Chapter 8 2320 ????

Pataasin ang iyong marka sa homework at exams ngayon gamit ang Quizwiz!

Group Policy Container

A GPO component that's an Active Directory object stored in the System\Policies folder. It stores GPO properties and status information but no actual policy settings

Group Policy Template

A GPO component that's stored as a set of files in the Sysvol share. It contains all the policy settings that make up a GPO as well as related files, such as scripts

WMI filtering

A GPO filtering method that uses Windows Management Instrumentation (WMI), a Windows technology for gathering management information about computers.

Starter GPO

A GPO template that can be used as a baseline for creating new GPOs, much like user account templates.

Domainv GPO

A Group Policy Object stored in Active Directory on domain controllers. These can be linked to a site, a domain, or an OU and affect users and computers whose accounts are stored in these containers

Local GPO

A Group Policy Object that's stored on local computers and can be edited by the Group Policy Object Editor snap-in.

Using Starter GPOs

A Starter GPO is a template for creating GPO's (not a GPT) New GPO wizard includes an option to use a Starter GPO

Network Location Awareness

A Windows feature for configuring each network connection on your computer with one of three settings, called profiles: Domain Profile, Private Profile, and Public Profile.

ADMX central store

A centralized location for maintaining ADMX files so that when an ADMX file is modified from one domain controller, all DCs receive the updated file.

GPO Filtering

A method to alter the normal scope of a GPO and exclude certain objects from being affected by its settings. GPO filtering methods include security filtering, which uses GPO permissions, and WMI filtering, which uses Windows Management Instrumentation queries to select objects

elevation

A process that occurs when a user attempts to perform an action requiring administrative rights and is prompted to enter credentials.

unmanaged policy setting

A type of group policy setting whereby the setting on the user or computer account is persistent, meaning it remains even after the computer or user object falls out of the GPO's scope

Managed Policy Setting

A type of group policy setting whereby the setting on the user or computer account reverts to its original state when the object is no longer in the scope of the GPO containing the setting.

Local Policies: Security Options Additional settings that are commonly configured:

Accounts: Administrator account status Accounts: Guest account status Accounts: Limit local account use of blank passwords to console logon only Accounts: Rename administrator account Accounts: Rename guest account Interactive logon: Do not display last user name Interactive logon: Do not require CTRL+ALT+DEL Microsoft network server: Disconnect clients when logon hours expire

MSI files

An MSI file is a collection of files packaged into a single file with an .msi extension Contains the instructions Windows Installer needs to install the application correctly

Local Policies: Audit Policy

Applies to what users can and can't do on the local computer to which they log on Administrators can audit events such as logon and logoff, file and folder access, Active Directory access, and system and process events Can be enabled for successful events, failed events, or both Creates a lot of system overhead so it should be used sparingly Events created by auditing are listed in the Security log

A Group Policy Container (GPC) is stored in the System\Policies folder

Contains GPO properties and status information but no policy settings Similar to GPT in that it uses a GPO's GUID for a folder name

Computer Configuration: Software Settings

Contains the Software Installation extension, which can be configured to install software packages remotely Applications are deployed with the Windows Installer service, which uses MSI files

Creating Custom Rules

Create custom rules by right-clicking the rule category and click Create New Rule The Create Executable Rules Wizard will start Conditions for the rule: Publisher - base the rule on a specific publisher of an application, such as Microsoft or Symantec Path - select the folder the application can be run from File hash - create a rule for an unsigned application

Software Restriction Policies

Designed to prevent users from running certain applications, or to allow users to only be able to run specific applications Security Levels folder contains three rules: Disallowed Basic User Unrestricted Additional rules folder is for exceptions, and contains four ways to identify exceptions: Hash Certificate Path Network zone Three policies can be configured: Enforcement Designated File Types Trusted Publishers

Understanding OU-Linked GPOs

Fine-tuning of group policies should be done at the OU level OU-linked policies are applied last They take precedence over site and domain policies Users and computers with similar policy requirements should be located in the same OU Since OUs can be nested, so can GPOs GPOs applied to nested OUs should be used for exceptions to policies set at a higher level

Enforcing GPO Inheritance

Forcing GPO Inheritance overrides any conflicting configurations at a deeper level A GPO that's enforced has the strongest precedence of all GPOs in its scope If multiple GPOs are enforced, the GPO at the highest level is enforced in a conflict Example: If a GPO linked to an OU and a GPO linked to a domain are both set to be enforced, the GPO linked to the domain has stronger precedence

