Chapter 8 Group Policy Architecture

Lakukan tugas rumah & ujian kamu dengan baik sekarang menggunakan Quizwiz!

Computer Configuration Windows Settings Security Settings Registry

Sets NTFS permisions on registry keys on target computers

Computer Configuration Windows Settings Security Settings File System

Sets NTFS permissions and controls auditing and inheritance on files and folders on target computers

Accounts: Limit local account use of blank passwords to console logon only

enabled by default, this policy disallows network users from logging on to the computer if their password is blank

Microsoft network server:connect clients when logon hours expire

enables by default, if a user accounts has restricted hours, thier sessions are disconnected from file shares if theyre connected outside valid logon hours. IF ITS DISABLED, USERS CAN CONTINUE TO WORK AFTER LOGON HOURS EXPIRE IF THEY ARE ALREADY LOGGED ON.

There are two ways to create a GPO

1. Right click the GPO your linking it to and select "create GPO in this domain, and link it here". 2. Right click the group policy objects foldeer and click "new". Rule 2 is preferable.

Group policy architecture and functioning involve Gpo's - .

A GPO is an object containing policy settings that effect user and computer operating environments and security. GPO's - can be Local (stored on user's computers) or Active Directory objects linked to sites, domains, and OU's

Group Policy Objects

A GPO is the main component of group policies, contains policy settings for managing aspects of domain controllers, member servers, member computers and users.

MSI File

A collection of of files packaged into a single file with an .msi extention and contians the instuctions windows installer needs to install the application correctly.

Group Policy Replication

AD object GPC's are replicated during normal AD replication. GPC's located in the sysvol share are replicated by using; File Replication Service or distributed File System Replication

Computer Configuration Windows Settings Name Resolution Policy

Added in win 2008 r2, is used to deploy DNS security (DNSSEC)

Local Policies Audit Policy

Admin can audit events occuring on computers, including log on & off, file and folder Access, AD access and system and process events. Auditing can be for successful event, failed events or both By default no audit ploicies are defined on either Default GPO. Indows server 2012/r2 certian events are like logons and directory service are audited by default and can be changed only by using the command line tool "auditpol.exe events created by auditing are listed in the security log and can be viewed with event viewer.

Interactive Logon:Message text for users attempting logon

Allow administrator to define a message that users see on the log on screen

Restricted groups page 365

Allows the administrator to control the membership of both domain groups and local groups on member computers. by default this node is empty, you configure it by adding groups you want to restrict. THis istypically used for groups that require high security you can control members and members of properties of a grop. current members of the target group not on the list are removed (unless the admin account is among them) and those in the list that arent already members of the target group are added.

Computer Configuration Node

Applies policies to computers regardless of who logs on. Mosgt important is this node contains most of the security related settings in the accounts policies, user rights assignment, audit policy and security options nodes. Computer configuration policies are uploaded to a computer when the OS starts and are updated every 90 minutes thereafter.

Domain GPO's

Are stored in Active Directory on Domain Controllers. Can be linked to a site, domain, or an OU and effect users and computers whose accounts are stored in these containers. A domain GPO is represented by an AD object, but it is composed of two parts- Group Policy template and Group Policy Container.

Elevation

Being promted for credentials

If you edit a GPO thats linked to an AD contianer 343

Changes are not saved, they take effect emmediately as soon as clients download them. By default client computers download GPO's at restart, and user policies are downloaded at next log on.

Blocking GPO Inheritance Page 350

Blocks GPO's Linked to parent objects from afecting child contianers. You can block inheritance on a domain or an OU.

Default GPO Inheritance Behavior

By default, GPO inheritance is enabled and settings linked to a parent object are applied to all child objects. Settings in a GPO linked to the domain object are inherited by all OU's and thier child objects in the domain. Settings in a GPO linked to a site are inherited by all objects in that site.

Replication Problems GPOTOOL.EXE 341

Can be diagnosed with GPOTOOl.EXE, which verifies the version number and status of GPO's on all DC's and reports any Discrepancies.

Turn off local group policy object processing

Causes member computers to ignore local GPO's. Doing so is a good idea to ensure that all policies are controlled from the domain.

