Chapter 8 2320
Group Policy Container
A GPO component that's an Active Directory object stored in the System\Policies folder. It stores GPO properties and status information but no actual policy settings
Group Policy Template
A GPO component that's stored as a set of files in the Sysvol share. It contains all the policy settings that make up a GPO as well as related files, such as scripts
WMI filtering
A GPO filtering method that uses Windows Management Instrumentation (WMI), a Windows technology for gathering management information about computers.
Starter GPO
A GPO template that can be used as a baseline for creating new GPOs, much like user account templates.
Domain GPO
A Group Policy Object stored in Active Directory on domain controllers. These can be linked to a site, a domain, or an OU and affect users and computers whose accounts are stored in these containers
Local GPO
A Group Policy Object that's stored on local computers and can be edited by the Group Policy Object Editor snap-in.
Using Starter GPOs
A Starter GPO is a template for creating GPOs (not a GPT). The New GPO Wizard includes an option to use a Starter GPO.
Network Location Awareness
A Windows feature for configuring each network connection on your computer with one of three settings, called profiles: Domain Profile, Private Profile, and Public Profile.
ADMX central store
A centralized location for maintaining ADMX files so that when an ADMX file is modified from one domain controller, all DCs receive the updated file.
GPO Filtering
A method to alter the normal scope of a GPO and exclude certain objects from being affected by its settings. GPO filtering methods include security filtering, which uses GPO permissions, and WMI filtering, which uses Windows Management Instrumentation queries to select objects
elevation
A process that occurs when a user attempts to perform an action requiring administrative rights and is prompted to enter credentials.
unmanaged policy setting
A type of group policy setting whereby the setting on the user or computer account is persistent, meaning it remains even after the computer or user object falls out of the GPO's scope
Managed Policy Setting
A type of group policy setting whereby the setting on the user or computer account reverts to its original state when the object is no longer in the scope of the GPO containing the setting.
Local Policies: Security Options Additional settings that are commonly configured:
Accounts: Administrator account status; Accounts: Guest account status; Accounts: Limit local account use of blank passwords to console logon only; Accounts: Rename administrator account; Accounts: Rename guest account; Interactive logon: Do not display last user name; Interactive logon: Do not require CTRL+ALT+DEL; Microsoft network server: Disconnect clients when logon hours expire
MSI files
An MSI file is a collection of files packaged into a single file with an .msi extension. It contains the instructions Windows Installer needs to install the application correctly.
Local Policies: Audit Policy
Applies to what users can and can't do on the local computer to which they log on. Administrators can audit events such as logon and logoff, file and folder access, Active Directory access, and system and process events. Auditing can be enabled for successful events, failed events, or both. It creates a lot of system overhead, so it should be used sparingly. Events created by auditing are listed in the Security log.
A Group Policy Container (GPC) is stored in the System\Policies folder
Contains GPO properties and status information but no policy settings. Similar to the GPT in that it uses the GPO's GUID for a folder name.
Computer Configuration: Software Settings
Contains the Software Installation extension, which can be configured to install software packages remotely. Applications are deployed with the Windows Installer service, which uses MSI files.
Creating Custom Rules
Create custom rules by right-clicking the rule category and clicking Create New Rule; the Create Executable Rules Wizard will start. Conditions for the rule: Publisher - base the rule on a specific publisher of an application, such as Microsoft or Symantec; Path - select the folder the application can be run from; File hash - create a rule for an unsigned application.
Software Restriction Policies
Designed to prevent users from running certain applications, or to allow users to run only specific applications. The Security Levels folder contains three rules: Disallowed, Basic User, and Unrestricted. The Additional Rules folder is for exceptions and contains four ways to identify exceptions: Hash, Certificate, Path, and Network zone. Three policies can be configured: Enforcement, Designated File Types, and Trusted Publishers.
Understanding OU-Linked GPOs
Fine-tuning of group policies should be done at the OU level. OU-linked policies are applied last, so they take precedence over site and domain policies. Users and computers with similar policy requirements should be located in the same OU. Since OUs can be nested, so can GPOs; GPOs applied to nested OUs should be used for exceptions to policies set at a higher level.
Enforcing GPO Inheritance
Forcing GPO inheritance overrides any conflicting configurations at a deeper level. A GPO that's enforced has the strongest precedence of all GPOs in its scope. If multiple GPOs are enforced, the GPO at the highest level wins in a conflict. Example: if a GPO linked to an OU and a GPO linked to a domain are both set to be enforced, the GPO linked to the domain has stronger precedence.