Group Policy Container

GPC

Group Policy Replication

GPCs are replicated with Active Directory GPTs are replicated by one of the following methods: File Replication Service (FRS) - used when running in a mixed environment of differing Windows Server operating systems Distributed File System Replication (DFSR) - used when all DCs are running Windows Server 2008 DFSR is more efficient and reliable GPC and GPT can become out of sync Replication problems can be diagnosed with gpotool.exe

Changing Default GPO Inheritance Behavior

GPO inheritance is enabled by default To see where policies are inherited from, select a container in the left pane of GPMC and click the group policy inheritance tab in the right pane There are several ways to affect GPO inheritance: Blocking inheritance Enforcing inheritance GPO filtering

Creating and linking

GPOs are created in the Group Policy management console and can be linked to one or more AD containers

Understanding Domain-Linked GPO

GPOs at the domain level should contain settings that apply to all objects in the domain Account policies can be defined only at the domain level Active Directory folders, such as Computers and Users, are not OUs and can't have a GPO linked to them Best practices suggest setting account policies and a few critical security policies at the domain level

Understanding Site-Linked GPOs

GPOs linked to a site object affect all users and computers physically located at the site Can be used to set up different policies for mobile users In a singular site and domain environment, it is better to use domain GPOs Site GPOs can be confusing for users if policy changes are drastic enough between sites

Upon creation of a GPO, several files and subfolders are created each

GPT folder will contain at least three items: GPT.ini Machine User

Primary tools for managing, creating, and editing GPOs are

Group Policy Management Console (GPMC) and Group Policy Management Editor (GPME) If editing a GPO that is already linked to a container, changes in policy settings take effect as soon as clients download them There's no Save option in the GPME; changes are saved immediately

GPT

Group Policy Template

Another way to use security filtering is to edit the GPO's DACL directly

In the GPMC, click the GPO in the Group Policy Objects folder, and click the Delegation tab in the right pane to see a complete list of ACEs for the GPO

Local GPOs that allow different policy settings depending on who logs on to the computer:

Local Administrators GPO Local Non-Administrators GPO User-specific GPO

Local GPOs 1

Local GPOs are stored on local computers, and are edited via the Group Policy Object Editor snap-in

Information contained in a GPC:

Name of the GPO File path to GPT Version Status

GPT and GPC have the following common traits:

Naming structure Folder structure

Local GPOs 2

Only settings that are undefined or not configured by domain GPOs can be edited locally

User Account Control policies

Policies that determine what happens on a computer when a user attempts to perform an action that requires elevation. See also elevation.

Blocking GPO Inheritance

Prevents GPOs linked to parent containers from affecting child containers To block GPO inheritance, in GPMC, right click the child domain or OU and click Block Inheritance If blocking is enabled, the OU or domain object is displayed with a blue exclamation point Inheritance blocking should be used sparingly Frequent blocking implies a possible flawed OU design

Restricted Groups

Restricted Groups policy - allows an administrator to control the membership of both domain groups and local groups on member computers This node is empty by default and you configure it by adding groups you want to restrict The Members property controls which accounts can be members of the group The Member of property adds the target group to groups on the list that it isn't already a member of

Two types of GPO filtering

Security filtering Windows Management Instrumentation (WMI) filtering Security filtering uses permissions to restrict objects from accessing a GPO Use the Security Filtering dialog box in the GPMC to add or remove security principals from the GPO access list

Group Policy Settings

Settings in Computer Configuration take precedence over settings in User Configuration, should there be a conflict Three folders under the Policies folder: Software Settings Windows Settings Administrative Templates Policy settings can be managed or unmanaged Managed policies reset to 'Not configured' when the object falls outside of the policy's scope Unmanaged policies are persistent

Local GPOs 4

Settings in local GPOs that are inherited from domain GPOs can't be changed on the local computer.

Starter GPO's

Stored in the Starter GPOs folder in GPMC To use a Starter GPO, select one in the Source Starter GPO list box in the New GPO Wizard, or right click a starter GPO in the starter GPOs folder and click New GPO from Starter GPO To create a Starter GPO, right click the Starter GPOs folder and click New

security templates

Text files with an .inf extension that contain information to define policy settings in the Computer Configuration\Policies\Windows Settings\Security Settings node of a local or domain GPO.

