Chapter 8: CONFIGURING THE USER AND COMPUTER ENVIRONMENT USING GROUP POLICY. Briefly describe the topics covered in the chapter. Refer to the objective list at the beginning of Chapter 8, “Configuring the User and Computer Environment Using Group Policy.”
SECURITY POLICIES This information is discussed in Table 8-1, “Computer Configuration Node Security Settings,” of the textbook.
USER CONFIGURATION NODE SECURITY SETTINGS This information is discussed in Table 8-2 of the textbook.
ACCOUNT POLICIES Emphasize that account policies for domain accounts take effect only from a GPO linked to the domain container (in practice, the Default Domain Policy); there is one set of account policies per domain. The same settings in a GPO linked to an OU affect only the local accounts on the computers in that OU, not domain accounts. The following slides elaborate on each policy.
PASSWORD POLICY Describe each setting in Password Policy: Enforce Password History, Maximum Password Age, Minimum Password Age, Minimum Password Length, Password Must Meet Complexity Requirements, and Store Passwords Using Reversible Encryption For All Users In The Domain. Point out that Minimum Password Age is what stops users from cycling through the history to get back to an old password, and that reversible encryption should stay disabled unless a protocol such as CHAP requires it. Students will configure and test Password Policy in the lab.
ACCOUNT LOCKOUT POLICY Describe each setting in Account Lockout Policy: Account Lockout Threshold (number of failed attempts; 0 means accounts are never locked out), Account Lockout Duration, and Reset Account Lockout Counter After (the window in which failed attempts are counted). Students will configure and test Account Lockout Policy in the lab. Explain what happens if Account Lockout Duration is set to zero: the account stays locked until an administrator (or another user with permission to unlock accounts) explicitly unlocks it, and even the correct password is refused in the meantime. Also point out the trade-off: any lockout threshold lets someone who knows account names lock users out deliberately by submitting bad passwords, so the threshold should not be set so low that ordinary typing mistakes trigger it.
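The interaction of the three settings (especially the observation window and a duration of zero) is clearer in a simulation than in prose. The following is an added example, not code from the textbook or from Windows: a small Python model of how the bad-password counter, the reset window, and the lockout duration behave, with time given in seconds so it runs without a clock. The scenarios and account are constructed.

```python
from dataclasses import dataclass
from typing import Optional


@dataclass
class LockoutPolicy:
    """The three Account Lockout Policy settings, in the units the GPO editor uses."""
    threshold: int            # Account Lockout Threshold; 0 = never lock out
    duration_min: int         # Account Lockout Duration; 0 = locked until an administrator unlocks
    reset_counter_min: int    # Reset Account Lockout Counter After (observation window)


@dataclass
class Account:
    bad_pwd_count: int = 0
    last_bad_pwd: Optional[int] = None   # time of the last failed attempt (seconds)
    lockout_time: Optional[int] = None   # None = not locked


class LockoutSimulator:
    def __init__(self, policy: LockoutPolicy):
        self.policy = policy

    def is_locked(self, acct: Account, now: int) -> bool:
        if acct.lockout_time is None:
            return False
        if self.policy.duration_min == 0:
            return True                       # stays locked until admin_unlock()
        if now - acct.lockout_time >= self.policy.duration_min * 60:
            acct.lockout_time = None          # duration elapsed: unlock automatically
            acct.bad_pwd_count = 0
            return False
        return True

    def attempt(self, acct: Account, now: int, password_ok: bool) -> str:
        if self.is_locked(acct, now):
            return "locked"                   # even a correct password is refused
        if password_ok:
            acct.bad_pwd_count = 0
            return "success"
        # The counter goes back to zero once the observation window has passed
        # since the previous failure.
        if acct.last_bad_pwd is not None and \
                now - acct.last_bad_pwd > self.policy.reset_counter_min * 60:
            acct.bad_pwd_count = 0
        acct.bad_pwd_count += 1
        acct.last_bad_pwd = now
        if self.policy.threshold and acct.bad_pwd_count >= self.policy.threshold:
            acct.lockout_time = now
            return "locked"
        return "bad password"

    def admin_unlock(self, acct: Account) -> None:
        """What an administrator does in Active Directory Users and Computers."""
        acct.lockout_time = None
        acct.bad_pwd_count = 0


def run_scenario(policy: LockoutPolicy, events):
    """events: sequence of (seconds, password_ok) for one account; returns the outcomes."""
    sim, acct = LockoutSimulator(policy), Account()
    return [sim.attempt(acct, t, ok) for t, ok in events]


if __name__ == "__main__":
    # Duration 0: three failures lock the account, and a correct password two hours
    # later is still refused until an administrator unlocks it.
    manual = LockoutPolicy(threshold=3, duration_min=0, reset_counter_min=30)
    print(run_scenario(manual, [(0, False), (60, False), (120, False), (7200, True)]))
    # Threshold 3, duration 15, reset 10: the failure at 720 s comes more than
    # 10 minutes after the previous one, so the counter restarts at 1 and the
    # account is not locked until the fifth failure; it unlocks itself at 1640 s.
    auto = LockoutPolicy(threshold=3, duration_min=15, reset_counter_min=10)
    print(run_scenario(auto, [(0, False), (60, False), (720, False), (730, False),
                              (740, False), (1000, True), (1640, True)]))
```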
KERBEROS POLICY Describe each setting in the Kerberos Policy. Mention that although the Account Lockout Policy and Password Policy are often adjusted, the Kerberos Policy is rarely adjusted. The Kerberos Policy node is available only in an Active Directory domain; it is not present in the Local Security Policy, as shown in upcoming slides. Point out the Maximum Tolerance For Computer Clock Synchronization setting: by default, a computer's clock may not differ from the domain controller's by more than five minutes, or Kerberos authentication fails. This limit exists to prevent replay attacks. A replay attack involves capturing an authentication request using a protocol analyzer or other network packet-capturing software and then resending that request on the network later to gain access to a resource. Kerberos authenticators carry a timestamp, so the tolerance bounds how long a captured authenticator remains usable; within that window, the server also rejects an authenticator it has already seen.
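The two defences work together, and students tend to hear only the first. The following is an added example, not code from the textbook or from Windows: a Python model of the checks a Kerberos server applies to the timestamp in a client's authenticator, as specified in RFC 4120 (the skew check and the replay cache, both of which Windows implements inside the LSA). Times are integers so it runs without a real clock; the principal names are constructed.

```python
# Default "Maximum tolerance for computer clock synchronization" in Kerberos Policy.
MAX_CLOCK_SKEW_SEC = 5 * 60


class AuthenticatorVerifier:
    """Checks a Kerberos server (KDC or application server) applies to the
    timestamp in a client's authenticator before accepting the request:
      1. the timestamp must be within the clock-skew tolerance of the server's clock;
      2. an authenticator with the same (client, ctime, cusec) must not have been
         seen already within that window (the replay cache).
    Error names are the Kerberos error codes a real server would return.
    """

    def __init__(self, max_skew: int = MAX_CLOCK_SKEW_SEC):
        self.max_skew = max_skew
        self._replay_cache: dict = {}   # (client, ctime, cusec) -> ctime

    def _expire(self, now: int) -> None:
        # An entry can be dropped once any replay of it would fail the skew
        # check anyway, which keeps the cache bounded by the tolerance window.
        self._replay_cache = {k: t for k, t in self._replay_cache.items()
                              if now - t <= self.max_skew}

    def verify(self, client: str, ctime: int, cusec: int, now: int) -> str:
        self._expire(now)
        if abs(now - ctime) > self.max_skew:
            return "KRB_AP_ERR_SKEW"        # clock too far off, or captured packet too old
        key = (client, ctime, cusec)
        if key in self._replay_cache:
            return "KRB_AP_ERR_REPEAT"      # same authenticator presented twice: replay
        self._replay_cache[key] = ctime
        return "OK"


if __name__ == "__main__":
    v = AuthenticatorVerifier()
    # Legitimate request, then the same captured packet replayed 90 s and 400 s later.
    print(v.verify("alice@CONTOSO.COM", 1000, 42, now=1010))   # OK
    print(v.verify("alice@CONTOSO.COM", 1000, 42, now=1100))   # KRB_AP_ERR_REPEAT
    print(v.verify("alice@CONTOSO.COM", 1000, 42, now=1400))   # KRB_AP_ERR_SKEW
    # A client whose clock is six minutes slow fails before any replay check runs.
    print(v.verify("bob@CONTOSO.COM", 2000, 1, now=2361))      # KRB_AP_ERR_SKEW
```

This is why the note about time skew matters: with a tolerance of five minutes, a captured authenticator is useless after five minutes, and within those five minutes the replay cache catches the duplicate. Raising the tolerance widens both the replay window and the cache the server must keep.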
LOCAL POLICIES Briefly summarize that Local Policies are available on each Windows NT, Windows 2000, Windows XP, and Windows Server 2003 computer, regardless of domain membership.
AUDIT POLICY Discuss each audit setting. If you want to know more about any Audit policy, click on the policy’s name and press F1. The context-sensitive help feature in Windows Server 2003 opens a description of each policy, including its function, proper usage, and the event types generated. A summary of these settings is included on the Instructor CD-ROM under the Textbook\Chapter 8 folder in a document named AuditSettings.doc. For more information on any of these settings, check “Auditing Policy: Security Setting Descriptions” in the Windows Server 2003 product documentation.
DEFAULT DOMAIN CONTROLLER AUDIT POLICY Emphasize that in Windows Server 2003 the Default Domain Controllers Policy enables several audit categories by default, so the domain controllers of each domain record security events out of the box. In Windows 2000, all of these settings were explicitly set to No Auditing, so this is a change for Windows Server 2003. If the students are sitting in front of their computers, have them look at the Event Viewer Security Log of their domain controllers, or open the Event Viewer Security Log on the instructor computer and show them the security events that are in there.
THE CRASHONAUDITFAIL SETTING This animated slide illustrates the settings that must be configured to ensure you lose no security events. You must enable the Security Options setting Audit: Shut Down System Immediately If Unable To Log Security Audits. You must also configure the Security log properties in Event Viewer for Do Not Overwrite Events (Clear Log Manually). If your log allows overwriting, an intruder could generate many bogus security events to push out an event that the intruder does not want you to discover. However, you must archive the security log regularly and review the events; otherwise there is no point in logging them. With both settings in place, if the number of security events exceeds the size of the log file, the system shuts down and a stop error, STOP: C0000244 {Audit Failed} An Attempt To Generate A Security Audit Failed, is displayed. If this happens, a member of the Administrators group must log on, archive and clear the Security log, and reset the CrashOnAuditFail value under HKLM\SYSTEM\CurrentControlSet\Control\Lsa. Until that happens, no other users can log on to the system. A value of 2 means that the system has already shut down because the security log was full, and only administrators may log on. A value of 1 means that the security log is not full and the CrashOnAuditFail setting (that is, the Audit: Shut Down System Immediately If Unable To Log Security Audits policy) is active. A value of 0 means that the policy is not active. Consider that using this policy lets an intruder launch a denial-of-service (DoS) attack: anyone who can generate enough audited events, for example failed logons against a share, can fill the security log and shut the system down remotely. Size the log generously and archive it on a schedule if you enable this setting.
AUDITING BEST PRACTICES AND TIPS
Audit only pertinent items.
Archive security logs to provide a documented history.
Understand the following categories: system events, policy change, account management, and logon events versus account logon events. Audit Logon Events records logons and logoffs on the computer being accessed; Audit Account Logon Events records them on the computer that validates the credentials, which for domain accounts is the domain controller, so it is the setting that gives a domain-wide view of authentication.
Configure the size of your security logs carefully.
This slide relates to the information presented in the “Planning an Audit Policy” textbook section. For more information on this topic, use the Windows Server 2003 Help And Support option and search for Auditing Policy. Locate and read the section titled “Best Practices: Auditing Security Events.” Students will implement object access auditing in the lab. Consider showing them how to implement one or two other auditing features at this time.
USER RIGHTS ASSIGNMENT Students adjusted the User Rights Assignment in Exercise 4-1. You can remind them of this here and discuss other user rights that might be of interest, such as Shut Down The System. Perhaps some students noticed during the lab that when they log on to a domain controller using normal domain user accounts, they do not have the option to shut down; on a domain controller, by default only Administrators, Server Operators, Backup Operators, and Print Operators hold that right. If you want to know more about a User Rights Assignment policy, click on the policy’s name and press F1. The context-sensitive help feature in Windows Server 2003 opens a description of each User Rights Assignment policy.
SECURITY OPTIONS If you want to know more about a Security Options policy, click on the policy’s name and press F1. The context-sensitive help feature in Windows Server 2003 opens a description of each Security Options policy.
EVENT LOG POLICY This animated slide covers Event Viewer and log settings. It also illustrates where to find the Group Policy settings for the event logs that can be distributed through an Active Directory GPO.
RESTRICTED GROUPS POLICY Explain how Restricted Groups work. Typically, they are used to control membership of sensitive groups, such as the local Administrators group on client computers and member servers in the domain. A Restricted Groups entry has two lists. Members is authoritative: at every policy refresh, accounts not on the list are removed from the group and listed accounts are added, so anything an administrator adds by hand is undone at the next refresh, and an empty Members list empties the group. Member Of is additive only: it ensures the restricted group is a member of each group listed and removes nothing. The animated slide illustrates how to configure a Restricted Groups setting. The final step of configuring the Local Admins group as Member Of is typically not needed for most networks; in most cases, the local Administrators group has no additional group memberships. This setting is only illustrated for demonstration purposes; it is acceptable to leave Member Of unconfigured and still control group membership.
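The difference between the two lists decides whether a hand-added account survives the next refresh, so it is worth showing as a computation. The following is an added example, not code from the textbook or from Windows: a Python function that works out what one Restricted Groups entry does to a local group at policy refresh. The group and account names are constructed; real Windows compares security identifiers, not names.

```python
from typing import Iterable, List, Optional, Set, Tuple

Action = Tuple[str, str, str]   # (operation, group, principal)


def reconcile_restricted_group(
    group: str,
    current_members: Iterable[str],
    current_member_of: Iterable[str],
    policy_members: Optional[Iterable[str]] = None,
    policy_member_of: Iterable[str] = (),
) -> Tuple[List[Action], Set[str], Set[str]]:
    """Compute what a Restricted Groups setting does to one local group at refresh.

    - "Members" is authoritative: when configured (even as an empty list), every
      principal not on it is removed and every listed principal is added, so
      accounts an administrator added by hand disappear at the next refresh.
    - "Member Of" is additive only: the restricted group is added to each listed
      group, and memberships it already holds elsewhere are left alone.
    - A list that is not configured (None for Members, empty for Member Of)
      leaves that side untouched.
    Returns the actions taken plus the resulting membership and member-of sets.
    """
    actions: List[Action] = []
    members = set(current_members)
    if policy_members is not None:
        desired = set(policy_members)
        for p in sorted(members - desired):
            actions.append(("remove-member", group, p))
        for p in sorted(desired - members):
            actions.append(("add-member", group, p))
        members = desired

    member_of = set(current_member_of)
    for g in policy_member_of:
        if g not in member_of:
            actions.append(("add-to-group", group, g))
            member_of.add(g)
    return actions, members, member_of


if __name__ == "__main__":
    # Constructed example: someone added "helpdesk-temp" to the local
    # Administrators group by hand; the policy lists three members.
    actions, members, _ = reconcile_restricted_group(
        "Administrators",
        current_members={"Administrator", "CONTOSO\\Domain Admins", "helpdesk-temp"},
        current_member_of=set(),
        policy_members=["Administrator", "CONTOSO\\Domain Admins",
                        "CONTOSO\\Workstation Admins"],
    )
    for action in actions:
        print(action)
    print(sorted(members))
```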
SYSTEM SERVICES POLICY (Animated slide.) You can manage services centrally for the domain member computers on your network through Group Policy. A good security and performance optimization tip is to set services that are not needed to Manual, or to Disabled for services that must never run: a Manual service can still be started by a local administrator or by another service that depends on it. You can do this through a GPO by using the System Services node, which also lets you set the security descriptor on each service (who may start, stop, or reconfigure it).
REGISTRY POLICY The Registry node under Security Settings lets you set permissions and auditing entries (the DACL and SACL) on registry keys and propagate them to domain member computers. It does not set registry values; values are configured through Administrative Templates.
FILE SYSTEM POLICY The File System node under Security Settings lets you set NTFS permissions and auditing entries on files and folders that already exist on domain member computers, and propagate them through the GPO. It does not copy files to the computers.
WIRELESS NETWORK (IEEE 802.11) POLICIES (Animated slide.) Wireless configuration and security is an important issue for many organizations. This policy controls many settings that relate to basic wireless configuration and security, such as which networks clients may join (access point, computer-to-computer, or any), the list of preferred networks, and the IEEE 802.1X authentication settings for each. Show students the possible configurations. To learn more about configuring wireless GPO settings, click on the Wireless Network (IEEE 802.11) Policies node and then press F1. Navigate to the Wireless Networking Help document.
PUBLIC KEY POLICIES Briefly describe what each node subordinate to Public Key Policies does. In the textbook, there is a thorough description of how to distribute smart cards using autoenrollment. This is a good example of how to implement autoenrollment for a specific purpose. Emphasize that autoenrollment can be used to distribute certificates that allow users to digitally sign and encrypt e-mail messages and to authenticate to secured web servers with a client certificate instead of a password, as well as to enroll smart cards. For autoenrollment to work, both check boxes in the Autoenrollment Settings properties must be selected: Renew Expired Certificates, Update Pending Certificates, And Remove Revoked Certificates; and Update Certificates That Use Certificate Templates. Furthermore, the following items must be in place: an enterprise certification authority (CA), which must run Windows Server 2003 Enterprise or Datacenter Edition because autoenrollment requires version 2 certificate templates; an appropriate certificate template that is published to the CA and configured for the specific purpose intended, such as smart card logon or digital signature; and the users who are to autoenroll must have the Read, Enroll, and Autoenroll permissions on that template (usually granted to a group). Autoenrollment is supported on Windows XP and Windows Server 2003 clients.
SOFTWARE RESTRICTION POLICIES Briefly explain what these policies can do and then explain that they are covered in detail in the next chapter. Mention that these policies are not a replacement for virus protection software.
FOLDER REDIRECTION Allows you to redirect user folders to a central location.
Benefits:
Centralized backup of user files
Centralized access to user files when users change computers
Works with roaming profiles
FOLDER REDIRECTION (continued) This animated slide demonstrates configuration options for redirecting Application Data. The options are the same for all four redirectable folders (Application Data, Desktop, My Documents, and Start Menu). On the Settings tab, note the defaults: Grant The User Exclusive Rights To The Folder (the user and the System account get Full Control; administrators do not) and Move The Contents Of The Folder To The New Location. On the last image in this animation, point out the Policy Removal options: if you do not select Redirect The Folder Back To The Local Userprofile Location When Policy Is Removed, then when the policy is removed the folders stay where they are, and you must create another policy to move them again should you need to relocate the user’s folders in the future.
OFFLINE FILES This animated slide first shows all the settings for Offline Files on Windows XP and Windows Server 2003 computers and then shows the Offline Files settings in Group Policy.
DISK QUOTAS This animated slide illustrates how to set up disk quotas on a single machine and then how to enable disk quotas in a GPO. Note that the default quota entries leave members of the Administrators group unlimited, so quotas restrict ordinary users only. You must have NTFS volumes to implement disk quotas.
REFRESH INTERVALS FOR COMPUTERS Explain the Group Policy refresh interval as you show this animated slide. The slide illustrates where to configure refresh intervals in the Group Policy Object Editor. The example refresh screens illustrate the default settings: for computers, 90 minutes plus a random offset of up to 30 minutes (so that all the computers in a domain do not hit the domain controllers at once); for domain controllers, 5 minutes with no offset. The following slide illustrates the GPO refresh interval for user settings.
REFRESH INTERVALS FOR USERS This animated slide illustrates the refresh interval for users. Again, the settings shown are the defaults: 90 minutes plus a random offset of up to 30 minutes. Mention that not all Group Policy settings take effect on this cycle. Software will not deploy to computers until after a restart. Software will not deploy, and folders are not redirected, for user accounts until the user logs off and on again. Security settings go the other way: they are reapplied every 16 hours even if the GPO has not changed, which is what undoes a local change such as a hand-edited group membership or user right.
MANUALLY REFRESHING GROUP POLICY Show students how to refresh policy without waiting for the interval. On Windows XP and Windows Server 2003, run gpupdate from a command prompt: gpupdate by itself reapplies only settings that have changed; gpupdate /force reapplies all settings; /target:computer or /target:user limits the refresh to one half of the GPO; /logoff and /boot log the user off or restart the computer if a setting (such as folder redirection or software installation) needs it. On Windows 2000, the equivalent is secedit /refreshpolicy machine_policy (or user_policy) with /enforce.
OPTIMIZING GROUP POLICY PROCESSING There is no need to make the user logon process or the computer startup process apply a half of a GPO that has no settings configured. If you are only using half of a GPO, either Computer Configuration or User Configuration, disable the unused half on the General tab of the GPO’s properties.
SUMMARY Most security settings are in the Computer Configuration node of a GPO. Domain-wide account policies (Password, Account Lockout, and Kerberos) must be set in a GPO linked to the domain, which in practice means the Default Domain Policy, not the Default Domain Controllers Policy. Local Group Policy is processed first; site, domain, and OU GPOs are applied afterward, and a setting in any of them overrides a conflicting local setting. Auditing can be enabled at any level but should be configured carefully. The Default Domain Controllers Policy has some auditing configured by default. Results are written to the Security log in Event Viewer.
SUMMARY (continued) GPOs are refreshed every 90 minutes plus a random offset of up to 30 minutes, except on domain controllers, which refresh GPOs every five minutes. Disable the unneeded half of a GPO, either User Configuration or Computer Configuration.