Group Policy Container
GPC
Group Policy Replication
GPCs are replicated with Active Directory. GPTs are replicated by one of the following methods: File Replication Service (FRS) - used when running in a mixed environment of differing Windows Server operating systems; Distributed File System Replication (DFSR) - used when all DCs are running Windows Server 2008. DFSR is more efficient and reliable. The GPC and GPT can become out of sync; replication problems can be diagnosed with gpotool.exe.
Changing Default GPO Inheritance Behavior
GPO inheritance is enabled by default. To see where policies are inherited from, select a container in the left pane of the GPMC and click the Group Policy Inheritance tab in the right pane. There are several ways to affect GPO inheritance: blocking inheritance, enforcing inheritance, and GPO filtering.
Creating and linking
GPOs are created in the Group Policy Management Console and can be linked to one or more AD containers.
Understanding Domain-Linked GPO
GPOs at the domain level should contain settings that apply to all objects in the domain. Account policies can be defined only at the domain level. Active Directory folders, such as Computers and Users, are not OUs and can't have a GPO linked to them. Best practices suggest setting account policies and a few critical security policies at the domain level.
Understanding Site-Linked GPOs
GPOs linked to a site object affect all users and computers physically located at the site. They can be used to set up different policies for mobile users. In a single-site, single-domain environment, it is better to use domain GPOs. Site GPOs can be confusing for users if policy changes are drastic enough between sites.
Upon creation of a GPO, several files and subfolders are created; each
GPT folder will contain at least three items: GPT.ini, Machine, and User
Primary tools for managing, creating, and editing GPOs are
Group Policy Management Console (GPMC) and Group Policy Management Editor (GPME). If editing a GPO that is already linked to a container, changes in policy settings take effect as soon as clients download them. There's no Save option in the GPME; changes are saved immediately.
GPT
Group Policy Template
Another way to use security filtering is to edit the GPO's DACL directly
In the GPMC, click the GPO in the Group Policy Objects folder, and click the Delegation tab in the right pane to see a complete list of ACEs for the GPO
Local GPOs that allow different policy settings depending on who logs on to the computer:
Local Administrators GPO, Local Non-Administrators GPO, and User-specific GPO
Local GPOs 1
Local GPOs are stored on local computers, and are edited via the Group Policy Object Editor snap-in
Information contained in a GPC:
Name of the GPO, file path to the GPT, version, and status
GPT and GPC have the following common traits:
Naming structure and folder structure
Local GPOs 2
Only settings that are undefined or not configured by domain GPOs can be edited locally
User Account Control policies
Policies that determine what happens on a computer when a user attempts to perform an action that requires elevation. See also elevation.
Blocking GPO Inheritance
Prevents GPOs linked to parent containers from affecting child containers. To block GPO inheritance, in the GPMC, right-click the child domain or OU and click Block Inheritance. If blocking is enabled, the OU or domain object is displayed with a blue exclamation point. Inheritance blocking should be used sparingly; frequent blocking implies a possibly flawed OU design.
Restricted Groups
Restricted Groups policy - allows an administrator to control the membership of both domain groups and local groups on member computers. This node is empty by default, and you configure it by adding the groups you want to restrict. The Members property controls which accounts can be members of the group. The Member Of property adds the target group to groups on the list that it isn't already a member of.
Two types of GPO filtering
Security filtering and Windows Management Instrumentation (WMI) filtering. Security filtering uses permissions to restrict objects from accessing a GPO; use the Security Filtering dialog box in the GPMC to add or remove security principals from the GPO access list.
Group Policy Settings
Settings in Computer Configuration take precedence over settings in User Configuration, should there be a conflict. There are three folders under the Policies folder: Software Settings, Windows Settings, and Administrative Templates. Policy settings can be managed or unmanaged: managed policies reset to 'Not configured' when the object falls outside of the policy's scope, while unmanaged policies are persistent.
Local GPOs 4
Settings in local GPOs that are inherited from domain GPOs can't be changed on the local computer.
Starter GPOs
Stored in the Starter GPOs folder in the GPMC. To use a Starter GPO, select one in the Source Starter GPO list box in the New GPO Wizard, or right-click a Starter GPO in the Starter GPOs folder and click New GPO from Starter GPO. To create a Starter GPO, right-click the Starter GPOs folder and click New.
security templates
Text files with an .inf extension that contain information to define policy settings in the Computer Configuration\Policies\Windows Settings\Security Settings node of a local or domain GPO.