The two main types of GPO's

Local and Domain

Local Security Policy

Enables you to edit policies in just the security settings node of the local GPO. You access this MMC via administrative tools in control panel or by entering secpol.msc at the command line.

Domain Policy Naming Structure GPT & GPC have this in common

Each GPO is assigned a globally unique identifier (GUID) a 128bit value represented by 32 hexadecimal digits that windows uses to to ensure unique object ID's. The GPT and GPC associated with the GPO are stored in a folder with the same name as the GPO's GUID

Domain Policy Folder Structure GPT & GPC have this in common

Each GPT and GPC has two subfoldes: Machine & User. The Machine folder stores info related to a GPO's computer configuration node. The User folder stores info about the User configuration node.

Computer Configuration Windows Settings Page 357

Contains four subnodes Name resolution policy Scripts (startup/shutdown

Computer Configuration Windows Settings Security Settings Application Control Policies

Contains the subnode AppLocker, which extends the function of software restriction policies. this policy can be used only on computers running windows 7/ windows 2008 r2 and later.

Computer Configuration Node Software Settings

Contians the software installation extention, which can be configured to install software packages remotely on computers, regardless of who logs on to the computer. Applications are deployed with the windows installer service, which ises installation packages caled MSI files

Computer Configuration Windows Settings Security Settings IP Security Policies on Active Directory

Controls IPsec policies on target computers. IPsec is a network protocol that provides secure, encrypted communication between computers

Computer Configuration Windows Settings Security Settings Wired Network IEEE 802.3

Controls a variety of authentication parameters on computers with wired connections to the network.

Computer Configuration Windows Settings Security Settings Network List manager policies

Controls aspects of the network identified by windows, such as location type, and network name and whether users can change information.

Computer Configuration Windows Settings Security Settings Windows Firewall with advanced Security

Controls firewall settings on windows vista and server 2008 and later computers.

Computer Configuration Windows Settings Security Settings Wireless Network Policies IEEE 802.11

Controls how wireless clients can connect to wireless networks, including network type (adhoc, or infrastructure), service set identifier (SSID), authentication, and encryption protocols

Computer Configuration Windows Settings Security Settings Public Key Policies

Controls parameters associated with public key infrastructure, including EFS and certificate handling

Computer Configuration Windows Settings Security Settings Event Log

Controls parameters of the main logs in event viewer on target computers. policies include log file sizez and retention parameters

Computer Configuration Windows Settings Security Settings Network Access Protection

Controls the NAP environment for target computers, including enforcement services, user interface, and servers used for health registration certificates.

Computer Configuration Windows Settings Security Settings Software Restriction Policies

Controls which software can run on a computer

Creating and Linking GPO's Page 341

Creating new GPO's and linking them to to containers is preferable to editing existing default GPO's.

When a GPO is created

Files and folders are created under the root folder, the number varies. Each has three items; GPT.ini Machine User

GPC & GPT Sync

GPC's replicate when active directory replication occurs, the interval is about 15 seconds, but can be longer between DC's on different sites. DFSR in the sysvol share (and the GPT) occur emmediately after a change is made. So starting with Win XP the client computer checks the version number of both components before applying GPO settings.

Group policy architecture and functioning involve Creating and Linking-

GPO's are created in group policy management console and can the be linked to one or more active directory containers. Multiple GPO's can be linked to the same container.

Site Linked GPO's PG 349

GPO's linked to a site object affect all users and computers physically located at the site. because sites are based on IP address, GPO processing determines from where a user is loggin on and from what computer based on that computers IP address. So users that log on from different sites may have different policies applied depending on where they log on.

Domain LInked GBPO's Page 349

GPO's set at a domian level should contian settings that you want to apply to all objects in a domain. THe default domain policy is configured and linked to the domain object by default and mostly defines user account policies. Accounts policies that affect domain logons can be defined only at the domain level.

Main tools for editing, creating and managing GPO's 341

Group policy Management console, (GPMC/Group Policy Management MMC) Group Policy mangement Editor, (GPME) The purpose of using these is to carry out changes to the security and or working environment for users and computers

Policies folder page 357

Have three folders in it; Software Settings, Windows Settings, and Administrative Templates Software and Windows settings have extentions in them

WMI Filtering Windows Management Instrumentation page 355

Is a windows technology for gathering management information about computers such as the hardware platform, OS version, available disk space, and so on. WMI filtering uses queries to select a group of computers based on certian attributes, and then applies or doesnt apply policies based on the results.

