Exercise 7
DESCRIPTION
MCP TRANSCRIPT

Section A: Implementing Group Policy

1. Describe the components of Group Policy.
Group Policy settings are configuration settings that allow administrators to enforce settings by modifying the computer-specific and user-specific registry settings on domain-based computers. You can group together Group Policy settings to make GPOs, which you can then apply to security principals (users, groups, or computers).

GPOs

A GPO is an object that contains one or more policy settings that apply configuration settings for users, computers, or both. GPOs are stored in SYSVOL, and can be managed by using the Group Policy Management Console (GPMC). Within the GPMC, you can open and edit a GPO by using the Group Policy Management Editor. GPOs are logically linked to Active Directory containers to apply settings to the objects in those containers.

Group Policy Settings

A Group Policy setting is the most granular component of Group Policy. It defines a specific configuration change to apply to an object (a computer or a user, or both) within Active Directory Domain Services (AD DS). Group Policy has thousands of configurable settings. These settings can affect nearly every area of the computing environment. Not all settings can be applied to all older versions of Windows Server and Windows operating systems. Each new version introduces new settings and capabilities that only apply to that specific version. If a computer has a Group Policy setting applied that it cannot process, it simply ignores it. Most policy settings have three states:

Not Configured. The GPO will not modify the existing configuration of the particular setting for the user or computer.
Enabled. The policy setting will be applied.
Disabled. The policy setting is specifically reversed.

By default, most settings are set to Not Configured. The effect of the configuration change depends on the policy setting. For example, if you enable the Prohibit Access to Control Panel policy setting, users will be unable to open Control Panel. If you disable the policy setting, you ensure that users can open Control Panel. Notice the double negative in this policy setting: you disable a policy that prevents an action, thereby allowing the action.

Group Policy Settings Structure

There are two distinct areas of Group Policy settings:

User settings. These are settings that modify the HKEY_CURRENT_USER hive of the registry.
Computer settings. These are settings that modify the HKEY_LOCAL_MACHINE hive of the registry.

User and computer settings each have three areas of configuration, as described in the following table.

Group Policy Management Editor

The Group Policy Management Editor displays the individual Group Policy settings that are available in a GPO. These are displayed in an organized hierarchy that begins with the division between computer settings and user settings, and then expands to show the Computer Configuration node and the User Configuration node. The Group Policy Management Editor is where all Group Policy settings and preferences are configured.
2. Describe multiple local GPOs.

In Windows operating systems prior to Windows Vista, there was only one available user configuration in the local Group Policy. That configuration was applied to all users who logged on from that local computer. This is still true, but Windows Vista and newer Windows client operating systems, and Windows Server 2008 and newer Windows Server operating systems, have an added feature: multiple local GPOs.

In Windows 8 and Windows Server 2012, you can also now have different user settings for different local users, but this is only available for the user configurations that are in Group Policy. In fact, there is only one set of computer configurations available in Windows 8 and Windows Server 2012, and it affects all users of the computer. Windows 8 and Windows Server 2012 provide this ability with the following three layers of local GPOs:

Local Group Policy (contains the computer configuration settings)
Administrator and Non-Administrator Group Policy
User-specific Local Group Policy

How the Layers Are Processed

The layers of local GPOs are processed in the following order:

1. Local Group Policy
2. Administrators and Non-Administrators Group Policy
3. User-specific Local Group Policy

With the exception of the categories of Administrator or Non-Administrator, it is not possible to apply local GPOs to groups, but only to individual local user accounts. Domain users are subject to the local Group Policy, or the Administrator or Non-Administrator settings, as appropriate.
3. Describe storage options for domain GPOs.

Group Policy settings are presented as GPOs in the GPMC, but a GPO is actually two components: a Group Policy template, and a Group Policy container.

Group Policy Template

Group Policy templates are the actual collection of settings that you can change. Group Policy templates are stored in the %SystemRoot%\PolicyDefinitions folder. Windows Server 2012 contains Group Policy templates with thousands of configurable settings. When you create a new Group Policy, the Group Policy Management Editor presents the templates in a new GPO. When you edit and save the GPO, a new Group Policy container is created.

Group Policy Container

The Group Policy container is an Active Directory object that is stored in the Active Directory database. Each Group Policy container includes a globally unique identifier (GUID) attribute that uniquely identifies the object within AD DS. The Group Policy container defines basic attributes of the GPO, such as links and version numbers, but it does not contain any of the settings. Instead, the settings are contained in the Group Policy template, which is a collection of files stored in the SYSVOL of each domain controller.

SYSVOL is located in the %SystemRoot%\SYSVOL\Domain\Policies\GPOGUID path, where GPOGUID is the GUID of the Group Policy container. When you make changes to the settings of a GPO, the changes are saved to the Group Policy template of the server from which the GPO was opened. By default, when Group Policy refresh occurs, the Group Policy client-side extensions (CSEs) apply settings in a GPO only if the GPO has been updated.

The Group Policy Client can identify an updated GPO by its version number. Each GPO has a version number that is incremented each time a change is made. The version number is stored as an attribute of the Group Policy container, and in a text file, GPT.ini, in the Group Policy Template folder. The Group Policy Client knows the version number of each GPO that it has previously applied. If, during Group Policy refresh, the Group Policy Client discovers that the version number of the Group Policy container has been changed, the CSEs will be informed that the GPO is updated.

When editing a Group Policy, the version on the computer that has the primary domain controller (PDC) emulator Flexible Single Master Operations (FSMO) role is the version being edited. It does not matter what computer you are using to perform the editing; the GPMC is focused on the PDC emulator by default. It is possible to change the focus of the GPMC to edit a version on a different domain controller.
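The two copies of the version number described above can be compared directly. The following is an added PowerShell example, not part of the course notes: it reads the versionNumber attribute of each Group Policy container in AD and the Version line of GPT.ini in the matching SYSVOL folder, and reports GPOs where the two disagree, which is what a defender checks when SYSVOL replication is broken or template files were changed outside the GPMC. It assumes the GroupPolicy and ActiveDirectory RSAT modules and read access to the SYSVOL share; the low 16 bits of the value hold the computer version and the high 16 bits the user version.

```powershell
# Added example (not from the course notes). Compares the GPO version stored in AD
# (Group Policy container, attribute versionNumber) with the one stored in SYSVOL
# (Group Policy template, GPT.ini). Requires the GroupPolicy and ActiveDirectory modules.
Import-Module GroupPolicy
Import-Module ActiveDirectory

function Split-GpoVersion {
    # One 32-bit value holds both parts: low 16 bits = computer, high 16 bits = user.
    param([uint32]$Version)
    [pscustomobject]@{
        Computer = $Version -band 0xFFFF
        User     = ($Version -shr 16) -band 0xFFFF
    }
}

function Get-GptIniVersion {
    # Reads the "Version=<n>" line of GPT.ini; returns $null if the file or line is missing.
    param([string]$GptIniPath)
    if (-not (Test-Path -LiteralPath $GptIniPath)) { return $null }
    foreach ($line in Get-Content -LiteralPath $GptIniPath) {
        if ($line -match '^\s*Version\s*=\s*(\d+)\s*$') { return [uint32]$Matches[1] }
    }
    return $null
}

function Test-GpoVersionSync {
    param([string]$DomainName = (Get-ADDomain).DNSRoot)
    $domainDn = (Get-ADDomain -Identity $DomainName).DistinguishedName
    $policies = "\\$DomainName\SYSVOL\$DomainName\Policies"
    foreach ($gpo in Get-GPO -All -Domain $DomainName) {
        # SYSVOL folder and container CN both use the GUID in braces, upper case.
        $guid = '{' + $gpo.Id.ToString().ToUpper() + '}'
        $gpc  = Get-ADObject -Identity "CN=$guid,CN=Policies,CN=System,$domainDn" -Properties versionNumber
        $ad   = Split-GpoVersion ([uint32]([int64]$gpc.versionNumber -band 0xFFFFFFFF))
        $raw  = Get-GptIniVersion (Join-Path $policies "$guid\GPT.ini")
        $sv   = if ($null -ne $raw) { Split-GpoVersion $raw } else { $null }
        [pscustomobject]@{
            Name           = $gpo.DisplayName
            Guid           = $guid
            AdComputer     = $ad.Computer
            SysvolComputer = $sv.Computer   # $null when GPT.ini is missing
            AdUser         = $ad.User
            SysvolUser     = $sv.User
            # A mismatch means clients and the GPMC disagree about which settings are current.
            InSync         = ($null -ne $sv) -and ($ad.Computer -eq $sv.Computer) -and ($ad.User -eq $sv.User)
        }
    }
}

# Show only the GPOs whose AD and SYSVOL versions differ.
Test-GpoVersionSync | Where-Object { -not $_.InSync } | Format-Table -AutoSize
```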
4. Describe the Group Policy processing order.

GPOs are not applied simultaneously; rather, they are applied in a logical order. GPOs that are applied later in the process of applying GPOs overwrite any conflicting policy settings that were applied earlier. GPOs are applied in the following order:

1. Local GPOs. Each operating system that is running Windows 2000 or newer potentially already has a local Group Policy configured.
2. Site GPOs. Policies that are linked to sites are processed next.
3. Domain GPOs. Policies that are linked to the domain are processed next. There are often multiple policies at the domain level. These policies are processed in order of preference.
4. OU GPOs. Policies linked to OUs are processed next. These policies contain settings that are unique to the objects in that OU. For example, the Sales users might have special required settings. You can link a policy to the Sales OU to deliver those settings.
5. Child OU policies. Any policies that are linked to child OUs are processed last. Objects in the containers receive the cumulative effect of all policies in their processing order.

In the case of a conflict between settings, the last policy applied takes effect. For example, a domain-level policy might restrict access to registry editing tools, but you could configure an OU-level policy and link it to the IT OU to reverse that policy. Because the OU-level policy is applied later in the process, access to registry tools would be available.
5. Describe a GPO link.

Once you have created a GPO and defined all the settings that you want it to deliver, the next step is to link the policy to an Active Directory container. A GPO link is the logical connection of the policy to a container. You can link a single GPO to multiple containers by using the GPMC. You can link GPOs to the following types of containers:

Sites
Domains
OUs

Once a GPO is linked to a container, by default the policy is applied to all the objects in the container, and subsequently all the child containers under that parent object. This is because the default permissions of the GPO are such that Authenticated Users have Read and Apply Group Policy permission. You can modify this behavior by managing permissions on the GPO.

You can disable links to containers, which removes the configuration settings. You can also delete links. Deleting links does not delete the actual GPO, only the logical connection to the container. GPOs cannot be linked directly to users, groups, or computers. In addition, GPOs cannot be linked to the system containers in AD DS, including Builtin, Computers, Users, or Managed Service Accounts. The AD DS system containers receive Group Policy settings from GPOs that are linked to the domain level only.
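The processing order from question 4 and the links from question 5 can be audited together for any OU. The following is an added PowerShell example, not part of the course notes: it walks from the domain down through each parent OU to the target OU and lists the linked GPOs in the order they are applied, so the link that wins a conflict is the last row. It assumes the GroupPolicy RSAT module; the OU name is constructed, site links and local GPOs are outside the script, and Enforced links and blocked inheritance are only displayed, not resolved.

```powershell
# Added example (not from the course notes). Lists domain and OU GPO links that apply
# to a target OU in processing order: domain first, then each parent OU, then the OU itself.
Import-Module GroupPolicy

function Get-ContainerChain {
    # Turns OU=Sales,OU=Corp,DC=contoso,DC=com into the chain
    # DC=contoso,DC=com / OU=Corp,DC=contoso,DC=com / OU=Sales,OU=Corp,DC=contoso,DC=com
    param([string]$TargetDn)
    $parts       = $TargetDn -split '(?<!\\),'           # split on commas that are not escaped
    $domainParts = @($parts | Where-Object { $_ -like 'DC=*' })
    $ouParts     = @($parts | Where-Object { $_ -notlike 'DC=*' })
    $chain       = @(($domainParts -join ','))
    for ($i = $ouParts.Count - 1; $i -ge 0; $i--) {
        $chain += (($ouParts[$i..($ouParts.Count - 1)] + $domainParts) -join ',')
    }
    return $chain
}

function Get-GpoProcessingOrder {
    param([string]$TargetDn)
    $step = 0
    foreach ($dn in Get-ContainerChain $TargetDn) {
        $inh = Get-GPInheritance -Target $dn
        # Within one container, link order 1 has the highest precedence, so it is applied last.
        foreach ($link in ($inh.GpoLinks | Sort-Object Order -Descending)) {
            $step++
            [pscustomobject]@{
                Step      = $step
                Container = $dn
                Gpo       = $link.DisplayName
                LinkOrder = $link.Order
                Enabled   = $link.Enabled      # disabled links stay listed but do not apply
                Enforced  = $link.Enforced     # enforced links win regardless of this order
            }
        }
    }
}

# Constructed target OU; replace it with an OU from your own domain.
Get-GpoProcessingOrder -TargetDn 'OU=Sales,OU=Corp,DC=contoso,DC=com' | Format-Table -AutoSize
```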
6. Describe the Central Store.

If your organization has multiple administration workstations, there could be potential issues when editing GPOs. If you do not have a Central Store in which to contain the template files, then the workstation you are editing from will use the .admx (ADMX) and .adml (ADML) files that are stored in the local PolicyDefinitions folder. If different administration workstations have different operating systems or are at different service pack levels, there might be differences in the ADMX and ADML files. For example, the ADMX and ADML files that are stored on a Windows 7 workstation with no service pack installed might not be the same as the files that are stored on a Windows Server 2012 domain controller.

The Central Store addresses this issue. The Central Store provides a single point from which administration workstations can download the same ADMX and ADML files when editing a GPO. The Central Store is detected automatically by Windows operating systems that are the Windows Vista version or newer, and Windows Server 2008 operating systems.

As such, the local workstation that the administrator uses to perform administration always checks to see if a Central Store exists before loading the local ADMX and ADML files in the Group Policy Object Editor. When the local workstation detects a Central Store, it then downloads the template files from there. In this way, there is a consistent administration experience among multiple workstations.
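Creating and provisioning the Central Store that this section describes (a PolicyDefinitions folder under the domain's Policies folder in SYSVOL, filled with the ADMX files and the language subfolders of ADML files) can be scripted. The following is an added PowerShell example, not part of the course notes. It assumes the ActiveDirectory RSAT module, write access to SYSVOL on the PDC emulator, and that the workstation it runs on holds the template files you want every administrator to use.

```powershell
# Added example (not from the course notes). Creates the Central Store on the PDC emulator
# and copies the local ADMX files and every language folder of ADML files into it.
Import-Module ActiveDirectory

function Initialize-GpoCentralStore {
    param(
        [string]$Source = "$env:SystemRoot\PolicyDefinitions"
    )
    $domain = Get-ADDomain
    # The GPMC edits on the PDC emulator by default, so the store is written there; over the
    # network the local path C:\Windows\SYSVOL\sysvol\<domain>\Policies is the SYSVOL share.
    $store = "\\$($domain.PDCEmulator)\SYSVOL\$($domain.DNSRoot)\Policies\PolicyDefinitions"
    if (-not (Test-Path $store)) {
        New-Item -Path $store -ItemType Directory | Out-Null
    }
    # ADMX files sit directly in PolicyDefinitions.
    Copy-Item -Path (Join-Path $Source '*.admx') -Destination $store -Force
    # ADML files sit in language-specific subfolders such as en-US; keep that layout.
    foreach ($langDir in Get-ChildItem -Path $Source -Directory) {
        $target = Join-Path $store $langDir.Name
        if (-not (Test-Path $target)) { New-Item -Path $target -ItemType Directory | Out-Null }
        Copy-Item -Path (Join-Path $langDir.FullName '*.adml') -Destination $target -Force -ErrorAction SilentlyContinue
    }
    # Report what the store now holds so the copy can be verified before administrators rely on it.
    [pscustomobject]@{
        CentralStore = $store
        AdmxFiles    = @(Get-ChildItem -Path $store -Filter *.admx).Count
        AdmlFiles    = @(Get-ChildItem -Path $store -Recurse -Filter *.adml).Count
        Languages    = (Get-ChildItem -Path $store -Directory).Name -join ', '
    }
}

Initialize-GpoCentralStore
```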
You must create and provision the Central Store manually. First you must create a folder on a domain controller, name the folder PolicyDefinitions, and store the folder at C:\Windows\SYSVOL\sysvol\{DomainName}\Policies\. This folder will now be your Central Store. You must then copy all the contents of the C:\Windows\PolicyDefinitions folder to the Central Store. The ADML files in this folder are also in a language-specific folder (such as en-US).

Section B: Securing Windows Server 2012 with GPO
1. Describe best practices for increasing Windows Server 2012 security.

Consider the following best practices for increasing security:

Apply all available security updates as quickly as possible following their release. You should strive to implement security updates as soon as possible to ensure that your systems are protected from known vulnerabilities. Microsoft publicly releases the details of any known vulnerabilities after an update has been released, which can lead to an increased volume of malware attempting to exploit the vulnerability. However, you must still ensure that you adequately test updates before they are applied widely within your organization.

Follow the principle of least privilege. Provide users and service accounts with the lowest permission levels required to complete their necessary tasks. This ensures that any malware using those credentials is limited in its impact. It also ensures that users are limited in their ability to accidentally delete data or modify critical operating system settings.

Restrict administrator console logon. Logging on locally at a console is a greater risk to a server than accessing data remotely. This is because some malware can only infect a computer by using a user session at the desktop. If you allow administrators to use Remote Desktop Connection for server administration, ensure that enhanced security features such as User Account Control are enabled.

Restrict physical access. If someone has physical access to your servers, that person has virtually unlimited access to the data on that server. An unauthorized person could use a wide variety of tools to quickly reset the password on local administrator accounts and allow local access, or use a USB drive to introduce malware.
2. Describe Security Compliance Manager (SCM).

The Security Compliance Manager (SCM) is a free tool from the Microsoft Solution Accelerators team that enables you to quickly configure and manage the computers in your environment and your private cloud using Group Policy and Microsoft System Center Configuration Manager.

SCM provides ready-to-deploy policies and DCM configuration packs based on Microsoft security guide recommendations and industry best practices, allowing you to easily manage configuration drift and address compliance requirements for Windows operating systems, Office applications, and other Microsoft applications.

Now you can easily configure computers running Windows Server 2012, Windows 8, Microsoft Office applications, and Windows Internet Explorer 10 with industry-leading knowledge and fully supported tools.

Features:

Baselines based on Microsoft security guide recommendations and industry best practices: These baselines are designed to help you manage configuration drift, address compliance requirements, and reduce security threats.

Centralized security baseline management features: These include a baseline portfolio, customization capabilities, and security baseline export flexibility to accelerate your organization's ability to efficiently manage the security and compliance process for the most widely used Microsoft technologies.

Gold master support: Import your existing Group Policy to take advantage of it, or create a snapshot of a reference machine to kick-start your project.

Standalone machine configuration: Deploy your configurations to non-domain-joined computers using the new GPO Pack feature.

Updated security guides: Take advantage of the deep security expertise and best practices in the updated security guides, and the attack surface reference workbooks, to help reduce the most important security risks for your organization.

Comparisons against industry best practices: Analyze your configurations against prebuilt baselines for the latest Windows client and server operating systems.
3. Describe the purpose of AppLocker.

AppLocker, which was introduced in the Windows 7 operating system and Windows Server 2008 R2, is a security setting feature that controls which applications users are allowed to run. AppLocker provides administrators a variety of methods for determining quickly and concisely the identity of applications that they may want to restrict, or to which they may want to permit access.

You apply AppLocker through Group Policy to computer objects within an OU. You can also apply individual AppLocker rules to individual AD DS users or groups. AppLocker also contains options for monitoring or auditing the application of rules. AppLocker can help organizations prevent unlicensed or malicious software from executing, and can selectively restrict ActiveX controls from being installed.

It can also reduce the total cost of ownership by ensuring that workstations are standardized across the enterprise, and that users are running only the software and applications that are approved by the enterprise. Using AppLocker technology, companies can reduce administrative overhead and help administrators control how users

You can use AppLocker to restrict software that:

Is not allowed to be used in the company. For example, software that can disrupt employees' business productivity, such as social networking software, or software that streams video files or pictures that can use a large amount of network bandwidth and disk space.

Is no longer used or has been replaced with a newer version. For example, software that is no longer maintained, or for which licenses have expired.

Is no longer supported in the company. Software that is not updated with security updates might pose a security risk.

Should be used only by specific departments.

You can configure AppLocker settings by browsing in GPMC to: Computer Configuration\Policies\Windows Settings\Security Settings\Application Control Policies.
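The auditing option mentioned above is how an AppLocker rollout is normally started: rules are generated from a reference computer, set to audit-only so that hits are logged but nothing is blocked, and tested before they reach a GPO. The following is an added PowerShell example, not part of the course notes. It assumes the AppLocker module (Windows 8 / Windows Server 2012 and later), a reference computer whose program folders contain only approved software, and a GPO GUID (placeholder) for the final deployment step.

```powershell
# Added example (not from the course notes). Builds an audit-only AppLocker executable
# rule set from a reference computer and tests a file against it before deployment.
Import-Module AppLocker

function New-AuditOnlyAppLockerPolicy {
    param(
        [string[]]$ReferenceDirs = @("$env:ProgramFiles", "${env:ProgramFiles(x86)}", "$env:SystemRoot\System32"),
        [string]$OutFile = "$env:TEMP\applocker-audit.xml"
    )
    # Collect signature (publisher) and hash information for executables on the reference computer.
    $info = foreach ($dir in $ReferenceDirs) {
        if ($dir -and (Test-Path $dir)) { Get-AppLockerFileInformation -Directory $dir -Recurse -FileType Exe }
    }
    # Publisher rules where files are signed, hash rules otherwise; -Optimize merges duplicates.
    [xml]$policy = $info | New-AppLockerPolicy -RuleType Publisher, Hash -User Everyone `
        -Optimize -IgnoreMissingFileInformation -Xml
    # Audit mode: the Exe collection logs what would be blocked instead of enforcing it.
    foreach ($coll in $policy.AppLockerPolicy.RuleCollection) {
        if ($coll.Type -eq 'Exe') { $coll.SetAttribute('EnforcementMode', 'AuditOnly') }
    }
    $policy.Save($OutFile)
    return $OutFile
}

function Test-FileAgainstPolicy {
    # Reports Allowed or Denied and the matching rule without applying the policy anywhere.
    param([string]$PolicyXml, [string]$Path, [string]$User = 'Everyone')
    Test-AppLockerPolicy -XmlPolicy $PolicyXml -Path $Path -User $User
}

$xml = New-AuditOnlyAppLockerPolicy
Test-FileAgainstPolicy -PolicyXml $xml -Path "$env:SystemRoot\System32\notepad.exe"

# Deployment: write the policy into the GPO (GUID placeholder) linked to the computers' OU.
# Set-AppLockerPolicy -XmlPolicy $xml -Ldap 'LDAP://dc01.contoso.com/CN={GPO-GUID-PLACEHOLDER},CN=Policies,CN=System,DC=contoso,DC=com'
```

Review the AppLocker event log on the audited computers before switching the collection to Enabled, since anything reported there as "would have been blocked" is a rule gap or unapproved software.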
4. Describe Firewall Profiles.

Windows Firewall with Advanced Security uses firewall profiles to provide a consistent configuration for networks of a specific type, and allows you to define a network as either a domain network, a public network, or a private network. With Windows Firewall with Advanced Security, you can define a configuration set for each type of network; each configuration set is referred to as a firewall profile. Firewall rules are activated only for specific firewall profiles. Windows Firewall with Advanced Security includes the profiles in the following table.

Windows Server 2012 allows multiple firewall profiles to be active on a server simultaneously. This means that a multihomed server that is connected to both the internal network and the perimeter network can apply the domain firewall profile to the internal network, and the public or private firewall profile to the perimeter network.
5. Describe connection security rules.

A connection security rule forces authentication between two peer computers before they can establish a connection and transmit secure information. Connection security rules also secure that traffic by encrypting the data that is transmitted between computers. Windows Firewall with Advanced Security uses IPsec to enforce these rules. The configurable connection security rules are:

Isolation. An isolation rule isolates computers by restricting connections that are based on credentials such as domain membership or health status. Isolation rules allow you to implement an isolation strategy for servers or domains.

Authentication Exemption. You can use an authentication exemption to designate connections that do not require authentication. You can designate computers by a specific IP address, an IP address range, a subnet, or a predefined group such as a gateway.

Server-to-Server. A server-to-server rule protects connections between specific computers. This type of rule usually protects connections between servers. When creating the rule, specify the network endpoints between which communications are protected. Then designate requirements and the authentication that you want to use.

Tunnel. With a tunnel rule, you can protect connections between gateway computers. Typically, you would use a tunnel rule when connecting across the Internet between two security gateways.

Custom. Use a custom rule to authenticate connections between two endpoints when you cannot set up the authentication rules that you need by using the other rules available in the New Connection Security Rule Wizard.

How Firewall Rules and Connection Security Rules Work Together

Firewall rules allow traffic through the firewall, but do not secure that traffic. To secure traffic with IPsec, you can create connection security rules. However, connection security rules do not allow traffic through a firewall. You must create a firewall rule to do this. Connection security rules are not applied to programs and services; instead, they are applied between the computers that make up the two endpoints.
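The two halves described above (an isolation rule that authenticates the peers, and a firewall rule that lets the traffic through only once that authentication has happened) and the profile from question 4 can be put together with the NetSecurity cmdlets of Windows Server 2012. The following is an added PowerShell example, not part of the course notes; the rule names and the RDP port are constructed, and it assumes a domain-joined server where computer Kerberos authentication is available.

```powershell
# Added example (not from the course notes). An isolation connection security rule plus a
# firewall rule that admits inbound RDP on the Domain profile only from authenticated peers.
Import-Module NetSecurity

# Phase 1 authentication: computer Kerberos, so the peer must be a member of the domain.
$proposal = New-NetIPsecAuthProposal -Machine -Kerberos
$authSet  = New-NetIPsecPhase1AuthSet -DisplayName 'Domain Isolation Auth' -Proposal $proposal

# Connection security rule: inbound connections must authenticate, outbound ones request it.
# On its own this rule admits nothing through the firewall.
New-NetIPsecRule -DisplayName 'Domain Isolation (inbound require, outbound request)' `
    -InboundSecurity Require -OutboundSecurity Request `
    -Phase1AuthSet $authSet.Name -Profile Domain

# Firewall rule: allows the traffic, but only for connections the rule above authenticated.
# Without -Authentication Required the port would be open to unauthenticated peers as well.
New-NetFirewallRule -DisplayName 'Allow RDP from authenticated peers' `
    -Direction Inbound -Protocol TCP -LocalPort 3389 -Action Allow `
    -Profile Domain -Authentication Required

# Verification: which profile each interface is on, and the two rules as stored.
Get-NetConnectionProfile | Select-Object Name, InterfaceAlias, NetworkCategory
Get-NetIPsecRule -DisplayName 'Domain Isolation*' |
    Select-Object DisplayName, InboundSecurity, OutboundSecurity, Profile
Get-NetFirewallRule -DisplayName 'Allow RDP from authenticated peers' |
    Select-Object DisplayName, Enabled, Profile, Action
```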