Application Control Policies
The Application Control Policies node contains a subnode named AppLocker, which affects only Windows 7 and later. There are four categories of rules, and each category has its own enforcement settings: Not configured, Enforce rules, and Audit only. The four rule categories are Executable Rules, Script Rules, Windows Installer Rules, and Packaged app Rules.
Policies in the Computer Configuration Node
The Computer Configuration node applies policies to computers regardless of who logs on to the computer. It contains most of the security-related settings, in the Account Policies, User Rights Assignment, Audit Policy, and Security Options nodes. Computer Configuration policies are downloaded to a computer when the OS starts and are updated every 90 minutes thereafter.
File System
The File System node enables an administrator to configure permissions and auditing on files and folders on any computers in the GPO's scope on which the policy is configured. You need to add a folder or file and then configure the settings. Once you're done configuring, the file system settings are transmitted to the file system of the target computers.
Group Policy Scope
The scope of a group policy defines which objects in AD are affected by settings in the policy. If two GPOs are applied to an object, and a setting is configured on one GPO but not the other, the configured setting is applied. Policies are applied in this order: 1. Local policies, 2. Site-linked GPOs, 3. Domain-linked GPOs, 4. OU-linked GPOs. The last policy applied takes precedence over policies applied earlier.
Auditing Object Access
There are two steps for auditing objects: enable the "Audit object access" policy for success, failure, or both; then enable auditing on the target objects for success, failure, or both. After object access auditing is enabled in Group Policy, you need to enable auditing on the target object. Do this by changing the system access control list (SACL) for the object in the Auditing tab of the Advanced Security Settings dialog box for the object.
Local Policies: Security Options
This subnode includes almost 100 settings. One category of security policies to configure right away is User Account Control, which determines what happens on a computer when a user attempts to perform an action that requires elevation. Elevation - a process that occurs when a user attempts to perform an action requiring administrative rights and is prompted to enter credentials.
Creating Rules
Three ways to create AppLocker rules: create default rules, create a custom rule by using the Create Executable Rules Wizard, or let Windows generate rules automatically. Create default rules by right-clicking the rule category under AppLocker and clicking Create Default Rules.
Editing an Existing GPO
To edit, right-click the GPO in the GPMC and click Edit, which will open the GPO in the GPME. It is possible to make changes to the Default Domain Policy, but this is not advisable; the recommended method for making changes to domain policies is creating a new GPO and linking it to the domain. GPOs are applied to objects in reverse of the specified link order.
Creating a New GPO
Two ways to create a new GPO with the GPMC: right-click the container you're linking the GPO to and select "Create a GPO in this domain, and Link it here", or right-click the Group Policy Objects folder and click New. Best practice is to create GPOs that focus on a category of settings, then name the GPO accordingly.
Local Policies: User Rights Assignment
User rights define the actions users can take on a computer. More than 40 user rights policies can be assigned. The Default Domain Controllers Policy specifies User Rights Assignment policies that define actions users can take on domain controllers.
Local GPOs 3
When you run gpedit.msc, you open a local GPO named Local Computer Policy containing Computer Configuration and User Configuration nodes
Changing Default Auditing
Windows Server 2012/R2 logs successful logon events and certain other events by default. You must use the auditpol.exe command-line tool to have more control over the types of events that are audited. To clear all audit policy subcategories so that auditing is controlled only by Group Policy, type: auditpol /clear
administrative template files
XML format text files that define policies in the Administrative Templates folder in a GPO. You can create custom ADMX files to create your own policies.
GPOs
An object containing policy settings that affect user and computer operating environments and security. Can be local or AD objects.
Domain GPOs
are stored in Active Directory on domain controllers and consist of two separate parts: a Group Policy Template (GPT) and a Group Policy Container (GPC)
A Group Policy Template (GPT)
contains all the policy settings that make up a GPO as well as related files, such as scripts, and is contained in the Sysvol share on a domain controller
Computer Configuration: Windows Settings
contains four subnodes: Name Resolution Policy - used to deploy DNS security (DNSSEC) policies to clients; Scripts (Startup/Shutdown) - allows the creation of scripts to be run during startup or shutdown; Security Settings - contains subnodes for setting security policies; Policy-based QoS - enables administrators to manage the use of network bandwidth and prioritize network packets based on the type of data in the packet
WMI filtering
uses queries to select a group of computers based on certain attributes, and then applies or doesn't apply policies based on the query's results
Replication
ensures that all domain controllers have a current copy of each GPO
Scope and inheritance
the scope of a group policy defines which users and computers are affected by its settings