, there might be differences in the ADMX and ADML files. For example, the ADMX and ADML files that are stored on a Windows 7 workstation with no service pack installed might not be the same as the files that are stored on a Windows Server 2012 domain controller.

The Central Store addresses this issue. The Central Store provides a single point from which administration workstations can download the same ADMX and ADML files when editing a GPO. The Central Store is detected automatically by Windows operating systems that are the Windows Vista version or newer, and Windows Server 2008 operating systems.

As such, the local workstation that the administrator uses to perform administration always checks to see if a Central Store exists before loading the local ADMX and ADML files in the Group Policy Object Editor. When the local workstation detects a Central Store, it then downloads the template files from there. In this way, there is a consistent administration experience among multiple workstations.

You must create and provision the Central Store manually. First you must create a folder on a domain controller, name the folder PolicyDefinitions, and store the folder at C:\Windows\SYSVOL\sysvol\{DomainName}\Policies\. This folder will now be your Central Store. You must then copy all the contents of the C:\Windows\PolicyDefinitions folder to the Central Store. The ADML files in this folder are also in a language-specific folder (such as en-US).
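The provisioning steps above, plus a check for the template drift that motivates the Central Store, as an added example that is not part of the exercise text. It assumes Windows PowerShell 4.0 or later (for Get-FileHash); Initialize-CentralStore is meant to run once on a domain controller, and Compare-PolicyDefinitions on any administration workstation.

```powershell
# Added example: create and populate the Central Store from the local
# PolicyDefinitions folder, then report ADMX/ADML files that differ between
# a workstation's local folder and the Central Store.
$domain  = $env:USERDNSDOMAIN
$local   = Join-Path $env:SystemRoot 'PolicyDefinitions'
$central = "$env:SystemRoot\SYSVOL\sysvol\$domain\Policies\PolicyDefinitions"

function Initialize-CentralStore {
    param([string]$Source = $local, [string]$Destination = $central)
    if (-not (Test-Path $Destination)) {
        New-Item -ItemType Directory -Path $Destination | Out-Null
    }
    # Copies the .admx files and every language folder (for example en-US) with its .adml files
    Copy-Item -Path (Join-Path $Source '*') -Destination $Destination -Recurse -Force
}

function Compare-PolicyDefinitions {
    param([string]$Source = $local, [string]$Destination = $central)
    $hashes = @{}
    foreach ($f in Get-ChildItem -Path $Source -Recurse -Include *.admx,*.adml -File) {
        $rel = $f.FullName.Substring($Source.Length).TrimStart('\')
        $hashes[$rel] = (Get-FileHash -Path $f.FullName -Algorithm SHA256).Hash
    }
    foreach ($f in Get-ChildItem -Path $Destination -Recurse -Include *.admx,*.adml -File) {
        $rel = $f.FullName.Substring($Destination.Length).TrimStart('\')
        $state = if (-not $hashes.ContainsKey($rel)) { 'OnlyInCentralStore' }
                 elseif ($hashes[$rel] -ne (Get-FileHash -Path $f.FullName -Algorithm SHA256).Hash) { 'Differs' }
                 else { 'Same' }
        $hashes.Remove($rel)
        [pscustomobject]@{ File = $rel; State = $state }
    }
    # Whatever is left exists only on this workstation and would never be seen by other editors
    foreach ($rel in $hashes.Keys) { [pscustomobject]@{ File = $rel; State = 'OnlyLocal' } }
}

# On a domain controller, once:
# Initialize-CentralStore
# On an administration workstation, via the SYSVOL share:
Compare-PolicyDefinitions -Destination "\\$domain\SYSVOL\$domain\Policies\PolicyDefinitions" |
    Where-Object State -ne 'Same' | Format-Table -AutoSize
```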

Section B: Securing Windows Server 2012 with GPO

1. Describe best practices for increasing Windows Server 2012 security.

Consider the following best practices for increasing security:

Apply all available security updates as quickly as possible following their release. You should strive to implement security updates as soon as possible to ensure that your systems are protected from known vulnerabilities. Microsoft publicly releases the details of any known vulnerabilities after an update has been released, which can lead to an increased volume of malware attempting to exploit the vulnerability. However, you must still ensure that you adequately test updates before they are applied widely within your organization.

Follow the principle of least privilege. Provide users and service accounts with the lowest permission levels required to complete their necessary tasks. This ensures that any malware using those credentials is limited in its impact. It also ensures that users are limited in their ability to accidentally delete data or modify critical operating system settings.

Restrict administrator console logon. Logging on locally at a console is a greater risk to a server than accessing data remotely. This is because some malware can only infect a computer by using a user session at the desktop. If you allow administrators to use Remote Desktop Connection for server administration, ensure that enhanced security features such as User Account Control are enabled.

Restrict physical access. If someone has physical access to your servers, that person has virtually unlimited access to the data on that server. An unauthorized person could use a wide variety of tools to quickly reset the password on local administrator accounts and allow local access, or use a USB drive to introduce malware.

2. Describe Security Compliance Manager (SCM).

The Security Compliance Manager (SCM) is a free tool from the Microsoft Solution Accelerators team that enables you to quickly configure and manage the computers in your environment and your private cloud using Group Policy and Microsoft System Center Configuration Manager.

SCM provides ready-to-deploy policies and DCM configuration packs based on Microsoft security guide recommendations and industry best practices, allowing you to easily manage configuration drift and address compliance requirements for Windows operating systems, Office applications, and other Microsoft applications.

Now you can easily configure computers running Windows Server 2012, Windows 8, Microsoft Office applications, and Windows Internet Explorer 10 with industry-leading knowledge and fully supported tools.

Features:

Baselines based on Microsoft security guide recommendations and industry best practices: These baselines are designed to help you manage configuration drift, address compliance requirements, and reduce security threats.

Centralized security baseline management features: These include a baseline portfolio, customization capabilities, and security baseline export flexibility to accelerate your organization's ability to efficiently manage the security and compliance process for the most widely used Microsoft technologies.

Gold master support: Import your existing Group Policy to take advantage of it, or create a snapshot of a reference machine to kick-start your project.

Standalone machine configuration: Deploy your configurations to non-domain-joined computers using the new GPOPack feature.

Updated security guides: Take advantage of the deep security expertise and best practices in the updated security guides, and the attack surface reference workbooks, to help reduce the most important security risks for your organization.

Comparisons against industry best practices: Analyze your configurations against prebuilt baselines for the latest Windows client and server operating systems.

3. Describe the purpose of AppLocker.

AppLocker, which was introduced in the Windows 7 operating system and Windows Server 2008 R2, is a security setting feature that controls which applications users are allowed to run. AppLocker provides administrators a variety of methods for determining quickly and concisely the identity of applications that they may want to restrict, or to which they may want to permit access.

You apply AppLocker through Group Policy to computer objects within an OU. You can also apply individual AppLocker rules to individual AD DS users or groups. AppLocker also contains options for monitoring or auditing the application of rules. AppLocker can help organizations prevent unlicensed or malicious software from executing, and can selectively restrict ActiveX controls from being installed.

It can also reduce the total cost of ownership by ensuring that workstations are standardized across the enterprise, and that users are running only the software and applications that are approved by the enterprise. Using AppLocker technology, companies can reduce administrative overhead and help administrators control how users

You can use AppLocker to restrict software that:

Is not allowed to be used in the company. For example, software that can disrupt employees' business productivity, such as social networking software, or software that streams video files or pictures that can use a large amount of network bandwidth and disk space.

Is no longer used or has been replaced with a newer version. For example, software that is no longer maintained, or for which licenses have expired.

Is no longer supported in the company. Software that is not updated with security updates might pose a security risk.

Should be used only by specific departments.

You can configure AppLocker settings by browsing in GPMC to: Computer Configuration\Policies\Windows Settings\Security Settings\Application Control Policies.
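The monitoring and auditing option mentioned above is how a policy is normally introduced: build rules from a reference computer, deploy them in audit-only mode, review what would have been blocked, then enforce. The script below is an added example and not part of the exercise text; it assumes the AppLocker PowerShell module, an elevated session, and the LDAP path of your own GPO in place of the placeholder.

```powershell
# Added example: build an AppLocker policy from a reference computer, set it
# to audit-only, test files against it, deploy to a GPO and read audit events.
# Assumes the AppLocker module; the GPO LDAP path is a placeholder.
Import-Module AppLocker

function New-ReferenceAuditPolicy {
    param([string[]]$Directories = @("$env:ProgramFiles", "$env:SystemRoot\System32"),
          [string]$OutFile = "$env:TEMP\AppLocker-audit.xml")
    # Publisher rules where the files are signed, hash rules for everything else
    $files = $Directories | ForEach-Object {
        Get-AppLockerFileInformation -Directory $_ -Recurse -FileType Exe,Script
    }
    $policyXml = $files | New-AppLockerPolicy -RuleType Publisher,Hash -User Everyone -Optimize -Xml
    # Flip every rule collection to AuditOnly so nothing is blocked yet
    [xml]$doc = $policyXml
    foreach ($collection in $doc.AppLockerPolicy.RuleCollection) {
        $collection.EnforcementMode = 'AuditOnly'
    }
    $doc.Save($OutFile)
    return $OutFile
}

function Test-FilesAgainstPolicy {
    param([string]$PolicyXml, [string[]]$Path, [string]$User = 'Everyone')
    # Reports Allowed / Denied / DeniedByDefaultRule per file without deploying anything
    Test-AppLockerPolicy -XmlPolicy $PolicyXml -Path $Path -User $User
}

function Get-AppLockerAuditEvents {
    param([int]$Newest = 50)
    # Event 8003 = would have been blocked (audit mode), 8004 = blocked (enforced)
    Get-WinEvent -FilterHashtable @{ LogName = 'Microsoft-Windows-AppLocker/EXE and DLL'; Id = 8003,8004 } `
        -MaxEvents $Newest -ErrorAction SilentlyContinue |
        Select-Object TimeCreated, Id, Message
}

$xml = New-ReferenceAuditPolicy
Test-FilesAgainstPolicy -PolicyXml $xml -Path "$env:SystemRoot\System32\cmd.exe", "$env:TEMP\unapproved-tool.exe"

# Deploy to the GPO (placeholder path), then review audit events before switching to enforce
Set-AppLockerPolicy -XmlPolicy $xml -Ldap 'LDAP://DC=contoso,DC=com/CN={GPO-GUID},CN=Policies,CN=System,DC=contoso,DC=com'
Get-AppLockerAuditEvents
```

The Application Identity service must be running on the target computers for either audit or enforcement to produce events.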

4. Describe Firewall Profiles.

Windows Firewall with Advanced Security uses firewall profiles to provide a consistent configuration for networks of a specific type, and allows you to define a network as either a domain network, a public network, or a private network. With Windows Firewall with Advanced Security, you can define a configuration set for each type of network; each configuration set is referred to as a firewall profile. Firewall rules are activated only for specific firewall profiles. Windows Firewall with Advanced Security includes the profiles in the following table.

Windows Server 2012 allows multiple firewall profiles to be active on a server simultaneously. This means that a multihomed server that is connected to both the internal network and the perimeter network can apply the domain firewall profile to the internal network, and the public or private firewall profile to the perimeter network.

5. Describe connection security rules.

A connection security rule forces authentication between two peer computers before they can establish a connection and transmit secure information. They also secure that traffic by encrypting the data that is transmitted between computers. Windows Firewall with Advanced Security uses IPsec to enforce these rules. The configurable connection security rules are:

Isolation. An isolation rule isolates computers by restricting connections that are based on credentials such as domain membership or health status. Isolation rules allow you to implement an isolation strategy for servers or domains.

Authentication Exemption. You can use an authentication exemption to designate connections that do not require authentication. You can designate computers by a specific IP address, an IP address range, a subnet, or a predefined group such as a gateway.

Server-to-Server. A server-to-server rule protects connections between specific computers. This type of rule usually protects connections between servers. When creating the rule, specify the network endpoints between which communications are protected. Then designate requirements and the authentication that you want to use.

Tunnel. With a tunnel rule, you can protect connections between gateway computers. Typically, you would use a tunnel rule when connecting across the Internet between two security gateways.

Custom. Use a custom rule to authenticate connections between two endpoints when you cannot set up authentication rules that you need by using the other rules available in the new Connection Security Rule Wizard.

How Firewall Rules and Connection Security Rules Work Together

Firewall rules allow traffic through the firewall, but do not secure that traffic. To secure traffic with IPsec, you can create connection security rules. However, connection security rules do not allow traffic through a firewall. You must create a firewall rule to do this. Connection security rules are not applied to programs and services; instead, they are applied between the computers that make up the two endpoints.
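The pairing described in questions 4 and 5 (a connection security rule to secure the traffic, a separate firewall rule to admit it, both scoped to a profile) in the NetSecurity cmdlets, as an added example that is not part of the exercise text. It assumes Windows 8 / Windows Server 2012 or later and an elevated session; the addresses and port are constructed placeholders.

```powershell
# Added example: a server-to-server connection security rule (IPsec with
# Kerberos computer authentication) plus the firewall rule that actually
# admits the traffic, both limited to the Domain profile.
Import-Module NetSecurity

$peers = '10.0.1.10', '10.0.1.11'   # constructed: the two server endpoints
$port  = 1433                        # constructed: the service port to protect

# 1. Connection security rule: require authentication for this traffic between
#    the endpoints. On its own this does NOT open the port; it only decides how
#    a connection between the two computers is secured.
$auth = New-NetIPsecPhase1AuthSet -DisplayName 'Computer Kerberos' `
            -Proposal (New-NetIPsecAuthProposal -Machine -Kerberos)
New-NetIPsecRule -DisplayName 'App server-to-server IPsec' `
    -Mode Transport -Profile Domain `
    -LocalAddress $peers -RemoteAddress $peers `
    -Protocol TCP -LocalPort $port `
    -InboundSecurity Require -OutboundSecurity Require `
    -Phase1AuthSet $auth.Name

# 2. Firewall rule: allow the port, but only for connections the IPsec rule has
#    authenticated and encrypted, and only while the adapter is in the Domain profile.
New-NetFirewallRule -DisplayName 'App inbound (IPsec only)' `
    -Direction Inbound -Action Allow -Profile Domain `
    -Protocol TCP -LocalPort $port -RemoteAddress $peers `
    -Authentication Required -Encryption Required

# 3. Check which profile each adapter is in: on a multihomed server the rules
#    above are active only on the adapter that identified a domain network.
Get-NetConnectionProfile | Select-Object InterfaceAlias, NetworkCategory
Get-NetFirewallProfile | Select-Object Name, Enabled, DefaultInboundAction
```

Without step 2 the port stays closed even though IPsec is configured; without step 1 the firewall rule's Authentication Required setting has no security association to match and the connection is dropped, which is the dependency the last paragraph describes.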