Group Policy containers

Is an AD object stored in the system/policies folder and can be viewed in AD users and Computers with the advanced features option enabled.

Unmanaged Policy Setting

Is persistant meaning it remains even after the user or computer falls out of the GPO's scope, until it is changed by anothe policy or manually. the policies already loaded in AD are managed, but you can customize group policy by adding your own policies which are unmanaged.

Local Computer Policy Object

Is processed first for all users and isthe only local GPO that effects the computer configuration. Local Admin and Non Admin GPO is processed next, if configured User specific GPO is processed last if configured. Any conflictingsettings are resolved in the same order. in other words, the last configured policy setting that is applied takes precedence.

Computer Configuration Windows Settings Security Settings Local Policies

Is so named because all settings in its subnodes pertian to security options applied to computers and what users can and cant do on the local computers to which they log on. because these policies affect computers, there defined in GPO's linked to OU's containing computer accounts THere are three subnodesAudit policy, us3er rights assignment and securtiy options

File Replication Service (FRS)

Is used if you have DC's in your domain that are running versions of Windows Server earlier than Windows Server 2008. DFS is not as efficient or reliable as DFSR

Distributed File System Replication (DFSR)

Is used when all DC's are running Windows server 2008 or later DFSR is more efficient and reliable than DFS, because it uses remote differential compression (RDC), and because of improvements in handling unexpected service shutdown tha could corrupt data. And cause it uses a multimaster replication scheme.

Group Policy Templates

Isnt stored in AD, it's in a folder in the SYSVOL share on a domain controller. It contians all the policy settings that make up a GPO as well as related files. such as scripts. Every GPO has a GPT associated with it. The local path to GPT folders on a domain controller is %\systenroot%\sysvolsysvoldomain\policies. %systemroot represents the drive letter and folder name where the windows OS is stored.

Policies are applied in this order page 348

Local Policies Site-Linked GPO's Domian-Linked GPO's OU Linked GPO's Policies defined in GPOs in AD take precedence over all local policies. OU linked GPO's have astronger precedence when conflicting policies exist.

GPT Folders

Look random, but two folders have the same name on every domain controller. The folder starting with 6AC1 is the GPT for the default domain controllers controller The folder starting with 31B2 is the GPT for the default domain policy

Additonal Local GPO's Local Administrators GPO

Mambers of the local admin group are effected by settings in this GPO. The default membership includes the local admin account and the domain admins global group when the computer is a domain member.

OU Linked GPO's Page 349

Moist fine tuninjg of group policies, particularly user policies should be done at the OU level. Because OU linked policies are applied last they take precedence ove site and domain policies ( with exception of account policies which can be applied only at the domian level)

info the GPC provides

Name of GPO, File path to GPT, Version, and Status

Computer Configuration Windows Settings Policy based QOS

New in Server 2008 enabled administrators to manage network bandwidth use on a per computer basis and prioritize network packets based on the type of data the packet carries.

Remote Differential Compression

Only data blocks tha have changed are transferred across a network.

Accounts: rename guest account

Similar to the rename admin account

Starter GPO page 346

Starter GPO's are GPO templates. An adminisgtrator creates a started GPO to be used ass a baseline for new GPo's. Starteer GPO's are stored in the starter GPO's folder in the GPMC. Starter GPo's dont contain all the nodes of a regular GPO, only the admin templates folder, and the computer configuration and user configuration is included.

GPC

Stores GPO properties and status information but no actual policy settings. Like a GPT the folder name of each GPC is the same as the GPO's GUID. The GPC is an active directory object that links the GPO to AD and is critical for replication to all DC's

GPC File Path to GPT

The GPCfilesyspath attribute specifeis the universal naming convention (UNC) path to the related GPT folder

GPC Version

The VersionNumber attribute should have the same session numbet as the GPT.INI file int the GPT Folder

GPC Name of GPO

The displayName attribute tells you the name of the GPO the GPC is associated with.

GPT Status

The flags attribute contains a value that indicates the GPO's status. The value 0 indicates the GPO is enabled The value 3 indicates the GPo is disabled.