Application Control Policies

The Application Control Policies node contains a subnode named AppLocker Affects only Windows 7 and later There are four categories of rules and each category has its own enforcement settings: Not configured Enforce rules Audit only Four rule categories: Executable Rules Script Rules Windows Installer Rules Packaged app Rules

Policies in the Computer Configuration Node

The Computer Configuration node applies policies to computers regardless of who logs on to the computer Contains most of the security related settings in the Account Policies, User Rights Assignment, Audit Policy, and Security Options nodes Computer configuration policies are uploaded to a computer when the OS starts and are updated every 90 minutes thereafter

File System

The File System node enables an administrator to configure permissions and auditing on files and folders on any computers in the GPO on which the policy is configured You need to add a folder or file and then configure the settings Once you're done configuring, the file system settings are transmitted to the file system of target computers

Group Policy Scope

The scope of a group policy defines which objects in AD are affected by settings in the policy If two GPOs are applied to an object, and a setting is configured on one GPO but not the other, the configured setting is applied Policies are applied in this order: 1. Local policies 2. Site-linked GPOs 3. Domain-linked GPOs 4. OU-linked GPOs The last policy applied takes precedence over policies applied earlier

Auditing Object Access

There are two steps for auditing objects: Enable the "Audit object access" policy for success, failure, or both Enable auditing on target objects for success, failure, or both After object access is enabled in Group Policy, you need to enable auditing on the target object Do this by changing the system access control list (SACL) for the object in the Auditing tab of the Advanced Security Settings dialog box for the object

Local Policies: Security Options

This subnode includes almost 100 settings One category of security policies to configure right away is User Account Control Determine what happens on a computer when a user attempts to perform an action that requires elevation Elevation - a process that occurs when a user attempts to perform an action requiring administrative rights and is prompted to enter credentials

Creating Rules

Three ways to create AppLocker rules: Create default rules Create a custom rule by using the Create Executable Rules Wizard Let Windows generate rules automatically Create default rules by right-clicking the rule category under AppLocker and click Create Default Rules

Editing an Existing GPO

To edit, right click the GPO in GPMC and click Edit, which will open the GPO in GPME It is possible to make changes to the default Domain Policy, but not advisable Recommended method for making changes to domain policies is creating a new GPO and linking it to the domain GPOs are applied to objects in reverse of the specified link order

Creating a New GPO

Two ways to create a new GPO with the GPMC: Right click the container you're linking the GPO to and select "Create a GPO in this domain, and Link it here" Right click the Group Policy Objects folder and click New Best practice is to create GPOs that focus on a category of settings, then name the GPO accordingly

Local Policies: User Rights Assignment

User rights define the actions users can take on a computer More than 40 user rights polices can be assigned The Default Domain Controllers Policy specifies User Rights Assignment policies that define actions users can take on domain controllers

Local GPOs 3

When you run gpedit.msc, you open a local GPO named Local Computer Policy containing Computer Configuration and User Configuration nodes

Changing Default Auditing

Windows Server 2012/R2 logs successful logon events and certain other events by default You must use the auditpol.exe command-line tool to have more control over the types of events that are audited To clear all audit policy subcategories so that auditing is controlled only by Group Policy, type: auditpol /clear

administrative template files

XML format text files that define policies in the Administrative Templates folder in a GPO. You can create custom ADMX files to create your own policies.

GPO's

an object containing policy settings that affect user and computer operating environments and security. Can be local or AD objects

Domain GPOs

are stored in Active Directory on domain controllers & Consists of two separate parts: a Group Policy Template (GPT) and a Group Policy Container (GPC)

A Group Policy Template (GPT)

contains all the policy settings that make up a GPO as well as related files, such as scripts, and is contained in the Sysvol share on a domain controller

Computer Configuration: Windows Settings

contains four subnodes: Name Resolution Policy - used to deploy DNS security (DNSSEC) policies to clients Scripts (Startup/Shutdown) - allows the creation of scripts to be run during startup or shutdown Security Settings - contains subnodes for setting security policies Policy-based QoS - enables administrators to manage the use of network bandwidth and prioritize network packets based on type of data in the packet

WMI filtering

uses queries to select a group of computers based on certain attributes, and then applies or doesn't apply policies based on the query's results

Replication

ensures that all domain controllers have a current copy of each GPO

Scope and inheritance

the scope of a group policy defines which users and computers are affected by its settings


Kaugnay na mga set ng pag-aaral

civics Principles of American Democracy 1. What is the supreme law of the land?

View Set

Identifying websites based on their domain

View Set

The Adventure of the Speckled Band

View Set

Recognizing Race and Ethnicity Fitzgerald Ch.3

View Set