exercise 7


Upload: mike

Post on 19-Nov-2015


Description: MCP

Section A Implementing Group Policy

1. Describe the components of Group Policy.

Group Policy settings are configuration settings that allow administrators to enforce settings by modifying the computer-specific and user-specific registry settings on domain-based computers. You can group together Group Policy settings to make GPOs, which you can then apply to security principals (users, groups or computers).

GPOs

A GPO is an object that contains one or more policy settings that apply configuration settings for users, computers, or both. GPOs are stored in SYSVOL, and can be managed by using the Group Policy Management Console (GPMC). Within the GPMC, you can open and edit a GPO by using the Group Policy Management Editor. GPOs are logically linked to Active Directory containers to apply settings to the objects in those containers.

Group Policy Settings

A Group Policy setting is the most granular component of Group Policy. It defines a specific configuration change to apply to an object (a computer or a user, or both) within Active Directory Domain Services (AD DS). Group Policy has thousands of configurable settings. These settings can affect nearly every area of the computing environment. Not all settings can be applied to all older versions of Windows Server and Windows operating systems. Each new version introduces new settings and capabilities that only apply to that specific version. If a computer has a Group Policy setting applied that it cannot process, it simply ignores it.

Most policy settings have three states:

Not Configured. The GPO will not modify the existing configuration of the particular setting for the user or computer.

Enabled. The policy setting will be applied.

Disabled. The policy setting is specifically reversed.

By default, most settings are set to Not Configured. The effects of the configuration change depend on the policy setting. For example, if you enable the Prohibit Access to Control Panel policy setting, users will be unable to open Control Panel. If you disable the policy setting, you ensure that users can open Control Panel. Notice the double negative in this policy setting: you disable a policy that prevents an action, thereby allowing the action.

Group Policy Settings Structure

There are two distinct areas of Group Policy settings:

User settings. These are settings that modify the HKEY_CURRENT_USER hive of the registry.

Computer settings. These are settings that modify the HKEY_LOCAL_MACHINE hive of the registry.

User and computer settings each have three areas of configuration, as described in the following table.

Group Policy Management Editor

The Group Policy Management Editor displays the individual Group Policy settings that are available in a GPO. These are displayed in an organized hierarchy that begins with the division between computer settings and user settings, and then expands to show the Computer Configuration node and the User Configuration node. The Group Policy Management Editor is where all Group Policy settings and preferences are configured.

2. Describe multiple local GPOs.

In Windows operating systems prior to Windows Vista, there was only one available user configuration in the local Group Policy. That configuration was applied to all users who logged on from that local computer. This is still true, but Windows Vista and newer Windows client operating systems, and Windows Server 2008 and newer Windows Server operating systems, have an added feature: multiple local GPOs.

In Windows 8 and Windows Server 2012, you can also now have different user settings for different local users, but this is only available for the user configurations that are in Group Policy. In fact, there is only one set of computer configurations available in Windows 8 and Windows Server 2012, and it affects all users of the computer. Windows 8 and Windows Server 2012 provide this ability with the following three layers of local GPOs:

Local Group Policy (contains the computer configuration settings)

Administrator and Non-Administrator Group Policy

User-specific Local Group Policy

How the Layers Are Processed

The layers of local GPOs are processed in the following order:

1. Local Group Policy
2. Administrators and Non-Administrators Group Policy
3. User-specific Local Group Policy

With the exception of the categories of Administrator or Non-Administrator, it is not possible to apply local GPOs to groups, but only to individual local user accounts. Domain users are subject to the local Group Policy, or the Administrator or Non-Administrator settings, as appropriate.

3. Describe storage options for domain GPOs.

Group Policy settings are presented as GPOs in the GPMC, but a GPO is actually two components: a Group Policy template, and a Group Policy container.

Group Policy Template

Group Policy templates are the actual collection of settings that you can change. Group Policy templates are stored in the %SystemRoot%\PolicyDefinitions folder. Windows Server 2012 contains Group Policy templates with thousands of configurable settings. When you create a new Group Policy, the Group Policy Management Editor presents the templates in a new GPO. When you edit and save the GPO, a new Group Policy container is created.

Group Policy Container

The Group Policy container is an Active Directory object that is stored in the Active Directory database. Each Group Policy container includes a globally unique identifier (GUID) attribute that uniquely identifies the object within AD DS. The Group Policy container defines basic attributes of the GPO such as links and version numbers, but it does not contain any of the settings. Instead, the settings are contained in the Group Policy template, which is a collection of files stored in the SYSVOL of each domain controller.

SYSVOL is located in the %SystemRoot%\SYSVOL\Domain\Policies\GPOGUID path, where GPOGUID is the GUID of the Group Policy container. When you make changes to the settings of a GPO, the changes are saved to the Group Policy template of the server from which the GPO was opened. By default, when Group Policy refresh occurs, the Group Policy client-side extensions (CSEs) apply settings in a GPO only if the GPO has been updated.

The Group Policy Client can identify an updated GPO by its version number. Each GPO has a version number that is incremented each time a change is made. The version number is stored as an attribute of the Group Policy container, and in a text file, GPT.ini, in the Group Policy template folder. The Group Policy Client knows the version number of each GPO that it has previously applied. If, during Group Policy refresh, the Group Policy Client discovers that the version number of the Group Policy container has been changed, the CSEs will be informed that the GPO is updated.

When editing a Group Policy, the version on the computer that has the primary domain controller (PDC) emulator Flexible Single Master Operations (FSMO) role is the version being edited. It does not matter what computer you are using to perform the editing; the GPMC is focused on the PDC emulator by default. It is possible to change the focus of the GPMC to edit a version on a different domain controller.
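As an added example (not from the course notes), the following PowerShell compares the two copies of the version number described above: the versionNumber attribute of the Group Policy container in AD DS and the Version line of GPT.ini in SYSVOL. It assumes the GroupPolicy and ActiveDirectory RSAT modules and a GPO name you supply; both stores pack the Computer Configuration version into the low 16 bits and the User Configuration version into the high 16 bits of one value, which is how the script splits them.

```powershell
# Added example, not part of the course notes. Compares the GPC (AD DS) and GPT (SYSVOL)
# version numbers of one GPO. A mismatch means AD replication and SYSVOL (DFS-R) replication
# have diverged, or GPT.ini was edited outside the GPMC, so clients may apply stale settings.
Import-Module GroupPolicy, ActiveDirectory

function Split-GpVersion {
    param([Parameter(Mandatory)][uint32]$Version)
    # Low word = Computer Configuration version, high word = User Configuration version.
    [pscustomobject]@{
        Computer = $Version -band 0xFFFF
        User     = ($Version -shr 16) -band 0xFFFF
    }
}

function Test-GpoVersionConsistency {
    param([Parameter(Mandatory)][string]$GpoName)   # name of the GPO to check (your value)

    $gpo = Get-GPO -Name $GpoName

    # GPC: the groupPolicyContainer object in AD DS. Get-GPO exposes its DN as .Path;
    # gPCFileSysPath on that object holds the UNC path of the template folder in SYSVOL.
    $gpc    = Get-ADObject -Identity $gpo.Path -Properties versionNumber, gPCFileSysPath
    $gpcVer = Split-GpVersion ([uint32]$gpc.versionNumber)

    # GPT: GPT.ini in the {GUID} folder under SYSVOL, e.g. "Version=131074".
    $iniPath = Join-Path $gpc.gPCFileSysPath 'GPT.ini'
    $ini     = Get-Content -Path $iniPath -Raw
    if ($ini -notmatch '(?m)^Version=(\d+)') { throw "No Version entry found in $iniPath" }
    $gptVer  = Split-GpVersion ([uint32]$Matches[1])

    [pscustomobject]@{
        Gpo                = $GpoName
        Guid               = $gpo.Id
        GpcComputerVersion = $gpcVer.Computer
        GptComputerVersion = $gptVer.Computer
        GpcUserVersion     = $gpcVer.User
        GptUserVersion     = $gptVer.User
        Consistent         = ($gpcVer.Computer -eq $gptVer.Computer) -and
                             ($gpcVer.User -eq $gptVer.User)
    }
}

# Usage: Test-GpoVersionConsistency -GpoName 'Default Domain Policy'
```

Run it against the PDC emulator and against another domain controller (for example with the -Server parameter of Get-ADObject) to see whether a freshly edited GPO has replicated yet.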

4. Describe the Group Policy processing order.

GPOs are not applied simultaneously; rather, they are applied in a logical order. GPOs that are applied later in the process of applying GPOs overwrite any conflicting policy settings that were applied earlier. GPOs are applied in the following order:

1. Local GPOs. Each operating system that is running Windows 2000 or newer potentially already has a local Group Policy configured.

2. Site GPOs. Policies that are linked to sites are processed next.

3. Domain GPOs. Policies that are linked to the domain are processed next. There are often multiple policies at the domain level. These policies are processed in order of preference.

4. OU GPOs. Policies linked to OUs are processed next. These policies contain settings that are unique to the objects in that OU. For example, the Sales users might have special required settings. You can link a policy to the Sales OU to deliver those settings.

5. Child OU policies. Any policies that are linked to child OUs are processed last. Objects in the containers receive the cumulative effect of all policies in their processing order.

In the case of a conflict between settings, the last policy applied takes effect. For example, a domain-level policy might restrict access to registry editing tools, but you could configure an OU-level policy and link it to the IT OU to reverse that policy. Because the OU-level policy is applied later in the process, access to registry tools would be available.

5. Describe a GPO link.

Once you have created a GPO and defined all the settings that you want it to deliver, the next step is to link the policy to an Active Directory container. A GPO link is the logical connection of the policy to a container. You can link a single GPO to multiple containers by using the GPMC. You can link GPOs to the following types of containers:

Sites

Domains

OUs

Once a GPO is linked to a container, by default the policy is applied to all the objects in the container, and subsequently all the child containers under that parent object. This is because the default permissions of the GPO are such that Authenticated Users have Read and Apply Group Policy permission. You can modify this behavior by managing permissions on the GPO.

You can disable links to containers, which removes the configuration settings. You can also delete links. Deleting links does not delete the actual GPO, only the logical connection to the container. GPOs cannot be linked directly to users, groups, or computers. In addition, GPOs cannot be linked to the system containers in AD DS, including Builtin, Computers, Users, or Managed Service Accounts. The AD DS system containers receive Group Policy settings from GPOs that are linked to the domain level only.

6. Describe the Central Store.

If your organization has multiple administration workstations, there could be potential issues when editing GPOs. If you do not have a Central Store in which to contain the template files, then the workstation you are editing from will use the .admx (ADMX) and .adml (ADML) files that are stored in the local PolicyDefinitions folder. If different administration workstations have different operating systems or are at different service pack levels, there might be differences in the ADMX and ADML files. For example, the ADMX and ADML files that are stored on a Windows 7 workstation with no service pack installed might not be the same as the files that are stored on a Windows Server 2012 domain controller.

The Central Store addresses this issue. The Central Store provides a single point from which administration workstations can download the same ADMX and ADML files when editing a GPO. The Central Store is detected automatically by Windows operating systems that are the Windows Vista version or newer, and Windows Server 2008 operating systems.

As such, the local workstation that the administrator uses to perform administration always checks to see if a Central Store exists before loading the local ADMX and ADML files in the Group Policy Object Editor. When the local workstation detects a Central Store, it then downloads the template files from there. In this way, there is a consistent administration experience among multiple workstations.

You must create and provision the Central Store manually. First you must create a folder on a domain controller, name the folder PolicyDefinitions, and store the folder at C:\Windows\SYSVOL\sysvol\{DomainName}\Policies\. This folder will now be your Central Store. You must then copy all the contents of the C:\Windows\PolicyDefinitions folder to the Central Store. The ADML files in this folder are also in a language-specific folder (such as en-US).

Section B Securing Windows Server 2012 with GPO

1. Describe best practices for increasing Windows Server 2012 security.

Consider the following best practices for increasing security:

Apply all available security updates as quickly as possible following their release. You should strive to implement security updates as soon as possible to ensure that your systems are protected from known vulnerabilities. Microsoft publicly releases the details of any known vulnerabilities after an update has been released, which can lead to an increased volume of malware attempting to exploit the vulnerability. However, you must still ensure that you adequately test updates before they are applied widely within your organization.

Follow the principle of least privilege. Provide users and service accounts with the lowest permission levels required to complete their necessary tasks. This ensures that any malware using those credentials is limited in its impact. It also ensures that users are limited in their ability to accidentally delete data or modify critical operating system settings.

Restrict administrator console logon. Logging on locally at a console is a greater risk to a server than accessing data remotely. This is because some malware can only infect a computer by using a user session at the desktop. If you allow administrators to use Remote Desktop Connection for server administration, ensure that enhanced security features such as User Account Control are enabled.

Restrict physical access. If someone has physical access to your servers, that person has virtually unlimited access to the data on that server. An unauthorized person could use a wide variety of tools to quickly reset the password on local administrator accounts and allow local access, or use a USB drive to introduce malware.

2. Describe Security Compliance Manager (SCM).

The Security Compliance Manager (SCM) is a free tool from the Microsoft Solution Accelerators team that enables you to quickly configure and manage the computers in your environment and your private cloud using Group Policy and Microsoft System Center Configuration Manager.

SCM provides ready-to-deploy policies and DCM configuration packs based on Microsoft security guide recommendations and industry best practices, allowing you to easily manage configuration drift and address compliance requirements for Windows operating systems, Office applications, and other Microsoft applications.

Now you can easily configure computers running Windows Server 2012, Windows 8, Microsoft Office applications, and Windows Internet Explorer 10 with industry-leading knowledge and fully supported tools.

Features:

Baselines based on Microsoft security guide recommendations and industry best practices: These baselines are designed to help you manage configuration drift, address compliance requirements, and reduce security threats.

Centralized security baseline management features: These include a baseline portfolio, customization capabilities, and security baseline export flexibility to accelerate your organization's ability to efficiently manage the security and compliance process for the most widely used Microsoft technologies.

Gold master support: Import your existing Group Policy to take advantage of it, or create a snapshot of a reference machine to kick-start your project.

Standalone machine configuration: Deploy your configurations to non-domain-joined computers using the new GPO Pack feature.

Updated security guides: Take advantage of the deep security expertise and best practices in the updated security guides, and the attack surface reference workbooks, to help reduce the most important security risks for your organization.

Comparisons against industry best practices: Analyze your configurations against prebuilt baselines for the latest Windows client and server operating systems.

3. Describe the purpose of AppLocker.

AppLocker, which was introduced in the Windows 7 operating system and Windows Server 2008 R2, is a security setting feature that controls which applications users are allowed to run. AppLocker provides administrators a variety of methods for determining quickly and concisely the identity of applications that they may want to restrict, or to which they may want to permit access.

You apply AppLocker through Group Policy to computer objects within an OU. You can also apply individual AppLocker rules to individual AD DS users or groups. AppLocker also contains options for monitoring or auditing the application of rules. AppLocker can help organizations prevent unlicensed or malicious software from executing, and can selectively restrict ActiveX controls from being installed.

It can also reduce the total cost of ownership by ensuring that workstations are standardized across the enterprise, and that users are running only the software and applications that are approved by the enterprise. Using AppLocker technology, companies can reduce administrative overhead and help administrators control how users

You can use AppLocker to restrict software that:

Is not allowed to be used in the company. For example, software that can disrupt employees' business productivity, such as social networking software, or software that streams video files or pictures that can use large amounts of network bandwidth and disk space.

Is no longer used or has been replaced with a newer version. For example, software that is no longer maintained, or for which licenses have expired.

Is no longer supported in the company. Software that is not updated with security updates might pose a security risk.

Should be used only by specific departments.

You can configure AppLocker settings by browsing in GPMC to: Computer Configuration\Policies\Windows Settings\Security Settings\Application Control Policies.
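As an added example (not from the course notes), the following PowerShell shows the monitoring/auditing option mentioned above in practice: it builds an AppLocker policy from a folder of approved executables, sets every rule collection to AuditOnly so that nothing is blocked during validation, tests a file against the policy, and reads the audit events. The folder, output path, and the LDAP path of the GPO in the usage lines are placeholders you supply.

```powershell
# Added example, not part of the course notes. Assumes the AppLocker module (Windows 7 /
# Server 2008 R2 and later). $ReferenceDir, $PolicyXml and the LDAP path below are placeholders.
Import-Module AppLocker

function New-AuditOnlyAppLockerPolicy {
    param(
        [Parameter(Mandatory)][string]$ReferenceDir,   # folder holding the approved software
        [Parameter(Mandatory)][string]$PolicyXml       # absolute path for the policy XML
    )
    # Publisher rules for signed files, hash rules as the fallback for unsigned ones.
    $files  = Get-AppLockerFileInformation -Directory $ReferenceDir -Recurse -FileType Exe
    $policy = New-AppLockerPolicy -FileInformation $files -RuleType Publisher, Hash `
                  -User Everyone -RuleNamePrefix Approved -Optimize

    # AuditOnly: rule hits are logged (event 8003) but nothing is blocked, so an incomplete
    # rule set cannot lock users out while it is validated. Change to Enabled once the log is clean.
    [xml]$xml = $policy.ToXml()
    foreach ($collection in $xml.AppLockerPolicy.RuleCollection) {
        $collection.SetAttribute('EnforcementMode', 'AuditOnly')
    }
    $xml.Save($PolicyXml)
    return $PolicyXml
}

function Test-FileAgainstPolicy {
    param([Parameter(Mandatory)][string]$PolicyXml,
          [Parameter(Mandatory)][string[]]$Path,
          [string]$User = 'Everyone')
    # PolicyDecision is Allowed, Denied or DeniedByDefault; MatchingRule names the deciding rule.
    Test-AppLockerPolicy -XmlPolicy $PolicyXml -Path $Path -User $User |
        Select-Object FilePath, PolicyDecision, MatchingRule
}

function Get-AppLockerAuditEvents {
    param([int]$Hours = 24)
    # 8003 = would have been blocked (audit mode); 8004 = was blocked (enforce mode).
    Get-WinEvent -FilterHashtable @{
        LogName   = 'Microsoft-Windows-AppLocker/EXE and DLL'
        Id        = 8003, 8004
        StartTime = (Get-Date).AddHours(-$Hours)
    } -ErrorAction SilentlyContinue |
        Select-Object TimeCreated, Id, @{ n = 'Detail'; e = { ($_.Message -split "`r?`n")[0] } }
}

# Usage (placeholder paths and GUID):
# New-AuditOnlyAppLockerPolicy -ReferenceDir 'C:\RefImage' -PolicyXml 'C:\Policies\applocker-audit.xml'
# Test-FileAgainstPolicy -PolicyXml 'C:\Policies\applocker-audit.xml' -Path 'C:\Tools\sometool.exe'
# Set-AppLockerPolicy -XmlPolicy 'C:\Policies\applocker-audit.xml' -Ldap 'LDAP://DC01/CN={GPO-GUID},CN=Policies,CN=System,DC=contoso,DC=com'
# Get-AppLockerAuditEvents -Hours 72
```

The Application Identity service must be running on the target computers for any AppLocker events to be produced at all.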

4. Describe Firewall Profiles.

Windows Firewall with Advanced Security uses firewall profiles to provide a consistent configuration for networks of a specific type, and allows you to define a network as either a domain network, a public network, or a private network. With Windows Firewall with Advanced Security, you can define a configuration set for each type of network; each configuration set is referred to as a firewall profile. Firewall rules are activated only for specific firewall profiles. Windows Firewall with Advanced Security includes the profiles in the following table.

Windows Server 2012 allows multiple firewall profiles to be active on a server simultaneously. This means that a multihomed server that is connected to both the internal network and the perimeter network can apply the domain firewall profile to the internal network, and the public or private firewall profile to the perimeter network.

5. Describe connection security rules.

A connection security rule forces authentication between two peer computers before they can establish a connection and transmit secure information. It also secures that traffic by encrypting the data that is transmitted between computers. Windows Firewall with Advanced Security uses IPsec to enforce these rules. The configurable connection security rules are:

Isolation. An isolation rule isolates computers by restricting connections that are based on credentials such as domain membership or health status. Isolation rules allow you to implement an isolation strategy for servers or domains.

Authentication Exemption. You can use an authentication exemption to designate connections that do not require authentication. You can designate computers by a specific IP address, an IP address range, a subnet, or a predefined group such as a gateway.

Server-to-Server. A server-to-server rule protects connections between specific computers. This type of rule usually protects connections between servers. When creating the rule, specify the network endpoints between which communications are protected. Then designate requirements and the authentication that you want to use.

Tunnel. With a tunnel rule, you can protect connections between gateway computers. Typically, you would use a tunnel rule when connecting across the Internet between two security gateways.

Custom. Use a custom rule to authenticate connections between two endpoints when you cannot set up the authentication rules that you need by using the other rules available in the new Connection Security Rule Wizard.

How Firewall Rules and Connection Security Rules Work Together

Firewall rules allow traffic through the firewall, but do not secure that traffic. To secure traffic with IPsec, you can create connection security rules. However, connection security rules do not allow traffic through a firewall. You must create a firewall rule to do this. Connection security rules are not applied to programs and services; instead, they are applied between the computers that make up the two endpoints.
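As an added example (not from the course notes), the following PowerShell puts the last two sections together with the NetSecurity cmdlets of Windows Server 2012: a server-to-server connection security rule that requires IPsec (computer Kerberos, i.e. domain membership) for SMB between two hosts, plus the separate Domain-profile firewall rule that is what actually admits the traffic, and a summary of which firewall profile each interface of a multihomed server is in. The two addresses are constructed placeholders.

```powershell
# Added example, not part of the course notes. Requires the NetSecurity module
# (Windows Server 2012 / Windows 8 and later) and an elevated session.
Import-Module NetSecurity

function New-AuthenticatedSmbRuleSet {
    param(
        [Parameter(Mandatory)][string]$LocalAddress,   # this server, e.g. 10.0.1.10 (placeholder)
        [Parameter(Mandatory)][string]$PeerAddress     # the peer server, e.g. 10.0.1.20 (placeholder)
    )
    # Phase 1 (main mode) authentication: computer Kerberos, so only domain members can negotiate.
    $proposal = New-NetIPsecAuthProposal -Machine -Kerberos
    $authSet  = New-NetIPsecPhase1AuthSet -DisplayName 'Computer Kerberos' -Proposal $proposal

    # Connection security rule (server-to-server): require IPsec in both directions for TCP 445
    # between the two endpoints. On its own this secures the traffic but opens no port.
    New-NetIPsecRule -DisplayName 'Require IPsec for SMB to peer' `
        -Mode Transport -Protocol TCP -LocalPort 445 `
        -LocalAddress $LocalAddress -RemoteAddress $PeerAddress `
        -InboundSecurity Require -OutboundSecurity Require `
        -Phase1AuthSet $authSet.Name -Profile Domain | Out-Null

    # Firewall rule: allow SMB inbound from the peer, only in the Domain profile, and only when
    # the connection was authenticated by IPsec (-Authentication Required). Without this rule the
    # connection security rule alone would leave the port closed.
    New-NetFirewallRule -DisplayName 'Allow authenticated SMB from peer' `
        -Direction Inbound -Protocol TCP -LocalPort 445 `
        -RemoteAddress $PeerAddress -Profile Domain `
        -Authentication Required -Action Allow | Out-Null
}

function Get-ActiveProfileSummary {
    # Several profiles can be active at once on a multihomed server. For each interface, report
    # the profile it is in and whether that profile has the firewall on with inbound blocked.
    $profiles = Get-NetFirewallProfile | Select-Object Name, Enabled, DefaultInboundAction
    Get-NetConnectionProfile | ForEach-Object {
        $category = [string]$_.NetworkCategory          # DomainAuthenticated, Private or Public
        $name = if ($category -eq 'DomainAuthenticated') { 'Domain' } else { $category }
        $p = $profiles | Where-Object Name -eq $name
        [pscustomobject]@{
            Interface            = $_.InterfaceAlias
            Profile              = $name
            FirewallEnabled      = $p.Enabled
            DefaultInboundAction = $p.DefaultInboundAction   # Block is the expected value
        }
    }
}

# Usage (placeholder addresses):
# New-AuthenticatedSmbRuleSet -LocalAddress '10.0.1.10' -PeerAddress '10.0.1.20'
# Get-ActiveProfileSummary
```

Create the same rule set on the peer with the addresses swapped; Get-NetIPsecMainModeSA afterwards shows whether the security association was actually negotiated.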