Local GPO's Policy settings

The policy settings on a domain member computers can be effected by domain GPO's linked to the site, domain, or OU in active directory. Settings in local GPO's that are inherited from domain GPO's cant be changed on the local computer, only settings that are undefined or not configured by domain GPo's can be edited locally.

Group policy architecture and functioning involve Scope and Enheritance

The scope of a group policy defines which users and computers are affected by its settings. The scope can be a single computer (in the case of a local GPO) or an OU, a domain, or a site. Like permissions, policy settings applied to users and computers are inherited from the parent containers, like permissions inheritance, an administrator can override the default behavior of group policy inheritance.

Auditing Object Access page 359

There are two steps; 1. enable the audit object access policy for success, failure or both. 2. enable auditing on target objects for success, failure or both. After object access is enabled in group policy, you need to enable auditing on target object, such as a file or folder. you can do this by changing the system access control list for the object in the auditing tab of the advanced security settings dialog box for the object. by default when you audit a folder, the auditing extends to the subfolders and files.s

GPO Filtering Page 354

There are two types; Security Filtering and Windows management instrumentation (WMI) Filtering.

Computer Configuration Windows Settings Security Settings page 358

There sre hundreds , the most important are under the account policies and local policies because they contian baseline security options for your computer.

GptTmpl.inf

This file contains settings configured in the security settings node under computer configuration.

GPO root folder GPT.ini

This file contains the version number used to determine when a GPO has been modified. Everytime a GPO changes the version number is updated. Whenever a GPo is replicated the DC's use this number to determine whether the local copy of the GPO is up to date.

GPO root folder User

This folder caontains subfolders that store policy settings related to the user configuration node.

GPO root folder Machine

This folder contians subfolders that store policy settings related to the computer configuration node.

Local Policies Security Options

This subnode includes almost 100 settings, available policies are arganized into 15 catagories. You should configure "User Account Control Policies" right away.

Changing Default Auditing

To clear all audit subcatagories so that auditing is controlled only by group policy type auditpol /clear at the command prompt. this command stops all auditing on the computer where you run it, unless auditing is enables in the local policy or a GPO in the computers scope.

Local Policies User Rights Assignment

User rights define the actions users can take on a computer, such as changingsystem time, shutting down, logging on locally more than 40 user rights policies can be assigned, and for each policy you can add users or groups. the default DC policy specifies user rights assignmentspolicies that define the default actions users can take on DC's

Enforcing GPO Inheritance Page 350

When GPO inheritence is enforced the settings are applied to all child objects, even if the GPO with conflicting settings is linked to the contianer at a deeper Level. The GPO that is enforced has the strongest precedence of all GPO's in its scope. If muiltiple GPO's are inforced the GPO thats highest in the AD hierarchy has the strongest precedence. GPO enforcement overides GPO inheritance blocking.

Nested Ou's

When OU's are nested the GPO applied to the OU nested the deepest takes precedence overallother GPO's.

GPEDITE.MSC

When your run gpedit.msc you open a local GPO named Local Computer Policy containing Computer Configuration and User Configuration nodes. The policies defined in this GPO, when configured on non domain member computers, apply by default to all users who log on to the computer.

Computer Configuration Windows Settings Scripts (startup/shutdown)

You can create scripts in a variety of scripting languages, including VB script, Jscript, and batch files startup scripts run when the computer starts up, and shut down scripts run before the computer shuts down. Scripts must be placed in the scripts folder under the GPO's GPT folder in the SYSVOL share.

Additonal Local GPO's User Specific GPO

a user specific GPO is created for each account (except fo guest) in the local Security Accounts Manager (SAM) database.

To access additional GPO's

add the Group Policy Object Editor snap-in to an MMc. Instead of accepting the default local computer policy, click browse to open the dialog box, then click the users tab and select one of the GPOs. Local GPO's are intended to be configured on non-domain computers, because domain GPO's take precedence over local GPO's. and administration is is centralized by using domain GPO's.

Member Of property

adds the target group to groups on the list that it isnt already a member of, but it doesnt remove the target group from existing memberships.

In The GPMC

all GPO's are stored in the Group policy objects folder, GPO's linked to AD container are displayed as shortcut objects in the contianer to which they are linked.

Additonal Local GPO's Local NON- Administrators GPO

all users who log on to the computer who arent members of the local admin group are effected by setting in this GPO, including domain users when the computer is a domain member.

Additonal Local GPO's

allow different policy setting based on who logs on to the computer. They arent configured, so they have no effect on users until they are configured. They have only a user configuration node, so policies are limited to user related settings.

Account: rename administrator account

allow you to rename the admin account. if set on a domain based GPO, the admin account on all member computers affected by the GPO is renamed

Group policy

allows admin to manage most aspects of computer and user environments centrally through active directory.

Interactive logon: Number of previous logons to cache

allows the computer to locally cache logon info so that users can log on to the computer ifno domain controller is available by default, 10 logons are cached. if set to 0, a dc must be available for a user to log on to the local computer.

AD folders Computers and Users Page 349

are not OU's, and cant have GPO's linked to them. Only Domain linked GPO's and Site linked GPo's affect objects in these folders.

Local GPO's

are stored on local computers and can be edited with the group policy object editor snap in. To use add the group policy editor to a custom MMC or enter gpedit.msc at the command line to open a already confugred MMC called Local Group Policy Editor.

Computer Configuration Windows Settings Security Settings Account Policies

contian settings that affect user authentication and logon A GPO with settings configured in account policies must be linked to a domain in order for these policies to have any effect on domain logons. If a gpo linked to an OU has settings configured in account policies, they only affect the account policy setting on the local computer accounts within the the scope of the GPO, which only pertains to local user accounts The default domain policy is configured with default account policies settings, and many administrators keep all account policies in this GPO.

Computer Configuration Windows Settings Security Settings Restricted Groups

controls group memberships for both domain groups and locl SAM groups. After policy is applied, existing members of the target group are deleted and replaced with the membership specified in the policy

User Account Control Policies page 363

determine what happens on a computer when a user attempts to perform an action that requires elevation. when user account control is enabled, users with administrative credentials run with regular user priviedges.When users attempt to perform an action requiring admin rights they are prompted for thier credentials Regular user accounts cant be elevated, but users accounts in the admin group can. by default the built in admin account doesnt require elevation

Accounts: Guest account status

disabled by default, but you can enable it with this setting.

Accounts: Administrator account status

enable or disable the local administrator account. In client OS's the administrator account is disabled by default

Interactive logon: Do not require CTRL+ALT+DEL

if this is enabled, users dont have to press ctrl+alt+del to log on to the local computer.

Managed Policy Setting

is applied to a user or computer when the object is in the scope of the GPO contianing the setting.when the object is no longer in the GPOs scope or the policy is set to not configured the setting on the user or computer reverts to its original state.

Computer Configuration Windows Settings Security Settings System Services

manages the startup mode and security settings of services on target computers

Interactive LOgon: Do not display last user name

prevents the logon screen from showing the username of the last logged on user disabled by default

Group policy architecture and functioning involve Replication -

replication of active directory based GPO's ensures that all domain controllers have a current copy of each GPO. Changes to GPO's can be made on any DC and are replicated to all other DC's.

A GPC is composed of

several attributes you can view in the attribute folder tab of its properties dialog box

File System page 366

the file system node enables an admin to configure permissions and auditing on files and folders on any computers that fall into the scope of the GPO on which the policy is configured. Similar to restricted groups, there are no File System Policies defined by default. so you must add a folder or file and then configure the settings as you would configure permissions and auditing on any file or folder.

Group Policy Scope Page 348

the scope of a group policy defines which objects in AD are effected by settings in the policy.

Security Filtering page 354

uses permissions to restrict objects from accessing a GPO. like any object in an AD, a GPO has a discretionary access control list (DACL) in which list of security principals are granted permission to access the GPO. userrs and computers accounts must have the read and apply group policy permissions for a GPO to apply them. by defualt the authenticated users special identity is granted these permissions to every GPO. Authenticated Users applies to both logged on users and computers.


Set pelajaran terkait

Reading Quiz J OP Abeka 7th Grade

View Set

Тема 15. Сучасна архітектура додатків

View Set

Social Studies Section 30 Study Guide

View Set

Dermatologic Structure & Function - Burns

View Set

Pre-Lecture Quiz: Chapter 14 Before Conception (Look at numbers 66-75)

View Set